ROX-34157: Allow label scopes on audit event policies#20061

Open
AlexVulaj wants to merge 1 commit into master from AlexVulaj/ROX-34157-audit-event-label-scope

Conversation

@AlexVulaj
Contributor

Description

Fixes a bug where cluster and namespace label scopes were incorrectly rejected on audit log event policies. In https://redhat.atlassian.net/browse/ROX-32149, the validateNoLabelsInScopeForAuditEvent guard was extended to reject cluster_label and namespace_label scopes, modeled after the existing rejection of deployment labels. However, unlike deployment labels, audit events carry cluster ID and namespace information that is sufficient to resolve cluster and namespace labels via providers.

This change removes cluster_label/namespace_label from the validation rejection (keeping the deployment label rejection, since audit events have no deployment context) and wires up MatchesClusterLabels and MatchesNamespaceLabels in MatchesAuditEvent so that label-based cluster/namespace scoping actually works for audit event policies.

Additionally, MatchesClusterLabels and MatchesNamespaceLabels signatures are refactored to accept primitive parameters (clusterID string, namespace string) instead of a full *storage.Deployment, making them usable from non-deployment contexts like audit events.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Added new test(s). Will rely on CI for full integration validation.
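The following is an added illustration of the control flow the description lays out, not StackRox code: the `Scope`, `AuditEvent` and `LabelProviders` types, the provider closures and the two-cluster fixture are all assumptions constructed here, and the namespace scope is treated as an exact match for brevity. It shows why the validation guard can accept cluster and namespace label scopes for audit events (the event's cluster ID and namespace are enough to look the labels up through a provider) while deployment label scopes must still be rejected, and it makes the label matchers take primitive `clusterID`/`namespace` arguments so they work without a deployment.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not the project's code. All types and the fixture below are
// assumptions made for the illustration.

// KeyValue is one label requirement in a policy scope.
type KeyValue struct{ Key, Value string }

// Scope models only the scope fields the example needs. Empty string / nil
// means "no constraint on this field".
type Scope struct {
	Cluster         string // cluster ID
	Namespace       string // exact namespace name (real scopes may use a regex)
	ClusterLabel    *KeyValue
	NamespaceLabel  *KeyValue
	DeploymentLabel *KeyValue
}

// AuditEvent carries a cluster ID and namespace but no deployment, which is
// why deployment labels can never be resolved for it.
type AuditEvent struct{ ClusterID, Namespace string }

// LabelProviders resolve labels from the identifiers an audit event carries.
// The bool reports whether the cluster/namespace is known at all.
type LabelProviders struct {
	ClusterLabels   func(clusterID string) (map[string]string, bool)
	NamespaceLabels func(clusterID, namespace string) (map[string]string, bool)
}

var ErrDeploymentLabelInAuditScope = errors.New("audit event policies cannot scope on deployment labels")

// ValidateAuditEventScope is the guard after the fix: deployment labels are
// still rejected, cluster and namespace labels are allowed.
func ValidateAuditEventScope(s Scope) error {
	if s.DeploymentLabel != nil {
		return ErrDeploymentLabelInAuditScope
	}
	return nil
}

func hasLabel(labels map[string]string, kv *KeyValue) bool {
	v, ok := labels[kv.Key]
	return ok && v == kv.Value
}

// MatchesClusterLabels takes a primitive cluster ID, not a deployment, so it
// is callable from the audit event path. Unknown clusters fail closed.
func MatchesClusterLabels(p LabelProviders, clusterID string, kv *KeyValue) bool {
	if kv == nil {
		return true
	}
	labels, ok := p.ClusterLabels(clusterID)
	return ok && hasLabel(labels, kv)
}

// MatchesNamespaceLabels likewise takes (clusterID, namespace) primitives.
func MatchesNamespaceLabels(p LabelProviders, clusterID, namespace string, kv *KeyValue) bool {
	if kv == nil {
		return true
	}
	labels, ok := p.NamespaceLabels(clusterID, namespace)
	return ok && hasLabel(labels, kv)
}

// MatchesAuditEvent evaluates a scope against an audit event, including the
// label-based cluster and namespace checks.
func MatchesAuditEvent(p LabelProviders, s Scope, ev AuditEvent) bool {
	if s.Cluster != "" && s.Cluster != ev.ClusterID {
		return false
	}
	if s.Namespace != "" && s.Namespace != ev.Namespace {
		return false
	}
	if !MatchesClusterLabels(p, ev.ClusterID, s.ClusterLabel) {
		return false
	}
	return MatchesNamespaceLabels(p, ev.ClusterID, ev.Namespace, s.NamespaceLabel)
}

// SampleProviders builds providers over a constructed fixture: a prod and a
// staging cluster, each with a "payments" namespace.
func SampleProviders() LabelProviders {
	clusters := map[string]map[string]string{
		"cluster-prod":    {"env": "prod"},
		"cluster-staging": {"env": "staging"},
	}
	namespaces := map[string]map[string]string{
		"cluster-prod/payments":    {"team": "payments", "pci": "true"},
		"cluster-staging/payments": {"team": "payments"},
	}
	return LabelProviders{
		ClusterLabels:   func(id string) (map[string]string, bool) { l, ok := clusters[id]; return l, ok },
		NamespaceLabels: func(id, ns string) (map[string]string, bool) { l, ok := namespaces[id+"/"+ns]; return l, ok },
	}
}

func main() {
	p := SampleProviders()
	prodPCI := Scope{ClusterLabel: &KeyValue{"env", "prod"}, NamespaceLabel: &KeyValue{"pci", "true"}}
	fmt.Println(ValidateAuditEventScope(prodPCI))                                       // <nil>
	fmt.Println(MatchesAuditEvent(p, prodPCI, AuditEvent{"cluster-prod", "payments"}))    // true
	fmt.Println(MatchesAuditEvent(p, prodPCI, AuditEvent{"cluster-staging", "payments"})) // false
	fmt.Println(ValidateAuditEventScope(Scope{DeploymentLabel: &KeyValue{"app", "api"}})) // rejected
}
```

The fail-closed choice in the matchers matters for a policy engine: an audit event from a cluster or namespace the providers do not know should not satisfy a label scope, otherwise an event from an unregistered cluster would match every label-scoped policy.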

@AlexVulaj AlexVulaj requested a review from a team as a code owner April 16, 2026 18:34
@AlexVulaj AlexVulaj changed the title ROX-34157: Allow cluster/namespace label scopes on audit event policies ROX-34157: Allow label scopes on audit event policies Apr 16, 2026
@codecov

codecov bot commented Apr 16, 2026

Codecov Report

❌ Patch coverage is 73.33333% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.67%. Comparing base (745a6ff) to head (dd12183).

Files with missing lines | Patch % | Lines
pkg/scopecomp/scope.go | 71.42% | 2 Missing and 2 partials ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##           master   #20061   +/-   ##
=======================================
  Coverage   49.67%   49.67%           
=======================================
  Files        2765     2765           
  Lines      209039   209045    +6     
=======================================
+ Hits       103834   103844   +10     
+ Misses      97527    97520    -7     
- Partials     7678     7681    +3     
Flag | Coverage Δ
go-unit-tests | 49.67% <73.33%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.


@github-actions
Contributor

github-actions bot commented Apr 16, 2026

🚀 Build Images Ready

Images are ready for commit dd12183. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-674-gdd12183441

@AlexVulaj AlexVulaj self-assigned this Apr 16, 2026
@openshift-ci

openshift-ci bot commented Apr 16, 2026

@AlexVulaj: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name | Commit | Required | Rerun command
ci/prow/ocp-4-12-qa-e2e-tests | dd12183 (link) | false | /test ocp-4-12-qa-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
