Bug fix: remove wrong logic in testPodClusterRoleBindings (#1792)

redhat-best-practices-for-k8s · Jan 10, 2024 · f1968dd · f1968dd
1 parent 92700ac
commit f1968dd
Showing 1 changed file with 4 additions and 16 deletions.
diff --git a/cnf-certification-test/accesscontrol/suite.go b/cnf-certification-test/accesscontrol/suite.go
@@ -610,26 +610,12 @@ func testPodClusterRoleBindings(check *checksdb.Check, env *provider.TestEnviron
 
 	for _, put := range env.Pods {
 		check.LogInfo("Testing Pod %q", put)
-		podIsCompliant := true
 		result, roleRefName, err := put.IsUsingClusterRoleBinding(env.ClusterRoleBindings, check.GetLoggger())
 		if err != nil {
 			check.LogError("Failed to determine if Pod %q is using a cluster role binding, err=%v", put, err)
-			podIsCompliant = false
-		}
-
-		// Pod was found to be using a cluster role binding.  This is not allowed.
-		// Flagging this pod as a failed pod.
-		if result {
-			podIsCompliant = false
-		}
-
-		if podIsCompliant {
-			check.LogInfo("Pod %q is not using a cluster role binding", put)
-			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is not using a cluster role binding", true))
-		} else {
-			check.LogError("Pod %q is using a cluster role binding", put)
-			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is using a cluster role binding", false).
+			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, fmt.Sprintf("failed to determine if pod is using a cluster role binding: %v", err), false).
 				AddField(testhelper.ClusterRoleName, roleRefName))
+			continue
 		}
 
 		topOwners, err := put.GetTopOwner()
@@ -650,10 +636,12 @@ func testPodClusterRoleBindings(check *checksdb.Check, env *provider.TestEnviron
 		if result {
 			// Pod was found to be using a cluster role binding.  This is not allowed.
 			// Flagging this pod as a failed pod.
+			check.LogError("Pod %q is using a cluster role binding (roleRefName=%q)", put, roleRefName)
 			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is using a cluster role binding", false).
 				AddField(testhelper.ClusterRoleName, roleRefName))
 			continue
 		}
+		check.LogInfo("Pod %q is not using a cluster role binding", put)
 		compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is not using a cluster role binding", true))
 	}
 	check.SetResult(compliantObjects, nonCompliantObjects)