This repository has been archived by the owner on Jan 12, 2023. It is now read-only.

Merge pull request #120 from cruise-automation/filter-istio-virtual-s…
…ervices

Filter out Istio Virtual Services from Admission Requests correctly
somethingnew2-0 committed Aug 20, 2021
2 parents 2f3c20d + eb5ec6c commit 5cc97be
Showing 4 changed files with 9 additions and 3 deletions.
2 changes: 1 addition & 1 deletion charts/k-rail/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
name: k-rail
description: Kubernetes security tool for policy enforcement
home: https://github.com/cruise-automation/k-rail
version: v3.5.0
version: v3.5.1
maintainers:
- name: cruise-automation
url: https://cruise-automation.github.io/k-rail/
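--- a/charts/k-rail/values.yaml
+++ b/charts/k-rail/values.yaml
@@ -110,6 +110,9 @@ config:
 - name: "pod_empty_dir_size_limit"
 enabled: True
 report_only: False
+- name: "pod_no_root_user"
+enabled: True
+report_only: False
 - name: "pod_default_seccomp_policy"
 enabled: True
 report_only: False
@@ -131,6 +134,9 @@ config:
 - name: "service_require_loadbalancer_exemption"
 enabled: True
 report_only: False
+- name: "service_require_virtualservice_gateway_exemption"
+enabled: True
+report_only: False
 - name: "cluster_role_binding_no_anonymous_subject"
 enabled: True
 report_only: False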
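Review bot: Both new entries ship with `enabled: True` and `report_only: False`, so upgrading the chart starts denying requests that the previous values let through. For `service_require_virtualservice_gateway_exemption` this lands together with the matcher fix in resource/virtual_service.go, so the policy goes from matching nothing to enforcing in a single step, and existing VirtualServices without an exemption would presumably be rejected on their next update. Consider introducing both with `report_only: True` for one release, or add a comment above each entry such as `# enforcing by default; set report_only: True to audit before blocking`. Whether these policies were already active through defaults outside this file is not visible here.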
@@ -150,7 +150,7 @@ func TestPolicyRequireVirtualServiceGatewayExemption_Validate(t *testing.T) {
Namespace: "namespace",
Name: "name",
Object: runtime.RawExtension{Raw: raw},
Resource: metav1.GroupVersionResource{Group: "", Version: "v1beta1", Resource: "virtualservices"},
Resource: metav1.GroupVersionResource{Group: "networking.istio.io", Version: "v1beta1", Resource: "virtualservices"},
}

v := PolicyRequireVirtualServiceGatewayExemption{}
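Review bot: The fixture exercises only the `v1beta1` resource, while the switch in resource/virtual_service.go also accepts `v1alpha3`, so one of the two accepted values is not pinned by this visible setup. Since the defect being fixed was a matcher that silently never matched, building the request once per accepted version would keep a typo in either literal from going unnoticed, for example by looping over `[]string{"v1beta1", "v1alpha3"}` when filling `Resource`. The test function starts and ends outside this hunk, so other cases in the file may already cover part of this.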
2 changes: 1 addition & 1 deletion resource/virtual_service.go
@@ -78,7 +78,7 @@ func GetVirtualServiceResource(ctx context.Context, ar *admissionv1.AdmissionReq

func decodeVirtualServiceResource(ar *admissionv1.AdmissionRequest) *VirtualServiceResource {
switch ar.Resource {
case metav1.GroupVersionResource{Group: "", Version: "v1beta1", Resource: "virtualservices"}, metav1.GroupVersionResource{Group: "", Version: "v1alpha3", Resource: "virtualservices"}:
case metav1.GroupVersionResource{Group: "networking.istio.io", Version: "v1beta1", Resource: "virtualservices"}, metav1.GroupVersionResource{Group: "networking.istio.io", Version: "v1alpha3", Resource: "virtualservices"}:
vsvc := VirtualService{}
if err := decodeObject(ar.Object.Raw, &vsvc); err != nil {
return nil
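Review bot: The `case` compares the whole `GroupVersionResource`, so a `virtualservices` request in the `networking.istio.io` group under any version other than `v1beta1` or `v1alpha3` falls through the switch and is presumably treated as not being a VirtualService. That is the same silent fail-open this commit repairs for the group name, and it would recur whenever the cluster serves the kind under another version. Matching on group and resource only avoids it: `switch {` with `case ar.Resource.Group == "networking.istio.io" && ar.Resource.Resource == "virtualservices":`. The `return nil` on a `decodeObject` error has the same effect for an object that fails to decode, so logging that error would make a skipped policy check visible. The function body continues past the end of the hunk.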