fix: add CONNECT operation in the webhook config for pod/exec subresource

[MariamFahmy98]

Explanation

This PR checks for the Pod/exec subresource, and if it does exists, we return the operations specified by the user instead of returning back the default operations.

Related issue

Closes #9829

Milestone of this PR

/milestone 1.12.0

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

• I have sent the draft PR to add or update the documentation and the link is:

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

1. policy.yaml:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: std-shell
spec:
  background: false
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod/exec
          operations:
          - CONNECT
    mutate:
      patchesJson6902: |-
        - op: replace
          path: "/command/0"
          value: "bash" 
    name: std-shell-replace
  validationFailureAction: Audit

Check the mutating webhook configuration:

kubectl get mutatingwebhookconfigurations.admissionregistration.k8s.io kyverno-resource-mutating-webhook-cfg -o yaml

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  labels:
    webhook.kyverno.io/managed-by: kyverno
  name: kyverno-resource-mutating-webhook-cfg
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    caBundle: <ca-bundle>
    url: https://172.18.0.1:9443/mutate/fail
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: mutate.kyverno.svc-fail
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kyverno
  objectSelector: {}
  reinvocationPolicy: IfNeeded
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CONNECT
    resources:
    - pods/exec
    scope: Namespaced
  sideEffects: NoneOnDryRun
  timeoutSeconds: 10

Checklist

• I have read the contributing guidelines.
• I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
• This is a bug fix and I have added unit tests that prove my fix is effective.
• This is a feature and I have added CLI tests that are applicable.
• My PR needs to be cherry picked to a specific release branch which is .
• My PR contains new or altered behavior to Kyverno and
  • CLI support should be added and my PR doesn't contain that functionality.

Further Comments

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 10.15%. Comparing base (f91bf65) to head (bb851af).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #9855   +/-   ##
=======================================
  Coverage   10.15%   10.15%           
=======================================
  Files        1030     1030           
  Lines       91793    91793           
=======================================
  Hits         9322     9322           
  Misses      81452    81452           
  Partials     1019     1019           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[realshuting]

Is there a sample policy for this? If so, do we need to update accordingly?

[realshuting]

/cherry-pick release-1.12