chore: new-filter and unit test covering cluster-scoped and group defined resources

src/fixtures/data/admission-create-clusterrole.json

@@ -0,0 +1,52 @@
+{
+  "uid": "2ac28f03-c045-4af6-86f1-aa0007571863",
+  "kind": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "kind": "ClusterRole"
+  },
+  "resource": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "resource": "clusterroles"
+  },
+  "requestKind": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "kind": "ClusterRole"
+  },
+  "requestResource": {
+    "group": "rbac.authorization.k8s.io",
+    "version": "v1",
+    "resource": "clusterroles"
+  },
+  "name": "pod-creator",
+  "operation": "CREATE",
+  "userInfo": {
+    "username": "system:admin",
+    "groups": ["system:masters", "system:authenticated"]
+  },
+  "object": {
+    "kind": "ClusterRole",
+    "apiVersion": "rbac.authorization.k8s.io/v1",
+    "metadata": {
+      "name": "pod-creator",
+      "creationTimestamp": null
+    },
+    "rules": [
+      {
+        "verbs": ["create", "update", "patch"],
+        "apiGroups": [""],
+        "resources": ["pods"]
+      }
+    ]
+  },
+  "oldObject": null,
+  "dryRun": false,
+  "options": {
+    "kind": "CreateOptions",
+    "apiVersion": "meta.k8s.io/v1",
+    "fieldManager": "kubectl-create",
+    "fieldValidation": "Strict"
+  }
+}

src/fixtures/data/admission-create-deployment.json

@@ -0,0 +1,93 @@
+{
+  "uid": "501f5447-a028-4a3f-b4ac-fc56f3f78ffc",
+  "kind": {
+    "group": "apps",
+    "version": "v1",
+    "kind": "Deployment"
+  },
+  "resource": {
+    "group": "apps",
+    "version": "v1",
+    "resource": "deployments"
+  },
+  "requestKind": {
+    "group": "apps",
+    "version": "v1",
+    "kind": "Deployment"
+  },
+  "requestResource": {
+    "group": "apps",
+    "version": "v1",
+    "resource": "deployments"
+  },
+  "name": "lower",
+  "namespace": "pepr-demo",
+  "operation": "CREATE",
+  "userInfo": {
+    "username": "system:admin",
+    "groups": ["system:masters", "system:authenticated"]
+  },
+  "object": {
+    "kind": "Deployment",
+    "apiVersion": "apps/v1",
+    "metadata": {
+      "name": "lower",
+      "namespace": "pepr-demo",
+      "creationTimestamp": null,
+      "labels": {
+        "app": "lower"
+      }
+    },
+    "spec": {
+      "replicas": 3,
+      "selector": {
+        "matchLabels": {
+          "app": "lower"
+        }
+      },
+      "template": {
+        "metadata": {
+          "creationTimestamp": null,
+          "labels": {
+            "app": "lower"
+          }
+        },
+        "spec": {
+          "containers": [
+            {
+              "name": "nginx",
+              "image": "nginx",
+              "resources": {},
+              "terminationMessagePath": "/dev/termination-log",
+              "terminationMessagePolicy": "File",
+              "imagePullPolicy": "Always"
+            }
+          ],
+          "restartPolicy": "Always",
+          "terminationGracePeriodSeconds": 30,
+          "dnsPolicy": "ClusterFirst",
+          "securityContext": {},
+          "schedulerName": "default-scheduler"
+        }
+      },
+      "strategy": {
+        "type": "RollingUpdate",
+        "rollingUpdate": {
+          "maxUnavailable": "25%",
+          "maxSurge": "25%"
+        }
+      },
+      "revisionHistoryLimit": 10,
+      "progressDeadlineSeconds": 600
+    },
+    "status": {}
+  },
+  "oldObject": null,
+  "dryRun": false,
+  "options": {
+    "kind": "CreateOptions",
+    "apiVersion": "meta.k8s.io/v1",
+    "fieldManager": "kubectl-create",
+    "fieldValidation": "Strict"
+  }
+}

src/fixtures/loader.ts

@@ -1,15 +1,25 @@
 import { kind } from "kubernetes-fluent-client";
 
 import { AdmissionRequest } from "../lib/types";
-import createPod from "./data/create-pod.json";
-import deletePod from "./data/delete-pod.json";
+import admissionRequestCreatePod from "./data/admission-create-pod.json";
+import admissionRequestDeletePod from "./data/admission-delete-pod.json";
+import admissionRequestCreateClusterRole from "./data/admission-create-clusterrole.json";
+import admissionRequestCreateDeployment from "./data/admission-create-deployment.json";
 
-export function CreatePod() {
-  return cloneObject<kind.Pod>(createPod);
+export function AdmissionRequestCreateDeployment() {
+  return cloneObject<kind.Deployment>(admissionRequestCreateDeployment);
 }
 
-export function DeletePod() {
-  return cloneObject<kind.Pod>(deletePod);
+export function AdmissionRequestCreatePod() {
+  return cloneObject<kind.Pod>(admissionRequestCreatePod);
+}
+
+export function AdmissionRequestDeletePod() {
+  return cloneObject<kind.Pod>(admissionRequestDeletePod);
+}
+
+export function AdmissionRequestCreateClusterRole() {
+  return cloneObject<kind.ClusterRole>(admissionRequestCreateClusterRole);
 }
 
 function cloneObject<T>(obj: unknown): AdmissionRequest<T> {

src/lib/assets/rbac.ts

@@ -22,7 +22,6 @@ export function clusterRole(
 ): kind.ClusterRole {
   // Create the RBAC map from capabilities
   const rbacMap = createRBACMap(capabilities);
-
   // Generate scoped rules from rbacMap
   const scopedRules = Object.keys(rbacMap).map(key => {
     let group: string;

src/lib/filter/adjudicators.test.ts

@@ -254,6 +254,37 @@ describe("mismatchedLabels", () => {
   });
 });
 
+describe("missingCarriableNamespace", () => {
+  //[ capa ns's, KubernetesObject, result ]
+  it.each([
+    [[], {}, false],
+    [[], { metadata: { namespace: "namespace" } }, false],
+
+    [["namespace"], {}, true],
+    [["namespace"], { metadata: {} }, true],
+    [["namespace"], { metadata: { namespace: null } }, true],
+    [["namespace"], { metadata: { namespace: "" } }, true],
+    [["namespace"], { metadata: { namespace: "incorrect" } }, false],
+    [["namespace"], { metadata: { namespace: "namespace" } }, false],
+
+    [["name", "space"], {}, true],
+    [["name", "space"], { metadata: {} }, true],
+    [["name", "space"], { metadata: { namespace: null } }, true],
+    [["name", "space"], { metadata: { namespace: "" } }, true],
+    [["name", "space"], { metadata: { namespace: "incorrect" } }, false],
+    [["name", "space"], { metadata: { namespace: "name" } }, false],
+    [["name", "space"], { metadata: { namespace: "space" } }, false],
+    [["ingress-controller"], { kind: "Namespace", metadata: { name: "ingress-controller" } }, false],
+    [["ingress-controller"], { kind: "Namespace", metadata: { name: "egress-controller" } }, true],
+  ])("given capabilityNamespaces %j and object %j, returns %s", (nss, obj, expected) => {
+    const object = obj as DeepPartial<KubernetesObject>;
+
+    const result = sut.missingCarriableNamespace(nss, object);
+
+    expect(result).toBe(expected);
+  });
+});
+
 describe("uncarryableNamespace", () => {
   //[ capa ns's, KubernetesObject, result ]
   it.each([

src/lib/filter/adjudicators.ts

@@ -216,6 +216,15 @@ export const uncarryableNamespace = allPass([
   pipe((namespaceSelector, kubernetesObject) => namespaceSelector.includes(carriedNamespace(kubernetesObject)), not),
 ]);
 
+export const missingCarriableNamespace = allPass([
+  pipe(nthArg(0), length, gt(__, 0)),
+  pipe((namespaceSelector: string[], kubernetesObject: KubernetesObject): boolean =>
+    kubernetesObject.kind === "Namespace"
+      ? !namespaceSelector.includes(kubernetesObject.metadata!.name!)
+      : !carriesNamespace(kubernetesObject),
+  ),
+]);
+
 export const carriesIgnoredNamespace = allPass([
   pipe(nthArg(0), length, gt(__, 0)),
   pipe(nthArg(1), carriesNamespace),