chore: add match conditions with variable chainsaw test (#301)

Signed-off-by: Charles-Edouard Brétéché <[email protected]>
kyverno · Jan 6, 2025 · c5df7b5 · c5df7b5
1 parent 7c35858
commit c5df7b5
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 3 deletions.
diff --git a/tests/e2e/authz-server/allow/chainsaw-test.yaml b/tests/e2e/authz-server/allow/chainsaw-test.yaml
@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: deny
+  name: allow
 spec:
   namespace: app
   steps: 

diff --git a/tests/e2e/authz-server/default/chainsaw-test.yaml b/tests/e2e/authz-server/default/chainsaw-test.yaml
@@ -1,7 +1,7 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: deny
+  name: default
 spec:
   namespace: app
   steps: 

diff --git a/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml b/tests/e2e/validation-webhook/match-conditions/no-variables/chainsaw-test.yaml
@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: no-variables
+spec:
+  steps: 
+  - try:
+    - create:
+        file: ./policy.yaml
+        expect:
+        - check:
+            ($error): |-
+              admission webhook "kyverno-authz-server-validation.kyverno.svc" denied the request: AuthorizationPolicy.envoy.kyverno.io "policy" is invalid: spec.matchConditions[0].expression: Invalid value: "variables.foo": ERROR: <input>:1:10: undefined field 'foo'
+               | variables.foo
+               | .........^
diff --git a/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml b/tests/e2e/validation-webhook/match-conditions/no-variables/policy.yaml
@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=../../../../../.schemas/json/authorizationpolicy-envoy-v1alpha1.json
+apiVersion: envoy.kyverno.io/v1alpha1
+kind: AuthorizationPolicy
+metadata:
+  name: policy
+spec:
+  matchConditions:
+  - name: check-foo
+    expression: variables.foo
+  variables:
+  - name: foo
+    expression: >
+      true
+  deny:
+  - response: >
+      envoy
+        .Denied(403)
+        .WithBody("Unauthorized Request")
+        .Response()
diff --git a/website/docs/policies/match-conditions.md b/website/docs/policies/match-conditions.md
@@ -6,7 +6,7 @@ Match conditions are **CEL expressions**. All match conditions must evaluate to
 
 !!!info
 
-    Match conditions have access to the same CEL variables as validation expressions.
+    The policy [variables](./variables.md) will NOT be available in match conditions because they are evaluated before the rest of the policy.
 
 ## Example
-Original file line number
+Diff line change
@@ Expand Up @@
     !!!info
-        Match conditions have access to the same CEL variables as validation expressions.
+        The policy [variables](./variables.md) will NOT be available in match conditions because they are evaluated before the rest of the policy.
     ## Example
@@ Expand Down @@