Skip to content

Simplify Disallow hostPorts in CEL expressions #1108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JimBugwadia merged 2 commits into from
Oct 22, 2025
Merged

Simplify Disallow hostPorts in CEL expressions #1108

JimBugwadia merged 2 commits into from
Oct 22, 2025

Conversation

@lavishpal
Copy link
Contributor

@lavishpal lavishpal commented Aug 3, 2024
edited
Loading

Related Issue(s)

fixes #1093

Description

This PR simplify the CEL expression by removing the repeated terms.

Checklist

  • I have read the policy contribution guidelines.
  • I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

@lavishpal lavishpal mentioned this pull request Aug 3, 2024
Closed
@Chandan-DK
Copy link
Contributor

Chandan-DK commented Aug 3, 2024
edited
Loading

Hi @lavishpal - Thanks for the contribution!

We can create a variable allContainers to hold all the containers.

      validate:
        cel:
          variables:
            - name: allContainers
              expression: >-
                object.spec.containers + 
                object.spec.?initContainers.orValue([]) + 
                object.spec.?ephemeralContainers.orValue([])

We can then use this variable and simplify expression to:

         expressions:
            - expression: >- 
                variables.allContainers.all(container, 
                container.?ports.orValue([]).all(port, port.?hostPort.orValue(0) == 0))

@lavishpal
Copy link
Contributor Author

lavishpal commented Aug 3, 2024

Yes we can use variable, but we can also directly use optional .

@Chandan-DK
Copy link
Contributor

Chandan-DK commented Aug 3, 2024

Yes, using the optional syntax directly in the expression is a valid approach and works well. However, it's easier to read the expression when we can generalize a large expression like this into a variable.

object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])

The newer CEL policies in the library make use of the allContainers variable, and it would help keep it consistent with that.

@lavishpal
Copy link
Contributor Author

lavishpal commented Aug 4, 2024

cc : @JimBugwadia

chipzoller
chipzoller suggested changes Aug 4, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multiple tests failing.

@lavishpal lavishpal force-pushed the simplify-cel-host-ports branch 10 times, most recently from 237e5a2 to 3b925f4 Compare August 6, 2024 12:13
@lavishpal lavishpal requested a review from chipzoller August 6, 2024 12:24
chipzoller
chipzoller previously requested changes Aug 9, 2024
View reviewed changes
Copy link
Contributor

@chipzoller chipzoller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests are failing.

@lavishpal lavishpal force-pushed the simplify-cel-host-ports branch from 3b925f4 to ab6d073 Compare August 9, 2024 14:54
@lavishpal
Copy link
Contributor Author

lavishpal commented Aug 9, 2024

Multiple tests failing.

Can you guide me how to fix these test.

@chipzoller
Copy link
Contributor

chipzoller commented Aug 9, 2024

Once CI completes, go look at the failing tests and see the logged messages.

@lavishpal lavishpal force-pushed the simplify-cel-host-ports branch from ab6d073 to 6382933 Compare August 13, 2024 11:19
@lavishpal lavishpal force-pushed the simplify-cel-host-ports branch from 5045ac9 to 5688761 Compare November 13, 2024 22:13
@realshuting
Copy link
Member

realshuting commented Nov 15, 2024

All disallow-host-ports tests failed, something's broken.

@lavishpal
Copy link
Contributor Author

lavishpal commented Nov 16, 2024

Yeah i figured out that there is indentation mistake in YAML.

@realshuting
Copy link
Member

realshuting commented Nov 18, 2024

@lavishpal - are you fixing it?

@lavishpal
Copy link
Contributor Author

lavishpal commented Nov 18, 2024

@lavishpal - are you fixing it?

Yeah i will fix it till tomorrow.

@lavishpal
Copy link
Contributor Author

lavishpal commented May 28, 2025

cc: @realshuting
PTAL

@lavishpal lavishpal force-pushed the simplify-cel-host-ports branch from c8b5678 to 459d31c Compare June 25, 2025 12:01
@realshuting realshuting requested a review from chipzoller June 25, 2025 13:44
@realshuting realshuting dismissed chipzoller’s stale review June 25, 2025 13:45

Chip has stepped down from the Kyverno maintainer.

JimBugwadia
JimBugwadia previously approved these changes Oct 21, 2025
View reviewed changes
@JimBugwadia JimBugwadia enabled auto-merge (squash) October 21, 2025 23:05
auto-merge was automatically disabled October 21, 2025 23:17

Head branch was pushed to by a user without write access

@JimBugwadia
Copy link
Member

JimBugwadia commented Oct 21, 2025

Thanks @lavishpal! The DCO also needs to be fixed.

@lavishpal
Copy link
Contributor Author

lavishpal commented Oct 21, 2025

Hi @JimBugwadia ,
I just Fixed the artifacthub-pkg.yml.
This resolves the Artifact Hub lint failure

@lavishpal lavishpal force-pushed the simplify-cel-host-ports branch 2 times, most recently from 8119432 to 98b6997 Compare October 21, 2025 23:34
@lavishpal
Update artifacthub-pkg.yml
5a11bc5 
Signed-off-by: Lavish Pal <[email protected]>
(cherry picked from commit 8119432)
Signed-off-by: Lavish Pal <[email protected]>
@lavishpal lavishpal force-pushed the simplify-cel-host-ports branch from 98b6997 to 5a11bc5 Compare October 21, 2025 23:50
@JimBugwadia JimBugwadia enabled auto-merge (squash) October 21, 2025 23:54
JimBugwadia
JimBugwadia previously approved these changes Oct 21, 2025
View reviewed changes
auto-merge was automatically disabled October 22, 2025 00:23

Head branch was pushed to by a user without write access

@lavishpal
Copy link
Contributor Author

lavishpal commented Oct 22, 2025

cc: @JimBugwadia

@JimBugwadia JimBugwadia enabled auto-merge (squash) October 22, 2025 00:26
@JimBugwadia JimBugwadia merged commit a2eca38 into kyverno:main Oct 22, 2025
270 of 271 checks passed
@lavishpal lavishpal deleted the simplify-cel-host-ports branch October 22, 2025 00:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JimBugwadia JimBugwadia JimBugwadia approved these changes

@chipzoller chipzoller Awaiting requested review from chipzoller

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

disallow-host-ports: simplify CEL expressions

5 participants

@lavishpal @Chandan-DK @chipzoller @realshuting @JimBugwadia