
fix: skip duplicate PSa checks for the latest version (#6634) (#6636)

* add version check



* debug



* debug



* skip multiple applies



* skip multiple applies



---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
gcp-cherry-pick-bot[bot] 2023-03-21 20:26:48 +00:00 committed by GitHub
parent 91f1929f6e
commit 4dbffc57a1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 5 deletions


@ -21,7 +21,16 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
continue
}
// check version
appliedOnce := true
for _, versionCheck := range check.Versions {
// the latest check returned twice, skip duplicate application
if level.Version == api.LatestVersion() {
if !appliedOnce {
continue
}
} else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) {
continue
}
checkResult := versionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec)
// Append only if the checkResult is not already in pssCheckResult
if !checkResult.Allowed {
@ -31,6 +40,7 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
RestrictedFields: GetRestrictedFields(check),
})
}
appliedOnce = false
}
}
return results
@ -81,12 +91,12 @@ func parseVersion(rule *kyvernov1.PodSecurity) (*api.LevelVersion, error) {
// EvaluatePod applies PSS checks to the pod and exempts controls specified in the rule
func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils.PSSCheckResult, error) {
level, err := parseVersion(rule)
levelVersion, err := parseVersion(rule)
if err != nil {
return false, nil, err
}
defaultCheckResults := evaluatePSS(level, *pod)
defaultCheckResults := evaluatePSS(levelVersion, *pod)
for _, exclude := range rule.Exclude {
spec, matching := GetPodWithMatchingContainers(exclude, pod)
@ -94,12 +104,12 @@ func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils
switch {
// exclude pod level checks
case spec != nil:
excludeCheckResults := evaluatePSS(level, *spec)
excludeCheckResults := evaluatePSS(levelVersion, *spec)
defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)
// exclude container level checks
default:
excludeCheckResults := evaluatePSS(level, *matching)
excludeCheckResults := evaluatePSS(levelVersion, *matching)
defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)
}
}
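Review bot: The `else if` in the version check of evaluatePSS (first hunk) re-tests `level.Version != api.LatestVersion()`, which the preceding `if` has already excluded, so it can be reduced to `} else if level.Version.Older(versionCheck.MinimumVersion) {`; the `appliedOnce` flag also reads inverted, since it starts true and is set to false after the first application at the end of the second hunk. The latest-version branch runs only the first entry of `check.Versions` and skips every later one, which is correct only if the entries are duplicates or ordered most-recent first — that ordering is not visible here, so it is worth asserting or documenting it rather than relying on it, because a PSS check that is silently skipped is a policy gap rather than a reported violation. Renaming the flag to `applied` and putting the two version cases in a `switch` keeps them side by side. evaluatePSS begins before the first hunk and its result append lies between the first and second hunks.
```go
		// check version
		applied := false
		for _, versionCheck := range check.Versions {
			switch {
			case level.Version == api.LatestVersion():
				// latest is reported once per versioned entry; run the check only once
				if applied {
					continue
				}
			case level.Version.Older(versionCheck.MinimumVersion):
				continue
			}
			checkResult := versionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec)
			// … unchanged: append of a disallowed checkResult to results …
			applied = true
		}
```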


@ -7,7 +7,6 @@ results:
- category: Pod Security
message: |
Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
policy: podsecurity-subrule-restricted
resources:
- apiVersion: v1