hoffmanm-PLATFORM-2176-permit-stakater-reloads

bf0a76bc · Morgan Hoffman · 73da2b95 · bf0a76bc · bf0a76bc · bf0a76bc
Commit bf0a76bc authored 11 months ago by Morgan Hoffman
--- a/rego/allow_rollout_restart_deployment/policy.rego
+++ b/rego/allow_rollout_restart_deployment/policy.rego
 package allow_rollout_restart

-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
    flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
    not input.review.userInfo.username == flux_username
    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")

--- a/rego/allow_rollout_restart_deployment/policy_test.rego
+++ b/rego/allow_rollout_restart_deployment/policy_test.rego
@@ -27,6 +27,15 @@ test_with_deployment_and_incorrect_annotation_with_flux {
  count(results) == 0
 }

+test_with_deployment_and_incorrect_annotation_with_stakater {
+  input := review_deployment_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+  results := violation
+    with input as input
+
+  count(results) == 0
+}
+
 test_with_deployment_and_incorrect_annotation_with_platform_admin_group {
  input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")


--- a/rego/allow_rollout_restart_statefulset/policy.rego
+++ b/rego/allow_rollout_restart_statefulset/policy.rego
 package allow_rollout_restart

-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not local flux, not the stakater-reloader, and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
    flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
    not input.review.userInfo.username == flux_username
    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")

--- a/rego/allow_rollout_restart_statefulset/policy_test.rego
+++ b/rego/allow_rollout_restart_statefulset/policy_test.rego
@@ -27,6 +27,15 @@ test_with_statefulset_and_incorrect_annotation_with_flux {
  count(results) == 0
 }

+test_with_statefulset_and_incorrect_annotation_with_stakater {
+  input := review_statefulset_patch_existing("wrongAnnotation","wrong",""system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+  results := violation
+    with input as input
+
+  count(results) == 0
+}
+
 test_with_statefulset_and_incorrect_annotation_with_platform_admin_group {
  input := review_statefulset_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")