Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: add a copy method to the policy context #10236

Merged
merged 4 commits into from
May 21, 2024
Merged

fix: add a copy method to the policy context #10236

merged 4 commits into from
May 21, 2024
+83 −1

Conversation

MariamFahmy98
Copy link
Collaborator

Explanation

In case there is a policy that have two rules; one of which has forEach so it sets the element of the policy context while the other rule which is of type validate.pattern uses the same policy context that has the element set.

This issue arises from the following line:

kyverno/pkg/engine/handlers/validation/validate_resource.go

Line 225 in 25cb47e

policyContext := v.policyContext

Both v.policyContext and policyContext reference the same struct in memory. As a solution, this PR implements a Copy() method for the policy context.

Related issue

Closes #10220

Milestone of this PR

/milestone 1.12.2

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

  1. Create the following policy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-service-ports
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: restrict-port-range
    match:
      any:
      - resources:
          kinds:
          - Service
    preconditions:
      all:
        - key: "{{ request.object.spec.type }}"
          operator: Equals
          value: 'LoadBalancer'
    validate:
      message: >-
        Only approved ports may be used for LoadBalancer services.
      foreach:
        - list: request.object.spec.ports[]
          deny:
            conditions:
              all:
                - key: "{{ element.port }}"
                  operator: AnyNotIn
                  value:
                    - 22
                    - 80
                    - 443
  - name: restrict-nodeport
    match:
      any:
      - resources:
          kinds:
          - Service
    validate:
      message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
      pattern:
        spec:
          =(type): "!NodePort"
  1. Create the following resource:
apiVersion: v1
kind: Service
metadata:
  name: service-example-port-22
spec:
  selector:
    app: example
  ports:
    - port: 22
      targetPort: 22
  type: LoadBalancer

The resource is successfully created.

We can test it using Kyverno CLI as follows:

./cmd/cli/kubectl-kyverno/kubectl-kyverno apply policy.yaml --resource resource.yaml -p

apiVersion: wgpolicyk8s.io/v1alpha2
kind: ClusterPolicyReport
metadata:
  creationTimestamp: null
  name: merged
results:
- message: rule passed
  policy: restrict-service-ports
  resources:
  - apiVersion: v1
    kind: Service
    name: service-example-port-22
    namespace: default
  result: pass
  rule: restrict-port-range
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1715695618
- message: validation rule 'restrict-nodeport' passed.
  policy: restrict-service-ports
  resources:
  - apiVersion: v1
    kind: Service
    name: service-example-port-22
    namespace: default
  result: pass
  rule: restrict-nodeport
  scored: true
  source: kyverno
  timestamp:
    nanos: 0
    seconds: 1715695618
summary:
  error: 0
  fail: 0
  pass: 2
  skip: 0
  warn: 0

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments

@MariamFahmy98 MariamFahmy98 added this to the Kyverno Release 1.12.2 milestone May 14, 2024
@codecov Codecov
Copy link

codecov bot commented May 14, 2024
edited

Codecov Report

Attention: Patch coverage is 0% with 3 lines in your changes are missing coverage. Please review.

Project coverage is 10.20%. Comparing base (e58d712) to head (81a80ed).

Files Patch % Lines
pkg/engine/policycontext/policy_context.go 0.00% 2 Missing ⚠️
...kg/engine/handlers/validation/validate_resource.go 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #10236      +/-   ##
==========================================
- Coverage   10.20%   10.20%   -0.01%     
==========================================
  Files        1031     1031              
  Lines       91875    91877       +2     
==========================================
- Hits         9377     9375       -2     
- Misses      81470    81473       +3     
- Partials     1028     1029       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@realshuting realshuting removed this from the Kyverno Release 1.12.2 milestone May 20, 2024
realshuting
realshuting previously approved these changes May 20, 2024
View reviewed changes
vishal-chdhry
vishal-chdhry previously approved these changes May 20, 2024
View reviewed changes
KhaledEmaraDev
KhaledEmaraDev previously approved these changes May 21, 2024
View reviewed changes
@realshuting realshuting enabled auto-merge (squash) May 21, 2024 06:01
@realshuting realshuting disabled auto-merge May 21, 2024 09:18
@MariamFahmy98 MariamFahmy98 enabled auto-merge (squash) May 21, 2024 12:47
realshuting
realshuting previously approved these changes May 21, 2024
View reviewed changes
@MariamFahmy98 MariamFahmy98 added this to the Kyverno Release 1.12.2 milestone May 21, 2024
@MariamFahmy98
fix: add a copy method to the policy context
f88f753 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
@MariamFahmy98
chore: add a CLI test
6a91260 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
@MariamFahmy98
chore: remove mutate changes
f1ff4c9 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
@MariamFahmy98
fix CLI test
81a80ed 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
@MariamFahmy98 MariamFahmy98 merged commit 57b2c5f into kyverno:main May 21, 2024
245 of 250 checks passed
@realshuting
Copy link
Member

/cherry-pick release-1.12

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request May 21, 2024
@MariamFahmy98
fix: add a copy method to the policy context (#10236)
f4efdec 
* fix: add a copy method to the policy context

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: add a CLI test

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: remove mutate changes

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request May 21, 2024
Merged
@realshuting realshuting added the cherry-pick-completed The PR was cherry-picked (or merged) to required release branches label May 21, 2024
realshuting pushed a commit that referenced this pull request May 21, 2024
@gcp-cherry-pick-bot @MariamFahmy98
fix: add a copy method to the policy context (#10236) (#10280)
b7fa943 
* fix: add a copy method to the policy context



* chore: add a CLI test



* chore: remove mutate changes



---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
anushkamittal2001 pushed a commit to nirmata/kyverno that referenced this pull request May 24, 2024
@gcp-cherry-pick-bot @MariamFahmy98 @anushkamittal2001
fix: add a copy method to the policy context (kyverno#10236) (kyverno…
9060176 
…#10280)

* fix: add a copy method to the policy context



* chore: add a CLI test



* chore: remove mutate changes



---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@realshuting realshuting realshuting approved these changes

@eddycharly eddycharly Awaiting requested review from eddycharly eddycharly is a code owner

@MarcelMue MarcelMue Awaiting requested review from MarcelMue MarcelMue is a code owner

@chipzoller chipzoller Awaiting requested review from chipzoller chipzoller is a code owner

@KhaledEmaraDev KhaledEmaraDev Awaiting requested review from KhaledEmaraDev KhaledEmaraDev is a code owner

@vishal-chdhry vishal-chdhry Awaiting requested review from vishal-chdhry

Assignees
No one assigned
Labels
cherry-pick-completed The PR was cherry-picked (or merged) to required release branches cherry-pick-required milestone 1.12.2 milestone 1.13.0
Projects
None yet
Milestone
Kyverno Release 1.12.2
Development

Successfully merging this pull request may close these issues.

[Bug] [CLI] 1.11.x to 1.12.x changed behavior for tests. Rules affect each over
4 participants
@MariamFahmy98 @realshuting @KhaledEmaraDev @vishal-chdhry