// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Popeye
package sanitize
import (
"context"
"github.com/derailed/popeye/internal"
"github.com/derailed/popeye/internal/cache"
"github.com/derailed/popeye/internal/issues"
)
// RBLister represents RoleBinding sanitizer dependencies: the role bindings
// to inspect plus the cluster roles and roles their RoleRef may point at.
type RBLister interface {
	RoleBindingLister
	ClusterRoleLister
	RoleLister
}

// RoleBinding tracks RoleBinding sanitization. The issue collector and the
// lister are embedded, so their methods are promoted onto the sanitizer.
type RoleBinding struct {
	*issues.Collector
	RBLister
}
// NewRoleBinding returns a new RoleBinding sanitizer that records findings
// on c and reads cluster state through lister.
func NewRoleBinding(c *issues.Collector, lister RBLister) *RoleBinding {
	s := new(RoleBinding)
	s.Collector = c
	s.RBLister = lister

	return s
}
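// Sanitize checks every RoleBinding returned by the lister and reports code
// 1300 for bindings whose RoleRef names a ClusterRole or Role that the lister
// does not know about.
//
// A binding to a missing role grants nothing today, but its subjects would
// pick up whatever permissions a role later created under that name carries,
// which is why dangling references are worth surfacing.
//
// Outcomes of bindings that raised no concerns and whose FQN the config
// excludes are cleared. Sanitize always returns nil.
func (r *RoleBinding) Sanitize(ctx context.Context) error {
	for fqn, rb := range r.ListRoleBindings() {
		r.InitOutcome(fqn)

		// Derive a per-binding context from the caller's ctx instead of
		// reassigning ctx: reassigning stacks one wrapper per binding, so
		// later lookups walk an ever longer chain (assuming WithFQN wraps
		// its parent the way context.WithValue does).
		bctx := internal.WithFQN(ctx, fqn)

		switch rb.RoleRef.Kind {
		case "ClusterRole":
			// ClusterRoles are looked up by bare name.
			if _, ok := r.ListClusterRoles()[rb.RoleRef.Name]; !ok {
				r.AddCode(bctx, 1300, rb.RoleRef.Kind, rb.RoleRef.Name)
			}
		case "Role":
			// Roles are resolved in the binding's own namespace.
			rFQN := cache.FQN(rb.Namespace, rb.RoleRef.Name)
			if _, ok := r.ListRoles()[rFQN]; !ok {
				r.AddCode(bctx, 1300, rb.RoleRef.Kind, rFQN)
			}
			// NOTE(review): any other RoleRef.Kind is skipped without a
			// finding; confirm that is intended.
		}

		if r.NoConcerns(fqn) && r.Config.ExcludeFQN(internal.MustExtractSectionGVR(bctx), fqn) {
			r.ClearOutcome(fqn)
		}
	}

	return nil
}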