1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

enable autogen for validate.podsecurity with no exclude (#4594)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
Jim Bugwadia 2022-09-12 00:03:35 -07:00 committed by GitHub
parent 4d0a01393b
commit ed6d9b9624
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 1 deletions

View file

@ -220,12 +220,16 @@ func generateRules(spec *kyvernov1.Spec, controllers string) []kyvernov1.Rule {
if genRule := createRule(generateRuleForControllers(&spec.Rules[i], stripCronJob(controllers))); genRule != nil {
if convRule, err := convertRule(*genRule, "Pod"); err == nil {
rules = append(rules, *convRule)
} else {
logger.Error(err, "failed to create rule")
}
}
// handle CronJob, it appends an additional rule
if genRule := createRule(generateCronJobRule(&spec.Rules[i], controllers)); genRule != nil {
if convRule, err := convertRule(*genRule, "Cronjob"); err == nil {
rules = append(rules, *convRule)
} else {
logger.Error(err, "failed to create Cronjob rule")
}
}
}

View file

@ -228,6 +228,11 @@ func Test_GetSupportedControllers(t *testing.T) {
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","podSecurity": {"level": "baseline","version":"v1.24","exclude":[{"controlName":"SELinux","restrictedField":"spec.containers[*].securityContext.seLinuxOptions.role","images":["nginx"],"values":["baz"]}, {"controlName":"SELinux","restrictedField":"spec.initContainers[*].securityContext.seLinuxOptions.role","images":["nodejs"],"values":["init-baz"]}]}}}]}}`),
expectedControllers: PodControllers,
},
{
name: "rule-with-validate-podsecurity",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
expectedControllers: PodControllers,
},
}
for _, test := range testCases {
@ -817,3 +822,13 @@ kA==
assert.DeepEqual(t, test.expectedRules, rules)
}
}
func Test_PodSecurityWithNoExceptions(t *testing.T) {
policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
policies, err := yamlutils.GetPolicy([]byte(policy))
assert.NilError(t, err)
assert.Equal(t, 1, len(policies))
rules := computeRules(policies[0])
assert.Equal(t, 3, len(rules))
}

View file

@ -149,7 +149,7 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
rule.Validation = deny
return rule
}
if rule.Validation.PodSecurity != nil && len(rule.Validation.PodSecurity.Exclude) > 0 {
if rule.Validation.PodSecurity != nil {
newExclude := make([]kyvernov1.PodSecurityStandard, len(rule.Validation.PodSecurity.Exclude))
copy(newExclude, rule.Validation.PodSecurity.Exclude)
podSecurity := kyvernov1.Validation{