FairwindsOps / polaris

Validation of best practices in your Kubernetes clusters
https://www.fairwinds.com/polaris
Apache License 2.0

FWI-5232 Conditional expressions should be at very top of additionalSchemaStrings #1025

Closed jslivka closed 6 months ago

jslivka commented 6 months ago

This PR fixes #1003

Checklist

Description

Polaris checks utilize additionalSchemaStrings, an additional section of jsonschema that will only evaluate if the object conforms to schemaString. The conditional statements in additionalSchemaStrings need to be arranged in a manner such that when there's nothing to evaluate, the string is empty (not the object therein).

What's the goal of this PR?

Fix false positives reported when running the Polaris CLI for the following checks:

What changes did you make?

Adjust the ordering of conditional expressions in additionalSchemaStrings:

e.g.

 additionalSchemaStrings:
   rbac.authorization.k8s.io/ClusterRole: |
-    type: object
-    # This schema is validated for all roleBindings, regardless of their roleRef.
     {{ if eq .roleRef.kind "ClusterRole" }}
     {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
+    # This schema is validated for all roleBindings, regardless of their roleRef.
+    type: object
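Review bot: the comment moved on the `+` line, "This schema is validated for all roleBindings, regardless of their roleRef.", now sits inside `{{ if eq .roleRef.kind "ClusterRole" }}` and the name check, so it no longer describes the schema's scope; reword it to match the conditionals it follows (for example "Only evaluated for bindings whose roleRef is a ClusterRole and whose name is not a system: or calico-sa name") or drop it. The reordering itself is right for the stated goal: with `type: object` after both conditionals, an object that fails either test renders the template to an empty string instead of a bare `type: object` schema, which is what the skip logic keys on. The matching `{{ end }}` lines are outside the hunk; confirm both still close after the schema body so the trailing output stays empty for non-matching objects.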

so that there is not an empty object being evaluated, but rather an empty string.

I've also added success test cases as a regression check.

What alternative solution should we consider, if any?
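The rendering behaviour the description relies on, as an added example that is not part of this PR or of Polaris's own code: two Go text/template strings reproduce the "before" and "after" orderings from the diff, a constructed binding-like object is rendered against each, and a skip decision (`NeedsEvaluation`) models "only evaluate when the rendered string is non-empty". The `hasPrefix` helper, its value-first argument order, the property body under `type: object`, and the whitespace-only-counts-as-empty rule are assumptions made for the example, not Polaris's actual helper set or schema.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// SchemaBefore mirrors the pre-fix ordering from the PR: the static
// "type: object" line precedes the template conditionals, so even an object
// the check does not apply to renders to a non-empty schema.
// The property body is a constructed placeholder, not Polaris's real schema.
const SchemaBefore = `type: object
{{ if eq .roleRef.kind "ClusterRole" }}
{{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
properties:
  roleRef:
    properties:
      name:
        not:
          const: cluster-admin
{{ end }}
{{ end }}
`

// SchemaAfter mirrors the post-fix ordering: both conditionals come first,
// so a non-matching object renders to whitespace only.
const SchemaAfter = `{{ if eq .roleRef.kind "ClusterRole" }}
{{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
type: object
properties:
  roleRef:
    properties:
      name:
        not:
          const: cluster-admin
{{ end }}
{{ end }}
`

// funcs supplies hasPrefix with the argument order used in the PR's template
// (value first, prefix second). Assumption for this example; Polaris's own
// helper functions are not reproduced here.
var funcs = template.FuncMap{
	"hasPrefix": func(s, prefix string) bool { return strings.HasPrefix(s, prefix) },
}

// RenderSchema executes one additionalSchemaStrings template against a
// Kubernetes object decoded as a generic map (as it would be from JSON).
func RenderSchema(tmpl string, obj map[string]interface{}) (string, error) {
	t, err := template.New("schema").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, obj); err != nil {
		return "", err
	}
	return out.String(), nil
}

// NeedsEvaluation models the skip decision the PR description relies on: the
// additional schema is handed to the validator only when the rendered template
// is non-empty. Whitespace-only output counts as empty here (assumption), since
// Go templates leave the newlines of dropped {{ if }} lines behind.
func NeedsEvaluation(rendered string) bool {
	return strings.TrimSpace(rendered) != ""
}

// SampleBinding builds a constructed binding-like object carrying just the
// fields the template dereferences.
func SampleBinding(refKind, name string) map[string]interface{} {
	return map[string]interface{}{
		"metadata": map[string]interface{}{"name": name},
		"roleRef":  map[string]interface{}{"kind": refKind, "name": "cluster-admin"},
	}
}

func main() {
	cases := []struct {
		label string
		obj   map[string]interface{}
	}{
		{"roleRef is a Role", SampleBinding("Role", "app-binding")},
		{"system: ClusterRole binding", SampleBinding("ClusterRole", "system:controller")},
		{"ordinary ClusterRole binding", SampleBinding("ClusterRole", "app-binding")},
	}
	orderings := []struct{ label, tmpl string }{{"before", SchemaBefore}, {"after", SchemaAfter}}
	for _, c := range cases {
		for _, o := range orderings {
			out, err := RenderSchema(o.tmpl, c.obj)
			if err != nil {
				fmt.Println(c.label, o.label, "error:", err)
				continue
			}
			fmt.Printf("%-30s %-6s evaluate=%-5v rendered=%q\n", c.label, o.label, NeedsEvaluation(out), strings.TrimSpace(out))
		}
	}
}
```

With the "before" ordering, a binding whose roleRef is a Role still renders to `type: object`, so a schema that was never meant for it reaches the validator; with the "after" ordering the same object renders to newlines only and is skipped, while an ordinary ClusterRole binding still produces the full schema.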

fairwinds-insights[bot] commented 6 months ago

Fairwinds Insights Scan Results

View the Full Report

:white_check_mark: No new Action Items detected!

rbren commented 6 months ago

For posterity, here's the line that makes this work: https://github.com/FairwindsOps/polaris/blob/0b765df04db2960bb744ab3dcb23fdbe304cbcde/pkg/config/schema.go#L243