Merge pull request kyverno#1331 from kyverno/1330_validate_condition_…

…operators 1330 validate condition operators
realshuting · Nov 30, 2020 · a90dcf8 · a90dcf8
2 parents ec95724 + 2aeb5aa
commit a90dcf8
Show file tree

Hide file tree

Showing 14 changed files with 1,079 additions and 2,961 deletions.
diff --git a/Makefile b/Makefile
@@ -179,7 +179,7 @@ kustomize-crd:
 	kustomize build ./definitions/debug > ./definitions/install_debug.yaml
 
 # guidance https://github.com/kyverno/kyverno/wiki/Generate-a-Release
-release: 
+release:
 	kustomize build ./definitions > ./definitions/install.yaml
 	kustomize build ./definitions > ./definitions/release/install.yaml
 
@@ -202,7 +202,7 @@ ifeq (, $(shell which controller-gen))
 	go get sigs.k8s.io/controller-tools/cmd/[email protected] ;\
 	rm -rf $$CONTROLLER_GEN_TMP_DIR ;\
 	}
-CONTROLLER_GEN=$(GOBIN)/controller-gen
+CONTROLLER_GEN=$(GOPATH)/bin/controller-gen
 else
 CONTROLLER_GEN=$(shell which controller-gen)
 endif

diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
diff --git a/definitions/crds/kyverno.io_clusterpolicies.yaml b/definitions/crds/kyverno.io_clusterpolicies.yaml
@@ -23,7 +23,7 @@ spec:
       name: Background
       type: string
     - jsonPath: .spec.validationFailureAction
-      name: Validatoin Failure Action
+      name: Validation Failure Action
       type: string
     name: v1
     schema:
@@ -431,6 +431,11 @@ spec:
                             x-kubernetes-preserve-unknown-fields: true
                           operator:
                             description: Operator is the operation to perform.
+                            enum:
+                            - Equals
+                            - NotEquals
+                            - In
+                            - NotIn
                             type: string
                           value:
                             description: Value is the conditional value, or set of
@@ -463,6 +468,11 @@ spec:
                                     x-kubernetes-preserve-unknown-fields: true
                                   operator:
                                     description: Operator is the operation to perform.
+                                    enum:
+                                    - Equals
+                                    - NotEquals
+                                    - In
+                                    - NotIn
                                     type: string
                                   value:
                                     description: Value is the conditional value, or

diff --git a/definitions/crds/kyverno.io_policies.yaml b/definitions/crds/kyverno.io_policies.yaml
@@ -23,7 +23,7 @@ spec:
       name: Background
       type: string
     - jsonPath: .spec.validationFailureAction
-      name: Validatoin Failure Action
+      name: Validation Failure Action
       type: string
     name: v1
     schema:
@@ -432,6 +432,11 @@ spec:
                             x-kubernetes-preserve-unknown-fields: true
                           operator:
                             description: Operator is the operation to perform.
+                            enum:
+                            - Equals
+                            - NotEquals
+                            - In
+                            - NotIn
                             type: string
                           value:
                             description: Value is the conditional value, or set of
@@ -464,6 +469,11 @@ spec:
                                     x-kubernetes-preserve-unknown-fields: true
                                   operator:
                                     description: Operator is the operation to perform.
+                                    enum:
+                                    - Equals
+                                    - NotEquals
+                                    - In
+                                    - NotIn
                                     type: string
                                   value:
                                     description: Value is the conditional value, or

diff --git a/definitions/install.yaml b/definitions/install.yaml
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cornelk/hashmap v1.0.1
-	github.com/evanphx/json-patch v4.5.0+incompatible
+	github.com/evanphx/json-patch v4.9.0+incompatible
 	github.com/fatih/color v1.9.0 // indirect
 	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/gardener/controller-manager-library v0.2.0
@@ -37,11 +37,11 @@ require (
 	google.golang.org/appengine v1.6.5 // indirect
 	gopkg.in/yaml.v2 v2.3.0
 	gotest.tools v2.2.0+incompatible
-	k8s.io/api v0.18.4
-	k8s.io/apiextensions-apiserver v0.18.4
-	k8s.io/apimachinery v0.18.4
-	k8s.io/cli-runtime v0.18.4
-	k8s.io/client-go v0.18.4
+	k8s.io/api v0.18.12
+	k8s.io/apiextensions-apiserver v0.18.12
+	k8s.io/apimachinery v0.18.12
+	k8s.io/cli-runtime v0.18.12
+	k8s.io/client-go v0.18.12
 	k8s.io/klog v1.0.0
 	k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6
 	sigs.k8s.io/controller-runtime v0.5.0

diff --git a/go.sum b/go.sum
@@ -140,6 +140,8 @@ github.com/evanphx/json-patch v4.0.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
 github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses=
+github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
@@ -911,31 +913,42 @@ k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
 k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4=
 k8s.io/api v0.18.4 h1:8x49nBRxuXGUlDlwlWd3RMY1SayZrzFfxea3UZSkFw4=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
+k8s.io/api v0.18.12 h1:97X6znOXMVgCKivTAgpBXGBGlCe3gbM++yFdldgBCaE=
+k8s.io/api v0.18.12/go.mod h1:3sS78jmUoGHwERyMbEhxP6owcQ77UxGo+Yy+dKNWrh0=
 k8s.io/apiextensions-apiserver v0.0.0-20190918161926-8f644eb6e783/go.mod h1:xvae1SZB3E17UpV59AWc271W/Ph25N+bjPyR63X6tPY=
 k8s.io/apiextensions-apiserver v0.16.4/go.mod h1:HYQwjujEkXmQNhap2C9YDdIVOSskGZ3et0Mvjcyjbto=
 k8s.io/apiextensions-apiserver v0.17.2/go.mod h1:4KdMpjkEjjDI2pPfBA15OscyNldHWdBCfsWMDWAmSTs=
 k8s.io/apiextensions-apiserver v0.18.4 h1:Y3HGERmS8t9u12YNUFoOISqefaoGRuTc43AYCLzWmWE=
 k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio=
+k8s.io/apiextensions-apiserver v0.18.12 h1:b0jTgW/qwqZBMIJTMxkLvvAtNRDZboG5yZiIbOFgQv8=
+k8s.io/apiextensions-apiserver v0.18.12/go.mod h1:nihADkPed1L37Vxpz2/BrtxO9mCtINH23aNtUe/CRLo=
 k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
 k8s.io/apimachinery v0.0.0-20190913080033-27d36303b655/go.mod h1:nL6pwRT8NgfF8TT68DBI8uEePRt89cSvoXUVqbkWHq4=
 k8s.io/apimachinery v0.16.4/go.mod h1:llRdnznGEAqC3DcNm6yEj472xaFVfLM7hnYofMb12tQ=
 k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
 k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
 k8s.io/apimachinery v0.18.4 h1:ST2beySjhqwJoIFk6p7Hp5v5O0hYY6Gngq/gUYXTPIA=
 k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
+k8s.io/apimachinery v0.18.12 h1:bLFXU4IxOu06F6Z6PV7eqtapXFb1G2q0ni0XBNFtJH8=
+k8s.io/apimachinery v0.18.12/go.mod h1:PF5taHbXgTEJLU+xMypMmYTXTWPJ5LaW8bfsisxnEXk=
 k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad/go.mod h1:XPCXEwhjaFN29a8NldXA901ElnKeKLrLtREO9ZhFyhg=
 k8s.io/apiserver v0.16.4/go.mod h1:kbLJOak655g6W7C+muqu1F76u9wnEycfKMqbVaXIdAc=
 k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo=
 k8s.io/apiserver v0.18.4 h1:pn1jSQkfboPSirZopkVpEdLW4FcQLnYMaIY8LFxxj30=
 k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8=
+k8s.io/apiserver v0.18.12/go.mod h1:uFOeW4LlxS6KDgLWy3n3gh0DhC6m41QIFgL33ouk+4w=
 k8s.io/cli-runtime v0.18.4 h1:IUx7quIOb4gbQ4M+B1ksF/PTBovQuL5tXWzplX3t+FM=
 k8s.io/cli-runtime v0.18.4/go.mod h1:9/hS/Cuf7NVzWR5F/5tyS6xsnclxoPLVtwhnkJG1Y4g=
+k8s.io/cli-runtime v0.18.12 h1:gVWbvntlEttCIvy1jc5UUr2cG/4TmmCM1MY/PGeENBo=
+k8s.io/cli-runtime v0.18.12/go.mod h1:wTj8W8za8NDWe505mrlckiZ5H2cZA0YEuv0E7WC+Srs=
 k8s.io/client-go v0.0.0-20190918160344-1fbdaa4c8d90/go.mod h1:J69/JveO6XESwVgG53q3Uz5OSfgsv4uxpScmmyYOOlk=
 k8s.io/client-go v0.16.4/go.mod h1:ZgxhFDxSnoKY0J0U2/Y1C8obKDdlhGPZwA7oHH863Ok=
 k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
 k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI=
 k8s.io/client-go v0.18.4 h1:un55V1Q/B3JO3A76eS0kUSywgGK/WR3BQ8fHQjNa6Zc=
 k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g=
+k8s.io/client-go v0.18.12 h1:MDGRE2tGidz29g45dI4kfelJo+aRmDqWx0Way8mD88A=
+k8s.io/client-go v0.18.12/go.mod h1:0aC8XkA09dX/goYqHQJ/kVv0zL1t+weOZt3pmz9LpxA=
 k8s.io/code-generator v0.0.0-20200306081859-6a048a382944/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc=
 k8s.io/component-base v0.0.0-20190612130303-4062e14deebe h1:GHRdxwv4/80MA+Yy/YVyfc9n6VyOhEGzyM09mEXsIAU=
 k8s.io/component-base v0.0.0-20190612130303-4062e14deebe/go.mod h1:MmIDXnint3qMN0cqXHKrSiJ2XQKo3J1BPIz7in7NvO0=

diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go
@@ -115,14 +115,16 @@ type Condition struct {
 }
 
 // ConditionOperator is the operation performed on condition key and value.
+// +kubebuilder:validation:Enum=Equals;NotEquals;In;NotIn
 type ConditionOperator string
-
 const (
 	// Equal evaluates if the key is equal to the value.
+	// Deprecated. Use Equals instead.
 	Equal ConditionOperator = "Equal"
 	// Equals evaluates if the key is equal to the value.
 	Equals ConditionOperator = "Equals"
 	// NotEqual evaluates if the key is not equal to the value.
+	// Deprecated. Use NotEquals instead.
 	NotEqual ConditionOperator = "NotEqual"
 	// NotEquals evaluates if the key is not equal to the value.
 	NotEquals ConditionOperator = "NotEquals"
@@ -143,7 +145,7 @@ type MatchResources struct {
 	ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
 }
 
-// ExcludeResources is used to specify resource and admission review request data for
+// ExcludeResources specifies resource and admission review request data for
 // which a policy rule is not applicable.
 type ExcludeResources struct {
 	// UserInfo contains information about the user performing the operation.

diff --git a/pkg/engine/variables/operator/equal.go b/pkg/engine/variables/operator/equal.go
@@ -2,6 +2,7 @@ package operator
 
 import (
 	"fmt"
+	"github.com/minio/minio/pkg/wildcard"
 	"math"
 	"reflect"
 	"strconv"
@@ -45,15 +46,15 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool {
 	// key and value need to be of same type
 	switch typedKey := key.(type) {
 	case bool:
-		return eh.validateValuewithBoolPattern(typedKey, value)
+		return eh.validateValueWithBoolPattern(typedKey, value)
 	case int:
-		return eh.validateValuewithIntPattern(int64(typedKey), value)
+		return eh.validateValueWithIntPattern(int64(typedKey), value)
 	case int64:
-		return eh.validateValuewithIntPattern(typedKey, value)
+		return eh.validateValueWithIntPattern(typedKey, value)
 	case float64:
-		return eh.validateValuewithFloatPattern(typedKey, value)
+		return eh.validateValueWithFloatPattern(typedKey, value)
 	case string:
-		return eh.validateValuewithStringPattern(typedKey, value)
+		return eh.validateValueWithStringPattern(typedKey, value)
 	case map[string]interface{}:
 		return eh.validateValueWithMapPattern(typedKey, value)
 	case []interface{}:
@@ -80,16 +81,16 @@ func (eh EqualHandler) validateValueWithMapPattern(key map[string]interface{}, v
 	return false
 }
 
-func (eh EqualHandler) validateValuewithStringPattern(key string, value interface{}) bool {
+func (eh EqualHandler) validateValueWithStringPattern(key string, value interface{}) bool {
 	if val, ok := value.(string); ok {
-		return key == val
+		return wildcard.Match(val, key)
 	}
 
 	eh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value))
 	return false
 }
 
-func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interface{}) bool {
+func (eh EqualHandler) validateValueWithFloatPattern(key float64, value interface{}) bool {
 	switch typedValue := value.(type) {
 	case int:
 		// check that float has not fraction
@@ -120,7 +121,7 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac
 	return false
 }
 
-func (eh EqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
+func (eh EqualHandler) validateValueWithBoolPattern(key bool, value interface{}) bool {
 	typedValue, ok := value.(bool)
 	if !ok {
 		eh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value))
@@ -129,7 +130,7 @@ func (eh EqualHandler) validateValuewithBoolPattern(key bool, value interface{})
 	return key == typedValue
 }
 
-func (eh EqualHandler) validateValuewithIntPattern(key int64, value interface{}) bool {
+func (eh EqualHandler) validateValueWithIntPattern(key int64, value interface{}) bool {
 	switch typedValue := value.(type) {
 	case int:
 		return int64(typedValue) == key

diff --git a/pkg/engine/variables/operator/in.go b/pkg/engine/variables/operator/in.go
@@ -3,7 +3,8 @@ package operator
 import (
 	"encoding/json"
 	"fmt"
-	"reflect"
+
+	"github.com/minio/minio/pkg/wildcard"
 
 	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/pkg/engine/context"
@@ -40,15 +41,15 @@ func (in InHandler) Evaluate(key, value interface{}) bool {
 
 	switch typedKey := key.(type) {
 	case string:
-		return in.validateValuewithStringPattern(typedKey, value)
+		return in.validateValueWithStringPattern(typedKey, value)
 	default:
 		in.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
 		return false
 	}
 }
 
-func (in InHandler) validateValuewithStringPattern(key string, value interface{}) (keyExists bool) {
-	invalidType, keyExists := ValidateStringPattern(key, value, in.log)
+func (in InHandler) validateValueWithStringPattern(key string, value interface{}) (keyExists bool) {
+	invalidType, keyExists := keyExistsInArray(key, value, in.log)
 	if invalidType {
 		in.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value))
 		return false
@@ -57,60 +58,70 @@ func (in InHandler) validateValuewithStringPattern(key string, value interface{}
 	return keyExists
 }
 
-// ValidateStringPattern ...
-func ValidateStringPattern(key string, value interface{}, log logr.Logger) (invalidType bool, keyExists bool) {
-	stringType := reflect.TypeOf("")
-	switch valuesAvaliable := value.(type) {
+// keyExistsInArray checks if the  key exists in the array value
+// The value can be a string, an array of strings, or a JSON format
+// array of strings (e.g. ["val1", "val2", "val3"].
+func keyExistsInArray(key string, value interface{}, log logr.Logger) (invalidType bool, keyExists bool) {
+	switch valuesAvailable := value.(type) {
+
 	case []interface{}:
-		for _, val := range valuesAvaliable {
-			if reflect.TypeOf(val) != stringType {
-				return true, false
-			}
-			if key == val {
-				keyExists = true
+		invalidType = false
+		for _, val := range valuesAvailable {
+			if v, ok := val.(string); ok {
+				if wildcard.Match(key, v) {
+					keyExists = true
+					return
+				}
 			}
 		}
 
-	// add to handle the configMap lookup, as configmap.data
-	// takes string-string map, when looking for a value of array
-	// data:
-	//   key: "[\"value1\", \"value2\"]"
-	// it will first unmarshal it to string slice, then compare
 	case string:
+
+		if wildcard.Match(valuesAvailable, key) {
+			keyExists = true
+			return
+		}
+
 		var arr []string
-		if err := json.Unmarshal([]byte(valuesAvaliable), &arr); err != nil {
-			log.Error(err, "failed to unmarshal to string slice", "value", value)
-			return invalidType, keyExists
+		if err := json.Unmarshal([]byte(valuesAvailable), &arr); err != nil {
+			log.Error(err, "failed to unmarshal value to JSON string array", "key", key, "value", value)
+			invalidType = true
+			return
 		}
 
 		for _, val := range arr {
 			if key == val {
 				keyExists = true
+				return
 			}
 		}
+
 	default:
-		return true, false
+		invalidType = true
+		return
 	}
 
-	return invalidType, keyExists
+	invalidType = true
+	keyExists = false
+	return
 }
 
-func (in InHandler) validateValuewithBoolPattern(key bool, value interface{}) bool {
+func (in InHandler) validateValueWithBoolPattern(_ bool, _ interface{}) bool {
 	return false
 }
 
-func (in InHandler) validateValuewithIntPattern(key int64, value interface{}) bool {
+func (in InHandler) validateValueWithIntPattern(_ int64, _ interface{}) bool {
 	return false
 }
 
-func (in InHandler) validateValuewithFloatPattern(key float64, value interface{}) bool {
+func (in InHandler) validateValueWithFloatPattern(_ float64, _ interface{}) bool {
 	return false
 }
 
-func (in InHandler) validateValueWithMapPattern(key map[string]interface{}, value interface{}) bool {
+func (in InHandler) validateValueWithMapPattern(_ map[string]interface{}, _ interface{}) bool {
 	return false
 }
 
-func (in InHandler) validateValueWithSlicePattern(key []interface{}, value interface{}) bool {
+func (in InHandler) validateValueWithSlicePattern(_ []interface{}, _ interface{}) bool {
 	return false
 }