fix: allow exceptions to match Pod/ephemeralcontainers by default (#10778)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-03-05 07:26:55 +00:00 · 2024-08-02 15:47:09 +03:00 · 2024-08-02 15:47:09 +03:00 · 9d28116eb4
commit 9d28116eb4
parent a1510d9db1
7 changed files with 120 additions and 2 deletions
--- a/pkg/engine/utils/exceptions.go
+++ b/pkg/engine/utils/exceptions.go
@ -96,8 +96,7 @@ func checkResourceDescription(
 	subresource string,
 ) bool {
 	if len(conditionBlock.Kinds) > 0 {
-		// Matching on ephemeralcontainers even when they are not explicitly specified is only applicable to policies.
-		if !matched.CheckKind(conditionBlock.Kinds, gvk, subresource, false) {
+		if !matched.CheckKind(conditionBlock.Kinds, gvk, subresource, true) {
 			return false
 		}
 	}
--- a/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/README.md
+++ b/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/README.md
@ -0,0 +1,16 @@
+## Description
+
+This test makes sure that policy exception matches `Pod/epehemeralcontainers` resource by default in case it matches Pods.
+
+## Expected Behavior
+1. Create a policy that matches Pods and restrict setting `runAsNonRoot` to `true`.
+
+2. Create an exception that excludes Pods from the policy.
+
+3. Create a Pod that violates the policy. It is expected that the Pod will be created successfully as it matches the exception.
+
+4. Run `kubectl debug` command to attach to the Pod. It is expected that the command will run successfully since exceptions match `Pod/ephemeralcontainers` resource by default.
+
+## Reference Issue(s)
+
+#9484
--- a/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/chainsaw-test.yaml
@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: exclude-ephemeral-containers
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: exception.yaml
+  - name: step-03
+    try:
+    - apply:
+        file: excluded-pod.yaml
+  - name: step-04
+    try:
+    - script:
+        content: if kubectl debug -n $NAMESPACE badpod --image=busybox:1.35; then exit 0; else exit 1; fi;
--- a/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/exception.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/exception.yaml
@ -0,0 +1,16 @@
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+  name: test-policy-exceptions
+spec:
+  background: true
+  exceptions:
+  - policyName: require-run-as-nonroot
+    ruleNames:
+    - run-as-non-root
+    - autogen-run-as-non-root
+  match:
+    all:
+    - resources:
+        kinds:
+        - Pod
--- a/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/excluded-pod.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/excluded-pod.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod
+spec:
+  containers:
+  - name: container01
+    image: busybox:1.35
+    securityContext:
+      runAsNonRoot: false
--- a/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/policy-assert.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/policy-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-nonroot
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/exclude-ephemeral-containers/policy.yaml
@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-run-as-nonroot
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: run-as-non-root
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: >-
+          Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
+          must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
+          spec.initContainers[*].securityContext.runAsNonRoot, and spec.ephemeralContainers[*].securityContext.runAsNonRoot
+          must be set to `true`.
+        anyPattern:
+        - spec:
+            securityContext:
+              runAsNonRoot: "true"
+            =(ephemeralContainers):
+            - =(securityContext):
+                =(runAsNonRoot): "true"
+            =(initContainers):
+            - =(securityContext):
+                =(runAsNonRoot): "true"
+            containers:
+            - =(securityContext):
+                =(runAsNonRoot): "true"
+        - spec:
+            =(ephemeralContainers):
+            - securityContext:
+                runAsNonRoot: "true"
+            =(initContainers):
+            - securityContext:
+                runAsNonRoot: "true"
+            containers:
+            - securityContext:
+                runAsNonRoot: "true"