diff --git a/rego/allow_rollout_restart_deployment/policy.rego b/rego/allow_rollout_restart_deployment/policy.rego
index 83f4ccd079449c215824df7244b52d63bf48f870..6acd89dd7ed16660f3ee4771c79847f6ed80b8db 100644
--- a/rego/allow_rollout_restart_deployment/policy.rego
+++ b/rego/allow_rollout_restart_deployment/policy.rego
@@ -1,7 +1,8 @@
-package allow_rollout_restart
+package allow_rollout_restart_deployment
 
-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
     flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
     not input.review.userInfo.username == flux_username
     not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
diff --git a/rego/allow_rollout_restart_deployment/policy_test.rego b/rego/allow_rollout_restart_deployment/policy_test.rego
index 74ef125e94cf3418af2e28cada5df7aaaa78b198..b347d6970658cc374422e6dbdaa72a6c9ca87b92 100644
--- a/rego/allow_rollout_restart_deployment/policy_test.rego
+++ b/rego/allow_rollout_restart_deployment/policy_test.rego
@@ -1,4 +1,4 @@
-package allow_rollout_restart
+package allow_rollout_restart_deployment
 
 test_with_deployment_and_correct_annotation {
     input := review_deployment_patch_existing("kubectl.kubernetes.io/restartedAt","14oclock","randomuser","randomgroup","13oclock")
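Review bot: The added `not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"` line is a blanket exemption: once the username matches, the whole `violation` body fails, so this service account may make any UPDATE to any Deployment in any namespace, not only the restart-annotation change the policy otherwise permits. That puts the reloader's RBAC, and anyone able to impersonate it or obtain its token, inside this policy's trust boundary, which is worth stating above the line, e.g. `# Cluster-wide bypass: stakater-reloader is trusted to UPDATE any Deployment; its RBAC/token is the effective control here`. If the reloader only ever writes a known key on the pod template, allowing just that key would be tighter than a full bypass, though I cannot see the remaining checks of the rule from this hunk. Keep the `not ... ==` form rather than `!=`: if `userInfo.username` is absent from the review, `not` still succeeds and the rule keeps evaluating, whereas `!=` would leave the rule undefined and fail open. The `violation` body continues past the end of this hunk.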
@@ -27,6 +27,15 @@ test_with_deployment_and_incorrect_annotation_with_flux {
     count(results) == 0
 }
 
+test_with_deployment_and_incorrect_annotation_with_stakater {
+    input := review_deployment_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+    results := violation
+        with input as input
+
+    count(results) == 0
+}
+
 test_with_deployment_and_incorrect_annotation_with_platform_admin_group {
     input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")
 
diff --git a/rego/allow_rollout_restart_statefulset/policy.rego b/rego/allow_rollout_restart_statefulset/policy.rego
index b5bec76de2c06930626d9415987fe136a3e7ad40..122f143d21b0425835f6f4958798164267d6515b 100644
--- a/rego/allow_rollout_restart_statefulset/policy.rego
+++ b/rego/allow_rollout_restart_statefulset/policy.rego
@@ -1,7 +1,8 @@
-package allow_rollout_restart
+package allow_rollout_restart_statefulset
 
-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not local flux, not the stakater-reloader, and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
     flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
     not input.review.userInfo.username == flux_username
     not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
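Review bot: The new `test_with_deployment_and_incorrect_annotation_with_stakater` only proves that the exact service-account string is exempted; there is no test that a near-miss identity is still denied, which is the case that would catch a future loosening of the match (a `startswith`/`contains` refactor, or a namespace typo). Add a sibling test that uses the same SA name in another namespace, e.g. `"system:serviceaccount:other-ns:stakater-reloader"`, with the same wrong annotation and assert `count(results) == 1`. `review_deployment_patch_existing` is defined outside this hunk; I am reading its third argument as the username, as the existing tests suggest.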
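Review bot: The exempted identity on the added `not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"` line is now a literal duplicated byte-for-byte between the Deployment and StatefulSet policies, so a rename of the reloader namespace or SA has to be made in two places, and a miss silently leaves one workload type either broken for the reloader or still exempt for a stale identity. Consider sourcing the value from one place (a `data.*` entry or a constraint parameter) and referencing it from both rules. Either way the line deserves a why-comment, e.g. `# stakater-reloader rolls workloads across namespaces; trusted to UPDATE StatefulSets without the restart-annotation check`. The `violation` body continues past the end of this hunk.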
diff --git a/rego/allow_rollout_restart_statefulset/policy_test.rego b/rego/allow_rollout_restart_statefulset/policy_test.rego
index 3f52e3ce3e03e0571b517ec06908f8898f1962e8..00365c9521aec50458215f6eff5975462532bc0e 100644
--- a/rego/allow_rollout_restart_statefulset/policy_test.rego
+++ b/rego/allow_rollout_restart_statefulset/policy_test.rego
@@ -1,4 +1,4 @@
-package allow_rollout_restart
+package allow_rollout_restart_statefulset
 
 test_with_statefulset_and_correct_annotation {
     input := review_statefulset_patch_existing("kubectl.kubernetes.io/restartedAt","14oclock","randomuser","randomgroup","13oclock")
@@ -27,6 +27,15 @@ test_with_statefulset_and_incorrect_annotation_with_flux {
     count(results) == 0
 }
 
+test_with_statefulset_and_incorrect_annotation_with_stakater {
+    input := review_statefulset_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+    results := violation
+        with input as input
+
+    count(results) == 0
+}
+
 test_with_statefulset_and_incorrect_annotation_with_platform_admin_group {
     input := review_statefulset_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")
 
diff --git a/rego/authorizeddomainpolicy/policy_test.rego b/rego/authorizeddomainpolicy/policy_test.rego
index a8a7899712c4fffac3b454e17378ae8f2bb971a7..c3cd92d524b29b6975e7c04dcf23f6b5bf398669 100644
--- a/rego/authorizeddomainpolicy/policy_test.rego
+++ b/rego/authorizeddomainpolicy/policy_test.rego
@@ -352,7 +352,7 @@ review_ingress_route_tcp(matchRule) = out {
         },
         "object": {
             "kind": "IngressRouteTCP",
-            "apiVersion": "traefik.containo.us/v1alpha1",
+            "apiVersion": "traefik.io/v1alpha1",
             "metadata": {
                 "name": "my-ingress",
             },
@@ -374,7 +374,7 @@ review_ingress_route(matchRule) = out {
         },
         "object": {
             "kind": "IngressRoute",
-            "apiVersion": "traefik.containo.us/v1alpha1",
+            "apiVersion": "traefik.io/v1alpha1",
             "metadata": {
                 "name": "my-ingress",
             },
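Review bot: `test_with_statefulset_and_incorrect_annotation_with_stakater` covers only the allow path for the exact reloader identity, so a loosened or mistyped match in the policy would still pass the suite. Add the deny-path counterpart: the same call with a lookalike such as `"system:serviceaccount:platform-stakater-reloader:stakater-reloader-x"` (or the SA name under a different namespace) and `count(results) == 1`. `review_statefulset_patch_existing` is defined outside this hunk; I am reading its third argument as the username from the surrounding tests.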
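Review bot: Switching both fixtures to `"apiVersion": "traefik.io/v1alpha1"` removes the only coverage of the `traefik.containo.us/v1alpha1` group; if the policy or its constraint match keys on the API group and the cluster still serves the legacy CRDs, IngressRoute/IngressRouteTCP objects created under the old group are now untested here. Keep one fixture per group while both are served, or record the decision at the fixture, e.g. `# legacy traefik.containo.us group is no longer served; only traefik.io is validated`. The policy body is not in this diff, so this is an inferred gap rather than a confirmed one.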