Merge pull request #3641 from Azure/yjst2012/ARO-8531

update guardrails protected namespaces list
Azure · Jul 2, 2024 · 2adcd63 · 2adcd63
2 parents 42daa82 + a100c61
commit 2adcd63
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 82 deletions.
diff --git a/...ntrollers/guardrails/policies/gktemplates-src/aro-deny-privileged-namespace/src_test.rego b/...ntrollers/guardrails/policies/gktemplates-src/aro-deny-privileged-namespace/src_test.rego
@@ -192,7 +192,7 @@ delete_pullsecret_with_userinfo(userinfo) = output {
   }
 }
 
-input_allowed_ns = "mytest"
+input_allowed_ns = "openshift-marketplace"
 
 input_disallowed_ns = "openshift-apiserver"
 

diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/library/common.rego
@@ -71,7 +71,6 @@ exempted_groups = {
   # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
   "system:masters" # system:admin
 }
-
 privileged_ns = {
   # Kubernetes specific namespaces
   "kube-node-lease",
@@ -92,13 +91,9 @@ privileged_ns = {
   "openshift-cloud-controller-manager",
   "openshift-cloud-controller-manager-operator",
   "openshift-cloud-credential-operator",
-  # "openshift-cluster-csi-drivers",
   "openshift-cluster-machine-approver",
-  "openshift-cluster-node-tuning-operator",
-  "openshift-cluster-samples-operator",
   "openshift-cluster-storage-operator",
   "openshift-cluster-version",
-  # "openshift-config",
   "openshift-config-managed",
   "openshift-config-operator",
   "openshift-console",
@@ -113,31 +108,35 @@ privileged_ns = {
   "openshift-host-network",
   "openshift-image-registry",
   "openshift-ingress",
-  "openshift-ingress-canary",
   "openshift-ingress-operator",
-  "openshift-insights",
-  "openshift-kni-infra",
   "openshift-kube-apiserver",
   "openshift-kube-apiserver-operator",
   "openshift-kube-controller-manager",
   "openshift-kube-controller-manager-operator",
   "openshift-kube-scheduler",
   "openshift-kube-scheduler-operator",
-  "openshift-kube-storage-version-migrator",
-  "openshift-kube-storage-version-migrator-operator",
   "openshift-machine-api",
   "openshift-machine-config-operator",
-  "openshift-marketplace",
   "openshift-monitoring",
   "openshift-multus",
-  "openshift-network-diagnostics",
   "openshift-network-operator",
   "openshift-oauth-apiserver",
-  "openshift-openstack-infra",
   "openshift-operators",
   "openshift-operator-lifecycle-manager",
-  "openshift-ovirt-infra",
-  "openshift-sdn",
   "openshift-service-ca",
-  "openshift-service-ca-operator"
-}
+  "openshift-service-ca-operator",
+  # "openshift-kube-storage-version-migrator",
+  # "openshift-kube-storage-version-migrator-operator",
+  # "openshift-network-diagnostics",
+  # "openshift-openstack-infra",
+  # "openshift-marketplace",
+  # "openshift-ingress-canary",
+  # "openshift-insights",
+  # "openshift-kni-infra",
+  # "openshift-cluster-csi-drivers",
+  # "openshift-cluster-node-tuning-operator",
+  # "openshift-cluster-samples-operator",
+  # "openshift-config",
+  # "openshift-ovirt-infra",
+  "openshift-sdn"
+}
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-delete-pull-secret.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-delete-pull-secret.yaml
@@ -99,7 +99,6 @@ spec:
             # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
             "system:masters" # system:admin
           }
-
           privileged_ns = {
             # Kubernetes specific namespaces
             "kube-node-lease",
@@ -120,13 +119,9 @@ spec:
             "openshift-cloud-controller-manager",
             "openshift-cloud-controller-manager-operator",
             "openshift-cloud-credential-operator",
-            # "openshift-cluster-csi-drivers",
             "openshift-cluster-machine-approver",
-            "openshift-cluster-node-tuning-operator",
-            "openshift-cluster-samples-operator",
             "openshift-cluster-storage-operator",
             "openshift-cluster-version",
-            # "openshift-config",
             "openshift-config-managed",
             "openshift-config-operator",
             "openshift-console",
@@ -141,31 +136,35 @@ spec:
             "openshift-host-network",
             "openshift-image-registry",
             "openshift-ingress",
-            "openshift-ingress-canary",
             "openshift-ingress-operator",
-            "openshift-insights",
-            "openshift-kni-infra",
             "openshift-kube-apiserver",
             "openshift-kube-apiserver-operator",
             "openshift-kube-controller-manager",
             "openshift-kube-controller-manager-operator",
             "openshift-kube-scheduler",
             "openshift-kube-scheduler-operator",
-            "openshift-kube-storage-version-migrator",
-            "openshift-kube-storage-version-migrator-operator",
             "openshift-machine-api",
             "openshift-machine-config-operator",
-            "openshift-marketplace",
             "openshift-monitoring",
             "openshift-multus",
-            "openshift-network-diagnostics",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
-            "openshift-openstack-infra",
             "openshift-operators",
             "openshift-operator-lifecycle-manager",
-            "openshift-ovirt-infra",
-            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator"
+            "openshift-service-ca-operator",
+            # "openshift-kube-storage-version-migrator",
+            # "openshift-kube-storage-version-migrator-operator",
+            # "openshift-network-diagnostics",
+            # "openshift-openstack-infra",
+            # "openshift-marketplace",
+            # "openshift-ingress-canary",
+            # "openshift-insights",
+            # "openshift-kni-infra",
+            # "openshift-cluster-csi-drivers",
+            # "openshift-cluster-node-tuning-operator",
+            # "openshift-cluster-samples-operator",
+            # "openshift-config",
+            # "openshift-ovirt-infra",
+            "openshift-sdn"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml
@@ -104,7 +104,6 @@ spec:
             # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
             "system:masters" # system:admin
           }
-
           privileged_ns = {
             # Kubernetes specific namespaces
             "kube-node-lease",
@@ -125,13 +124,9 @@ spec:
             "openshift-cloud-controller-manager",
             "openshift-cloud-controller-manager-operator",
             "openshift-cloud-credential-operator",
-            # "openshift-cluster-csi-drivers",
             "openshift-cluster-machine-approver",
-            "openshift-cluster-node-tuning-operator",
-            "openshift-cluster-samples-operator",
             "openshift-cluster-storage-operator",
             "openshift-cluster-version",
-            # "openshift-config",
             "openshift-config-managed",
             "openshift-config-operator",
             "openshift-console",
@@ -146,31 +141,35 @@ spec:
             "openshift-host-network",
             "openshift-image-registry",
             "openshift-ingress",
-            "openshift-ingress-canary",
             "openshift-ingress-operator",
-            "openshift-insights",
-            "openshift-kni-infra",
             "openshift-kube-apiserver",
             "openshift-kube-apiserver-operator",
             "openshift-kube-controller-manager",
             "openshift-kube-controller-manager-operator",
             "openshift-kube-scheduler",
             "openshift-kube-scheduler-operator",
-            "openshift-kube-storage-version-migrator",
-            "openshift-kube-storage-version-migrator-operator",
             "openshift-machine-api",
             "openshift-machine-config-operator",
-            "openshift-marketplace",
             "openshift-monitoring",
             "openshift-multus",
-            "openshift-network-diagnostics",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
-            "openshift-openstack-infra",
             "openshift-operators",
             "openshift-operator-lifecycle-manager",
-            "openshift-ovirt-infra",
-            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator"
+            "openshift-service-ca-operator",
+            # "openshift-kube-storage-version-migrator",
+            # "openshift-kube-storage-version-migrator-operator",
+            # "openshift-network-diagnostics",
+            # "openshift-openstack-infra",
+            # "openshift-marketplace",
+            # "openshift-ingress-canary",
+            # "openshift-insights",
+            # "openshift-kni-infra",
+            # "openshift-cluster-csi-drivers",
+            # "openshift-cluster-node-tuning-operator",
+            # "openshift-cluster-samples-operator",
+            # "openshift-config",
+            # "openshift-ovirt-infra",
+            "openshift-sdn"
           }
diff --git a/...erator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml b/...erator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
@@ -123,7 +123,6 @@ spec:
             # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
             "system:masters" # system:admin
           }
-
           privileged_ns = {
             # Kubernetes specific namespaces
             "kube-node-lease",
@@ -144,13 +143,9 @@ spec:
             "openshift-cloud-controller-manager",
             "openshift-cloud-controller-manager-operator",
             "openshift-cloud-credential-operator",
-            # "openshift-cluster-csi-drivers",
             "openshift-cluster-machine-approver",
-            "openshift-cluster-node-tuning-operator",
-            "openshift-cluster-samples-operator",
             "openshift-cluster-storage-operator",
             "openshift-cluster-version",
-            # "openshift-config",
             "openshift-config-managed",
             "openshift-config-operator",
             "openshift-console",
@@ -165,31 +160,35 @@ spec:
             "openshift-host-network",
             "openshift-image-registry",
             "openshift-ingress",
-            "openshift-ingress-canary",
             "openshift-ingress-operator",
-            "openshift-insights",
-            "openshift-kni-infra",
             "openshift-kube-apiserver",
             "openshift-kube-apiserver-operator",
             "openshift-kube-controller-manager",
             "openshift-kube-controller-manager-operator",
             "openshift-kube-scheduler",
             "openshift-kube-scheduler-operator",
-            "openshift-kube-storage-version-migrator",
-            "openshift-kube-storage-version-migrator-operator",
             "openshift-machine-api",
             "openshift-machine-config-operator",
-            "openshift-marketplace",
             "openshift-monitoring",
             "openshift-multus",
-            "openshift-network-diagnostics",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
-            "openshift-openstack-infra",
             "openshift-operators",
             "openshift-operator-lifecycle-manager",
-            "openshift-ovirt-infra",
-            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator"
+            "openshift-service-ca-operator",
+            # "openshift-kube-storage-version-migrator",
+            # "openshift-kube-storage-version-migrator-operator",
+            # "openshift-network-diagnostics",
+            # "openshift-openstack-infra",
+            # "openshift-marketplace",
+            # "openshift-ingress-canary",
+            # "openshift-insights",
+            # "openshift-kni-infra",
+            # "openshift-cluster-csi-drivers",
+            # "openshift-cluster-node-tuning-operator",
+            # "openshift-cluster-samples-operator",
+            # "openshift-config",
+            # "openshift-ovirt-infra",
+            "openshift-sdn"
           }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
@@ -121,7 +121,6 @@ spec:
             # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
             "system:masters" # system:admin
           }
-
           privileged_ns = {
             # Kubernetes specific namespaces
             "kube-node-lease",
@@ -142,13 +141,9 @@ spec:
             "openshift-cloud-controller-manager",
             "openshift-cloud-controller-manager-operator",
             "openshift-cloud-credential-operator",
-            # "openshift-cluster-csi-drivers",
             "openshift-cluster-machine-approver",
-            "openshift-cluster-node-tuning-operator",
-            "openshift-cluster-samples-operator",
             "openshift-cluster-storage-operator",
             "openshift-cluster-version",
-            # "openshift-config",
             "openshift-config-managed",
             "openshift-config-operator",
             "openshift-console",
@@ -163,31 +158,35 @@ spec:
             "openshift-host-network",
             "openshift-image-registry",
             "openshift-ingress",
-            "openshift-ingress-canary",
             "openshift-ingress-operator",
-            "openshift-insights",
-            "openshift-kni-infra",
             "openshift-kube-apiserver",
             "openshift-kube-apiserver-operator",
             "openshift-kube-controller-manager",
             "openshift-kube-controller-manager-operator",
             "openshift-kube-scheduler",
             "openshift-kube-scheduler-operator",
-            "openshift-kube-storage-version-migrator",
-            "openshift-kube-storage-version-migrator-operator",
             "openshift-machine-api",
             "openshift-machine-config-operator",
-            "openshift-marketplace",
             "openshift-monitoring",
             "openshift-multus",
-            "openshift-network-diagnostics",
             "openshift-network-operator",
             "openshift-oauth-apiserver",
-            "openshift-openstack-infra",
             "openshift-operators",
             "openshift-operator-lifecycle-manager",
-            "openshift-ovirt-infra",
-            "openshift-sdn",
             "openshift-service-ca",
-            "openshift-service-ca-operator"
+            "openshift-service-ca-operator",
+            # "openshift-kube-storage-version-migrator",
+            # "openshift-kube-storage-version-migrator-operator",
+            # "openshift-network-diagnostics",
+            # "openshift-openstack-infra",
+            # "openshift-marketplace",
+            # "openshift-ingress-canary",
+            # "openshift-insights",
+            # "openshift-kni-infra",
+            # "openshift-cluster-csi-drivers",
+            # "openshift-cluster-node-tuning-operator",
+            # "openshift-cluster-samples-operator",
+            # "openshift-config",
+            # "openshift-ovirt-infra",
+            "openshift-sdn"
           }