fix: Warn instead of panic when API resource not found or forbidden #73
Commits on Jul 24, 2023
-
fix: Don't emit both Info & Error logs for PolicyReports
Before this fix, we were doing log.Info().Err(err), which emits a one-line log that is both info and error: {"level":"info","error":"resource not found","namespace":"demo2","time":"2023-07-24T15:23:17+02:00","message":"no pre-existing PolicyReport, will create one at the end of the scan"} Signed-off-by: Víctor Cuadrado Juan <[email protected]> -
fix: Skip clusterwide resources in getResourcesForPolicies
We are looking for namespaced resources, clusterwide resources get checked in getClusterWideResourcesForPolicies() Signed-off-by: Víctor Cuadrado Juan <[email protected]>
-
fix: Warn instead of panic when API resource not found or forbidden
When policies are configured with a spec.rules GVK, if resource doesn't exist because it has an incorrect GVK, or if because it is a CRD that we don't know about, emit warning and skip resource from scan. The same for when policies are configured with a spec.rules GVK that the audit-scanner lacks permissions for, emit warning and skip resource from scan. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
-
docs: locally run with a specific ServiceAccount
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Commits on Jul 25, 2023
-
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
-
tests: Add fakeClient now that we check if res are namespaced
Needed, as we need a client when we do `fetcher.isNamespacedResource()`. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
-
tests: Add test for incorrect GVKs
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
-
tests: Add test to show clusterwide res are skipped
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
-
tests: Add TestLackOfPermsWhenGettingResources()
Add a test that checks that we don't error nor panic when trying to filter resources that are forbidden (because the client lacks permissions, normally because the ServiceAccount is insufficient). Signed-off-by: Víctor Cuadrado Juan <[email protected]>
-
chore: Make golint-ci happy, and me a bit less
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.