PodSecurity: fix level/version validation fieldpaths

Jordan Liggitt 2021-10-27 23:44:26 -04:00
parent 7cd905e897
commit c0f33ddf08
2 changed files with 18 additions and 18 deletions


@ -34,45 +34,45 @@ func ToPolicy(defaults PodSecurityDefaults) (policyapi.Policy, error) {
) )
if len(defaults.Enforce) == 0 { if len(defaults.Enforce) == 0 {
errs = appendErr(errs, requiredErr, "Enforce.Level") errs = appendErr(errs, requiredErr, "enforce")
} else { } else {
p.Enforce.Level, err = policyapi.ParseLevel(defaults.Enforce) p.Enforce.Level, err = policyapi.ParseLevel(defaults.Enforce)
errs = appendErr(errs, err, "Enforce.Level") errs = appendErr(errs, err, "enforce")
} }
if len(defaults.EnforceVersion) == 0 { if len(defaults.EnforceVersion) == 0 {
errs = appendErr(errs, requiredErr, "Enforce.Version") errs = appendErr(errs, requiredErr, "enforce-version")
} else { } else {
p.Enforce.Version, err = policyapi.ParseVersion(defaults.EnforceVersion) p.Enforce.Version, err = policyapi.ParseVersion(defaults.EnforceVersion)
errs = appendErr(errs, err, "Enforce.Version") errs = appendErr(errs, err, "enforce-version")
} }
if len(defaults.Audit) == 0 { if len(defaults.Audit) == 0 {
errs = appendErr(errs, requiredErr, "Audit.Level") errs = appendErr(errs, requiredErr, "audit")
} else { } else {
p.Audit.Level, err = policyapi.ParseLevel(defaults.Audit) p.Audit.Level, err = policyapi.ParseLevel(defaults.Audit)
errs = appendErr(errs, err, "Audit.Level") errs = appendErr(errs, err, "audit")
} }
if len(defaults.AuditVersion) == 0 { if len(defaults.AuditVersion) == 0 {
errs = appendErr(errs, requiredErr, "Audit.Version") errs = appendErr(errs, requiredErr, "audit-version")
} else { } else {
p.Audit.Version, err = policyapi.ParseVersion(defaults.AuditVersion) p.Audit.Version, err = policyapi.ParseVersion(defaults.AuditVersion)
errs = appendErr(errs, err, "Audit.Version") errs = appendErr(errs, err, "audit-version")
} }
if len(defaults.Warn) == 0 { if len(defaults.Warn) == 0 {
errs = appendErr(errs, requiredErr, "Warn.Level") errs = appendErr(errs, requiredErr, "warn")
} else { } else {
p.Warn.Level, err = policyapi.ParseLevel(defaults.Warn) p.Warn.Level, err = policyapi.ParseLevel(defaults.Warn)
errs = appendErr(errs, err, "Warn.Level") errs = appendErr(errs, err, "warn")
} }
if len(defaults.WarnVersion) == 0 { if len(defaults.WarnVersion) == 0 {
errs = appendErr(errs, requiredErr, "Warn.Version") errs = appendErr(errs, requiredErr, "warn-version")
} else { } else {
p.Warn.Version, err = policyapi.ParseVersion(defaults.WarnVersion) p.Warn.Version, err = policyapi.ParseVersion(defaults.WarnVersion)
errs = appendErr(errs, err, "Warn.Version") errs = appendErr(errs, err, "warn-version")
} }
return p, errors.NewAggregate(errs) return p, errors.NewAggregate(errs)
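Review bot: Each field path literal now appears twice in this hunk — once in the `requiredErr` branch and once after the parse (e.g. `"enforce"` on the lines for `len(defaults.Enforce) == 0` and after `ParseLevel`), so the six near-identical if/else blocks give twelve places where a later edit can make the two branches disagree again, which is exactly the class of drift this commit fixes. The repetition can be folded into two small closures that take the destination field and the path once; they capture the existing `errs` and `err` from the var block above the hunk (so nothing in that block becomes unused), and they preserve the current behavior of leaving the field untouched when the input is empty and assigning whatever the parser returned otherwise. The Level/Version parameter types are inferred from what `policyapi.ParseLevel`/`ParseVersion` return and should be checked against the api package. ToPolicy starts before this hunk and its closing brace is outside it.

```go
// parseLevel/parseVersion keep each field path in one place, so the
// "required" and "parse" branches cannot drift apart again.
parseLevel := func(dst *policyapi.Level, value, fieldPath string) {
	if len(value) == 0 {
		errs = appendErr(errs, requiredErr, fieldPath)
		return
	}
	*dst, err = policyapi.ParseLevel(value)
	errs = appendErr(errs, err, fieldPath)
}
parseVersion := func(dst *policyapi.Version, value, fieldPath string) {
	if len(value) == 0 {
		errs = appendErr(errs, requiredErr, fieldPath)
		return
	}
	*dst, err = policyapi.ParseVersion(value)
	errs = appendErr(errs, err, fieldPath)
}
parseLevel(&p.Enforce.Level, defaults.Enforce, "enforce")
parseVersion(&p.Enforce.Version, defaults.EnforceVersion, "enforce-version")
parseLevel(&p.Audit.Level, defaults.Audit, "audit")
parseVersion(&p.Audit.Version, defaults.AuditVersion, "audit-version")
parseLevel(&p.Warn.Level, defaults.Warn, "warn")
parseVersion(&p.Warn.Version, defaults.WarnVersion, "warn-version")
// … unchanged: return p, errors.NewAggregate(errs) …
```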


@ -158,33 +158,33 @@ func PolicyToEvaluate(labels map[string]string, defaults Policy) (Policy, error)
) )
if level, ok := labels[EnforceLevelLabel]; ok { if level, ok := labels[EnforceLevelLabel]; ok {
p.Enforce.Level, err = ParseLevel(level) p.Enforce.Level, err = ParseLevel(level)
errs = appendErr(errs, err, "Enforce.Level") errs = appendErr(errs, err, EnforceLevelLabel)
} }
if version, ok := labels[EnforceVersionLabel]; ok { if version, ok := labels[EnforceVersionLabel]; ok {
p.Enforce.Version, err = ParseVersion(version) p.Enforce.Version, err = ParseVersion(version)
errs = appendErr(errs, err, "Enforce.Version") errs = appendErr(errs, err, EnforceVersionLabel)
} }
if level, ok := labels[AuditLevelLabel]; ok { if level, ok := labels[AuditLevelLabel]; ok {
p.Audit.Level, err = ParseLevel(level) p.Audit.Level, err = ParseLevel(level)
errs = appendErr(errs, err, "Audit.Level") errs = appendErr(errs, err, AuditLevelLabel)
if err != nil { if err != nil {
p.Audit.Level = LevelPrivileged // Fail open for audit. p.Audit.Level = LevelPrivileged // Fail open for audit.
} }
} }
if version, ok := labels[AuditVersionLabel]; ok { if version, ok := labels[AuditVersionLabel]; ok {
p.Audit.Version, err = ParseVersion(version) p.Audit.Version, err = ParseVersion(version)
errs = appendErr(errs, err, "Audit.Version") errs = appendErr(errs, err, AuditVersionLabel)
} }
if level, ok := labels[WarnLevelLabel]; ok { if level, ok := labels[WarnLevelLabel]; ok {
p.Warn.Level, err = ParseLevel(level) p.Warn.Level, err = ParseLevel(level)
errs = appendErr(errs, err, "Warn.Level") errs = appendErr(errs, err, WarnLevelLabel)
if err != nil { if err != nil {
p.Warn.Level = LevelPrivileged // Fail open for warn. p.Warn.Level = LevelPrivileged // Fail open for warn.
} }
} }
if version, ok := labels[WarnVersionLabel]; ok { if version, ok := labels[WarnVersionLabel]; ok {
p.Warn.Version, err = ParseVersion(version) p.Warn.Version, err = ParseVersion(version)
errs = appendErr(errs, err, "Warn.Version") errs = appendErr(errs, err, WarnVersionLabel)
} }
return p, errors.NewAggregate(errs) return p, errors.NewAggregate(errs)
} }
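Review bot: The enforce branch at the top of this hunk is the only level override without a fail-open comment, and the asymmetry is the security-relevant part of this function: an unparseable audit or warn label is relaxed to `LevelPrivileged`, while an unparseable enforce label is left as whatever `ParseLevel` returned together with the error, and nothing here downgrades enforcement. That deserves to be stated explicitly so a future edit does not "fix" it by copying the audit/warn fallback; after the enforce `appendErr` line I would add `// No fail-open for enforce: an invalid enforce label is reported as an error, never relaxed to privileged.` The version fields have no fallback at all in either direction, so on a bad `AuditVersionLabel`/`WarnVersionLabel` `p.Audit.Version`/`p.Warn.Version` hold whatever `ParseVersion` returns on error — presumably its zero value, which should be confirmed against the parser and noted next to the "Fail open" comments. Since the function returns a partially overridden `p` alongside the aggregated error, the doc comment on PolicyToEvaluate (above the hunk) should say that `p` is only meaningful when the error is nil, or that callers must treat the error as authoritative for enforce.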