Add support for API groups with multiple slashes

jpreese · jpreese · commit d0bab6cb079b · 2020-06-30T08:59:30.000-04:00
diff --git a/examples/virtual-service-naming/constraint.yaml b/examples/virtual-service-naming/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: VirtualServiceNaming
+metadata:
+  name: virtualservicenaming
+spec:
+  match:
+    kinds:
+    - apiGroups:
+      - networking.istio.io/v1alpha3
+      kinds:
+      - VirtualService
diff --git a/examples/virtual-service-naming/src.rego b/examples/virtual-service-naming/src.rego
@@ -0,0 +1,16 @@
+package policy
+
+import data.lib.k8s
+
+# VirtualServices must not be named virtual-service
+# @Kinds networking.istio.io/v1alpha3/VirtualService
+violation[msg] {
+  not virtualservice_name_allowed
+
+  msg := k8s.format(sprintf("(%s) %s: VirtualServices must not be named virtual-service", [k8s.kind, k8s.name]))
+}
+
+virtualservice_name_allowed {
+  k8s.kind == "VirtualService"
+  not k8s.name == "virtual-service"
+}
diff --git a/examples/virtual-service-naming/src_test.rego b/examples/virtual-service-naming/src_test.rego
@@ -0,0 +1,23 @@
+package policy
+
+test_input_as_invalid_name {
+  input := {
+    "kind": "VirtualService",
+    "metadata": {
+      "name": "virtual-service"
+    }
+  }
+
+  not virtualservice_name_allowed with input as input
+}
+
+test_input_as_valid_name {
+  input := {
+    "kind": "VirtualService",
+    "metadata": {
+      "name": "valid-name"
+    }
+  }
+
+  virtualservice_name_allowed with input as input
+}
diff --git a/examples/virtual-service-naming/template.yaml b/examples/virtual-service-naming/template.yaml
@@ -2,12 +2,12 @@ apiVersion: templates.gatekeeper.sh/v1beta1
 kind: ConstraintTemplate
 metadata:
   creationTimestamp: null
-  name: volumesemptydirlimitsrequired
+  name: virtualservicenaming
 spec:
   crd:
     spec:
       names:
-        kind: VolumesEmptydirLimitsRequired
+        kind: VirtualServiceNaming
   targets:
   - libs:
     - |
@@ -297,16 +297,13 @@ spec:
 
       import data.lib.k8s
 
-      # EmptyDir volume mounts must specify a size limit.
-      # @Kinds apps/DaemonSet apps/Deployment apps/StatefulSet core/Pod
+      # VirtualServices must not be named virtual-service
+      # @Kinds networking.istio.io/v1alpha3/VirtualService
       violation[msg] {
-        volumes_emptydir_size_limit_required
+        k8s.kind == "VirtualService"
+        k8s.name == "virtual-service"
 
-        msg := k8s.format(sprintf("(%s) %s: Volume mounts of type emptyDir must set a size limit", [k8s.kind, k8s.name]))
-      }
-
-      volumes_emptydir_size_limit_required {
-        k8s.missing_field(k8s.volumes[_].emptyDir, "sizeLimit")
+        msg := k8s.format(sprintf("(%s) %s: VirtualServices must not be named virtual-service", [k8s.kind, k8s.name]))
       }
     target: admission.k8s.gatekeeper.sh
 status: {}
diff --git a/examples/volumes-emptydir-limits-required/constraint.yaml b/examples/volumes-emptydir-limits-required/constraint.yaml
diff --git a/examples/volumes-emptydir-limits-required/src.rego b/examples/volumes-emptydir-limits-required/src.rego
diff --git a/examples/volumes-emptydir-limits-required/src_test.rego b/examples/volumes-emptydir-limits-required/src_test.rego
diff --git a/internal/commands/document.go b/internal/commands/document.go
@@ -116,12 +116,13 @@ func getPolicyCommentBlocks(policy []byte) ([]PolicyCommentBlock, error) {
 		var kinds []string
 		for _, kindGroup := range kindGroups {
 			kindTokens := strings.Split(kindGroup, "/")
+			apiGroup := strings.Join(kindTokens[:len(kindTokens)-1], "/")
 
-			if !contains(apiGroups, kindTokens[0]) {
-				apiGroups = append(apiGroups, kindTokens[0])
+			if !contains(apiGroups, apiGroup) {
+				apiGroups = append(apiGroups, apiGroup)
 			}
 
-			kinds = append(kinds, kindTokens[1])
+			kinds = append(kinds, kindTokens[len(kindTokens)-1])
 		}
 
 		policyCommentBlock := PolicyCommentBlock{
diff --git a/internal/commands/document_test.go b/internal/commands/document_test.go
@@ -23,7 +23,7 @@ violation[msg] {
 func TestGetPolicyCommentBlocks(t *testing.T) {
 	policy := `
 # First description
-# @Kinds core/Pods apps/Deployments apps/DaemonSet
+# @Kinds core/Pods apps/Deployments apps/DaemonSet networking.istio.io/v1alpha3/VirtualService
 violation[msg] {
 	false
 }`
@@ -38,7 +38,7 @@ violation[msg] {
 		t.Errorf("expected policy block to exist, but one did not.")
 	}
 
-	expectedAPIGroupCount := 2
+	expectedAPIGroupCount := 3
 	if len(actual[0].APIGroups) != expectedAPIGroupCount {
 		t.Errorf("expected %v APIGroups to exists but %v were found", expectedAPIGroupCount, len(actual[0].APIGroups))
 	}
@@ -51,11 +51,19 @@ violation[msg] {
 		t.Errorf("expected policy block to contain 'apps' APIGroup, but was not found.")
 	}
 
+	if !contains(actual[0].APIGroups, "networking.istio.io/v1alpha3") {
+		t.Errorf("expected policy block to contain 'apps' APIGroup, but was not found.")
+	}
+
 	if !contains(actual[0].Kinds, "Pods") {
 		t.Errorf("expected policy block to contain 'Pods' Kind, but was not found.")
 	}
 
 	if !contains(actual[0].Kinds, "Deployments") {
 		t.Errorf("expected policy block to contain 'Deployments' Kind, but was not found.")
 	}
+
+	if !contains(actual[0].Kinds, "VirtualService") {
+		t.Errorf("expected policy block to contain 'VirtualService' Kind, but was not found.")
+	}
 }

Original file line number	Diff line number	Diff line change
`@@ -116,12 +116,13 @@ func getPolicyCommentBlocks(policy []byte) ([]PolicyCommentBlock, error) {`
`116`	`116`	`var kinds []string`
`117`	`117`	`for _, kindGroup := range kindGroups {`
`118`	`118`	`kindTokens := strings.Split(kindGroup, "/")`
	`119`	`+ apiGroup := strings.Join(kindTokens[:len(kindTokens)-1], "/")`
`119`	`120`
`120`		`- if !contains(apiGroups, kindTokens[0]) {`
`121`		`- apiGroups = append(apiGroups, kindTokens[0])`
	`121`	`+ if !contains(apiGroups, apiGroup) {`
	`122`	`+ apiGroups = append(apiGroups, apiGroup)`
`122`	`123`	`}`
`123`	`124`
`124`		`- kinds = append(kinds, kindTokens[1])`
	`125`	`+ kinds = append(kinds, kindTokens[len(kindTokens)-1])`
`125`	`126`	`}`
`126`	`127`
`127`	`128`	`policyCommentBlock := PolicyCommentBlock{`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ violation[msg] {`
`23`	`23`	`func TestGetPolicyCommentBlocks(t *testing.T) {`
`24`	`24`	policy := `
`25`	`25`	`# First description`
`26`		`-# @Kinds core/Pods apps/Deployments apps/DaemonSet`
	`26`	`+# @Kinds core/Pods apps/Deployments apps/DaemonSet networking.istio.io/v1alpha3/VirtualService`
`27`	`27`	`violation[msg] {`
`28`	`28`	`false`
`29`	`29`	}`
`@@ -38,7 +38,7 @@ violation[msg] {`
`38`	`38`	`t.Errorf("expected policy block to exist, but one did not.")`
`39`	`39`	`}`
`40`	`40`
`41`		`- expectedAPIGroupCount := 2`
	`41`	`+ expectedAPIGroupCount := 3`
`42`	`42`	`if len(actual[0].APIGroups) != expectedAPIGroupCount {`
`43`	`43`	`t.Errorf("expected %v APIGroups to exists but %v were found", expectedAPIGroupCount, len(actual[0].APIGroups))`
`44`	`44`	`}`
`@@ -51,11 +51,19 @@ violation[msg] {`
`51`	`51`	`t.Errorf("expected policy block to contain 'apps' APIGroup, but was not found.")`
`52`	`52`	`}`
`53`	`53`
	`54`	`+ if !contains(actual[0].APIGroups, "networking.istio.io/v1alpha3") {`
	`55`	`+ t.Errorf("expected policy block to contain 'apps' APIGroup, but was not found.")`
	`56`	`+ }`
	`57`	`+`
`54`	`58`	`if !contains(actual[0].Kinds, "Pods") {`
`55`	`59`	`t.Errorf("expected policy block to contain 'Pods' Kind, but was not found.")`
`56`	`60`	`}`
`57`	`61`
`58`	`62`	`if !contains(actual[0].Kinds, "Deployments") {`
`59`	`63`	`t.Errorf("expected policy block to contain 'Deployments' Kind, but was not found.")`
`60`	`64`	`}`
	`65`	`+`
	`66`	`+ if !contains(actual[0].Kinds, "VirtualService") {`
	`67`	`+ t.Errorf("expected policy block to contain 'VirtualService' Kind, but was not found.")`
	`68`	`+ }`
`61`	`69`	`}`