Fix nil ptr error for rule 1001 (#628)

gardener-ci-robot · AleksandarSavchev · web-flow · commit 51d8aa6a1691 · 2025-10-23T13:12:39.000Z
Co-authored-by: Aleksandar Savchev &lt;aleksandar.savchev@sap.com&gt;
diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/rules/1001.go b/pkg/provider/garden/ruleset/securityhardenedshoot/rules/1001.go
@@ -113,8 +113,10 @@ func (r *Rule1001) Run(ctx context.Context) (rule.RuleResult, error) {
 		return rule.Result(r, rule.ErroredCheckResult("kubernetes version not found in cloudProfile", target)), nil
 	}
 
-	if checkResult, found := r.checkShootVersion(shoot.Spec.Kubernetes.Version, namespacedCloudProfile.Spec.Kubernetes.Versions, target); found {
-		return rule.Result(r, checkResult), nil
+	if namespacedCloudProfile.Spec.Kubernetes != nil {
+		if checkResult, found := r.checkShootVersion(shoot.Spec.Kubernetes.Version, namespacedCloudProfile.Spec.Kubernetes.Versions, target); found {
+			return rule.Result(r, checkResult), nil
+		}
 	}
 	if checkResult, found := r.checkShootVersion(shoot.Spec.Kubernetes.Version, namespacedCloudProfile.Status.CloudProfileSpec.Kubernetes.Versions, target); found {
 		return rule.Result(r, checkResult), nil
diff --git a/pkg/provider/garden/ruleset/securityhardenedshoot/rules/1001_test.go b/pkg/provider/garden/ruleset/securityhardenedshoot/rules/1001_test.go
@@ -282,6 +282,30 @@ var _ = Describe("#1001", func() {
 		),
 	)
 
+	It("should correctly use NamespacedCloudProfile status when Spec.Kubernetes is nil", func() {
+		nsCloudProfile.Spec.Kubernetes = nil
+		Expect(fakeClient.Update(ctx, nsCloudProfile)).To(Succeed())
+
+		shoot.Spec.CloudProfile = &gardencorev1beta1.CloudProfileReference{
+			Name: "foo",
+			Kind: "NamespacedCloudProfile",
+		}
+		shoot.Spec.Kubernetes.Version = "2"
+		Expect(fakeClient.Create(ctx, shoot)).To(Succeed())
+
+		r = &rules.Rule1001{
+			Client:         fakeClient,
+			ShootName:      shootName,
+			ShootNamespace: shootNamespace,
+		}
+
+		res, err := r.Run(ctx)
+		Expect(err).To(BeNil())
+		Expect(res).To(Equal(rule.RuleResult{RuleID: ruleID, RuleName: ruleName, Severity: severity, CheckResults: []rule.CheckResult{
+			{Status: rule.Passed, Message: "Shoot uses a Kubernetes version with an allowed classification.", Target: rule.NewTarget("version", "2", "classification", "supported")},
+		}}))
+	})
+
 	Describe("#ValidateOptions", func() {
 		It("should not error when options are correct", func() {
 			options := rules.Options1001{

Original file line number	Diff line number	Diff line change
`@@ -113,8 +113,10 @@ func (r *Rule1001) Run(ctx context.Context) (rule.RuleResult, error) {`
`113`	`113`	`return rule.Result(r, rule.ErroredCheckResult("kubernetes version not found in cloudProfile", target)), nil`
`114`	`114`	`}`
`115`	`115`
`116`		`- if checkResult, found := r.checkShootVersion(shoot.Spec.Kubernetes.Version, namespacedCloudProfile.Spec.Kubernetes.Versions, target); found {`
`117`		`- return rule.Result(r, checkResult), nil`
	`116`	`+ if namespacedCloudProfile.Spec.Kubernetes != nil {`
	`117`	`+ if checkResult, found := r.checkShootVersion(shoot.Spec.Kubernetes.Version, namespacedCloudProfile.Spec.Kubernetes.Versions, target); found {`
	`118`	`+ return rule.Result(r, checkResult), nil`
	`119`	`+ }`
`118`	`120`	`}`
`119`	`121`	`if checkResult, found := r.checkShootVersion(shoot.Spec.Kubernetes.Version, namespacedCloudProfile.Status.CloudProfileSpec.Kubernetes.Versions, target); found {`
`120`	`122`	`return rule.Result(r, checkResult), nil`