excludedNamespaces wildcard with more than one dashes

[dgabrysch]

While trying to create a Constraint we saw that "excludedNamespaces" does not appear to exclude namespaces with more than one dash and wildcards combined, e.g.

    excludedNamespaces:
      - *-test-*

What did you expect to happen:
We expect to have namespaces like user1-test-randomstring being excluded which does not work.
Namespaces, e.g. user1-randomstring, with "excludedNamespaces" with "randomstring-*" are getting excluded.

Environment:

• Gatekeeper version: One of the later ones
• Kubernetes version: (use kubectl version):
  Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.2", GitCommit:"31aa3e89a926f81aa0af30320ffcb71acadf3015", GitTreeState:"clean", BuildDate:"2023-04-07T07:26:22Z", GoVersion:"go1.19.6", Compiler:"gc", Platform:"linux/amd64"}
  Kustomize Version: v4.5.7
  Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.11+1485cc9", GitCommit:"0c8cb213485c84deb0230cbefa34bf7f1c311418", GitTreeState:"clean", BuildDate:"2023-07-04T08:59:21Z", GoVersion:"go1.19.10 X:strictfipsruntime", Compiler:"gc", Platform:"linux/amd64"}

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

[maxsmythe]

user1-randomstring doesn't match randomstring-*. Does this work if you specify *-randomstring for the wildcard?

The *-test-* example should work against user1-test-randomstring. Can you confirm that specific pairing does not work?

Is k8s random name generation involved (e.g. how pod names are generated)?

Relevant code:

gatekeeper/pkg/wildcard/wildcard.go

Lines 17 to 41 in c0e231a

	func (w Wildcard) Matches(candidate string) bool {
	wStr := string(w)
	switch {
	case strings.HasPrefix(wStr, "*") && strings.HasSuffix(wStr, "*"):
	return strings.Contains(candidate, strings.TrimSuffix(strings.TrimPrefix(wStr, "*"), "*"))
	case strings.HasPrefix(wStr, "*"):
	return strings.HasSuffix(candidate, strings.TrimPrefix(wStr, "*"))
	case strings.HasSuffix(wStr, "*"):
	return strings.HasPrefix(candidate, strings.TrimSuffix(wStr, "*"))
	default:
	return wStr == candidate
	}
	}
	func (w Wildcard) MatchesGenerateName(candidate string) bool {
	wStr := string(w)
	switch {
	case strings.HasPrefix(wStr, "*") && strings.HasSuffix(wStr, "*"):
	return strings.Contains(candidate, strings.TrimSuffix(strings.TrimPrefix(wStr, "*"), "*"))
	case strings.HasSuffix(wStr, "*"):
	return strings.HasPrefix(candidate, strings.TrimSuffix(wStr, "*"))
	default:
	return false
	}
	}

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

[dgabrysch]

Somehow I did not see the notification. The "-test-" example did not work, this was why I created the issue. Since it is just trimming I guess it matches "-test-" then which is not the desired behavior.

[maxsmythe]

It should be a "contains" match, so any namespace with "-test-" as a substring should match.

Can you verify this behavior is still broken with a newer release and give the Gatekeeper version?

If it is still broken, can you give an example constraint, template, and resource that should be exempt but is throwing a violation?

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.