
fix: add the resource name to the SubjectAccessReview

Open MariamFahmy98 opened this issue 9 months ago • 1 comments

Explanation

This PR passes the resource name, if it exists, to the SubjectAccessReview. If it is empty, it means all.

Related issue

Closes #10198

Milestone of this PR

/milestone 1.12.2

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

  1. Create the following clusterrole that allows the deletion of a secret called test-secret:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: cleanup-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
  name: kyverno:cleanup-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - test-secret
  verbs:
  - list
  - delete
  2. Create the following policy:
apiVersion: kyverno.io/v2beta1
kind: CleanupPolicy
metadata:
  name: test-secret-removal
spec:
  match:
    any:
    - resources:
        kinds:
        - Secret
        names:
        - test-secret
  schedule: "*/10 * * * *"

The policy is successfully created.

Checklist

  • [ ] I have read the contributing guidelines.
  • [ ] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • [ ] This is a bug fix and I have added unit tests that prove my fix is effective.
  • [ ] This is a feature and I have added CLI tests that are applicable.
  • [ ] My PR needs to be cherry picked to a specific release branch which is .
  • [ ] My PR contains new or altered behavior to Kyverno and
    • [ ] CLI support should be added and my PR doesn't contain that functionality.

Further Comments

MariamFahmy98, May 10 '24 16:05
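
Why the resource name matters for the proof manifests above, as an added example that is not part of this PR or of Kyverno's code: a simplified Go model of how an RBAC rule with resourceNames is matched against an access review. The type and function names are hypothetical stand-ins for the Kubernetes types, and the rule is copied from the kyverno:cleanup-secrets ClusterRole.

```go
package main

import "fmt"

// PolicyRule and ResourceAttributes are hypothetical, trimmed-down stand-ins
// for the rbac/v1 PolicyRule and authorization/v1 ResourceAttributes types.
type PolicyRule struct {
	APIGroups, Resources, ResourceNames, Verbs []string
}

type ResourceAttributes struct {
	Group, Resource, Name, Verb string
}

// contains reports whether list holds want, or "*" when wildcards are honoured.
func contains(list []string, want string, wildcard bool) bool {
	for _, v := range list {
		if v == want || (wildcard && v == "*") {
			return true
		}
	}
	return false
}

// Allowed models matching one rule against one access review. A rule without
// resourceNames covers every name; a rule with resourceNames only matches a
// review carrying one of those exact names, so an empty Name ("all") is denied.
func Allowed(rule PolicyRule, a ResourceAttributes) bool {
	if !contains(rule.Verbs, a.Verb, true) || !contains(rule.APIGroups, a.Group, true) ||
		!contains(rule.Resources, a.Resource, true) {
		return false
	}
	return len(rule.ResourceNames) == 0 || contains(rule.ResourceNames, a.Name, false)
}

// CleanupRule mirrors the kyverno:cleanup-secrets ClusterRole from the proof manifests.
var CleanupRule = PolicyRule{
	APIGroups: []string{""}, Resources: []string{"secrets"},
	ResourceNames: []string{"test-secret"}, Verbs: []string{"list", "delete"},
}

func main() {
	for _, name := range []string{"", "test-secret", "other-secret"} {
		attr := ResourceAttributes{Resource: "secrets", Name: name, Verb: "delete"}
		fmt.Printf("delete secrets name=%q allowed=%v\n", name, Allowed(CleanupRule, attr))
	}
}
```

A review sent without a name is denied by this name-scoped rule, while the same review carrying test-secret is allowed.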

Codecov Report

Attention: Patch coverage is 11.36364% with 39 lines in your changes missing coverage. Please review.

Project coverage is 11.64%. Comparing base (4342c36) to head (d5fa1b8).

Files Patch % Lines
pkg/validation/cleanuppolicy/validate.go 0.00% 26 Missing :warning:
api/kyverno/v2beta1/match_resources_types.go 0.00% 5 Missing :warning:
pkg/policy/auth/auth.go 0.00% 4 Missing :warning:
pkg/auth/checker/self.go 0.00% 2 Missing :warning:
pkg/auth/checker/helpers.go 0.00% 1 Missing :warning:
pkg/engine/adapters/dclient.go 0.00% 1 Missing :warning:
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #10221      +/-   ##
==========================================
- Coverage   11.64%   11.64%   -0.01%     
==========================================
  Files         933      933              
  Lines       85260    85280      +20     
==========================================
+ Hits         9926     9928       +2     
- Misses      74201    74220      +19     
+ Partials     1133     1132       -1     


codecov[bot], May 10 '24 16:05

Bump⬆️

realshuting, Jul 24 '24 09:07