From bf0a76bcb5404d5694a50822f129eb16b9ec7263 Mon Sep 17 00:00:00 2001
From: Morgan Hoffman <hoffmanm@vt.edu>
Date: Tue, 9 Apr 2024 20:24:38 +0000
Subject: [PATCH] hoffmanm-PLATFORM-2176-permit-stakater-reloads

---
 rego/allow_rollout_restart_deployment/policy.rego       | 3 ++-
 rego/allow_rollout_restart_deployment/policy_test.rego  | 9 +++++++++
 rego/allow_rollout_restart_statefulset/policy.rego      | 3 ++-
 rego/allow_rollout_restart_statefulset/policy_test.rego | 9 +++++++++
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/rego/allow_rollout_restart_deployment/policy.rego b/rego/allow_rollout_restart_deployment/policy.rego
index 83f4ccd..ddfa5e5 100644
--- a/rego/allow_rollout_restart_deployment/policy.rego
+++ b/rego/allow_rollout_restart_deployment/policy.rego
@@ -1,7 +1,8 @@
 package allow_rollout_restart
 
-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
     flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
     not input.review.userInfo.username == flux_username
     not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
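Review bot: The added exemption on the first line of the rule body is a single hard-coded service-account name, while the flux exemption two lines below is derived from `input.review.namespace`; the same literal is repeated verbatim in the statefulset policy (the hunk at `rego/allow_rollout_restart_statefulset/policy.rego`), so a future rename of the reloader namespace or account must be fixed in two places or one policy silently stays open. Hoist it to a package-level value, `stakater_reloader_username := "system:serviceaccount:platform-stakater-reloader:stakater-reloader"`, and reference it as `not input.review.userInfo.username == stakater_reloader_username` in both policies; keep the `not ... ==` form rather than `!=`, since it fails closed (still reports the violation) when `userInfo.username` is absent from the review. A short comment above the constant naming which cluster component owns that account would let a reviewer verify the bypass is still warranted. The `violation` rule body continues past the end of this hunk.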
diff --git a/rego/allow_rollout_restart_deployment/policy_test.rego b/rego/allow_rollout_restart_deployment/policy_test.rego
index 74ef125..9416bbf 100644
--- a/rego/allow_rollout_restart_deployment/policy_test.rego
+++ b/rego/allow_rollout_restart_deployment/policy_test.rego
@@ -27,6 +27,15 @@ test_with_deployment_and_incorrect_annotation_with_flux {
   count(results) == 0
 }
 
+test_with_deployment_and_incorrect_annotation_with_stakater {
+  input := review_deployment_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+  results := violation
+    with input as input
+
+  count(results) == 0
+}
+
 test_with_deployment_and_incorrect_annotation_with_platform_admin_group {
   input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")
 
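Review bot: The new test only pins the allow path for the exact reloader username; nothing asserts that a near-match is still denied, which is the property this username-keyed exemption relies on. Add a sibling deny test that passes a constructed lookalike such as `"system:serviceaccount:some-other-ns:stakater-reloader"` (sample value) with `"randomgroup"` and checks that `violation` is non-empty, using whatever count the existing deny tests in this file assert (they are outside the hunk, as is the `review_deployment_patch_existing` helper). The same gap applies to the statefulset test hunk at `rego/allow_rollout_restart_statefulset/policy_test.rego`.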
diff --git a/rego/allow_rollout_restart_statefulset/policy.rego b/rego/allow_rollout_restart_statefulset/policy.rego
index b5bec76..c9888c0 100644
--- a/rego/allow_rollout_restart_statefulset/policy.rego
+++ b/rego/allow_rollout_restart_statefulset/policy.rego
@@ -1,7 +1,8 @@
 package allow_rollout_restart
 
-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not local flux, not the stakater-reloader, and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
     flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
     not input.review.userInfo.username == flux_username
     not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
diff --git a/rego/allow_rollout_restart_statefulset/policy_test.rego b/rego/allow_rollout_restart_statefulset/policy_test.rego
index 3f52e3c..2f7e1a2 100644
--- a/rego/allow_rollout_restart_statefulset/policy_test.rego
+++ b/rego/allow_rollout_restart_statefulset/policy_test.rego
@@ -27,6 +27,15 @@ test_with_statefulset_and_incorrect_annotation_with_flux {
   count(results) == 0
 }
 
+test_with_statefulset_and_incorrect_annotation_with_stakater {
+  input := review_statefulset_patch_existing("wrongAnnotation","wrong",""system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+  results := violation
+    with input as input
+
+  count(results) == 0
+}
+
 test_with_statefulset_and_incorrect_annotation_with_platform_admin_group {
   input := review_statefulset_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")
 
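Review bot: The third argument on the `input :=` line of the new test has a doubled opening quote (`"wrong",""system:serviceaccount:...`), which will not parse and will fail the whole test file rather than just this case. The line should read `input := review_statefulset_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")`, matching the deployment test in this patch. Running `opa test` on the statefulset directory before merging would have caught this.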
-- 
GitLab