Description

Problem (before)

Policy exclusions accept a Scope which includes cluster_label and namespace_label fields, however label matchers are not supported in exclusions and do not resolve at runtime.

If a user sets cluster_label or namespace_label on an exclusion scope:

• Validation passes without error
• At match time, MatchesClusterLabels/MatchesNamespaceLabels detects the nil provider and returns false
• The policy applies more broadly than intended - deployments the user expected to be excluded still trigger violations, but there is no user visible error.

Behavior (after)

• validateDeploymentExclusion rejects cluster_label and namespace_label on exclusion scopes with a clear user visible error message
• The nil-provider guard in MatchesClusterLabels/MatchesNamespaceLabels is upgraded from log.Error to utils.Should so that it panics in dev/test builds, logs in release. It is noted that this path is unreachable in production code.

User-facing documentation

• CHANGELOG.md is updated OR update is not needed
• documentation PR is created and is linked above OR is not needed

Testing and quality

• the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests
• added e2e tests
• added regression tests
• added compatibility tests
• modified existing tests

How I validated my change

CI + Manual

ksanchet@ksanchet-mac:~/go/src/github.com/stackrox/stackrox$ curl -k -X POST 'https://localhost:8000/v1/policies' \
>   -u 'admin:<password>' \
>   -H 'Content-Type: application/json' \
>   -d '{
>     "name": "My Test Policy",
>     "description": "Policy with cluster label exclusion",
>     "severity": "LOW_SEVERITY",
>     "categories": ["DevOps Best Practices"],
>     "lifecycleStages": ["DEPLOY"],
>     "eventSource": "NOT_APPLICABLE",
>     "policyVersion": "1.1",
>     "policySections": [
>       {
>         "policyGroups": [
>           {
>             "fieldName": "Image Registry",
>             "values": [
>               { "value": "docker.io" }
>             ]
>           }
>         ]
>       }
>     ],
>     "exclusions": [
>       {
>         "name": "Exclude by cluster label",
>         "deployment": {
>           "scope": {
>             "clusterLabel": {
>               "key": "env",
>               "value": "staging"
>             }
>           }
>         }
>       }
>     ]
>   }'
{"code":3,"message":"policy invalid error: exclusion scopes do not support cluster labels: invalid arguments","details":[],"error":"policy invalid error: exclusion scopes do not support cluster labels: invalid arguments"