solves the cronjob autogen nested path issue (#12383)

* solves the cronjob autogen nested path issue Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> * format the file using linter Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> * autogen path change in validating-polcies Signed-off-by: Mohd Kamaal <mohdcode@MBA.local> --------- Signed-off-by: Mohd Kamaal <mohdkamaal2019@gmail.com> Signed-off-by: Mohd Kamaal <mohdcode@MBA.local> Co-authored-by: Mohd Kamaal <mohdcode@MBA.local>
2025-03-22 07:41:10 +00:00 · 2025-03-13 19:52:51 +05:30 · 2025-03-13 19:52:51 +05:30 · 19b816ba70
commit 19b816ba70
parent 7e3dfd934e
5 changed files with 121 additions and 67 deletions
--- a/pkg/cel/autogen/rule.go
+++ b/pkg/cel/autogen/rule.go
@ -152,19 +152,6 @@ func convertMatchconditions(conditions []admissionregistrationv1.MatchCondition,
 }

 var (
-	podReplacementRules [][2][]byte = [][2][]byte{
-		{[]byte("object.spec"), []byte("object.spec.template.spec")},
-		{[]byte("oldObject.spec"), []byte("oldObject.spec.template.spec")},
-		{[]byte("object.metadata"), []byte("object.spec.template.metadata")},
-		{[]byte("oldObject.metadata"), []byte("oldObject.spec.template.metadata")},
-	}
-	cronJobReplacementRules [][2][]byte = [][2][]byte{
-		{[]byte("object.spec"), []byte("object.spec.jobTemplate.spec.template.spec")},
-		{[]byte("oldObject.spec"), []byte("oldObject.spec.jobTemplate.spec.template.spec")},
-		{[]byte("object.metadata"), []byte("object.spec.jobTemplate.spec.template.metadata")},
-		{[]byte("oldObject.metadata"), []byte("oldObject.spec.jobTemplate.spec.template.metadata")},
-	}
-
 	podControllerMatchConditionName        = "autogen-"
 	podControllersMatchConditionExpression = "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || "
 	cronjobMatchConditionName              = "autogen-cronjobs-"
@ -172,15 +159,31 @@ var (
 )

 func updateFields(data []byte, resource autogencontroller) []byte {
+	// Define the target prefixes based on resource type
+	var specPrefix, metadataPrefix []byte
 	switch resource {
 	case PODS:
-		for _, replacement := range podReplacementRules {
-			data = bytes.ReplaceAll(data, replacement[0], replacement[1])
-		}
+		specPrefix = []byte("object.spec.template.spec")
+		metadataPrefix = []byte("object.spec.template.metadata")
 	case CRONJOBS:
-		for _, replacement := range cronJobReplacementRules {
-			data = bytes.ReplaceAll(data, replacement[0], replacement[1])
-		}
+		specPrefix = []byte("object.spec.jobTemplate.spec.template.spec")
+		metadataPrefix = []byte("object.spec.jobTemplate.spec.template.metadata")
 	}
+
+	// Replace object.spec and oldObject.spec with the correct prefix
+	data = bytes.ReplaceAll(data, []byte("object.spec"), specPrefix)
+	data = bytes.ReplaceAll(data, []byte("oldObject.spec"), append([]byte("oldObject"), specPrefix[6:]...)) // Adjust for oldObject
+	data = bytes.ReplaceAll(data, []byte("object.metadata"), metadataPrefix)
+	data = bytes.ReplaceAll(data, []byte("oldObject.metadata"), append([]byte("oldObject"), metadataPrefix[6:]...))
+
+	// Normalize any over-nested paths remove extra .template.spec
+	if resource == CRONJOBS {
+		data = bytes.ReplaceAll(data, []byte("object.spec.jobTemplate.spec.template.spec.template.spec"), specPrefix)
+		data = bytes.ReplaceAll(data, []byte("oldObject.spec.jobTemplate.spec.template.spec.template.spec"), append([]byte("oldObject"), specPrefix[6:]...))
+	} else if resource == PODS {
+		data = bytes.ReplaceAll(data, []byte("object.spec.template.spec.template.spec"), specPrefix)
+		data = bytes.ReplaceAll(data, []byte("oldObject.spec.template.spec.template.spec"), append([]byte("oldObject"), specPrefix[6:]...))
+	}
+
 	return data
 }
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/bad-deployment.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/bad-deployment.yaml
@ -22,3 +22,29 @@ spec:
        image: nginx:latest
        securityContext:
          allowPrivilegeEscalation: true
+---
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bad-cronjob  
+spec:
+  schedule: "*/5 * * * *"  
+  concurrencyPolicy: Forbid  
+  jobTemplate:
+    metadata:
+      labels:
+        prod: "true"  
+    spec:
+      template:
+        metadata:
+          labels:
+            prod: "true"  
+        spec:
+          containers:
+          - name: secure-container  
+            image: busybox  
+            command: ["echo", "Hello, world"]  
+            securityContext:
+              allowPrivilegeEscalation: true 
+          restartPolicy: OnFailure  
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
@ -1,51 +1,52 @@
 apiVersion: policies.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
-  name: disallow-privilege-escalation
+    name: disallow-privilege-escalation
 status:
-  autogen:
-    rules:
-    - matchConditions:
-      - expression: "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
-          && object.spec.template.metadata.labels.prod == 'true'"
-        name: autogen-check-prod-label
-      matchConstraints:
-        resourceRules:
-        - apiGroups:
-          - apps
-          apiVersions:
-          - v1
-          operations:
-          - CREATE
-          - UPDATE
-          resources:
-          - deployments
-      validations:
-      - expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
-          && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
-          == false)
-        message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
-          must be set to `false`.
-    - matchConditions:
-      - expression: "!(object.kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels)
-          && has(object.spec.jobTemplate.spec.template.metadata.labels.prod)
-          && object.spec.jobTemplate.spec.template.metadata.labels.prod
-          == 'true'"
-        name: autogen-cronjobs-check-prod-label
-      matchConstraints:
-        resourceRules:
-        - apiGroups:
-          - batch
-          apiVersions:
-          - v1
-          operations:
-          - CREATE
-          - UPDATE
-          resources:
-          - cronjobs
-      validations:
-      - expression: object.spec.jobTemplate.spec.template.spec.template.spec.containers.all(container,
-          has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)
-          && container.securityContext.allowPrivilegeEscalation == false)
-        message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
-          must be set to `false`.
+    autogen:
+      rules:
+      - matchConditions:
+        - expression: '!(object.kind ==''Deployment'' || object.kind ==''ReplicaSet''
+            || object.kind ==''StatefulSet'' || object.kind ==''DaemonSet'') || has(object.spec.template.metadata.labels)
+            && has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod
+            == ''true'''
+          name: autogen-check-prod-label
+        matchConstraints:
+          resourceRules:
+          - apiGroups:
+            - apps
+            apiVersions:
+            - v1
+            operations:
+            - CREATE
+            - UPDATE
+            resources:
+            - deployments
+        validations:
+        - expression: object.spec.template.spec.containers.all(container, has(container.securityContext)
+            && has(container.securityContext.allowPrivilegeEscalation) && container.securityContext.allowPrivilegeEscalation
+            == false)
+          message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
+            must be set to `false`.
+      - matchConditions:
+        - expression: '!(object.kind ==''CronJob'') || has(object.spec.jobTemplate.spec.template.metadata.labels)
+            && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) &&
+            object.spec.jobTemplate.spec.template.metadata.labels.prod == ''true'''
+          name: autogen-cronjobs-check-prod-label
+        matchConstraints:
+          resourceRules:
+          - apiGroups:
+            - batch
+            apiVersions:
+            - v1
+            operations:
+            - CREATE
+            - UPDATE
+            resources:
+            - cronjobs
+        validations:
+        - expression: object.spec.jobTemplate.spec.template.spec.containers.all(container,
+            has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)
+            && container.securityContext.allowPrivilegeEscalation == false)
+          message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation
+            must be set to `false`.
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/good-deployment.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/good-deployment.yaml
@ -22,3 +22,27 @@ spec:
        image: nginx:latest
        securityContext:
          allowPrivilegeEscalation: false
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: good-cronjob
+spec:
+  schedule: "*/5 * * * *"
+  jobTemplate:
+    metadata:
+      labels:
+        prod: "true" 
+    spec:
+      template:
+        metadata:
+          labels:
+            prod: "true"
+        spec:
+          containers:
+          - name: secure-container
+            image: busybox
+            command: ["echo", "Hello, world"]
+            securityContext:
+              allowPrivilegeEscalation: false 
+          restartPolicy: OnFailure
--- a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
@ -56,7 +56,7 @@ status:
          resources:
          - cronjobs
      validations:
-      - expression: object.spec.jobTemplate.spec.template.spec.template.spec.containers.all(container,
+      - expression: object.spec.jobTemplate.spec.template.spec.containers.all(container,
          has(container.securityContext) && has(container.securityContext.allowPrivilegeEscalation)
          && container.securityContext.allowPrivilegeEscalation == false)
        message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation