Comments (9)
Confirmed, I think this is an unintended side effect of #34.
Adding an additional deny causes the failures to duplicate.
Pinging @brendanjryan in case the fix is obvious. Otherwise I'll try and grab some time to look at this tomorrow as well.
You might be able to see the problem in the trace I think, run conftest test --trace, for example
A sample trace
```
deployment.yaml
Enter data.main.deny = _
| Eval data.main.deny = _
| Index data.main.deny = _ (matched 2 rules)
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Enter data.kubernetes.is_deployment
| | | Eval input.kind = "Deployment"
| | | Exit data.kubernetes.is_deployment
| | Eval not input.spec.template.spec.securityContext.runAsNonRoot = true
| | Enter input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Eval input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Fail input.spec.template.spec.securityContext.runAsNonRoot = true
| | Eval __local3__ = data.main.name
| | Index __local3__ = data.main.name (matched 1 rule)
| | Enter data.main.name
| | | Eval true
| | | Eval __local2__ = input.metadata.name
| | | Exit data.main.name
| | Eval sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Eval msg = __local0__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local0__
| | Redo sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Redo __local3__ = data.main.name
| | Redo data.main.name
| | | Redo __local2__ = input.metadata.name
| | | Redo true
| | Redo data.kubernetes.is_deployment
| | Redo data.kubernetes.is_deployment
| | | Redo input.kind = "Deployment"
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Eval not data.main.labels
| | Enter data.main.labels
| | | Eval data.main.labels
| | | Index data.main.labels (matched 1 rule)
| | | Enter data.main.labels
| | | | Eval input.spec.selector.matchLabels.app
| | | | Eval input.spec.selector.matchLabels.release
| | | | Fail input.spec.selector.matchLabels.release
| | | | Redo input.spec.selector.matchLabels.app
| | | Fail data.main.labels
| | Eval __local4__ = data.main.name
| | Index __local4__ = data.main.name (matched 1 rule)
| | Eval sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Eval msg = __local1__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local1__
| | Redo sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Redo __local4__ = data.main.name
| | Redo data.kubernetes.is_deployment
| Exit data.main.deny = _
Redo data.main.deny = _
| Redo data.main.deny = _
Enter data.main.deny = _
| Eval data.main.deny = _
| Index data.main.deny = _ (matched 2 rules)
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Enter data.kubernetes.is_deployment
| | | Eval input.kind = "Deployment"
| | | Exit data.kubernetes.is_deployment
| | Eval not input.spec.template.spec.securityContext.runAsNonRoot = true
| | Enter input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Eval input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Fail input.spec.template.spec.securityContext.runAsNonRoot = true
| | Eval __local3__ = data.main.name
| | Index __local3__ = data.main.name (matched 1 rule)
| | Enter data.main.name
| | | Eval true
| | | Eval __local2__ = input.metadata.name
| | | Exit data.main.name
| | Eval sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Eval msg = __local0__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local0__
| | Redo sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Redo __local3__ = data.main.name
| | Redo data.main.name
| | | Redo __local2__ = input.metadata.name
| | | Redo true
| | Redo data.kubernetes.is_deployment
| | Redo data.kubernetes.is_deployment
| | | Redo input.kind = "Deployment"
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Eval not data.main.labels
| | Enter data.main.labels
| | | Eval data.main.labels
| | | Index data.main.labels (matched 1 rule)
| | | Enter data.main.labels
| | | | Eval input.spec.selector.matchLabels.app
| | | | Eval input.spec.selector.matchLabels.release
| | | | Fail input.spec.selector.matchLabels.release
| | | | Redo input.spec.selector.matchLabels.app
| | | Fail data.main.labels
| | Eval __local4__ = data.main.name
| | Index __local4__ = data.main.name (matched 1 rule)
| | Eval sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Eval msg = __local1__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local1__
| | Redo sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Redo __local4__ = data.main.name
| | Redo data.kubernetes.is_deployment
| Exit data.main.deny = _
Redo data.main.deny = _
| Redo data.main.deny = _
Containers must not run as root in Deployment hello-kubernetes
Deployment hello-kubernetes must provide app/release labels for pod selectors
Containers must not run as root in Deployment hello-kubernetes
Deployment hello-kubernetes must provide app/release labels for pod selectors
```
from conftest.
I have a fix. Ran out of time this evening I think to finish off, but wanted to post. Will finish up tomorrow and release a bug fix.
```go
// Imports added here for the snippet; the original comment posted only the two functions.
import (
	"context"
	"regexp"

	"github.com/open-policy-agent/opa/ast"
)

// getRules returns the distinct rule names, across all compiled modules,
// whose head matches re. A name is returned once even when several rules
// share it, so each query is run and its results reported once rather
// than once per rule definition.
func getRules(ctx context.Context, re *regexp.Regexp, compiler *ast.Compiler) []string {
	var res []string
	for _, m := range compiler.Modules {
		for _, r := range m.Rules {
			n := r.Head.Name.String()
			if re.MatchString(n) {
				// the same rule names can be used multiple times, but
				// we only want to run the query and report results once
				if !stringInSlice(n, res) {
					res = append(res, n)
				}
			}
		}
	}
	return res
}

// stringInSlice reports whether a is already present in list.
func stringInSlice(a string, list []string) bool {
	for _, b := range list {
		if b == a {
			return true
		}
	}
	return false
}
```
from conftest.
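To see why two `deny` bodies doubled every failure, here is an added model of the query collection before and after the dedup fix above. This is not conftest's code: a plain `Module` struct stands in for OPA's `*ast.Module`, and the module list is constructed to mirror the policies in this thread.

```go
package main

import (
	"fmt"
	"regexp"
)

// Module stands in for OPA's *ast.Module (not conftest's own type):
// only the package name and the rule head names matter here.
type Module struct {
	Package string
	Rules   []string // one entry per rule definition, in source order
}

// examplePolicy is constructed to mirror this thread: package main with
// two deny[msg] bodies, plus a helper package that is never queried.
func examplePolicy() []Module {
	return []Module{
		{Package: "main", Rules: []string{"deny", "deny"}},
		{Package: "kubernetes", Rules: []string{"is_deployment"}},
	}
}

// queries builds the conftest-style query for each rule head matching re.
// dedupe=false mimics the bug: a head defined twice yields two identical
// queries, so data.main.deny is evaluated twice and each failure prints
// twice. dedupe=true is the fix: every distinct query is returned once.
func queries(re *regexp.Regexp, modules []Module, dedupe bool) []string {
	seen := make(map[string]bool)
	var qs []string
	for _, m := range modules {
		for _, name := range m.Rules {
			if !re.MatchString(name) {
				continue
			}
			q := "data." + m.Package + "." + name
			if dedupe && seen[q] {
				continue
			}
			seen[q] = true
			qs = append(qs, q)
		}
	}
	return qs
}
func main() {
	re := regexp.MustCompile("^deny")
	fmt.Println("before fix:", queries(re, examplePolicy(), false)) // [data.main.deny data.main.deny]
	fmt.Println("after fix: ", queries(re, examplePolicy(), true))  // [data.main.deny]
}
```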
Sounds like a bug. Could you include an example and some output? Will look into.
from conftest.
Hi, I'm working with 0.9.0 and get a similar output.
I'm testing an OpenShift Route object using Helm:
```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    app: {{ .Chart.Name }}
  name: {{ .Chart.Name }}
spec:
  host: foobar
  tls:
    termination: Edge
  to:
    kind: Service
    name: {{ .Chart.Name }}
    weight: 100
  wildcardPolicy: None
```
My simple policy:
```rego
package main

deny[msg] {
  input.kind = "Route"
  name = input.metadata.name
  not input.spec.tls.termination
  msg = sprintf("%s/%s has to be secure", [input.kind, name])
}

deny[msg] {
  input.kind = "Route"
  name = input.metadata.name
  input.spec.host
  msg = sprintf("%s/%s can not contain the \"spec.host\" attribute", [input.kind, name])
}
```
Just the second policy should fail, the first is good, but the output is the following:
```
[user@rhel7 helm]$ helm template . | conftest test -
Route/infra-test can not contain the "spec.host" attribute
Route/infra-test can not contain the "spec.host" attribute
```
Once I delete the non-failing policy it works like it should:
```
[user@rhel7 helm]$ helm template . | conftest test -
Route/infra-test can not contain the "spec.host" attribute
```
from conftest.
My experience is similar to @mKamleiter's, though I hadn't yet made the connection about failing/passing policies. I think we're on to something here...
from conftest.
ah good catch @garethr! This looks good to me!
from conftest.
Awesome, thanks! I'll stand by to test against my policies.
from conftest.
Should now be fixed in master and I'm releasing a 0.9.1 with the fix. Let me know if that doesn't resolve your issue.
from conftest.
All good for me in 0.10.0. Thanks!
from conftest.