fix: skip duplicate PSa checks for the latest version (#6634) (#6636)

* add version check * debug * debug * skip multiple applies * skip multiple applies --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
kyverno · Mar 21, 2023 · 4dbffc5 · 4dbffc5
1 parent 91f1929
commit 4dbffc5
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/pkg/pss/evaluate.go b/pkg/pss/evaluate.go
@@ -21,7 +21,16 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
 			continue
 		}
 		// check version
+		appliedOnce := true
 		for _, versionCheck := range check.Versions {
+			// the latest check returned twice, skip duplicate application
+			if level.Version == api.LatestVersion() {
+				if !appliedOnce {
+					continue
+				}
+			} else if level.Version != api.LatestVersion() && level.Version.Older(versionCheck.MinimumVersion) {
+				continue
+			}
 			checkResult := versionCheck.CheckPod(&pod.ObjectMeta, &pod.Spec)
 			// Append only if the checkResult is not already in pssCheckResult
 			if !checkResult.Allowed {
@@ -31,6 +40,7 @@ func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PS
 					RestrictedFields: GetRestrictedFields(check),
 				})
 			}
+			appliedOnce = false
 		}
 	}
 	return results
@@ -81,25 +91,25 @@ func parseVersion(rule *kyvernov1.PodSecurity) (*api.LevelVersion, error) {
 
 // EvaluatePod applies PSS checks to the pod and exempts controls specified in the rule
 func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils.PSSCheckResult, error) {
-	level, err := parseVersion(rule)
+	levelVersion, err := parseVersion(rule)
 	if err != nil {
 		return false, nil, err
 	}
 
-	defaultCheckResults := evaluatePSS(level, *pod)
+	defaultCheckResults := evaluatePSS(levelVersion, *pod)
 
 	for _, exclude := range rule.Exclude {
 		spec, matching := GetPodWithMatchingContainers(exclude, pod)
 
 		switch {
 		// exclude pod level checks
 		case spec != nil:
-			excludeCheckResults := evaluatePSS(level, *spec)
+			excludeCheckResults := evaluatePSS(levelVersion, *spec)
 			defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)
 
 		// exclude container level checks
 		default:
-			excludeCheckResults := evaluatePSS(level, *matching)
+			excludeCheckResults := evaluatePSS(levelVersion, *matching)
 			defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)
 		}
 	}

diff --git a/test/conformance/kuttl/reports/background/test-report-background-mode/report-assert.yaml b/test/conformance/kuttl/reports/background/test-report-background-mode/report-assert.yaml
@@ -7,7 +7,6 @@ results:
 - category: Pod Security
   message: |
     Validation rule 'restricted' failed. It violates PodSecurity "restricted:latest": ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
-    ({Allowed:false ForbiddenReason:unrestricted capabilities ForbiddenDetail:container "container01" must set securityContext.capabilities.drop=["ALL"]})
   policy: podsecurity-subrule-restricted
   resources:
   - apiVersion: v1