fix latest version check (#7263) (#7266)

Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-05-23 16:31:26 +00:00 · 2023-05-23 16:31:26 +00:00 · 25fe96c710
commit 25fe96c710
parent dab311d6b3
2 changed files with 56 additions and 7 deletions
--- a/pkg/pss/evaluate.go
+++ b/pkg/pss/evaluate.go
@ -15,19 +15,35 @@ import (
 // Evaluate Pod's specified containers only and get PSSCheckResults
 func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PSSCheckResult) {
 	checks := policy.DefaultChecks()
-
+	var latestVersionCheck policy.VersionedCheck
 	for _, check := range checks {
 		if level.Level == api.LevelBaseline && check.Level != level.Level {
 			continue
 		}
-		// check version
-		appliedOnce := true
+
+		latestVersionCheck = check.Versions[0]
+		for i := 1; i < len(check.Versions); i++ {
+			vc := check.Versions[i]
+			if !vc.MinimumVersion.Older(latestVersionCheck.MinimumVersion) {
+				latestVersionCheck = vc
+			}
+		}
+
+		if level.Version == api.LatestVersion() {
+			checkResult := latestVersionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec)
+			if !checkResult.Allowed {
+				results = append(results, pssutils.PSSCheckResult{
+					ID:               string(check.ID),
+					CheckResult:      checkResult,
+					RestrictedFields: GetRestrictedFields(check),
+				})
+			}
+		}
+
 		for _, versionCheck := range check.Versions {
 			// the latest check returned twice, skip duplicate application
 			if level.Version == api.LatestVersion() {
-				if !appliedOnce {
-					continue
-				}
+				continue
 			} else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) {
 				continue
 			}
@ -40,7 +56,6 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
 					RestrictedFields: GetRestrictedFields(check),
 				})
 			}
-			appliedOnce = false
 		}
 	}
 	return results
--- a/pkg/pss/evaluate_test.go
+++ b/pkg/pss/evaluate_test.go
@ -2115,6 +2115,40 @@ var baseline_procMount = []testCase{
 }

 var baseline_seccompProfile = []testCase{
+	{
+		name: "baseline_seccompProfile_no_exclusion",
+		rawRule: []byte(`
+		{
+			"level": "baseline",
+			"version": "latest"
+		}`),
+		rawPod: []byte(`
+		{
+			"kind": "Pod",
+			"metadata": {
+				"name": "test"
+			},
+			"spec": {
+				"securityContext": {
+					"seccompProfile": {
+						"type": "Unconfined"
+					}
+				},
+				"containers": [
+					{
+						"name": "nginx",
+						"image": "nginx",
+						"securityContext": {
+							"seccompProfile": {
+								"type": "Unconfined"
+							}
+						}
+					}
+				]
+			}
+		}`),
+		allowed: false,
+	},
 	{
 		name: "baseline_seccompProfile_defines_all_violate_true_1",
 		rawRule: []byte(`