chore: annotate mutations in policies (#236)

## Description Give users better information about when a resource is mutated by a policy (e.g. Require Non Root User mutates security contexts if undefined or `uds` labels are set). ## Related Issue Resolves #212 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [x] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md)(https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed
defenseunicorns · Mar 8, 2024 · cc9db50 · cc9db50
1 parent 05c903e
commit cc9db50
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/src/pepr/policies/common.ts b/src/pepr/policies/common.ts
@@ -1,5 +1,6 @@
-import { V1SecurityContext, V1Container } from "@kubernetes/client-node";
+import { KubernetesObject, V1Container, V1SecurityContext } from "@kubernetes/client-node";
 import { Capability, PeprMutateRequest, PeprValidateRequest, a } from "pepr";
+import { Policy } from "../operator/crd";
 
 export type Ctx = {
   name?: string;
@@ -90,3 +91,17 @@ export function isIstioInitContainer(
   // If we get here, it's an istio init container
   return true;
 }
+
+function transform(policy: Policy) {
+  return policy
+    .split(/(?=[A-Z])/)
+    .join("-")
+    .toLowerCase();
+}
+
+export function annotateMutation<T extends KubernetesObject>(
+  request: PeprMutateRequest<T>,
+  policy: Policy,
+) {
+  request.SetAnnotation(`policies.uds.core/mutated`, transform(policy));
+}
diff --git a/src/pepr/policies/security.ts b/src/pepr/policies/security.ts
@@ -2,7 +2,13 @@ import { a } from "pepr";
 
 import { V1SecurityContext } from "@kubernetes/client-node";
 import { Policy } from "../operator/crd";
-import { When, containers, securityContextContainers, securityContextMessage } from "./common";
+import {
+  When,
+  annotateMutation,
+  containers,
+  securityContextContainers,
+  securityContextMessage,
+} from "./common";
 import { isExempt, markExemption } from "./exemptions";
 
 /**
@@ -97,6 +103,8 @@ When(a.Pod)
     if (pod.securityContext.runAsGroup === undefined) {
       pod.securityContext.runAsGroup = 1000;
     }
+
+    annotateMutation(request, Policy.RequireNonRootUser);
   })
   .Validate(request => {
     if (isExempt(request, Policy.RequireNonRootUser)) {
@@ -316,6 +324,7 @@ When(a.Pod)
       container.securityContext.capabilities = container.securityContext.capabilities || {};
       container.securityContext.capabilities.drop = ["ALL"];
     }
+    annotateMutation(request, Policy.DropAllCapabilities);
   })
   .Validate(request => {
     if (isExempt(request, Policy.DropAllCapabilities)) {