
fix: remove excluded groups from matching (#7083)

* fix: remove excluded groups from matching

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-05-03 15:37:17 +02:00 committed by GitHub
parent a7900ff40c
commit 6a95b305c3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 3 additions and 17 deletions


@ -173,7 +173,6 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
// TODO(eddycharly): we don't have user info here, we should check that
// we don't have user conditions in the policy rule
kyvernov1beta1.RequestInfo{},
nil,
resource.GroupVersionKind(),
"",
)
@ -189,7 +188,6 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
// TODO(eddycharly): we don't have user info here, we should check that
// we don't have user conditions in the policy rule
kyvernov1beta1.RequestInfo{},
nil,
resource.GroupVersionKind(),
"",
)
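Review bot: The two call sites at -173 and -189 pass the same argument list and both had to be edited in step for one parameter removal; building the shared arguments once in executePolicy (a helper or a small struct) would keep the next signature change to a single edit. Both runs also keep the TODO above them, and the empty `kyvernov1beta1.RequestInfo{}` now reaches checkUserInfo without the excluded-group bypass, so a rule carrying a UserInfo block presumably cannot match in this path — worth confirming against the callee, whose remaining fields are not in view here. executePolicy starts and ends outside these hunks.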


@ -6,7 +6,6 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
"github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
matched "github.com/kyverno/kyverno/pkg/utils/match"
"k8s.io/apimachinery/pkg/labels"
@ -43,7 +42,6 @@ func matchesException(
selector engineapi.PolicyExceptionSelector,
policyContext engineapi.PolicyContext,
rule kyvernov1.Rule,
cfg config.Configuration,
) (*kyvernov2alpha1.PolicyException, error) {
candidates, err := findExceptions(selector, policyContext.Policy(), rule.Name)
if err != nil {
@ -56,7 +54,6 @@ func matchesException(
candidate.Spec.Match,
policyContext.NamespaceLabels(),
policyContext.AdmissionInfo(),
cfg.GetExcludedGroups(),
gvk,
subresource,
)
@ -77,7 +74,7 @@ func (e *engine) hasPolicyExceptions(
rule kyvernov1.Rule,
) *engineapi.RuleResponse {
// if matches, check if there is a corresponding policy exception
exception, err := matchesException(e.exceptionSelector, ctx, rule, e.configuration)
exception, err := matchesException(e.exceptionSelector, ctx, rule)
if err != nil {
logger.Error(err, "failed to match exceptions")
return nil
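Review bot: At -77 the error branch logs and returns nil, and now that configuration is no longer consulted the only error matchesException can surface comes from the findExceptions call at -43; nothing states what a nil return means to the caller, which from the preceding comment presumably reads as "no exception applies", i.e. the rule is still enforced. A one-line comment would make that fail-closed behaviour explicit: `// a lookup error is treated as "no exception": the rule is enforced as written`. Separately, the second argument named `ctx` is an engineapi.PolicyContext (see the parameter list at -43), not a context.Context, so the name misleads at the call site. hasPolicyExceptions starts and ends outside this hunk.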


@ -28,7 +28,6 @@ func CheckMatchesResources(
statement kyvernov2beta1.MatchResources,
namespaceLabels map[string]string,
admissionInfo kyvernov1beta1.RequestInfo,
excludeGroupRole []string,
gvk schema.GroupVersionKind,
subresource string,
) error {
@ -44,7 +43,6 @@ func CheckMatchesResources(
resource,
namespaceLabels,
admissionInfo,
excludeGroupRole,
gvk,
subresource,
)) == 0 {
@ -65,7 +63,6 @@ func CheckMatchesResources(
resource,
namespaceLabels,
admissionInfo,
excludeGroupRole,
gvk,
subresource,
)...,
@ -80,7 +77,6 @@ func checkResourceFilter(
resource unstructured.Unstructured,
namespaceLabels map[string]string,
admissionInfo kyvernov1beta1.RequestInfo,
excludeGroupRole []string,
gvk schema.GroupVersionKind,
subresource string,
) []error {
@ -100,7 +96,6 @@ func checkResourceFilter(
userErrs := checkUserInfo(
statement.UserInfo,
admissionInfo,
excludeGroupRole,
)
errs = append(errs, matchErrs...)
errs = append(errs, userErrs...)
@ -110,18 +105,14 @@ func checkResourceFilter(
func checkUserInfo(
userInfo kyvernov1.UserInfo,
admissionInfo kyvernov1beta1.RequestInfo,
excludeGroupRole []string,
) []error {
var errs []error
var excludeKeys []string
excludeKeys = append(excludeKeys, admissionInfo.AdmissionUserInfo.Groups...)
excludeKeys = append(excludeKeys, admissionInfo.AdmissionUserInfo.Username)
if len(userInfo.Roles) > 0 && !datautils.SliceContains(excludeKeys, excludeGroupRole...) {
if len(userInfo.Roles) > 0 {
if !datautils.SliceContains(userInfo.Roles, admissionInfo.Roles...) {
errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock"))
}
}
if len(userInfo.ClusterRoles) > 0 && !datautils.SliceContains(excludeKeys, excludeGroupRole...) {
if len(userInfo.ClusterRoles) > 0 {
if !datautils.SliceContains(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
}
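Review bot: checkUserInfo now matches roles and clusterRoles for every admission request, including subjects whose username or groups appear in the configured excluded groups (the bypass the removed excludeKeys lines implemented), and nothing in the new code records that change; a doc comment on the function would help, e.g. `// checkUserInfo returns one error per UserInfo field whose values do not match the admission request; excluded groups from configuration are intentionally not consulted here.` The same note applies to the removed parameter on the exported CheckMatchesResources at -28, whose doc comment (not in view) should say the same. Two smaller points on the lines that stay: `fmt.Errorf` with a constant message could be `errors.New`, and the clusterRoles message reads "clustersRoles". checkUserInfo continues past the end of the hunk.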