website icon indicating copy to clipboard operation
website copied to clipboard

Published 20 hours ago verified publisher icon kyverno

[Enhancement] Please clarify the use of double curly braces for jmesPath in external variables

Open jsalatiel opened this issue 1 year ago • 8 comments

Description

It would be really nice if the docs could clearly explain the difference/possibility of using double curly braces in jmespath for external variables. I tried to create a policy that would set a variable based in one optional annotation or fallback to another annotation ( mandatory ) , in this case prefixed by some path.

The only way that worked ( thanks to @realshuting ) was to mix part of the request without double curly brace and part of it with double curly brace like this.

    - name: mountpath
      variable:
        jmesPath: request.object.metadata.annotations.optional || '/etc/ssl/{{request.object.metadata.annotations.mandatory"}}'

It would be nice to have a better understanding of that in the docs. Is that only for concatenation? What else?

Thanks!

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1728944204996649

jsalatiel avatar Oct 15 '24 10:10 jsalatiel

Thanks for opening your first issue here! Be sure to follow the issue template!

welcome[bot] avatar Oct 15 '24 10:10 welcome[bot]

Adding working samples, playground.

realshuting avatar Oct 15 '24 11:10 realshuting

By default for a plain JMESPath variable, no double curly brackets are needed in variable.jmesPath, for example:

    - name: mountpath
      variable:
        jmesPath: request.object.metadata.annotations.optional

Nested variables need to be wrapped with {{}}, for example:

    - name: mountpath
      variable:
        jmesPath: request.object.metadata.annotations.optional || '/custom/string/{{request.object.metadata.annotations.mandatory"}}'

realshuting avatar Oct 15 '24 11:10 realshuting

/assign

A-5ingh avatar Oct 25 '24 04:10 A-5ingh

@realshuting Please /assign Also quick question: I was doing a bit of research on where this should go and i think this seems like the right place: https://kyverno.io/docs/writing-policies/jmespath/#basics

We already have a paragraph here mentioning the following:

JMESPath expressions in most places in Kyverno must be enclosed in double curly braces like {{request.namespace}}. If an expression is used as the value of a field and contains nothing else, the expression needs to be wrapped in quotes: appns: "{{request.namespace}}". If the value field contains other text outside of the expression, then it can be unquoted and treated as a string but this isn’t strictly required: message: The namespace name is {{request.namespace}}.

I think we can update the above text.

Or do you think it should go in Variables over here: https://kyverno.io/docs/writing-policies/variables/ Since we do not necessarily need {{}} to reference the plain JMESPath variable. We need it for the nested variables.

Or we can mention both places and add the example you have shared above in the Variables doc.

Let me know what you guys think.

cerebro1 avatar Dec 20 '24 14:12 cerebro1

@JimBugwadia @realshuting Please /assign this

cerebro1 avatar Dec 31 '24 12:12 cerebro1

Or do you think it should go in Variables over here: https://kyverno.io/docs/writing-policies/variables/ Since we do not necessarily need {{}} to reference the plain JMESPath variable. We need it for the nested variables.

This makes sense to me! Since we have jmesPath under each attribute of a rule context, we can clarify the same on the variables page.

realshuting avatar Jan 03 '25 08:01 realshuting

Sure. Thanks for the details. I will start working on this.

cerebro1 avatar Feb 04 '25 15:02 cerebro1