fix: update name rule logic to ignore incorrect kinds (#957)

hadar-co · web-flow · commit c9b7710f0222 · 2023-07-12T12:16:17.000+03:00
* fix: update name rule logic to ignore incorrect kinds

* fix: update name rule logic to ignore incorrect kinds

* fix: update name rule logic to ignore incorrect kinds

* fix: update name rule logic to ignore incorrect kinds

* fix: update name rule logic to ignore incorrect kinds
diff --git a/pkg/defaultRules/defaultRules.yaml b/pkg/defaultRules/defaultRules.yaml
@@ -1861,28 +1861,48 @@ rules:
     impact: Configurations with a missing or invalid name will pass k8s schema validation, but will fail when pushed into a cluster (i.e. when running kubectl apply/create)
     schema:
       definitions:
-        metadataNamePattern:
-          properties:
-            metadata:
-              type: object
-              properties:
-                name:
-                  type: string
-                  format: hostname
-              required:
-                - name
-          required:
-            - metadata
-        metadataGenerateNamePattern:
+        strictNamesPattern:
+          if:
+            properties:
+              kind:
+                not:
+                  enum:
+                    - ClusterRole
+                    - ClusterRoleBinding
+          then:
+            properties:
+              metadata:
+                type: object
+                anyOf:
+                  - properties:
+                      name:
+                        type: string
+                        format: hostname
+                    required:
+                      - name
+                  - properties:
+                      generateName:
+                        type: string
+                        format: hostname
+                    required:
+                      - generateName
+            required:
+              - metadata
+        nonStrictNamesPattern:
           properties:
             metadata:
               type: object
-              properties:
-                generateName:
-                  type: string
-                  format: hostname
-              required:
-                - generateName
+              anyOf:
+                - properties:
+                    name:
+                      type: string
+                  required:
+                    - name
+                - properties:
+                    generateName:
+                      type: string
+                  required:
+                    - generateName
           required:
             - metadata
       if:
@@ -1892,9 +1912,9 @@ rules:
               enum:
                 - Kustomization
       then:
-        anyOf:
-          - $ref: "#/definitions/metadataNamePattern"
-          - $ref: "#/definitions/metadataGenerateNamePattern"
+        allOf:
+          - $ref: "#/definitions/strictNamesPattern"
+          - $ref: "#/definitions/nonStrictNamesPattern"
   - id: 55
     name: Ensure each container probe has an initial delay configured
     uniqueName: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE
diff --git a/pkg/policy/tests/54/fail/54-fail-2.yaml b/pkg/policy/tests/54/fail/54-fail-2.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: invalid:format
+spec:
+  selector:
+  matchLabels:
+    app: frontend-deployment
+  template:
+  metadata:
+    labels:
+      app: frontend-deployment
+  spec:
+    containers:
+      - name: app
+        image: foo/bar:latest
+        ports:
+          - name: http
+            containerPort: 8080
+            protocol: TCP
diff --git a/pkg/policy/tests/54/pass/54-pass-2.yaml b/pkg/policy/tests/54/pass/54-pass-2.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # "namespace" omitted since ClusterRoles are not namespaced
+  name: system:secret-reader
+rules:
+- apiGroups: [""]
+  #
+  # at the HTTP level, the name of the resource for accessing Secret
+  # objects is "secrets"
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
diff --git a/pkg/policy/tests/54/pass/54-pass-3.yaml b/pkg/policy/tests/54/pass/54-pass-3.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - service.yaml
+  - deployment.yaml
+  - hpa.yaml
diff --git a/pkg/policy/tests/54/pass/54-pass-4.yaml b/pkg/policy/tests/54/pass/54-pass-4.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  # "namespace" omitted since ClusterRoles are not namespaced
+  name: valid:name
+rules:
+- apiGroups: [""]
+  #
+  # at the HTTP level, the name of the resource for accessing Secret
+  # objects is "secrets"
+  resources: ["secrets"]
+  verbs: ["get", "watch", "list"]
