accept wildcard in NetworkPolicy RBAC apiGroups and resources #1742

Merged
simonbaird merged 2 commits into
conforma:mainfrom
yashvardhannanavati:rbac_policy
Jun 9, 2026

Conversation

@yashvardhannanavati, Contributor

Refers to CLOUDDST-CLOUDDST-32704

Operators granting broad RBAC via wildcard "*" in apiGroups or resources
already cover networking.k8s.io/networkpolicies. Update the policy to
recognize this and rename the rule title to describe the desired state.

yashvardhannanavati and others added 2 commits June 9, 2026 08:06
Align the title with standard naming convention. This commit
changes the title to NetworkPolicy RBAC present in OLM bundle

Signed-off-by: Yashvardhan Nanavati <yashn@bu.edu>
Operators granting broad RBAC via wildcard "*" in apiGroups or resources
already cover networking.k8s.io/networkpolicies. Update the policy to
recognize this and rename the rule title to describe the desired state.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@qodo-for-conforma

qodo-for-conforma Bot commented Jun 9, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review.


@coderabbitai

coderabbitai Bot commented Jun 9, 2026

📝 Walkthrough

This PR extends the OLM NetworkPolicy RBAC policy rule to accept wildcard matches in API groups and resources, refactors the matching logic using new helper predicates, adds comprehensive test coverage, and synchronizes documentation to reflect the changes.

Changes

NetworkPolicy RBAC Wildcard Policy Enhancement

Layer: Policy wildcard matching refactoring
File(s): policy/release/olm/olm.rego
Summary: New helper predicates _matches_api_group(groups) and _matches_resource(resources) enable matching both specific values and wildcards. The _is_network_policy_rule(rule) predicate is refactored to use these helpers. Metadata title updated to "NetworkPolicy RBAC present in OLM bundle".

Layer: Wildcard validation test cases
File(s): policy/release/olm/olm_test.rego
Summary: Four new test rules cover passing cases for wildcard apiGroups, wildcard resources, both wildcarded, and a failing test case with mismatched apiGroups while resources is wildcarded.

Layer: Documentation reorganization and synchronization
File(s): antora/docs/modules/ROOT/pages/packages/release_olm.adoc, antora/docs/modules/ROOT/pages/release_policy.adoc, antora/docs/modules/ROOT/partials/release_policy_nav.adoc
Summary: Rule documentation section relocated earlier in release_olm.adoc with updated title. OLM rule references reordered in release_policy.adoc and release_policy_nav.adoc to prioritize the NetworkPolicy RBAC entry.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks: ✅ 5 passed
  • Title check: Passed. The title clearly and concisely summarizes the main change: allowing wildcard entries in NetworkPolicy RBAC apiGroups and resources.
  • Description check: Passed. The description is related to the changeset, explaining the rationale for accepting wildcards in RBAC and the rule title rename.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@fullsend-ai-review


🤖 Review · Started 4:12 PM UTC
Commit: 47d3320 · View workflow run →

@qodo-for-conforma


PR Summary by Qodo

Accept wildcard RBAC for NetworkPolicy rule and align rule title/docs
🐞 Bug fix 🧪 Tests 📝 Documentation 🕐 20-40 Minutes


Walkthroughs

Description
• Treat wildcard "*" in RBAC apiGroups/resources as satisfying NetworkPolicy permissions.
• Rename the rule title to describe the desired state (“present”) and update docs/index links.
• Add regression tests covering wildcard and negative matching scenarios.
Diagram
graph TD
CSV["CSV RBAC rules"] --> Policy["olm.rego: NetworkPolicy RBAC"] --> Result["deny result"]
Policy --> Helpers["Wildcard match helpers"]
Tests["olm_test.rego"] --> Policy
Index["Release policy index"] --> Docs["Antora rule docs"] --> Policy
High-Level Assessment

The following are alternative approaches to this PR:

1. Generalize list matching into a single helper
  • ➕ Reduces duplication by using one predicate like matches(required, list) that supports "*"
  • ➕ Easier to extend if more RBAC checks need the same wildcard semantics
  • ➖ Slightly less explicit than separate _matches_api_group/_matches_resource helpers
  • ➖ May be premature abstraction if only this rule needs it

Recommendation: Current approach is solid: small, explicit helpers make the wildcard intent clear and are easy to test. Consider a generalized matcher only if additional RBAC rules need the same wildcard behavior.


File Changes

Bug fix (1)
olm.rego Allow wildcard apiGroups/resources to satisfy NetworkPolicy RBAC +19/-3

Allow wildcard apiGroups/resources to satisfy NetworkPolicy RBAC

• Renames the rule metadata title to the desired-state wording. Updates NetworkPolicy RBAC rule matching so apiGroups/resources are considered satisfied when they explicitly include the required value or use wildcard "*".

policy/release/olm/olm.rego


Tests (1)
olm_test.rego Add tests for wildcard NetworkPolicy RBAC matching +91/-0

Add tests for wildcard NetworkPolicy RBAC matching

• Adds coverage to ensure the rule passes when apiGroups and/or resources are "*" (including the all-wildcard case). Adds a negative test ensuring wildcard resources do not pass when the apiGroup is incorrect.

policy/release/olm/olm_test.rego


Documentation (3)
release_olm.adoc Rename NetworkPolicy RBAC rule doc title to desired-state wording +13/-13

Rename NetworkPolicy RBAC rule doc title to desired-state wording

• Updates the rule section heading to “NetworkPolicy RBAC present in OLM bundle” while keeping the rule semantics, messaging, and effective date intact. Reorders the section to align with surrounding rule documentation.

antora/docs/modules/ROOT/pages/packages/release_olm.adoc


release_policy.adoc Update release policy rule list to the new NetworkPolicy RBAC title +1/-1

Update release policy rule list to the new NetworkPolicy RBAC title

• Adjusts the rule list entry to match the renamed NetworkPolicy RBAC rule title and removes the previous “missing” phrasing reference.

antora/docs/modules/ROOT/pages/release_policy.adoc


release_policy_nav.adoc Update navigation link text for NetworkPolicy RBAC rule +1/-1

Update navigation link text for NetworkPolicy RBAC rule

• Updates the navigation entry label to “NetworkPolicy RBAC present in OLM bundle” and removes the old label, keeping the anchor unchanged.

antora/docs/modules/ROOT/partials/release_policy_nav.adoc



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
policy/release/olm/olm_test.rego (1)

1156-1156: 💤 Low value

Inconsistent argument order in assertion.

This test uses assert_equal_results(expected, olm.deny), while all other tests in this file use assert_equal_results(olm.deny, expected). While functionally equivalent, maintaining consistency improves readability.

🔄 Suggested fix for consistency
-	assertions.assert_equal_results(expected, olm.deny) with input.image.files as {"manifests/csv.yaml": manifest_wrong_group}
+	assertions.assert_equal_results(olm.deny, expected) with input.image.files as {"manifests/csv.yaml": manifest_wrong_group}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@policy/release/olm/olm_test.rego` at line 1156, The assertion call uses
inconsistent argument order: change assertions.assert_equal_results(expected,
olm.deny) to assertions.assert_equal_results(olm.deny, expected) so it matches
the other tests; update the call that uses with input.image.files as
{"manifests/csv.yaml": manifest_wrong_group} and ensure the symbols
assertions.assert_equal_results, olm.deny and expected are used in that order
for consistency.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 05f647c7-987f-4165-9ae9-080a9c744932

📥 Commits

Reviewing files that changed from the base of the PR and between 8ab3082 and 07d1d3b.

📒 Files selected for processing (5)
  • antora/docs/modules/ROOT/pages/packages/release_olm.adoc
  • antora/docs/modules/ROOT/pages/release_policy.adoc
  • antora/docs/modules/ROOT/partials/release_policy_nav.adoc
  • policy/release/olm/olm.rego
  • policy/release/olm/olm_test.rego

@codecov

codecov Bot commented Jun 9, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag: unit-tests; Coverage: 100.00% (<100.00%>); Δ: ø

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines:
  • policy/release/olm/olm.rego: 100.00% (<100.00%>); Δ: ø
  • policy/release/olm/olm_test.rego: 100.00% (<100.00%>); Δ: ø

@joelanford


/lgtm

@fullsend-ai-review


Review

Findings

Low

  • [solution-text] policy/release/olm/olm.rego:402 — The solution text in the rule metadata advises adding a rule for networking.k8s.io/networkpolicies but does not mention that wildcard "*" in apiGroups or resources also satisfies the requirement. While the guidance is correct (adding specific access works), mentioning the wildcard alternative would help operators understand why their existing broad grants already pass the check.
    Remediation: Update the solution annotation to note that wildcards in apiGroups or resources also satisfy the requirement.

  • [test-adequacy] policy/release/olm/olm_test.rego:1071 — The new tests cover wildcard apiGroup with exact resource, wildcard resource with exact apiGroup, both wildcards, and wrong apiGroup with wildcard resource (negative). A symmetric negative test for wildcard apiGroup with wrong resource (e.g., apiGroups: ["*"], resources: ["foo"]) is missing. The logic is correct, but this would strengthen confidence in the _matches_resource helper.
    Remediation: Add a test case with apiGroups: ["*"] and resources: ["foo"] asserting a deny result.

Info

  • [naming-convention] policy/release/olm/olm.rego:451 — New helpers _matches_api_group and _matches_resource introduce a _matches_ prefix. Existing helpers in this file use _is_ (predicates) and _has_ (state checks). The _matches_ prefix is semantically clear but diverges from the established convention. See also: _has_lifecycle_verbs which performs a similar membership check using the _has_ prefix.
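
The wildcard-aware matching described in the walkthrough and in the findings above, together with the symmetric negative case the review asks for, reconstructed as an added example. This is not conforma's own olm.rego or olm_test.rego: the helper names follow the walkthrough, while the CSV shape, deny message and _csv_with helper are assumptions.

```rego
package example.olm_networkpolicy

import rego.v1

# Added example reconstructing the PR's wildcard-aware matching. Helper names
# follow the walkthrough; the CSV shape and message are assumptions.

_required_group := "networking.k8s.io"

_required_resource := "networkpolicies"

# apiGroups satisfy the check when they name the group or grant all groups.
_matches_api_group(groups) if _required_group in groups
_matches_api_group(groups) if "*" in groups

# Same for resources: explicit "networkpolicies" or the "*" wildcard.
_matches_resource(resources) if _required_resource in resources
_matches_resource(resources) if "*" in resources

# Both dimensions must match; "*" in one does not excuse a wrong value in the other.
_is_network_policy_rule(rule) if {
	_matches_api_group(rule.apiGroups)
	_matches_resource(rule.resources)
}

# Every RBAC rule declared under the CSV's permissions and clusterPermissions.
_rbac_rules contains rule if {
	some field in ["permissions", "clusterPermissions"]
	some perm in input.csv.spec.install.spec[field]
	some rule in perm.rules
}

_has_network_policy_rule if {
	some rule in _rbac_rules
	_is_network_policy_rule(rule)
}

deny contains "NetworkPolicy RBAC is missing from the OLM bundle" if not _has_network_policy_rule

# Constructed CSV fragment (assumption) wrapping a single rule list.
_csv_with(rules) := {"spec": {"install": {"spec": {"permissions": [{"serviceAccountName": "sa", "rules": rules}]}}}}

test_all_wildcards_pass if {
	count(deny) == 0 with input.csv as _csv_with([{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}])
}

# Symmetric negative case the review requested: wildcard group, wrong resource.
test_wildcard_group_wrong_resource_denied if {
	count(deny) == 1 with input.csv as _csv_with([{"apiGroups": ["*"], "resources": ["foo"], "verbs": ["get"]}])
}
```

Run with `opa test .` in a directory containing only this file; both tests should pass.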

@fullsend-ai-review fullsend-ai-review Bot added the ready-for-merge All reviewers approved — ready to merge label Jun 9, 2026
@fullsend-ai-review


🤖 Finished Review · ✅ Success · Started 4:12 PM UTC · Completed 4:22 PM UTC
Commit: 47d3320 · View workflow run →

@simonbaird simonbaird left a comment

Member


Lgtm.

@simonbaird simonbaird merged commit 9255e2e into conforma:main Jun 9, 2026
27 checks passed

Labels

ready-for-merge All reviewers approved — ready to merge size: L
