[Bug] Policy outcome in example for multiple match expressions doesn't seem to be correct #619

Closed
sandipb opened this issue Sep 12, 2022 · 2 comments · Fixed by #643
@sandipb
sandipb commented Sep 12, 2022

Page link

https://kyverno.io/docs/writing-policies/match-exclude/#match-statements

Description

In the second example in the documentation for match statements, the following code is given:

spec:
  rules:
  - name: no-LoadBalancer
    match:
      any:
      - resources:
          names: 
          - "prod-*"
          - "staging"
          kinds:
          - Service
      - resources:
          kinds:
          - Service
      - subjects:
        - kind: User
          name: dave

The description states:

match.any[1] will match all Services being created by the dave user regardless of the name of the Service. And since these two are specified under the any key, the entire rule will act on all Services with names prod-* or staging OR on all services being created by the dave user.

In other words, the logic described by the text is:

  • Any service named prod-* or staging
  • OR, Any service by user named dave

Expected behavior

But according to the syntax specified in the same page, the logic of the code is actually:

  • Any service named prod-* or staging
  • OR, Any service
  • OR, any action by user named dave

Being new to Kyverno policies, I am not yet clear how to change the code to match the description.

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1662998047002599

@sandipb sandipb added the bug Something isn't working label Sep 12, 2022
@welcome
welcome bot commented Sep 12, 2022

Thanks for opening your first issue here! Be sure to follow the issue template!

@chipzoller chipzoller added this to the 1.8.0 milestone Sep 13, 2022
@chipzoller chipzoller self-assigned this Sep 13, 2022
@chipzoller
Contributor

Hi @sandipb, the confusion here is an excess dash (-) which mistakenly denotes another object in the match.any[] object when the dash before subject should not be present, thus:

    match:
      any:
      - resources:
          names: 
          - "prod-*"
          - "staging"
          kinds:
          - Service
      - resources:
          kinds:
          - Service
        subjects:
        - kind: User
          name: dave

Will fix this soon.

@chipzoller chipzoller mentioned this issue Oct 11, 2022
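
Added example, not part of the issue thread and not Kyverno's code: a simplified Python model of the match semantics discussed above (entries under any are alternatives, clauses inside one entry must all hold), run over constructed requests to show what the stray dash changes. The function names, the request fields, and the use of fnmatch for the name wildcards are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Parsed form of the two match blocks from the thread (constructed by hand
# from the YAML shown above; no YAML library is needed to run this).
SVC_NAMED = {"resources": {"names": ["prod-*", "staging"], "kinds": ["Service"]}}
AS_PUBLISHED = {"any": [SVC_NAMED,
                        {"resources": {"kinds": ["Service"]}},
                        {"subjects": [{"kind": "User", "name": "dave"}]}]}
CORRECTED = {"any": [SVC_NAMED,
                     {"resources": {"kinds": ["Service"]},
                      "subjects": [{"kind": "User", "name": "dave"}]}]}

def entry_matches(entry, req):
    """Every clause present in one any[] entry must hold (AND)."""
    res = entry.get("resources", {})
    if "kinds" in res and req["kind"] not in res["kinds"]:
        return False
    if "names" in res and not any(fnmatchcase(req["name"], p) for p in res["names"]):
        return False
    subjects = entry.get("subjects")
    if subjects is not None and not any(
            s["kind"] == "User" and s["name"] == req["user"] for s in subjects):
        return False
    return True

def rule_matches(match, req):
    """Entries under match.any are alternatives (OR)."""
    return any(entry_matches(e, req) for e in match["any"])

# Constructed admission requests: kind, object name, requesting user.
REQUESTS = [
    {"kind": "Service", "name": "prod-api", "user": "alice"},
    {"kind": "Service", "name": "dev-api", "user": "alice"},
    {"kind": "Service", "name": "dev-api", "user": "dave"},
    {"kind": "ConfigMap", "name": "settings", "user": "dave"},
]

def compare():
    """Return (as_published, corrected) match results for each request."""
    return [(rule_matches(AS_PUBLISHED, r), rule_matches(CORRECTED, r))
            for r in REQUESTS]

if __name__ == "__main__":
    for req, (old, new) in zip(REQUESTS, compare()):
        print(f"{req['kind']:<9} {req['name']:<9} {req['user']:<6} "
              f"published={old} corrected={new}")
```

With the extra dash the rule fires on every Service and on anything dave touches, including the ConfigMap; with the dash removed it fires only on the named Services or on Services created by dave.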