
[Feature] automatically escape - within strings for JMESPath #4206

Open · JimBugwadia opened this issue Jul 11, 2022 · 7 comments
Labels: enhancement (New feature or request), JMESPath (Issues that deal with JMESPath)

Comments

@JimBugwadia
Member

Kyverno Version

1.7.2

Description

JMESPath does not allow a - in an expression. See: jmespath/jmespath.py#109

However, JSON keys (especially for Kubernetes resource names, etc.) commonly have dashes.

This requires all usage of such strings to be quoted:

This does not work:

"{{ my-map.data.{{image.name}} }}"

(image.name resolves to a string with a -)

This works:

"{{ \"my-map\".data.\"{{image.name}}\" }}"

It would be good if Kyverno can automatically quote any string with a - in it.

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@JimBugwadia JimBugwadia added bug Something isn't working JMESPath Issues that deal with JMESPath labels Jul 11, 2022
@chipzoller chipzoller added enhancement New feature or request and removed bug Something isn't working labels Feb 26, 2023
@vishal-chdhry
Member

vishal-chdhry commented Feb 26, 2023

This might be relevant as well: jmespath/go-jmespath#58

@chipzoller as stated here, we can add this workaround jmespath/go-jmespath#58 (comment) until it is fixed in the go-jmespath library itself

@chipzoller
Member

Could we still add this?

@vishal-chdhry
Member

vishal-chdhry commented Jul 19, 2023

@chipzoller We can either

  1. Add the workaround in our code, or,
  2. We can do an upstream contribution to go-jmespath, or,
  3. Add it to kyverno/go-jmespath

What is the best approach here?

@chipzoller
Member

Are we using Kyverno's fork of go-jmespath currently? If so, I would do 3 and then 2. If we're using upstream go-jmespath currently, I would do 1 and then 2.

@vishal-chdhry
Member

/assign

@vishal-chdhry
Member

vishal-chdhry commented Jul 24, 2023

This gets compiled as well

key: "{{ \"image-data\".{{element}} }}"
key: "{{ \"image-data\".user }}"

This gets compiled, but the key does not get resolved

key: "{{ \"image-data.user\" }}"

Discussion in jmespath/jmespath.py#109 (comment) suggests that this is by design

Sorry for the delayed response. Yes, this is by design. There's a quoted-string and unquoted-string in the grammar rules. Docs here, and a few examples here.

Is it worth changing this, if it is in the JMESPath specification? We can put keys with hyphens in quotes, like \"key-with-hyphen\"

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-trustable-images
spec:
  validationFailureAction: Enforce
  rules:
  - name: only-allow-trusted-images
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      - key: "{{request.operation}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "images with root user are not allowed"
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: image-data
          imageRegistry:
            reference: "{{ element.image }}"
            jmesPath: "{user: configData.config.User || '', registry: registry}"
        deny:
          conditions:
            all:
              - key: "{{ \"image-data\".user }}"
                operator: Equals
                value: ""
              - key: "{{ \"image-data\".{{element}} }}"
                operator: NotEquals
                value: "ghcr.io"

@chipzoller
Member

It would just be easier this way and to always do it:

        deny:
          conditions:
            all:
              - key: '{{ "image-data".{{element}} }}'
                operator: NotEquals
                value: ghcr.io
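The auto-quoting the issue asks for, written here as an added example (not Kyverno or go-jmespath code). It assumes a plain JMESPath expression, i.e. the text left after Kyverno has substituted its `{{...}}` variables, and wraps only unquoted identifiers that contain a `-` in double quotes; anything already inside `"..."`, `'...'` or backtick literals is copied unchanged, and negative indexes such as `[-1]` are left alone.

```python
import re

# JMESPath unquoted-string identifiers are [A-Za-z_][A-Za-z0-9_]*, so a '-'
# inside one is a parse error ("my-map" is not a valid identifier). The
# workaround discussed in this thread is to write it as a quoted-string
# identifier: "my-map". This helper applies that rewrite automatically.
# The token pattern deliberately accepts '-' so that a hyphenated key is
# consumed as one token instead of being split at the hyphen.
_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")


def quote_hyphenated_identifiers(expr: str) -> str:
    """Return expr with every unquoted identifier containing '-' wrapped in
    double quotes. Quoted identifiers, raw string literals and JSON literals
    are copied verbatim so their contents are never touched."""
    out = []
    i, n = 0, len(expr)
    while i < n:
        ch = expr[i]
        if ch in "\"'`":
            # Copy a "quoted identifier", 'raw literal' or `json literal`
            # unchanged, skipping backslash-escaped characters inside it.
            j = i + 1
            while j < n and expr[j] != ch:
                j += 2 if expr[j] == "\\" else 1
            out.append(expr[i:j + 1])
            i = j + 1
            continue
        m = _TOKEN.match(expr, i)
        if m:
            tok = m.group(0)
            # Function names (length, starts_with, ...) never contain '-',
            # so only genuine hyphenated keys get quoted here.
            out.append(f'"{tok}"' if "-" in tok else tok)
            i = m.end()
            continue
        # Operators, dots, brackets, digits and whitespace pass through.
        out.append(ch)
        i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample expressions mirroring the ones in this thread.
    for e in ["my-map.data.image-name", '"image-data".user',
              "configData.config.User || 'ghcr-io'", "containers[-1].image"]:
        print(f"{e!r:45} -> {quote_hyphenated_identifiers(e)!r}")
```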
