From 829ab94b11d6191fc7baceb0d5889375eec7127d Mon Sep 17 00:00:00 2001
From: Mariam Fahmy
Date: Fri, 14 Feb 2025 11:45:10 +0200
Subject: [PATCH] fix CEL autogen (#12165)

Signed-off-by: Mariam Fahmy
---
 pkg/cel/autogen/rule.go | 4 ++--
 pkg/cel/autogen/rule_test.go | 4 ++--
 pkg/controllers/webhook/validatingpolicy.go | 2 +-
 .../autogen/autogen-deployments-cronjobs/check-autogen.yaml | 4 ++--
 .../autogen-deployments-statefulsets/check-autogen.yaml | 2 +-
 .../autogen/should-autogen/check-autogen.yaml | 4 ++--
 6 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/pkg/cel/autogen/rule.go b/pkg/cel/autogen/rule.go
index 5c5dea7cdd..6d310094ea 100644
--- a/pkg/cel/autogen/rule.go
+++ b/pkg/cel/autogen/rule.go
@@ -196,9 +196,9 @@ var (
 }
 podControllerMatchConditionName = "autogen-"
- podControllersMatchConditionExpression = "!(object.Kind =='Deployment' || object.Kind =='ReplicaSet' || object.Kind =='StatefulSet' || object.Kind =='DaemonSet') || "
+ podControllersMatchConditionExpression = "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || "
 cronjobMatchConditionName = "autogen-cronjobs-"
- cronJobMatchConditionExpression = "!(object.Kind =='CronJob') || "
+ cronJobMatchConditionExpression = "!(object.kind =='CronJob') || "
 )
 func updateFields(data []byte, resource string) []byte {
diff --git a/pkg/cel/autogen/rule_test.go b/pkg/cel/autogen/rule_test.go
index 608cfa4af3..bffd6dee67 100644
--- a/pkg/cel/autogen/rule_test.go
+++ b/pkg/cel/autogen/rule_test.go
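Review bot: The corrected prefixes still end in `|| ` and are joined to a user-authored match condition by plain string concatenation, and the same pattern is visible in the validatingpolicy.go hunk as `"!(object.kind == 'Pod') || " + m.Expression`; CEL's conditional operator `?:` binds more loosely than `||`, so a user expression of the form `c ? a : b` is re-parsed as `(!(object.kind == 'Pod') || c) ? a : b`, which silently changes which resources the autogenerated rule applies to. Wrapping the appended expression in parentheses at every join site — `"!(object.kind == 'Pod') || (" + m.Expression + ")"` in validatingpolicy.go, and likewise wherever these two prefixes are joined (that site is outside this hunk) — keeps the kind guard and the user expression independent. A short comment on these two constants would also help the next reader: `// Trailing "|| " is intentional: the policy's own match condition is appended, so the guard is true (rule applies unconditionally) for any kind not listed.`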
@@ -181,7 +181,7 @@ func TestGenerateRuleForControllers(t *testing.T) {
 MatchConditions: []admissionregistrationv1.MatchCondition{
 {
 Name: "autogen-only for production",
- Expression: "!(object.Kind =='Deployment' || object.Kind =='ReplicaSet' || object.Kind =='StatefulSet' || object.Kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod == 'true'",
+ Expression: "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod) && object.spec.template.metadata.labels.prod == 'true'",
 },
 },
 Validations: []admissionregistrationv1.Validation{
@@ -320,7 +320,7 @@ func TestGenerateCronJobRule(t *testing.T) {
 MatchConditions: []admissionregistrationv1.MatchCondition{
 {
 Name: "autogen-cronjobs-only for production",
- Expression: "!(object.Kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels) && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod == 'true'",
+ Expression: "!(object.kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels) && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod == 'true'",
 },
 },
 Validations: []admissionregistrationv1.Validation{
diff --git a/pkg/controllers/webhook/validatingpolicy.go b/pkg/controllers/webhook/validatingpolicy.go
index a26bfeee48..45dc1fb539 100644
--- a/pkg/controllers/webhook/validatingpolicy.go
+++ b/pkg/controllers/webhook/validatingpolicy.go
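Review bot: Both updated assertions compare the generated match condition against a literal string, so a CEL-level mistake like the `object.Kind` this commit fixes is only discovered when a policy is actually admitted; as I understand the API server's behaviour, a match condition that fails to evaluate is resolved by the policy's failurePolicy, and with `Ignore` the autogenerated rule is silently skipped for pod controllers rather than surfacing an error. If this package already has a CEL environment available in tests (not visible from these hunks), a second assertion that compiles each generated expression — for example `_, issues := env.Compile(got.MatchConditions[0].Expression)` followed by `assert.Nil(t, issues.Err())` — would turn that class of regression into a unit-test failure. TestGenerateRuleForControllers and TestGenerateCronJobRule both start before and continue past their hunks.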
@@ -55,7 +55,7 @@ func buildWebhookRules(cfg config.Configuration, server string, servicePort int3
 if ok, _ := autogen.CanAutoGen(vpol.GetSpec()); ok {
 webhook.MatchConditions = append(webhook.MatchConditions, admissionregistrationv1.MatchCondition{
 Name: m.Name,
- Expression: "!(object.Kind == 'Pod') || " + m.Expression,
+ Expression: "!(object.kind == 'Pod') || " + m.Expression,
 })
 } else {
 webhook.MatchConditions = vpol.GetMatchConditions()
diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
index 8d7f8f5a9b..ce899a4443 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-cronjobs/check-autogen.yaml
@@ -6,7 +6,7 @@ status:
 autogen:
 rules:
 - matchConditions:
- - expression: "!(object.Kind =='Deployment' || object.Kind =='ReplicaSet' || object.Kind =='StatefulSet' || object.Kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
+ - expression: "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
 && object.spec.template.metadata.labels.prod == 'true'"
 name: autogen-check-prod-label
 matchConstraints:
@@ -27,7 +27,7 @@ status:
 message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
 - matchConditions:
- - expression: "!(object.Kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels)
+ - expression: "!(object.kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels)
 && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod == 'true'"
diff --git a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml
index 779170de0e..8681e631e2 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/autogen-deployments-statefulsets/check-autogen.yaml
@@ -6,7 +6,7 @@ status:
 autogen:
 rules:
 - matchConditions:
- - expression: "!(object.Kind =='Deployment' || object.Kind =='ReplicaSet' || object.Kind =='StatefulSet' || object.Kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
+ - expression: "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
 && object.spec.template.metadata.labels.prod == 'true'"
 name: autogen-check-prod-label
 matchConstraints:
diff --git a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
index 997ef69233..b998041b65 100644
--- a/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
+++ b/test/conformance/chainsaw/validating-policies/autogen/should-autogen/check-autogen.yaml
@@ -6,7 +6,7 @@ status:
 autogen:
 rules:
 - matchConditions:
- - expression: "!(object.Kind =='Deployment' || object.Kind =='ReplicaSet' || object.Kind =='StatefulSet' || object.Kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
+ - expression: "!(object.kind =='Deployment' || object.kind =='ReplicaSet' || object.kind =='StatefulSet' || object.kind =='DaemonSet') || has(object.spec.template.metadata.labels) && has(object.spec.template.metadata.labels.prod)
 && object.spec.template.metadata.labels.prod == 'true'"
 name: autogen-check-prod-label
 matchConstraints:
@@ -39,7 +39,7 @@ status:
 message: Privilege escalation is disallowed. The field spec.containers[*].securityContext.allowPrivilegeEscalation must be set to `false`.
 - matchConditions:
- - expression: "!(object.Kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels)
+ - expression: "!(object.kind =='CronJob') || has(object.spec.jobTemplate.spec.template.metadata.labels)
 && has(object.spec.jobTemplate.spec.template.metadata.labels.prod) && object.spec.jobTemplate.spec.template.metadata.labels.prod == 'true'"