fix(policy chart): Skip DELETE requests on policies using deny statem…

…ents (kyverno#7883) Fixes kyverno#7456 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com>
Chandan-DK · Jul 24, 2023 · 2273529 · 2273529
1 parent 295e98a
commit 2273529
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 4 deletions.
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
@@ -29,3 +29,5 @@ annotations:
       description: Support for customLabels, they were ignored up to now
     - kind: removed
       description: "Walk back change in PSS policy to send to to_upper"
+    - kind: fixed
+      description: Skip DELETE requests on policies using deny statements
diff --git a/charts/kyverno-policies/ci/test-preconditions-values.yaml b/charts/kyverno-policies/ci/test-preconditions-values.yaml
@@ -12,8 +12,18 @@ policyPreconditions:
     - key: "{{ request.object.metadata.name }}"
       operator: NotEquals
       value: "dcgm-exporter*"
+  disallow-capabilities:
+    all:
+    - key: "{{ request.object.metadata.name }}"
+      operator: NotEquals
+      value: "dcgm-exporter*"
   adding-capabilities-strict:
     all:
     - key: "{{ request.object.metadata.name }}"
       operator: NotEquals
       value: "dcgm-exporter*"
+  restrict-volume-types:
+    all:
+    - key: "{{ request.object.metadata.name }}"
+      operator: NotEquals
+      value: "dcgm-exporter*"
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -43,9 +43,26 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with index .Values "policyPreconditions" $name }}
+      {{- $preconditions := index .Values "policyPreconditions" $name }}
+      {{- if $preconditions }}
+      {{- with $preconditions }}
       preconditions:
-        {{- toYaml . | nindent 8 }}
+        {{- if .all }}
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
+        {{- toYaml .all | nindent 8 }}
+        {{- else }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- else }}
+      preconditions:
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
       {{- end }}
       validate:
         message: >-

diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -45,9 +45,26 @@ spec:
       exclude:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with index .Values "policyPreconditions" $name }}
+      {{- $preconditions := index .Values "policyPreconditions" $name }}
+      {{- if $preconditions }}
+      {{- with $preconditions }}
       preconditions:
-        {{- toYaml . | nindent 8 }}
+        {{- if .all }}
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
+        {{- toYaml .all | nindent 8 }}
+        {{- else }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- else }}
+      preconditions:
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
       {{- end }}
       validate:
         message: >-