kyverno/pkg/webhooks/resource/validation/utils.go

package validation

import (
	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
	reportutils "github.com/kyverno/kyverno/pkg/utils/report"
	"github.com/kyverno/kyverno/pkg/webhooks/handlers"
	admissionv1 "k8s.io/api/admission/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

func needsReports(request handlers.AdmissionRequest, resource unstructured.Unstructured, admissionReport bool, reportConfig reportutils.ReportingConfiguration) bool {
	createReport := admissionReport
	if admissionutils.IsDryRun(request.AdmissionRequest) {
		createReport = false
	}
	if !reportConfig.ValidateReportsEnabled() {
		createReport = false
	}
	// we don't need reports for deletions
	if request.Operation == admissionv1.Delete {
		createReport = false
	}
	// check if the resource supports reporting
	if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind)) {
		createReport = false
	}
	// if the underlying resource has no UID don't create a report
	if resource.GetUID() == "" {
		createReport = false
	}
	return createReport
}
feat(audit): use a worker pool for Audit policies (#10048) * enhancement: split validation logic for enforce and audit policies to return admission response earlier Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add missing file Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: linter issues Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: get latest policy object before updating status Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: remove debug code Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: compare before updates Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: initial reconcile Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: updates Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat(audit): use a worker pool for Audit policies Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix: unit test Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix(attempt): spin up go routine Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: add flags maxAuditWorkers, maxAuditCapacity Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: enable debug log on failure Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: wait group panic Signed-off-by: ShutingZhao <shuting@nirmata.com> * load-tests: add stess tests configurations Signed-off-by: ShutingZhao <shuting@nirmata.com> * load-tests: disable admissionreports Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: build policy contexts syncronously Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only run generate and mutate existing go routines when policies are present Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: mutate and verify tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: return early if no audit policy Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: run handlegenerate and mutate existing in all cases Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only test bgapplies in generate test Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: defer wait in tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * enhancement: process validate enforce in a go routine Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2024-04-17 09:46:18 +02:00			`package validation`

			`import (`
			`admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"`
			`reportutils "github.com/kyverno/kyverno/pkg/utils/report"`
			`"github.com/kyverno/kyverno/pkg/webhooks/handlers"`
			`admissionv1 "k8s.io/api/admission/v1"`
			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
			`"k8s.io/apimachinery/pkg/runtime/schema"`
			`)`

feat: add helm configuration for reporting in different rules (#11376) * feat: add helm configuration for reporting in different rules (forgot signoff) Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter and tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: rename reporting.imageVerification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2024-10-11 15:12:29 +05:30			`func needsReports(request handlers.AdmissionRequest, resource unstructured.Unstructured, admissionReport bool, reportConfig reportutils.ReportingConfiguration) bool {`
feat(audit): use a worker pool for Audit policies (#10048) * enhancement: split validation logic for enforce and audit policies to return admission response earlier Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add missing file Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: linter issues Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: get latest policy object before updating status Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: remove debug code Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: compare before updates Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: initial reconcile Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: updates Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat(audit): use a worker pool for Audit policies Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix: unit test Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix(attempt): spin up go routine Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: add flags maxAuditWorkers, maxAuditCapacity Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: enable debug log on failure Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: wait group panic Signed-off-by: ShutingZhao <shuting@nirmata.com> * load-tests: add stess tests configurations Signed-off-by: ShutingZhao <shuting@nirmata.com> * load-tests: disable admissionreports Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: build policy contexts syncronously Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only run generate and mutate existing go routines when policies are present Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: mutate and verify tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: return early if no audit policy Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: run handlegenerate and mutate existing in all cases Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only test bgapplies in generate test Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: defer wait in tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * enhancement: process validate enforce in a go routine Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2024-04-17 09:46:18 +02:00			`createReport := admissionReport`
			`if admissionutils.IsDryRun(request.AdmissionRequest) {`
			`createReport = false`
			`}`
feat: add helm configuration for reporting in different rules (#11376) * feat: add helm configuration for reporting in different rules (forgot signoff) Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter and tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: rename reporting.imageVerification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2024-10-11 15:12:29 +05:30			`if !reportConfig.ValidateReportsEnabled() {`
			`createReport = false`
			`}`
feat(audit): use a worker pool for Audit policies (#10048) * enhancement: split validation logic for enforce and audit policies to return admission response earlier Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add missing file Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: linter issues Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: get latest policy object before updating status Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: remove debug code Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: compare before updates Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: initial reconcile Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: updates Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat(audit): use a worker pool for Audit policies Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix: unit test Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix(attempt): spin up go routine Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: add flags maxAuditWorkers, maxAuditCapacity Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: enable debug log on failure Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: wait group panic Signed-off-by: ShutingZhao <shuting@nirmata.com> * load-tests: add stess tests configurations Signed-off-by: ShutingZhao <shuting@nirmata.com> * load-tests: disable admissionreports Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: build policy contexts syncronously Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only run generate and mutate existing go routines when policies are present Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: mutate and verify tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: return early if no audit policy Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: run handlegenerate and mutate existing in all cases Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only test bgapplies in generate test Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: defer wait in tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * enhancement: process validate enforce in a go routine Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2024-04-17 09:46:18 +02:00			`// we don't need reports for deletions`
			`if request.Operation == admissionv1.Delete {`
			`createReport = false`
			`}`
			`// check if the resource supports reporting`
			`if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind)) {`
			`createReport = false`
			`}`
			`// if the underlying resource has no UID don't create a report`
			`if resource.GetUID() == "" {`
			`createReport = false`
			`}`
			`return createReport`
			`}`