fix: skip duplicate PSa checks for the latest version (#6634) (#6636)

* add version check * debug * debug * skip multiple applies * skip multiple applies --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-03-21 20:26:48 +00:00 · 2023-03-21 20:26:48 +00:00 · 4dbffc57a1
commit 4dbffc57a1
parent 91f1929f6e
2 changed files with 14 additions and 5 deletions
--- a/pkg/pss/evaluate.go
+++ b/pkg/pss/evaluate.go
@ -21,7 +21,16 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
 			continue
 		}
 		// check version
+		appliedOnce := true
 		for _, versionCheck := range check.Versions {
+			// the latest check returned twice, skip duplicate application
+			if level.Version == api.LatestVersion() {
+				if !appliedOnce {
+					continue
+				}
+			} else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) {
+				continue
+			}
 			checkResult := versionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec)
 			// Append only if the checkResult is not already in pssCheckResult
 			if !checkResult.Allowed {
@ -31,6 +40,7 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
 					RestrictedFields: GetRestrictedFields(check),
 				})
 			}
+			appliedOnce = false
 		}
 	}
 	return results
@ -81,12 +91,12 @@ func parseVersion(rule *kyvernov1.PodSecurity) (*api.LevelVersion, error) {

 // EvaluatePod applies PSS checks to the pod and exempts controls specified in the rule
 func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils.PSSCheckResult, error) {
-	level, err := parseVersion(rule)
+	levelVersion, err := parseVersion(rule)
 	if err != nil {
 		return false, nil, err
 	}

-	defaultCheckResults := evaluatePSS(level, *pod)
+	defaultCheckResults := evaluatePSS(levelVersion, *pod)

 	for _, exclude := range rule.Exclude {
 		spec, matching := GetPodWithMatchingContainers(exclude, pod)
@ -94,12 +104,12 @@ func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils
 		switch {
 		// exclude pod level checks
 		case spec != nil:
-			excludeCheckResults := evaluatePSS(level, *spec)
+			excludeCheckResults := evaluatePSS(levelVersion, *spec)
 			defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)

 		// exclude container level checks
 		default:
-			excludeCheckResults := evaluatePSS(level, *matching)
+			excludeCheckResults := evaluatePSS(levelVersion, *matching)
 			defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)
 		}
 	}
--- a/test/conformance/kuttl/reports/background/test-report-background-mode/report-assert.yaml
+++ b/test/conformance/kuttl/reports/background/test-report-background-mode/report-assert.yaml
@ -7,7 +7,6 @@ results:
 - category: Pod Security
  message: |
    Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
-    ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
  policy: podsecurity-subrule-restricted
  resources:
  - apiVersion: v1