Deny policy for specific string in section data in ConfigMap

[zaval1976]

Hello,

I want write policy for deny deploy ConfigMap, if in some keys value, in section data, will be specific string with contain, for example "postgresql".

I wrote this policy, but it work for specific key name.
I need that check in all key values in section data.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-credential-composite-design
spec:
  rules:
  - name: validate-data-design
    match:
      resources:
        kinds:
        - ConfigMap
    validate:
      allowExistingViolations: true
      failureAction: Enforce
      message: "Use of composite structures to assemble credentials is prohibited by cybersecurity policy."
      foreach:
      - list: request.object.data
        deny:
          conditions:
            all:
            - key: '{{ element }}'
              operator: Equals
              value: "*postgresql*"

Do you have any ideas?
I use Kyverno v.1.14.1

[maheshcodes12]

Your current policy checks for exact matches against the key names rather than the values. You can use contains() to check for substrng matches in values, and change condition all to any since you want to match if any value contains the substring.

      foreach:
      - list: "request.object.data"
        deny:
          conditions:
            any:
            - key: "{{ contains('{{ element.value }}', 'postgresql') }}"
              operator: Equals
              value: true

[zaval1976]

Hi, Mahesh

Thanks for answer.
But I get error

disallow-credential-composite-design:
  validate-data-design: 'validation failure: failed to check deny conditions: failed
    to substitute variables in condition key: failed to resolve element.value at path
    : JMESPath query failed: Unknown key "value" in path'

[zaval1976]

valeryzavalishin kyverno %kyverno test . --detailed-results -v 100
Loading test  ( kyverno-test.yaml ) ...
  Loading values/variables ...
  Loading policies ...
  Loading resources ...
  Loading exceptions ...
  Applying 1 policy to 1 resource with 0 exceptions ...
2025-08-05T15:19:48+03:00 -2 github.com/kyverno/kyverno/pkg/engine/variables/vars.go:359 > variable substituted path=/validate/foreach/0/deny/conditions/any/0/key v=3 value=null variable={{element.value}}
2025-08-05T15:19:48+03:00 -2 github.com/kyverno/kyverno/pkg/engine/variables/vars.go:359 > variable substituted path=/validate/foreach/0/deny/conditions/any/0/key v=3 value=null variable="{{ contains(null, 'postgresql') }}"
2025-08-05T15:19:48+03:00 -3 github.com/kyverno/kyverno/pkg/engine/variables/vars.go:48 > Variable substitution failed in preconditions, therefore nil value assigned to variable,  "element.value"  logger=engine.validate new.kind=ConfigMap new.name=test new.namespace=default policy.apply=All policy.name=disallow-credential-composite-design policy.namespace= rule.name=validate-data-design v=4
  Checking results ...

│────│──────────────────────────────────────│──────────────────────│───────────────────────────│────────│──────────────────────│────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────│
│ ID │ POLICY                               │ RULE                 │ RESOURCE                  │ RESULT │ REASON               │ MESSAGE                                                                                                                                                                                            │
│────│──────────────────────────────────────│──────────────────────│───────────────────────────│────────│──────────────────────│────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────│
│ 1  │ disallow-credential-composite-design │ validate-data-design │ v1/ConfigMap/default/test │ Fail   │ Want pass, got error │ validation failure: failed to check deny conditions: failed to substitute variables in condition key: failed to resolve element.value at path : JMESPath query failed: Unknown key "value" in path │
│────│──────────────────────────────────────│──────────────────────│───────────────────────────│────────│──────────────────────│────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────│


Test Summary: 0 tests passed and 1 tests failed

Error: 1 tests failed

[maheshcodes12]

Hii @zaval1976

Yes, there was a mistake how I was accessing element values. The request.object.data is a map (dictionary), not a list. So {{ element }} will be the value itself.

        foreach:
          - list: "request.object.data.*"
            deny:
              conditions:
                any:
                  - key: "{{ contains(element, 'postgresql') }}"
                    operator: Equals
                    value: true

I tested this on my PC and it worked. Hopefully, it resolves the issue on your end too!

[zaval1976]

It works, great.

I found working version too):

     foreach:
      - list: "request.object.data"
        deny:
          conditions:
            any:
            - key: "{{ contains('{{ element.values(@) }}', 'postgresql') }}"
              operator: Equals
              value: true