2022-05-16 16:36:21 +02:00
|
|
|
package resource
|
|
|
|
|
|
|
|
|
|
import (
|
2022-11-17 16:17:52 +01:00
|
|
|
"context"
|
2022-11-08 10:35:08 +01:00
|
|
|
"errors"
|
2024-01-27 21:00:22 +08:00
|
|
|
"fmt"
|
|
|
|
|
"strings"
|
2024-03-29 19:07:15 +05:30
|
|
|
"sync"
|
2022-05-16 16:36:21 +02:00
|
|
|
"time"
|
|
|
|
|
|
2024-04-17 09:46:18 +02:00
|
|
|
"github.com/alitto/pond"
|
2022-05-16 16:36:21 +02:00
|
|
|
"github.com/go-logr/logr"
|
|
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
2022-09-07 06:01:43 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
2023-02-22 18:49:09 +08:00
|
|
|
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
|
|
|
|
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
2024-06-20 11:44:43 +02:00
|
|
|
kyvernov2listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2"
|
2022-08-31 14:03:47 +08:00
|
|
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
2022-05-16 16:36:21 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/config"
|
2024-06-25 05:16:30 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/d4f"
|
2023-01-31 08:46:38 +01:00
|
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
2023-04-13 13:29:40 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
2024-03-29 19:07:15 +05:30
|
|
|
"github.com/kyverno/kyverno/pkg/engine/policycontext"
|
2022-05-16 16:36:21 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/event"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/metrics"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/policycache"
|
|
|
|
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
2022-12-21 21:30:45 +01:00
|
|
|
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
2022-05-16 16:36:21 +02:00
|
|
|
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/webhooks"
|
2023-04-04 07:11:18 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
2022-09-09 15:05:57 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/webhooks/resource/imageverification"
|
2022-09-09 12:48:29 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/webhooks/resource/mutation"
|
2022-09-09 09:52:38 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/webhooks/resource/validation"
|
2022-05-16 16:36:21 +02:00
|
|
|
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
2022-09-01 16:52:36 +02:00
|
|
|
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
2023-03-13 15:44:39 +01:00
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
2022-05-17 17:51:03 +02:00
|
|
|
corev1listers "k8s.io/client-go/listers/core/v1"
|
2022-05-16 16:36:21 +02:00
|
|
|
)
|
|
|
|
|
|
2023-04-04 07:11:18 +02:00
|
|
|
type resourceHandlers struct {
|
2022-05-16 16:36:21 +02:00
|
|
|
// clients
|
2022-05-17 16:40:51 +02:00
|
|
|
client dclient.Interface
|
2022-09-07 06:01:43 +02:00
|
|
|
kyvernoClient versioned.Interface
|
2023-02-02 11:58:34 +01:00
|
|
|
engine engineapi.Engine
|
2022-05-16 16:36:21 +02:00
|
|
|
|
|
|
|
|
// config
|
|
|
|
|
configuration config.Configuration
|
2022-11-30 14:37:53 +01:00
|
|
|
metricsConfig metrics.MetricsConfigManager
|
2022-05-16 16:36:21 +02:00
|
|
|
|
|
|
|
|
// cache
|
|
|
|
|
pCache policycache.Cache
|
|
|
|
|
|
|
|
|
|
// listers
|
2023-02-22 18:49:09 +08:00
|
|
|
nsLister corev1listers.NamespaceLister
|
2024-06-20 11:44:43 +02:00
|
|
|
urLister kyvernov2listers.UpdateRequestNamespaceLister
|
2023-02-22 18:49:09 +08:00
|
|
|
cpolLister kyvernov1listers.ClusterPolicyLister
|
|
|
|
|
polLister kyvernov1listers.PolicyLister
|
2022-05-16 16:36:21 +02:00
|
|
|
|
2023-09-27 18:21:47 +02:00
|
|
|
urGenerator webhookgenerate.Generator
|
|
|
|
|
eventGen event.Interface
|
|
|
|
|
pcBuilder webhookutils.PolicyContextBuilder
|
2022-09-28 13:45:16 +02:00
|
|
|
|
2023-04-05 13:50:29 +02:00
|
|
|
admissionReports bool
|
2023-12-19 14:25:12 +08:00
|
|
|
backgroundServiceAccountName string
|
2024-04-17 09:46:18 +02:00
|
|
|
auditPool *pond.WorkerPool
|
2024-06-25 05:16:30 +02:00
|
|
|
reportsBreaker d4f.Breaker
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewHandlers(
|
2023-02-02 11:58:34 +01:00
|
|
|
engine engineapi.Engine,
|
2022-05-17 16:40:51 +02:00
|
|
|
client dclient.Interface,
|
2022-09-07 06:01:43 +02:00
|
|
|
kyvernoClient versioned.Interface,
|
2022-05-16 16:36:21 +02:00
|
|
|
configuration config.Configuration,
|
2022-11-30 14:37:53 +01:00
|
|
|
metricsConfig metrics.MetricsConfigManager,
|
2022-05-16 16:36:21 +02:00
|
|
|
pCache policycache.Cache,
|
2022-05-17 17:51:03 +02:00
|
|
|
nsLister corev1listers.NamespaceLister,
|
2024-06-20 11:44:43 +02:00
|
|
|
urLister kyvernov2listers.UpdateRequestNamespaceLister,
|
2023-02-22 18:49:09 +08:00
|
|
|
cpolInformer kyvernov1informers.ClusterPolicyInformer,
|
|
|
|
|
polInformer kyvernov1informers.PolicyInformer,
|
2022-05-23 16:39:12 +02:00
|
|
|
urGenerator webhookgenerate.Generator,
|
2022-05-16 16:36:21 +02:00
|
|
|
eventGen event.Interface,
|
2022-09-28 13:45:16 +02:00
|
|
|
admissionReports bool,
|
2023-12-19 14:25:12 +08:00
|
|
|
backgroundServiceAccountName string,
|
2023-04-13 13:29:40 +02:00
|
|
|
jp jmespath.Interface,
|
2024-04-17 09:46:18 +02:00
|
|
|
maxAuditWorkers int,
|
|
|
|
|
maxAuditCapacity int,
|
2024-06-25 05:16:30 +02:00
|
|
|
reportsBreaker d4f.Breaker,
|
2022-09-26 17:55:46 +02:00
|
|
|
) webhooks.ResourceHandlers {
|
2023-04-04 07:11:18 +02:00
|
|
|
return &resourceHandlers{
|
2023-04-05 13:50:29 +02:00
|
|
|
engine: engine,
|
|
|
|
|
client: client,
|
|
|
|
|
kyvernoClient: kyvernoClient,
|
|
|
|
|
configuration: configuration,
|
|
|
|
|
metricsConfig: metricsConfig,
|
|
|
|
|
pCache: pCache,
|
|
|
|
|
nsLister: nsLister,
|
|
|
|
|
urLister: urLister,
|
|
|
|
|
cpolLister: cpolInformer.Lister(),
|
|
|
|
|
polLister: polInformer.Lister(),
|
|
|
|
|
urGenerator: urGenerator,
|
|
|
|
|
eventGen: eventGen,
|
2023-04-13 13:29:40 +02:00
|
|
|
pcBuilder: webhookutils.NewPolicyContextBuilder(configuration, jp),
|
2023-04-05 13:50:29 +02:00
|
|
|
admissionReports: admissionReports,
|
2023-12-19 14:25:12 +08:00
|
|
|
backgroundServiceAccountName: backgroundServiceAccountName,
|
2024-04-17 09:46:18 +02:00
|
|
|
auditPool: pond.New(maxAuditWorkers, maxAuditCapacity, pond.Strategy(pond.Lazy())),
|
2024-06-25 05:16:30 +02:00
|
|
|
reportsBreaker: reportsBreaker,
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-04 07:11:18 +02:00
|
|
|
func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
2022-05-16 16:36:21 +02:00
|
|
|
kind := request.Kind.Kind
|
2024-01-27 21:00:22 +08:00
|
|
|
logger = logger.WithValues("kind", kind).WithValues("URLParams", request.URLParams)
|
2022-09-01 17:48:14 +02:00
|
|
|
logger.V(4).Info("received an admission request in validating webhook")
|
2022-05-16 16:36:21 +02:00
|
|
|
|
2024-01-27 21:00:22 +08:00
|
|
|
policies, mutatePolicies, generatePolicies, _, err := h.retrieveAndCategorizePolicies(ctx, logger, request, failurePolicy, false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errorResponse(logger, request.UID, err, "failed to fetch policy with key")
|
|
|
|
|
}
|
2022-05-16 16:36:21 +02:00
|
|
|
|
|
|
|
|
if len(policies) == 0 && len(mutatePolicies) == 0 && len(generatePolicies) == 0 {
|
2022-09-01 17:48:14 +02:00
|
|
|
logger.V(4).Info("no policies matched admission request")
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
|
|
|
|
|
2022-09-01 17:48:14 +02:00
|
|
|
logger.V(4).Info("processing policies for validate admission request", "validate", len(policies), "mutate", len(mutatePolicies), "generate", len(generatePolicies))
|
2022-05-16 16:36:21 +02:00
|
|
|
|
2024-06-25 05:16:30 +02:00
|
|
|
vh := validation.NewValidationHandler(
|
|
|
|
|
logger,
|
|
|
|
|
h.kyvernoClient,
|
|
|
|
|
h.engine,
|
|
|
|
|
h.pCache,
|
|
|
|
|
h.pcBuilder,
|
|
|
|
|
h.eventGen,
|
|
|
|
|
h.admissionReports,
|
|
|
|
|
h.metricsConfig,
|
|
|
|
|
h.configuration,
|
|
|
|
|
h.nsLister,
|
|
|
|
|
h.reportsBreaker,
|
|
|
|
|
)
|
2024-04-17 09:46:18 +02:00
|
|
|
var wg sync.WaitGroup
|
|
|
|
|
var ok bool
|
|
|
|
|
var msg string
|
|
|
|
|
var warnings []string
|
|
|
|
|
wg.Add(1)
|
|
|
|
|
go func() {
|
|
|
|
|
defer wg.Done()
|
|
|
|
|
ok, msg, warnings = vh.HandleValidationEnforce(ctx, request, policies, startTime)
|
|
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
go h.auditPool.Submit(func() {
|
|
|
|
|
vh.HandleValidationAudit(ctx, request)
|
|
|
|
|
})
|
|
|
|
|
if !admissionutils.IsDryRun(request.AdmissionRequest) {
|
|
|
|
|
h.handleBackgroundApplies(ctx, logger, request, generatePolicies, mutatePolicies, startTime, nil)
|
|
|
|
|
}
|
|
|
|
|
if len(policies) == 0 {
|
|
|
|
|
return admissionutils.ResponseSuccess(request.UID)
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
|
|
|
|
|
2024-04-17 09:46:18 +02:00
|
|
|
wg.Wait()
|
2022-05-16 16:36:21 +02:00
|
|
|
if !ok {
|
|
|
|
|
logger.Info("admission request denied")
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.Response(request.UID, errors.New(msg), warnings...)
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
2024-04-17 09:46:18 +02:00
|
|
|
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.ResponseSuccess(request.UID, warnings...)
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
|
|
|
|
|
2023-04-04 07:11:18 +02:00
|
|
|
func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
2022-05-16 16:36:21 +02:00
|
|
|
kind := request.Kind.Kind
|
2024-01-27 21:00:22 +08:00
|
|
|
logger = logger.WithValues("kind", kind).WithValues("URLParams", request.URLParams)
|
2022-09-01 17:48:14 +02:00
|
|
|
logger.V(4).Info("received an admission request in mutating webhook")
|
2024-01-27 21:00:22 +08:00
|
|
|
|
|
|
|
|
_, mutatePolicies, _, verifyImagesPolicies, err := h.retrieveAndCategorizePolicies(ctx, logger, request, failurePolicy, true)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errorResponse(logger, request.UID, err, "failed to fetch policy with key")
|
|
|
|
|
}
|
2022-05-16 16:36:21 +02:00
|
|
|
if len(mutatePolicies) == 0 && len(verifyImagesPolicies) == 0 {
|
2022-09-01 17:48:14 +02:00
|
|
|
logger.V(4).Info("no policies matched mutate admission request")
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.ResponseSuccess(request.UID)
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
2022-09-01 17:48:14 +02:00
|
|
|
logger.V(4).Info("processing policies for mutate admission request", "mutatePolicies", len(mutatePolicies), "verifyImagesPolicies", len(verifyImagesPolicies))
|
2023-04-04 12:23:20 +02:00
|
|
|
policyContext, err := h.pcBuilder.Build(request.AdmissionRequest, request.Roles, request.ClusterRoles, request.GroupVersionKind)
|
2022-05-16 16:36:21 +02:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to build policy context")
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.Response(request.UID, err)
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
2023-09-27 18:21:47 +02:00
|
|
|
mh := mutation.NewMutationHandler(logger, h.engine, h.eventGen, h.nsLister, h.metricsConfig)
|
2023-04-04 07:11:18 +02:00
|
|
|
mutatePatches, mutateWarnings, err := mh.HandleMutation(ctx, request.AdmissionRequest, mutatePolicies, policyContext, startTime)
|
2022-08-02 07:54:02 -07:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "mutation failed")
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.Response(request.UID, err)
|
2022-08-02 07:54:02 -07:00
|
|
|
}
|
2023-04-04 07:11:18 +02:00
|
|
|
newRequest := patchRequest(mutatePatches, request.AdmissionRequest, logger)
|
2022-10-18 14:08:28 +05:30
|
|
|
// rebuild context to process images updated via mutate policies
|
2023-04-04 12:23:20 +02:00
|
|
|
policyContext, err = h.pcBuilder.Build(newRequest, request.Roles, request.ClusterRoles, request.GroupVersionKind)
|
2022-10-18 14:08:28 +05:30
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to build policy context")
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.Response(request.UID, err)
|
2022-10-18 14:08:28 +05:30
|
|
|
}
|
2024-06-25 05:16:30 +02:00
|
|
|
ivh := imageverification.NewImageVerificationHandler(
|
|
|
|
|
logger,
|
|
|
|
|
h.kyvernoClient,
|
|
|
|
|
h.engine,
|
|
|
|
|
h.eventGen,
|
|
|
|
|
h.admissionReports,
|
|
|
|
|
h.configuration,
|
|
|
|
|
h.nsLister,
|
|
|
|
|
h.reportsBreaker,
|
|
|
|
|
)
|
2023-04-04 07:11:18 +02:00
|
|
|
imagePatches, imageVerifyWarnings, err := ivh.Handle(ctx, newRequest, verifyImagesPolicies, policyContext)
|
2022-05-16 16:36:21 +02:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "image verification failed")
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.Response(request.UID, err)
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
2022-07-10 20:56:31 -07:00
|
|
|
patch := jsonutils.JoinPatches(mutatePatches, imagePatches)
|
2022-11-08 10:35:08 +01:00
|
|
|
var warnings []string
|
|
|
|
|
warnings = append(warnings, mutateWarnings...)
|
|
|
|
|
warnings = append(warnings, imageVerifyWarnings...)
|
2022-11-30 16:37:42 +01:00
|
|
|
return admissionutils.MutationResponse(request.UID, patch, warnings...)
|
2022-05-16 16:36:21 +02:00
|
|
|
}
|
|
|
|
|
|
2024-01-27 21:00:22 +08:00
|
|
|
func (h *resourceHandlers) retrieveAndCategorizePolicies(
|
|
|
|
|
ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, mutation bool) (
|
|
|
|
|
[]kyvernov1.PolicyInterface, []kyvernov1.PolicyInterface, []kyvernov1.PolicyInterface, []kyvernov1.PolicyInterface, error,
|
|
|
|
|
) {
|
|
|
|
|
var policies, mutatePolicies, generatePolicies, imageVerifyValidatePolicies []kyvernov1.PolicyInterface
|
|
|
|
|
if request.URLParams == "" {
|
|
|
|
|
gvr := schema.GroupVersionResource(request.Resource)
|
|
|
|
|
policies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.ValidateEnforce, gvr, request.SubResource, request.Namespace)...)
|
|
|
|
|
mutatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.Mutate, gvr, request.SubResource, request.Namespace)...)
|
|
|
|
|
generatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.Generate, gvr, request.SubResource, request.Namespace)...)
|
|
|
|
|
if mutation {
|
|
|
|
|
imageVerifyValidatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesMutate, gvr, request.SubResource, request.Namespace)...)
|
|
|
|
|
} else {
|
|
|
|
|
imageVerifyValidatePolicies = filterPolicies(ctx, failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesValidate, gvr, request.SubResource, request.Namespace)...)
|
|
|
|
|
policies = append(policies, imageVerifyValidatePolicies...)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
meta := strings.Split(request.URLParams, "/")
|
|
|
|
|
polName := meta[1]
|
|
|
|
|
polNamespace := ""
|
|
|
|
|
|
|
|
|
|
if len(meta) >= 3 {
|
|
|
|
|
polNamespace = meta[1]
|
|
|
|
|
polName = meta[2]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var policy kyvernov1.PolicyInterface
|
|
|
|
|
var err error
|
|
|
|
|
if polNamespace == "" {
|
|
|
|
|
policy, err = h.cpolLister.Get(polName)
|
|
|
|
|
} else {
|
|
|
|
|
policy, err = h.polLister.Policies(polNamespace).Get(polName)
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, nil, nil, fmt.Errorf("key %s/%s: %v", polNamespace, polName, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filteredPolicies := filterPolicies(ctx, failurePolicy, policy)
|
|
|
|
|
if len(filteredPolicies) == 0 {
|
|
|
|
|
logger.V(4).Info("no policy found with key", "namespace", polNamespace, "name", polName)
|
|
|
|
|
return nil, nil, nil, nil, nil
|
|
|
|
|
}
|
|
|
|
|
policy = filteredPolicies[0]
|
|
|
|
|
spec := policy.GetSpec()
|
|
|
|
|
if spec.HasValidate() {
|
|
|
|
|
policies = append(policies, policy)
|
|
|
|
|
}
|
|
|
|
|
if spec.HasGenerate() {
|
|
|
|
|
generatePolicies = append(generatePolicies, policy)
|
|
|
|
|
}
|
|
|
|
|
if spec.HasMutate() {
|
|
|
|
|
mutatePolicies = append(mutatePolicies, policy)
|
|
|
|
|
}
|
|
|
|
|
if spec.HasVerifyImages() {
|
|
|
|
|
policies = append(policies, policy)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return policies, mutatePolicies, generatePolicies, imageVerifyValidatePolicies, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-29 19:07:15 +05:30
|
|
|
func (h *resourceHandlers) buildPolicyContextFromAdmissionRequest(logger logr.Logger, request handlers.AdmissionRequest) (*policycontext.PolicyContext, error) {
|
|
|
|
|
policyContext, err := h.pcBuilder.Build(request.AdmissionRequest, request.Roles, request.ClusterRoles, request.GroupVersionKind)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
namespaceLabels := make(map[string]string)
|
|
|
|
|
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
|
|
|
|
namespaceLabels = engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger)
|
|
|
|
|
}
|
|
|
|
|
policyContext = policyContext.WithNamespaceLabels(namespaceLabels)
|
|
|
|
|
return policyContext, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-12 17:36:12 +02:00
|
|
|
func filterPolicies(ctx context.Context, failurePolicy string, policies ...kyvernov1.PolicyInterface) []kyvernov1.PolicyInterface {
|
2022-09-26 17:55:46 +02:00
|
|
|
var results []kyvernov1.PolicyInterface
|
|
|
|
|
for _, policy := range policies {
|
|
|
|
|
if failurePolicy == "fail" {
|
2023-06-12 17:36:12 +02:00
|
|
|
if policy.GetSpec().GetFailurePolicy(ctx) == kyvernov1.Fail {
|
2022-09-26 17:55:46 +02:00
|
|
|
results = append(results, policy)
|
|
|
|
|
}
|
|
|
|
|
} else if failurePolicy == "ignore" {
|
2023-06-12 17:36:12 +02:00
|
|
|
if policy.GetSpec().GetFailurePolicy(ctx) == kyvernov1.Ignore {
|
2022-09-26 17:55:46 +02:00
|
|
|
results = append(results, policy)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
results = append(results, policy)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return results
|
|
|
|
|
}
|
