2023-01-30 15:49:44 +01:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
|
2023-02-10 21:14:34 +01:00
|
|
|
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
2023-01-30 15:49:44 +01:00
|
|
|
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
|
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
|
|
|
"k8s.io/pod-security-admission/api"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// PodSecurityChecks details about pod securty checks
|
|
|
|
|
type PodSecurityChecks struct {
|
|
|
|
|
// Level is the pod security level
|
|
|
|
|
Level api.Level
|
|
|
|
|
// Version is the pod security version
|
|
|
|
|
Version string
|
|
|
|
|
// Checks contains check result details
|
|
|
|
|
Checks []pssutils.PSSCheckResult
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// RuleResponse details for each rule application
|
|
|
|
|
type RuleResponse struct {
|
|
|
|
|
// Name is the rule name specified in policy
|
|
|
|
|
Name string
|
|
|
|
|
// Type is the rule type (Mutation,Generation,Validation) for Kyverno Policy
|
|
|
|
|
Type RuleType
|
|
|
|
|
// Message is the message response from the rule application
|
|
|
|
|
Message string
|
|
|
|
|
// Patches are JSON patches, for mutation rules
|
|
|
|
|
Patches [][]byte
|
|
|
|
|
// GeneratedResource is the generated by the generate rules of a policy
|
|
|
|
|
GeneratedResource unstructured.Unstructured
|
|
|
|
|
// Status rule status
|
|
|
|
|
Status RuleStatus
|
2023-02-10 20:35:55 +01:00
|
|
|
// Stats contains rule statistics
|
|
|
|
|
Stats ExecutionStats
|
2023-01-30 15:49:44 +01:00
|
|
|
// PatchedTarget is the patched resource for mutate.targets
|
|
|
|
|
PatchedTarget *unstructured.Unstructured
|
|
|
|
|
// PatchedTargetSubresourceName is the name of the subresource which is patched, empty if the resource patched is not a subresource.
|
|
|
|
|
PatchedTargetSubresourceName string
|
|
|
|
|
// PatchedTargetParentResourceGVR is the GVR of the parent resource of the PatchedTarget. This is only populated when PatchedTarget is a subresource.
|
|
|
|
|
PatchedTargetParentResourceGVR metav1.GroupVersionResource
|
|
|
|
|
// PodSecurityChecks contains pod security checks (only if this is a pod security rule)
|
|
|
|
|
PodSecurityChecks *PodSecurityChecks
|
2023-02-10 21:14:34 +01:00
|
|
|
// Exception is the exception applied (if any)
|
|
|
|
|
Exception *kyvernov2alpha1.PolicyException
|
2023-01-30 15:49:44 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// HasStatus checks if rule status is in a given list
|
|
|
|
|
func (r RuleResponse) HasStatus(status ...RuleStatus) bool {
|
|
|
|
|
for _, s := range status {
|
|
|
|
|
if r.Status == s {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// String implements Stringer interface
|
|
|
|
|
func (r RuleResponse) String() string {
|
|
|
|
|
return fmt.Sprintf("rule %s (%s): %v", r.Name, r.Type, r.Message)
|
|
|
|
|
}
|
