Bug fix: negation of string kernel version caused Cluster Policy to fail (#3229)

* fixed bug where negation of kernel version caused cpolr to fail Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> * small fix in function validateString Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> * Added necessary tests Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> Added one more test Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> * Add more tests and added a policy to the test folder Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> * added policy for test cli Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-02-17 09:33:30 +05:30 · 2022-02-17 09:33:30 +05:30 · b91ff5a7f2
commit b91ff5a7f2
parent 1f60aee4b9
6 changed files with 98 additions and 2 deletions
--- a/pkg/engine/common/pattern.go
+++ b/pkg/engine/common/pattern.go
@ -285,11 +285,12 @@ func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, o
 	}

 	// 2. wildcard match
-	if !wildcard.Match(pattern, typedValue) {
+	if validateString(log, value, pattern, operator) {
+		return true
+	} else {
 		log.V(4).Info("value failed wildcard check", "type", fmt.Sprintf("%T", typedValue), "value", typedValue, "check", pattern)
 		return false
 	}
-	return true
 }

 func compareQuantity(value, pattern apiresource.Quantity, op operator.Operator) bool {
--- a/pkg/engine/common/pattern_test.go
+++ b/pkg/engine/common/pattern_test.go
@ -385,3 +385,11 @@ func TestGetOperatorFromStringPattern_OneChar(t *testing.T) {
 func TestGetOperatorFromStringPattern_EmptyString(t *testing.T) {
 	assert.Equal(t, operator.GetOperatorFromStringPattern(""), operator.Equal)
 }
+
+func TestValidateKernelVersion_NotEquals(t *testing.T) {
+	assert.Assert(t, validateValueWithStringPattern(log.Log, "5.16.5-arch1-1", "!5.10.84-1"))
+	assert.Assert(t, !validateValueWithStringPattern(log.Log, "5.10.84-1", "!5.10.84-1"))
+	assert.Assert(t, validateValueWithStringPatterns(log.Log, "5.16.5-arch1-1", "!5.10.84-1 & !5.15.2-1"))
+	assert.Assert(t, !validateValueWithStringPatterns(log.Log, "5.10.84-1", "!5.10.84-1 & !5.15.2-1"))
+	assert.Assert(t, !validateValueWithStringPatterns(log.Log, "5.15.2-1", "!5.10.84-1 & !5.15.2-1"))
+}
--- a/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml
+++ b/test/cli/test/node-status/check_node_for_cve_2022_0185.yaml
@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-kernel
+  annotations:
+    policies.kyverno.io/title: Check Node for CVE-2022-0185
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: high
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/subject: Node
+    policies.kyverno.io/description: >-
+      Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
+      The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2.
+      For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
+      This policy runs in background mode and flags an entry in the ClusterPolicyReport
+      if any Node is reporting one of the affected kernel versions.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+  - name: kernel-validate
+    match:
+      any:
+      - resources:
+          kinds:
+            - Node
+    validate:
+      message: "Kernel is vulnerable to CVE-2022-0185."
+      pattern:
+        status:
+          nodeInfo:
+            kernelVersion: "!5.10.84-1 & !5.15.5-2"
--- a/test/cli/test/node-status/kyverno-test.yaml
+++ b/test/cli/test/node-status/kyverno-test.yaml
@ -0,0 +1,11 @@
+name: check-kernel
+policies:
+  - check_node_for_cve_2022_0185.yaml
+resources:
+  - resource.yaml
+results:
+- policy: check-kernel
+  rule: kernel-validate
+  resource: test-check-kernel-version
+  kind: Node
+  result: pass
--- a/test/cli/test/node-status/resource.yaml
+++ b/test/cli/test/node-status/resource.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Node
+metadata:
+  name: test-check-kernel-version
+status:
+    nodeInfo:
+      architechture: "amd64"
+      kernelVersion: "5.16.5-arch1-1"
--- a/test/policy/validate/check_node_for_cve_2022_0185.yaml
+++ b/test/policy/validate/check_node_for_cve_2022_0185.yaml
@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-kernel
+  annotations:
+    policies.kyverno.io/title: Check Node for CVE-2022-0185
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: high
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/subject: Node
+    policies.kyverno.io/description: >-
+      Linux CVE-2022-0185 can allow a container escape in Kubernetes if left unpatched.
+      The affected Linux kernel versions, at this time, are 5.10.84-1 and 5.15.5-2.
+      For more information, refer to https://security-tracker.debian.org/tracker/CVE-2022-0185.
+      This policy runs in background mode and flags an entry in the ClusterPolicyReport
+      if any Node is reporting one of the affected kernel versions.
+spec:
+  validationFailureAction: audit
+  background: true
+  rules:
+  - name: kernel-validate
+    match:
+      any:
+      - resources:
+          kinds:
+            - Node
+    validate:
+      message: "Kernel is vulnerable to CVE-2022-0185."
+      pattern:
+        status:
+          nodeInfo:
+            kernelVersion: "!5.10.84-1 & !5.15.5-2"