From bf0a76bcb5404d5694a50822f129eb16b9ec7263 Mon Sep 17 00:00:00 2001
From: Morgan Hoffman <hoffmanm@vt.edu>
Date: Tue, 9 Apr 2024 20:24:38 +0000
Subject: [PATCH] hoffmanm-PLATFORM-2176-permit-stakater-reloads
---
 rego/allow_rollout_restart_deployment/policy.rego | 3 ++-
 rego/allow_rollout_restart_deployment/policy_test.rego | 9 +++++++++
 rego/allow_rollout_restart_statefulset/policy.rego | 3 ++-
 rego/allow_rollout_restart_statefulset/policy_test.rego | 9 +++++++++
 4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/rego/allow_rollout_restart_deployment/policy.rego b/rego/allow_rollout_restart_deployment/policy.rego
index 83f4ccd..ddfa5e5 100644
--- a/rego/allow_rollout_restart_deployment/policy.rego
+++ b/rego/allow_rollout_restart_deployment/policy.rego
@@ -1,7 +1,8 @@
 package allow_rollout_restart
-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+ not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
 flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
 not input.review.userInfo.username == flux_username
 not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
diff --git a/rego/allow_rollout_restart_deployment/policy_test.rego b/rego/allow_rollout_restart_deployment/policy_test.rego
index 74ef125..9416bbf 100644
--- a/rego/allow_rollout_restart_deployment/policy_test.rego
+++ b/rego/allow_rollout_restart_deployment/policy_test.rego
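Review bot: The new exemption line in the `violation` body hard-codes the reloader's namespace and service-account name as one literal, and the identical literal is added again in the statefulset policy (third hunk), so a rename of either part has to be tracked in two files and, with this `not ... ==` shape, a stale literal silently turns into denied reloads rather than an open policy. I would hoist it to a named rule above `violation` in each file with a comment stating the intent: `# The stakater reloader is a cluster-wide controller, so unlike flux it is exempted by one fixed service account; keep in sync with its deployment.` followed by `stakater_reloader_username := "system:serviceaccount:platform-stakater-reloader:stakater-reloader"`, and then `not input.review.userInfo.username == stakater_reloader_username` in the body. Keep the `not x == y` form rather than `x != y`: when `input.review.userInfo.username` is absent the comparison is undefined, so `not` still evaluates true and the violation fires, whereas `!=` would leave the whole rule undefined and the update would be permitted. The `violation` body continues past the end of the hunk.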
@@ -27,6 +27,15 @@ test_with_deployment_and_incorrect_annotation_with_flux {
 count(results) == 0
 }
+test_with_deployment_and_incorrect_annotation_with_stakater {
+ input := review_deployment_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+ results := violation
+ with input as input
+
+ count(results) == 0
+}
+
 test_with_deployment_and_incorrect_annotation_with_platform_admin_group {
 input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")
diff --git a/rego/allow_rollout_restart_statefulset/policy.rego b/rego/allow_rollout_restart_statefulset/policy.rego
index b5bec76..c9888c0 100644
--- a/rego/allow_rollout_restart_statefulset/policy.rego
+++ b/rego/allow_rollout_restart_statefulset/policy.rego
@@ -1,7 +1,8 @@
 package allow_rollout_restart
-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not local flux, not the stakater-reloader, and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+ not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
 flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
 not input.review.userInfo.username == flux_username
 not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")
diff --git a/rego/allow_rollout_restart_statefulset/policy_test.rego b/rego/allow_rollout_restart_statefulset/policy_test.rego
index 3f52e3c..2f7e1a2 100644
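Review bot: The added test only shows that the exact reloader service account is exempted; nothing pins that the exemption is no wider than that, so a later edit that loosened the comparison would still pass this suite. I would add a companion test whose third argument is a near-miss username and whose `count(results)` expectation mirrors the file's existing violating-user tests (presumably `> 0` or `== 1`; the helper `review_deployment_patch_existing` and those tests sit outside the hunk). The namespace in the sample below is a constructed placeholder. The same gap exists in the statefulset test file (fourth hunk).
```rego
test_with_deployment_and_incorrect_annotation_with_stakater_lookalike {
	input := review_deployment_patch_existing("wrongAnnotation","wrong","system:serviceaccount:PLACEHOLDER-other-namespace:stakater-reloader","randomgroup","13oclock")

	results := violation
		with input as input

	count(results) > 0
}
```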
--- a/rego/allow_rollout_restart_statefulset/policy_test.rego
+++ b/rego/allow_rollout_restart_statefulset/policy_test.rego
@@ -27,6 +27,15 @@ test_with_statefulset_and_incorrect_annotation_with_flux {
 count(results) == 0
 }
+test_with_statefulset_and_incorrect_annotation_with_stakater {
+ input := review_statefulset_patch_existing("wrongAnnotation","wrong",""system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+ results := violation
+ with input as input
+
+ count(results) == 0
+}
+
 test_with_statefulset_and_incorrect_annotation_with_platform_admin_group {
 input := review_statefulset_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")
-- GitLab
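Review bot: The argument list on the `input :=` line of the new test has a doubled quote, `"wrong",""system:serviceaccount:...`, which closes an empty string and leaves the rest of the username as bare tokens, so this file will not parse and the statefulset suite would fail at load time instead of verifying the exemption. The line should read `input := review_statefulset_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")`, matching the deployment test in the second hunk. Until that is fixed, the policy change in the previous hunk has no passing test on the statefulset side.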