fix: auth check the generate policy when use variables in name/namespace (#6874)

* decrease log level Signed-off-by: ShutingZhao <shuting@nirmata.com> * set namespace to for 'all' Signed-off-by: ShutingZhao <shuting@nirmata.com> * udpate kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * rename file Signed-off-by: ShutingZhao <shuting@nirmata.com> * rename file Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-04-13 15:38:47 +08:00 · 2023-04-13 15:38:47 +08:00 · 2948adba57
commit 2948adba57
parent a48049aac2
10 changed files with 65 additions and 60 deletions
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@ -57,10 +57,10 @@ func (g *Generate) Validate(ctx context.Context) (string, error) {
 		}
 	} else {
 		if name != "" {
-			return "name", fmt.Errorf("with cloneList, generate.name. should not be specified.")
+			return "name", fmt.Errorf("with cloneList, generate.name. should not be specified")
 		}
 		if kind != "" {
-			return "kind", fmt.Errorf("with cloneList, generate.kind. should not be specified.")
+			return "kind", fmt.Errorf("with cloneList, generate.kind. should not be specified")
 		}
 	}

@ -111,8 +111,11 @@ func (g *Generate) validateClone(c kyvernov1.CloneFrom, cl kyvernov1.CloneList,
 	}

 	namespace := c.Namespace
+	if !regex.IsVariable(namespace) {
+		namespace = ""
+	}
 	// Skip if there is variable defined
-	if !regex.IsVariable(kind) && !regex.IsVariable(namespace) {
+	if !regex.IsVariable(kind) {
 		// GET
 		ok, err := g.authCheck.CanIGet(context.TODO(), kind, namespace)
 		if err != nil {
@ -122,7 +125,7 @@ func (g *Generate) validateClone(c kyvernov1.CloneFrom, cl kyvernov1.CloneList,
 			return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:background-controller:additional'", kind, namespace)
 		}
 	} else {
-		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+		g.log.V(2).Info("resource Kind uses variables, so cannot be resolved. Skipping Auth Checks.")
 	}
 	return "", nil
 }
@ -131,7 +134,10 @@ func (g *Generate) validateClone(c kyvernov1.CloneFrom, cl kyvernov1.CloneList,
 func (g *Generate) canIGenerate(ctx context.Context, kind, namespace string) error {
 	// Skip if there is variable defined
 	authCheck := g.authCheck
-	if !regex.IsVariable(kind) && !regex.IsVariable(namespace) {
+	if !regex.IsVariable(namespace) {
+		namespace = ""
+	}
+	if !regex.IsVariable(kind) {
 		// CREATE
 		ok, err := authCheck.CanICreate(ctx, kind, namespace)
 		if err != nil {
@ -170,7 +176,7 @@ func (g *Generate) canIGenerate(ctx context.Context, kind, namespace string) err
 			return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:background-controller:additional'", kind, namespace)
 		}
 	} else {
-		g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.")
+		g.log.V(2).Info("resource Kind uses variables, so cannot be resolved. Skipping Auth Checks.")
 	}

 	return nil
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/02-update-clusterrole.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/02-update-clusterrole.yaml
@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: kyverno:background-controller:additional
+  labels:
+    app.kubernetes.io/component: background-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
 rules:
 - apiGroups:
  - '*'
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/04-delete.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/04-delete.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: kyverno.io/v1
+  kind: ClusterPolicy
+  name: cpol-validate-create-sa-permission
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/04-reset-clusterrole.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/04-reset-clusterrole.yaml
@ -1,27 +0,0 @@
-## reset changed clusterrole for the rest of the tests
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kyverno:background-controller:additional
-rules:
- apiGroups:
-  - '*'
-  resources:
-  - configmaps
-  - networkpolicies
-  - resourcequotas
-  - secrets
-  - roles
-  - rolebindings
-  - limitranges
-  - namespaces
-  - nodes
-  - nodes/status
-  - pods
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
-  - get
-  - list
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/05-pass.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/05-pass.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy-with-var.yaml
+assert:
+- policy-assert.yaml
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/06-delete.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/06-delete.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  name: kyverno:background-controller:additional
--- a/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/policy-with-var.yaml
+++ b/test/conformance/kuttl/generate/validation/clusterpolicy/permissions/policy-with-var.yaml
@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cpol-validate-create-sa-permission
+spec:
+  rules:
+  - name: clone-secret
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    generate:
+      apiVersion: v1
+      kind: ServiceAccount
+      name: cpol-validate-create-sa-permission-sa
+      namespace: "{{ request.object.metadata.namespace }}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
--- a/test/conformance/kuttl/generate/validation/policy/permissions/03-update-clusterrole.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/permissions/03-update-clusterrole.yaml
@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: kyverno:background-controller:additional
+  labels:
+    app.kubernetes.io/component: background-controller
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/part-of: kyverno
 rules:
 - apiGroups:
  - '*'
--- a/test/conformance/kuttl/generate/validation/policy/permissions/05-delete.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/permissions/05-delete.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: rbac.authorization.k8s.io/v1
+  kind: ClusterRole
+  name: kyverno:background-controller:additional
--- a/test/conformance/kuttl/generate/validation/policy/permissions/05-reset-clusterrole.yaml
+++ b/test/conformance/kuttl/generate/validation/policy/permissions/05-reset-clusterrole.yaml
@ -1,27 +0,0 @@
-## reset changed clusterrole for the rest of the tests
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kyverno:background-controller:additional
-rules:
- apiGroups:
-  - '*'
-  resources:
-  - configmaps
-  - networkpolicies
-  - resourcequotas
-  - secrets
-  - roles
-  - rolebindings
-  - limitranges
-  - namespaces
-  - nodes
-  - nodes/status
-  - pods
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
-  - get
-  - list