kyverno/pkg/utils/match/kind.go

package match

import (
	"strings"

	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
	"golang.org/x/text/cases"
	"golang.org/x/text/language"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

// CheckKind checks if the resource kind matches the kinds in the policy. If the policy matches on subresources, then those resources are
// present in the subresourceGVKToAPIResource map. Set allowEphemeralContainers to true to allow ephemeral containers to be matched even when the
// policy does not explicitly match on ephemeral containers and only matches on pods.
func CheckKind(subresourceGVKToAPIResource map[string]*metav1.APIResource, kinds []string, gvk schema.GroupVersionKind, subresourceInAdmnReview string, allowEphemeralContainers bool) bool {
	title := cases.Title(language.Und, cases.NoLower)
	result := false
	for _, k := range kinds {
		if k != "*" {
			gv, kind := kubeutils.GetKindFromGVK(k)
			apiResource, ok := subresourceGVKToAPIResource[k]
			if ok {
				result = apiResource.Group == gvk.Group && (apiResource.Version == gvk.Version || strings.Contains(gv, "*")) && apiResource.Kind == gvk.Kind
			} else { // if the kind is not found in the subresourceGVKToAPIResource, then it is not a subresource
				result = title.String(kind) == gvk.Kind &&
					(subresourceInAdmnReview == "" ||
						(allowEphemeralContainers && subresourceInAdmnReview == "ephemeralcontainers"))
				if gv != "" {
					result = result && kubeutils.GroupVersionMatches(gv, gvk.GroupVersion().String())
				}
			}
		} else {
			result = true
		}
		if result {
			break
		}
	}
	return result
}
refactor: match utils package (#5961) * refactor: match utils package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-10 21:16:59 +01:00			`package match`

			`import (`
			`"strings"`

			`kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"`
			`"golang.org/x/text/cases"`
			`"golang.org/x/text/language"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/runtime/schema"`
			`)`

			`// CheckKind checks if the resource kind matches the kinds in the policy. If the policy matches on subresources, then those resources are`
			`// present in the subresourceGVKToAPIResource map. Set allowEphemeralContainers to true to allow ephemeral containers to be matched even when the`
			`// policy does not explicitly match on ephemeral containers and only matches on pods.`
			`func CheckKind(subresourceGVKToAPIResource map[string]*metav1.APIResource, kinds []string, gvk schema.GroupVersionKind, subresourceInAdmnReview string, allowEphemeralContainers bool) bool {`
			`title := cases.Title(language.Und, cases.NoLower)`
			`result := false`
			`for _, k := range kinds {`
			`if k != "*" {`
			`gv, kind := kubeutils.GetKindFromGVK(k)`
			`apiResource, ok := subresourceGVKToAPIResource[k]`
			`if ok {`
			`result = apiResource.Group == gvk.Group && (apiResource.Version == gvk.Version \|\| strings.Contains(gv, "*")) && apiResource.Kind == gvk.Kind`
			`} else { // if the kind is not found in the subresourceGVKToAPIResource, then it is not a subresource`
			`result = title.String(kind) == gvk.Kind &&`
			`(subresourceInAdmnReview == "" \|\|`
			`(allowEphemeralContainers && subresourceInAdmnReview == "ephemeralcontainers"))`
			`if gv != "" {`
			`result = result && kubeutils.GroupVersionMatches(gv, gvk.GroupVersion().String())`
			`}`
			`}`
			`} else {`
			`result = true`
			`}`
			`if result {`
			`break`
			`}`
			`}`
			`return result`
			`}`