kyverno/pkg/utils/match/subjects.go

package match

import (
	"golang.org/x/exp/slices"
	authenticationv1 "k8s.io/api/authentication/v1"
	rbacv1 "k8s.io/api/rbac/v1"
)

// CheckSubjects return true if one of ruleSubjects exist in userInfo
func CheckSubjects(
	ruleSubjects []rbacv1.Subject,
	userInfo authenticationv1.UserInfo,
	excludeGroupRole []string,
) bool {
	const SaPrefix = "system:serviceaccount:"
	userGroups := append(userInfo.Groups, userInfo.Username)
	// TODO: see issue https://github.com/kyverno/kyverno/issues/861
	for _, e := range excludeGroupRole {
		ruleSubjects = append(ruleSubjects, rbacv1.Subject{Kind: "Group", Name: e})
	}
	for _, subject := range ruleSubjects {
		switch subject.Kind {
		case "ServiceAccount":
			if len(userInfo.Username) <= len(SaPrefix) {
				continue
			}
			subjectServiceAccount := subject.Namespace + ":" + subject.Name
			if userInfo.Username[len(SaPrefix):] == subjectServiceAccount {
				return true
			}
		case "User", "Group":
			if slices.Contains(userGroups, subject.Name) {
				return true
			}
		}
	}
	return false
}
refactor: match utils package (#5961) * refactor: match utils package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-10 21:16:59 +01:00			`package match`

			`import (`
			`"golang.org/x/exp/slices"`
			`authenticationv1 "k8s.io/api/authentication/v1"`
			`rbacv1 "k8s.io/api/rbac/v1"`
			`)`

			`// CheckSubjects return true if one of ruleSubjects exist in userInfo`
			`func CheckSubjects(`
			`ruleSubjects []rbacv1.Subject,`
			`userInfo authenticationv1.UserInfo,`
			`excludeGroupRole []string,`
			`) bool {`
			`const SaPrefix = "system:serviceaccount:"`
			`userGroups := append(userInfo.Groups, userInfo.Username)`
			`// TODO: see issue https://github.com/kyverno/kyverno/issues/861`
			`for _, e := range excludeGroupRole {`
			`ruleSubjects = append(ruleSubjects, rbacv1.Subject{Kind: "Group", Name: e})`
			`}`
			`for _, subject := range ruleSubjects {`
			`switch subject.Kind {`
			`case "ServiceAccount":`
			`if len(userInfo.Username) <= len(SaPrefix) {`
			`continue`
			`}`
			`subjectServiceAccount := subject.Namespace + ":" + subject.Name`
			`if userInfo.Username[len(SaPrefix):] == subjectServiceAccount {`
			`return true`
			`}`
			`case "User", "Group":`
			`if slices.Contains(userGroups, subject.Name) {`
			`return true`
			`}`
			`}`
			`}`
			`return false`
			`}`