Compare revisions

Alain Atemnkeng · Nandan Sadineni · Nandan Sadineni · Morgan Hoffman · Brandon Booker · Brandon Booker
--- a/Chart.yaml
+++ b/Chart.yaml
 apiVersion: v2
 name: constraint-templates
-version: 1.5.4
+version: 1.5.8
 appVersion: 1.0.0
--- a/rego/allow_rollout_restart_deployment/policy.rego
+++ b/rego/allow_rollout_restart_deployment/policy.rego
-package allow_rollout_restart
+package allow_rollout_restart_deployment

-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
    flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
    not input.review.userInfo.username == flux_username
    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")

--- a/rego/allow_rollout_restart_deployment/policy_test.rego
+++ b/rego/allow_rollout_restart_deployment/policy_test.rego
-package allow_rollout_restart
+package allow_rollout_restart_deployment

 test_with_deployment_and_correct_annotation {
  input := review_deployment_patch_existing("kubectl.kubernetes.io/restartedAt","14oclock","randomuser","randomgroup","13oclock")
@@ -27,6 +27,15 @@ test_with_deployment_and_incorrect_annotation_with_flux {
  count(results) == 0
 }

+test_with_deployment_and_incorrect_annotation_with_stakater {
+  input := review_deployment_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+  results := violation
+    with input as input
+
+  count(results) == 0
+}
+
 test_with_deployment_and_incorrect_annotation_with_platform_admin_group {
  input := review_deployment_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")


--- a/rego/allow_rollout_restart_statefulset/policy.rego
+++ b/rego/allow_rollout_restart_statefulset/policy.rego
-package allow_rollout_restart
+package allow_rollout_restart_statefulset

-# Violation caused when user is not flux and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
+# Violation caused when user is not local flux, not the stakater-reloader, and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
+    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
    flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
    not input.review.userInfo.username == flux_username
    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")

--- a/rego/allow_rollout_restart_statefulset/policy_test.rego
+++ b/rego/allow_rollout_restart_statefulset/policy_test.rego
-package allow_rollout_restart
+package allow_rollout_restart_statefulset

 test_with_statefulset_and_correct_annotation {
  input := review_statefulset_patch_existing("kubectl.kubernetes.io/restartedAt","14oclock","randomuser","randomgroup","13oclock")
@@ -27,6 +27,15 @@ test_with_statefulset_and_incorrect_annotation_with_flux {
  count(results) == 0
 }

+test_with_statefulset_and_incorrect_annotation_with_stakater {
+  input := review_statefulset_patch_existing("wrongAnnotation","wrong","system:serviceaccount:platform-stakater-reloader:stakater-reloader","randomgroup","13oclock")
+
+  results := violation
+    with input as input
+
+  count(results) == 0
+}
+
 test_with_statefulset_and_incorrect_annotation_with_platform_admin_group {
  input := review_statefulset_patch_existing("wrongAnnotation","wrong","randomuser","oidc:it.platform.roles.admin","13oclock")


--- a/rego/authorizeddomainpolicy/policy_test.rego
+++ b/rego/authorizeddomainpolicy/policy_test.rego
@@ -352,7 +352,7 @@ review_ingress_route_tcp(matchRule) = out {
    },
    "object": {
      "kind": "IngressRouteTCP",
-      "apiVersion": "traefik.containo.us/v1alpha1",
+      "apiVersion": "traefik.io/v1alpha1",
      "metadata": {
        "name": "my-ingress",
      },
@@ -374,7 +374,7 @@ review_ingress_route(matchRule) = out {
    },
    "object": {
      "kind": "IngressRoute",
-      "apiVersion": "traefik.containo.us/v1alpha1",
+      "apiVersion": "traefik.io/v1alpha1",
      "metadata": {
        "name": "my-ingress",
      },
No results found