* feat: support wildcard in subjects statements Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * kuttl tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * sa tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
package match
import (
"github.com/kyverno/kyverno/pkg/utils/wildcard"
authenticationv1 "k8s.io/api/authentication/v1"
rbacv1 "k8s.io/api/rbac/v1"
)
// CheckSubjects reports whether userInfo matches at least one of ruleSubjects.
//
// Each rule subject is compared against the authenticated request using
// wildcard.Match, with the rule's value passed first (presumably as the
// pattern) and the request's value second:
//   - ServiceAccount subjects are expanded to the
//     "system:serviceaccount:<namespace>:<name>" username form and compared
//     with userInfo.Username;
//   - Group subjects are compared with every entry of userInfo.Groups;
//   - User subjects are compared with userInfo.Username.
//
// Subjects of any other kind never match, and an empty ruleSubjects yields
// false. Because User subjects are matched against the raw username, a User
// pattern can also match service-account usernames of the
// "system:serviceaccount:..." form; policy authors should keep wildcard
// patterns as narrow as the use case allows.
func CheckSubjects(
	ruleSubjects []rbacv1.Subject,
	userInfo authenticationv1.UserInfo,
) bool {
	for i := range ruleSubjects {
		if subjectMatchesUserInfo(ruleSubjects[i], userInfo) {
			return true
		}
	}
	return false
}

// subjectMatchesUserInfo reports whether a single rule subject matches
// userInfo. It is the per-subject step of CheckSubjects.
func subjectMatchesUserInfo(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool {
	switch subject.Kind {
	case rbacv1.ServiceAccountKind:
		// Both Namespace and Name are policy-controlled, so a wildcard in
		// either widens the match across namespaces or accounts. An empty
		// Namespace produces "system:serviceaccount::<name>"; whether that
		// ever matches depends on wildcard.Match.
		pattern := "system:serviceaccount:" + subject.Namespace + ":" + subject.Name
		return wildcard.Match(pattern, userInfo.Username)
	case rbacv1.GroupKind:
		for _, group := range userInfo.Groups {
			if wildcard.Match(subject.Name, group) {
				return true
			}
		}
		return false
	case rbacv1.UserKind:
		return wildcard.Match(subject.Name, userInfo.Username)
	default:
		// Unknown kinds are ignored rather than treated as a match.
		return false
	}
}