fix: tighten the VAP rule for all managed resources #1212
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nwnt
force-pushed
the
tighten-managed-resource-rule
branch
from
ae2114c to
8b3fada
Compare
nwnt
changed the title
Signed-off-by: Nont <nont@duck.com>
nwnt
force-pushed
the
tighten-managed-resource-rule
branch
from
8b3fada to
840e808
Compare
jim-minter
reviewed
Oct 20, 2025
| // Verify initial state | ||
| if vap == nil { | ||
| t.Fatal("getVAPWithMutator() returned nil VAP") | ||
| return |
Member
There was a problem hiding this comment.
Surprised this is needed - I thought t.Fatal() will not execute further.
Contributor
Author
There was a problem hiding this comment.
I got a lint error/warning from not having this.
Contributor
Author
There was a problem hiding this comment.
I couldn't remember what it was that gave this warning/error, but I have gone ahead and remove this from it. Let's see if I'm going to get a lint error from the checks.
jim-minter
reviewed
Oct 20, 2025
added 2 commits
October 21, 2025 13:38
Signed-off-by: Nont <nont@duck.com>
Signed-off-by: Nont <nont@duck.com>
nibooy
reviewed
Oct 21, 2025
| "system:masters" in request.userInfo.groups || | ||
| "system:serviceaccounts:kube-system" in request.userInfo.groups || | ||
| "system:serviceaccounts:fleet-system" in request.userInfo.groups || | ||
| "system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups |
Contributor
There was a problem hiding this comment.
Suggested change
| "system:serviceaccounts:openshift-kube-controller-manager" in request.userInfo.groups |
You can remove this condition since the new condition added below should properly handle OCP clusters
Contributor
Author
There was a problem hiding this comment.
That clause is now removed, so is the || operator before it.
Signed-off-by: Nont <nont@duck.com>
nibooy
approved these changes
Oct 22, 2025
ryanzhang-oss
approved these changes
Oct 22, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of your changes
Fixes # bug that the VAP can be deleted and enhanced it so that it covers all managed resources.
I have:
make reviewableto ensure this PR is ready for review.How has this code been tested
Tested with unit tests and e2e locally.
Special notes for your reviewer
n/a