[Bug] kyverno-json documentation seems incorrect re: wildcards and validate property #342

Open
1 task done
menzenski opened this issue Mar 22, 2024 · 2 comments
Labels: bug, good first issue, triage

Comments

@menzenski

Kyverno JSON Version

0.1.0

Description

I am on version 0.0.2, which I can't select in the bug issue form version selector (I installed via Homebrew, and the only version available there is 0.0.2).

The kyverno-json documentation includes an example ValidatingPolicy that uses validate with a wildcard ?*:

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: required-s3-tags
spec:
  rules:
    - name: require-team-tag
      identifier: address
      match:
        any:
        - type: aws_s3_bucket
      exclude:
        any:
        - name: bypass-me
      validate:
        assert:
          all:
          - values:
              tags:
                Team: ?*

However, this doesn't work. In the Kyverno playground an attempt to use this policy just returns {"results": null}. On the command line there is an error thrown:

$ kyverno-json scan --payload my_payload.yaml --policy required_s3_tags.yaml
Loading policies ...
Error: failed to parse document (spec.rules[0].validate: Invalid value: value provided for unknown field)

Steps to reproduce

  1. Define policy with the YAML example from the documentation:
cat <<EOF > test_policy.yaml
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: required-s3-tags
spec:
  rules:
    - name: require-team-tag
      identifier: address
      match:
        any:
        - type: aws_s3_bucket
      exclude:
        any:
        - name: bypass-me
      validate:
        assert:
          all:
          - values:
              tags:
                Team: ?*
EOF
  2. Invoke kyverno-json using that policy:
$ kyverno-json scan --policy test_policy.yaml

This throws an error:

$ kyverno-json scan --policy test_policy.yaml
Loading policies ...
Error: failed to parse document (spec.rules[0].validate: Invalid value: value provided for unknown field)

Expected behavior

I had expected that the examples provided in the documentation would work.

Screenshots

No response

Logs

No response

Slack discussion

No response

Troubleshooting

  • I have searched other issues in this repository and mine is not recorded.
@menzenski menzenski added bug Something isn't working triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Mar 22, 2024
@menzenski
Author

Many of the examples on https://kyverno.github.io/kyverno-json/latest/policies/asserts/#assert also contain the validate property. These seem to exhibit the same error.

For example:

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: test
spec:
  rules:
    - name: foo-bar-4
      validate:
        assert:
          all:
          - message: "..."
            check:
              # project field `foo` onto itself, the content of `foo` becomes the current object for descendants
              foo:

                # evaluate expression `(bar > `3`)`, the boolean result becomes the current object for descendants
                # the `true` leaf is compared with the current value `true`
                (bar > `3`): true

                # evaluate expression `(!baz)`, the boolean result becomes the current object for descendants
                # the leaf `false` is compared with the current value `false`
                (!baz): false

                # evaluate expression `(bar + bat)`, the numeric result becomes the current object for descendants
                # the leaf `10` is compared with the current value `10`
                (bar + bat): 10

$ kyverno-json scan --policy test_policy_2.yaml
Loading policies ...
Error: failed to parse document (spec.rules[0].validate: Invalid value: value provided for unknown field)

@menzenski menzenski changed the title [Bug] kyverno-documentation seems incorrect re: wildcards [Bug] kyverno-documentation seems incorrect re: wildcards and validate property Mar 22, 2024
@menzenski menzenski changed the title [Bug] kyverno-documentation seems incorrect re: wildcards and validate property [Bug] kyverno-json documentation seems incorrect re: wildcards and validate property Mar 22, 2024
@eddycharly
Member

Hmm, thanks for reporting!

Will check that next week.

@JimBugwadia JimBugwadia added the good first issue Good for newcomers label Jun 9, 2024