This repository has been archived by the owner on Jun 6, 2024. It is now read-only.
fix: update name rule logic to ignore incorrect kinds (#957)
* fix: update name rule logic to ignore incorrect kinds
hadar-co authored Jul 12, 2023
1 parent 6ec89d2 commit c9b7710
Showing 5 changed files with 92 additions and 22 deletions.
64 changes: 42 additions & 22 deletions pkg/defaultRules/defaultRules.yaml
Expand Up @@ -1861,28 +1861,48 @@ rules:
impact: Configurations with a missing or invalid name will pass k8s schema validation, but will fail when pushed into a cluster (i.e. when running kubectl apply/create)
schema:
definitions:
metadataNamePattern:
properties:
metadata:
type: object
properties:
name:
type: string
format: hostname
required:
- name
required:
- metadata
metadataGenerateNamePattern:
strictNamesPattern:
if:
properties:
kind:
not:
enum:
- ClusterRole
- ClusterRoleBinding
then:
properties:
metadata:
type: object
anyOf:
- properties:
name:
type: string
format: hostname
required:
- name
- properties:
generateName:
type: string
format: hostname
required:
- generateName
required:
- metadata
nonStrictNamesPattern:
properties:
metadata:
type: object
properties:
generateName:
type: string
format: hostname
required:
- generateName
anyOf:
- properties:
name:
type: string
required:
- name
- properties:
generateName:
type: string
required:
- generateName
required:
- metadata
if:
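Review bot: the exemption in `strictNamesPattern` is written as `if: properties: kind: not: enum: [ClusterRole, ClusterRoleBinding]` with a `then` and no `else`, so an exempted kind satisfies this definition vacuously and is constrained only by `nonStrictNamesPattern`. That works, but the two definitions now repeat the same `metadata`/`anyOf` skeleton with `format: hostname` as the only difference; one definition using `if`/`then`/`else` (hostname-checked branch in `then`, string-only branch in `else`) would state the exemption once and drop the duplication. Two things to confirm while here: that the validator enforces `format` as an assertion (several JSON Schema implementations treat `format` as annotation-only unless it is switched on, in which case the strict pattern rejects nothing), and whether the namespaced `Role`/`RoleBinding` kinds, whose names are validated upstream with the same path-segment rules as their cluster-scoped counterparts, belong in the exemption list too, with a YAML comment explaining why these kinds may carry names such as `system:secret-reader`.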
Expand All @@ -1892,9 +1912,9 @@ rules:
enum:
- Kustomization
then:
anyOf:
- $ref: "#/definitions/metadataNamePattern"
- $ref: "#/definitions/metadataGenerateNamePattern"
allOf:
- $ref: "#/definitions/strictNamesPattern"
- $ref: "#/definitions/nonStrictNamesPattern"
- id: 55
name: Ensure each container probe has an initial delay configured
uniqueName: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE
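Review bot: `allOf` is the right combinator here, since `strictNamesPattern` is conditional and `nonStrictNamesPattern` must always hold, but the kind-based exemptions are now split across two levels: Kustomization at this top-level `if`, ClusterRole/ClusterRoleBinding inside `strictNamesPattern`. A reader has to follow both `$ref`s to learn which kinds skip which check; a short comment beside the `allOf` listing both exemptions, or hoisting the RBAC kinds into the same `if` as Kustomization, would make the rule self-documenting. The commit message also never says why ClusterRole/ClusterRoleBinding are relaxed; the new pass fixture `system:secret-reader` implies colon-separated names are the reason, and that rationale belongs in the message or a comment rather than being inferred from a test file.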
20 changes: 20 additions & 0 deletions pkg/policy/tests/54/fail/54-fail-2.yaml
@@ -0,0 +1,20 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: invalid:format
spec:
selector:
matchLabels:
app: frontend-deployment
template:
metadata:
labels:
app: frontend-deployment
spec:
containers:
- name: app
image: foo/bar:latest
ports:
- name: http
containerPort: 8080
protocol: TCP
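Review bot: this is the right boundary test, a Deployment named `invalid:format` must still be rejected because only ClusterRole/ClusterRoleBinding are exempted from `format: hostname`. The `spec` block (selector, template, container ports) plays no part in the name check; trimming it to the minimum the schema accepts keeps the fixture failing for exactly one reason, so a later change elsewhere cannot silently turn it into a fail for something other than the name.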
12 changes: 12 additions & 0 deletions pkg/policy/tests/54/pass/54-pass-2.yaml
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: system:secret-reader
rules:
- apiGroups: [""]
#
# at the HTTP level, the name of the resource for accessing Secret
# objects is "secrets"
resources: ["secrets"]
verbs: ["get", "watch", "list"]
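Review bot: this fixture is the upstream RBAC documentation example copied verbatim, including the empty `#` line and the comment about the HTTP resource name, none of which matters to a name-validation test; reduce it to `apiVersion`, `kind` and `metadata.name` (plus `rules: []` if the schema requires it). The exempt path also has no negative test: a ClusterRole with `metadata.name` missing, or set to a non-string, should still be rejected by `nonStrictNamesPattern`, and nothing in this commit exercises that branch, so a `fail` counterpart is worth adding.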
6 changes: 6 additions & 0 deletions pkg/policy/tests/54/pass/54-pass-3.yaml
@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- service.yaml
- deployment.yaml
- hpa.yaml
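Review bot: this Kustomization fixture has no `metadata` at all, so it exercises the pre-existing top-level `if` that skips the rule for `kind: Kustomization`, not anything changed in this commit. It is fine as a regression check, but a one-line comment saying that is what it guards would stop someone from "fixing" it later by adding a name.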
12 changes: 12 additions & 0 deletions pkg/policy/tests/54/pass/54-pass-4.yaml
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: valid:name
rules:
- apiGroups: [""]
#
# at the HTTP level, the name of the resource for accessing Secret
# objects is "secrets"
resources: ["secrets"]
verbs: ["get", "watch", "list"]
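Review bot: `54-pass-4.yaml` differs from `54-pass-2.yaml` only in the name (`valid:name` versus `system:secret-reader`), so it covers no additional branch of the schema. `ClusterRoleBinding` is the other exempted kind and has no fixture, and neither exempt kind is tested with `generateName`; turning this file into a `ClusterRoleBinding` case, or a `generateName` case, would cover the schema as written instead of repeating a pass that already exists.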