package utils
import (
"fmt"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
"gopkg.in/yaml.v2"
)
// getAction picks the noun used in the blocked-request message: "violation"
// when at least one rule failed (a policy violation), otherwise "error"
// (evaluation errors only). The noun is pluralised when i, the number of
// policies with non-passing rules, is greater than one.
func getAction(hasViolations bool, i int) string {
	noun := "error"
	if hasViolations {
		noun = "violation"
	}
	if i <= 1 {
		return noun
	}
	return noun + "s"
}
// BlockRequest returns true if at least one engine response blocks the
// admission request, and false if every policy is meant to report only, in
// which case the request is not blocked.
//
// The per-response decision is delegated to engineutils.BlockRequest, which
// also receives failurePolicy; presumably that setting decides whether engine
// errors block the request (fail-closed) or let it through — confirm in
// engineutils. The first blocking policy ends the scan and is logged at V(2);
// an allowed request is logged at V(4).
func BlockRequest(engineResponses []engineapi.EngineResponse, failurePolicy kyvernov1.FailurePolicyType, log logr.Logger) bool {
	for i := range engineResponses {
		if !engineutils.BlockRequest(engineResponses[i], failurePolicy) {
			continue
		}
		log.V(2).Info("blocking admission request", "policy", engineResponses[i].Policy.GetName())
		return true
	}
	log.V(4).Info("allowing admission request")
	return false
}
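// GetBlockedMessages gets the error messages for rules with error or fail status.
//
// The text is intended for the admission response sent back to the API
// client. It names the resource (kind/namespace/name, read from the first
// engine response) and lists, per policy, every rule whose status is not pass
// together with that rule's message. Rule messages are authored in the
// policies, so the content of the reply is only as trustworthy as the
// policies that produced it. Returns "" when there are no engine responses or
// no non-passing rules.
func GetBlockedMessages(engineResponses []engineapi.EngineResponse) string {
	if len(engineResponses) == 0 {
		return ""
	}
	// policy name -> (rule name -> rule message), non-passing rules only.
	// NOTE(review): keyed by policy name, so a later response for a policy
	// with the same name overwrites an earlier one.
	failures := make(map[string]map[string]string)
	hasViolations := false
	for _, er := range engineResponses {
		ruleToReason, violated := nonPassingRules(er)
		if violated {
			hasViolations = true
		}
		if len(ruleToReason) == 0 {
			continue
		}
		failures[er.Policy.GetName()] = ruleToReason
	}
	if len(failures) == 0 {
		return ""
	}
	r := engineResponses[0].Resource
	resourceName := fmt.Sprintf("%s/%s/%s", r.GetKind(), r.GetNamespace(), r.GetName())
	action := getAction(hasViolations, len(failures))
	results, err := yaml.Marshal(failures)
	if err != nil {
		// Do not hand the client an empty reason when serialization fails;
		// say what went wrong instead of silently dropping the details.
		results = []byte(fmt.Sprintf("unable to render rule messages: %v", err))
	}
	// The action ("violation(s)"/"error(s)") fills the "policy %s" slot and
	// the resource fills the "resource %s" slot, so the sentence reads
	// "policy violation for resource Kind/ns/name" rather than the other way
	// round.
	return fmt.Sprintf("\n\npolicy %s for resource %s: \n\n%s", action, resourceName, results)
}

// nonPassingRules returns rule name -> rule message for every rule in er whose
// status is not pass, and whether at least one of those rules has status fail
// (a policy violation, as opposed to an error or any other non-pass status).
func nonPassingRules(er engineapi.EngineResponse) (map[string]string, bool) {
	ruleToReason := make(map[string]string)
	violated := false
	for _, rule := range er.PolicyResponse.Rules {
		status := rule.Status()
		if status == engineapi.RuleStatusPass {
			continue
		}
		ruleToReason[rule.Name()] = rule.Message()
		if status == engineapi.RuleStatusFail {
			violated = true
		}
	}
	return ruleToReason, violated
}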