

Fix handling of core apiGroup in audit and evaluation (#4)
Co-authored-by: Sebastian Woehrl <[email protected]>
(cherry picked from commit 8f0dd27)
lieberlois authored and swoehrl-mw committed Feb 7, 2023
1 parent ee5ac65 commit f193a20
Showing 5 changed files with 7 additions and 21 deletions.
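--- a/src/audit.rs
+++ b/src/audit.rs
@@ -4,7 +4,6 @@ use crate::manager::Manager;
 use crate::policy::{load_policies_from_file, PolicyInfo, PolicyStore, PolicyStoreRef};
 use crate::util::error::{kube_err, load_err, BridgekeeperError, Result};
 use crate::util::k8s::{list_with_retry, patch_status_with_retry, namespaces, find_k8s_resource_matches, gen_target_identifier};
-use crate::util::defaults::api_group_or_default;
 use argh::FromArgs;
 use k8s_openapi::chrono::{DateTime, Utc};
 use kube::{
@@ -143,10 +142,7 @@ impl Auditor {
 let namespaces = namespaces(self.k8s_client.clone()).await?;
 let mut matched_resources: Vec<(KubeApiResource, bool)> = Vec::new();
 for target_match in policy.policy.target.matches.iter() {
-// Default to "core" if apiGroup is set to ""
-let api_group = api_group_or_default(target_match.api_group.as_str());
-
-let mut result = find_k8s_resource_matches(api_group, &target_match.kind, &self.k8s_client).await?;
+let mut result = find_k8s_resource_matches(&target_match.api_group, &target_match.kind, &self.k8s_client).await?;
 matched_resources.append(&mut result);
 }
 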
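Review bot: The deleted comment on the old `let api_group = ...` line was the only place stating what an empty apiGroup means, and the new call `find_k8s_resource_matches(&target_match.api_group, &target_match.kind, &self.k8s_client)` now forwards "" verbatim without saying why that is correct. Add above the call: `// An empty apiGroup denotes the core group and is passed through unchanged; the k8s helpers key core resources on "", so the former "core" default never matched them` — the last clause is my reading of the commit title and should be confirmed against find_k8s_resource_matches. The same comment is missing at `let api_group = kind.api_group.as_str();` in src/policy.rs, where the consequence of a mismatch is a policy that silently does not apply. The enclosing method of impl Auditor starts and ends outside the hunk.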
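--- a/src/policy.rs
+++ b/src/policy.rs
@@ -1,6 +1,5 @@
 use crate::crd::{Policy, PolicySpec};
 use crate::util::error::{load_err, Result};
-use crate::util::defaults::api_group_or_default;
 use k8s_openapi::api::core::v1::ObjectReference as KubeObjectReference;
 use kube::api::GroupVersionKind;
 use kube::core::Resource;
@@ -78,8 +77,7 @@ impl PolicyInfo {
 
 pub fn is_match(&self, gvk: &GroupVersionKind, namespace: &Option<String>) -> bool {
 for kind in self.policy.target.matches.iter() {
-// Default to "core" if apiGroup is set to ""
-let api_group = api_group_or_default(kind.api_group.as_str());
+let api_group = kind.api_group.as_str();
 
 if (api_group == "*" || api_group.to_lowercase() == gvk.group.to_lowercase())
 && (kind.kind == "*" || kind.kind.to_lowercase() == gvk.kind.to_lowercase())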
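Review bot: The comparison `api_group.to_lowercase() == gvk.group.to_lowercase()` on the line after the changed `let api_group = kind.api_group.as_str();` allocates two Strings per target match on every evaluation, and the kind comparison on the next line does the same; `api_group.eq_ignore_ascii_case(&gvk.group)` and `kind.kind.eq_ignore_ascii_case(&gvk.kind)` compare in place, which should be equivalent here since Kubernetes group and kind names are ASCII identifiers (confirm before switching, as to_lowercase is Unicode-aware). Because is_match decides whether a policy applies at all, the "" case deserves a comment on the changed line: `// "" is the core group and must compare equal to gvk.group, which is also "" for core resources`. is_match's body continues outside the hunk.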
8 changes: 0 additions & 8 deletions src/util/defaults.rs

This file was deleted.

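--- a/src/util/k8s.rs
+++ b/src/util/k8s.rs
@@ -89,7 +89,7 @@ pub async fn find_k8s_resource_matches(
 && !resource.name.contains('/')
 {
 matched_resources.push((
-gen_resource_description(None, resource),
+gen_resource_description(None, resource, Some(version.clone())),
 resource.namespaced,
 ));
 }
@@ -119,7 +119,7 @@ pub async fn find_k8s_resource_matches(
 && !resource.name.contains('/')
 {
 matched_resources.push((
-gen_resource_description(Some(group), resource),
+gen_resource_description(Some(group), resource, None),
 resource.namespaced,
 ));
 }
@@ -133,6 +133,7 @@ pub async fn find_k8s_resource_matches(
 pub fn gen_resource_description(
 api_group: Option<&APIGroup>,
 api_resource: &APIResource,
+version: Option<String>,
 ) -> KubeApiResource {
 let gvk = GroupVersionKind {
 group: match api_group {
@@ -147,7 +148,7 @@ pub fn gen_resource_description(
 .expect("API Server always has a preferred_version")
 .version
 }
-None => String::from(""),
+None => version.unwrap_or_default(),
 },
 kind: api_resource.kind.clone(),
 };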
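Review bot: The new `version: Option<String>` parameter of gen_resource_description is only read in the `None => version.unwrap_or_default(),` arm, so calling with `api_group: None` and `version: None` silently yields a GroupVersionKind with an empty version, while `Some(group)` plus `Some(version)` ignores the version entirely; the two call sites in @@ -89 and @@ -119 happen to use the valid combinations, but nothing in the signature enforces that. At minimum document the coupling on the parameter: `/// Version recorded for core-group resources (api_group == None); ignored when api_group is Some.` Declaring it as `version: Option<&str>` and using `.map(str::to_owned).unwrap_or_default()` in the arm would also spare the `version.clone()` at the first call site. The enclosing match and function of the `None =>` arm continue outside the hunk.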
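--- a/src/util/mod.rs
+++ b/src/util/mod.rs
@@ -1,5 +1,4 @@
 pub mod cert;
 pub mod error;
 pub mod k8s;
-pub mod webhook;
-pub mod defaults;
+pub mod webhook;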

