fix(k8spspprocmount): exemptImages CEL bug #588
Thanks for the review @JaydipGabani! This is ready for another look.
lgtm
LGTM
I recently found (open-policy-agent#584) that some K8sNativeValidation implementations of certain templates that iterate over and exempt containers by image had a bug preventing the exemption logic from working. I've fixed that bug here by mapping from `container` struct to `container.image` string. I've also added a suite test to verify this. That case fails without the change to the CEL logic.

Signed-off-by: juliankatz <[email protected]>
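Added example, not code from this PR or from gatekeeper-library: a Python model of the CEL exemption logic the description refers to, with the buggy exemption list of `container` structs beside the fixed list of `container.image` strings. The container data, the exemptImages values and the simplified procMount rule are constructed for illustration.

```python
from typing import Dict, List

Container = Dict[str, str]

# Constructed sample data, shaped like spec.containers and params.exemptImages.
CONTAINERS: List[Container] = [
    {"name": "web", "image": "nginx:1.25", "procMount": "Unmasked"},
    {"name": "agent", "image": "registry.example/monitoring/agent:2.0", "procMount": "Unmasked"},
    {"name": "sidecar", "image": "busybox:1.36", "procMount": "Unmasked"},
]
EXEMPT_IMAGES = ["nginx:1.25", "registry.example/monitoring/*"]  # trailing '*' = prefix match


def matches_exemption(image: str, exempt_images: List[str]) -> bool:
    """Exact match, or prefix match for entries ending in '*'."""
    explicit = [e for e in exempt_images if not e.endswith("*")]
    prefixes = [e[:-1] for e in exempt_images if e.endswith("*")]
    return image in explicit or any(image.startswith(p) for p in prefixes)


def exempt_buggy(containers: List[Container], exempt_images: List[str]) -> List[Container]:
    # Before the fix: the filter yields the matching container *structs*.
    return [c for c in containers if matches_exemption(c["image"], exempt_images)]


def exempt_fixed(containers: List[Container], exempt_images: List[str]) -> List[str]:
    # After the fix: the same filter mapped to container.image, a list of strings.
    return [c["image"] for c in containers if matches_exemption(c["image"], exempt_images)]


def bad_containers(containers: List[Container], exempt_list: list) -> List[str]:
    """Simplified (constructed) violation rule: report any container whose procMount is
    not 'Default' unless its image is in the exemption list.  Testing a string with `in`
    against a list of structs is simply false (as in CEL), so the buggy list exempts nothing."""
    return [
        c["name"]
        for c in containers
        if c["image"] not in exempt_list and c.get("procMount", "Default") != "Default"
    ]


if __name__ == "__main__":
    print("buggy:", bad_containers(CONTAINERS, exempt_buggy(CONTAINERS, EXEMPT_IMAGES)))
    print("fixed:", bad_containers(CONTAINERS, exempt_fixed(CONTAINERS, EXEMPT_IMAGES)))
```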
LGTM
@julianKatz I just pulled this update and it seems to break functionality getting the following violations:
Also some variants of: