open-policy-agent/gatekeeper-library

Instance of k8sdisallowanonymous with no parameters yields no violations

Closed this issue · 1 comments

With this template and the following constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: avoid-system-bindings
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]

The following object does not generate a violation in my suite.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: test-crole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated

If I then update the constraint to have an empty allowedRoles:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowAnonymous
metadata:
  name: avoid-system-bindings
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["RoleBinding"]
  parameters:
    allowedRoles: []

It generates a violation. This should be a no-op, so it seems like the logic in the template has a bug.

@julianKatz Taking a super quick look:

  • Probably input.parameters.allowedRoles needs to be retrieved using object.get() to avoid being undefined (the template schema does not require allowedRoles).
  • Should also add a test case for omitted allowedRoles.
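The two behaviours in this thread side by side in Rego, as an added example (package, rule and helper names are assumed and this is not the library's own template; the subject name and binding kinds match the YAML in the issue). The first rule assigns `input.parameters.allowedRoles` directly: when the constraint has no `parameters`, that reference is undefined, the assignment is undefined, and so the whole rule body is undefined and no violation is ever produced. The second rule reads the parameter through `object.get()` with a default, so an omitted `allowedRoles` behaves exactly like `allowedRoles: []`.

```rego
package k8sdisallowanonymous_example

# Group names Kubernetes assigns to callers that did not authenticate.
anonymous_subjects := {"system:unauthenticated", "system:anonymous"}

is_binding(kind) { kind == "ClusterRoleBinding" }
is_binding(kind) { kind == "RoleBinding" }

# Helper: does the list of allowed role names contain this roleRef?
role_allowed(allowed, role) {
  allowed[_] == role
}

# --- Buggy form ---------------------------------------------------------
# With a constraint that omits `parameters`, `input.parameters.allowedRoles`
# is undefined. An undefined assignment makes the entire rule body undefined,
# so this rule yields no violation for any binding at all. Note that `not`
# on the following line never gets a chance to rescue it: evaluation already
# stopped at the assignment.
violation_buggy[{"msg": msg}] {
  is_binding(input.review.object.kind)
  subject := input.review.object.subjects[_]
  anonymous_subjects[subject.name]
  allowed := input.parameters.allowedRoles    # undefined when parameters is omitted
  role := input.review.object.roleRef.name
  not role_allowed(allowed, role)
  msg := sprintf("%v %v binds anonymous subject %v to role %v",
    [input.review.object.kind, input.review.object.metadata.name, subject.name, role])
}

# --- Fixed form ---------------------------------------------------------
# object.get() returns the default when the key is absent. The lookup is
# nested so that both a missing `parameters` block and a missing
# `allowedRoles` key collapse to an empty list instead of to undefined.
violation_fixed[{"msg": msg}] {
  is_binding(input.review.object.kind)
  subject := input.review.object.subjects[_]
  anonymous_subjects[subject.name]
  params := object.get(input, "parameters", {})
  allowed := object.get(params, "allowedRoles", [])
  role := input.review.object.roleRef.name
  not role_allowed(allowed, role)
  msg := sprintf("%v %v binds anonymous subject %v to role %v",
    [input.review.object.kind, input.review.object.metadata.name, subject.name, role])
}
```

To reproduce the issue locally, put the ClusterRoleBinding from the issue under `review.object` in an input document with no `parameters` key and evaluate both rules, for example with `opa eval -d policy.rego -i input.json 'data.k8sdisallowanonymous_example.violation_buggy'` and the same command for `violation_fixed`: the buggy rule returns an empty set while the fixed one reports the `system:unauthenticated` binding to `test-crole`. Adding `"parameters": {"allowedRoles": []}` to the input makes both rules agree, which is the behaviour the issue describes, and adding `"allowedRoles": ["test-crole"]` silences both. That pair of inputs is also the test case the comment asks for.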