[Bug] kyverno-json documentation seems incorrect re: wildcards and validate property #342

Open
1 task done
menzenski opened this issue Mar 22, 2024 · 6 comments
Labels
bug Something isn't working good first issue Good for newcomers triage Default label assigned to all new issues indicating label curation is needed to fully organize.

@menzenski

Kyverno JSON Version

0.1.0

Description

I am on version 0.0.2, which I can't select in the bug issue form version selector (I installed via Homebrew, and the only version available there is 0.0.2).

The kyverno-json documentation includes an example ValidatingPolicy that uses validate with a wildcard ?*:

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: required-s3-tags
spec:
  rules:
    - name: require-team-tag
      identifier: address
      match:
        any:
        - type: aws_s3_bucket
      exclude:
        any:
        - name: bypass-me
      validate:
        assert:
          all:
          - values:
              tags:
                Team: ?*

However, this doesn't work. In the Kyverno playground an attempt to use this policy just returns {"results": null}. On the command line there is an error thrown:

$ kyverno-json scan --payload my_payload.yaml --policy required_s3_tags.yaml
Loading policies ...
Error: failed to parse document (spec.rules[0].validate: Invalid value: value provided for unknown field)

Steps to reproduce

  1. Define policy with the YAML example from the documentation:
cat <<EOF > test_policy.yaml
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: required-s3-tags
spec:
  rules:
    - name: require-team-tag
      identifier: address
      match:
        any:
        - type: aws_s3_bucket
      exclude:
        any:
        - name: bypass-me
      validate:
        assert:
          all:
          - values:
              tags:
                Team: ?*
EOF
  2. Invoke kyverno-json using that policy:
$ kyverno-json scan --policy test_policy.yaml

This throws an error:

$ kyverno-json scan --policy test_policy.yaml
Loading policies ...
Error: failed to parse document (spec.rules[0].validate: Invalid value: value provided for unknown field)

Expected behavior

I had expected that the examples provided in the documentation would work.

Screenshots

No response

Logs

No response

Slack discussion

No response

Troubleshooting

  • I have searched other issues in this repository and mine is not recorded.
@menzenski menzenski added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Mar 22, 2024
@menzenski
Author

Many of the examples on https://kyverno.github.io/kyverno-json/latest/policies/asserts/#assert also contain the validate property. These seem to exhibit the same error.

For example:

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: test
spec:
  rules:
    - name: foo-bar-4
      validate:
        assert:
          all:
          - message: "..."
            check:
              # project field `foo` onto itself, the content of `foo` becomes the current object for descendants
              foo:

                # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants
                # the `true` leaf is compared with the current value `true`
                (bar > `3`): true

                # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants
                # the leaf `false` is compared with the current value `false`
                (!baz): false

                # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants
                # the leaf `10` is compared with the current value `10`
                (bar + bat): 10

$ kyverno-json scan --policy test_policy_2.yaml
Loading policies ...
Error: failed to parse document (spec.rules[0].validate: Invalid value: value provided for unknown field)

@menzenski menzenski changed the title [Bug] kyverno-documentation seems incorrect re: wildcards [Bug] kyverno-documentation seems incorrect re: wildcards and validate property Mar 22, 2024
@menzenski menzenski changed the title [Bug] kyverno-documentation seems incorrect re: wildcards and validate property [Bug] kyverno-json documentation seems incorrect re: wildcards and validate property Mar 22, 2024
@eddycharly
Member

Hmm, thanks for reporting !

Will check that next week.

@JimBugwadia JimBugwadia added the good first issue Good for newcomers label Jun 9, 2024
@12rashic

/assign

@Curious-x

Hi, I was building a project which used KyvernoJSON. As I was understanding its working, I stumbled upon the same mistakes which are mentioned above. I figured it out: it was mainly due to some mistakes in some of the examples on the website Assertion Tree.

The main issue: use of validate before assert and missing check after assert.

This is the example given on the latest website:
[image]

and the KyvernoJSON playground gives this error:

{
  "results": [
    {
      "policy": "test",
      "rule": "foo-bar",
      "result": "error",
      "message": "<nil>: Invalid value: \"null\": an empty assert is not valid"
    }
  ]
}

If corrected according to doc:

An assert declaration contains an any or all list in which each entry contains a:
check: the assertion check
message: an optional message

The policy becomes:

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: test
spec:
  rules:
    - name: foo-bar
      assert:
          all:
          - check:
             foo:
              bar:
              - 1
              - 2
              - 3

and the result is as expected:

{
  "results": [
    {
      "policy": "test",
      "rule": "foo-bar",
      "result": "pass",
      "message": ""
    }
  ]
}
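
A pre-flight check for the two mistakes identified in the comment above (an `assert` wrapped in `validate`, and assert entries without `check`), as an added example that is not part of the original thread or of the kyverno-json project. The function name `lint_policy` and both sample documents are constructed for illustration; the policies are trimmed and written as JSON (which is also valid YAML) so only the Python standard library is needed.

```python
import json

# Constructed sample: the rule shape from the issue's first policy, trimmed
# and rendered as JSON so the example needs only the standard library.
BROKEN = json.loads("""
{"apiVersion": "json.kyverno.io/v1alpha1", "kind": "ValidatingPolicy",
 "metadata": {"name": "required-s3-tags"},
 "spec": {"rules": [{"name": "require-team-tag",
   "validate": {"assert": {"all": [{"values": {"tags": {"Team": "?*"}}}]}}}]}}
""")

# Constructed sample: the corrected shape from the comment above.
FIXED = json.loads("""
{"apiVersion": "json.kyverno.io/v1alpha1", "kind": "ValidatingPolicy",
 "metadata": {"name": "test"},
 "spec": {"rules": [{"name": "foo-bar",
   "assert": {"all": [{"check": {"foo": {"bar": [1, 2, 3]}}}]}}]}}
""")


def lint_policy(policy):
    """Return (path, problem) pairs for the rule-shape mistakes in this thread."""
    findings = []
    rules = (policy.get("spec") or {}).get("rules") or []
    for i, rule in enumerate(rules):
        base = f"spec.rules[{i}]"
        # Mistake 1: the examples nest `assert` under a `validate` key.
        if "validate" in rule:
            findings.append((f"{base}.validate", "assert is wrapped in validate"))
        assertion = rule.get("assert") or {}
        entries = [(k, j, e) for k in ("any", "all")
                   for j, e in enumerate(assertion.get(k) or [])]
        if not entries:
            findings.append((f"{base}.assert", "missing or empty assert"))
        # Mistake 2: each any/all entry must carry a `check`.
        for kind, j, entry in entries:
            if not isinstance(entry, dict) or entry.get("check") is None:
                findings.append((f"{base}.assert.{kind}[{j}]", "entry has no check"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_policy(doc) or "ok")
```

The reported paths follow the `spec.rules[0].validate` form of the CLI error quoted earlier in the thread, so a finding can be matched against the tool's own message.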

@Curious-x

The first comment of @menzenski in this thread refers to the wildcard.

Playground Example Link

To use wildcard:

One could use the custom [wildcard function](https://kyverno.github.io/kyverno-json/latest/jp/functions/#custom-functions) provided by Kyverno-json, as at the time of this comment JMESPath doesn't support wildcard comparison, but it's proposed.
Policy

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: test
spec:
  rules:
    - name: wildcard entry
      assert:
          all:
          - message: "Presence Check using wildcard"
            check:
                foo:
                 (wildcard('?*',image)): true

Data

foo:
  image: Test

Output

{
  "results": [
    {
      "policy": "test",
      "rule": "wildcard entry",
      "result": "pass",
      "message": ""
    }
  ]
}

@Curious-x

Curious-x commented Dec 18, 2024

Respected @JimBugwadia,

I plan to correct the mistakes I have identified in the code examples, but it seems that the project doc might be updated with the next patch. So I wanted to confirm whether I should make these corrections or whether someone is already working on the doc update.

5 participants