Validate PAAS account is valid

OSC · Apr 2, 2024 · 70fe874 · 70fe874
1 parent f0f5fa4
commit 70fe874
Show file tree

Hide file tree

Showing 4 changed files with 138 additions and 7 deletions.
diff --git a/charts/kyverno-policies/templates/pod-account-validation.yaml b/charts/kyverno-policies/templates/pod-account-validation.yaml
@@ -56,3 +56,41 @@ spec:
         - key: "{{`{{ request.object.metadata.labels.account }}`}}"
           operator: NotIn
           value: "{{`{{ userGroupMap.data.\"{{ request.object.metadata.namespace }}\" }}`}}"
+  - name: paas-user-authorized-for-account
+    match:
+      any:
+        - resources:
+            kinds:
+            - Pod
+            namespaceSelector:
+              matchExpressions:
+              - key: osc.edu/role
+                operator: In
+                values:
+                - paas
+    preconditions:
+    - key: "{{`{{ request.operation }}`}}"
+      operator: In
+      value: ["CREATE","UPDATE"]
+    - key: "{{`{{ request.object.metadata.labels.account || '' }}`}}"
+      operator: NotEquals
+      value: ""
+    - key: "{{`{{ serviceAccount }}`}}"
+      operator: NotEquals
+      value: ""
+    context:
+    - name: serviceAccount
+      apiCall:
+        urlPath: "/api/v1/namespaces/{{`{{ request.namespace }}`}}"
+        jmesPath: "metadata.labels.\"{{ include "osc.common.serviceAccountKey" . }}\" || ''"
+    - name: userGroupMap
+      configMap:
+        name: user-groups-map
+        namespace: k8-ldap-configmap
+    validate:
+      message: "{{`{{ serviceAccount }}`}} not authorized to charge against account {{`{{ request.object.metadata.labels.account }}`}}"
+      deny:
+        conditions:
+        - key: "{{`{{ request.object.metadata.labels.account }}`}}"
+          operator: NotIn
+          value: "{{`{{ userGroupMap.data.\"user-{{ serviceAccount }}\" }}`}}"
diff --git a/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml b/tests/kyverno-policies/pod-account-validation/kyverno-test.yaml
@@ -6,6 +6,27 @@ resources:
   - resources.yaml
 variables: variables.yaml
 results:
+  - policy: pod-account-validation
+    rule: pods-user-account-prefix
+    resources:
+      - test-pass
+      - test-pass-paas
+    kind: Pod
+    result: pass
+  - policy: pod-account-validation
+    rule: pods-user-account-prefix
+    resources:
+      - test-fail
+      - test-fail-paas
+    kind: Pod
+    result: fail
+  - policy: pod-account-validation
+    rule: pods-user-account-prefix
+    resources:
+      - test-fail-prefix
+      - test-fail-prefix-paas
+    kind: Pod
+    result: fail
   - policy: pod-account-validation
     rule: pods-user-authorized-for-account
     resources:
@@ -17,23 +38,32 @@ results:
     rule: pods-user-authorized-for-account
     resources:
       - test-pass
-      - test-pass-paas
     kind: Pod
     namespace: user-test
     result: pass
   - policy: pod-account-validation
     rule: pods-user-authorized-for-account
     resources:
       - test-fail
-      - test-fail-paas
     kind: Pod
     namespace: user-test
     result: fail
   - policy: pod-account-validation
-    rule: pods-user-account-prefix
+    rule: paas-user-authorized-for-account
     resources:
-      - test-fail-prefix
-      - test-fail-prefix-paas
+      - test-paas-skip
+      - test-paas-skip-op
     kind: Pod
-    namespace: user-test
-    result: fail
+    result: skip
+  - policy: pod-account-validation
+    rule: paas-user-authorized-for-account
+    resources:
+      - test-paas-pass
+    kind: Pod
+    result: pass
+  - policy: pod-account-validation
+    rule: paas-user-authorized-for-account
+    resources:
+      - test-paas-fail
+    kind: Pod
+    result: fail
diff --git a/tests/kyverno-policies/pod-account-validation/resources.yaml b/tests/kyverno-policies/pod-account-validation/resources.yaml
@@ -92,3 +92,49 @@ spec:
   containers:
   - name: nginx
     image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-skip
+  namespace: user-test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-skip-op
+  namespace: paas
+  labels:
+    account: test
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-pass
+  namespace: paas
+  labels:
+    account: PZS0001
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-paas-fail
+  namespace: paas
+  labels:
+    account: PZS0002
+spec: 
+  containers:
+  - name: nginx
+    image: nginx:1.12
diff --git a/tests/kyverno-policies/pod-account-validation/variables.yaml b/tests/kyverno-policies/pod-account-validation/variables.yaml
@@ -4,6 +4,9 @@ policies:
       - name: pods-user-authorized-for-account
         values:
           userGroupMap.data.user-test: '["PZS0001","PZS0003","oscall"]'
+      - name: paas-user-authorized-for-account
+        values:
+          userGroupMap.data.user-test: '["PZS0001","PZS0003","oscall"]'
     resources:
       - name: test-skip
         values:
@@ -29,6 +32,20 @@ policies:
       - name: test-fail-prefix-paas
         values:
           request.operation: CREATE
+      - name: test-paas-skip
+        values:
+          request.operation: CREATE
+      - name: test-paas-skip-op
+        values:
+          request.operation: DELETE
+      - name: test-paas-pass
+        values:
+          request.operation: CREATE
+          serviceAccount: test
+      - name: test-paas-fail
+        values:
+          request.operation: CREATE
+          serviceAccount: test
 namespaceSelector:
   - name: user-test
     labels: