fix: add the resource name to the SubjectAccessReview #10221

Open
wants to merge 1 commit into
base: main

MariamFahmy98
Collaborator

Explanation

This PR passes the resource name, if it exists, to the SubjectAccessReview. If it is empty, it means all.

Related issue

Closes #10198

Milestone of this PR

/milestone 1.12.2

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

  1. Create the following clusterrole that allows the deletion of a secret called test-secret:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  name: kyverno:cleanup-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - test-secret
  verbs:
  - list
  - delete
```

  2. Create the following policy:

```yaml
apiVersion: kyverno.io/v2beta1
kind: CleanupPolicy
metadata:
  name: test-secret-removal
spec:
  match:
    any:
    - resources:
        kinds:
        - Secret
        names:
        - test-secret
  schedule: "*/10 * * * *"
```

The policy is successfully created.

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
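
Why the resource name matters for this check, as an added example that is not Kyverno's code: a simplified, stdlib-only model of how an RBAC rule with `resourceNames` is evaluated against the attributes of a SubjectAccessReview. The types `Rule` and `Attrs` and the functions `Allowed` and `CleanupSecrets` are hypothetical stand-ins for the Kubernetes API types; the rule values are the ones from the ClusterRole above.

```go
package main

import "fmt"

// Rule is a hypothetical stand-in for an RBAC PolicyRule.
type Rule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

// Attrs is a hypothetical stand-in for SubjectAccessReview resource attributes.
// An empty Name means "all resources of this type".
type Attrs struct {
	Group, Resource, Name, Verb string
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// matches applies the "*" wildcard that RBAC allows for groups, resources and verbs.
func matches(list []string, v string) bool {
	return contains(list, "*") || contains(list, v)
}

// Allowed reports whether any rule grants the request. A rule without
// resourceNames covers every name; a rule with resourceNames covers only the
// listed names, so a request with an empty name is never granted by it.
func Allowed(rules []Rule, a Attrs) bool {
	for _, r := range rules {
		nameOK := len(r.ResourceNames) == 0 || contains(r.ResourceNames, a.Name)
		if matches(r.APIGroups, a.Group) && matches(r.Resources, a.Resource) &&
			matches(r.Verbs, a.Verb) && nameOK {
			return true
		}
	}
	return false
}

// CleanupSecrets returns the rule from the kyverno:cleanup-secrets ClusterRole above.
func CleanupSecrets() []Rule {
	return []Rule{{APIGroups: []string{""}, Resources: []string{"secrets"},
		ResourceNames: []string{"test-secret"}, Verbs: []string{"list", "delete"}}}
}

func main() {
	r := CleanupSecrets()
	fmt.Println(Allowed(r, Attrs{Resource: "secrets", Verb: "delete"}))                      // no name: denied
	fmt.Println(Allowed(r, Attrs{Resource: "secrets", Verb: "delete", Name: "test-secret"})) // named: allowed
}
```

A review that omits the name asks for delete on every Secret, which a role scoped by `resourceNames` cannot satisfy; the same review with the name set is answered against the scoped rule.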

codecov bot commented May 10, 2024

Codecov Report

Attention: Patch coverage is 11.36364% with 39 lines in your changes missing coverage. Please review.

Project coverage is 10.15%. Comparing base (900bf48) to head (fc39bae).
Report is 32 commits behind head on main.

| Files | Patch % | Lines |
|---|---|---|
| pkg/validation/cleanuppolicy/validate.go | 0.00% | 26 Missing ⚠️ |
| api/kyverno/v2beta1/match_resources_types.go | 0.00% | 5 Missing ⚠️ |
| pkg/policy/auth/auth.go | 0.00% | 4 Missing ⚠️ |
| pkg/auth/checker/self.go | 0.00% | 2 Missing ⚠️ |
| pkg/auth/checker/helpers.go | 0.00% | 1 Missing ⚠️ |
| pkg/engine/adapters/dclient.go | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #10221      +/-   ##
==========================================
- Coverage   10.15%   10.15%   -0.01%     
==========================================
  Files        1030     1030              
  Lines       91816    91836      +20     
==========================================
+ Hits         9327     9329       +2     
- Misses      81470    81488      +18     
  Partials     1019     1019              


Successfully merging this pull request may close these issues.

[Bug] Creation of CleanupPolicy to delete specific Secret fails due to admission webhook RBAC error
2 participants