diff --git a/Cargo.lock b/Cargo.lock new file mode 100644 index 0000000..17014af --- /dev/null +++ b/Cargo.lock 
@@ -0,0 +1,428 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "anyhow" +version = "1.0.47" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "38d9ff5d688f1c13395289f67db01d4826b46dd694e7580accdc3e8430f2d98e" + +[[package]] +name = "autocfg" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cdb031dd78e28731d87d56cc8ffef4a8f36ca26c38fe2de700543e627f8a464a" + +[[package]] +name = "base64" +version = "0.13.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" + +[[package]] +name = "bytes" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8" + +[[package]] +name = "chrono" +version = "0.4.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "670ad68c9088c2a963aaa298cb369688cf3f9465ce5e2d4ca10e6e0098a1ce73" +dependencies = [ + "libc", + "num-integer", + "num-traits", + "serde", + "time", + "winapi", +] + +[[package]] +name = "fnv" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" + +[[package]] +name = "form_urlencoded" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191" +dependencies = [ + "matches", + "percent-encoding", +] + +[[package]] +name = "http" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1323096b05d41827dadeaee54c9981958c0f94e670bc94ed80037d1a7b8b186b" +dependencies = [ + "bytes", + "fnv", + "itoa", +] + +[[package]] +name = "idna" +version = "0.2.3" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8" +dependencies = [ + "matches", + "unicode-bidi", + "unicode-normalization", +] + +[[package]] +name = "itoa" +version = "0.4.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4" + +[[package]] +name = "k8s-openapi" +version = "0.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bcc1f973542059e6d5a6d63de6a9539d0ec784f82b2327f3c1915d33200bc6a4" +dependencies = [ + "base64", + "bytes", + "chrono", + "http", + "percent-encoding", + "serde", + "serde-value", + "serde_json", + "url", +] + +[[package]] +name = "kubewarden-policy-sdk" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "61a46677c118ebeff46e1d3b09450715270366482a5b0cbeb8ef04152f7b4605" +dependencies = [ + "anyhow", + "k8s-openapi", + "num", + "num-derive", + "num-traits", + "serde", + "serde_json", + "slog", + "wapc-guest", +] + +[[package]] +name = "lazy_static" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" + +[[package]] +name = "libc" +version = "0.2.107" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fbe5e23404da5b4f555ef85ebed98fb4083e55a00c317800bc2a50ede9f3d219" + +[[package]] +name = "matches" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f" + +[[package]] +name = "num" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "43db66d1170d347f9a065114077f7dccb00c1b9478c89384490a3425279a4606" +dependencies = [ + "num-bigint", + "num-complex", + "num-integer", + "num-iter", + "num-rational", + 
"num-traits", +] + +[[package]] +name = "num-bigint" +version = "0.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-complex" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "26873667bbbb7c5182d4a37c1add32cdf09f841af72da53318fdb81543c15085" +dependencies = [ + "num-traits", +] + +[[package]] +name = "num-derive" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "876a53fff98e03a936a674b29568b0e605f06b29372c2489ff4de23f1949743d" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "num-integer" +version = "0.1.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db" +dependencies = [ + "autocfg", + "num-traits", +] + +[[package]] +name = "num-iter" +version = "0.1.42" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b2021c8337a54d21aca0d59a92577a029af9431cb59b909b03252b9c164fad59" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-rational" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d41702bd167c2df5520b384281bc111a4b5efcf7fbc4c9c222c815b07e0a6a6a" +dependencies = [ + "autocfg", + "num-bigint", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-traits" +version = "0.2.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290" +dependencies = [ + "autocfg", +] + +[[package]] +name = "ordered-float" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"97c9d06878b3a851e8026ef94bf7fef9ba93062cd412601da4d9cf369b1cc62d" +dependencies = [ + "num-traits", +] + +[[package]] +name = "percent-encoding" +version = "2.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e" + +[[package]] +name = "proc-macro2" +version = "1.0.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba508cc11742c0dc5c1659771673afbab7a0efab23aa17e854cbab0837ed0b43" +dependencies = [ + "unicode-xid", +] + +[[package]] +name = "psp-flexvolume-drivers" +version = "0.1.0" +dependencies = [ + "k8s-openapi", + "kubewarden-policy-sdk", + "serde", + "serde_json", + "wapc-guest", +] + +[[package]] +name = "quote" +version = "1.0.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "38bc8cc6a5f2e3655e0899c1b848643b2562f853f114bfec7be120678e3ace05" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "ryu" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "71d301d4193d031abdd79ff7e3dd721168a9572ef3fe51a1517aba235bd8f86e" + +[[package]] +name = "serde" +version = "1.0.130" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f12d06de37cf59146fbdecab66aa99f9fe4f78722e3607577a5375d66bd0c913" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde-value" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c" +dependencies = [ + "ordered-float", + "serde", +] + +[[package]] +name = "serde_derive" +version = "1.0.130" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d7bc1a1ab1961464eae040d96713baa5a724a8152c1222492465b54322ec508b" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.71" +source = 
"registry+https://github.com/rust-lang/crates.io-index" +checksum = "063bf466a64011ac24040a49009724ee60a57da1b437617ceb32e53ad61bfb19" +dependencies = [ + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "slog" +version = "2.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8347046d4ebd943127157b94d63abb990fcf729dc4e9978927fdf4ac3c998d06" + +[[package]] +name = "syn" +version = "1.0.81" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2afee18b8beb5a596ecb4a2dce128c719b4ba399d34126b9e4396e3f9860966" +dependencies = [ + "proc-macro2", + "quote", + "unicode-xid", +] + +[[package]] +name = "time" +version = "0.1.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255" +dependencies = [ + "libc", + "wasi", + "winapi", +] + +[[package]] +name = "tinyvec" +version = "1.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2c1c1d5a42b6245520c249549ec267180beaffcc0615401ac8e31853d4b6d8d2" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c" + +[[package]] +name = "unicode-bidi" +version = "0.3.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a01404663e3db436ed2746d9fefef640d868edae3cceb81c3b8d5732fda678f" + +[[package]] +name = "unicode-normalization" +version = "0.1.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d54590932941a9e9266f0832deed84ebe1bf2e4c9e4a3554d393d18f5e854bf9" +dependencies = [ + "tinyvec", +] + +[[package]] +name = "unicode-xid" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3" + +[[package]] +name 
= "url" +version = "2.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a507c383b2d33b5fc35d1861e77e6b383d158b2da5e14fe51b83dfedf6fd578c" +dependencies = [ + "form_urlencoded", + "idna", + "matches", + "percent-encoding", +] + +[[package]] +name = "wapc-guest" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "47cbd9d778b9718eda797278936f93f25ce81064fe26f0bb6a710cd51315f00b" +dependencies = [ + "lazy_static", +] + +[[package]] +name = "wasi" +version = "0.10.0+wasi-snapshot-preview1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f" + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" diff --git a/Cargo.toml b/Cargo.toml index a8943d0..9e52dd6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,8 +12,6 @@ crate-type = ["cdylib"] [dependencies] k8s-openapi = { version = "0.11.0", features = ["v1_20"] } kubewarden-policy-sdk = "0.2.3" -lazy_static = "1.4" serde = { version = "1.0", features = ["derive"] } serde_json = "1.0" -slog = "2.7" wapc-guest = "0.4.0" \ No newline at end of file diff --git a/README.md b/README.md index 5d6bfac..dc5c2be 100644 --- a/README.md +++ b/README.md 
@@ -1,25 +1,27 @@ -Please, note well: this file and the scaffold were generated from [a -template](https://github.com/kubewarden/policy-rust-template). Make -this project yours! - # Kubewarden policy psp-flexvolume-drivers ## Description -This policy will reject pods that have a name `invalid-pod-name`. If -the pod to be validated has a different name, or if a different type -of resource is evaluated, it will be accepted. +Replacement for the Kubernetes Pod Security Policy that controls Flex Volume drivers. ## Settings -This policy has no configurable settings. This would be a good place -to document if yours does, and what behaviors can be configured by -tweaking them. +This policy allows to provide a list of allowed Flex Volume drivers. + +The configuration supports a list of allowed flex volume drivers. An example follows: + +```yaml +allowedFlexVolumes: + - driver: example/lvm + - driver: example/cifs +``` + +If the pod to be evaluated has a different driver on any `flexVolume` volume, it will be rejected. ## License ``` -Copyright (C) 2021 Rafael Fernández López +Copyright (C) 2021 Rafael Fernández López Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/hub.yml b/hub.yml index 1fda445..8d7329a 100644 --- a/hub.yml +++ b/hub.yml 
@@ -1,16 +1,20 @@ name: psp-flexvolume-drivers -description: DESCRIPTION OF YOUR POLICY -homepage: POLICY HOMEPAGE URL +description: Replacement for the Kubernetes Pod Security Policy that controls the allowed `flexVolume` drivers +homepage: https://github.com/kubewarden/psp-flexvolume-drivers author: - name: Rafael Fernández López - homepage: https://author1.website + name: Kubewarden devs + homepage: https://github.com/kubewarden download: # Important: leave the __TAG__ around: this is automatically replaced with the value of the git tag registry: ghcr.io/kubewarden/policies/psp-flexvolume-drivers:__TAG__ # url is optional - url: https://github.com/yourorg/psp-flexvolume-drivers/releases/download/__TAG__/policy.wasm + url: https://github.com/kubwarden/psp-flexvolume-drivers/releases/download/__TAG__/policy.wasm keywords: - - this is freeform + - PSP + - Container + - Runtime + - Flex Volume + - Flex resources: - Pod mutation: false diff --git a/metadata.yml b/metadata.yml index 998ed9c..88e9e05 100644 --- a/metadata.yml +++ b/metadata.yml 
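Review bot: The new `url` under `download` points at the `kubwarden` GitHub namespace, one letter short of the `kubewarden` used for `homepage`, the author homepage and the `ghcr.io/kubewarden/...` registry entry in this same hunk. Anyone following that link would fetch `policy.wasm` from a namespace the project presumably does not control, which is a supply-chain risk for a policy binary that runs in an admission path. It should read `url: https://github.com/kubewarden/psp-flexvolume-drivers/releases/download/__TAG__/policy.wasm`.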
@@ -8,12 +8,20 @@ contextAware: false executionMode: kubewarden-wapc annotations: io.kubewarden.policy.title: psp-flexvolume-drivers - io.kubewarden.policy.description: Short description - io.kubewarden.policy.author: Rafael Fernández López - io.kubewarden.policy.url: https://github.com/yourorg/psp-flexvolume-drivers - io.kubewarden.policy.source: https://github.com/yourorg/psp-flexvolume-drivers + io.kubewarden.policy.description: Replacement for the Kubernetes Pod Security Policy that controls the allowed `flexVolume` drivers + io.kubewarden.policy.author: Rafael Fernández López + io.kubewarden.policy.url: https://github.com/kubewarden/psp-flexvolume-drivers + io.kubewarden.policy.source: https://github.com/kubewarden/psp-flexvolume-drivers io.kubewarden.policy.license: Apache-2.0 io.kubewarden.policy.usage: | - Long explaination. + This policy allows to provide a list of allowed Flex Volume drivers. - **Note well:** this can be Markdown text + The configuration supports a list of allowed flex volume drivers. An example follows: + + ```yaml + allowedFlexVolumes: + - driver: example/lvm + - driver: example/cifs + ``` + + If the pod to be evaluated has a different driver on any `flexVolume` volume, it will be rejected. diff --git a/src/lib.rs b/src/lib.rs index 4c7c6be..dcdbddf 100644 --- a/src/lib.rs +++ b/src/lib.rs 
@@ -1,25 +1,14 @@ -use lazy_static::lazy_static; - extern crate wapc_guest as guest; use guest::prelude::*; use k8s_openapi::api::core::v1 as apicore; extern crate kubewarden_policy_sdk as kubewarden; -use kubewarden::{logging, protocol_version_guest, request::ValidationRequest, validate_settings}; +use kubewarden::{protocol_version_guest, request::ValidationRequest, validate_settings}; mod settings; use settings::Settings; -use slog::{info, o, warn, Logger}; - -lazy_static! { - static ref LOG_DRAIN: Logger = Logger::root( - logging::KubewardenDrain::new(), - o!("policy" => "sample-policy") - ); -} - #[no_mangle] pub extern "C" fn wapc_init() { register_function("validate", validate); 
@@ -30,35 +19,41 @@ pub extern "C" fn wapc_init() { fn validate(payload: &[u8]) -> CallResult { let validation_request: ValidationRequest = ValidationRequest::new(payload)?; - info!(LOG_DRAIN, "starting validation"); - - // TODO: you can unmarshal any Kubernetes API type you are interested in - match serde_json::from_value::(validation_request.request.object) { - Ok(pod) => { - // TODO: your logic goes here - if pod.metadata.name == Some("invalid-pod-name".to_string()) { - let pod_name = pod.metadata.name.unwrap(); - info!( - LOG_DRAIN, - "rejecting pod"; - "pod_name" => &pod_name - ); - kubewarden::reject_request( - Some(format!("pod name {} is not accepted", &pod_name)), - None, - ) - } else { - info!(LOG_DRAIN, "accepting resource"); - kubewarden::accept_request() - } - } - Err(_) => { - // TODO: handle as you wish - // We were forwarded a request we cannot unmarshal or - // understand, just accept it - warn!(LOG_DRAIN, "cannot unmarshal resource: this policy does not know how to evaluate this resource; accept it"); - kubewarden::accept_request() - } + let pod = match serde_json::from_value::(validation_request.request.object) { + Ok(pod) => pod, + Err(_) => return kubewarden::accept_request(), + }; + + let pod_spec = pod.spec.ok_or("invalid pod spec")?; + let settings = validation_request.settings; + + if any_invalid_flexvolume_driver( + pod_spec, + settings + .allowed_flex_volumes + .iter() + .map(|flex_volume| flex_volume.driver.clone()) + .collect(), + ) { + return kubewarden::reject_request( + Some("Pod has at least one invalid flex volume driver".to_string()), + None, + ); + } + + kubewarden::accept_request() +} + +fn any_invalid_flexvolume_driver( + pod_spec: apicore::PodSpec, + allowed_flex_volumes: Vec, +) -> bool { + match &pod_spec.volumes { + Some(volumes) => volumes.iter().any(|volume| match &volume.flex_volume { + Some(flex_volume) => !allowed_flex_volumes.contains(&flex_volume.driver), + None => false, + }), + None => false, } } 
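Review bot: The `Err(_) => return kubewarden::accept_request()` arm in `validate` admits any object that fails to deserialize as a Pod, so a Pod that the `v1_20` k8s-openapi model cannot parse skips the driver check entirely. If the policy is only ever registered for Pods (hub.yml lists just `Pod` under `resources`), failing closed is the safer default: `Err(e) => return kubewarden::reject_request(Some(format!("cannot decode Pod: {}", e)), None),`. Otherwise, accept only when the request's kind is not Pod. With the `slog` calls removed this path is now silent, and the rejection message `Pod has at least one invalid flex volume driver` does not name the offending driver, which makes denied admissions harder to audit. As a smaller style point, `any_invalid_flexvolume_driver` could borrow its arguments instead of taking an owned `PodSpec` and a freshly cloned `Vec` of driver names.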
@@ -66,65 +61,107 @@ fn validate(payload: &[u8]) -> CallResult { mod tests { use super::*; - use kubewarden_policy_sdk::test::Testcase; - #[test] - fn accept_pod_with_valid_name() -> Result<(), ()> { - let request_file = "test_data/pod_creation.json"; - let tc = Testcase { - name: String::from("Valid name"), - fixture_file: String::from(request_file), - expected_validation_result: true, - settings: Settings {}, - }; - - let res = tc.eval(validate).unwrap(); - assert!( - res.mutated_object.is_none(), - "Something mutated with test case: {}", - tc.name, - ); + fn no_volumes_accepts_with_no_containers() { + let allowed_flex_volumes = vec!["example/lvm".to_string(), "example/cifs".to_string()]; - Ok(()) + assert!(!any_invalid_flexvolume_driver( + apicore::PodSpec::default(), + allowed_flex_volumes + )); } #[test] - fn reject_pod_with_invalid_name() -> Result<(), ()> { - let request_file = "test_data/pod_creation_invalid_name.json"; - let tc = Testcase { - name: String::from("Bad name"), - fixture_file: String::from(request_file), - expected_validation_result: false, - settings: Settings {}, - }; - - let res = tc.eval(validate).unwrap(); - assert!( - res.mutated_object.is_none(), - "Something mutated with test case: {}", - tc.name, - ); + fn a_valid_volume_accepts() { + let allowed_flex_volumes = vec!["example/lvm".to_string(), "example/cifs".to_string()]; + + assert!(!any_invalid_flexvolume_driver( + apicore::PodSpec { + volumes: Some(vec![apicore::Volume { + flex_volume: Some(apicore::FlexVolumeSource { + driver: "example/lvm".to_string(), + ..apicore::FlexVolumeSource::default() + }), + ..apicore::Volume::default() + }]), + ..apicore::PodSpec::default() + }, + allowed_flex_volumes + )); + } - Ok(()) + #[test] + fn an_invalid_volume_rejects() { + let allowed_flex_volumes = vec!["example/lvm".to_string(), "example/cifs".to_string()]; + + assert!(any_invalid_flexvolume_driver( + apicore::PodSpec { + volumes: Some(vec![apicore::Volume { + flex_volume: 
Some(apicore::FlexVolumeSource { + driver: "example/other".to_string(), + ..apicore::FlexVolumeSource::default() + }), + ..apicore::Volume::default() + }]), + ..apicore::PodSpec::default() + }, + allowed_flex_volumes + )); } #[test] - fn accept_request_with_non_pod_resource() -> Result<(), ()> { - let request_file = "test_data/ingress_creation.json"; - let tc = Testcase { - name: String::from("Ingress creation"), - fixture_file: String::from(request_file), - expected_validation_result: true, - settings: Settings {}, - }; - - let res = tc.eval(validate).unwrap(); - assert!( - res.mutated_object.is_none(), - "Something mutated with test case: {}", - tc.name, - ); + fn some_invalid_volume_rejects() { + let allowed_flex_volumes = vec!["example/lvm".to_string(), "example/cifs".to_string()]; + + assert!(any_invalid_flexvolume_driver( + apicore::PodSpec { + volumes: Some(vec![ + apicore::Volume { + flex_volume: Some(apicore::FlexVolumeSource { + driver: "example/cifs".to_string(), + ..apicore::FlexVolumeSource::default() + }), + ..apicore::Volume::default() + }, + apicore::Volume { + flex_volume: Some(apicore::FlexVolumeSource { + driver: "example/other".to_string(), + ..apicore::FlexVolumeSource::default() + }), + ..apicore::Volume::default() + } + ]), + ..apicore::PodSpec::default() + }, + allowed_flex_volumes + )); + } - Ok(()) + #[test] + fn no_invalid_volume_accepts() { + let allowed_flex_volumes = vec!["example/lvm".to_string(), "example/cifs".to_string()]; + + assert!(!any_invalid_flexvolume_driver( + apicore::PodSpec { + volumes: Some(vec![ + apicore::Volume { + flex_volume: Some(apicore::FlexVolumeSource { + driver: "example/cifs".to_string(), + ..apicore::FlexVolumeSource::default() + }), + ..apicore::Volume::default() + }, + apicore::Volume { + flex_volume: Some(apicore::FlexVolumeSource { + driver: "example/lvm".to_string(), + ..apicore::FlexVolumeSource::default() + }), + ..apicore::Volume::default() + } + ]), + ..apicore::PodSpec::default() + }, + 
allowed_flex_volumes + )); } } diff --git a/src/settings.rs b/src/settings.rs index 8aeb9cd..679355e 100644 --- a/src/settings.rs +++ b/src/settings.rs @@ -1,34 +1,19 @@ -use crate::LOG_DRAIN; - use serde::{Deserialize, Serialize}; -use slog::info; -// Describe the settings your policy expects when -// loaded by the policy server. #[derive(Serialize, Deserialize, Default, Debug)] #[serde(default)] -pub(crate) struct Settings {} - -impl kubewarden::settings::Validatable for Settings { - fn validate(&self) -> Result<(), String> { - info!(LOG_DRAIN, "starting settings validation"); - - // TODO: perform settings validation if applies - Ok(()) - } +pub(crate) struct Settings { + #[serde(rename = "allowedFlexVolumes")] + pub(crate) allowed_flex_volumes: Vec, } -#[cfg(test)] -mod tests { - use super::*; - - use kubewarden_policy_sdk::settings::Validatable; - - #[test] - fn validate_settings() -> Result<(), ()> { - let settings = Settings {}; +#[derive(Serialize, Deserialize, Debug)] +pub(crate) struct Driver { + pub(crate) driver: String, +} - assert!(settings.validate().is_ok()); +impl kubewarden::settings::Validatable for Settings { + fn validate(&self) -> Result<(), String> { Ok(()) } }
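Review bot: The new tests call only `any_invalid_flexvolume_driver`, so once the `Testcase`-based tests are removed nothing exercises `validate` itself. The decoding of `allowedFlexVolumes` from settings, the accept-on-decode-failure arm and the `invalid pod spec` error path are all untested. Consider keeping one `Testcase` fixture per outcome (allowed driver, disallowed driver, non-Pod object) with a non-empty `Settings`. A test with an empty allow list and a flexVolume present would pin the default behaviour, and `no_volumes_accepts_with_no_containers` would read better as `no_volumes_accepts`, since no containers are involved.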
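Review bot: `Settings::validate` returns `Ok(())` unconditionally, so an entry with an empty `driver` is accepted, and because of `#[serde(default)]` a missing or misspelled `allowedFlexVolumes` key silently becomes an empty list. As `validate` in src/lib.rs is written, an empty list rejects every Pod that has a flexVolume, whereas the PodSecurityPolicy field this replaces treated an empty list as no restriction. Whichever is intended should be stated in a doc comment on `allowed_flex_volumes` and in the README. A minimal check would be `if self.allowed_flex_volumes.iter().any(|d| d.driver.trim().is_empty()) { return Err("allowedFlexVolumes: driver must not be empty".to_string()); }`. Adding `#[serde(deny_unknown_fields)]` on `Settings` would surface key typos at load time, provided the policy server passes no extra keys.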