diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go index 1d2d502f769..b748e8649cc 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader.go @@ -49,6 +49,10 @@ func LoadPolicyFromFile(filePath string) (*auditinternal.Policy, error) { return nil, err.ToAggregate() } - glog.V(4).Infof("Loaded %d audit policy rules from file %s\n", len(policy.Rules), filePath) + policyCnt := len(policy.Rules) + if policyCnt == 0 { + return nil, fmt.Errorf("loaded illegal policy with 0 rules from file %s", filePath) + } + glog.V(4).Infof("Loaded %d audit policy rules from file %s", policyCnt, filePath) return policy, nil } diff --git a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go index b61e5131700..06aaea54235 100644 --- a/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go +++ b/staging/src/k8s.io/apiserver/pkg/audit/policy/reader_test.go @@ -32,7 +32,7 @@ import ( ) const policyDefV1alpha1 = ` -apiVersion: audit.k8s.io/v1beta1 +apiVersion: audit.k8s.io/v1alpha1 kind: Policy rules: - level: None @@ -91,16 +91,11 @@ var expectedPolicy = &audit.Policy{ } func TestParserV1alpha1(t *testing.T) { - // Create a policy file. - f, err := ioutil.TempFile("", "policy.yaml") + f, err := writePolicy(policyDefV1alpha1, t) require.NoError(t, err) - defer os.Remove(f.Name()) + defer os.Remove(f) - _, err = f.WriteString(policyDefV1alpha1) - require.NoError(t, err) - require.NoError(t, f.Close()) - - policy, err := LoadPolicyFromFile(f.Name()) + policy, err := LoadPolicyFromFile(f) require.NoError(t, err) assert.Len(t, policy.Rules, 3) // Sanity check. @@ -110,16 +105,11 @@ func TestParserV1alpha1(t *testing.T) { } func TestParserV1beta1(t *testing.T) { - // Create a policy file. - f, err := ioutil.TempFile("", "policy.yaml") + f, err := writePolicy(policyDefV1beta1, t) require.NoError(t, err) - defer os.Remove(f.Name()) + defer os.Remove(f) - _, err = f.WriteString(policyDefV1beta1) - require.NoError(t, err) - require.NoError(t, f.Close()) - - policy, err := LoadPolicyFromFile(f.Name()) + policy, err := LoadPolicyFromFile(f) require.NoError(t, err) assert.Len(t, policy.Rules, 3) // Sanity check. @@ -127,3 +117,37 @@ func TestParserV1beta1(t *testing.T) { t.Errorf("Unexpected policy! Diff:\n%s", diff.ObjectDiff(policy, expectedPolicy)) } } + +func TestPolicyCntCheck(t *testing.T) { + //a set of testCases + var testCases = []struct { + caseName, policy string + }{ + { + "policyWithNoRule", + `apiVersion: audit.k8s.io/v1beta1 +kind: Policy`, + }, + {"emptyPolicyFile", ""}, + } + + for _, tc := range testCases { + f, err := writePolicy(tc.policy, t) + require.NoError(t, err) + defer os.Remove(f) + + _, err = LoadPolicyFromFile(f) + assert.Errorf(t, err, "loaded illegal policy with 0 rules from testCase %s", tc.caseName) + } +} + +func writePolicy(policy string, t *testing.T) (string, error) { + f, err := ioutil.TempFile("", "policy.yaml") + require.NoError(t, err) + + _, err = f.WriteString(policy) + require.NoError(t, err) + require.NoError(t, f.Close()) + + return f.Name(), nil +}