fix PodExecOptions issue (#3373)

* fix PodExecOptions issue * add note * update comment
2025-03-05 15:37:19 +00:00 · 2022-03-11 15:09:32 +05:30 · 2022-03-11 15:09:32 +05:30 · b3a53f0658
commit b3a53f0658
parent 61245f0b69
5 changed files with 61 additions and 7 deletions
--- a/pkg/autogen/rule.go
+++ b/pkg/autogen/rule.go
@ -77,8 +77,8 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 	matchResourceDescriptionsKinds := rule.MatchKinds()
 	excludeResourceDescriptionsKinds := rule.ExcludeKinds()

-	if !utils.ContainsPod(matchResourceDescriptionsKinds, "Pod") ||
-		(len(excludeResourceDescriptionsKinds) != 0 && !utils.ContainsPod(excludeResourceDescriptionsKinds, "Pod")) {
+	if !utils.ContainsKind(matchResourceDescriptionsKinds, "Pod") ||
+		(len(excludeResourceDescriptionsKinds) != 0 && !utils.ContainsKind(excludeResourceDescriptionsKinds, "Pod")) {
 		return nil
 	}

--- a/pkg/autogen/utils.go
+++ b/pkg/autogen/utils.go
@ -8,7 +8,7 @@ import (
 )

 func isKindOtherthanPod(kinds []string) bool {
-	if len(kinds) > 1 && utils.ContainsPod(kinds, "Pod") {
+	if len(kinds) > 1 && utils.ContainsKind(kinds, "Pod") {
 		return true
 	}
 	return false
@ -39,7 +39,7 @@ func validateAnyPattern(anyPatterns []interface{}) []interface{} {
 func getAnyAllAutogenRule(v kyverno.ResourceFilters, controllers string) kyverno.ResourceFilters {
 	anyKind := v.DeepCopy()
 	for i, value := range v {
-		if utils.ContainsPod(value.Kinds, "Pod") {
+		if utils.ContainsKind(value.Kinds, "Pod") {
 			anyKind[i].Kinds = strings.Split(controllers, ",")
 		}
 	}
@ -65,7 +65,7 @@ func stripCronJob(controllers string) string {
 func cronJobAnyAllAutogenRule(v kyverno.ResourceFilters) kyverno.ResourceFilters {
 	anyKind := v.DeepCopy()
 	for i, value := range v {
-		if utils.ContainsPod(value.Kinds, "Job") {
+		if utils.ContainsKind(value.Kinds, "Job") {
 			anyKind[i].Kinds = []string{PodControllerCronJob}
 		}
 	}
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -1506,7 +1506,7 @@ func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.
 			return fmt.Errorf("kind and match resource kind should not be the same")
 		}

-		if !mock {
+		if !mock && !utils.SkipSubResources(k) {
 			_, _, err := client.DiscoveryClient.FindResource(gv, k)
 			if err != nil {
 				return fmt.Errorf("unable to convert GVK to GVR, %s, err: %s", kinds, err)
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@ -1558,3 +1558,51 @@ func Test_patchesJson6902_Policy(t *testing.T) {
 	err = Validate(policy, nil, true, openAPIController)
 	assert.NilError(t, err)
 }
+
+func Test_deny_exec(t *testing.T) {
+	var err error
+	rawPolicy := []byte(`{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "deny-exec-to-pod"
+		},
+		"spec": {
+		  "validationFailureAction": "enforce",
+		  "background": false,
+		  "schemaValidation": false,
+		  "rules": [
+			{
+			  "name": "deny-pod-exec",
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"PodExecOptions"
+				  ]
+				}
+			  },
+			  "preconditions": {
+				"all": [
+				  {
+					"key": "{{ request.operation }}",
+					"operator": "Equals",
+					"value": "CONNECT"
+				  }
+				]
+			  },
+			  "validate": {
+				"message": "Containers can't be exec'd into in production.",
+				"deny": {}
+			  }
+			}
+		  ]
+		}
+	  }`)
+	var policy *kyverno.ClusterPolicy
+	err = json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	openAPIController, _ := openapi.NewOpenAPIController()
+	err = Validate(policy, nil, true, openAPIController)
+	assert.NilError(t, err)
+}
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@ -36,7 +36,7 @@ func contains(list []string, element string, fn func(string, string) bool) bool
 	return false
 }

-func ContainsPod(list []string, element string) bool {
+func ContainsKind(list []string, element string) bool {
 	for _, e := range list {
 		_, k := common.GetKindFromGVK(e)
 		if k == element {
@ -46,6 +46,12 @@ func ContainsPod(list []string, element string) bool {
 	return false
 }

+// SkipSubResources check to skip list of resources which don't have group.
+func SkipSubResources(kind string) bool {
+	s := []string{"PodExecOptions", "PodAttachOptions", "PodProxyOptions", "ServiceProxyOptions", "NodeProxyOptions"}
+	return ContainsKind(s, kind)
+}
+
 // ContainsNamepace check if namespace satisfies any list of pattern(regex)
 func ContainsNamepace(patterns []string, ns string) bool {
 	return contains(patterns, ns, compareNamespaces)