package match
import (
	"strings"

	"golang.org/x/exp/slices"

	authenticationv1 "k8s.io/api/authentication/v1"
	rbacv1 "k8s.io/api/rbac/v1"
)
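// CheckSubjects reports whether userInfo matches at least one of ruleSubjects.
//
// Matching rules, by subject kind:
//   - "ServiceAccount": userInfo.Username must be exactly
//     "system:serviceaccount:<subject.Namespace>:<subject.Name>".
//   - "User" / "Group": subject.Name must equal userInfo.Username or be one
//     of userInfo.Groups. (A Group subject therefore also matches a user whose
//     username equals the group name; that is the existing contract.)
//   - any other kind is ignored.
//
// Every entry of excludeGroupRole is treated as an additional Group subject
// (see https://github.com/kyverno/kyverno/issues/861).
//
// The function does not mutate ruleSubjects, userInfo.Groups or
// excludeGroupRole.
func CheckSubjects(
	ruleSubjects []rbacv1.Subject,
	userInfo authenticationv1.UserInfo,
	excludeGroupRole []string,
) bool {
	const saPrefix = "system:serviceaccount:"

	// Names that satisfy a User or Group subject: every group plus the
	// username itself. Built as a fresh slice so that appending never writes
	// into the caller's backing array (userInfo.Groups may have spare capacity).
	principals := make([]string, 0, len(userInfo.Groups)+1)
	principals = append(principals, userInfo.Groups...)
	principals = append(principals, userInfo.Username)

	// A username is only a service-account identity if it actually carries the
	// well-known prefix; only then is the "<namespace>:<name>" remainder
	// meaningful. Slicing off len(saPrefix) bytes without checking the prefix
	// would let any username of sufficient length whose tail happens to be
	// "<namespace>:<name>" be treated as that service account.
	saIdentity, isServiceAccount := "", false
	if strings.HasPrefix(userInfo.Username, saPrefix) {
		saIdentity = strings.TrimPrefix(userInfo.Username, saPrefix)
		// A bare prefix with nothing after it is not a service account.
		isServiceAccount = saIdentity != ""
	}

	for _, subject := range ruleSubjects {
		switch subject.Kind {
		case "ServiceAccount":
			if isServiceAccount && saIdentity == subject.Namespace+":"+subject.Name {
				return true
			}
		case "User", "Group":
			if slices.Contains(principals, subject.Name) {
				return true
			}
		}
	}

	// TODO: see issue https://github.com/kyverno/kyverno/issues/861
	// Excluded groups/roles are matched exactly like Group subjects. They are
	// checked here rather than appended to ruleSubjects so the caller's slice
	// (and its backing array) is left untouched.
	for _, group := range excludeGroupRole {
		if slices.Contains(principals, group) {
			return true
		}
	}
	return false
}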