Skip to content

pod-files checks only files with paths part of the volumeMounts of the container#39

Merged
dimityrmirchev merged 3 commits intogardener:mainfrom
AleksandarSavchev:pod-files-check-only-volumeMounts
Oct 4, 2023
Merged

pod-files checks only files with paths part of the volumeMounts of the container#39
dimityrmirchev merged 3 commits intogardener:mainfrom
AleksandarSavchev:pod-files-check-only-volumeMounts

Conversation

@AleksandarSavchev
Copy link
Copy Markdown
Member

@AleksandarSavchev AleksandarSavchev commented Oct 3, 2023
edited by dimityrmirchev
Loading

What this PR does / why we need it:

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

DISA Kubernetes STIGS `pod-files` rule now checks only files with paths part of the `volumeMounts` for the specific container. It also excludes directories of no interest like `/var/log/journal`.

@AleksandarSavchev AleksandarSavchev requested a review from a team as a code owner October 3, 2023 14:39
@gardener-robot gardener-robot added needs/review size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 3, 2023
@gardener-robot gardener-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 4, 2023
@ghost ghost added the reviewed/ok-to-test label Oct 4, 2023
dimityrmirchev
dimityrmirchev requested changes Oct 4, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@dimityrmirchev dimityrmirchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one minor suggestion

Comment thread pkg/provider/gardener/ruleset/disak8sstig/v1r10/pod_files_permissions_and_owner.go Outdated

func (r *RulePodFiles) isMountRequiredByContainer(destination, containerName string, pod *corev1.Pod) bool {
for _, container := range pod.Spec.Containers {
if container.Name == containerName {
Copy link
Copy Markdown
Member

@dimityrmirchev dimityrmirchev Oct 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can reduce nesting if we continue when the names do not match like in the function below.

dimityrmirchev
dimityrmirchev approved these changes Oct 4, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@dimityrmirchev dimityrmirchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@dimityrmirchev dimityrmirchev merged commit 1b046c9 into gardener:main Oct 4, 2023
@ghost ghost added the reviewed/ok-to-test label Oct 4, 2023
@AleksandarSavchev AleksandarSavchev deleted the pod-files-check-only-volumeMounts branch February 7, 2024 07:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dimityrmirchev dimityrmirchev dimityrmirchev approved these changes

Assignees

No one assigned

Labels

size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AleksandarSavchev @dimityrmirchev @gardener-robot-ci-1 @gardener-robot