Add a prefix to all generated lists/rules

mstemm · poiana · commit f82c27e6155f · 2019-10-22T10:44:04.000+02:00
Add the ability to add a prefix to all generated lists, macros, and
rules. This makes it easier to load multiple rules files generated from
different PSPs without the generated rules/macros/lists overlapping with
each other.

The actual prefix to add is provided as a parameter to
NewConverter(). It can be a blank string, in which case the PSP name is
used as the prefix. If the name is missing for some reason, use the
string "psp".

Signed-off-by: Mark Stemm &lt;mark.stemm@gmail.com&gt;
diff --git a/cmd/psp_conv.go b/cmd/psp_conv.go
@@ -85,7 +85,7 @@ func convertPspFalcoRules(pspPath string, rulesPath string) error {
 
 	psp, err := ioutil.ReadAll(pspFile)
 
-	conv, err := converter.NewConverter(debugLog, infoLog, errorLog)
+	conv, err := converter.NewConverter("", debugLog, infoLog, errorLog)
 	if err != nil {
 		return fmt.Errorf("Could not create converter: %v", err)
 	}
diff --git a/pkg/converter/psp/converter.go b/pkg/converter/psp/converter.go
@@ -36,12 +36,18 @@ import (
 type LogFunc func(format string, args ...interface{})
 
 type Converter struct {
+	namePrefix string
 	pspTmpl  *template.Template
 	debugLog LogFunc
 	infoLog  LogFunc
 	errorLog LogFunc
 }
 
+type PspTemplate struct {
+	NamePrefix string
+	v1beta1.PodSecurityPolicy
+}
+
 func joinProcMountTypes(procMountTypes []v1.ProcMountType) string {
 	var sb strings.Builder
 
@@ -153,7 +159,7 @@ func allowPrivilegeEscalation(spec v1beta1.PodSecurityPolicySpec) bool {
 	return true
 }
 
-func NewConverter(debugLog LogFunc, infoLog LogFunc, errorLog LogFunc) (*Converter, error) {
+func NewConverter(namePrefix string, debugLog LogFunc, infoLog LogFunc, errorLog LogFunc) (*Converter, error) {
 
 	tmpl := template.New("pspRules")
 
@@ -175,6 +181,7 @@ func NewConverter(debugLog LogFunc, infoLog LogFunc, errorLog LogFunc) (*Convert
 	}
 
 	return &Converter{
+		namePrefix: namePrefix,
 		pspTmpl:  tmpl,
 		debugLog: debugLog,
 		infoLog:  infoLog,
@@ -184,7 +191,7 @@ func NewConverter(debugLog LogFunc, infoLog LogFunc, errorLog LogFunc) (*Convert
 
 func (c *Converter) GenerateRules(pspString string) (string, error) {
 
-	psp := v1beta1.PodSecurityPolicy{}
+	pspTemplateArgs := PspTemplate{}
 
 	c.debugLog("GenerateRules() pspString=%s", pspString)
 
@@ -193,26 +200,38 @@ func (c *Converter) GenerateRules(pspString string) (string, error) {
 		return "", fmt.Errorf("Could not convert generic yaml document to json: %v", err)
 	}
 
-	err = json.Unmarshal(pspJSON, &psp)
+	err = json.Unmarshal(pspJSON, &pspTemplateArgs)
 
 	if err != nil {
 		return "", fmt.Errorf("Could not unmarshal json document: %v", err)
 	}
 
-	c.debugLog("PSP Object: %v", psp)
+	// If namePrefix is empty, use the psp name as the prefix. If
+	// that is missing, use "psp".
+	if c.namePrefix == "" {
+		if pspTemplateArgs.Name == "" {
+			pspTemplateArgs.NamePrefix = "psp"
+		} else {
+			pspTemplateArgs.NamePrefix = pspTemplateArgs.Name
+		}
+	} else {
+		pspTemplateArgs.NamePrefix = c.namePrefix
+	}
+
+	c.debugLog("PSP Object: %v", pspTemplateArgs)
 
 	// The generated rules need a set of images for which
 	// to scope the rules. A annotation with the key
 	// "falco-rules-psp-images" provides the list of images.
-	if _, ok := psp.Annotations["falco-rules-psp-images"]; !ok {
+	if _, ok := pspTemplateArgs.Annotations["falco-rules-psp-images"]; !ok {
 		return "", fmt.Errorf("PSP YAML document does not have an annotation \"falco-rules-psp-images\" that lists the images for which the generated rules should apply")
 	}
 
-	c.debugLog("Images %v", psp.Annotations["falco-rules-psp-images"])
+	c.debugLog("Images %v", pspTemplateArgs.Annotations["falco-rules-psp-images"])
 
 	var rulesB bytes.Buffer
 
-	err = c.pspTmpl.Execute(&rulesB, psp)
+	err = c.pspTmpl.Execute(&rulesB, pspTemplateArgs)
 
 	if err != nil {
 		return "", fmt.Errorf("Could not convert PSP to Falco Rules: %v", err)
diff --git a/pkg/converter/psp/k8s_psp_rules_template.go b/pkg/converter/psp/k8s_psp_rules_template.go

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ func convertPspFalcoRules(pspPath string, rulesPath string) error {`
`85`	`85`
`86`	`86`	`psp, err := ioutil.ReadAll(pspFile)`
`87`	`87`
`88`		`- conv, err := converter.NewConverter(debugLog, infoLog, errorLog)`
	`88`	`+ conv, err := converter.NewConverter("", debugLog, infoLog, errorLog)`
`89`	`89`	`if err != nil {`
`90`	`90`	`return fmt.Errorf("Could not create converter: %v", err)`
`91`	`91`	`}`