open-policy-agent · julianKatz · Sep 17, 2021 · Aug 25, 2021 · Aug 27, 2021 · Sep 8, 2021
@@ -59,6 +59,8 @@ spec:
                 properties:
                   excludedNamespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   kinds:
@@ -106,6 +108,10 @@ spec:
                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
+                  name:
+                    description: 'Name is the name of an object.  If defined, it will match against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                    type: string
                   namespaceSelector:
                     description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                     properties:
@@ -138,6 +144,8 @@ spec:
                     type: object
                   namespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   scope:

@@ -39,6 +39,8 @@ spec:
                 properties:
                   excludedNamespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   kinds:
@@ -86,6 +88,10 @@ spec:
                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
+                  name:
+                    description: 'Name is the name of an object.  If defined, it will match against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                    type: string
                   namespaceSelector:
                     description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                     properties:
@@ -118,6 +124,8 @@ spec:
                     type: object
                   namespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   scope:

@@ -59,6 +59,8 @@ spec:
                 properties:
                   excludedNamespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   kinds:
@@ -106,6 +108,10 @@ spec:
                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
+                  name:
+                    description: 'Name is the name of an object.  If defined, it will match against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                    type: string
                   namespaceSelector:
                     description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                     properties:
@@ -138,6 +144,8 @@ spec:
                     type: object
                   namespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   scope:

@@ -63,6 +63,8 @@ spec:
                 properties:
                   excludedNamespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   kinds:
@@ -110,6 +112,10 @@ spec:
                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
+                  name:
+                    description: 'Name is the name of an object.  If defined, it will match against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                    type: string
                   namespaceSelector:
                     description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                     properties:
@@ -142,6 +148,8 @@ spec:
                     type: object
                   namespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   scope:

@@ -43,6 +43,8 @@ spec:
                 properties:
                   excludedNamespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   kinds:
@@ -90,6 +92,10 @@ spec:
                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
+                  name:
+                    description: 'Name is the name of an object.  If defined, it will match against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                    type: string
                   namespaceSelector:
                     description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                     properties:
@@ -122,6 +128,8 @@ spec:
                     type: object
                   namespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   scope:

@@ -63,6 +63,8 @@ spec:
                 properties:
                   excludedNamespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   kinds:
@@ -110,6 +112,10 @@ spec:
                         description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
                     type: object
+                  name:
+                    description: 'Name is the name of an object.  If defined, it will match against objects with the specified name.  Name also supports a prefix-based glob.  For example, `name: pod-*` would match both `pod-a` and `pod-b`.'
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                    type: string
                   namespaceSelector:
                     description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                     properties:
@@ -142,6 +148,8 @@ spec:
                     type: object
                   namespaces:
                     items:
+                      description: 'A string that supports globbing at its end.  Ex: "kube-*" will match "kube-system" or "kube-public".  The asterisk is required for wildcard matching.'
+                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$
                       type: string
                     type: array
                   scope:

@@ -2,8 +2,8 @@ package match
 
 import (
 	"errors"
-	"strings"
 
+	"github.com/open-policy-agent/gatekeeper/pkg/util"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -46,10 +46,14 @@ func (a ApplyTo) Flatten() []schema.GroupVersionKind {
 type Match struct {
 	Kinds              []Kinds                       `json:"kinds,omitempty"`
 	Scope              apiextensionsv1.ResourceScope `json:"scope,omitempty"`
-	Namespaces         []string                      `json:"namespaces,omitempty"`
-	ExcludedNamespaces []string                      `json:"excludedNamespaces,omitempty"`
+	Namespaces         []util.PrefixWildcard         `json:"namespaces,omitempty"`
+	ExcludedNamespaces []util.PrefixWildcard         `json:"excludedNamespaces,omitempty"`
 	LabelSelector      *metav1.LabelSelector         `json:"labelSelector,omitempty"`
 	NamespaceSelector  *metav1.LabelSelector         `json:"namespaceSelector,omitempty"`
+	// Name is the name of an object.  If defined, it will match against objects with the specified
+	// name.  Name also supports a prefix-based glob.  For example, `name: pod-*` would match both
+	// `pod-a` and `pod-b`.
+	Name util.PrefixWildcard `json:"name,omitempty"`
 }
 
 // Kinds accepts a list of objects with apiGroups and kinds fields
@@ -79,6 +83,7 @@ func Matches(match *Match, obj client.Object, ns *corev1.Namespace) (bool, error
 		excludedNamespacesMatch,
 		labelSelectorMatch,
 		namespaceSelectorMatch,
+		namesMatch,
 	}
 
 	for _, fn := range topLevelMatchers {
@@ -142,7 +147,7 @@ func excludedNamespacesMatch(match *Match, obj client.Object, ns *corev1.Namespa
 	}
 
 	for _, n := range match.ExcludedNamespaces {
-		if ns.Name == n || prefixMatch(n, ns.Name) {
+		if n.Matches(ns.Name) {
 			return false, nil
 		}
 	}
@@ -157,7 +162,7 @@ func namespacesMatch(match *Match, obj client.Object, ns *corev1.Namespace) (boo
 	}
 
 	for _, n := range match.Namespaces {
-		if ns.Name == n || prefixMatch(n, ns.Name) {
+		if n.Matches(ns.Name) {
 			return true, nil
 		}
 	}
@@ -206,6 +211,17 @@ func kindsMatch(match *Match, obj client.Object, ns *corev1.Namespace) (bool, er
 	return false, nil
 }
 
+func namesMatch(match *Match, obj client.Object, ns *corev1.Namespace) (bool, error) {
+	// A blank string could be undefined or an intentional blank string by the user.  Either way,
+	// we will assume this means "any name".  This goes with the undefined == match everything
+	// pattern that we've already got going in the Match.
+	if match.Name == "" {
+		return true, nil
+	}
+
+	return match.Name.Matches(obj.GetName()), nil
+}
+
 func scopeMatch(match *Match, obj client.Object, ns *corev1.Namespace) (bool, error) {
 	clusterScoped := ns == nil || isNamespace(obj)
 
@@ -222,17 +238,6 @@ func scopeMatch(match *Match, obj client.Object, ns *corev1.Namespace) (bool, er
 	return true, nil
 }
 
-// prefixMatch matches checks if the candidate contains the prefix defined in the source.
-// The source is expected to end with a "*", which acts as a glob.  It is removed when
-// performing the prefix-based match.
-func prefixMatch(source, candidate string) bool {
-	if !strings.HasSuffix(source, "*") {
-		return false
-	}
-
-	return strings.HasPrefix(candidate, strings.TrimSuffix(source, "*"))
-}
-
 // AppliesTo checks if any item the given slice of ApplyTo applies to the given object.
 func AppliesTo(applyTo []ApplyTo, obj runtime.Object) bool {
 	gvk := obj.GetObjectKind().GroupVersionKind()