
Commit 98b3236

tliu2021openshift-merge-robot
authored and committed
Add remediationAction at the Policy spec level
Check policy-templates to see if all the remediation actions match, if so set the root policy remediation action to that value. Otherwise, leave the root policy remediation action unset. Refs: - https://issues.redhat.com/browse/OCPBUGS-2200 Signed-off-by: Tao Liu <[email protected]>
1 parent a1b277a commit 98b3236


4 files changed

+155
-0
lines changed


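--- a/internal/plugin.go
+++ b/internal/plugin.go
@@ -1167,6 +1167,11 @@ func (p *Plugin) createPolicy(policyConf *types.PolicyConfig) error {
 },
 }
 
+// set the root policy remediation action if all the remediation actions match
+if rootRemediationAction := getRootRemediationAction(policyTemplates); rootRemediationAction != "" {
+policy["spec"].(map[string]interface{})["remediationAction"] = rootRemediationAction
+}
+
 policyYAML, err := yaml.Marshal(policy)
 if err != nil {
 return fmt.Errorf(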
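Review bot: The assertion `policy["spec"].(map[string]interface{})` on the third added line is unchecked, so if `policy["spec"]` were ever built as a different type the generator would panic instead of returning an error; prefer the two-value form, e.g. `if spec, ok := policy["spec"].(map[string]interface{}); ok { spec["remediationAction"] = rootRemediationAction }`. The comment should also state that the root-level value is deliberately left unset when the templates disagree, since a reader of the generated manifest otherwise has to infer that from the missing key. createPolicy starts and ends outside the hunk, so whether `policy["spec"]` is always a map at this point cannot be confirmed from this view.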

internal/plugin_test.go

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -118,6 +118,7 @@ spec:
118118
pruneObjectBehavior: None
119119
remediationAction: inform
120120
severity: low
121+
remediationAction: inform
121122
---
122123
apiVersion: policy.open-cluster-management.io/v1
123124
kind: Policy
@@ -150,6 +151,7 @@ spec:
150151
pruneObjectBehavior: DeleteAll
151152
remediationAction: inform
152153
severity: low
154+
remediationAction: inform
153155
---
154156
apiVersion: apps.open-cluster-management.io/v1
155157
kind: PlacementRule
@@ -355,6 +357,7 @@ spec:
355357
name: my-configmap
356358
remediationAction: inform
357359
severity: low
360+
remediationAction: inform
358361
---
359362
apiVersion: policy.open-cluster-management.io/v1
360363
kind: PlacementBinding
@@ -446,6 +449,7 @@ spec:
446449
name: my-configmap
447450
remediationAction: inform
448451
severity: low
452+
remediationAction: inform
449453
---
450454
apiVersion: policy.open-cluster-management.io/v1
451455
kind: PlacementBinding
@@ -535,6 +539,7 @@ spec:
535539
name: my-configmap
536540
remediationAction: inform
537541
severity: low
542+
remediationAction: inform
538543
---
539544
apiVersion: policy.open-cluster-management.io/v1
540545
kind: Policy
@@ -565,6 +570,7 @@ spec:
565570
name: my-configmap
566571
remediationAction: inform
567572
severity: low
573+
remediationAction: inform
568574
---
569575
apiVersion: apps.open-cluster-management.io/v1
570576
kind: PlacementRule
@@ -723,6 +729,7 @@ spec:
723729
name: my-configmap
724730
remediationAction: inform
725731
severity: low
732+
remediationAction: inform
726733
`
727734
expected = strings.TrimPrefix(expected, "\n")
728735
assertEqual(t, output, expected)
@@ -784,6 +791,7 @@ spec:
784791
name: my-configmap
785792
remediationAction: inform
786793
severity: low
794+
remediationAction: inform
787795
`
788796
expected = strings.TrimPrefix(expected, "\n")
789797
assertEqual(t, output, expected)
@@ -830,6 +838,7 @@ spec:
830838
name: my-configmap
831839
remediationAction: inform
832840
severity: low
841+
remediationAction: inform
833842
`
834843
expected = strings.TrimPrefix(expected, "\n")
835844
assertEqual(t, output, expected)
@@ -877,6 +886,7 @@ spec:
877886
name: my-configmap
878887
remediationAction: inform
879888
severity: low
889+
remediationAction: inform
880890
`
881891
expected = strings.TrimPrefix(expected, "\n")
882892
assertEqual(t, output, expected)
@@ -941,6 +951,99 @@ spec:
941951
- '*'
942952
remediationAction: enforce
943953
severity: medium
954+
remediationAction: enforce
955+
`
956+
expected = strings.TrimPrefix(expected, "\n")
957+
assertEqual(t, output, expected)
958+
}
959+
960+
func TestCreatePolicyWithDifferentRemediationAction(t *testing.T) {
961+
t.Parallel()
962+
tmpDir := t.TempDir()
963+
createIamPolicyManifest(t, tmpDir, "iamKindManifestPluginTest.yaml")
964+
createIamPolicyManifest(t, tmpDir, "iamKindManifestPluginTest2.yaml")
965+
966+
p := Plugin{}
967+
p.PolicyDefaults.Namespace = "Iam-policies"
968+
969+
patches := []map[string]interface{}{
970+
{
971+
"spec": map[string]interface{}{
972+
"remediationAction": "inform",
973+
},
974+
},
975+
}
976+
policyConf := types.PolicyConfig{
977+
PolicyOptions: types.PolicyOptions{
978+
Categories: []string{"AC Access Control"},
979+
Controls: []string{"AC-3 Access Enforcement"},
980+
Standards: []string{"NIST SP 800-53"},
981+
},
982+
Name: "policy-limitclusteradmin",
983+
Manifests: []types.Manifest{
984+
{Path: path.Join(tmpDir, "iamKindManifestPluginTest.yaml")},
985+
{
986+
Path: path.Join(tmpDir, "iamKindManifestPluginTest2.yaml"),
987+
Patches: patches,
988+
},
989+
},
990+
}
991+
p.Policies = append(p.Policies, policyConf)
992+
p.applyDefaults(map[string]interface{}{})
993+
994+
err := p.createPolicy(&p.Policies[0])
995+
if err != nil {
996+
t.Fatal(err.Error())
997+
}
998+
999+
output := p.outputBuffer.String()
1000+
// expected Iam policy generated from
1001+
// non-root IAM policy type manifest
1002+
// in createIamPolicyTypeConfigMap()
1003+
expected := `
1004+
---
1005+
apiVersion: policy.open-cluster-management.io/v1
1006+
kind: Policy
1007+
metadata:
1008+
annotations:
1009+
policy.open-cluster-management.io/categories: AC Access Control
1010+
policy.open-cluster-management.io/controls: AC-3 Access Enforcement
1011+
policy.open-cluster-management.io/standards: NIST SP 800-53
1012+
name: policy-limitclusteradmin
1013+
namespace: Iam-policies
1014+
spec:
1015+
disabled: false
1016+
policy-templates:
1017+
- objectDefinition:
1018+
apiVersion: policy.open-cluster-management.io/v1
1019+
kind: IamPolicy
1020+
metadata:
1021+
name: policy-limitclusteradmin-example
1022+
spec:
1023+
maxClusterRoleBindingUsers: 5
1024+
namespaceSelector:
1025+
exclude:
1026+
- kube-*
1027+
- openshift-*
1028+
include:
1029+
- '*'
1030+
remediationAction: enforce
1031+
severity: medium
1032+
- objectDefinition:
1033+
apiVersion: policy.open-cluster-management.io/v1
1034+
kind: IamPolicy
1035+
metadata:
1036+
name: policy-limitclusteradmin-example
1037+
spec:
1038+
maxClusterRoleBindingUsers: 5
1039+
namespaceSelector:
1040+
exclude:
1041+
- kube-*
1042+
- openshift-*
1043+
include:
1044+
- '*'
1045+
remediationAction: inform
1046+
severity: medium
9441047
`
9451048
expected = strings.TrimPrefix(expected, "\n")
9461049
assertEqual(t, output, expected)
@@ -1012,6 +1115,7 @@ spec:
10121115
name: my-configmap
10131116
remediationAction: inform
10141117
severity: low
1118+
remediationAction: inform
10151119
`
10161120
expected = strings.TrimPrefix(expected, "\n")
10171121
assertEqual(t, output, expected)
@@ -1983,6 +2087,7 @@ spec:
19832087
name: my-configmap
19842088
remediationAction: inform
19852089
severity: low
2090+
remediationAction: inform
19862091
---
19872092
apiVersion: policy.open-cluster-management.io/v1beta1
19882093
kind: PolicySet
@@ -2105,6 +2210,7 @@ spec:
21052210
name: my-configmap
21062211
remediationAction: inform
21072212
severity: low
2213+
remediationAction: inform
21082214
---
21092215
apiVersion: policy.open-cluster-management.io/v1beta1
21102216
kind: PolicySet
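Review bot: The comment above `expected` in TestCreatePolicyWithDifferentRemediationAction (new lines 1000-1002) says the input comes from `createIamPolicyTypeConfigMap()`, but the test writes its manifests with `createIamPolicyManifest`; unless that is a helper elsewhere in the file, the comment looks copied from another test and should name the helper actually used, e.g. `// expected IAM policy generated from the two manifests written by createIamPolicyManifest, the second patched to inform`. It would also help to say explicitly that no root-level remediationAction is expected here because the two templates differ, since that absence is the point of the test. The remaining hunks in this section only add the root-level `remediationAction: inform` line to expected output and need no change.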

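--- a/internal/utils.go
+++ b/internal/utils.go
@@ -486,3 +486,22 @@ func verifyManifestPath(baseDirectory string, manifestPath string) error {
 
 return nil
 }
+
+// Check policy-templates to see if all the remediation actions match, if so return the root policy remediation action
+func getRootRemediationAction(policyTemplates []map[string]map[string]interface{}) string {
+var action string
+
+for _, value := range policyTemplates {
+if spec, ok := value["objectDefinition"]["spec"].(map[string]interface{}); ok {
+if _, ok = spec["remediationAction"].(string); ok {
+if action == "" {
+action = spec["remediationAction"].(string)
+} else if spec["remediationAction"].(string) != action {
+return ""
+}
+}
+}
+}
+
+return action
+}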
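Review bot: The remediationAction value is type-asserted three times in the inner block of getRootRemediationAction (new lines 496-499); binding it once with `if current, ok := spec["remediationAction"].(string); ok {` and comparing `current` against `action` removes the repeated assertions and the reuse of the outer `ok`. The doc comment should also start with the function name per Go convention, e.g. `// getRootRemediationAction returns the remediationAction shared by every policy template that declares one, or "" when they differ.` Templates whose spec has no remediationAction are silently skipped, so a single template that declares one is enough to set the root value for the whole policy; if that is intended, say so in the comment, because the root-level value presumably applies to the templates that did not declare one.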

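--- a/internal/utils_test.go
+++ b/internal/utils_test.go
@@ -1418,3 +1418,28 @@ data:
 }
 }
 }
+
+func TestGetRootRemediationAction(t *testing.T) {
+t.Parallel()
+
+policyTemplates := []map[string]map[string]interface{}{
+{"objectDefinition": {
+"apiVersion": policyAPIVersion,
+"kind": configPolicyKind,
+"metadata": map[string]interface{}{
+"name": "my-template",
+},
+"spec": map[string]interface{}{
+"remediationAction": "inform",
+"severity": "low",
+},
+}},
+}
+
+expected := getRootRemediationAction(policyTemplates)
+assertEqual(t, "inform", expected)
+
+policyTemplates[0]["objectDefinition"]["spec"].(map[string]interface{})["remediationAction"] = "enforce"
+expected = getRootRemediationAction(policyTemplates)
+assertEqual(t, "enforce", expected)
+}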
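Review bot: TestGetRootRemediationAction only exercises a single template, so the `return ""` branch for mismatched actions and the skip of a template without remediationAction are untested here. Appending a second template with a different action and asserting the empty result covers the first, e.g. `policyTemplates = append(policyTemplates, map[string]map[string]interface{}{"objectDefinition": {"spec": map[string]interface{}{"remediationAction": "inform"}}})` followed by `assertEqual(t, "", getRootRemediationAction(policyTemplates))`. The mismatch path is covered end-to-end by TestCreatePolicyWithDifferentRemediationAction in plugin_test.go, but a direct unit case keeps the helper's contract pinned on its own.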
