mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: match on ephemeral containers (#6963)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-04-17 17:17:45 +02:00 committed by GitHub
parent b9ee8bf984
commit 688d30bda1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
pkg/utils/match/kind.go
View file

@ -6,18 +6,18 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
)
var podGVK = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"}
// CheckKind checks if the resource kind matches the kinds in the policy. If the policy matches on subresources, then those resources are
// present in the subresourceGVKToAPIResource map. Set allowEphemeralContainers to true to allow ephemeral containers to be matched even when the
// policy does not explicitly match on ephemeral containers and only matches on pods.
func CheckKind(kinds []string, gvk schema.GroupVersionKind, subresource string, allowEphemeralContainers bool) bool {
for _, k := range kinds {
group, version, kind, sub := kubeutils.ParseKindSelector(k)
if wildcard.Match(group, gvk.Group) && wildcard.Match(version, gvk.Version) && wildcard.Match(kind, gvk.Kind) && wildcard.Match(sub, subresource) {
return true
}
if allowEphemeralContainers {
// TODO: we should check if GVK matches v1/Pod
if subresource == "ephemeralcontainers" {
if wildcard.Match(group, gvk.Group) && wildcard.Match(version, gvk.Version) && wildcard.Match(kind, gvk.Kind) {
if wildcard.Match(sub, subresource) {
return true
} else if allowEphemeralContainers && gvk == podGVK && subresource == "ephemeralcontainers" {
return true
}
}