Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(reports-controller): Allow UPDATE Operation in Resource Validation for Reports Controller #23

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(reports-controller): Allow UPDATE Operation in Resource Validation for Reports Controller #23

wants to merge 1 commit into from

Conversation

Bhargav-InfraCloud
Copy link

@Bhargav-InfraCloud Bhargav-InfraCloud commented Feb 1, 2024
edited
Loading

Explanation

Allow UPDATE operation in validation.

Pass operations list instead of one to check for resources that match the policy's condition block.

Also, decouple the operation list for resource validation from the policy context's operation.

Related issue

9562

Milestone of this PR

NA

Documentation (optional)

NA

What type of PR is this

/kind bug

Proposed Changes

Allow UPDATE operation in validation.

Pass operations list instead of one to check for resources that match the policy's condition block.

Also, decouple the operation list for resource validation from the policy context's operation.

Proof Manifests

Included in issue 9562

Kyverno CLI test manifest (please see docs for latest manifest format at https://kyverno.io/docs/kyverno-cli/). See kyverno/policies for complete examples of all related test files.

NA

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments

NA

@Bhargav-InfraCloud Bhargav-InfraCloud self-assigned this Feb 1, 2024
@Bhargav-InfraCloud Bhargav-InfraCloud changed the title WIP: fix(reports-controller): Allow UPDATE operation in validation WIP: fix(reports-controller): Allow UPDATE Operation in Resource Validation for Reports Controller Feb 1, 2024
@Bhargav-InfraCloud Bhargav-InfraCloud force-pushed the br_include_update_op_in_resource_validation_in_bg_ctr branch 2 times, most recently from d258fa8 to 8fe2c5c Compare February 1, 2024 21:41
@Bhargav-InfraCloud Bhargav-InfraCloud marked this pull request as ready for review February 1, 2024 22:11
@Bhargav-InfraCloud
Copy link
Author

Steps to Test

  1. Clone the repo and switch to PR branch.
  2. Go to repo and run the following to deploy the changes in local KinD cluster:
make kind-create-cluster build-all kind-load-all kind-deploy-all

Note: It creates the KinD cluster(s).

  1. Create the following 2 cluster policies.
    With CREATE operation:
kubectl apply -f - <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-network-policy-with-create
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-netpol
      match:
        resources:
          kinds:
            - Namespace
          operations:
            - CREATE
            - UPDATE
      context:
      - name: network_policies_count
        apiCall:
          urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies"
          jmesPath: "items[] | length(@)"
      validate:
        message: "Multi-Tenancy & Isolation Checks; The namespace must have a network policy"
        deny:
          conditions:
            any:
            - key: "{{network_policies_count}}"
              operator: LessThan
              value: 1
EOF

Without CREATE operation:

kubectl apply -f - <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-network-policy-without-create
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: check-netpol
      match:
        resources:
          kinds:
            - Namespace
          operations:
            - UPDATE
      context:
      - name: network_policies_count
        apiCall:
          urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies"
          jmesPath: "items[] | length(@)"
      validate:
        message: "Multi-Tenancy & Isolation Checks; The namespace must have a network policy"
        deny:
          conditions:
            any:
            - key: "{{network_policies_count}}"
              operator: LessThan
              value: 1
EOF
  1. Check for events. Both should have events unlike earlier when the policy without CREATE doesn't list events.
kubectl get event --field-selector involvedObject.name=require-network-policy-with-create
kubectl get event --field-selector involvedObject.name=require-network-policy-without-create

@Bhargav-InfraCloud Bhargav-InfraCloud changed the title WIP: fix(reports-controller): Allow UPDATE Operation in Resource Validation for Reports Controller fix(reports-controller): Allow UPDATE Operation in Resource Validation for Reports Controller Feb 2, 2024
ApsTomar
ApsTomar approved these changes Feb 2, 2024
View reviewed changes
Copy link

@ApsTomar ApsTomar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Bhargav-InfraCloud
Copy link
Author

Thanks @ApsTomar

@Bhargav-InfraCloud Bhargav-InfraCloud force-pushed the br_include_update_op_in_resource_validation_in_bg_ctr branch from 8fe2c5c to 8d8d72b Compare February 2, 2024 13:30
@Bhargav-InfraCloud Bhargav-InfraCloud force-pushed the br_include_update_op_in_resource_validation_in_bg_ctr branch from 8d8d72b to 7136e7b Compare February 14, 2024 16:33
@Bhargav-InfraCloud
fix(reports-controller): Allow UPDATE operation in validation
1affc43 
Pass operations list instead of one to check for resources
that match policy's condition block.

Also, decouple operation list for resource validation from
the policy context's operation.

Fixes kyverno#9562

Signed-off-by: Bhargav Ravuri <[email protected]>
@Bhargav-InfraCloud Bhargav-InfraCloud force-pushed the br_include_update_op_in_resource_validation_in_bg_ctr branch from 7136e7b to 1affc43 Compare March 20, 2024 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ApsTomar ApsTomar ApsTomar approved these changes

Assignees

@Bhargav-InfraCloud Bhargav-InfraCloud

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Bhargav-InfraCloud @ApsTomar