search

kyverno / chainsaw

Declarative K8s e2e testing
https://kyverno.github.io/chainsaw/
Apache License 2.0
310 stars 46 forks source link

[Bug] JMESPath conditions for name, namespace or labels don't work #2138

Open bertbaron opened 2 weeks ago

bertbaron commented 2 weeks ago

chainsaw version Version

v0.2.11

Description

JMESPath conditions for name or namespace are ignored. When a JMESPath condition is used for a label, all labels are ignored. In our setup this resulted in strange sporadic failures where totally different resources from other tests were matched.

The problem is that ResourceRef assumes that the values for those properties are string and silently removes them as a side-effect when they aren't, removing all labels if any label value isn't a string.

This could be considered an unsupported feature, but because of the strange behaviour and the clear cause I found in the code I think it can be considered a bug.

I already created a fix for which I will submit a pull request.

Steps to reproduce

  1. Run the following test: 
    apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: metadata-template-conditions
spec:
steps:
  - try:
      - apply:
          resource:
            apiVersion: v1
            kind: ConfigMap
            metadata:
              labels:
                color: green
                type: peugeot
                top_speed: '130'
              name: peugeot-206
      - assert:
          resource:
            apiVersion: v1
            kind: ConfigMap
            metadata:
              labels:
                color: red
                type: ferrari
                top_speed:
                  (to_number(@) > `200`): true
              name:
                (starts_with(@, 'ferrari-')): true

Expected behavior

The test should fail because four conditions don't match, of which two are not even JMESPath conditions.

Screenshots

No response

Logs

No response

Slack discussion

No response

Troubleshooting