fix: add detail messages to deletion namespace targets

Author: georgibaltiev

pkg/provider/managedk8s/ruleset/securityhardenedk8s/rules/2000.go

@@ -55,6 +55,11 @@ func (r *Rule2000) Severity() rule.SeverityLevel {
 }
 
 func (r *Rule2000) Run(ctx context.Context) (rule.RuleResult, error) {
+	const (
+		namespaceDeletionWithoutPodsMessage = "namespace is marked for deletion - no pods are deployed on it"
+		namespaceDeletionWithPodsMessage    = "namespace is marked for deletion - there are still pods deployed on it"
+	)
+
 	networkPolicies, err := kubeutils.GetNetworkPolicies(ctx, r.Client, "", labels.NewSelector(), 300)
 	if err != nil {
 		return rule.Result(r, rule.ErroredCheckResult(err.Error(), rule.NewTarget("kind", "ServiceList"))), nil
@@ -154,15 +159,15 @@ func (r *Rule2000) Run(ctx context.Context) (rule.RuleResult, error) {
 					checkResults = append(checkResults, rule.ErroredCheckResult(err.Error(), rule.NewTarget()))
 				} else if len(pods) > 0 {
 					if allowsAllIngress {
-						checkResults = append(checkResults, rule.FailedCheckResult("All Ingress traffic is allowed by default.", allowsAllIngressTarget))
+						checkResults = append(checkResults, rule.FailedCheckResult("All Ingress traffic is allowed by default.", allowsAllIngressTarget.With("details", namespaceDeletionWithPodsMessage)))
 					} else {
-						checkResults = append(checkResults, rule.FailedCheckResult("Ingress traffic is not denied by default.", target))
+						checkResults = append(checkResults, rule.FailedCheckResult("Ingress traffic is not denied by default.", target.With("details", namespaceDeletionWithPodsMessage)))
 					}
 				} else {
 					if allowsAllIngress {
-						checkResults = append(checkResults, rule.WarningCheckResult("All Ingress traffic is allowed by default.", allowsAllIngressTarget))
+						checkResults = append(checkResults, rule.WarningCheckResult("All Ingress traffic is allowed by default.", allowsAllIngressTarget.With("details", namespaceDeletionWithoutPodsMessage)))
 					} else {
-						checkResults = append(checkResults, rule.WarningCheckResult("Ingress traffic is not denied by default.", target))
+						checkResults = append(checkResults, rule.WarningCheckResult("Ingress traffic is not denied by default.", target.With("details", namespaceDeletionWithoutPodsMessage)))
 					}
 				}
 			}
@@ -200,15 +205,15 @@ func (r *Rule2000) Run(ctx context.Context) (rule.RuleResult, error) {
 					checkResults = append(checkResults, rule.ErroredCheckResult(err.Error(), rule.NewTarget()))
 				} else if len(pods) > 0 {
 					if allowsAllEgress {
-						checkResults = append(checkResults, rule.FailedCheckResult("All Egress traffic is allowed by default.", allowsAllEgressTarget))
+						checkResults = append(checkResults, rule.FailedCheckResult("All Egress traffic is allowed by default.", allowsAllEgressTarget.With("details", namespaceDeletionWithPodsMessage)))
 					} else {
-						checkResults = append(checkResults, rule.FailedCheckResult("Egress traffic is not denied by default.", target))
+						checkResults = append(checkResults, rule.FailedCheckResult("Egress traffic is not denied by default.", target.With("details", namespaceDeletionWithPodsMessage)))
 					}
 				} else {
 					if allowsAllEgress {
-						checkResults = append(checkResults, rule.WarningCheckResult("All Egress traffic is allowed by default.", allowsAllEgressTarget))
+						checkResults = append(checkResults, rule.WarningCheckResult("All Egress traffic is allowed by default.", allowsAllEgressTarget.With("details", namespaceDeletionWithoutPodsMessage)))
 					} else {
-						checkResults = append(checkResults, rule.WarningCheckResult("Egress traffic is not denied by default.", target))
+						checkResults = append(checkResults, rule.WarningCheckResult("Egress traffic is not denied by default.", target.With("details", namespaceDeletionWithoutPodsMessage)))
 					}
 				}
 			}

pkg/provider/managedk8s/ruleset/securityhardenedk8s/rules/2000_test.go

@@ -553,7 +553,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Failed,
 						Message: "All Ingress traffic is allowed by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-ingress"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-ingress", "details", "namespace is marked for deletion - there are still pods deployed on it"),
 					},
 					{
 						Status:  rule.Passed,
@@ -586,7 +586,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Failed,
 						Message: "All Egress traffic is allowed by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-egress"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-egress", "details", "namespace is marked for deletion - there are still pods deployed on it"),
 					},
 				},
 			),
@@ -608,7 +608,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Failed,
 						Message: "Ingress traffic is not denied by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "details", "namespace is marked for deletion - there are still pods deployed on it"),
 					},
 					{
 						Status:  rule.Passed,
@@ -640,7 +640,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Failed,
 						Message: "Egress traffic is not denied by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "details", "namespace is marked for deletion - there are still pods deployed on it"),
 					},
 				},
 			),
@@ -663,7 +663,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Warning,
 						Message: "All Ingress traffic is allowed by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-ingress"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-ingress", "details", "namespace is marked for deletion - no pods are deployed on it"),
 					},
 					{
 						Status:  rule.Passed,
@@ -696,7 +696,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Warning,
 						Message: "All Egress traffic is allowed by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-egress"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "kind", "NetworkPolicy", "name", "allow-egress", "details", "namespace is marked for deletion - no pods are deployed on it"),
 					},
 				},
 			),
@@ -718,7 +718,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Warning,
 						Message: "Ingress traffic is not denied by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "details", "namespace is marked for deletion - no pods are deployed on it"),
 					},
 					{
 						Status:  rule.Passed,
@@ -750,7 +750,7 @@ var _ = Describe("#2000", func() {
 					{
 						Status:  rule.Warning,
 						Message: "Egress traffic is not denied by default.",
-						Target:  rule.NewTarget("namespace", "plain-namespace"),
+						Target:  rule.NewTarget("namespace", "plain-namespace", "details", "namespace is marked for deletion - no pods are deployed on it"),
 					},
 				},
 			),
@@ -762,26 +762,24 @@ var _ = Describe("#2000", func() {
 			acceptedNamespace.Labels = map[string]string{
 				"environment": "production",
 			}
-			Expect(client.Create(ctx, acceptedNamespace)).To(Succeed())
+			// Expect(client.Create(ctx, acceptedNamespace)).To(Succeed())
 
 			partiallyAcceptedNamespaceWithPod := namespaceWithDeletionTimestamp.DeepCopy()
 			partiallyAcceptedNamespaceWithPod.Name = "partially-accepted-with-pod"
 			partiallyAcceptedNamespaceWithPod.Labels = map[string]string{
 				"team": "security",
 			}
-			Expect(client.Create(ctx, partiallyAcceptedNamespaceWithPod)).To(Succeed())
 
 			partiallyAcceptedNamespace := namespaceWithDeletionTimestamp.DeepCopy()
 			partiallyAcceptedNamespace.Name = "partially-accepted"
 			partiallyAcceptedNamespace.Labels = map[string]string{
 				"team": "security",
 			}
 
-			client = fakeclient.NewClientBuilder().WithObjects(acceptedNamespace, partiallyAcceptedNamespace, partiallyAcceptedNamespaceWithPod).Build()
-
 			pod1 := plainPod.DeepCopy()
 			pod1.Namespace = "partially-accepted-with-pod"
-			Expect(client.Create(ctx, pod1)).To(Succeed())
+
+			client = fakeclient.NewClientBuilder().WithObjects(acceptedNamespace, partiallyAcceptedNamespace, partiallyAcceptedNamespaceWithPod, pod1).Build()
 
 			allowAllPolicy1 := &networkingv1.NetworkPolicy{
 				ObjectMeta: metav1.ObjectMeta{
@@ -870,7 +868,7 @@ var _ = Describe("#2000", func() {
 				{
 					Status:  rule.Failed,
 					Message: "Ingress traffic is not denied by default.",
-					Target:  rule.NewTarget("namespace", "partially-accepted-with-pod"),
+					Target:  rule.NewTarget("namespace", "partially-accepted-with-pod", "details", "namespace is marked for deletion - there are still pods deployed on it"),
 				},
 				{
 					Status:  rule.Accepted,
@@ -880,7 +878,7 @@ var _ = Describe("#2000", func() {
 				{
 					Status:  rule.Warning,
 					Message: "All Ingress traffic is allowed by default.",
-					Target:  rule.NewTarget("namespace", "partially-accepted", "kind", "NetworkPolicy", "name", "allow-all"),
+					Target:  rule.NewTarget("namespace", "partially-accepted", "kind", "NetworkPolicy", "name", "allow-all", "details", "namespace is marked for deletion - no pods are deployed on it"),
 				},
 				{
 					Status:  rule.Accepted,