feat(CLOUDDST-29067): Add OLM allowed resource kinds policy

Anna Rania · Anna Rania · commit 9e96e87639b6 · 2025-08-29T12:24:31.000-04:00
diff --git a/antora/docs/modules/ROOT/pages/packages/release_olm.adoc b/antora/docs/modules/ROOT/pages/packages/release_olm.adoc
@@ -45,6 +45,18 @@ Each image referenced by the OLM bundle should match an entry in the list of pre
 * Effective from: `2024-09-01T00:00:00Z`
 * https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L304[Source, window="_blank"]
 
+[#olm__allowed_resource_kinds]
+=== link:#olm__allowed_resource_kinds[OLM bundle image manifests contain only allowed resource kinds]
+
+Every manifest in an OLM bundle must be of an allowed resource kind, as defined by the rule data key `allowed_olm_resource_kinds`.
+
+*Solution*: Remove any unsupported OLM resource kinds in the bundle manifests.
+
+* Rule type: [rule-type-indicator failure]#FAILURE#
+* FAILURE message: `The %q manifest kind is not in the list of OLM allowed resource kinds.`
+* Code: `olm.allowed_resource_kinds`
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L361[Source, window="_blank"]
+
 [#olm__olm_bundle_multi_arch]
 === link:#olm__olm_bundle_multi_arch[OLM bundle images are not multi-arch]
 
diff --git a/antora/docs/modules/ROOT/pages/release_policy.adoc b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -126,6 +126,7 @@ Rules included:
 * xref:packages/release_olm.adoc#olm__csv_semver_format[OLM: ClusterServiceVersion semver format]        
 * xref:packages/release_olm.adoc#olm__feature_annotations_format[OLM: Feature annotations have expected value]        
 * xref:packages/release_olm.adoc#olm__allowed_registries[OLM: Images referenced by OLM bundle are from allowed registries]        
+* xref:packages/release_olm.adoc#olm__allowed_resource_kinds[OLM: OLM bundle image manifests contain only allowed resource kinds]        
 * xref:packages/release_olm.adoc#olm__olm_bundle_multi_arch[OLM: OLM bundle images are not multi-arch]        
 * xref:packages/release_olm.adoc#olm__allowed_registries_related[OLM: Related images references are from allowed registries]        
 * xref:packages/release_olm.adoc#olm__required_olm_features_annotations_provided[OLM: Required OLM feature annotations list provided]        
diff --git a/antora/docs/modules/ROOT/partials/release_policy_nav.adoc b/antora/docs/modules/ROOT/partials/release_policy_nav.adoc
@@ -59,6 +59,7 @@
 **** xref:packages/release_olm.adoc#olm__csv_semver_format[ClusterServiceVersion semver format]
 **** xref:packages/release_olm.adoc#olm__feature_annotations_format[Feature annotations have expected value]
 **** xref:packages/release_olm.adoc#olm__allowed_registries[Images referenced by OLM bundle are from allowed registries]
+**** xref:packages/release_olm.adoc#olm__allowed_resource_kinds[OLM bundle image manifests contain only allowed resource kinds]
 **** xref:packages/release_olm.adoc#olm__olm_bundle_multi_arch[OLM bundle images are not multi-arch]
 **** xref:packages/release_olm.adoc#olm__allowed_registries_related[Related images references are from allowed registries]
 **** xref:packages/release_olm.adoc#olm__required_olm_features_annotations_provided[Required OLM feature annotations list provided]
diff --git a/policy/lib/rule_data.rego b/policy/lib/rule_data.rego
@@ -89,6 +89,31 @@ rule_data_defaults := {
 		"registry.access.redhat.com/",
 		"registry.redhat.io/",
 	],
+	# Used in release/olm.rego
+	# The NetworkPolicy resource kind is temporarily not allowed for all OCP versions until OLM releases a backport
+	# More information here:https://groups.google.com/a/redhat.com/g/aos-devel/c/yaWHjkj-tuA/m/RZh2YSQgBgAJ
+	"allowed_olm_resource_kinds": [
+		"ClusterServiceVersion",
+		"CustomResourceDefinition",
+		"Secret",
+		"ClusterRole",
+		"ClusterRoleBinding",
+		"ConfigMap",
+		"ServiceAccount",
+		"Service",
+		"Role",
+		"RoleBinding",
+		"PrometheusRule",
+		"ServiceMonitor",
+		"PodDisruptionBudget",
+		"PriorityClass",
+		"VerticalPodAutoscaler",
+		"ConsoleYAMLSample",
+		"ConsoleQuickStart",
+		"ConsoleCLIDownload",
+		"ConsoleLink",
+		"ConsolePlugin",
+	],
 	#
 	# Used in release/hermetic_task/hermetic_task.rego
 	"required_hermetic_tasks": [
diff --git a/policy/release/olm/olm.rego b/policy/release/olm/olm.rego
@@ -358,6 +358,30 @@ deny contains result if {
 	result := lib.result_helper_with_term(rego.metadata.chain(), [input.image.ref], input.image.ref)
 }
 
+# METADATA
+# title: OLM bundle image manifests contain only allowed resource kinds
+# description: >-
+#   Every manifest in an OLM bundle must be of an allowed resource kind,
+#   as defined by the rule data key `allowed_olm_resource_kinds`.
+# custom:
+#   short_name: allowed_resource_kinds
+#   failure_msg: The %q manifest kind is not in the list of OLM allowed resource kinds.
+#   solution: >-
+#     Remove any unsupported OLM resource kinds in the bundle manifests.
+#   collections:
+#   - redhat
+deny contains result if {
+	some path, manifest in input.image.files
+
+	# Only consider files in the manifests directory (as defined by OLM label)
+	manifest_dir := input.image.config.Labels[manifestv1]
+	startswith(path, manifest_dir)
+
+	not manifest.kind in lib.rule_data("allowed_olm_resource_kinds")
+
+	result := lib.result_helper_with_term(rego.metadata.chain(), [manifest.kind], manifest.kind)
+}
+
 _name(o) := n if {
 	n := o.name
 } else := "unnamed"
diff --git a/policy/release/olm/olm_test.rego b/policy/release/olm/olm_test.rego
@@ -98,6 +98,20 @@ manifest := {
 	"metadata-with-empty-annotations": {"metadata": {"annotations": {}}},
 }
 
+network_policy_manifest := {
+	"apiVersion": "networking.k8s.io/v1",
+	"kind": "NetworkPolicy",
+	"metadata": {"name": "default-deny"},
+	"spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
+}
+
+service_manifest := {
+	"apiVersion": "v1",
+	"kind": "Service",
+	"metadata": {"name": "simple-demo-operator-controller-manager-metrics-service"},
+	"spec": {"ports": [{"port": 8443, "targetPort": 8443}]},
+}
+
 # regal ignore:rule-length
 test_all_image_ref if {
 	lib.assert_equal(
@@ -137,12 +151,14 @@ test_all_good if {
 	lib.assert_empty(olm.deny) with input.image.files as {"manifests/csv.yaml": manifest}
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_all_good_custom_dir if {
 	lib.assert_empty(olm.deny) with input.image.files as {"other/csv.yaml": manifest}
 		with input.image.config.Labels as {olm.manifestv1: "other/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_related_img_unpinned if {
@@ -162,6 +178,7 @@ test_related_img_unpinned if {
 	lib.assert_equal_results(olm.deny, expected) with input.image.files as {"manifests/csv.yaml": unpinned_manifest}
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_feature_annotations_format if {
@@ -201,6 +218,7 @@ test_feature_annotations_format if {
 	lib.assert_equal_results(olm.deny, expected) with input.image.files as {"manifests/csv.yaml": bad_manifest}
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_feature_annotations_format_custom_rule_data if {
@@ -218,6 +236,7 @@ test_feature_annotations_format_custom_rule_data if {
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.required_olm_features_annotations as ["foo", "spam"]
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_required_olm_features_annotations_provided if {
@@ -231,6 +250,7 @@ test_required_olm_features_annotations_provided if {
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
 		with data.rule_data.required_olm_features_annotations as []
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 
 	d := [
 		# Wrong type
@@ -268,6 +288,7 @@ test_required_olm_features_annotations_provided if {
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
 		with data.rule_data.required_olm_features_annotations as d
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_csv_semver_format_bad_semver if {
@@ -281,6 +302,7 @@ test_csv_semver_format_bad_semver if {
 	lib.assert_equal_results(olm.deny, expected) with input.image.files as {"manifests/csv.yaml": csv}
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_csv_semver_format_missing if {
@@ -294,6 +316,7 @@ test_csv_semver_format_missing if {
 	lib.assert_equal_results(olm.deny, expected) with input.image.files as {"manifests/csv.yaml": csv}
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_subscriptions_annotation_format if {
@@ -340,6 +363,7 @@ test_subscriptions_annotation_format if {
 	lib.assert_equal_results(olm.deny, expected) with input.image.files as files
 		with input.image.config.Labels as {olm.manifestv1: "m/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_unpinned_snapshot_references_operator if {
@@ -353,6 +377,7 @@ test_unpinned_snapshot_references_operator if {
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
 		with ec.oci.image_manifest as `{"config": {"digest": "sha256:goat"}}`
 		with input.image.ref as unpinned_component.containerImage
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_unpinned_snapshot_references_different_input if {
@@ -373,6 +398,7 @@ test_unmapped_references_in_operator if {
 	lib.assert_equal_results(olm.deny, expected) with input.snapshot.components as [component1]
 		with input.image.files as {"manifests/csv.yaml": manifest}
 		with data.rule_data as {"pipeline_intention": "release", "allowed_olm_image_registry_prefixes": ["registry.io"]}
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 		with ec.oci.image_manifest as _mock_image_partial
 		with ec.oci.descriptor as mock_ec_oci_image_descriptor
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
@@ -436,6 +462,7 @@ test_unmapped_references_none_found if {
 		with input.image.files as {"manifests/csv.yaml": manifest}
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_allowed_registries if {
@@ -444,6 +471,7 @@ test_allowed_registries if {
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io", "registry.redhat.io"]
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with input.image.files as {"manifests/csv.yaml": manifest}
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 }
 
 test_bundle_image_index if {
@@ -457,6 +485,7 @@ test_bundle_image_index if {
 
 	lib.assert_equal_results(olm.deny, expected_deny) with data.rule_data.pipeline_intention as "release"
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.io", "registry.redhat.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with input.image.files as {"manifests/csv.yaml": manifest}
 		with input.image.ref as pinned1
@@ -482,6 +511,7 @@ test_unallowed_registries if {
 	# This expects failure as registry.io is not a member of allowed_olm_image_registry_prefixes
 	lib.assert_equal_results(olm.deny, expected) with data.rule_data.pipeline_intention as "release"
 		with data.rule_data.allowed_olm_image_registry_prefixes as ["registry.access.redhat.com", "registry.redhat.io"]
+		with data.rule_data.allowed_olm_resource_kinds as ["ClusterServiceVersion"]
 		with input.image.config.Labels as {olm.manifestv1: "manifests/"}
 		with input.image.files as {"manifests/csv.yaml": manifest}
 }
@@ -604,3 +634,23 @@ test_image_ref_with_repo_only if {
 	expected := "registry.io/repo"
 	lib.assert_equal(olm._image_ref(img), expected)
 }
+
+test_disallowed_olm_resource_kind if {
+	expected := {{
+		"code": "olm.allowed_resource_kinds",
+		"msg": "The \"NetworkPolicy\" manifest kind is not in the list of OLM allowed resource kinds.",
+		"term": "NetworkPolicy",
+	}}
+
+	lib.assert_equal_results(olm.deny, expected) with input.image.config.Labels as {olm.manifestv1: "manifests/"}
+		with input.image.files as {"manifests/networkpolicy.yaml": network_policy_manifest}
+		with data.rule_data.allowed_olm_resource_kinds as ["foo", "bar"]
+}
+
+test_allowed_olm_resource_kind if {
+	expected_empty := {}
+
+	lib.assert_equal_results(olm.deny, expected_empty) with input.image.config.Labels as {olm.manifestv1: "manifests/"}
+		with input.image.files as {"manifests/service.yaml": service_manifest}
+		with data.rule_data.allowed_olm_resource_kinds as ["Service"]
+}
