github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

podsecurity: distinguish between audit and audit violation annotations

Browse Source
This commit is contained in:
Stanislav Laznicka 2021-10-26 09:18:39 +02:00
parent 4a79488ac2
commit 65f88c675c
No known key found for this signature in database
GPG Key ID: C98C414936B1A7F3
3 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
staging/src/k8s.io/pod-security-admission/admission/admission.go
View File

@ -446,7 +446,7 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
// TODO: reuse previous evaluation if audit level+version is the same as enforce level+version // TODO: reuse previous evaluation if audit level+version is the same as enforce level+version
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Audit, podMetadata, podSpec)); !result.Allowed { if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Audit, podMetadata, podSpec)); !result.Allowed {
auditAnnotations["audit"] = fmt.Sprintf( auditAnnotations[api.AuditViolationsAnnotationKey] = fmt.Sprintf(
"would violate PodSecurity %q: %s", "would violate PodSecurity %q: %s",
nsPolicy.Audit.String(), nsPolicy.Audit.String(),
result.ForbiddenDetail(), result.ForbiddenDetail(),

4
staging/src/k8s.io/pod-security-admission/admission/admission_test.go
View File

@ -650,7 +650,7 @@ func TestValidatePodController(t *testing.T) {
newObject: &badDeploy, newObject: &badDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"}, gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}, gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"}, expectAuditAnnotations: map[string]string{"audit-violations": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"}, expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
}, },
{ {
@ -659,7 +659,7 @@ func TestValidatePodController(t *testing.T) {
oldObject: &goodDeploy, oldObject: &goodDeploy,
gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"}, gvk: schema.GroupVersionKind{Group: "apps", Version: "v1", Kind: "Deployment"},
gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}, gvr: schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"},
expectAuditAnnotations: map[string]string{"audit": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"}, expectAuditAnnotations: map[string]string{"audit-violations": "would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"}, expectWarnings: []string{"would violate PodSecurity \"baseline:latest\": forbidden sysctls (unknown)"},
}, },
} }

1
staging/src/k8s.io/pod-security-admission/api/constants.go
View File

@ -45,4 +45,5 @@ const (
WarnVersionLabel = labelPrefix + "warn-version" WarnVersionLabel = labelPrefix + "warn-version"
ExemptionReasonAnnotationKey = "exempt" ExemptionReasonAnnotationKey = "exempt"
AuditViolationsAnnotationKey = "audit-violations"
) )