kyverno/pkg/webhooks/utils/policy_context_builder.go

package utils

import (
	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
	"github.com/kyverno/kyverno/pkg/clients/dclient"
	"github.com/kyverno/kyverno/pkg/config"
	"github.com/kyverno/kyverno/pkg/engine"
	"github.com/kyverno/kyverno/pkg/engine/context/resolvers"
	"github.com/kyverno/kyverno/pkg/userinfo"
	"github.com/pkg/errors"
	admissionv1 "k8s.io/api/admission/v1"
	rbacv1listers "k8s.io/client-go/listers/rbac/v1"
)

type PolicyContextBuilder interface {
	Build(*admissionv1.AdmissionRequest) (*engine.PolicyContext, error)
}

type policyContextBuilder struct {
	configuration          config.Configuration
	client                 dclient.Interface
	rbLister               rbacv1listers.RoleBindingLister
	crbLister              rbacv1listers.ClusterRoleBindingLister
	informerCacheResolvers resolvers.ConfigmapResolver
	peLister               kyvernov2alpha1listers.PolicyExceptionLister
}

func NewPolicyContextBuilder(
	configuration config.Configuration,
	client dclient.Interface,
	rbLister rbacv1listers.RoleBindingLister,
	crbLister rbacv1listers.ClusterRoleBindingLister,
	informerCacheResolvers resolvers.ConfigmapResolver,
	peLister kyvernov2alpha1listers.PolicyExceptionLister,
) PolicyContextBuilder {
	return &policyContextBuilder{
		configuration:          configuration,
		client:                 client,
		rbLister:               rbLister,
		crbLister:              crbLister,
		informerCacheResolvers: informerCacheResolvers,
		peLister:               peLister,
	}
}

func (b *policyContextBuilder) Build(request *admissionv1.AdmissionRequest) (*engine.PolicyContext, error) {
	userRequestInfo := kyvernov1beta1.RequestInfo{
		AdmissionUserInfo: *request.UserInfo.DeepCopy(),
	}
	if roles, clusterRoles, err := userinfo.GetRoleRef(b.rbLister, b.crbLister, request, b.configuration); err != nil {
		return nil, errors.Wrap(err, "failed to fetch RBAC information for request")
	} else {
		userRequestInfo.Roles = roles
		userRequestInfo.ClusterRoles = clusterRoles
	}
	return engine.NewPolicyContextFromAdmissionRequest(request, userRequestInfo, b.configuration, b.client, b.informerCacheResolvers, b.peLister)
}
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`package utils`

			`import (`
			`kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"`
feat: Implement PolicyException (#5680) * feat: Handle Exception Signed-off-by: Eileen Yu <eileenylj@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-16 04:13:14 -05:00			`kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`"github.com/kyverno/kyverno/pkg/clients/dclient"`
			`"github.com/kyverno/kyverno/pkg/config"`
			`"github.com/kyverno/kyverno/pkg/engine"`
issue-4613: Add support for cache enhancements with informers (#5484) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io> 2022-12-02 19:29:51 +05:30			`"github.com/kyverno/kyverno/pkg/engine/context/resolvers"`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`"github.com/kyverno/kyverno/pkg/userinfo"`
			`"github.com/pkg/errors"`
			`admissionv1 "k8s.io/api/admission/v1"`
			`rbacv1listers "k8s.io/client-go/listers/rbac/v1"`
			`)`

			`type PolicyContextBuilder interface {`
refactor: make policy context immutable and fields private (#5523) * refactor: make policy context immutable and fields private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: make policy context immutable and fields private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2022-12-02 09:14:23 +01:00			`Build(admissionv1.AdmissionRequest) (engine.PolicyContext, error)`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`}`

			`type policyContextBuilder struct {`
issue-4613: Add support for cache enhancements with informers (#5484) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io> 2022-12-02 19:29:51 +05:30			`configuration config.Configuration`
			`client dclient.Interface`
			`rbLister rbacv1listers.RoleBindingLister`
			`crbLister rbacv1listers.ClusterRoleBindingLister`
			`informerCacheResolvers resolvers.ConfigmapResolver`
feat: Implement PolicyException (#5680) * feat: Handle Exception Signed-off-by: Eileen Yu <eileenylj@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-16 04:13:14 -05:00			`peLister kyvernov2alpha1listers.PolicyExceptionLister`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`}`

			`func NewPolicyContextBuilder(`
			`configuration config.Configuration,`
			`client dclient.Interface,`
			`rbLister rbacv1listers.RoleBindingLister,`
			`crbLister rbacv1listers.ClusterRoleBindingLister,`
issue-4613: Add support for cache enhancements with informers (#5484) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io> 2022-12-02 19:29:51 +05:30			`informerCacheResolvers resolvers.ConfigmapResolver,`
feat: Implement PolicyException (#5680) * feat: Handle Exception Signed-off-by: Eileen Yu <eileenylj@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-16 04:13:14 -05:00			`peLister kyvernov2alpha1listers.PolicyExceptionLister,`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`) PolicyContextBuilder {`
			`return &policyContextBuilder{`
issue-4613: Add support for cache enhancements with informers (#5484) Signed-off-by: Pratik Shah <pratik@infracloud.io> Signed-off-by: Pratik Shah <pratik@infracloud.io> 2022-12-02 19:29:51 +05:30			`configuration: configuration,`
			`client: client,`
			`rbLister: rbLister,`
			`crbLister: crbLister,`
			`informerCacheResolvers: informerCacheResolvers,`
feat: Implement PolicyException (#5680) * feat: Handle Exception Signed-off-by: Eileen Yu <eileenylj@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-16 04:13:14 -05:00			`peLister: peLister,`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`}`
			`}`

refactor: make policy context immutable and fields private (#5523) * refactor: make policy context immutable and fields private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: make policy context immutable and fields private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2022-12-02 09:14:23 +01:00			`func (b policyContextBuilder) Build(request admissionv1.AdmissionRequest) (*engine.PolicyContext, error) {`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`userRequestInfo := kyvernov1beta1.RequestInfo{`
			`AdmissionUserInfo: *request.UserInfo.DeepCopy(),`
			`}`
fix: go routines not gracefully shut down in controllers (#5022) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> 2022-10-19 10:54:48 +02:00			`if roles, clusterRoles, err := userinfo.GetRoleRef(b.rbLister, b.crbLister, request, b.configuration); err != nil {`
remove RBACInfo check (#5015) 2022-10-17 20:17:06 +05:30			`return nil, errors.Wrap(err, "failed to fetch RBAC information for request")`
fix: go routines not gracefully shut down in controllers (#5022) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> 2022-10-19 10:54:48 +02:00			`} else {`
			`userRequestInfo.Roles = roles`
			`userRequestInfo.ClusterRoles = clusterRoles`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`}`
feat: Implement PolicyException (#5680) * feat: Handle Exception Signed-off-by: Eileen Yu <eileenylj@gmail.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-16 04:13:14 -05:00			`return engine.NewPolicyContextFromAdmissionRequest(request, userRequestInfo, b.configuration, b.client, b.informerCacheResolvers, b.peLister)`
refactor: webhook policy context creation (#4480) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-09-01 16:52:36 +02:00			`}`