

Update restrict-wildcard-verbs to handle null/empty rules (#1025)
* update restrict-wildcard-verbs to handle null/empty rules

Signed-off-by: Daniel Reed <[email protected]>

* update digest in artifacthub-pkg.yml

Signed-off-by: Daniel Reed <[email protected]>

---------

Signed-off-by: Daniel Reed <[email protected]>
danielreed committed May 31, 2024
1 parent c2fc68a commit a556d71
Showing 4 changed files with 113 additions and 3 deletions.
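--- /dev/null
+++ b/other/restrict-wildcard-verbs/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,49 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+name: restrict-verbs
+policies:
+- ../restrict-wildcard-verbs.yaml
+resources:
+- resource.yaml
+results:
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: empty-rules
+kind: ClusterRole
+result: pass
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: empty-rules
+kind: Role
+result: pass
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: omitted-rules
+kind: ClusterRole
+result: pass
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: omitted-rules
+kind: Role
+result: pass
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: wildcard-once
+kind: ClusterRole
+result: fail
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: wildcard-once
+kind: Role
+result: fail
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: wildcard-with-another-verb
+kind: ClusterRole
+result: fail
+- policy: restrict-wildcard-verbs
+rule: wildcard-verbs
+resource: wildcard-with-another-verb
+kind: Role
+result: fail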
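Review bot: The new test covers `rules:` null and `rules` omitted but not `rules: []` or a rule entry with `verbs` omitted, which are the other two empty shapes the `to_array()` change is meant to absorb; add fixtures for both with `result: pass` so that behaviour is pinned rather than assumed. A second `fail` case with the wildcard in a later rule entry, e.g. one rule with `verbs: ["get"]` followed by one with `verbs: ["*"]`, would also exercise the flattening projection `rules[].verbs[]` across multiple rules, which none of the current fixtures do. Indentation is not visible on this rendered page, so the nesting of the `results` entries is assumed from the Kyverno CLI test schema.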
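--- /dev/null
+++ b/other/restrict-wildcard-verbs/.kyverno-test/resource.yaml
@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: empty-rules
+rules:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: empty-rules
+namespace: test
+rules:
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: omitted-rules
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: omitted-rules
+namespace: test
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: wildcard-once
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: wildcard-once
+namespace: test
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: wildcard-with-another-verb
+rules:
+- apiGroups: ["my-arbitrary-group"]
+resources: ["my-resource"]
+verbs: ["GET", "*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: wildcard-with-another-verb
+namespace: test
+rules:
+- apiGroups: ["my-arbitrary-group"]
+resources: ["my-resource"]
+verbs: ["GET", "*"]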
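Review bot: The two `wildcard-with-another-verb` fixtures use `verbs: ["GET", "*"]`, but Kubernetes RBAC verbs are lowercase (`get`, `list`, `watch`, ...), so `GET` would never match a real request and the fixture reads as a typo rather than a realistic rule; change both to `verbs: ["get", "*"]`. The test outcome is unaffected because the policy only looks for the literal `'*'`, so this is a matter of the fixtures modelling what the policy will actually see in a cluster. The `empty-rules` fixtures rely on a bare `rules:` parsing as null, which is the shape the policy change targets, so a short comment above them noting that this is deliberate would stop a linter-driven cleanup from turning it into `rules: []` and silently dropping the null case.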
2 changes: 1 addition & 1 deletion other/restrict-wildcard-verbs/artifacthub-pkg.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,4 @@ annotations:
kyverno/category: "Security, EKS Best Practices"
kyverno/kubernetesVersion: "1.23"
kyverno/subject: "Role, ClusterRole, RBAC"
digest: 3107969ac2e467ebca02514dd6c099b05b9294bc863e8e45b0d58e0ec5c1cbb6
digest: 6c66139e22ed82c0b6d4756b7653136347fdb9575976e13292fbc33e516fe475
4 changes: 2 additions & 2 deletions other/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,6 @@ spec:
deny:
conditions:
any:
- key: "{{ contains(request.object.rules[].verbs[], '*') }}"
- key: "{{ contains(to_array(request.object.rules[].verbs[]), '*') }}"
operator: Equals
value: true
value: true
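Review bot: The reason for wrapping the projection in `to_array()` on the new `key:` line is not recorded in the rule, so a later cleanup could drop it and reintroduce the evaluation error on Roles whose `rules` is null or omitted; add a comment above the condition such as `# to_array() keeps contains() from failing when rules is null/omitted, where the projection yields null instead of a list`. The check still inspects only `verbs`, so a rule that lists every verb by name, or uses `'*'` in `apiGroups`/`resources`, is not flagged here — presumably left to other policies, which is worth stating in the policy description. Aggregated ClusterRoles have their `rules` populated by the controller after creation, so if the rule's `match` block also covers UPDATE requests it may fire on controller writes; whether it does depends on that block, which starts outside this hunk. The enclosing `spec` begins before the hunk.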
