diff --git a/tests/e2e/authz-server/allow/chainsaw-test.yaml b/tests/e2e/authz-server/allow/chainsaw-test.yaml
index 6ded5d5..b6dbe0a 100644
--- a/tests/e2e/authz-server/allow/chainsaw-test.yaml
+++ b/tests/e2e/authz-server/allow/chainsaw-test.yaml
@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
- name: deny
+ name: allow
 spec:
 namespace: app
 steps:
diff --git a/tests/e2e/authz-server/default/chainsaw-test.yaml b/tests/e2e/authz-server/default/chainsaw-test.yaml
index 6ded5d5..05c9676 100644
--- a/tests/e2e/authz-server/default/chainsaw-test.yaml
+++ b/tests/e2e/authz-server/default/chainsaw-test.yaml
@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
- name: deny
+ name: default
 spec:
 namespace: app
 steps:
diff --git a/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml b/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml
new file mode 100644
index 0000000..0d67033
--- /dev/null
+++ b/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml
@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: no-variables
+spec:
+ steps:
+ - try:
+ - create:
+ file: ./policy.yaml
+ expect:
+ - check:
+ ($error): |-
+ admission webhook "kyverno-authz-server-validation.kyverno.svc" denied the request: AuthorizationPolicy.envoy.kyverno.io "policy" is invalid: spec.matchConditions[0].expression: Invalid value: "variables.foo": ERROR: :1:10: undefined field 'foo'
+ | variables.foo
+ | .........^
diff --git a/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml b/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml
new file mode 100644
index 0000000..ba93733
--- /dev/null
+++ b/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml
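Review bot: The `($error)` check in the new no-variables/chainsaw-test.yaml pins the webhook's whole rejection message byte-for-byte, including the CEL compiler's column offset (`:1:10`) and the two-line caret rendering, so a CEL library upgrade or a rename of the webhook service will fail this test without any change in the behaviour it verifies (an undefined variable in a match condition is rejected at admission). If chainsaw's assertion tree accepts a JMESPath projection at this position, matching only the stable part, `(contains($error, 'spec.matchConditions[0].expression')): true` together with `(contains($error, "undefined field 'foo'")): true`, would keep the negative test robust; otherwise the multi-line literal deserves a comment saying the match is intentionally exact and which component produces the text. The test also omits the `spec.namespace: app` that the sibling authz-server tests set; if that is deliberate because the policy is rejected before it is ever placed in a namespace, a one-line comment would save the next reader the question.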
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=../../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+ name: policy
+spec:
+ matchConditions:
+ - name: check-foo
+ expression: variables.foo
+ variables:
+ - name: foo
+ expression: >
+ true
+ deny:
+ - response: >
+ envoy
+ .Denied(403)
+ .WithBody("Unauthorized Request")
+ .Response()
diff --git a/website/docs/policies/match-conditions.md b/website/docs/policies/match-conditions.md
index a944c65..a2a7faf 100644
--- a/website/docs/policies/match-conditions.md
+++ b/website/docs/policies/match-conditions.md
@@ -6,7 +6,7 @@ Match conditions are **CEL expressions**. All match conditions must evaluate to
 !!!info
- Match conditions have access to the same CEL variables as validation expressions.
+ The policy [variables](./variables.md) will NOT be available in match conditions because they are evaluated before the rest of the policy.
 ## Example
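Review bot: The new policy.yaml fixture does not say why it declares a variable `foo` and then references it from `matchConditions[0]`, and because it sits beside real policies a reader could mistake it for a working example of variable use in match conditions. A header comment after the schema line, `# Negative fixture: matchConditions are evaluated before policy variables, so referencing variables.foo here must be rejected by the validation webhook (see chainsaw-test.yaml)`, would make the intent explicit. The `deny` response block is never exercised by this test since admission fails first, so it appears to be present only to keep the resource otherwise well-formed; stating that in the same comment avoids someone later "fixing" the policy so it admits.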