NDEV-18561-Incorrect-Remediation-Diff (nirmata#127)

Co-authored-by: Harshit Raj <“harshit.raj@nirmata.com”>
fykaa · Mar 19, 2024 · 6a31e66 · 6a31e66
1 parent 787d2c6
commit 6a31e66
Showing 1 changed file with 48 additions and 30 deletions.
diff --git a/...urity/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml b/...urity/restricted/disallow-capabilities-strict/remediate-disallow-capabilities-strict.yaml
@@ -12,35 +12,53 @@ spec:
   rules:
     - name: add-drop-all
       match:
-        any:
-          - resources:
-              kinds:
-                - Deployment
-                - StatefulSet
-                - Job
-                - DaemonSet
+        resources:
+          kinds:
+            - Deployment
+            - StatefulSet
+            - Job
+            - DaemonSet
       mutate:
         foreach:
-        - list: "request.object.spec.template.spec.[containers, initContainers, ephemeralContainers][]"
-          patchStrategicMerge:
-            spec:
-              template:
-                spec:
-                  containers:
-                    - (name): "{{ element.name }}"
-                      securityContext:
-                        capabilities:
-                          +(drop):
-                            - ALL
-                  initContainers:
-                    - (name): "{{ element.name }}"
-                      securityContext:
-                        capabilities:
-                          +(drop):
-                            - ALL
-                  ephemeralContainers:
-                    - (name): "{{ element.name }}"
-                      securityContext:
-                        capabilities:
-                          +(drop):
-                            - ALL
+          - list: request.object.spec.template.spec.containers[]
+            order: Descending
+            preconditions:
+              all:
+                - key: ALL
+                  operator: AnyNotIn
+                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+            patchesJson6902: |-
+              - op: add
+                path: /spec/template/spec/containers/{{elementIndex}}/securityContext
+                value:
+                  capabilities:
+                    drop:
+                      - ALL
+          - list: request.object.spec.template.spec.initContainers[]
+            order: Descending
+            preconditions:
+              all:
+                - key: ALL
+                  operator: AnyNotIn
+                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+            patchesJson6902: |-
+              - op: add
+                path: /spec/template/spec/initContainers/{{elementIndex}}/securityContext
+                value:
+                  capabilities:
+                    drop:
+                      - ALL
+          - list: request.object.spec.template.spec.ephemeralContainers[]
+            order: Descending
+            preconditions:
+              all:
+                - key: ALL
+                  operator: AnyNotIn
+                  value: "{{ element.securityContext.capabilities.drop[].to_upper(@) || `[]` }}"
+            patchesJson6902: |-
+              - op: add
+                path: /spec/template/spec/ephemeralContainers/{{elementIndex}}/securityContext
+                value:
+                  capabilities:
+                    drop:
+                      - ALL