mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/pkg/webhooks/generation.go

233 lines
7.3 KiB
Go
Raw Normal View History

538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
package webhooks
import (
Add Policy Report (#1229) * add report in cli * policy report crd added * policy report added * configmap added * added jobs * added jobs * bug fixed * added logic for cli * common function added * sub command added for policy report * subcommand added for report * common package changed * configmap added * added logic for kyverno cli * added logic for jobs * added logic for jobs * added logic for jobs * added logic for cli * buf fix * cli changes * count bug fix * docs added for command * go fmt * refactor codebase * remove policy controller for policyreport * policy report removed * bug fixes * bug fixes * added job trigger if needed * job deletation logic added * build failed fix * fixed e2e test * remove hard coded variables * packages adde * improvment added in jobs sheduler * policy report yaml added * cronjob added * small fixes * remove background sync * documentation added for report command * remove extra log * small improvement * tested policy report * revert hardcoded changes * changes for demo * demo changes * resource aggrigation added * More changes * More changes * - resolve PR comments; - refactor jobs controller * set rbac for jobs * add clean up in job controller * add short names * remove application scope for policyreport * move job controller to policyreport * add report logic in command apply * - update policy report types; - upgrade k8s library; - update code gen * temporarily comment out code to pass CI build * generate / update policyreport to cluster * add unit test for CLI report * add test for apply - generate policy report * fix unit test * - remove job controller; - remove in-memory configmap; - clean up kustomize manifest * remove dependency * add reportRequest / clusterReportRequest * clean up policy report * generate report request * update crd clusterReportRequest * - update json tag of report summary; - update definition manifests; - fix dclient creation * aggregate reportRequest into policy report * fix unit tests * - update report summary to optional; - generate clusterPolicyReport; - remove reportRequests after merged to report * remove * generate reportRequest in kyverno namespace * update resource filter in helm chart * - rename reportRequest to reportChangeRequest; -rename clusterReportRequest to clusterReportChangeRequest * generate policy report in background scan * skip generating report change request if there's entry results * fix results entry removal when policy / rule gets deleted * rename apiversion from policy.kubernetes.io to policy.k8s.io * update summary.* to lower case * move reportChangeRequest to kyverno.io/v1alpha1 * remove policy report flag * fix report update * clean up policy violation CRD * remove violation CRD from manifest * clean up policy violation code - remove pvGenerator * change severity fields to lower case * update import library * set report category Co-authored-by: Yuvraj <yuvraj.yad001@gmail.com> Co-authored-by: Yuvraj <10830562+evalsocket@users.noreply.github.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-11-09 11:26:12 -08:00
contextdefault "context"
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
"fmt"
Generate policy does not work on namespace update (#1085) * added logic for handling generate request * generate rules added * added label condition for generate * remove extra logs * remove extra logs * buf fixed * bug fixed * added logic for delete gr * log fixed * documentation changed * remove best practices changes * bug fix * added best pratice
2020-08-31 23:55:13 +05:30
"reflect"
"sort"
"strings"
"time"
update nirmata/kyverno to kyverno/kyverno
2020-10-07 11:12:31 -07:00
Fix invalid failure event for generate policy (#1413) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo * fix invalid generate failure event
2020-12-22 11:07:31 -08:00
"github.com/go-logr/logr"
update nirmata/kyverno to kyverno/kyverno
2020-10-07 11:12:31 -07:00
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/event"
1319 fix throttling (#1348) * fix policy status and generate controller issues * shorten ACTION column name * update logs * improve naming * add temp logs for troubleshooting * cleanup logs * apply generate policy to old & new resource in webhook * cleanup log messages * cleanup log messages * cleanup log messages * fix clean up of policy report in init container Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-12-01 12:30:08 -08:00
kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
update nirmata/kyverno to kyverno/kyverno
2020-10-07 11:12:31 -07:00
"github.com/kyverno/kyverno/pkg/webhooks/generate"
v1beta1 "k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
1345 use GR lister (#1387) * improved log message * added lister for GR * added label to GR * added wait for cache is sync
2020-12-15 04:22:13 +05:30
"k8s.io/apimachinery/pkg/labels"
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
)
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2
2020-01-24 12:05:53 -08:00
//HandleGenerate handles admission-requests for policies with generate rules
Add go fmt (#1055) * remove empty flag * format code * revert change in install.yaml
2020-08-14 12:21:06 -07:00
func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []*kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo, dynamicConfig config.Interface) {
logs & access
2020-03-17 11:05:20 -07:00
logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
logger.V(4).Info("incoming request")
update validation logic
2020-12-23 15:10:07 -08:00
var engineResponses []*response.EngineResponse
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description
2020-07-02 12:49:10 -07:00
if len(policies) == 0 {
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
return
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description
2020-07-02 12:49:10 -07:00
}
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
// convert RAW to unstructured
1319 fix throttling (#1348) * fix policy status and generate controller issues * shorten ACTION column name * update logs * improve naming * add temp logs for troubleshooting * cleanup logs * apply generate policy to old & new resource in webhook * cleanup log messages * cleanup log messages * cleanup log messages * fix clean up of policy report in init container Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-12-01 12:30:08 -08:00
new, old, err := kyvernoutils.ExtractResources(nil, request)
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
if err != nil {
1319 fix throttling (#1348) * fix policy status and generate controller issues * shorten ACTION column name * update logs * improve naming * add temp logs for troubleshooting * cleanup logs * apply generate policy to old & new resource in webhook * cleanup log messages * cleanup log messages * cleanup log messages * fix clean up of policy report in init container Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-12-01 12:30:08 -08:00
logger.Error(err, "failed to extract resource")
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
}
policyContext := engine.PolicyContext{
filter resources excluded in config (#1404)
2020-12-16 12:29:16 -08:00
NewResource: new,
OldResource: old,
AdmissionInfo: userRequestInfo,
ExcludeGroupRole: dynamicConfig.GetExcludeGroupRole(),
ExcludeResourceFunc: ws.configHandler.ToFilter,
ResourceCache: ws.resCache,
JSONContext: ctx,
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
}
for _, policy := range policies {
Fix invalid failure event for generate policy (#1413) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo * fix invalid generate failure event
2020-12-22 11:07:31 -08:00
var rules []response.RuleResponse
Bugfix/659 support wildcards for namespaces (#871) * - support wildcards for namespaces * do not annotate resource, unless policy is an autogen policy * close HTTP body * improve messages * remove policy store Policy store was not fully implemented and simply provided a way to list all polices and get a policy by name, which can be done via standard client-go interfaces. We need to revisit and design a better PolicyStore that provides fast lookups for matching policies based on names, namespaces, etc. * handle wildcard namespaces in background processing * fix unit tests 1) remove platform dependent path usage 2) remove policy store * add test case for mutate with wildcard namespaces
2020-05-26 10:36:56 -07:00
policyContext.Policy = *policy
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2
2020-01-24 12:05:53 -08:00
engineResponse := engine.Generate(policyContext)
Reconcile Generate request on policy update (#1096) * policy report crd added * added namespaced rule * remove extra field from crd * revert crd change * remove policy report chnages * remove policy report chnages * remove policy report chnages * remove policy report chnages * added logic for gr * revert changes * fixed generate rules * fixed generate rules * fixed generate rules * fixed generate rules * remove extra logs * remove extra logs * fixed e2e test * remove extra logs * crd issue resolved * added check for sync * add labels update * add label update * added permission to role * roles added to helm * roles added to helm
2020-09-04 03:04:23 +05:30
for _, rule := range engineResponse.PolicyResponse.Rules {
Generate policy does not work on namespace update (#1085) * added logic for handling generate request * generate rules added * added label condition for generate * remove extra logs * remove extra logs * buf fixed * bug fixed * added logic for delete gr * log fixed * documentation changed * remove best practices changes * bug fix * added best pratice
2020-08-31 23:55:13 +05:30
if !rule.Success {
filter resources excluded in config (#1404)
2020-12-16 12:29:16 -08:00
ws.deleteGR(logger, engineResponse)
continue
Generate policy does not work on namespace update (#1085) * added logic for handling generate request * generate rules added * added label condition for generate * remove extra logs * remove extra logs * buf fixed * bug fixed * added logic for delete gr * log fixed * documentation changed * remove best practices changes * bug fix * added best pratice
2020-08-31 23:55:13 +05:30
}
filter resources excluded in config (#1404)
2020-12-16 12:29:16 -08:00
rules = append(rules, rule)
Generate policy does not work on namespace update (#1085) * added logic for handling generate request * generate rules added * added label condition for generate * remove extra logs * remove extra logs * buf fixed * bug fixed * added logic for delete gr * log fixed * documentation changed * remove best practices changes * bug fix * added best pratice
2020-08-31 23:55:13 +05:30
}
Reconcile Generate request on policy update (#1096) * policy report crd added * added namespaced rule * remove extra field from crd * revert crd change * remove policy report chnages * remove policy report chnages * remove policy report chnages * remove policy report chnages * added logic for gr * revert changes * fixed generate rules * fixed generate rules * fixed generate rules * fixed generate rules * remove extra logs * remove extra logs * fixed e2e test * remove extra logs * crd issue resolved * added check for sync * add labels update * add label update * added permission to role * roles added to helm * roles added to helm
2020-09-04 03:04:23 +05:30
if len(rules) > 0 {
engineResponse.PolicyResponse.Rules = rules
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
// some generate rules do apply to the resource
engineResponses = append(engineResponses, engineResponse)
1319 fix throttling (#1341) * fix policy status and generate controller issues * shorten ACTION column name * update logs Co-authored-by: Shuting Zhao <shutting06@gmail.com>
2020-11-30 11:22:20 -08:00
ws.statusListener.Update(generateStats{
527 redesigned implementation so that package variables are not used across packages
2020-03-04 15:45:20 +05:30
resp: engineResponse,
527 renamed package and send listner instead of entire sync object
2020-03-07 12:53:37 +05:30
})
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
}
Generate policy does not work on namespace update (#1085) * added logic for handling generate request * generate rules added * added label condition for generate * remove extra logs * remove extra logs * buf fixed * bug fixed * added logic for delete gr * log fixed * documentation changed * remove best practices changes * bug fix * added best pratice
2020-08-31 23:55:13 +05:30
}
Reconcile Generate request on policy update (#1096) * policy report crd added * added namespaced rule * remove extra field from crd * revert crd change * remove policy report chnages * remove policy report chnages * remove policy report chnages * remove policy report chnages * added logic for gr * revert changes * fixed generate rules * fixed generate rules * fixed generate rules * fixed generate rules * remove extra logs * remove extra logs * fixed e2e test * remove extra logs * crd issue resolved * added check for sync * add labels update * add label update * added permission to role * roles added to helm * roles added to helm
2020-09-04 03:04:23 +05:30
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
// Adds Generate Request to a channel(queue size 1000) to generators
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
if failedResponse := applyGenerateRequest(ws.grGenerator, userRequestInfo, request.Operation, engineResponses...); err != nil {
// report failure event
for _, failedGR := range failedResponse {
1319 fix throttling (#1348) * fix policy status and generate controller issues * shorten ACTION column name * update logs * improve naming * add temp logs for troubleshooting * cleanup logs * apply generate policy to old & new resource in webhook * cleanup log messages * cleanup log messages * cleanup log messages * fix clean up of policy report in init container Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-12-01 12:30:08 -08:00
events := failedEvents(fmt.Errorf("failed to create Generate Request: %v", failedGR.err), failedGR.gr, new)
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
ws.eventGen.Add(events...)
}
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
}
Synchronize data for generated resources (#933) * Generate request added fro update resource * synchronize flag added * documentation added for keeping resource synchronized Signed-off-by: Yuvraj <yuvraj.yad001@gmail.com>
2020-06-22 18:49:43 -07:00
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
return
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
}
update validation logic
2020-12-23 15:10:07 -08:00
func (ws *WebhookServer) deleteGR(logger logr.Logger, engineResponse *response.EngineResponse) {
filter resources excluded in config (#1404)
2020-12-16 12:29:16 -08:00
logger.V(4).Info("querying all generate requests")
selector := labels.SelectorFromSet(labels.Set(map[string]string{
"policyName": engineResponse.PolicyResponse.Policy,
"resourceName": engineResponse.PolicyResponse.Resource.Name,
"resourceKind": engineResponse.PolicyResponse.Resource.Kind,
"ResourceNamespace": engineResponse.PolicyResponse.Resource.Namespace,
}))
grList, err := ws.grLister.List(selector)
if err != nil {
logger.Error(err, "failed to get generate request for the resource", "kind", engineResponse.PolicyResponse.Resource.Kind, "name", engineResponse.PolicyResponse.Resource.Name, "namespace", engineResponse.PolicyResponse.Resource.Namespace)
}
for _, v := range grList {
err := ws.kyvernoClient.KyvernoV1().GenerateRequests(config.KyvernoNamespace).Delete(contextdefault.TODO(), v.GetName(), metav1.DeleteOptions{})
if err != nil {
logger.Error(err, "failed to update gr")
}
}
}
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
func applyGenerateRequest(gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo,
update validation logic
2020-12-23 15:10:07 -08:00
action v1beta1.Operation, engineResponses ...*response.EngineResponse) (failedGenerateRequest []generateRequestResponse) {
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
for _, er := range engineResponses {
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
gr := transform(userRequestInfo, er)
if err := gnGenerator.Apply(gr, action); err != nil {
failedGenerateRequest = append(failedGenerateRequest, generateRequestResponse{gr: gr, err: err})
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
}
}
1319 fix throttling (#1348) * fix policy status and generate controller issues * shorten ACTION column name * update logs * improve naming * add temp logs for troubleshooting * cleanup logs * apply generate policy to old & new resource in webhook * cleanup log messages * cleanup log messages * cleanup log messages * fix clean up of policy report in init container Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2020-12-01 12:30:08 -08:00
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
return
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
}
update validation logic
2020-12-23 15:10:07 -08:00
func transform(userRequestInfo kyverno.RequestInfo, er *response.EngineResponse) kyverno.GenerateRequestSpec {
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
gr := kyverno.GenerateRequestSpec{
Policy: er.PolicyResponse.Policy,
Resource: kyverno.ResourceSpec{
Kind: er.PolicyResponse.Resource.Kind,
Namespace: er.PolicyResponse.Resource.Namespace,
Name: er.PolicyResponse.Resource.Name,
},
Context: kyverno.GenerateRequestContext{
UserRequestInfo: userRequestInfo,
},
}
update validation logic
2020-12-23 15:10:07 -08:00
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs
2020-01-07 10:33:28 -08:00
return gr
}
527 decoupling sender and reciever
2020-02-29 22:39:27 +05:30
type generateStats struct {
update validation logic
2020-12-23 15:10:07 -08:00
resp *response.EngineResponse
527 decoupling sender and reciever
2020-02-29 22:39:27 +05:30
}
527 redesigned implementation so that package variables are not used across packages
2020-03-04 15:45:20 +05:30
func (gs generateStats) PolicyName() string {
return gs.resp.PolicyResponse.Policy
527 decoupling sender and reciever
2020-02-29 22:39:27 +05:30
}
527 redesigned implementation so that package variables are not used across packages
2020-03-04 15:45:20 +05:30
func (gs generateStats) UpdateStatus(status kyverno.PolicyStatus) kyverno.PolicyStatus {
527 decoupling sender and reciever
2020-02-29 22:39:27 +05:30
if reflect.DeepEqual(response.EngineResponse{}, gs.resp) {
527 redesigned implementation so that package variables are not used across packages
2020-03-04 15:45:20 +05:30
return status
527 decoupling sender and reciever
2020-02-29 22:39:27 +05:30
}
var nameToRule = make(map[string]v1.RuleStats)
for _, rule := range status.Rules {
nameToRule[rule.Name] = rule
}
for _, rule := range gs.resp.PolicyResponse.Rules {
ruleStat := nameToRule[rule.Name]
ruleStat.Name = rule.Name
averageOver := int64(ruleStat.AppliedCount + ruleStat.FailedCount)
ruleStat.ExecutionTime = updateAverageTime(
rule.ProcessingTime,
ruleStat.ExecutionTime,
averageOver).String()
if rule.Success {
status.RulesAppliedCount++
ruleStat.AppliedCount++
} else {
status.RulesFailedCount++
ruleStat.FailedCount++
}
nameToRule[rule.Name] = ruleStat
}
var policyAverageExecutionTime time.Duration
var ruleStats = make([]v1.RuleStats, 0, len(nameToRule))
for _, ruleStat := range nameToRule {
executionTime, err := time.ParseDuration(ruleStat.ExecutionTime)
if err == nil {
policyAverageExecutionTime += executionTime
}
ruleStats = append(ruleStats, ruleStat)
}
sort.Slice(ruleStats, func(i, j int) bool {
return ruleStats[i].Name < ruleStats[j].Name
})
status.AvgExecutionTime = policyAverageExecutionTime.String()
status.Rules = ruleStats
527 redesigned implementation so that package variables are not used across packages
2020-03-04 15:45:20 +05:30
return status
527 decoupling sender and reciever
2020-02-29 22:39:27 +05:30
}
func updateAverageTime(newTime time.Duration, oldAverageTimeString string, averageOver int64) time.Duration {
if averageOver == 0 {
return newTime
}
oldAverageExecutionTime, _ := time.ParseDuration(oldAverageTimeString)
numerator := (oldAverageExecutionTime.Nanoseconds() * averageOver) + newTime.Nanoseconds()
denominator := averageOver + 1
newAverageTimeInNanoSeconds := numerator / denominator
return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
}
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
type generateRequestResponse struct {
gr v1.GenerateRequestSpec
err error
}
func (resp generateRequestResponse) info() string {
return strings.Join([]string{resp.gr.Resource.Kind, resp.gr.Resource.Namespace, resp.gr.Resource.Name}, "/")
}
func (resp generateRequestResponse) error() string {
return resp.err.Error()
}
func failedEvents(err error, gr kyverno.GenerateRequestSpec, resource unstructured.Unstructured) []event.Info {
re := event.Info{}
re.Kind = resource.GetKind()
re.Namespace = resource.GetNamespace()
re.Name = resource.GetName()
re.Reason = event.PolicyFailed.String()
re.Source = event.GeneratePolicyController
re.Message = fmt.Sprintf("policy %s failed to apply: %v", gr.Policy, err)
Events fix (#1006) * remove success event * remove event success message * remove events generated on clusterpolicy
2020-07-20 08:00:02 -07:00
return []event.Info{re}
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments
2020-07-09 11:48:34 -07:00
}
Copy permalink