mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 20:24:09 +00:00
[PSA] default warn to enforce level
This commit is contained in:
parent
748daeb862
commit
0574a8181d
@ -278,7 +278,7 @@ func TestValidateNamespace(t *testing.T) {
|
|||||||
expectAllowed: true,
|
expectAllowed: true,
|
||||||
expectListPods: false,
|
expectListPods: false,
|
||||||
expectWarnings: []string{
|
expectWarnings: []string{
|
||||||
`namespace "test" is exempt from Pod Security, and the policy (enforce=restricted:latest) will be ignored`,
|
`namespace "test" is exempt from Pod Security, and the policy (enforce=restricted:latest, warn=restricted:latest) will be ignored`,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -1180,7 +1180,7 @@ func TestExemptNamespaceWarning(t *testing.T) {
|
|||||||
api.EnforceLevelLabel: string(api.LevelBaseline),
|
api.EnforceLevelLabel: string(api.LevelBaseline),
|
||||||
},
|
},
|
||||||
expectWarning: true,
|
expectWarning: true,
|
||||||
expectWarningContains: "(enforce=baseline:latest)",
|
expectWarningContains: "(enforce=baseline:latest, warn=baseline:latest)",
|
||||||
}, {
|
}, {
|
||||||
name: "warn-on-warn",
|
name: "warn-on-warn",
|
||||||
labels: map[string]string{
|
labels: map[string]string{
|
||||||
|
@ -213,12 +213,16 @@ func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.
|
|||||||
errs field.ErrorList
|
errs field.ErrorList
|
||||||
|
|
||||||
p = defaults
|
p = defaults
|
||||||
|
|
||||||
|
hasEnforceLevel bool
|
||||||
|
hasWarnLevel, hasWarnVersion bool
|
||||||
)
|
)
|
||||||
if len(labels) == 0 {
|
if len(labels) == 0 {
|
||||||
return p, nil
|
return p, nil
|
||||||
}
|
}
|
||||||
if level, ok := labels[EnforceLevelLabel]; ok {
|
if level, ok := labels[EnforceLevelLabel]; ok {
|
||||||
p.Enforce.Level, err = ParseLevel(level)
|
p.Enforce.Level, err = ParseLevel(level)
|
||||||
|
hasEnforceLevel = (err == nil) // Don't default warn in case of error
|
||||||
errs = appendErr(errs, err, EnforceLevelLabel, level)
|
errs = appendErr(errs, err, EnforceLevelLabel, level)
|
||||||
}
|
}
|
||||||
if version, ok := labels[EnforceVersionLabel]; ok {
|
if version, ok := labels[EnforceVersionLabel]; ok {
|
||||||
@ -237,6 +241,7 @@ func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.
|
|||||||
errs = appendErr(errs, err, AuditVersionLabel, version)
|
errs = appendErr(errs, err, AuditVersionLabel, version)
|
||||||
}
|
}
|
||||||
if level, ok := labels[WarnLevelLabel]; ok {
|
if level, ok := labels[WarnLevelLabel]; ok {
|
||||||
|
hasWarnLevel = true
|
||||||
p.Warn.Level, err = ParseLevel(level)
|
p.Warn.Level, err = ParseLevel(level)
|
||||||
errs = appendErr(errs, err, WarnLevelLabel, level)
|
errs = appendErr(errs, err, WarnLevelLabel, level)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -244,9 +249,19 @@ func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, field.
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if version, ok := labels[WarnVersionLabel]; ok {
|
if version, ok := labels[WarnVersionLabel]; ok {
|
||||||
|
hasWarnVersion = true
|
||||||
p.Warn.Version, err = ParseVersion(version)
|
p.Warn.Version, err = ParseVersion(version)
|
||||||
errs = appendErr(errs, err, WarnVersionLabel, version)
|
errs = appendErr(errs, err, WarnVersionLabel, version)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Default warn to the enforce level when explicitly set to a more restrictive level.
|
||||||
|
if !hasWarnLevel && hasEnforceLevel && CompareLevels(p.Enforce.Level, p.Warn.Level) > 0 {
|
||||||
|
p.Warn.Level = p.Enforce.Level
|
||||||
|
if !hasWarnVersion {
|
||||||
|
p.Warn.Version = p.Enforce.Version
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return p, errs
|
return p, errs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -117,3 +117,151 @@ func TestPolicyEquals(t *testing.T) {
|
|||||||
assert.True(t, baseline.Equivalent(&baseline), "baseline policy equals itself")
|
assert.True(t, baseline.Equivalent(&baseline), "baseline policy equals itself")
|
||||||
assert.False(t, privileged.Equivalent(&baseline), "privileged != baseline")
|
assert.False(t, privileged.Equivalent(&baseline), "privileged != baseline")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestPolicyToEvaluate(t *testing.T) {
|
||||||
|
privilegedLV := LevelVersion{
|
||||||
|
Level: LevelPrivileged,
|
||||||
|
Version: LatestVersion(),
|
||||||
|
}
|
||||||
|
privilegedPolicy := Policy{
|
||||||
|
Enforce: privilegedLV,
|
||||||
|
Warn: privilegedLV,
|
||||||
|
Audit: privilegedLV,
|
||||||
|
}
|
||||||
|
|
||||||
|
type testcase struct {
|
||||||
|
desc string
|
||||||
|
labels map[string]string
|
||||||
|
defaults Policy
|
||||||
|
expect Policy
|
||||||
|
expectErr bool
|
||||||
|
}
|
||||||
|
|
||||||
|
tests := []testcase{{
|
||||||
|
desc: "simple enforce",
|
||||||
|
labels: makeLabels("enforce", "baseline"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
Warn: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "simple warn",
|
||||||
|
labels: makeLabels("warn", "restricted"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: privilegedLV,
|
||||||
|
Warn: LevelVersion{LevelRestricted, LatestVersion()},
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "simple audit",
|
||||||
|
labels: makeLabels("audit", "baseline"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: privilegedLV,
|
||||||
|
Warn: privilegedLV,
|
||||||
|
Audit: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "enforce & warn",
|
||||||
|
labels: makeLabels("enforce", "baseline", "warn", "restricted"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
Warn: LevelVersion{LevelRestricted, LatestVersion()},
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "enforce version",
|
||||||
|
labels: makeLabels("enforce", "baseline", "enforce-version", "v1.22"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, MajorMinorVersion(1, 22)},
|
||||||
|
Warn: LevelVersion{LevelBaseline, MajorMinorVersion(1, 22)},
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "enforce version & warn-version",
|
||||||
|
labels: makeLabels("enforce", "baseline", "enforce-version", "v1.22", "warn-version", "latest"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, MajorMinorVersion(1, 22)},
|
||||||
|
Warn: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "enforce & warn-version",
|
||||||
|
labels: makeLabels("enforce", "baseline", "warn-version", "v1.23"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
Warn: LevelVersion{LevelBaseline, MajorMinorVersion(1, 23)},
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "fully specd",
|
||||||
|
labels: makeLabels(
|
||||||
|
"enforce", "baseline", "enforce-version", "v1.20",
|
||||||
|
"warn", "restricted", "warn-version", "v1.21",
|
||||||
|
"audit", "restricted", "audit-version", "v1.22"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, MajorMinorVersion(1, 20)},
|
||||||
|
Warn: LevelVersion{LevelRestricted, MajorMinorVersion(1, 21)},
|
||||||
|
Audit: LevelVersion{LevelRestricted, MajorMinorVersion(1, 22)},
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "enforce no warn",
|
||||||
|
labels: makeLabels("enforce", "baseline", "warn", "privileged"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
Warn: privilegedLV,
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
}, {
|
||||||
|
desc: "enforce warn error",
|
||||||
|
labels: makeLabels("enforce", "baseline", "warn", "foo"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelBaseline, LatestVersion()},
|
||||||
|
Warn: privilegedLV,
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
expectErr: true,
|
||||||
|
}, {
|
||||||
|
desc: "enforce error",
|
||||||
|
labels: makeLabels("enforce", "foo"),
|
||||||
|
expect: Policy{
|
||||||
|
Enforce: LevelVersion{LevelRestricted, LatestVersion()},
|
||||||
|
Warn: privilegedLV,
|
||||||
|
Audit: privilegedLV,
|
||||||
|
},
|
||||||
|
expectErr: true,
|
||||||
|
}}
|
||||||
|
|
||||||
|
for _, test := range tests {
|
||||||
|
t.Run(test.desc, func(t *testing.T) {
|
||||||
|
if test.defaults == (Policy{}) {
|
||||||
|
test.defaults = privilegedPolicy
|
||||||
|
}
|
||||||
|
|
||||||
|
actual, errs := PolicyToEvaluate(test.labels, test.defaults)
|
||||||
|
if test.expectErr {
|
||||||
|
assert.Error(t, errs.ToAggregate())
|
||||||
|
} else {
|
||||||
|
assert.NoError(t, errs.ToAggregate())
|
||||||
|
}
|
||||||
|
|
||||||
|
assert.Equal(t, test.expect, actual)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// makeLabels turns the kev-value pairs into a labels map[string]string.
|
||||||
|
func makeLabels(kvs ...string) map[string]string {
|
||||||
|
if len(kvs)%2 != 0 {
|
||||||
|
panic("makeLabels called with mismatched key-values")
|
||||||
|
}
|
||||||
|
labels := map[string]string{
|
||||||
|
"other-label": "foo-bar",
|
||||||
|
}
|
||||||
|
for i := 0; i < len(kvs); i += 2 {
|
||||||
|
key, value := kvs[i], kvs[i+1]
|
||||||
|
key = labelPrefix + key
|
||||||
|
labels[key] = value
|
||||||
|
}
|
||||||
|
return labels
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user