FWI-5232 Conditional expressions should be at very top of additionalSchemaStrings

[jslivka]

This PR fixes #1003

Checklist

• I have signed the CLA
• I have updated/added any relevant documentation

Description

Polaris checks utilize additionalSchemaStrings, an additional section of jsonschema that will only evaluate if the object conforms to schemaString. The conditional statements in additionalSchemaStrings need to be arranged in a manner such that when there's nothing to evaluate, the string is empty (not the object therein).

What's the goal of this PR?

Fix false positives reported when running the Polaris CLI for the following checks:

• clusterrolebindingClusterAdmin
• rolebindingClusterAdminClusterRole
• rolebindingClusterRolePodExecAttach
• rolebindingRolePodExecAttach

What changes did you make?

adjust the ordering of conditional expressions in additionalSchemaStrings:

e.g.

 additionalSchemaStrings:
   rbac.authorization.k8s.io/ClusterRole: |
-    type: object
-    # This schema is validated for all roleBindings, regardless of their roleRef.
     {{ if eq .roleRef.kind "ClusterRole" }}
     {{ if and (not (hasPrefix .metadata.name "system:")) (ne .metadata.name "gce:podsecuritypolicy:calico-sa") }}
+    # This schema is validated for all roleBindings, regardless of their roleRef.
+    type: object

so that there is not an empty object being evaluated, but rather an empty string

I've also added success test cases as a regression check

What alternative solution should we consider, if any?

[fairwinds-insights]

Fairwinds Insights Scan Results

View the Full Report

✅ No new Action Items detected!

[rbren]

For posterity, here's the line that makes this work:

polaris/pkg/config/schema.go

Line 243 in 0b765df

if strings.TrimSpace(templated) == "" {