kubewarden/audit-scanner

audit-scanner: Check ObjectSelector/LabelSelector

Closed this issue · 3 comments

Per RFC, before running the audit scan of a Policy against a Resource, we should check that the Resource passes the evaluation against the policy spec.ObjectSelector.

Acceptance criteria

Evaluate the Policy spec.ObjectSelector against the resource under audit. If it ends up being skipped, skip the resource from auditing.
We have unit tests
We have integration tests if needed

jvanz commented

I think this change is not required anymore. Considering that we use the resource's objectReference to check if we can reuse the previous result, I believe that this objectSelector check is not necessary anymore, because if any change to the resource happens, the objectReference, which includes the resource's resourceVersion, will not match. Thus, a new evaluation will be performed. Otherwise, the old result will be reused.

What do you think @kubewarden/kubewarden-developers ?

I think this change is still needed for behaviour parity with normal policy evaluations. We need to check that the policy indeed applies to the resource because of the spec.ObjectSelector. For example, a ClusterAdmissionPolicy can specify the ObjectSelector so only resources that have a label prod are evaluated, and that is orthogonal to checking the objectReference resourceVersion or the policy resourceVersion.

jvanz commented

Thinking more about this, I agree. We need to consider the ObjectSelector to evaluate the resources. However, I think we can use it in a different place. Instead of using it to decide whether or not to skip the evaluation, we can use it to fetch only the relevant resources. The list method allows us to define some options to filter resources. This makes more sense to me, because we avoid iterating over a bunch of resources that should not be evaluated anyway.
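The two placements discussed in this thread (skip the resource at evaluation time, or filter at list time), as an added example that is not audit-scanner's own code: a pure-Go stand-in for the policy's spec.objectSelector that can either decide whether the resource under audit is skipped (Matches) or be rendered into the label-selector string a List call accepts (ListSelector). In the real scanner both come from metav1.LabelSelectorAsSelector in apimachinery; the Requirement and ObjectSelector types and the label maps here are constructed stand-ins so the example runs without the Kubernetes modules.

```go
package main

import (
	"slices"
	"strings"
)

// Requirement is a hypothetical stand-in for metav1.LabelSelectorRequirement; a
// matchLabels entry {k: v} is equivalent to {Key: k, Operator: "In", Values: [v]}.
type Requirement struct {
	Key, Operator string // In, NotIn, Exists, DoesNotExist
	Values        []string
}

type ObjectSelector []Requirement // stand-in for the policy's spec.objectSelector

// Matches is the "skip at evaluation" option: the resource under audit is
// evaluated only if every requirement holds. Each case is one way a requirement
// is satisfied; anything else, including an unknown operator, rejects (fail closed).
func (s ObjectSelector) Matches(labels map[string]string) bool {
	for _, r := range s {
		got, ok := labels[r.Key]
		switch {
		case r.Operator == "Exists" && ok, r.Operator == "DoesNotExist" && !ok:
		case r.Operator == "In" && ok && slices.Contains(r.Values, got):
		case r.Operator == "NotIn" && (!ok || !slices.Contains(r.Values, got)):
		default:
			return false
		}
	}
	return true
}

// ListSelector is the "filter at list time" option: the same selector in the
// label-selector syntax a List call accepts, so only candidate objects are returned.
func (s ObjectSelector) ListSelector() string {
	var terms []string
	for _, r := range s {
		switch r.Operator {
		case "Exists":
			terms = append(terms, r.Key)
		case "DoesNotExist":
			terms = append(terms, "!"+r.Key)
		case "In", "NotIn": // "key in (a,b)" / "key notin (a,b)"
			terms = append(terms, r.Key+" "+strings.ToLower(r.Operator)+" ("+strings.Join(r.Values, ",")+")")
		}
	}
	return strings.Join(terms, ",")
}
```

Filtering at list time still benefits from a Matches check on the returned objects, since a selector term the renderer does not understand is dropped from the filter but rejected by Matches.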