From c9b7710f022203dab959a6835aac13e683132236 Mon Sep 17 00:00:00 2001
From: hadar-co
Date: Wed, 12 Jul 2023 12:16:17 +0300
Subject: [PATCH] fix: update name rule logic to ignore incorrect kinds (#957)

* fix: update name rule logic to ignore incorrect kinds
* fix: update name rule logic to ignore incorrect kinds
* fix: update name rule logic to ignore incorrect kinds
* fix: update name rule logic to ignore incorrect kinds
* fix: update name rule logic to ignore incorrect kinds
---
 pkg/defaultRules/defaultRules.yaml | 64 ++++++++++++++++---------
 pkg/policy/tests/54/fail/54-fail-2.yaml | 20 ++++++++
 pkg/policy/tests/54/pass/54-pass-2.yaml | 12 +++++
 pkg/policy/tests/54/pass/54-pass-3.yaml | 6 +++
 pkg/policy/tests/54/pass/54-pass-4.yaml | 12 +++++
 5 files changed, 92 insertions(+), 22 deletions(-)
 create mode 100644 pkg/policy/tests/54/fail/54-fail-2.yaml
 create mode 100644 pkg/policy/tests/54/pass/54-pass-2.yaml
 create mode 100644 pkg/policy/tests/54/pass/54-pass-3.yaml
 create mode 100644 pkg/policy/tests/54/pass/54-pass-4.yaml

diff --git a/pkg/defaultRules/defaultRules.yaml b/pkg/defaultRules/defaultRules.yaml
index 3efb5beb6..63b9df854 100644
--- a/pkg/defaultRules/defaultRules.yaml
+++ b/pkg/defaultRules/defaultRules.yaml
@@ -1861,28 +1861,48 @@ rules: impact: Configurations with a missing or invalid name will pass k8s schema validation, but will fail when pushed into a cluster (i.e. when running kubectl apply/create) schema: definitions: - metadataNamePattern: - properties: - metadata: - type: object - properties: - name: - type: string - format: hostname - required: - - name - required: - - metadata - metadataGenerateNamePattern: + strictNamesPattern: + if: + properties: + kind: + not: + enum: + - ClusterRole + - ClusterRoleBinding + then: + properties: + metadata: + type: object + anyOf: + - properties: + name: + type: string + format: hostname + required: + - name + - properties: + generateName: + type: string + format: hostname + required: + - generateName + required: + - metadata + nonStrictNamesPattern: properties: metadata: type: object - properties: - generateName: - type: string - format: hostname - required: - - generateName + anyOf: + - properties: + name: + type: string + required: + - name + - properties: + generateName: + type: string + required: + - generateName required: - metadata if:
@@ -1892,9 +1912,9 @@ enum: - Kustomization then: - anyOf: - - $ref: "#/definitions/metadataNamePattern" - - $ref: "#/definitions/metadataGenerateNamePattern" + allOf: + - $ref: "#/definitions/strictNamesPattern" + - $ref: "#/definitions/nonStrictNamesPattern" - id: 55 name: Ensure each container probe has an initial delay configured uniqueName: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE
diff --git a/pkg/policy/tests/54/fail/54-fail-2.yaml b/pkg/policy/tests/54/fail/54-fail-2.yaml
new file mode 100644
index 000000000..988f9d8d6
--- /dev/null
+++ b/pkg/policy/tests/54/fail/54-fail-2.yaml
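Review bot: The `not: enum` guard in `strictNamesPattern` exempts only ClusterRole and ClusterRoleBinding, but the namespaced Role and RoleBinding kinds use the same path-segment naming and routinely carry colons (kube-system ships Roles such as `system:controller:bootstrap-signer`), so those manifests would still be reported as invalid names; extend the list with `- Role` and `- RoleBinding`. Separately, `format: hostname` is looser than the DNS-1123 subdomain check the API server applies to most kinds — typical validators accept uppercase labels under that format while `kubectl apply` rejects them — so a `pattern: "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"` would track the cluster-side check more closely; this gap predates the change but is carried into both new `format: hostname` lines. A one-line comment above the enum, `# RBAC object names are path segments, not DNS subdomains, so colons are legal`, would stop a later maintainer from "fixing" the exemption away. The rule 54 entry (its id, name and uniqueName lines) begins above this hunk.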
@@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: invalid:format +spec: + selector: + matchLabels: + app: frontend-deployment + template: + metadata: + labels: + app: frontend-deployment + spec: + containers: + - name: app + image: foo/bar:latest + ports: + - name: http + containerPort: 8080 + protocol: TCP
diff --git a/pkg/policy/tests/54/pass/54-pass-2.yaml b/pkg/policy/tests/54/pass/54-pass-2.yaml
new file mode 100644
index 000000000..c649cf38e
--- /dev/null
+++ b/pkg/policy/tests/54/pass/54-pass-2.yaml
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # "namespace" omitted since ClusterRoles are not namespaced + name: system:secret-reader +rules: +- apiGroups: [""] + # + # at the HTTP level, the name of the resource for accessing Secret + # objects is "secrets" + resources: ["secrets"] + verbs: ["get", "watch", "list"]
diff --git a/pkg/policy/tests/54/pass/54-pass-3.yaml b/pkg/policy/tests/54/pass/54-pass-3.yaml
new file mode 100644
index 000000000..cdcb8f5ed
--- /dev/null
+++ b/pkg/policy/tests/54/pass/54-pass-3.yaml
@@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - service.yaml + - deployment.yaml + - hpa.yaml
diff --git a/pkg/policy/tests/54/pass/54-pass-4.yaml b/pkg/policy/tests/54/pass/54-pass-4.yaml
new file mode 100644
index 000000000..69aac75e9
--- /dev/null
+++ b/pkg/policy/tests/54/pass/54-pass-4.yaml
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + # "namespace" omitted since ClusterRoles are not namespaced + name: valid:name +rules: +- apiGroups: [""] + # + # at the HTTP level, the name of the resource for accessing Secret + # objects is "secrets" + resources: ["secrets"] + verbs: ["get", "watch", "list"]
\ No newline at end of file
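Review bot: `54-pass-4.yaml` is a copy of `54-pass-2.yaml` that differs only in the `name` value, so both pass fixtures exercise the ClusterRole branch and nothing in the test set covers the ClusterRoleBinding entry the rule now also exempts; rewriting this fixture as a ClusterRoleBinding with a colon-separated name would give that entry a regression test. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint and most formatters flag. The `# at the HTTP level …` comment lines are lifted from the upstream RBAC docs and say nothing about this test; a single comment stating the fixture's purpose (`# colon-separated names are legal for RBAC kinds and must pass rule 54`) reads better.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # colon-separated names are legal for RBAC kinds and must pass rule 54
  name: system:secret-readers
subjects:
  - kind: Group
    name: secret-readers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:secret-reader
  apiGroup: rbac.authorization.k8s.io
```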