feat: Support PodSecurityPolicy relationships

Signed-off-by: Justin Toh <tohjustin@hotmail.com>
tohjustin · Oct 15, 2021 · d5f71d2 · d5f71d2
1 parent 4dcc354
commit d5f71d2
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -95,6 +95,7 @@ List of supported relationships used for discovering dependent objects:
   - [PersistentVolume References](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1/) & [PersistentVolumeClaim References](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1/)
   - [Pod References](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/)
   - [PodDisruptionBudget References](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
+  - [PodSecurityPolicy References](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
   - [RuntimeClass References](https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/runtime-class-v1/)
   - [Service References](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/)
   - [ServiceAccount References](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/service-account-v1/)

diff --git a/internal/graph/graph.go b/internal/graph/graph.go
@@ -465,6 +465,13 @@ func ResolveDependents(m meta.RESTMapper, objects []unstructuredv1.Unstructured,
 				klog.V(4).Infof("Failed to get relationships for poddisruptionbudget named \"%s\": %s", node.Name, err)
 				continue
 			}
+		// Populate dependents based on PodSecurityPolicy relationships
+		case node.Group == "policy" && node.Kind == "PodSecurityPolicy":
+			rmap, err = getPodSecurityPolicyRelationships(node)
+			if err != nil {
+				klog.V(4).Infof("Failed to get relationships for podsecuritypolicy named \"%s\": %s", node.Name, err)
+				continue
+			}
 		// Populate dependents based on MutatingWebhookConfiguration relationships
 		case node.Group == "admissionregistration.k8s.io" && node.Kind == "MutatingWebhookConfiguration":
 			rmap, err = getMutatingWebhookConfigurationRelationships(node)

diff --git a/internal/graph/kubernetes.go b/internal/graph/kubernetes.go
@@ -9,6 +9,7 @@ import (
 	networkingv1 "k8s.io/api/networking/v1"
 	nodev1 "k8s.io/api/node/v1"
 	policyv1 "k8s.io/api/policy/v1"
+	policyv1beta1 "k8s.io/api/policy/v1beta1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -65,6 +66,11 @@ const (
 	// Kubernetes PodDisruptionBudget relationships.
 	RelationshipPodDisruptionBudget Relationship = "PodDisruptionBudget"
 
+	// Kubernetes PodSecurityPolicy relationships.
+	RelationshipPodSecurityPolicyAllowedCSIDriver    Relationship = "PodSecurityPolicyAllowedCSIDriver"
+	RelationshipPodSecurityPolicyAllowedRuntimeClass Relationship = "PodSecurityPolicyAllowedRuntimeClass"
+	RelationshipPodSecurityPolicyDefaultRuntimeClass Relationship = "PodSecurityPolicyDefaultRuntimeClass"
+
 	// Kubernetes RuntimeClass relationships.
 	RelationshipRuntimeClass Relationship = "RuntimeClass"
 
@@ -558,6 +564,41 @@ func getPodDisruptionBudgetRelationships(n *Node) (*RelationshipMap, error) {
 	return &result, nil
 }
 
+// getPodSecurityPolicyRelationships returns a map of relationships that this
+// PodSecurityPolicy has with other objects, based on what was referenced in its
+// manifest.
+func getPodSecurityPolicyRelationships(n *Node) (*RelationshipMap, error) {
+	var psp policyv1beta1.PodSecurityPolicy
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(n.UnstructuredContent(), &psp)
+	if err != nil {
+		return nil, err
+	}
+
+	var ref ObjectReference
+	result := newRelationshipMap()
+
+	// RelationshipPodSecurityPolicyAllowedCSIDriver
+	for _, csi := range psp.Spec.AllowedCSIDrivers {
+		ref = ObjectReference{Group: "storage.k8s.io", Kind: "CSIDriver", Name: csi.Name}
+		result.AddDependencyByKey(ref.Key(), RelationshipPodSecurityPolicyAllowedCSIDriver)
+	}
+	if rc := psp.Spec.RuntimeClass; rc != nil {
+		// RelationshipPodSecurityPolicyAllowedRuntimeClass
+		for _, n := range psp.Spec.RuntimeClass.AllowedRuntimeClassNames {
+			ref = ObjectReference{Group: "node.k8s.io", Kind: "RuntimeClass", Name: n}
+			result.AddDependencyByKey(ref.Key(), RelationshipPodSecurityPolicyAllowedRuntimeClass)
+		}
+
+		// RelationshipPodSecurityPolicyDefaultRuntimeClass
+		if n := psp.Spec.RuntimeClass.DefaultRuntimeClassName; n != nil {
+			ref = ObjectReference{Group: "node.k8s.io", Kind: "RuntimeClass", Name: *n}
+			result.AddDependencyByKey(ref.Key(), RelationshipPodSecurityPolicyDefaultRuntimeClass)
+		}
+	}
+
+	return &result, nil
+}
+
 // getRoleBindingRelationships returns a map of relationships that this
 // RoleBinding has with other objects, based on what was referenced in its
 // manifest.