kyverno: [Bug] [CLI] Exclude statements are not evaluated correctly during testing

Kyverno CLI Version

1.9.2

Description

I have two equivalent sections inside the policy that filter out the resources:

      exclude:
        any:
          - subjects:
            - kind: Group
              name: "system:masters"

and a very similar section in preconditions:

          - key: "{{ request.userInfo.groups }}"
            operator: AllNotIn
            value: [ "system:masters" ]

The mocked data work properly for preconditions, but identical tests fail when the exclude statement is used instead.

Steps to reproduce

  1. Try to comment out the exclude section and run the tests
  2. Try to do the reverse: comment out the part of the precondition that validates the subject/resources, and uncomment the exclude section

Expected behavior

Tests work identically; however, it seems like the mock data doesn’t propagate to the exclude section.

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.

About this issue

  • State: closed
  • Created a year ago
  • Comments: 18 (10 by maintainers)

Most upvoted comments

Ok, so this is exclusive to the CLI. We have some issues with the CLI regarding users and groups, so I assume this is related. We’re hoping to put some serious effort into the CLI for the 1.11 release.

Please add the YAML contents to either your first comment or a follow-up. Attaching ZIP files is risky and not ideal.