fix: remove excluded groups from matching (#7083)
* fix: remove excluded groups from matching Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
a7900ff40c
commit
6a95b305c3
3 changed files with 3 additions and 17 deletions
|
@ -173,7 +173,6 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
|
||||||
// TODO(eddycharly): we don't have user info here, we should check that
|
// TODO(eddycharly): we don't have user info here, we should check that
|
||||||
// we don't have user conditions in the policy rule
|
// we don't have user conditions in the policy rule
|
||||||
kyvernov1beta1.RequestInfo{},
|
kyvernov1beta1.RequestInfo{},
|
||||||
nil,
|
|
||||||
resource.GroupVersionKind(),
|
resource.GroupVersionKind(),
|
||||||
"",
|
"",
|
||||||
)
|
)
|
||||||
|
@ -189,7 +188,6 @@ func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy
|
||||||
// TODO(eddycharly): we don't have user info here, we should check that
|
// TODO(eddycharly): we don't have user info here, we should check that
|
||||||
// we don't have user conditions in the policy rule
|
// we don't have user conditions in the policy rule
|
||||||
kyvernov1beta1.RequestInfo{},
|
kyvernov1beta1.RequestInfo{},
|
||||||
nil,
|
|
||||||
resource.GroupVersionKind(),
|
resource.GroupVersionKind(),
|
||||||
"",
|
"",
|
||||||
)
|
)
|
||||||
|
|
|
@ -6,7 +6,6 @@ import (
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
|
||||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
matched "github.com/kyverno/kyverno/pkg/utils/match"
|
matched "github.com/kyverno/kyverno/pkg/utils/match"
|
||||||
"k8s.io/apimachinery/pkg/labels"
|
"k8s.io/apimachinery/pkg/labels"
|
||||||
|
@ -43,7 +42,6 @@ func matchesException(
|
||||||
selector engineapi.PolicyExceptionSelector,
|
selector engineapi.PolicyExceptionSelector,
|
||||||
policyContext engineapi.PolicyContext,
|
policyContext engineapi.PolicyContext,
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
cfg config.Configuration,
|
|
||||||
) (*kyvernov2alpha1.PolicyException, error) {
|
) (*kyvernov2alpha1.PolicyException, error) {
|
||||||
candidates, err := findExceptions(selector, policyContext.Policy(), rule.Name)
|
candidates, err := findExceptions(selector, policyContext.Policy(), rule.Name)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -56,7 +54,6 @@ func matchesException(
|
||||||
candidate.Spec.Match,
|
candidate.Spec.Match,
|
||||||
policyContext.NamespaceLabels(),
|
policyContext.NamespaceLabels(),
|
||||||
policyContext.AdmissionInfo(),
|
policyContext.AdmissionInfo(),
|
||||||
cfg.GetExcludedGroups(),
|
|
||||||
gvk,
|
gvk,
|
||||||
subresource,
|
subresource,
|
||||||
)
|
)
|
||||||
|
@ -77,7 +74,7 @@ func (e *engine) hasPolicyExceptions(
|
||||||
rule kyvernov1.Rule,
|
rule kyvernov1.Rule,
|
||||||
) *engineapi.RuleResponse {
|
) *engineapi.RuleResponse {
|
||||||
// if matches, check if there is a corresponding policy exception
|
// if matches, check if there is a corresponding policy exception
|
||||||
exception, err := matchesException(e.exceptionSelector, ctx, rule, e.configuration)
|
exception, err := matchesException(e.exceptionSelector, ctx, rule)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to match exceptions")
|
logger.Error(err, "failed to match exceptions")
|
||||||
return nil
|
return nil
|
||||||
|
|
|
@ -28,7 +28,6 @@ func CheckMatchesResources(
|
||||||
statement kyvernov2beta1.MatchResources,
|
statement kyvernov2beta1.MatchResources,
|
||||||
namespaceLabels map[string]string,
|
namespaceLabels map[string]string,
|
||||||
admissionInfo kyvernov1beta1.RequestInfo,
|
admissionInfo kyvernov1beta1.RequestInfo,
|
||||||
excludeGroupRole []string,
|
|
||||||
gvk schema.GroupVersionKind,
|
gvk schema.GroupVersionKind,
|
||||||
subresource string,
|
subresource string,
|
||||||
) error {
|
) error {
|
||||||
|
@ -44,7 +43,6 @@ func CheckMatchesResources(
|
||||||
resource,
|
resource,
|
||||||
namespaceLabels,
|
namespaceLabels,
|
||||||
admissionInfo,
|
admissionInfo,
|
||||||
excludeGroupRole,
|
|
||||||
gvk,
|
gvk,
|
||||||
subresource,
|
subresource,
|
||||||
)) == 0 {
|
)) == 0 {
|
||||||
|
@ -65,7 +63,6 @@ func CheckMatchesResources(
|
||||||
resource,
|
resource,
|
||||||
namespaceLabels,
|
namespaceLabels,
|
||||||
admissionInfo,
|
admissionInfo,
|
||||||
excludeGroupRole,
|
|
||||||
gvk,
|
gvk,
|
||||||
subresource,
|
subresource,
|
||||||
)...,
|
)...,
|
||||||
|
@ -80,7 +77,6 @@ func checkResourceFilter(
|
||||||
resource unstructured.Unstructured,
|
resource unstructured.Unstructured,
|
||||||
namespaceLabels map[string]string,
|
namespaceLabels map[string]string,
|
||||||
admissionInfo kyvernov1beta1.RequestInfo,
|
admissionInfo kyvernov1beta1.RequestInfo,
|
||||||
excludeGroupRole []string,
|
|
||||||
gvk schema.GroupVersionKind,
|
gvk schema.GroupVersionKind,
|
||||||
subresource string,
|
subresource string,
|
||||||
) []error {
|
) []error {
|
||||||
|
@ -100,7 +96,6 @@ func checkResourceFilter(
|
||||||
userErrs := checkUserInfo(
|
userErrs := checkUserInfo(
|
||||||
statement.UserInfo,
|
statement.UserInfo,
|
||||||
admissionInfo,
|
admissionInfo,
|
||||||
excludeGroupRole,
|
|
||||||
)
|
)
|
||||||
errs = append(errs, matchErrs...)
|
errs = append(errs, matchErrs...)
|
||||||
errs = append(errs, userErrs...)
|
errs = append(errs, userErrs...)
|
||||||
|
@ -110,18 +105,14 @@ func checkResourceFilter(
|
||||||
func checkUserInfo(
|
func checkUserInfo(
|
||||||
userInfo kyvernov1.UserInfo,
|
userInfo kyvernov1.UserInfo,
|
||||||
admissionInfo kyvernov1beta1.RequestInfo,
|
admissionInfo kyvernov1beta1.RequestInfo,
|
||||||
excludeGroupRole []string,
|
|
||||||
) []error {
|
) []error {
|
||||||
var errs []error
|
var errs []error
|
||||||
var excludeKeys []string
|
if len(userInfo.Roles) > 0 {
|
||||||
excludeKeys = append(excludeKeys, admissionInfo.AdmissionUserInfo.Groups...)
|
|
||||||
excludeKeys = append(excludeKeys, admissionInfo.AdmissionUserInfo.Username)
|
|
||||||
if len(userInfo.Roles) > 0 && !datautils.SliceContains(excludeKeys, excludeGroupRole...) {
|
|
||||||
if !datautils.SliceContains(userInfo.Roles, admissionInfo.Roles...) {
|
if !datautils.SliceContains(userInfo.Roles, admissionInfo.Roles...) {
|
||||||
errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock"))
|
errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock"))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if len(userInfo.ClusterRoles) > 0 && !datautils.SliceContains(excludeKeys, excludeGroupRole...) {
|
if len(userInfo.ClusterRoles) > 0 {
|
||||||
if !datautils.SliceContains(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
|
if !datautils.SliceContains(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
|
||||||
errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
|
errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
|
||||||
}
|
}
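Review bot: The new checkUserInfo always compares userInfo.Roles and userInfo.ClusterRoles with admissionInfo, whereas the removed `excludeKeys` / `excludeGroupRole` condition previously (presumably, going by SliceContains's name) skipped that comparison when the requester's groups or username appeared in the configured excluded list, so a match or exclude block carrying roles or clusterRoles now yields a non-match for those requesters as well. This is a behavioural change for both policy matching and policy-exception matching (the same parameter is dropped from CheckMatchesResources and checkResourceFilter above and from matchesException in the other file), and neither the new code nor the commit message records where excluded groups are now meant to be applied. Suggest a doc comment on the function, e.g. `// checkUserInfo compares the rule's roles and clusterRoles with those carried by admissionInfo; the configured excluded groups are not consulted here and are assumed to be applied where admissionInfo is built.` — the last clause should be confirmed against the caller that populates RequestInfo. checkUserInfo's body continues past the end of this hunk.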
|
||||||
|
|