
Fix autogen to use fully-qualified GVKs to prevent matching non-Kubernetes resources

Description

This PR fixes the issue where auto-generated rules for Pod controllers match non-Kubernetes CRDs that share the same kind name (e.g., Job).

Fixes #14214

Problem

When defining a Pod policy that triggers auto-generation, the autogen rules use simple kind names like Job, Deployment, etc. This causes them to incorrectly match CRDs with the same kind name, such as compute.databricks.crossplane.io/v1alpha1/Job.

Example error: policy restrict-image-registries/autogen-validate-registries fail: validation error: Unknown image registry. rule autogen-validate-registries failed at path /spec/template/

Solution

Modified the autogen logic to use fully-qualified GVKs (Group/Version/Kind) in the generated match rules:

  • Job → batch/v1/Job
  • Deployment → apps/v1/Deployment
  • CronJob → batch/v1/CronJob
  • DaemonSet → apps/v1/DaemonSet
  • StatefulSet → apps/v1/StatefulSet
  • ReplicaSet → apps/v1/ReplicaSet
  • ReplicationController → v1/ReplicationController

Implementation Details

  1. Added podControllerGVKMap - A mapping from simple kind names to fully-qualified GVKs
  2. Added convertKindsToGVK() function - Converts simple kind names to GVKs when generating output rules
  3. Maintained backward compatibility - Internal logic still uses simple kind names for checking and annotation parsing
  4. Updated tests - Test expectations updated to match the new GVK format
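As an added illustration (not the PR's own code), the Go sketch below shows the shape of the mapping and conversion described above, plus a minimal matcher that makes the bug concrete: a bare kind name matches the Crossplane Job CRD from the issue, while the fully-qualified GVK does not. The names podControllerGVKMap and convertKindsToGVK mirror the PR description, but the bodies, the error on unknown kinds and the matchesKind helper are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// podControllerGVKMap maps the simple kind names autogen keeps using internally
// to the "group/version/Kind" strings written into the generated match rules.
var podControllerGVKMap = map[string]string{
	"Job":                   "batch/v1/Job",
	"CronJob":               "batch/v1/CronJob",
	"Deployment":            "apps/v1/Deployment",
	"DaemonSet":             "apps/v1/DaemonSet",
	"StatefulSet":           "apps/v1/StatefulSet",
	"ReplicaSet":            "apps/v1/ReplicaSet",
	"ReplicationController": "v1/ReplicationController", // core group has no group segment
}

// convertKindsToGVK rewrites a rule's simple kind names into fully-qualified GVKs.
// An unknown kind is an error, not a pass-through, so no unqualified match leaks out
// (assumed behaviour for this illustration).
func convertKindsToGVK(kinds []string) ([]string, error) {
	out := make([]string, 0, len(kinds))
	for _, k := range kinds {
		gvk, ok := podControllerGVKMap[k]
		if !ok {
			return nil, fmt.Errorf("kind %q is not a known Pod controller", k)
		}
		out = append(out, gvk)
	}
	return out, nil
}

// matchesKind (hypothetical helper) reports whether a resource, with group "" for
// the core group, matches one rule kind entry: a bare "Job" compares Kind alone,
// the pre-fix behaviour that let a same-named CRD match, while a qualified entry
// also checks group and version.
func matchesKind(ruleKind, group, version, kind string) bool {
	p := strings.Split(ruleKind, "/")
	switch len(p) {
	case 1:
		return p[0] == kind
	case 2:
		return group == "" && p[0] == version && p[1] == kind
	}
	return len(p) == 3 && p[0] == group && p[1] == version && p[2] == kind
}
```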

Files Changed

  • pkg/autogen/v1/autogen.go - Added GVK mapping and conversion function
  • pkg/autogen/v1/rule.go - Applied GVK conversion when setting kinds in generated rules
  • pkg/autogen/v2/autogen.go - Added GVK mapping and conversion function (v2 API)
  • pkg/autogen/v1/autogen_test.go - Updated test expectations

Testing

All existing tests pass:

  go test ./pkg/autogen/v1/... -v
  go test ./pkg/autogen/v2/... -v

Benefits

  1. Autogen rules will only match built-in Kubernetes resources
  2. No more false positives on CRDs with common kind names
  3. Users no longer need workarounds with preconditions
  4. Backward compatible with existing policies
  5. Aligns with the suggested fix in the issue
