added check for any/all (#2907)

* added check for any/all Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * minor corrections Signed-off-by: anushkamittal20 <anumittal4641@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-01-05 22:38:24 +05:30 · 2022-01-05 22:38:24 +05:30 · e9826e103d
commit e9826e103d
parent df105ff596
1 changed files with 36 additions and 3 deletions
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@ -117,9 +117,42 @@ func containsRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {
 	for _, policySlice := range policies {
 		for _, policy := range policySlice {
 			for _, rule := range policy.Spec.Rules {
-				if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 || len(rule.ExcludeResources.Roles) > 0 || len(rule.ExcludeResources.ClusterRoles) > 0 {
-					return true
-				}
+				checkForRBACInfo(rule)
+			}
+		}
+	}
+	return false
+}
+
+func checkForRBACInfo(rule kyverno.Rule) bool {
+	if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 || len(rule.ExcludeResources.Roles) > 0 || len(rule.ExcludeResources.ClusterRoles) > 0 {
+		return true
+	}
+	if len(rule.MatchResources.All) > 0 {
+		for _, rf := range rule.MatchResources.All {
+			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
+				return true
+			}
+		}
+	}
+	if len(rule.MatchResources.Any) > 0 {
+		for _, rf := range rule.MatchResources.Any {
+			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
+				return true
+			}
+		}
+	}
+	if len(rule.ExcludeResources.All) > 0 {
+		for _, rf := range rule.ExcludeResources.All {
+			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
+				return true
+			}
+		}
+	}
+	if len(rule.ExcludeResources.Any) > 0 {
+		for _, rf := range rule.ExcludeResources.Any {
+			if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
+				return true
 			}
 		}
 	}