[Bug] Enabling many-to-one comparisons for AnyNotIn operator
#9462
Conversation
Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #9462 +/- ##
==========================================
+ Coverage 10.11% 10.12% +0.01%
==========================================
Files 1030 1030
Lines 91757 91763 +6
==========================================
+ Hits 9285 9295 +10
+ Misses 81455 81452 -3
+ Partials 1017 1016 -1 ☔ View full report in Codecov by Sentry. |
|
Please add unit tests which cover any missing scenarios for this operator in your PR. |
Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com>
Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com>
Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com>
|
@chipzoller, I have added tests for scenarios like:
|
|
Please run go fmt |
|
@chipzoller, please have a look. |
|
You don't need to keep mentioning users upon every comment. This triggers a push notification every time is makes unnecessary noise when we already subscribe to these PRs/issues. |
|
@eddycharly or @realshuting: can you please ensure this is correct and we have 100% coverage on unit tests for all combinations and all types of supported values? |
|
Please explain the changes in full so the reviewer understands what has been fixed. The unit tests need to be fixed. |
|
PR template is also not complete. |
Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com>
sorry for that, now its done. |
AnyNotIn operator
no, that will defy the current logic i.e. "AnyNotIn checks that ANY of the keys are NOT found in the values." . See if key = [0,1,2] and value = 0 then since 1,2 are not in value, AnyNotIn is true. but when key = 0 and value =[0,1,2] now 0 is in value therefore false. |
|
Do we need to clarify this new behavior in our doc? |
no, this is not new behavior, it is just a bug that defies existing behavior. Docs already says this - |
|
@1Shubham7 - Could you please resolve all the comments? So that we can merge it. |
Hey Mariam, all the comments are already resolved. |
…no#9462) * added cases for int, float Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com> * added bool as well Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com> * added tests Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com> * some more tests Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com> * go fmt Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com> * fixed the failing test cases Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com> --------- Signed-off-by: Shubham Singh <shubhammahar1306@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
Explanation
The
AnyNotInoperator can't evaluate many-to-one comparisons (e.g. where key is array of int and value is int) for any datatype. This causes the rule in the webhook work differently from the CLI.Related issue
Fixes #9319
Milestone of this PR
Documentation (optional)
My PR contains new or altered behavior to Kyverno.
What type of PR is this
/kind bug
Proposed Changes
I have added support for these many-to-one comparisons for all datatypes.
Proof Manifests
Before
Step 1. The example Policy below uses
AnyNotInoperator and has a key of [0,1,2] and value is 0, so obviously it should evaluate to true, but sinceAnyNotInas of now doesn't support comparison when key is array of int and partially in value, the default implementation is false.Step 2. So after applying that policy, when we create this cm
Step 3. It allows the Configmap to be created.
After
After implementing these changes,
AnyNotInchecks if the key of type []int is not included in value which is true and the cm is blocked. So when we now apply the policy and create the configmapIt blocks the cm, and the result is
Checklist
Further Comments