
Comments (9)

garethr commented on May 29, 2024

Confirmed, I think this is an unintended side effect of #34.

Adding an additional deny causes the failures to duplicate.

Pinging @brendanjryan in case the fix is obvious. Otherwise I'll try and grab some time to look at this tomorrow as well.

You might be able to see the problem in the trace I think; run `conftest test --trace`, for example:

A sample trace:

```
deployment.yaml
Enter data.main.deny = _
| Eval data.main.deny = _
| Index data.main.deny = _ (matched 2 rules)
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Enter data.kubernetes.is_deployment
| | | Eval input.kind = "Deployment"
| | | Exit data.kubernetes.is_deployment
| | Eval not input.spec.template.spec.securityContext.runAsNonRoot = true
| | Enter input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Eval input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Fail input.spec.template.spec.securityContext.runAsNonRoot = true
| | Eval __local3__ = data.main.name
| | Index __local3__ = data.main.name (matched 1 rule)
| | Enter data.main.name
| | | Eval true
| | | Eval __local2__ = input.metadata.name
| | | Exit data.main.name
| | Eval sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Eval msg = __local0__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local0__
| | Redo sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Redo __local3__ = data.main.name
| | Redo data.main.name
| | | Redo __local2__ = input.metadata.name
| | | Redo true
| | Redo data.kubernetes.is_deployment
| | Redo data.kubernetes.is_deployment
| | | Redo input.kind = "Deployment"
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Eval not data.main.labels
| | Enter data.main.labels
| | | Eval data.main.labels
| | | Index data.main.labels (matched 1 rule)
| | | Enter data.main.labels
| | | | Eval input.spec.selector.matchLabels.app
| | | | Eval input.spec.selector.matchLabels.release
| | | | Fail input.spec.selector.matchLabels.release
| | | | Redo input.spec.selector.matchLabels.app
| | | Fail data.main.labels
| | Eval __local4__ = data.main.name
| | Index __local4__ = data.main.name (matched 1 rule)
| | Eval sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Eval msg = __local1__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local1__
| | Redo sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Redo __local4__ = data.main.name
| | Redo data.kubernetes.is_deployment
| Exit data.main.deny = _
Redo data.main.deny = _
| Redo data.main.deny = _
Enter data.main.deny = _
| Eval data.main.deny = _
| Index data.main.deny = _ (matched 2 rules)
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Enter data.kubernetes.is_deployment
| | | Eval input.kind = "Deployment"
| | | Exit data.kubernetes.is_deployment
| | Eval not input.spec.template.spec.securityContext.runAsNonRoot = true
| | Enter input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Eval input.spec.template.spec.securityContext.runAsNonRoot = true
| | | Fail input.spec.template.spec.securityContext.runAsNonRoot = true
| | Eval __local3__ = data.main.name
| | Index __local3__ = data.main.name (matched 1 rule)
| | Enter data.main.name
| | | Eval true
| | | Eval __local2__ = input.metadata.name
| | | Exit data.main.name
| | Eval sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Eval msg = __local0__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local0__
| | Redo sprintf("Containers must not run as root in Deployment %s", [__local3__], __local0__)
| | Redo __local3__ = data.main.name
| | Redo data.main.name
| | | Redo __local2__ = input.metadata.name
| | | Redo true
| | Redo data.kubernetes.is_deployment
| | Redo data.kubernetes.is_deployment
| | | Redo input.kind = "Deployment"
| Enter data.main.deny
| | Eval data.kubernetes.is_deployment
| | Index data.kubernetes.is_deployment (matched 1 rule)
| | Eval not data.main.labels
| | Enter data.main.labels
| | | Eval data.main.labels
| | | Index data.main.labels (matched 1 rule)
| | | Enter data.main.labels
| | | | Eval input.spec.selector.matchLabels.app
| | | | Eval input.spec.selector.matchLabels.release
| | | | Fail input.spec.selector.matchLabels.release
| | | | Redo input.spec.selector.matchLabels.app
| | | Fail data.main.labels
| | Eval __local4__ = data.main.name
| | Index __local4__ = data.main.name (matched 1 rule)
| | Eval sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Eval msg = __local1__
| | Exit data.main.deny
| Redo data.main.deny
| | Redo msg = __local1__
| | Redo sprintf("Deployment %s must provide app/release labels for pod selectors", [__local4__], __local1__)
| | Redo __local4__ = data.main.name
| | Redo data.kubernetes.is_deployment
| Exit data.main.deny = _
Redo data.main.deny = _
| Redo data.main.deny = _
Containers must not run as root in Deployment hello-kubernetes
Deployment hello-kubernetes must provide app/release labels for pod selectors
Containers must not run as root in Deployment hello-kubernetes
Deployment hello-kubernetes must provide app/release labels for pod selectors
```

from conftest.

garethr commented on May 29, 2024

I have a fix. Ran out of time this evening I think to finish off, but wanted to post. Will finish up tomorrow and release a bug fix.

```go
package main

import (
	"context"
	"regexp"

	"github.com/open-policy-agent/opa/ast"
)

// getRules returns the names of all compiled rule heads matching re,
// each name at most once.
func getRules(ctx context.Context, re *regexp.Regexp, compiler *ast.Compiler) []string {
	var res []string

	for _, m := range compiler.Modules {
		for _, r := range m.Rules {
			n := r.Head.Name.String()
			if re.MatchString(n) {
				// the same rule names can be used multiple times, but
				// we only want to run the query and report results once
				if !stringInSlice(n, res) {
					res = append(res, n)
				}
			}
		}
	}

	return res
}

// stringInSlice reports whether a is already present in list.
func stringInSlice(a string, list []string) bool {
	for _, b := range list {
		if b == a {
			return true
		}
	}
	return false
}
```

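To make the effect of that deduplication visible without a full OPA build, here is an added Go example (not conftest's own code) that models the collect-then-query loop. `Rule`, `Module`, `evalQuery` and `samplePolicy` are hypothetical stand-ins constructed for this illustration: a partial set rule such as `deny[msg]` evaluates to the union of all its bodies' results, so running the query once per rule head rather than once per distinct name prints every failure as many times as there are bodies.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule and Module are hypothetical stand-ins for OPA's ast.Rule and
// ast.Module; they carry only the rule head name, which is all this
// demonstration needs. They are constructed here, not taken from conftest.
type Rule struct{ Name string }
type Module struct{ Rules []Rule }

// ruleNames collects the head names matching re across all modules.
// With dedup=false it behaves like the pre-fix loop (one entry per rule
// body, so "deny" appears twice when two deny[msg] bodies exist); with
// dedup=true each name is kept once, which is what the fix does.
func ruleNames(modules []Module, re *regexp.Regexp, dedup bool) []string {
	var names []string
	seen := map[string]bool{}
	for _, m := range modules {
		for _, r := range m.Rules {
			if !re.MatchString(r.Name) {
				continue
			}
			if dedup && seen[r.Name] {
				continue
			}
			seen[r.Name] = true
			names = append(names, r.Name)
		}
	}
	return names
}

// evalQuery stands in for evaluating "data.main.<name>" with OPA. A partial
// set rule such as deny[msg] yields the union of all its bodies' results
// however many bodies define it, so this fake evaluator is keyed by rule
// name only. The message is constructed to mirror the Route report in this
// thread, where only the spec.host body fires.
func evalQuery(name string) []string {
	results := map[string][]string{
		"deny": {`Route/infra-test can not contain the "spec.host" attribute`},
		"warn": {},
	}
	return results[name]
}

// reportFailures is the loop whose output was duplicated: it runs the query
// once for every collected name and gathers the messages.
func reportFailures(modules []Module, re *regexp.Regexp, dedup bool) []string {
	var out []string
	for _, name := range ruleNames(modules, re, dedup) {
		out = append(out, evalQuery(name)...)
	}
	return out
}

// samplePolicy has the shape of the Route policy in this thread: two
// deny[msg] bodies in one package, plus a warn rule that the deny regexp
// must not pick up.
func samplePolicy() []Module {
	return []Module{{Rules: []Rule{{Name: "deny"}, {Name: "deny"}, {Name: "warn"}}}}
}

func main() {
	re := regexp.MustCompile("^deny")
	for _, dedup := range []bool{false, true} {
		msgs := reportFailures(samplePolicy(), re, dedup)
		fmt.Printf("dedup=%v: %d failure line(s)\n", dedup, len(msgs))
		for _, m := range msgs {
			fmt.Println("   " + m)
		}
	}
}
```

Running it prints the single spec.host failure twice with `dedup=false` and once with `dedup=true`, which is exactly the before/after behaviour reported for 0.9.0 and 0.9.1. A map-backed set is used here instead of a linear `stringInSlice` scan; either is fine for the handful of rule names a policy directory contains.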

garethr commented on May 29, 2024

Sounds like a bug. Could you include an example and some output? Will look into.


mKamleiter commented on May 29, 2024

Hi, I'm working with 0.9.0 and get similar output.
I'm testing an OpenShift Route object using Helm:

```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  labels:
    app: {{ .Chart.Name }}
  name: {{ .Chart.Name }}
spec:
  host: foobar
  tls:
    termination: Edge
  to:
    kind: Service
    name: {{ .Chart.Name }}
    weight: 100
  wildcardPolicy: None
```

My simple policy:

```rego
package main

deny[msg] {
  input.kind = "Route"
  name = input.metadata.name
  not input.spec.tls.termination
  msg = sprintf("%s/%s has to be secure", [input.kind,name])
}

deny[msg] {
  input.kind = "Route"
  name = input.metadata.name
  input.spec.host
  msg = sprintf("%s/%s can not contain the \"spec.host\" attribute", [input.kind,name])
}
```

Just the second policy should fail, the first is good, but the output is the following:

```
[user@rhel7 helm]$ helm template . | conftest test -
   Route/infra-test can not contain the "spec.host" attribute
   Route/infra-test can not contain the "spec.host" attribute
```

Once I delete the policy that is not failing, it works like it should:

```
[user@rhel7 helm]$ helm template . | conftest test -
   Route/infra-test can not contain the "spec.host" attribute
```


yurrriq commented on May 29, 2024

My experience is similar to @mKamleiter's, though I hadn't yet made the connection about failing/passing policies. I think we're on to something here...


brendanjryan commented on May 29, 2024

ah good catch @garethr! This looks good to me!


yurrriq commented on May 29, 2024

Awesome, thanks! I'll stand by to test against my policies.


garethr commented on May 29, 2024

Should now be fixed in master and I'm releasing a 0.9.1 with the fix. Let me know if that doesn't resolve your issue.


yurrriq commented on May 29, 2024

All good for me in 0.10.0. Thanks!
