mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00

refactor: simplify cli processor (#8352)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-09-12 14:07:12 +02:00 committed by GitHub
parent 9b0e6b6e9e
commit 045e955a6e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 93 deletions


@ -15,7 +15,6 @@ import (
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
sanitizederror "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/sanitizedError"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/variables"
"github.com/kyverno/kyverno/pkg/autogen"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/engine"
@ -99,7 +98,6 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse,
return responses, err
}
mutateResponse := eng.Mutate(context.Background(), policyContext)
combineRuleResponses(mutateResponse)
err = p.processMutateEngineResponse(mutateResponse, resPath)
if err != nil {
if !sanitizederror.IsErrorSanitized(err) {
@ -117,11 +115,8 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse,
}
// TODO annotation
verifyImageResponse, _ := eng.VerifyAndPatchImages(context.TODO(), policyContext)
if !verifyImageResponse.IsEmpty() {
verifyImageResponse = combineRuleResponses(verifyImageResponse)
responses = append(responses, verifyImageResponse)
resource = verifyImageResponse.PatchedResource
}
responses = append(responses, verifyImageResponse)
resource = verifyImageResponse.PatchedResource
}
// validate
for _, policy := range p.Policies {
@ -130,26 +125,16 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse,
return responses, err
}
validateResponse := eng.Validate(context.TODO(), policyContext)
if !validateResponse.IsEmpty() {
validateResponse = combineRuleResponses(validateResponse)
responses = append(responses, validateResponse)
resource = validateResponse.PatchedResource
}
responses = append(responses, validateResponse)
resource = validateResponse.PatchedResource
}
// generate
for _, policy := range p.Policies {
var policyHasGenerate bool
for _, rule := range autogen.ComputeRules(policy) {
if rule.HasGenerate() {
policyHasGenerate = true
}
}
if policyHasGenerate {
if policyHasGenerate(policy) {
policyContext, err := p.makePolicyContext(jp, cfg, resource, policy, namespaceLabels, gvk, subresource)
if err != nil {
return responses, err
}
generateResponse := eng.ApplyBackgroundChecks(context.TODO(), policyContext)
if !generateResponse.IsEmpty() {
newRuleResponse, err := handleGeneratePolicy(&generateResponse, *policyContext, p.RuleToCloneSourceResource)
@ -158,7 +143,6 @@ func (p *PolicyProcessor) ApplyPoliciesOnResource() ([]engineapi.EngineResponse,
} else {
generateResponse.PolicyResponse.Rules = newRuleResponse
}
combineRuleResponses(generateResponse)
responses = append(responses, generateResponse)
}
p.Rc.addGenerateResponse(p.AuditWarn, resPath, generateResponse)
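Review bot: The verify-images and validate loops now run `resource = verifyImageResponse.PatchedResource` and `resource = validateResponse.PatchedResource` unconditionally, where the removed lines did so only under `!….IsEmpty()`. If the engine can return an empty response whose `PatchedResource` is unset (not visible from these hunks), every later policy in the loop is evaluated against a blank resource, and the CLI can report a pass for a manifest it never actually checked. The generate branch still keeps `if !generateResponse.IsEmpty() {`, so the three paths are now inconsistent; I would either keep the guard around the two statements in both loops or add a comment stating that the engine always populates `PatchedResource`. Dropping `combineRuleResponses` also means rule responses that share a name and type are no longer merged before `responses` is returned, which is an output change worth stating in the description of a commit titled as a refactor. `ApplyPoliciesOnResource` starts and ends outside these hunks.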


@ -1,79 +1,14 @@
package processor
import (
"strings"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
)
func combineRuleResponses(imageResponse engineapi.EngineResponse) engineapi.EngineResponse {
if imageResponse.PolicyResponse.RulesAppliedCount() == 0 {
return imageResponse
func policyHasGenerate(policy kyvernov1.PolicyInterface) bool {
for _, rule := range policy.GetSpec().Rules {
if rule.HasGenerate() {
return true
}
}
completeRuleResponses := imageResponse.PolicyResponse.Rules
var combineRuleResponses []engineapi.RuleResponse
ruleNameType := make(map[string][]engineapi.RuleResponse)
for _, rsp := range completeRuleResponses {
key := rsp.Name() + ";" + string(rsp.RuleType())
ruleNameType[key] = append(ruleNameType[key], rsp)
}
for key, ruleResponses := range ruleNameType {
tokens := strings.Split(key, ";")
ruleName := tokens[0]
ruleType := tokens[1]
var failRuleResponses []engineapi.RuleResponse
var errorRuleResponses []engineapi.RuleResponse
var passRuleResponses []engineapi.RuleResponse
var skipRuleResponses []engineapi.RuleResponse
ruleMesssage := ""
for _, rsp := range ruleResponses {
if rsp.Status() == engineapi.RuleStatusFail {
failRuleResponses = append(failRuleResponses, rsp)
} else if rsp.Status() == engineapi.RuleStatusError {
errorRuleResponses = append(errorRuleResponses, rsp)
} else if rsp.Status() == engineapi.RuleStatusPass {
passRuleResponses = append(passRuleResponses, rsp)
} else if rsp.Status() == engineapi.RuleStatusSkip {
skipRuleResponses = append(skipRuleResponses, rsp)
}
}
if len(errorRuleResponses) > 0 {
for _, errRsp := range errorRuleResponses {
ruleMesssage += errRsp.Message() + ";"
}
errorResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusError)
combineRuleResponses = append(combineRuleResponses, *errorResponse)
continue
}
if len(failRuleResponses) > 0 {
for _, failRsp := range failRuleResponses {
ruleMesssage += failRsp.Message() + ";"
}
failResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusFail)
combineRuleResponses = append(combineRuleResponses, *failResponse)
continue
}
if len(passRuleResponses) > 0 {
for _, passRsp := range passRuleResponses {
ruleMesssage += passRsp.Message() + ";"
}
passResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusPass)
combineRuleResponses = append(combineRuleResponses, *passResponse)
continue
}
for _, skipRsp := range skipRuleResponses {
ruleMesssage += skipRsp.Message() + ";"
}
skipResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusSkip)
combineRuleResponses = append(combineRuleResponses, *skipResponse)
}
imageResponse.PolicyResponse.Rules = combineRuleResponses
return imageResponse
return false
}
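Review bot: `policyHasGenerate` walks `policy.GetSpec().Rules`, whereas the inline loop it replaces in the processor iterated `autogen.ComputeRules(policy)`, so the set of rules inspected differs and nothing in the file says this is intended. A doc comment would make the contract explicit, for example `// policyHasGenerate reports whether any rule declared in the policy spec is a generate rule; autogen-derived rules are not considered.` The result of `GetSpec()` is also dereferenced without a nil check; whether it can be nil for a `kyvernov1.PolicyInterface` is not visible here, so that is worth confirming or noting in the same comment.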