
fix latest version check (#7263)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2023-05-23 23:38:41 +08:00 committed by GitHub
parent f372adfa1a
commit 67cf3e1c96
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 56 additions and 7 deletions


@ -15,19 +15,35 @@ import (
// Evaluate Pod's specified containers only and get PSSCheckResults // Evaluate Pod's specified containers only and get PSSCheckResults
func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PSSCheckResult) { func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PSSCheckResult) {
checks := policy.DefaultChecks() checks := policy.DefaultChecks()
var latestVersionCheck policy.VersionedCheck
for _, check := range checks { for _, check := range checks {
if level.Level == api.LevelBaseline && check.Level != level.Level { if level.Level == api.LevelBaseline && check.Level != level.Level {
continue continue
} }
// check version
appliedOnce := true latestVersionCheck = check.Versions[0]
for i := 1; i < len(check.Versions); i++ {
vc := check.Versions[i]
if !vc.MinimumVersion.Older(latestVersionCheck.MinimumVersion) {
latestVersionCheck = vc
}
}
if level.Version == api.LatestVersion() {
checkResult := latestVersionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec)
if !checkResult.Allowed {
results = append(results, pssutils.PSSCheckResult{
ID: string(check.ID),
CheckResult: checkResult,
RestrictedFields: GetRestrictedFields(check),
})
}
}
for _, versionCheck := range check.Versions { for _, versionCheck := range check.Versions {
// the latest check returned twice, skip duplicate application // the latest check returned twice, skip duplicate application
if level.Version == api.LatestVersion() { if level.Version == api.LatestVersion() {
if !appliedOnce { continue
continue
}
} else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) { } else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) {
continue continue
} }
@ -40,7 +56,6 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
RestrictedFields: GetRestrictedFields(check), RestrictedFields: GetRestrictedFields(check),
}) })
} }
appliedOnce = false
} }
} }
return results return results
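Review bot: `latestVersionCheck = check.Versions[0]` at the top of the new version-selection block indexes without a length guard, so if a check ever came back from policy.DefaultChecks() with an empty Versions slice this would panic inside the admission path rather than skip the check; a one-line guard `if len(check.Versions) == 0 { continue }` before it makes that failure mode explicit. The comment "the latest check returned twice, skip duplicate application" on the `continue` in the following loop no longer describes the code: the latest version is now evaluated once above and the loop skips it wholesale, so reword it to something like `// latest version already evaluated above; skip all entries`. With that first branch in place, the `level.Version != api.LatestVersion() &&` half of the `else if` condition is redundant and could be dropped for readability. evaluatePSS continues past this hunk.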


@ -2115,6 +2115,40 @@ var baseline_procMount = []testCase{
} }
var baseline_seccompProfile = []testCase{ var baseline_seccompProfile = []testCase{
{
name: "baseline_seccompProfile_no_exclusion",
rawRule: []byte(`
{
"level": "baseline",
"version": "latest"
}`),
rawPod: []byte(`
{
"kind": "Pod",
"metadata": {
"name": "test"
},
"spec": {
"securityContext": {
"seccompProfile": {
"type": "Unconfined"
}
},
"containers": [
{
"name": "nginx",
"image": "nginx",
"securityContext": {
"seccompProfile": {
"type": "Unconfined"
}
}
}
]
}
}`),
allowed: false,
},
{ {
name: "baseline_seccompProfile_defines_all_violate_true_1", name: "baseline_seccompProfile_defines_all_violate_true_1",
rawRule: []byte(` rawRule: []byte(`