Add namespace checking on rego #13
Conversation
kevindiu
changed the title
|
Hi @kevindiu , thank you for raising the PR! |
|
Hi @mcieplak, |
| @@ -51,7 +51,7 @@ data: | |||
| pod_name = k8s_claims.pod.name | |||
|
|
|||
| pod_verified = true { | |||
| input.service = input.service | |||
| pod_ns = k8s_claims.namespace | |||
There was a problem hiding this comment.
This line is actually equivalent to the what's currently checked below here:
https://github.com/yahoo/k8s-athenz-identity/blob/7689cbdb69b81f214f65e0162e1d3e5901da7462/k8s/identity-validation.rego.yaml#L59
This will compare the pod namespace is equal to what is in the claim.
| @@ -51,7 +51,7 @@ data: | |||
| pod_name = k8s_claims.pod.name | |||
|
|
|||
| pod_verified = true { | |||
| input.service = input.service | |||
There was a problem hiding this comment.
This can definitely be removed as it is comparing the same service string with itself. The subsequent line does the comparison of the input.service against the service account name that is needed.
I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.