Fix the PSa control name validation
Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
51b07b7bf3
commit
614c30788e
2 changed files with 68 additions and 7 deletions
|
@ -460,11 +460,6 @@ func Test_ValidatePSaControlNames(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}`),
|
}`),
|
||||||
errors: func(r *Rule) (errs field.ErrorList) {
|
|
||||||
return append(errs,
|
|
||||||
field.Invalid(path.Child("podSecurity").Child("exclude").Index(0).Child("controlName"), "/proc Mount Type", "Invalid control name defined at the given level"),
|
|
||||||
)
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
description: "restricted_with_restricted_control_name",
|
description: "restricted_with_restricted_control_name",
|
||||||
|
@ -695,6 +690,72 @@ func Test_ValidatePSaControlNames(t *testing.T) {
|
||||||
}
|
}
|
||||||
}`),
|
}`),
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
description: "baseline_policy_with_restricted_control",
|
||||||
|
rule: []byte(`
|
||||||
|
{
|
||||||
|
"name": "enforce-baseline-exclude-all-hostProcesses-all-containers-nginx",
|
||||||
|
"match": {
|
||||||
|
"any": [
|
||||||
|
{
|
||||||
|
"resources": {
|
||||||
|
"kinds": [
|
||||||
|
"Pod"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"validate": {
|
||||||
|
"podSecurity": {
|
||||||
|
"level": "baseline",
|
||||||
|
"version": "v1.24",
|
||||||
|
"exclude": [
|
||||||
|
{
|
||||||
|
"controlName": "Volume Types"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}`),
|
||||||
|
errors: func(r *Rule) (errs field.ErrorList) {
|
||||||
|
return append(errs,
|
||||||
|
field.Invalid(path.Child("podSecurity").Child("exclude").Index(0).Child("controlName"), "Volume Types", "Invalid control name defined at the given level"),
|
||||||
|
)
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
description: "baseline_policy_with_restricted_control",
|
||||||
|
rule: []byte(`
|
||||||
|
{
|
||||||
|
"name": "enforce-baseline-exclude-all-hostProcesses-all-containers-nginx",
|
||||||
|
"match": {
|
||||||
|
"any": [
|
||||||
|
{
|
||||||
|
"resources": {
|
||||||
|
"kinds": [
|
||||||
|
"Pod"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"validate": {
|
||||||
|
"podSecurity": {
|
||||||
|
"level": "restricted",
|
||||||
|
"version": "latest",
|
||||||
|
"exclude": [
|
||||||
|
{
|
||||||
|
"controlName": "Privileged Containers",
|
||||||
|
"images": [
|
||||||
|
"dummyimagename*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}`),
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, testcase := range testcases {
|
for _, testcase := range testcases {
|
||||||
|
@ -706,7 +767,7 @@ func Test_ValidatePSaControlNames(t *testing.T) {
|
||||||
if testcase.errors != nil {
|
if testcase.errors != nil {
|
||||||
expectedErrs = testcase.errors(&rule)
|
expectedErrs = testcase.errors(&rule)
|
||||||
}
|
}
|
||||||
fmt.Println("====errs", errs)
|
fmt.Println("errs", errs)
|
||||||
assert.Equal(t, len(errs), len(expectedErrs))
|
assert.Equal(t, len(errs), len(expectedErrs))
|
||||||
for i := range errs {
|
for i := range errs {
|
||||||
assert.Equal(t, errs[i].Error(), expectedErrs[i].Error())
|
assert.Equal(t, errs[i].Error(), expectedErrs[i].Error())
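Review bot: The second new test case (the one with `"level": "restricted"` excluding `"Privileged Containers"`) reuses the description `baseline_policy_with_restricted_control` from the case directly above it, although it exercises the opposite direction — a restricted-level policy excluding a baseline control — and expects no validation errors, so a failure in either case is reported under the same name. Rename it, e.g. `description: "restricted_policy_with_baseline_control",`. The `fmt.Println("errs", errs)` in the assertion loop (whichever side of the change it sits on) prints for every case even when the test passes; `t.Logf("errs: %v", errs)` keeps the output attached to the test and hidden unless `-v` or a failure. None of the cases visible here covers an unknown or misspelled `controlName` at the restricted level, which is exactly where the accompanying change empties the forbidden list, so that behavior is currently unpinned. Test_ValidatePSaControlNames begins outside these hunks.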
|
||||||
|
|
|
@ -367,7 +367,7 @@ func (r *Rule) ValidateMutationRuleTargetNamespace(path *field.Path, namespaced
|
||||||
func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList) {
|
func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList) {
|
||||||
if r.IsPodSecurity() {
|
if r.IsPodSecurity() {
|
||||||
podSecurity := r.Validation.PodSecurity
|
podSecurity := r.Validation.PodSecurity
|
||||||
forbiddenControls := utils.PSS_baseline_control_names
|
forbiddenControls := []string{}
|
||||||
if podSecurity.Level == "baseline" {
|
if podSecurity.Level == "baseline" {
|
||||||
forbiddenControls = utils.PSS_restricted_control_names
|
forbiddenControls = utils.PSS_restricted_control_names
|
||||||
}
|
}
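Review bot: Initializing `forbiddenControls` to an empty list for every level other than `baseline` (assuming `forbiddenControls := []string{}` is the new side, which is consistent with the added test that excludes `Privileged Containers` at `restricted` and expects no error) means the restricted level no longer rejects any control name here; if the rest of the function, outside this hunk, only checks membership in `forbiddenControls`, a misspelled or unknown `controlName` in an `exclude` entry at the restricted level passes validation silently and the policy author gets no signal that the exclusion matches nothing. Consider keeping the level-specific forbidden check but additionally rejecting names that are in neither `utils.PSS_baseline_control_names` nor `utils.PSS_restricted_control_names`, and documenting the empty list with `// restricted inherits every baseline control, so any known control may be excluded at that level`. Any `Level` value other than `baseline`, including an empty one, also takes the empty-list path; presumably the level is validated elsewhere, but confirm. Stylistically, `var forbiddenControls []string` is the idiomatic zero-value form and ranges identically.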
|
||||||
|
|