fix: ns labels matching (kyverno#6020)

* fix ns labels matching Signed-off-by: ShutingZhao <[email protected]> * add kuttl tests Signed-off-by: ShutingZhao <[email protected]> Signed-off-by: ShutingZhao <[email protected]>
realshuting · Jan 18, 2023 · 36abeae · 36abeae
1 parent 0a19556
commit 36abeae
Show file tree

Hide file tree

Showing 10 changed files with 94 additions and 1 deletion.
diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
@@ -18,6 +18,7 @@ import (
 	matchutils "github.com/kyverno/kyverno/pkg/utils/match"
 	"github.com/kyverno/kyverno/pkg/utils/wildcard"
 	"github.com/pkg/errors"
+	"golang.org/x/exp/slices"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
@@ -124,7 +125,8 @@ func doesResourceMatchConditionBlock(subresourceGVKToAPIResource map[string]*met
 		}
 	}
 
-	if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" && resource.GetKind() != "" {
+	if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" &&
+		(resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind())) {
 		hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
 		if err != nil {
 			errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))

diff --git a/...e/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-ns.yaml b/...e/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- ns.yaml
+assert:
+- ns.yaml
diff --git a/...ttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-policy.yaml b/...ttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/...l/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/03-pod-fail.yaml b/...l/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/03-pod-fail.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - file: pod-fail.yaml
+    shouldFail: true
+  - file: pod-pass.yaml
+    shouldFail: false
diff --git a/...alidate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md b/...alidate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md
@@ -0,0 +1,12 @@
+# ## Description
+
+This test validates that the namespaceSelector is applied to a wildcard policy successfully.
+
+## Expected Behavior
+
+The pod `test-validate/nginx-block` is blocked, and the pod `default/nginx-pass` is created.
+
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6015
diff --git a/...ance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/ns.yaml b/...ance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/ns.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-wildcard
+  labels:
+    freeze: "true"
diff --git a/...uttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-fail.yaml b/...uttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-fail.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx
+  name: nginx-block
+  namespace: test-wildcard
+spec:
+  containers:
+  - image: nginx
+    name: test
diff --git a/...uttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-pass.yaml b/...uttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/pod-pass.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: nginx
+  name: nginx-pass
+  namespace: default
+spec:
+  containers:
+  - image: nginx
+    name: test
diff --git a/...validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy-assert.yaml b/...validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: freeze-policy
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/.../kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml b/.../kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: freeze-policy
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: freeze-rule
+      match:
+        any:
+        - resources:
+            kinds:
+            - "*"
+            namespaceSelector:
+              matchExpressions:
+                - key: freeze
+                  operator: In
+                  values:
+                  - "true"
+      validate:
+        message: "Namespace is frozen."
+        deny: {}