Azure · yjst2012 · Mar 9, 2023 · Mar 9, 2023 · Mar 9, 2023 · Mar 9, 2023
diff --git a/...src/aro-deny-master-toleration-taints/gator-test/allowed_create_pod_in_privileged_ns.yaml b/...src/aro-deny-master-toleration-taints/gator-test/allowed_create_pod_in_privileged_ns.yaml
@@ -0,0 +1,48 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: f700ab7f-8f42-45ff-83f5-782c739806d9
+  kind:
+    group: ''
+    version: v1
+    kind: Pod
+  resource:
+    group: ''
+    version: v1
+    resource: pods
+  requestKind:
+    group: ''
+    version: v1
+    kind: Pod
+  requestResource:
+    group: ''
+    version: v1
+    resource: pods
+  name: my-pod
+  namespace: openshift-dns
+  operation: CREATE
+  userInfo:
+    username: kube-review
+    uid: 45884572-1cab-49e5-be4c-1d2eb0299773
+  object:
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: my-pod
+      namespace: openshift-dns
+      creationTimestamp:
+    spec:
+      containers:
+      - name: my-container
+        image: nginx
+        resources: {}
+      tolerations:
+      - key: node-role.kubernetes.io/master=
+        operator: Exists
+        effect: NoSchedule
+    status: {}
+  oldObject:
+  dryRun: true
+  options:
+    kind: CreateOptions
+    apiVersion: meta.k8s.io/v1
diff --git a/...not_allowed_pod_in_non_privledged_ns.yaml → ...owed_delete_pod_in_non_privileged_ns.yaml b/...not_allowed_pod_in_non_privledged_ns.yaml → ...owed_delete_pod_in_non_privileged_ns.yaml
@@ -19,11 +19,11 @@ request:
     version: v1
     resource: pods
   name: demo-pod
-  operation: CREATE
+  operation: DELETE
   userInfo:
     username: kube-review
     uid: eede9e7b-1854-4635-b5c0-029598ec6865
-  object:
+  oldObject:
     kind: Pod
     apiVersion: v1
     metadata:
@@ -40,7 +40,6 @@ request:
         operator: Exists
         effect: NoSchedule
     status: {}
-  oldObject:
   options:
     kind: CreateOptions
     apiVersion: meta.k8s.io/v1
diff --git a/...deny-master-toleration-taints/gator-test/not_allowed_create_pod_in_non_privileged_ns.yaml b/...deny-master-toleration-taints/gator-test/not_allowed_create_pod_in_non_privileged_ns.yaml
@@ -0,0 +1,46 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: 46cf42b9-c413-4e04-ab23-777dac840bf5
+  kind:
+    group: ''
+    version: v1
+    kind: Pod
+  resource:
+    group: ''
+    version: v1
+    resource: pods
+  requestKind:
+    group: ''
+    version: v1
+    kind: Pod
+  requestResource:
+    group: ''
+    version: v1
+    resource: pods
+  name: demo-pod
+  operation: CREATE
+  userInfo:
+    username: kube-review
+    uid: eede9e7b-1854-4635-b5c0-029598ec6865
+  object:
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: demo-pod
+      namespace: customer-namespace
+      creationTimestamp:
+    spec:
+      containers:
+      - name: demo-container
+        image: nginx
+        resources: {}
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane=
+        operator: Exists
+        effect: NoSchedule
+    status: {}
+  oldObject:
+  options:
+    kind: CreateOptions
+    apiVersion: meta.k8s.io/v1
diff --git a/...deny-master-toleration-taints/gator-test/not_allowed_update_pod_in_non_privileged_ns.yaml b/...deny-master-toleration-taints/gator-test/not_allowed_update_pod_in_non_privileged_ns.yaml
@@ -0,0 +1,55 @@
+kind: AdmissionReview
+apiVersion: admission.k8s.io/v1
+request:
+  uid: 46cf42b9-c413-4e04-ab23-777dac840bf5
+  kind:
+    group: ''
+    version: v1
+    kind: Pod
+  resource:
+    group: ''
+    version: v1
+    resource: pods
+  requestKind:
+    group: ''
+    version: v1
+    kind: Pod
+  requestResource:
+    group: ''
+    version: v1
+    resource: pods
+  name: demo-pod
+  operation: UPDATE
+  userInfo:
+    username: kube-review
+    uid: eede9e7b-1854-4635-b5c0-029598ec6865
+  object:
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: demo-pod
+      namespace: customer-namespace
+      creationTimestamp:
+    spec:
+      containers:
+      - name: demo-container
+        image: nginx
+        resources: {}
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+    status: {}
+  oldObject:
+    kind: Pod
+    apiVersion: v1
+    metadata:
+      name: demo-pod
+      namespace: customer-namespace
+    spec:
+      containers:
+        - name: demo-container
+          image: nginx
+  options:
+    kind: CreateOptions
+    apiVersion: meta.k8s.io/v1
diff --git a/...ontrollers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src.rego b/...ontrollers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src.rego
@@ -1,6 +1,7 @@
 package arodenymastertolerationtaints
 
 import future.keywords.in
+import future.keywords.contains
 import data.lib.common.is_priv_namespace
 
 violation[{"msg": msg}] {
@@ -14,7 +15,16 @@ violation[{"msg": msg}] {
     # Check if pod object has master toleration taints
     tolerations := input.review.object.spec.tolerations
     some toleration in tolerations
-    toleration.key in ["node-role.kubernetes.io/master", "node-role.kubernetes.io/control-plane"]
+    is_master_toleration(toleration.key)
 
     msg := "Create or update resources to have master toleration taints is not allowed in non-privileged namespaces"
-}
+}
+
+
+is_master_toleration(toleration_key){
+    contains(toleration_key,"node-role.kubernetes.io/master")
+}
+
+is_master_toleration(toleration_key){
+    contains(toleration_key,"node-role.kubernetes.io/control-plane")
+}
diff --git a/...llers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src_test.rego b/...llers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src_test.rego
@@ -3,7 +3,7 @@ package arodenymastertolerationtaints
 
 test_input_allowed_in_privileged_ns_with_master_taint {
     input := { 
-        "review": fake_input_review("openshift-config", "CREATE", "node-role.kubernetes.io/worker", "node-role.kubernetes.io/master")
+        "review": fake_input_review("openshift-config", "CREATE", "node-role.kubernetes.io/worker", "node-role.kubernetes.io/master=")
     }
     results := violation with input as input
     count(results) == 0
@@ -19,15 +19,15 @@ test_input_allowed_in_nonprivileged_ns_with_no_master_taint {
 
 test_input_allowed_in_nonprivileged_ns_with_delete_operation {
     input := { 
-        "review": fake_input_review("customer", "DELETE", "node-role.kubernetes.io/worker", "node-role.kubernetes.io/control-plane")
+        "review": fake_input_review("customer", "DELETE", "node-role.kubernetes.io/worker", "node-role.kubernetes.io/control-plane=")
     }
     results := violation with input as input
     count(results) == 0
 }
 
 test_input_not_allowed_in_nonprivileged_ns_with_create_operation {
     input := { 
-        "review": fake_input_review("customer", "CREATE", "node-role.kubernetes.io/worker", "node-role.kubernetes.io/master")
+        "review": fake_input_review("customer", "CREATE", "node-role.kubernetes.io/worker", "node-role.kubernetes.io/master=")
     }
     results := violation with input as input
     count(results) == 1

diff --git a/...trollers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/suite.yaml b/...trollers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/suite.yaml
@@ -7,7 +7,19 @@ tests:
   template: ../../gktemplates/aro-deny-master-toleration-taints.yaml
   constraint: ../../gkconstraints-test/aro-master-toleration-pod-deny.yaml
   cases:
-  - name: not-allowed-in-nonprivileged-namespaces
-    object: gator-test/not_allowed_pod_in_non_privledged_ns.yaml
+  - name: create-not-allowed-in-nonprivileged-namespaces
+    object: gator-test/not_allowed_create_pod_in_non_privileged_ns.yaml
     assertions:
     - violations: yes
+  - name: create-allowed-in-privileged-namespaces
+    object: gator-test/allowed_create_pod_in_privileged_ns.yaml
+    assertions:
+    - violations: no
+  - name: update-not-allowed-in-nonprivileged-namespaces
+    object: gator-test/not_allowed_update_pod_in_non_privileged_ns.yaml
+    assertions:
+    - violations: yes
+  - name: deletion-allowed-in-nonprivileged-namespaces
+    object: gator-test/allowed_delete_pod_in_non_privileged_ns.yaml
+    assertions:
+    - violations: no
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-labels.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-labels.yaml
@@ -37,13 +37,7 @@ spec:
     - target: admission.k8s.gatekeeper.sh
       rego: |
         package arodenylabels
-        get_message(parameters, _default) = msg {
-          not parameters.message
-          msg := _default
-        }
-        get_message(parameters, _default) = msg {
-          msg := parameters.message
-        }
+
         violation[{"msg": msg}] {
           input.review.operation == "DELETE"
           label_value := input.review.object.metadata.labels[key]
@@ -55,3 +49,12 @@ spec:
           def_msg := sprintf("Operation not allowed. Label <%v: %v> matches deny regex: <%v>", [key, label_value, deny_regex])
           msg := get_message(input.parameters, def_msg)
         }
+
+        get_message(parameters, _default) = msg {
+          not parameters.message
+          msg := _default
+        }
+
+        get_message(parameters, _default) = msg {
+          msg := parameters.message
+        }
diff --git a/...erator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml b/...erator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
@@ -17,6 +17,7 @@ spec:
         package arodenymastertolerationtaints
 
         import future.keywords.in
+        import future.keywords.contains
         import data.lib.common.is_priv_namespace
 
         violation[{"msg": msg}] {
@@ -30,14 +31,25 @@ spec:
             # Check if pod object has master toleration taints
             tolerations := input.review.object.spec.tolerations
             some toleration in tolerations
-            toleration.key in ["node-role.kubernetes.io/master", "node-role.kubernetes.io/control-plane"]
+            is_master_toleration(toleration.key)
 
             msg := "Create or update resources to have master toleration taints is not allowed in non-privileged namespaces"
         }
+
+
+        is_master_toleration(toleration_key){
+            contains(toleration_key,"node-role.kubernetes.io/master")
+        }
+
+        is_master_toleration(toleration_key){
+            contains(toleration_key,"node-role.kubernetes.io/control-plane")
+        }
       libs:
         - |
           package lib.common
 
+          # shared structures, functions, etc.
+
           is_priv_namespace(ns) {
             privileged_ns[ns]
           }

diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
@@ -7,7 +7,6 @@ metadata:
     metadata.gatekeeper.sh/version: 1.0.0
     description: >-
       Disallows creating, updating or deleting resources in privileged namespaces.
-      including, ["^kube.*|^openshift.*|^default$|^redhat.*|^com$|^io$|^in$"]
 spec:
   crd:
     spec:
@@ -19,7 +18,6 @@ spec:
           type: object
           description: >-
             Disallows creating, updating or deleting resources in privileged namespaces.
-            including, ["^kube.*|^openshift.*|^default$|^redhat.*|^com$|^io$|^in$"]
   targets:
     - target: admission.k8s.gatekeeper.sh
       rego: |
@@ -40,6 +38,8 @@ spec:
         - |
           package lib.common
 
+          # shared structures, functions, etc.
+
           is_priv_namespace(ns) {
             privileged_ns[ns]
           }