From ed6d9b96245fda7a128f815269866b13a523fcc6 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Mon, 12 Sep 2022 00:03:35 -0700
Subject: [PATCH] enable autogen for validate.podsecurity with no exclude (#4594)
Signed-off-by: Jim Bugwadia
---
 pkg/autogen/autogen.go | 4 ++++
 pkg/autogen/autogen_test.go | 15 +++++++++++++++
 pkg/autogen/rule.go | 2 +-
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go
index 63453a8548..09dc28c63e 100644
--- a/pkg/autogen/autogen.go
+++ b/pkg/autogen/autogen.go
@@ -220,12 +220,16 @@ func generateRules(spec *kyvernov1.Spec, controllers string) []kyvernov1.Rule {
 if genRule := createRule(generateRuleForControllers(&spec.Rules[i], stripCronJob(controllers))); genRule != nil {
 if convRule, err := convertRule(*genRule, "Pod"); err == nil {
 rules = append(rules, *convRule)
+ } else {
+ logger.Error(err, "failed to create rule")
 }
 }
 // handle CronJob, it appends an additional rule
 if genRule := createRule(generateCronJobRule(&spec.Rules[i], controllers)); genRule != nil {
 if convRule, err := convertRule(*genRule, "Cronjob"); err == nil {
 rules = append(rules, *convRule)
+ } else {
+ logger.Error(err, "failed to create Cronjob rule")
 }
 }
 }
diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go
index 73ed503e01..279f08d8a0 100644
--- a/pkg/autogen/autogen_test.go
+++ b/pkg/autogen/autogen_test.go
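Review bot: The two new `else` branches log the conversion failure and then fall through, so the generated rule is dropped and `rules` is returned without it; since `generateRules` returns only `[]kyvernov1.Rule` (per the hunk header), a policy whose Pod rule fails `convertRule` appears to be installed with fewer autogenerated rules than intended, leaving the matching controllers unguarded with a log line as the only signal. At minimum make the log actionable by naming the source rule and target kind, e.g. `logger.Error(err, "failed to create autogen rule", "rule", spec.Rules[i].Name, "kind", "Pod")` and `"kind", "CronJob"` in the second branch. Beyond that, consider surfacing the failure through policy validation so a policy is rejected rather than silently weakened; that needs a signature change that this hunk does not attempt. The body of `generateRules` starts before and continues after this hunk.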
@@ -228,6 +228,11 @@ func Test_GetSupportedControllers(t *testing.T) {
 policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","podSecurity": {"level": "baseline","version":"v1.24","exclude":[{"controlName":"SELinux","restrictedField":"spec.containers[*].securityContext.seLinuxOptions.role","images":["nginx"],"values":["baz"]}, {"controlName":"SELinux","restrictedField":"spec.initContainers[*].securityContext.seLinuxOptions.role","images":["nodejs"],"values":["init-baz"]}]}}}]}}`),
 expectedControllers: PodControllers,
 },
+ {
+ name: "rule-with-validate-podsecurity",
+ policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
+ expectedControllers: PodControllers,
+ },
 }
 
 for _, test := range testCases {
@@ -817,3 +822,13 @@ kA==
 assert.DeepEqual(t, test.expectedRules, rules)
 }
 }
+
+func Test_PodSecurityWithNoExceptions(t *testing.T) {
+ policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
+ policies, err := yamlutils.GetPolicy([]byte(policy))
+ assert.NilError(t, err)
+ assert.Equal(t, 1, len(policies))
+
+ rules := computeRules(policies[0])
+ assert.Equal(t, 3, len(rules))
+}
diff --git a/pkg/autogen/rule.go b/pkg/autogen/rule.go
index 50314071ce..16530372a5 100644
--- a/pkg/autogen/rule.go
+++ b/pkg/autogen/rule.go
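Review bot: `Test_PodSecurityWithNoExceptions` pins only `len(rules) == 3` and never inspects the generated rules, so a regression that produced three rules with a missing `validate.podSecurity` block on the autogenerated ones would still pass — and that is precisely the gap the rule.go change closes. Assert on content as well, e.g. `for _, r := range rules { assert.Assert(t, r.Validation.PodSecurity != nil) }`, and ideally that the autogenerated rules keep `level: restricted` (the expected split into the original, a Pod-controllers rule and a CronJob rule is inferred from the count, so confirm against `computeRules`). Two smaller points: `policy` is already a `[]byte`, so `yamlutils.GetPolicy([]byte(policy))` can be `yamlutils.GetPolicy(policy)`, and the test name says "NoExceptions" while the field under test is `exclude` — `Test_PodSecurityWithNoExclude` would match the commit subject.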
@@ -149,7 +149,7 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
 rule.Validation = deny
 return rule
 }
- if rule.Validation.PodSecurity != nil && len(rule.Validation.PodSecurity.Exclude) > 0 {
+ if rule.Validation.PodSecurity != nil {
 newExclude := make([]kyvernov1.PodSecurityStandard, len(rule.Validation.PodSecurity.Exclude))
 copy(newExclude, rule.Validation.PodSecurity.Exclude)
 podSecurity := kyvernov1.Validation{
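Review bot: With the `len(...Exclude) > 0` guard gone, `make([]kyvernov1.PodSecurityStandard, 0)` now yields an empty non-nil slice in the common no-exclude case where the source rule had a nil `Exclude`; whether that shows up as a spurious `exclude: []` in the generated rule depends on the field's `omitempty` tag, which is not visible here. Preserving nil-ness is a one-line change that removes the question: `newExclude := append([]kyvernov1.PodSecurityStandard(nil), rule.Validation.PodSecurity.Exclude...)`. The relaxed condition is the real fix — per the commit subject, a podSecurity rule without exclusions was previously not autogenerated for the Pod controllers — so a comment pinning the invariant would guard against a regression: `// Always rewrite podSecurity for the autogenerated kinds, even with no exclusions; copy Exclude so the generated rule does not alias the source slice.` `generateRule` starts and ends outside this hunk.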