fix(cicd): 回退 PaC admission 业务阻断

This commit is contained in:
Codex
2026-07-15 08:40:48 +02:00
parent 11979c86b0
commit 1f3283ffac
8 changed files with 193 additions and 65 deletions
+19 -11
View File
@@ -222,9 +222,9 @@ function evaluatePacAdmissionState(inputValue) {
if (annotations["unidesk.ai/pac-controller-identity"] !== expected.controllerIdentity) reasons.push(`${kind}-controller-identity-mismatch`);
if (annotations["unidesk.ai/effective-config-sha256"] !== expected.configSha256) reasons.push(`${kind}-config-sha256-mismatch`);
}
if (policySpec.failurePolicy !== "Fail") reasons.push("policy-failure-policy-not-fail");
if (policySpec.failurePolicy !== "Ignore") reasons.push("policy-failure-policy-not-ignore");
if (bindingSpec.policyName !== expected.policyName) reasons.push("binding-policy-name-mismatch");
if (!Array.isArray(bindingSpec.validationActions) || bindingSpec.validationActions.length !== 1 || bindingSpec.validationActions[0] !== "Deny") reasons.push("binding-validation-actions-not-deny");
if (!Array.isArray(bindingSpec.validationActions) || stableCanonicalJson(bindingSpec.validationActions) !== stableCanonicalJson(["Warn", "Audit"])) reasons.push("binding-validation-actions-not-warning-only");
if (!Number.isInteger(policyMetadata.generation) || !Number.isInteger(policyStatus.observedGeneration) || policyStatus.observedGeneration < policyMetadata.generation) reasons.push("policy-generation-not-observed");
if (warnings.length > 0) reasons.push("policy-expression-warning");
if (roleMetadata.name !== "unidesk-pac-consumer-runner") reasons.push("default-role-missing");
@@ -258,6 +258,9 @@ function evaluatePacAdmissionState(inputValue) {
configured: true,
required: true,
ready: reasons.length === 0,
blocking: false,
warning: reasons.length > 0,
warnings: reasons,
source: "live-admissionregistration-v1",
policyName: stringOrNull(policyMetadata.name),
bindingName: stringOrNull(bindingMetadata.name),
@@ -357,13 +360,18 @@ function classifyPacPipelineRun(consumerInput, itemInput) {
deliveryClass,
reason,
candidate,
deliveryAuthorityEligible: outer && (!provenanceRequired || admissionProvenanceVerified),
deliveryAuthorityEligible: outer,
deliveryOwner: outer ? admissionProvenanceVerified ? "pac-controller-admission" : "pac-controller-observed" : null,
executionOwner: inner ? "tekton-child-unattached" : null,
parentPipelineRun: null,
parentRelation: inner ? "unproven" : null,
metadataObservationOnly: outer && !admissionProvenanceVerified,
admissionProvenanceVerified,
admissionWarning: outer && !admissionProvenanceVerified ? {
code: "pac-admission-provenance-unverified",
blocking: false,
reasons: Array.isArray(admissionState.reasons) ? admissionState.reasons : [],
} : null,
admissionPolicyReady: admissionState.ready === true,
admissionPolicyName: stringOrNull(admissionState.policyName),
admissionBindingName: stringOrNull(admissionState.bindingName),
@@ -1285,19 +1293,19 @@ function runPacStatusFixtureChecks() {
};
const classificationCases = [
{ id: "admission-provenance-verified", expected: true, item: verifiedRun, state: admissionState },
{ id: "pre-bootstrap-run-fails-closed", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, creationTimestamp: "2025-12-31T23:59:59Z" } }, state: admissionState },
{ id: "forged-name-candidate-fails-closed", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, annotations: { ...verifiedRun.metadata.annotations, [provenance.markerAnnotation]: "forged" } } }, state: admissionState },
{ id: "forged-label-candidate-fails-closed", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, name: "unrelated", labels: { ...verifiedRun.metadata.labels, "tekton.dev/pipeline": consumer.pipeline }, annotations: { ...verifiedRun.metadata.annotations, [provenance.markerAnnotation]: "forged" } } }, state: admissionState },
{ id: "forged-pipeline-ref-candidate-fails-closed", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, name: "unrelated", annotations: { ...verifiedRun.metadata.annotations, [provenance.markerAnnotation]: "forged" } }, spec: { ...verifiedRun.spec, pipelineRef: { name: consumer.pipeline } } }, state: admissionState },
{ id: "wrong-service-account-fails-closed", expected: false, item: { ...verifiedRun, spec: { taskRunTemplate: { serviceAccountName: "default" } } }, state: admissionState },
{ id: "policy-identity-mismatch-fails-closed", expected: false, item: verifiedRun, state: { ...admissionState, configSha256: `sha256:${"2".repeat(64)}` } },
{ id: "pre-bootstrap-run-warning-only", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, creationTimestamp: "2025-12-31T23:59:59Z" } }, state: admissionState },
{ id: "marker-mismatch-warning-only", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, annotations: { ...verifiedRun.metadata.annotations, [provenance.markerAnnotation]: "forged" } } }, state: admissionState },
{ id: "candidate-label-warning-only", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, name: "unrelated", labels: { ...verifiedRun.metadata.labels, "tekton.dev/pipeline": consumer.pipeline }, annotations: { ...verifiedRun.metadata.annotations, [provenance.markerAnnotation]: "forged" } } }, state: admissionState },
{ id: "candidate-pipeline-ref-warning-only", expected: false, item: { ...verifiedRun, metadata: { ...verifiedRun.metadata, name: "unrelated", annotations: { ...verifiedRun.metadata.annotations, [provenance.markerAnnotation]: "forged" } }, spec: { ...verifiedRun.spec, pipelineRef: { name: consumer.pipeline } } }, state: admissionState },
{ id: "service-account-mismatch-warning-only", expected: false, item: { ...verifiedRun, spec: { taskRunTemplate: { serviceAccountName: "default" } } }, state: admissionState },
{ id: "policy-identity-mismatch-warning-only", expected: false, item: verifiedRun, state: { ...admissionState, configSha256: `sha256:${"2".repeat(64)}` } },
];
for (const item of classificationCases) {
const result = classifyPacPipelineRun({ ...consumer, admissionState: item.state }, item.item);
checks.push({
id: item.id,
ok: result.admissionProvenanceVerified === item.expected && result.deliveryAuthorityEligible === item.expected,
expectedOk: item.expected,
ok: result.admissionProvenanceVerified === item.expected && result.deliveryAuthorityEligible === true,
expectedOk: true,
actualOk: result.deliveryAuthorityEligible,
expectedCode: item.expected ? "admission-owned-pac-push-provenance-verified" : "pac-push-metadata-observed-but-admission-provenance-unverified",
actualCode: result.reason,