Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug fix | CLI apply command | not filtering the resources from cluster #2417

Merged
merged 1 commit into from
Sep 21, 2021
Merged

Bug fix | CLI apply command | not filtering the resources from cluster #2417

merged 1 commit into from
Sep 21, 2021

Conversation

NoSkillGirl
Copy link
Contributor

Signed-off-by: NoSkillGirl singhpooja240393@gmail.com

Related issue

issue reported in slack - https://kubernetes.slack.com/archives/CLGR9BJU9/p1631904964399300

Milestone of this PR

/milestone 1.5.0.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

apply the following pod manifest in cluster:

apiVersion: v1
kind: Pod
metadata:
  name: nginx2
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 30000
          hostPort: 30000

now test it using the Kyverno CLI apply command with the following policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-pod-host-port-node-port-collision
spec:
  validationFailureAction: audit
  rules:
  - name: check-host-port
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Pods may not request use of a host port that overlaps with the cluster's Service node port range."
      pattern:
        spec:
          containers:
          - =(ports):
            - =(hostPort): "<30000 | >32767"
$ kyverno apply policy.yaml --cluster
Applying 1 policy to 18 resources... 
(Total number of result count may vary as the policy is mutated by Kyverno. To check the mutated policy please try with log level 5)

policy block-pod-host-port-node-port-collision -> resource default/Pod/nginx2 failed: 
1. check-host-port: validation error: Pods may not request use of a host port that overlaps with the cluster's Service node port range. Rule check-host-port failed at path /spec/containers/0/ports/0/hostPort/ 

pass: 17, fail: 1, warn: 0, error: 0, skip: 36 
exit status 1

Checklist

  • I have read the contributing guidelines.
  • [] I have added tests that prove my fix is effective or that my feature works.
  • [] My PR contains new or altered behavior to Kyverno and
    • [] I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

@NoSkillGirl
issue fixed
661b819 
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
@NoSkillGirl NoSkillGirl added this to the Kyverno Release 1.5.0 milestone Sep 21, 2021
@NoSkillGirl NoSkillGirl changed the title issue fixed Bug fix | CLI apply command | not filtering the resources from cluster Sep 21, 2021
@NoSkillGirl NoSkillGirl merged commit 06c2702 into kyverno:main Sep 21, 2021
@seh seh mentioned this pull request Sep 21, 2021
Closed
@NoSkillGirl NoSkillGirl added the milestone 1.5.0 Issues and PRs for the 1.5.0 release. label Sep 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vyankyGH vyankyGH vyankyGH approved these changes

@JimBugwadia JimBugwadia Awaiting requested review from JimBugwadia

@realshuting realshuting Awaiting requested review from realshuting

Assignees

@vyankyGH vyankyGH

Labels
milestone 1.5.0 Issues and PRs for the 1.5.0 release.
Projects
None yet
Milestone
Kyverno Release 1.5.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@NoSkillGirl @vyankyGH @realshuting