
I am learning how to use Kyverno to build some policies, but I am having a few problems understanding some behaviour:

My first scenario is that I want to block some resource that may or may not have spec.tier set. If it is set and it is different from 'Application' I want it to be blocked. If it is not set it should be allowed. So I tried this:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-block-tier
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: test-block-tier
    match:
      any:
      - resources:
          kinds:
          - crd.antrea.io/v1alpha1/NetworkPolicy
    preconditions:
      any:
      - key: "{{request.object.spec.tier || 'Application'}}"
        operator: NotEquals
        value: Application
    validate:
      message: "Antrea namespaced ANP can only be used on tier: Application"
      deny: {}

The policy works as expected as long as the tier is set in the YAML.

It accepts if it has tier: Application

apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
spec:
  tier: Application

It refuses if it has tier: anything else

apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
spec:
  tier: Emergency

But it also refuses if spec.tier is not set, which I was not expecting, since the default when it does not exist is "Application" per key: "{{request.object.spec.tier || 'Application'}}".

What should I change to make it work as expected?

Jose

1 Answer


Your example works for me:

/tmp/test ❯ cat neither.yaml
apiVersion: crd.antrea.io/v1alpha1
kind: NetworkPolicy
metadata:
  name: test-np
/tmp/test ❯ cat policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test-block-tier
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: test-block-tier
    match:
      any:
      - resources:
          kinds:
          - crd.antrea.io/v1alpha1/NetworkPolicy
    preconditions:
      any:
      - key: "{{request.object.spec.tier || 'Application'}}"
        operator: NotEquals
        value: Application
    validate:
      message: "Antrea namespaced ANP can only be used on tier: Application"
      deny: {}
/tmp/test ❯ kyverno -v3 apply policy.yaml --resource neither.yaml
I1027 14:20:09.635300    9373 logr.go:261]  "msg"="Defaulting request.operation to CREATE"
I1027 14:20:09.997558    9373 logr.go:261]  "msg"="read policies" "errors"=0 "policies"=1

Applying 1 policy rule to 1 resource...
I1027 14:20:09.999904    9373 logr.go:261]  "msg"="variable substituted" "path"="/preconditions/any/0/key" "value"=null "variable"="{{request.object.spec.tier || 'Application'}}"
I1027 14:20:10.000398    9373 logr.go:261]  "msg"="applying policy on resource" "policy"="test-block-tier" "resource"="default/NetworkPolicy/test-np"
I1027 14:20:10.002033    9373 validation.go:125] EngineValidate "msg"="processing validation rule" "applyRules"="All" "kind"="NetworkPolicy" "matchCount"=0 "name"="test-np" "namespace"="default" "policy"="test-block-tier" "rule"="test-block-tier"
I1027 14:20:10.003314    9373 vars.go:380] EngineValidate "msg"="variable substituted" "kind"="NetworkPolicy" "name"="test-np" "namespace"="default" "path"="/any/0/key" "policy"="test-block-tier" "rule"="test-block-tier" "value"="Application" "variable"="{{request.object.spec.tier || 'Application'}}"
I1027 14:20:10.003766    9373 evaluate.go:57] EngineValidate "msg"="no condition passed for 'any' block" "any"=[{"key":"Application","operator":"NotEquals","value":"Application"}] "kind"="NetworkPolicy" "name"="test-np" "namespace"="default" "policy"="test-block-tier" "rule"="test-block-tier"

pass: 0, fail: 0, warn: 0, error: 0, skip: 1
Setomidor
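The answer checks only the "tier unset" case by hand. The script below is an added example, not code from either poster: it drives all three cases from the thread (tier set to Application, tier set to Emergency, tier unset) through the same `kyverno apply policy.yaml --resource ...` command and classifies each run from the CLI's summary line ("pass: N, fail: N, warn: N, error: N, skip: N"). It assumes the kyverno CLI is on PATH and that the ClusterPolicy from the thread is saved as policy.yaml in the current directory; the resource manifests it writes to the temp directory are constructed here.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes the
# kyverno CLI is installed and policy.yaml (the ClusterPolicy above) exists.
set -u

# Map a kyverno summary line to a verdict. With this policy a resource is
# allowed either when the rule passes or when every precondition evaluates
# to false and the rule is skipped; "fail" means the deny fired.
verdict_from_summary() {
  # $1: a line such as "pass: 0, fail: 0, warn: 0, error: 0, skip: 1"
  line="$1"
  fail=$(printf '%s\n' "$line" | sed -n 's/.*fail: \([0-9]*\).*/\1/p')
  skip=$(printf '%s\n' "$line" | sed -n 's/.*skip: \([0-9]*\).*/\1/p')
  if [ -z "$fail" ] || [ -z "$skip" ]; then
    echo "unknown"
    return 1
  fi
  if [ "$fail" -gt 0 ]; then
    echo "denied"
  elif [ "$skip" -gt 0 ]; then
    echo "allowed-skipped"
  else
    echo "allowed"
  fi
}

# Write a constructed Antrea NetworkPolicy manifest to $1; an empty tier
# argument ($2) omits spec.tier entirely, reproducing neither.yaml above.
write_np() {
  printf 'apiVersion: crd.antrea.io/v1alpha1\nkind: NetworkPolicy\nmetadata:\n  name: test-np\n' > "$1"
  if [ -n "$2" ]; then
    printf 'spec:\n  tier: %s\n' "$2" >> "$1"
  fi
}

# Run one case through the CLI and print the verdict.
run_case() {
  # $1: label, $2: tier value (empty = unset)
  file="${TMPDIR:-/tmp}/np-$1.yaml"
  write_np "$file" "$2"
  summary=$(kyverno apply policy.yaml --resource "$file" 2>/dev/null | grep -E '^pass: ')
  printf '%-12s tier=%-12s -> %s\n' "$1" "${2:-<unset>}" "$(verdict_from_summary "$summary")"
}

if command -v kyverno >/dev/null 2>&1 && [ -f policy.yaml ]; then
  run_case application Application   # precondition false  -> skipped (allowed)
  run_case emergency   Emergency     # precondition true   -> deny fires
  run_case unset       ""            # '||' default applies -> skipped (allowed)
else
  echo "kyverno CLI or policy.yaml not found; skipping live run" >&2
fi
```

Expected output against the policy from the thread is "allowed-skipped" for the Application and unset cases and "denied" for Emergency. If the unset case instead reports "denied", compare the `-v3` log line for `/preconditions/any/0/key`: the substituted value should read "Application", as in the answer's run.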