mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 20:20:22 +00:00
Code Activity

Fix PSa the control name validation

Browse source 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
ShutingZhao 2022-10-05 18:15:05 +08:00 committed by shuting
parent 51b07b7bf3
commit 614c30788e
2 changed files with 68 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
api/kyverno/v1/rule_test.go
View file

@ -460,11 +460,6 @@ func Test_ValidatePSaControlNames(t *testing.T) {
} }
} }
}`), }`),
errors: func(r *Rule) (errs field.ErrorList) {
return append(errs,
field.Invalid(path.Child("podSecurity").Child("exclude").Index(0).Child("controlName"), "/proc Mount Type", "Invalid control name defined at the given level"),
)
},
}, },
{ {
description: "restricted_with_restricted_control_name", description: "restricted_with_restricted_control_name",
@ -695,6 +690,72 @@ func Test_ValidatePSaControlNames(t *testing.T) {
} }
}`), }`),
}, },
{
description: "baseline_policy_with_restricted_control",
rule: []byte(`
{
"name": "enforce-baseline-exclude-all-hostProcesses-all-containers-nginx",
"match": {
"any": [
{
"resources": {
"kinds": [
"Pod"
]
}
}
]
},
"validate": {
"podSecurity": {
"level": "baseline",
"version": "v1.24",
"exclude": [
{
"controlName": "Volume Types"
}
]
}
}
}`),
errors: func(r *Rule) (errs field.ErrorList) {
return append(errs,
field.Invalid(path.Child("podSecurity").Child("exclude").Index(0).Child("controlName"), "Volume Types", "Invalid control name defined at the given level"),
)
},
},
{
description: "baseline_policy_with_restricted_control",
rule: []byte(`
{
"name": "enforce-baseline-exclude-all-hostProcesses-all-containers-nginx",
"match": {
"any": [
{
"resources": {
"kinds": [
"Pod"
]
}
}
]
},
"validate": {
"podSecurity": {
"level": "restricted",
"version": "latest",
"exclude": [
{
"controlName": "Privileged Containers",
"images": [
"dummyimagename*"
]
}
]
}
}
}`),
},
} }
for _, testcase := range testcases { for _, testcase := range testcases {
@ -706,7 +767,7 @@ func Test_ValidatePSaControlNames(t *testing.T) {
if testcase.errors != nil { if testcase.errors != nil {
expectedErrs = testcase.errors(&rule) expectedErrs = testcase.errors(&rule)
} }
fmt.Println("====errs", errs) fmt.Println("errs", errs)
assert.Equal(t, len(errs), len(expectedErrs)) assert.Equal(t, len(errs), len(expectedErrs))
for i := range errs { for i := range errs {
assert.Equal(t, errs[i].Error(), expectedErrs[i].Error()) assert.Equal(t, errs[i].Error(), expectedErrs[i].Error())

2
api/kyverno/v1/rule_types.go
View file

@ -367,7 +367,7 @@ func (r *Rule) ValidateMutationRuleTargetNamespace(path *field.Path, namespaced
func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList) { func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList) {
if r.IsPodSecurity() { if r.IsPodSecurity() {
podSecurity := r.Validation.PodSecurity podSecurity := r.Validation.PodSecurity
forbiddenControls := utils.PSS_baseline_control_names forbiddenControls := []string{}
if podSecurity.Level == "baseline" { if podSecurity.Level == "baseline" {
forbiddenControls = utils.PSS_restricted_control_names forbiddenControls = utils.PSS_restricted_control_names
} }