enable autogen for validate.podsecurity with no exclude (#4594)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2024-12-15 17:51:20 +00:00 · 2022-09-12 00:03:35 -07:00 · 2022-09-12 00:03:35 -07:00 · ed6d9b9624
commit ed6d9b9624
parent 4d0a01393b
3 changed files with 20 additions and 1 deletions
--- a/pkg/autogen/autogen.go
+++ b/pkg/autogen/autogen.go
@ -220,12 +220,16 @@ func generateRules(spec *kyvernov1.Spec, controllers string) []kyvernov1.Rule {
 		if genRule := createRule(generateRuleForControllers(&spec.Rules[i], stripCronJob(controllers))); genRule != nil {
 			if convRule, err := convertRule(*genRule, "Pod"); err == nil {
 				rules = append(rules, *convRule)
 			} else {
 				logger.Error(err, "failed to create rule")
 			}
 		}
 		// handle CronJob, it appends an additional rule
 		if genRule := createRule(generateCronJobRule(&spec.Rules[i], controllers)); genRule != nil {
 			if convRule, err := convertRule(*genRule, "Cronjob"); err == nil {
 				rules = append(rules, *convRule)
 			} else {
 				logger.Error(err, "failed to create Cronjob rule")
 			}
 		}
 	}
--- a/pkg/autogen/autogen_test.go
+++ b/pkg/autogen/autogen_test.go
@ -228,6 +228,11 @@ func Test_GetSupportedControllers(t *testing.T) {
 			policy:              []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","podSecurity": {"level": "baseline","version":"v1.24","exclude":[{"controlName":"SELinux","restrictedField":"spec.containers[*].securityContext.seLinuxOptions.role","images":["nginx"],"values":["baz"]}, {"controlName":"SELinux","restrictedField":"spec.initContainers[*].securityContext.seLinuxOptions.role","images":["nodejs"],"values":["init-baz"]}]}}}]}}`),
 			expectedControllers: PodControllers,
 		},
 		{
 			name:                "rule-with-validate-podsecurity",
 			policy:              []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`),
 			expectedControllers: PodControllers,
 		},
 	}
 	for _, test := range testCases {
@ -817,3 +822,13 @@ kA==
 		assert.DeepEqual(t, test.expectedRules, rules)
 	}
 }
 func Test_PodSecurityWithNoExceptions(t *testing.T) {
 	policy := []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"pod-security"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"restricted","match":{"all":[{"resources":{"kinds":["Pod"]}}]},"validate":{"podSecurity":{"level":"restricted","version":"v1.24"}}}]}}`)
 	policies, err := yamlutils.GetPolicy([]byte(policy))
 	assert.NilError(t, err)
 	assert.Equal(t, 1, len(policies))
 	rules := computeRules(policies[0])
 	assert.Equal(t, 3, len(rules))
 }
--- a/pkg/autogen/rule.go
+++ b/pkg/autogen/rule.go
@ -149,7 +149,7 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
 		rule.Validation = deny
 		return rule
 	}
-	if rule.Validation.PodSecurity != nil && len(rule.Validation.PodSecurity.Exclude) > 0 {
+	if rule.Validation.PodSecurity != nil {
 		newExclude := make([]kyvernov1.PodSecurityStandard, len(rule.Validation.PodSecurity.Exclude))
 		copy(newExclude, rule.Validation.PodSecurity.Exclude)
 		podSecurity := kyvernov1.Validation{