in pkg/analyzer/psaEvaluator.go [105:198]
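// evaluate runs the Pod Security Admission checks for levelVersion against the
// pod template carried by obj and reports whether every check passed.
//
// obj must be the concrete object that gKV describes. Pod, the apps/v1
// Deployment, DaemonSet, ReplicaSet and StatefulSet kinds, and the batch/v1 Job
// and CronJob kinds are evaluated. Each failing check is printed to stdout as a
// "Check N failed" line followed by its detail line.
//
// NOTE(review): this is fail-open by design: any kind or API version the
// analyzer does not know how to inspect is reported as compliant (true, nil).
// That is acceptable for a best-effort linter but must not be used as an
// enforcement decision; the TODO below is about making it configurable.
//
// Compared with the earlier version, an object whose dynamic type does not
// match gKV.Kind now yields an error instead of a panic from an unchecked type
// assertion, and a failure to build the check evaluator is returned rather
// than silently ignored.
func (e *psaEvaluator) evaluate(obj runtime.Object, gKV *schema.GroupVersionKind, levelVersion api.LevelVersion) (bool, error) {
	evaluator, err := policy.NewEvaluator(policy.DefaultChecks())
	if err != nil {
		return false, fmt.Errorf("building PSA evaluator: %w", err)
	}

	// TODO: Defer return true or false after whole document evaluation depending on configuration
	// f.e.: You may want to consider that including non evaluable versions should render the level as privileged
	// or you may just skip them depending on command line parameters
	meta, spec, err := podTemplateOf(obj, gKV)
	if err != nil {
		return false, err
	}
	if meta == nil {
		// Unsupported kind or API version: fail-open, see the TODO above.
		return true, nil
	}
	fmt.Printf("%v %v\n", gKV.Kind, meta.Name)

	// Evaluate against copies so the checks never touch the decoded object.
	podMetadata := *meta
	podSpec := *spec
	allowed := true
	results := evaluator.EvaluatePod(levelVersion, &podMetadata, &podSpec)
	//TODO: optional log message on verbose output
	fmt.Printf(" PSS level %v %v\n", levelVersion.Level, levelVersion.Version)
	for i := range results {
		if !results[i].Allowed {
			fmt.Printf(" Check %v failed: %v\n", i, results[i].ForbiddenReason)
			fmt.Printf(" %v\n", results[i].ForbiddenDetail)
			allowed = false
		}
	}
	//TODO: make error return error
	return allowed, nil
}

// podTemplateOf returns pointers to the object metadata and PodSpec that the
// PSA checks inspect for a supported workload object.
//
// It returns (nil, nil, nil), after printing a notice to stdout, when gKV
// names a kind or API version this analyzer does not handle. It returns an
// error when obj's dynamic type is not the one gKV.Kind implies; a bare type
// assertion would panic on such input.
func podTemplateOf(obj runtime.Object, gKV *schema.GroupVersionKind) (*v1.ObjectMeta, *corev1.PodSpec, error) {
	switch gKV.Kind {
	case "Pod":
		pod, ok := obj.(*corev1.Pod)
		if !ok {
			return nil, nil, unexpectedTypeErr(gKV, obj)
		}
		return &pod.ObjectMeta, &pod.Spec, nil
	case "Deployment":
		if !hasGroupVersion(gKV, "apps", "v1") {
			return skipUnsupportedVersion(gKV)
		}
		d, ok := obj.(*appsv1.Deployment)
		if !ok {
			return nil, nil, unexpectedTypeErr(gKV, obj)
		}
		return &d.ObjectMeta, &d.Spec.Template.Spec, nil
	case "DaemonSet":
		if !hasGroupVersion(gKV, "apps", "v1") {
			return skipUnsupportedVersion(gKV)
		}
		ds, ok := obj.(*appsv1.DaemonSet)
		if !ok {
			return nil, nil, unexpectedTypeErr(gKV, obj)
		}
		return &ds.ObjectMeta, &ds.Spec.Template.Spec, nil
	case "ReplicaSet":
		if !hasGroupVersion(gKV, "apps", "v1") {
			return skipUnsupportedVersion(gKV)
		}
		rs, ok := obj.(*appsv1.ReplicaSet)
		if !ok {
			return nil, nil, unexpectedTypeErr(gKV, obj)
		}
		return &rs.ObjectMeta, &rs.Spec.Template.Spec, nil
	case "StatefulSet":
		if !hasGroupVersion(gKV, "apps", "v1") {
			return skipUnsupportedVersion(gKV)
		}
		sts, ok := obj.(*appsv1.StatefulSet)
		if !ok {
			return nil, nil, unexpectedTypeErr(gKV, obj)
		}
		return &sts.ObjectMeta, &sts.Spec.Template.Spec, nil
	case "Job":
		if !hasGroupVersion(gKV, "batch", "v1") {
			return skipUnsupportedVersion(gKV)
		}
		job, ok := obj.(*batchv1.Job)
		if !ok {
			return nil, nil, unexpectedTypeErr(gKV, obj)
		}
		return &job.ObjectMeta, &job.Spec.Template.Spec, nil
	case "CronJob":
		if !hasGroupVersion(gKV, "batch", "v1") {
			return skipUnsupportedVersion(gKV)
		}
		cj, ok := obj.(*batchv1.CronJob)
		if !ok {
			return nil, nil, unexpectedTypeErr(gKV, obj)
		}
		// The pod template sits one level deeper for CronJob: inside its JobTemplate.
		return &cj.ObjectMeta, &cj.Spec.JobTemplate.Spec.Template.Spec, nil
	default:
		//TODO: optional log message on verbose output
		fmt.Printf("Kind not evaluable: %v\n", gKV.Kind)
		return nil, nil, nil
	}
}

// hasGroupVersion reports whether gKV is exactly group/version. The fields are
// compared individually; the earlier string concatenation ("apps"+"v1") could
// in principle match a different split of the same characters.
func hasGroupVersion(gKV *schema.GroupVersionKind, group, version string) bool {
	return gKV.Group == group && gKV.Version == version
}

// skipUnsupportedVersion prints the "not evaluable" notice for an API version
// the analyzer does not handle and returns the not-evaluable triple. Group and
// version are passed as format arguments rather than spliced into the format
// string, so a '%' in manifest-supplied data cannot corrupt the output (and
// go vet does not flag a non-constant format string).
func skipUnsupportedVersion(gKV *schema.GroupVersionKind) (*v1.ObjectMeta, *corev1.PodSpec, error) {
	fmt.Printf("Version %s/%s not evaluable for kind: %v\n", gKV.Group, gKV.Version, gKV.Kind)
	return nil, nil, nil
}

// unexpectedTypeErr describes an object whose Go type does not match the kind
// its GroupVersionKind claims.
func unexpectedTypeErr(gKV *schema.GroupVersionKind, obj runtime.Object) error {
	return fmt.Errorf("kind %s: object has unexpected type %T", gKV.Kind, obj)
}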