Merge pull request #169 from Tomgrinds777/fix/container-level-exceptions

matthyx · web-flow · commit 80426b36e5c0 · 2026-05-13T15:29:18.000+02:00
feat(exceptions): support container-level exceptions via containerName attribute
diff --git a/exceptions/comparator.go b/exceptions/comparator.go
@@ -104,6 +104,41 @@ func (c *comparator) compareCluster(designatorCluster, clusterName string) bool
 	return designatorCluster != "" && c.regexCompare(designatorCluster, clusterName)
 }
 
+// compareContainerName reports whether containerName matches any of the
+// failing containers. If failingNames is provided, only those containers are
+// checked; otherwise every container and init-container in the workload is
+// inspected (used by callers that have no FailedPaths context).
+func (c *comparator) compareContainerName(workload workloadinterface.IMetadata, containerName string, failingNames []string) bool {
+	if len(failingNames) > 0 {
+		for _, name := range failingNames {
+			if c.regexCompare(containerName, name) {
+				return true
+			}
+		}
+		return false
+	}
+
+	wl := workloadinterface.NewWorkloadObj(workload.GetObject())
+
+	if containers, err := wl.GetContainers(); err == nil {
+		for i := range containers {
+			if c.regexCompare(containerName, containers[i].Name) {
+				return true
+			}
+		}
+	}
+
+	if initContainers, err := wl.GetInitContainers(); err == nil {
+		for i := range initContainers {
+			if c.regexCompare(containerName, initContainers[i].Name) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // regexpCompareI performs a case-insensitive regexp match
 func (c *comparator) regexCompareI(reg, name string) bool {
 	var (
diff --git a/exceptions/comparator_test.go b/exceptions/comparator_test.go
@@ -256,6 +256,88 @@ func TestComparator_comparePath(t *testing.T) {
 	}
 }
 
+func podObject(containers, initContainers []string) map[string]interface{} {
+	cs := make([]interface{}, len(containers))
+	for i, name := range containers {
+		cs[i] = map[string]interface{}{"name": name}
+	}
+	ics := make([]interface{}, len(initContainers))
+	for i, name := range initContainers {
+		ics[i] = map[string]interface{}{"name": name}
+	}
+	return map[string]interface{}{
+		"apiVersion": "v1",
+		"kind":       "Pod",
+		"metadata":   map[string]interface{}{"name": "test-pod", "namespace": "default"},
+		"spec": map[string]interface{}{
+			"containers":     cs,
+			"initContainers": ics,
+		},
+	}
+}
+
+func TestComparator_compareContainerName(t *testing.T) {
+	c := &comparator{}
+
+	tests := []struct {
+		name          string
+		workload      workloadinterface.IMetadata
+		containerName string
+		expected      bool
+	}{
+		{
+			name:          "exact match on regular container",
+			workload:      workloadinterface.NewWorkloadObj(podObject([]string{"app", "sidecar"}, nil)),
+			containerName: "app",
+			expected:      true,
+		},
+		{
+			name:          "exact match on init container",
+			workload:      workloadinterface.NewWorkloadObj(podObject([]string{"app"}, []string{"init-setup"})),
+			containerName: "init-setup",
+			expected:      true,
+		},
+		{
+			name:          "regex wildcard matches container",
+			workload:      workloadinterface.NewWorkloadObj(podObject([]string{"proxy-envoy"}, nil)),
+			containerName: "proxy-.*",
+			expected:      true,
+		},
+		{
+			name:          "no container name match",
+			workload:      workloadinterface.NewWorkloadObj(podObject([]string{"app"}, nil)),
+			containerName: "other",
+			expected:      false,
+		},
+		{
+			name:          "no containers at all",
+			workload:      workloadinterface.NewWorkloadObj(podObject(nil, nil)),
+			containerName: "app",
+			expected:      false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// nil failingNames → full workload scan (backward-compat path)
+			assert.Equal(t, tt.expected, c.compareContainerName(tt.workload, tt.containerName, nil))
+		})
+	}
+}
+
+func TestComparator_compareContainerName_failingNamesFilter(t *testing.T) {
+	c := &comparator{}
+	wl := workloadinterface.NewWorkloadObj(podObject([]string{"app", "sidecar"}, nil))
+
+	// When failingNames is ["app"], only "app" is a valid match.
+	assert.True(t, c.compareContainerName(wl, "app", []string{"app"}))
+	assert.False(t, c.compareContainerName(wl, "sidecar", []string{"app"}))
+
+	// When failingNames is ["sidecar"], only "sidecar" is a valid match.
+	assert.True(t, c.compareContainerName(wl, "sidecar", []string{"sidecar"}))
+	assert.False(t, c.compareContainerName(wl, "app", []string{"sidecar"}))
+}
+
 func TestIsTypeWorkload(t *testing.T) {
 	tests := []struct {
 		workload workloadinterface.IMetadata
diff --git a/exceptions/exceptionprocessor.go b/exceptions/exceptionprocessor.go
@@ -1,6 +1,8 @@
 package exceptions
 
 import (
+	"regexp"
+	"strconv"
 	"strings"
 
 	"github.com/armosec/armoapi-go/identifiers"
@@ -12,6 +14,10 @@ import (
 	"github.com/armosec/armoapi-go/armotypes"
 )
 
+// rexContainerPath matches "containers[N]" and "initContainers[N]" in a
+// FailedPath so we can resolve the container index to a name.
+var rexContainerPath = regexp.MustCompile(`(initC|c)ontainers\[(\d+)\]`)
+
 // Processor processes exceptions.
 type Processor struct {
 	*comparator
@@ -59,7 +65,11 @@ func (p *Processor) SetRuleResponsExceptions(results []reporthandling.RuleRespon
 		}
 
 		for w := range workloads {
-			if exceptions := p.GetResourceExceptions(ruleExceptions, workloads[w], clusterName); len(exceptions) > 0 {
+			// Resolve which containers actually produced the finding so that a
+			// containerName exception is only applied when the excepted container
+			// is the one that failed, not just any container in the pod.
+			failingContainerNames := extractFailingContainerNames(results[i].FailedPaths, workloads[w])
+			if exceptions := p.getResourceExceptions(ruleExceptions, workloads[w], clusterName, failingContainerNames); len(exceptions) > 0 {
 				results[i].Exception = &exceptions[0]
 			}
 		}
@@ -135,15 +145,21 @@ func alertObjectToWorkloads(obj *reporthandling.AlertObject) []workloadinterface
 	return resources[:len(resources):len(resources)]
 }
 
-// GetResourceException get exceptions of single resource
+// GetResourceExceptions returns the exception policies that match workload.
+// It checks container membership across the whole workload; use
+// SetRuleResponsExceptions when FailedPaths are available for precise matching.
 func (p *Processor) GetResourceExceptions(ruleExceptions []armotypes.PostureExceptionPolicy, workload workloadinterface.IMetadata, clusterName string) []armotypes.PostureExceptionPolicy {
+	return p.getResourceExceptions(ruleExceptions, workload, clusterName, nil)
+}
+
+func (p *Processor) getResourceExceptions(ruleExceptions []armotypes.PostureExceptionPolicy, workload workloadinterface.IMetadata, clusterName string, failingContainerNames []string) []armotypes.PostureExceptionPolicy {
 	// no pre-allocation since most of the time it's empty or has only one element
 	var postureExceptionPolicy []armotypes.PostureExceptionPolicy
 
 	for _, ruleException := range ruleExceptions {
 		for _, resourceToPin := range ruleException.Resources {
 			resource := resourceToPin
-			if p.hasException(clusterName, &resource, workload) {
+			if p.hasException(clusterName, &resource, workload, failingContainerNames) {
 				postureExceptionPolicy = append(postureExceptionPolicy, ruleException)
 			}
 		}
@@ -185,8 +201,7 @@ func (p *Processor) matchesCluster(attributes identifiers.AttributesDesignators,
 	return p.compareCluster(cluster, clusterName)
 }
 
-// compareMetadata - compare namespace and kind
-func (p *Processor) hasException(clusterName string, designator *identifiers.PortalDesignator, workload workloadinterface.IMetadata) bool {
+func (p *Processor) hasException(clusterName string, designator *identifiers.PortalDesignator, workload workloadinterface.IMetadata, failingContainerNames []string) bool {
 	attributes := p.getAttributes(designator)
 
 	if attributes.GetCluster() == "" && attributes.GetNamespace() == "" && attributes.GetKind() == "" && attributes.GetName() == "" && attributes.GetResourceID() == "" && attributes.GetPath() == "" && len(attributes.GetLabels()) == 0 {
@@ -198,16 +213,23 @@ func (p *Processor) hasException(clusterName string, designator *identifiers.Por
 	}
 
 	if isTypeRegoResponseVector(workload) {
-		if p.iterateRegoResponseVector(workload, attributes) {
+		if p.iterateRegoResponseVector(workload, attributes, failingContainerNames) {
 			return true
 		}
+		// If containerName is in the designator, stop here: the base
+		// RegoResponseVector object is not a workload, so container membership
+		// cannot be verified on it. Falling through would silently skip the
+		// container check and produce false positives.
+		if _, ok := attributes.GetLabels()[identifiers.AttributeContainerName]; ok {
+			return false
+		}
 		// otherwise, continue to check the base object
 	}
-	return p.metadataHasException(workload, attributes)
+	return p.metadataHasException(workload, attributes, failingContainerNames)
 
 }
 
-func (p *Processor) metadataHasException(workload workloadinterface.IMetadata, attributes identifiers.AttributesDesignators) bool {
+func (p *Processor) metadataHasException(workload workloadinterface.IMetadata, attributes identifiers.AttributesDesignators, failingContainerNames []string) bool {
 
 	if attributes.GetNamespace() != "" && !p.compareNamespace(workload, attributes.GetNamespace()) {
 		return false // namespaces do not match
@@ -229,20 +251,111 @@ func (p *Processor) metadataHasException(workload workloadinterface.IMetadata, a
 		return false // paths do not match
 	}
 
-	if isTypeWorkload(workload) && len(attributes.GetLabels()) > 0 {
-		if !p.compareLabels(workload, attributes.GetLabels()) && !p.compareAnnotations(workload, attributes.GetLabels()) {
-			return false // labels nor annotations do not match
+	if isTypeWorkload(workload) {
+		allLabels := attributes.GetLabels()
+		containerName, hasContainerName := allLabels[identifiers.AttributeContainerName]
+
+		// Build a label map with containerName stripped out so it is not
+		// treated as a Kubernetes label during label/annotation comparison.
+		labelsWithoutContainer := allLabels
+		if hasContainerName {
+			labelsWithoutContainer = make(map[string]string, len(allLabels)-1)
+			for k, v := range allLabels {
+				if k != identifiers.AttributeContainerName {
+					labelsWithoutContainer[k] = v
+				}
+			}
+		}
+
+		if len(labelsWithoutContainer) > 0 {
+			if !p.compareLabels(workload, labelsWithoutContainer) && !p.compareAnnotations(workload, labelsWithoutContainer) {
+				return false // labels nor annotations do not match
+			}
+		}
+
+		if hasContainerName && !p.compareContainerName(workload, containerName, failingContainerNames) {
+			return false // container name does not match
 		}
 	}
+
 	return true
 }
 
-func (p *Processor) iterateRegoResponseVector(workload workloadinterface.IMetadata, attributes identifiers.AttributesDesignators) bool {
+func (p *Processor) iterateRegoResponseVector(workload workloadinterface.IMetadata, attributes identifiers.AttributesDesignators, failingContainerNames []string) bool {
 	v := objectsenvelopes.NewRegoResponseVectorObject(workload.GetObject())
 	for _, r := range v.GetRelatedObjects() {
-		if p.metadataHasException(r, attributes) {
+		if p.metadataHasException(r, attributes, failingContainerNames) {
 			return true
 		}
 	}
 	return false
 }
+
+// extractFailingContainerNames parses paths like "spec.containers[0].…" or
+// "spec.template.spec.initContainers[1].…" to find which containers produced
+// the finding, then returns their names from the workload spec. When the
+// FailedPaths contain no container indices (e.g. pod-level findings) the
+// returned slice is nil and compareContainerName falls back to checking all
+// containers in the workload.
+//
+// For RegoResponseVector objects the vector itself carries no containers; the
+// containers live in the related objects. We recurse into each related workload
+// so that container-index resolution still works for vector-based findings.
+func extractFailingContainerNames(paths []string, workload workloadinterface.IMetadata) []string {
+	if len(paths) == 0 {
+		return nil
+	}
+
+	if isTypeRegoResponseVector(workload) {
+		v := objectsenvelopes.NewRegoResponseVectorObject(workload.GetObject())
+		seen := make(map[string]struct{})
+		for _, r := range v.GetRelatedObjects() {
+			for _, name := range extractFailingContainerNames(paths, r) {
+				seen[name] = struct{}{}
+			}
+		}
+		if len(seen) == 0 {
+			return nil
+		}
+		names := make([]string, 0, len(seen))
+		for name := range seen {
+			names = append(names, name)
+		}
+		return names
+	}
+
+	wl := workloadinterface.NewWorkloadObj(workload.GetObject())
+	containers, _ := wl.GetContainers()
+	initContainers, _ := wl.GetInitContainers()
+	if len(containers)+len(initContainers) == 0 {
+		return nil
+	}
+
+	seen := make(map[string]struct{})
+	for _, path := range paths {
+		for _, m := range rexContainerPath.FindAllStringSubmatch(path, -1) {
+			idx, err := strconv.Atoi(m[2])
+			if err != nil {
+				continue
+			}
+			if m[1] == "initC" {
+				if idx < len(initContainers) {
+					seen[initContainers[idx].Name] = struct{}{}
+				}
+			} else {
+				if idx < len(containers) {
+					seen[containers[idx].Name] = struct{}{}
+				}
+			}
+		}
+	}
+
+	if len(seen) == 0 {
+		return nil
+	}
+	names := make([]string, 0, len(seen))
+	for name := range seen {
+		names = append(names, name)
+	}
+	return names
+}
diff --git a/exceptions/exceptionprocessor_test.go b/exceptions/exceptionprocessor_test.go
