
[Enhancement] Documentation should specify where variables are not allowed

Open abohne opened this issue 11 months ago • 4 comments

Description

I've been working on writing a ClusterPolicy that includes a rule with a verifyImages section. I've been trying to source the imageReferences from a context value that contains an array of strings. My policy has failed to validate (without indication why) until I explicitly tried making the value of imageReferences into an array.

At that point, I finally was able to generate the following error

"policy contains invalid variables: rule \"verify-image-signature\" should not have variables in image reference section"

Example rule:

```yaml
  rules:
    - name: verify-image-signature
      match:
        any:
        - resources:
            kinds:
              - Pod
      context:
        - name: allowedregistryprefixes
          configMap:
            name: allowedregistryprefixes
            namespace: kyverno
      verifyImages:
      - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"]
```

This was extremely frustrating to diagnose, only to run into that error. If variables are not allowed in certain portions of a policy, the documentation (both on the main site and the API documentation for ClusterPolicy and Policy) should indicate that.

Slack discussion

No response

abohne avatar Jan 24 '25 17:01 abohne
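The restriction the error message describes can be caught before a policy is ever submitted to the API server. The following pre-flight lint is an added example written for this thread; it is not Kyverno's own validation code. It assumes the policy has already been parsed into a Python dict (in practice via `yaml.safe_load`), that Kyverno variables are always written in `{{ ... }}` form, and it uses two constructed policies: the failing rule quoted in the issue and a corrected variant with a literal registry glob in `imageReferences`.

```python
import re

# Kyverno variable references are written as {{ ... }}; any such token inside
# verifyImages[].imageReferences is rejected by policy validation. (Assumption:
# this regex covers the variable syntax the issue is about.)
VARIABLE_RE = re.compile(r"\{\{.*?\}\}")


def find_variable_violations(policy: dict) -> list[str]:
    """Return one message per rule whose verifyImages[].imageReferences
    contains a variable reference. The message text mirrors the error
    quoted in the issue so it can be grepped for in CI output."""
    violations: list[str] = []
    rules = policy.get("spec", {}).get("rules", []) or []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        for verify in rule.get("verifyImages", []) or []:
            refs = verify.get("imageReferences", []) or []
            if isinstance(refs, str):   # tolerate a scalar instead of a list
                refs = [refs]
            if any(VARIABLE_RE.search(str(ref)) for ref in refs):
                violations.append(
                    f'rule "{name}" should not have variables in image reference section'
                )
                break  # one report per rule is enough
    return violations


def _policy_with_refs(refs: list) -> dict:
    """Build a constructed ClusterPolicy dict around the given imageReferences."""
    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {"name": "verify-images"},
        "spec": {
            "rules": [
                {
                    "name": "verify-image-signature",
                    "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
                    "context": [
                        {
                            "name": "allowedregistryprefixes",
                            "configMap": {
                                "name": "allowedregistryprefixes",
                                "namespace": "kyverno",
                            },
                        }
                    ],
                    "verifyImages": [{"imageReferences": refs}],
                }
            ]
        },
    }


# Constructed sample 1: the rule from the issue, sourcing references from a variable.
BAD_POLICY = _policy_with_refs(
    ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"]
)

# Constructed sample 2: the same rule with literal registry globs, which is the
# form the validator accepts (example registry prefix, not from the issue).
GOOD_POLICY = _policy_with_refs(["ghcr.io/example-org/*"])


if __name__ == "__main__":
    for label, policy in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        problems = find_variable_violations(policy)
        status = "REJECT" if problems else "ok"
        print(f"{label}: {status}", *problems, sep="\n  ")
```

Running the lint over `BAD_POLICY` reproduces the issue's error for `verify-image-signature`, while `GOOD_POLICY` passes. The practical consequence is that the set of permitted registries has to be rendered into the policy at build time (for example by a templating step in the pipeline that ships the policy) rather than read from a ConfigMap at admission time.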

Thanks for opening your first issue here! Be sure to follow the issue template!

welcome[bot] avatar Jan 24 '25 17:01 welcome[bot]

I'd like to take this on! I'll update the documentation to clarify where variables are not allowed and provide examples. Assigning this to myself.

kushal9897 avatar Feb 05 '25 02:02 kushal9897

#1472 addresses the specific use case that I encountered, but it seems like there are other places that variables are not allowed as well.

E.g. https://github.com/kyverno/kyverno/blob/de0d8e04f840f8027cc4a653262edf04df3b601d/pkg/validation/policy/validate.go#L629

IMO, it would also be nice to document why variables are not allowed in these areas, but at least documenting that they are not allowed would be a welcome first step.

abohne avatar Feb 10 '25 18:02 abohne

Thanks for the feedback!

I appreciate the insights! While my current PR (#1472) addresses the imageReferences field, I see that there are other areas where variable interpolation is not allowed. I updated my PR to include documentation for those sections and also provide a brief explanation of why variables are restricted in these areas. I'll review the validation logic in validate.go and make the necessary changes. Let me know if there are any other sections you'd like to highlight!

kushal9897 avatar Feb 11 '25 03:02 kushal9897