Skip to content

Commit

Permalink
Fix setting manifest overrides correctly
Browse files Browse the repository at this point in the history
Since the manifest configuration wasn't being set
when consolidateManifests was true, it wasn't
being propagated to things like expanded policies
and policy template manifests provided directly.
This fixes it to set manifest configurations and
then compare manifest and policy configurations
to make sure they match when consolidateManifests
is true.

ref: https://issues.redhat.com/browse/ACM-9131
Signed-off-by: Dale Haiducek <[email protected]>
  • Loading branch information
dhaiducek committed Dec 18, 2023
1 parent 868658a commit 6f98d4f
Show file tree
Hide file tree
Showing 3 changed files with 178 additions and 18 deletions.
27 changes: 27 additions & 0 deletions internal/ordering_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -667,6 +667,33 @@ policies:
wantFile: "testdata/ordering/manifest-extradeps-configpolicy.yaml",
wantErr: "",
},
"manifest extraDependencies are handled with ConfigurationPolicy manifests when defaults are set": {
tmpDir: tmpDir,
generator: `
apiVersion: policy.open-cluster-management.io/v1
kind: PolicyGenerator
metadata:
name: test
policyDefaults:
namespace: my-policies
placement:
clusterSelector:
matchExpressions: []
extraDependencies:
- kind: IamPolicy
name: manifestextra
policies:
- name: one
manifests:
- path: {{printf "%v/%v" .Dir "configpolicy.yaml"}}
- path: {{printf "%v/%v" .Dir "configmap.yaml"}}
- name: two
manifests:
- path: {{printf "%v/%v" .Dir "configmap.yaml"}}
`,
wantFile: "testdata/ordering/manifest-extradeps-configpolicy-defaults.yaml",
wantErr: "",
},
"extraDependencies defaults can be overwritten": {
tmpDir: tmpDir,
generator: `
Expand Down
29 changes: 11 additions & 18 deletions internal/plugin.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"fmt"
"os"
"path/filepath"
"reflect"
"sort"
"strings"
"time"
Expand Down Expand Up @@ -673,6 +674,8 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
for j := range policy.Manifests {
manifest := &policy.Manifests[j]

// Only use the policy's ConfigurationPolicyOptions values when they're not explicitly set in
// the manifest.
if manifest.ComplianceType == "" {
manifest.ComplianceType = policy.ComplianceType
}
Expand All @@ -681,13 +684,6 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
manifest.MetadataComplianceType = policy.MetadataComplianceType
}

// If the manifests are consolidated to a single ConfigurationPolicy object, don't set
// ConfigurationPolicy options per manifest.
if policy.ConsolidateManifests {
continue
}

// Only use the policy's ConfigurationPolicyOptions values when they're not explicitly set in the manifest.
if manifest.EvaluationInterval.Compliant == "" {
set := isEvaluationIntervalSetManifest(unmarshaledConfig, i, j, "compliant")
if !set {
Expand Down Expand Up @@ -1008,41 +1004,38 @@ func (p *Plugin) assertValidConfig() error {

evalInterval := manifest.EvaluationInterval

// Verify that consolidated manifests don't specify fields
// that can't be overridden at the objectTemplate level
// Verify that consolidated manifests fields match that of the policy configuration.
if policy.ConsolidateManifests {
errorMsgFmt := fmt.Sprintf(
"the policy %s has the %%s value set on manifest[%d] but consolidateManifests is true",
policy.Name, j,
)

if evalInterval.Compliant != "" || evalInterval.NonCompliant != "" {
if !reflect.DeepEqual(evalInterval, policy.EvaluationInterval) {
return fmt.Errorf(errorMsgFmt, "evaluationInterval")
}

selector := manifest.NamespaceSelector
if selector.Exclude != nil || selector.Include != nil ||
selector.MatchLabels != nil || selector.MatchExpressions != nil {
if !reflect.DeepEqual(manifest.NamespaceSelector, policy.NamespaceSelector) {
return fmt.Errorf(errorMsgFmt, "namespaceSelector")
}

if manifest.PruneObjectBehavior != "" {
if manifest.PruneObjectBehavior != policy.PruneObjectBehavior {
return fmt.Errorf(errorMsgFmt, "pruneObjectBehavior")
}

if manifest.RemediationAction != "" {
if manifest.RemediationAction != policy.RemediationAction {
return fmt.Errorf(errorMsgFmt, "remediationAction")
}

if manifest.Severity != "" {
if manifest.Severity != policy.Severity {
return fmt.Errorf(errorMsgFmt, "severity")
}

if len(manifest.ExtraDependencies) != 0 {
if !reflect.DeepEqual(manifest.ExtraDependencies, policy.ExtraDependencies) {
return fmt.Errorf(errorMsgFmt, "extraDependencies")
}

if manifest.IgnorePending {
if manifest.IgnorePending != policy.IgnorePending {
return fmt.Errorf(errorMsgFmt, "ignorePending")
}
}
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,140 @@
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
annotations:
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
policy.open-cluster-management.io/standards: NIST SP 800-53
name: one
namespace: my-policies
spec:
disabled: false
policy-templates:
- extraDependencies:
- apiVersion: policy.open-cluster-management.io/v1
compliance: Compliant
kind: IamPolicy
name: manifestextra
objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: configpolicy-my-configmap
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
data:
game.properties: enemies=potato
kind: ConfigMap
metadata:
name: my-configmap
remediationAction: inform
severity: low
- extraDependencies:
- apiVersion: policy.open-cluster-management.io/v1
compliance: Compliant
kind: IamPolicy
name: manifestextra
objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: one
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
data:
game.properties: enemies=potato
kind: ConfigMap
metadata:
name: my-configmap
remediationAction: inform
severity: low
remediationAction: inform
---
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
annotations:
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
policy.open-cluster-management.io/standards: NIST SP 800-53
name: two
namespace: my-policies
spec:
disabled: false
policy-templates:
- extraDependencies:
- apiVersion: policy.open-cluster-management.io/v1
compliance: Compliant
kind: IamPolicy
name: manifestextra
objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: two
spec:
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: v1
data:
game.properties: enemies=potato
kind: ConfigMap
metadata:
name: my-configmap
remediationAction: inform
severity: low
remediationAction: inform
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-one
namespace: my-policies
spec:
clusterSelector:
matchExpressions: []
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: placement-two
namespace: my-policies
spec:
clusterSelector:
matchExpressions: []
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-one
namespace: my-policies
placementRef:
apiGroup: apps.open-cluster-management.io
kind: PlacementRule
name: placement-one
subjects:
- apiGroup: policy.open-cluster-management.io
kind: Policy
name: one
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: binding-two
namespace: my-policies
placementRef:
apiGroup: apps.open-cluster-management.io
kind: PlacementRule
name: placement-two
subjects:
- apiGroup: policy.open-cluster-management.io
kind: Policy
name: two

0 comments on commit 6f98d4f

Please sign in to comment.