From 35077ae21be181037668cf9dfe3a3d2025556a82 Mon Sep 17 00:00:00 2001
From: Morgan Hoffman <hoffmanm@vt.edu>
Date: Wed, 13 Dec 2023 21:18:38 +0000
Subject: [PATCH] PLATFORM-2126-roll-restart

---
 rego/allow_rollout_restart/policy.rego      | 17 ++++--
 rego/allow_rollout_restart/policy_test.rego | 60 ++++++++++++++-------
 2 files changed, 54 insertions(+), 23 deletions(-)

diff --git a/rego/allow_rollout_restart/policy.rego b/rego/allow_rollout_restart/policy.rego
index 7bbafca..74e505f 100644
--- a/rego/allow_rollout_restart/policy.rego
+++ b/rego/allow_rollout_restart/policy.rego
@@ -1,13 +1,20 @@
 package allow_rollout_restart
 
-
+# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
     not input.review.userInfo.username == "flux"
+    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
     input.review.kind.kind == "Deployment"
-	input.review.operation == "PATCH"
-    new_annotations := json.remove(input.review.object,["metadata/annotations/kubectl.kubernetes.io.restartedAt"])
-    old_annotations := json.remove(input.review.oldObject,["metadata/annotations/kubectl.kubernetes.io.restartedAt"]) 
+    input.review.operation == "UPDATE"
+    new_annotations := json.remove(input.review.object,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
+    old_patched_annotations := json.patch(input.review.oldObject,[{"op": "add", "path": "spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt", "value": 3}])
+    old_annotations := json.remove(old_patched_annotations,["spec/template/metadata/annotations/kubectl.kubernetes.io~1restartedAt","metadata/generation","metadata/managedFields"])
     old_annotations != new_annotations
-	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. Used '%v'", [input.review.object.metadata.annotations] )
+	msg := sprintf("Only patch to annotation kubectl.kubernetes.io.restartedAt is allowed. ",[])
+
 }
 
+
+contains(grouparray,testgroup) {
+    grouparray[_] = testgroup
+}
\ No newline at end of file
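Review bot: The `json.patch` `add` on the `old_patched_annotations` line requires `spec.template.metadata.annotations` to already exist on `oldObject`; for a Deployment whose pod template has never carried annotations (the usual case for a first `rollout restart`) the builtin is, as far as I can tell, undefined, which makes the whole rule body undefined, so no violation is produced and any other change bundled into that UPDATE is admitted — the rule fails open. One way to close that is to create the parent first, roughly `old_with_annotations := json.patch(input.review.oldObject, [{"op": "add", "path": "spec/template/metadata/annotations", "value": object.get(input.review.oldObject, ["spec", "template", "metadata", "annotations"], {})}])` and patch that instead of `input.review.oldObject`. Separately, the helper at the bottom of the hunk takes the name of the `contains` string built-in, and under `rego.v1`/`future.keywords.contains` that name is a keyword and will most likely not parse; `is_admin { input.review.userInfo.groups[_] == "oidc:it.platform.roles.admin" }` with `not is_admin` in the rule body avoids both issues. The message on the `msg :=` line still says `kubectl.kubernetes.io.restartedAt` (with a dot, and an empty `sprintf` argument list) while the pointers above target `kubectl.kubernetes.io~1restartedAt`, i.e. `kubectl.kubernetes.io/restartedAt`; `msg := "Only patch to annotation kubectl.kubernetes.io/restartedAt is allowed."` would match the code.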
diff --git a/rego/allow_rollout_restart/policy_test.rego b/rego/allow_rollout_restart/policy_test.rego
index 528df95..ba82538 100644
--- a/rego/allow_rollout_restart/policy_test.rego
+++ b/rego/allow_rollout_restart/policy_test.rego
@@ -65,17 +65,25 @@ review_deployment_patch_extra_annotations(annotationname,annotationvalue,usernam
         "kind": "Deployment"
       },
       "object": {
-        "metadata": {
-            "annotations": {
-                "dreaded_gazebo": "indeed",
-                annotationname: annotationvalue
+        "spec": {
+          "template: {
+            "metadata": {
+              "annotations": {
+                  "dreaded_gazebo": "indeed",
+                  annotationname: annotationvalue
+              }
             }
+          }
         }
       },
       "oldObject": {
-        "metadata": {
-          "annotations": {
-            "kubectl.kubernetes.io.restartedAt": previousrestarted
+        "spec": {
+          "template: {
+            "metadata": {
+              "annotations": {
+                "kubectl.kubernetes.io.restartedAt": previousrestarted
+              }
+            } 
           }
         }
       }
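Review bot: The `"template: {` lines in both the `object` and `oldObject` fixtures are missing the closing quote on the key, so this file will not parse and every test in it fails; both should read `"template": {` as the later hunks already do. The fixtures also still key the annotation as `kubectl.kubernetes.io.restartedAt` (here and in the next hunk), whereas the policy removes and patches `kubectl.kubernetes.io~1restartedAt`, i.e. `kubectl.kubernetes.io/restartedAt`, so the normalisation path is not actually exercised by this data. The enclosing `review_deployment_patch_extra_annotations` function starts before this hunk.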
@@ -94,16 +102,24 @@ review_deployment_patch_existing(annotationname,annotationvalue,username,previou
         "kind": "Deployment"
       },
       "object": {
-        "metadata": {
-            "annotations": {
-                annotationname: annotationvalue
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {
+                  annotationname: annotationvalue
+              }
             }
+          }
         }
       },
       "oldObject": {
-        "metadata": {
-          "annotations": {
-            "kubectl.kubernetes.io.restartedAt": previousrestarted
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {
+                "kubectl.kubernetes.io.restartedAt": previousrestarted
+              }
+            }
           }
         }
       }
@@ -122,15 +138,23 @@ review_deployment_patch_absent(annotationname,annotationvalue,username) = out {
         "kind": "Deployment"
       },
       "oldObject": {
-        "metadata": {
-            "annotations": {}
+        "spec": {
+          "template": {
+            "metadata": {
+              "annotations": {}
+            }
+          }
         }
       }, 
       "object": {
-        "metadata": {
-            "annotations": {
-                annotationname: annotationvalue
+        "spec": {
+          "template": {
+            "metadata": {
+                "annotations": {
+                    annotationname: annotationvalue
+                }
             }
+          }
         }
       }
     }
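Review bot: `review_deployment_patch_absent` gives the old object an empty `annotations: {}` map, which is the only fixture close to the first-restart scenario, yet a Deployment whose `spec.template.metadata` has no `annotations` key at all is not covered; since the policy's `json.patch` `add` needs that parent to exist, that is exactly the input where the rule's behaviour is least certain. A sibling fixture with `"metadata": {}` in `oldObject` (and the same `object`) would pin down whether the policy denies, allows, or becomes undefined there. The enclosing function starts before this hunk.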
-- 
GitLab