From c5df7b54cd6374a5e1661a37d3d16e0486ad6bd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Mon, 6 Jan 2025 23:38:00 +0100
Subject: [PATCH] chore: add match conditions with variable chainsaw test (#301)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
---
 .../e2e/authz-server/allow/chainsaw-test.yaml | 2 +-
 .../authz-server/default/chainsaw-test.yaml | 2 +-
 .../no-variables/chainsaw-test.yaml | 15 +++++++++++++++
 .../match-conditions/no-variables/policy.yaml | 19 +++++++++++++++++++
 website/docs/policies/match-conditions.md | 2 +-
 5 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml
 create mode 100644 tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml
diff --git a/tests/e2e/authz-server/allow/chainsaw-test.yaml b/tests/e2e/authz-server/allow/chainsaw-test.yaml
index 6ded5d5..b6dbe0a 100644
--- a/tests/e2e/authz-server/allow/chainsaw-test.yaml
+++ b/tests/e2e/authz-server/allow/chainsaw-test.yaml
@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
- name: deny
+ name: allow
 spec:
 namespace: app
 steps:
diff --git a/tests/e2e/authz-server/default/chainsaw-test.yaml b/tests/e2e/authz-server/default/chainsaw-test.yaml
index 6ded5d5..05c9676 100644
--- a/tests/e2e/authz-server/default/chainsaw-test.yaml
+++ b/tests/e2e/authz-server/default/chainsaw-test.yaml
@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
- name: deny
+ name: default
 spec:
 namespace: app
 steps:
diff --git a/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml b/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml
new file mode 100644
index 0000000..0d67033
--- /dev/null
+++ b/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml
@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: no-variables
+spec:
+ steps:
+ - try:
+ - create:
+ file: ./policy.yaml
+ expect:
+ - check:
+ ($error): |-
+ admission webhook "kyverno-authz-server-validation.kyverno.svc" denied the request: AuthorizationPolicy.envoy.kyverno.io "policy" is invalid: spec.matchConditions[0].expression: Invalid value: "variables.foo": ERROR: :1:10: undefined field 'foo'
+ | variables.foo
+ | .........^
diff --git a/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml b/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml
new file mode 100644
index 0000000..ba93733
--- /dev/null
+++ b/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=../../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+ name: policy
+spec:
+ matchConditions:
+ - name: check-foo
+ expression: variables.foo
+ variables:
+ - name: foo
+ expression: >
+ true
+ deny:
+ - response: >
+ envoy
+ .Denied(403)
+ .WithBody("Unauthorized Request")
+ .Response()
diff --git a/website/docs/policies/match-conditions.md b/website/docs/policies/match-conditions.md
index a944c65..a2a7faf 100644
--- a/website/docs/policies/match-conditions.md
+++ b/website/docs/policies/match-conditions.md
@@ -6,7 +6,7 @@ Match conditions are **CEL expressions**. All match conditions must evaluate to
 !!!info
- Match conditions have access to the same CEL variables as validation expressions.
+ The policy [variables](./variables.md) will NOT be available in match conditions because they are evaluated before the rest of the policy.
 ## Example
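Review bot: The `($error)` check pins the whole webhook rejection verbatim — the webhook service name `kyverno-authz-server-validation.kyverno.svc`, the CEL source position `:1:10` and the two-line caret diagram — so a rename of the webhook or a change in the CEL library's diagnostic layout fails this test without any regression in the behaviour it guards. The property under test is narrower: the object must be rejected at admission because `spec.matchConditions[0].expression` references `variables.foo` and match conditions see no policy variables. If chainsaw's assertion tree offers a substring or pattern match on `$error` (I have not verified that it does), asserting only on `undefined field 'foo'` together with the `spec.matchConditions[0].expression` path would keep the test stable while still proving the fail-closed behaviour. A one-line comment above `steps:` would also make the intent clear to the next reader, e.g. `# match conditions run before policy variables exist, so a policy referencing variables.foo must be rejected at admission`.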
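Review bot: Nothing in policy.yaml marks the fixture as intentionally invalid: it declares a variable `foo` and then references `variables.foo` from a match condition, which reads like a complete, working policy to anyone browsing tests/e2e or to a linter run over the fixtures. A comment under the schema line would make the purpose explicit, e.g. `# Intentionally invalid: policy variables are evaluated after match conditions, so variables.foo is an undefined field here and the validation webhook must reject this object.` The `deny` response block is never exercised because the object is never admitted; saying so in the same comment would stop someone from "fixing" the expression and silently turning the negative test into a positive one.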