refactor: switch to admission v1 (#3526)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
parent
c8275b7c00
commit
06c2b2bb79
21 changed files with 108 additions and 109 deletions
|
@ -1,7 +1,7 @@
|
|||
package v1
|
||||
|
||||
import (
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
authenticationv1 "k8s.io/api/authentication/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
@ -55,7 +55,7 @@ type AdmissionRequestInfoObject struct {
|
|||
// +optional
|
||||
AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
|
||||
// +optional
|
||||
Operation v1beta1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
|
||||
Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
|
||||
}
|
||||
|
||||
// RequestInfo contains permission info carried in an admission request.
|
||||
|
|
|
@ -110,8 +110,8 @@ string
|
|||
<td>
|
||||
<code>operation</code></br>
|
||||
<em>
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#operation-v1beta1-admission">
|
||||
Kubernetes admission/v1beta1.Operation
|
||||
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#operation-v1-admission">
|
||||
Kubernetes admission/v1.Operation
|
||||
</a>
|
||||
</em>
|
||||
</td>
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
jsonpatch "github.com/evanphx/json-patch/v5"
|
||||
"github.com/go-logr/logr"
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"sigs.k8s.io/controller-runtime/pkg/log"
|
||||
)
|
||||
|
@ -19,7 +19,7 @@ import (
|
|||
type Interface interface {
|
||||
|
||||
// AddRequest marshals and adds the admission request to the context
|
||||
AddRequest(request *v1beta1.AdmissionRequest) error
|
||||
AddRequest(request *admissionv1.AdmissionRequest) error
|
||||
|
||||
// AddJSON merges the json with context
|
||||
AddJSON(dataRaw []byte) error
|
||||
|
@ -97,7 +97,7 @@ func (ctx *Context) AddJSONObject(jsonData interface{}) error {
|
|||
}
|
||||
|
||||
// AddRequest adds an admission request to context
|
||||
func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error {
|
||||
func (ctx *Context) AddRequest(request *admissionv1.AdmissionRequest) error {
|
||||
modifiedResource := struct {
|
||||
Request interface{} `json:"request"`
|
||||
}{
|
||||
|
|
|
@ -4,7 +4,7 @@ import (
|
|||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func TestHasChanged(t *testing.T) {
|
||||
|
@ -27,7 +27,7 @@ func TestHasChanged(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestRequestNotInitialize(t *testing.T) {
|
||||
request := &v1beta1.AdmissionRequest{}
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
ctx := NewContext()
|
||||
ctx.AddRequest(request)
|
||||
|
||||
|
@ -36,7 +36,7 @@ func TestRequestNotInitialize(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestMissingOldObject(t *testing.T) {
|
||||
request := &v1beta1.AdmissionRequest{}
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
ctx := NewContext()
|
||||
ctx.AddRequest(request)
|
||||
request.Object.Raw = []byte(`{"a": {"b": 1, "c": 2}, "d": 3}`)
|
||||
|
@ -46,7 +46,7 @@ func TestMissingOldObject(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestMissingObject(t *testing.T) {
|
||||
request := &v1beta1.AdmissionRequest{}
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
ctx := NewContext()
|
||||
ctx.AddRequest(request)
|
||||
request.OldObject.Raw = []byte(`{"a": {"b": 1, "c": 2}, "d": 3}`)
|
||||
|
@ -56,7 +56,7 @@ func TestMissingObject(t *testing.T) {
|
|||
}
|
||||
|
||||
func createTestContext(obj, oldObj string) *Context {
|
||||
request := &v1beta1.AdmissionRequest{}
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
request.Operation = "UPDATE"
|
||||
request.Object.Raw = []byte(obj)
|
||||
request.OldObject.Raw = []byte(oldObj)
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/kyverno/store"
|
||||
utils2 "github.com/kyverno/kyverno/pkg/utils"
|
||||
"gotest.tools/assert"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) {
|
||||
|
@ -2104,7 +2104,7 @@ func executeTest(t *testing.T, err error, test testCase) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
|
||||
var request *v1beta1.AdmissionRequest
|
||||
var request *admissionv1.AdmissionRequest
|
||||
err = json.Unmarshal(test.request, &request)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
|
|
|
@ -23,7 +23,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -146,13 +146,13 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
|
|||
}
|
||||
|
||||
requestString := gr.Spec.Context.AdmissionRequestInfo.AdmissionRequest
|
||||
var request v1beta1.AdmissionRequest
|
||||
var request admissionv1.AdmissionRequest
|
||||
err = json.Unmarshal([]byte(requestString), &request)
|
||||
if err != nil {
|
||||
logger.Error(err, "error parsing the request string")
|
||||
}
|
||||
|
||||
if gr.Spec.Context.AdmissionRequestInfo.Operation == v1beta1.Update {
|
||||
if gr.Spec.Context.AdmissionRequestInfo.Operation == admissionv1.Update {
|
||||
request.Operation = gr.Spec.Context.AdmissionRequestInfo.Operation
|
||||
}
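Review bot: In the `applyGenerate` hunk, a failed `json.Unmarshal` of `requestString` into the new `admissionv1.AdmissionRequest` is only logged, so the code carries on with a zero-value request whose `Object`, `UserInfo` and `Operation` are empty. The string comes from a stored GenerateRequest, presumably including ones written before this change, so a parse failure should stop processing and be returned to the caller rather than feed an empty request into the engine context. If an empty `AdmissionRequest` string is a legitimate value, guard with `if requestString != ""` and treat any other parse failure as an error. The function's signature and the rest of its body are outside the hunk, so the exact return statement has to be chosen there.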
|
||||
|
||||
|
|
|
@ -4,11 +4,8 @@ import (
|
|||
"reflect"
|
||||
"time"
|
||||
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||
|
@ -16,12 +13,14 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
dclient "github.com/kyverno/kyverno/pkg/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/client-go/dynamic/dynamicinformer"
|
||||
"k8s.io/client-go/informers"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/util/workqueue"
|
||||
)
|
||||
|
@ -237,7 +236,7 @@ func (c *Controller) updateGenericResource(old, cur interface{}) {
|
|||
|
||||
// re-evaluate the GR as the resource was updated
|
||||
for _, gr := range grs {
|
||||
gr.Spec.Context.AdmissionRequestInfo.Operation = v1beta1.Update
|
||||
gr.Spec.Context.AdmissionRequestInfo.Operation = admissionv1.Update
|
||||
c.enqueueGenerateRequest(gr)
|
||||
}
|
||||
}
|
||||
|
@ -294,7 +293,7 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
|
|||
|
||||
// re-evaluate the GR as the policy was updated
|
||||
for _, gr := range grs {
|
||||
gr.Spec.Context.AdmissionRequestInfo.Operation = v1beta1.Update
|
||||
gr.Spec.Context.AdmissionRequestInfo.Operation = admissionv1.Update
|
||||
c.enqueueGenerateRequest(gr)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
"github.com/pkg/errors"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
|
@ -78,7 +78,7 @@ func validateJSONPatchPathForForwardSlash(patch string) error {
|
|||
}
|
||||
|
||||
// Validate checks the policy and rules declarations for required configurations
|
||||
func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool, openAPIController *openapi.Controller) (*v1beta1.AdmissionResponse, error) {
|
||||
func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool, openAPIController *openapi.Controller) (*admissionv1.AdmissionResponse, error) {
|
||||
namespaced := policy.IsNamespaced()
|
||||
spec := policy.GetSpec()
|
||||
background := spec.BackgroundProcessingEnabled()
|
||||
|
@ -122,7 +122,7 @@ func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool,
|
|||
|
||||
if jsonPatchOnPod(rule) {
|
||||
log.Log.V(1).Info("Pods managed by workload controllers cannot be mutated using policies. Use the autogen feature or write policies that match Pod controllers.")
|
||||
return &v1beta1.AdmissionResponse{
|
||||
return &admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
Warnings: []string{"Pods managed by workload controllers cannot be mutated using policies. Use the autogen feature or write policies that match Pod controllers."},
|
||||
}, nil
|
||||
|
@ -237,7 +237,7 @@ func Validate(policy kyverno.PolicyInterface, client *dclient.Client, mock bool,
|
|||
podOnlyMap["Pod"] = true
|
||||
if reflect.DeepEqual(common.GetKindsFromRule(rule), podOnlyMap) && podControllerAutoGenExclusion(policy) {
|
||||
log.Log.V(4).Info("Pod controllers excluded from autogen require adding of preconditions to also exclude the desired controller(s).")
|
||||
return &v1beta1.AdmissionResponse{
|
||||
return &admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
Warnings: []string{"Pod controllers excluded from autogen require adding of preconditions to also exclude the desired controller(s)."},
|
||||
}, nil
|
||||
|
|
|
@ -6,7 +6,7 @@ import (
|
|||
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
authenticationv1 "k8s.io/api/authentication/v1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
labels "k8s.io/apimachinery/pkg/labels"
|
||||
|
@ -31,7 +31,7 @@ type allRolesStruct struct {
|
|||
var allRoles []allRolesStruct
|
||||
|
||||
//GetRoleRef gets the list of roles and cluster roles for the incoming api-request
|
||||
func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest, dynamicConfig config.Interface) (roles []string, clusterRoles []string, err error) {
|
||||
func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *admissionv1.AdmissionRequest, dynamicConfig config.Interface) (roles []string, clusterRoles []string, err error) {
|
||||
keys := append(request.UserInfo.Groups, request.UserInfo.Username)
|
||||
if utils.SliceContains(keys, dynamicConfig.GetExcludeGroupRole()...) {
|
||||
return
|
||||
|
@ -139,7 +139,7 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
|
|||
}
|
||||
|
||||
//IsRoleAuthorize is role authorize or not
|
||||
func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *v1beta1.AdmissionRequest, dynamicConfig config.Interface) (bool, error) {
|
||||
func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *admissionv1.AdmissionRequest, dynamicConfig config.Interface) (bool, error) {
|
||||
if strings.Contains(request.UserInfo.Username, SaPrefix) {
|
||||
roles, clusterRoles, err := GetRoleRef(rbLister, crbLister, request, dynamicConfig)
|
||||
if err != nil {
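Review bot: `IsRoleAuthorize` classifies the caller with `strings.Contains(request.UserInfo.Username, SaPrefix)`, which matches the prefix anywhere in the username rather than at its start. Assuming `SaPrefix` (defined outside this hunk) is the service-account username prefix, `strings.HasPrefix(request.UserInfo.Username, SaPrefix)` states the intended check and avoids treating other identities as service accounts. In `GetRoleRef`, `keys := append(request.UserInfo.Groups, request.UserInfo.Username)` can write into the backing array of the request's `Groups` slice when it has spare capacity; `keys := append(append([]string{}, request.UserInfo.Groups...), request.UserInfo.Username)` keeps the admission request untouched. Both function bodies continue outside the hunks shown.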
|
||||
|
|
|
@ -5,7 +5,7 @@ import (
|
|||
"fmt"
|
||||
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
|
@ -26,30 +26,30 @@ func UnmarshalPolicy(kind string, raw []byte) (kyverno.PolicyInterface, error) {
|
|||
return nil, fmt.Errorf("admission request does not contain a policy")
|
||||
}
|
||||
|
||||
func GetPolicy(request *v1beta1.AdmissionRequest) (kyverno.PolicyInterface, error) {
|
||||
func GetPolicy(request *admissionv1.AdmissionRequest) (kyverno.PolicyInterface, error) {
|
||||
return UnmarshalPolicy(request.Kind.Kind, request.Object.Raw)
|
||||
}
|
||||
|
||||
func GetPolicies(request *v1beta1.AdmissionRequest) (kyverno.PolicyInterface, kyverno.PolicyInterface, error) {
|
||||
func GetPolicies(request *admissionv1.AdmissionRequest) (kyverno.PolicyInterface, kyverno.PolicyInterface, error) {
|
||||
policy, err := UnmarshalPolicy(request.Kind.Kind, request.Object.Raw)
|
||||
if err != nil {
|
||||
return policy, nil, err
|
||||
}
|
||||
if request.Operation == v1beta1.Update {
|
||||
if request.Operation == admissionv1.Update {
|
||||
oldPolicy, err := UnmarshalPolicy(request.Kind.Kind, request.OldObject.Raw)
|
||||
return policy, oldPolicy, err
|
||||
}
|
||||
return policy, nil, nil
|
||||
}
|
||||
|
||||
func Response(allowed bool) *v1beta1.AdmissionResponse {
|
||||
r := &v1beta1.AdmissionResponse{
|
||||
func Response(allowed bool) *admissionv1.AdmissionResponse {
|
||||
r := &admissionv1.AdmissionResponse{
|
||||
Allowed: allowed,
|
||||
}
|
||||
return r
|
||||
}
|
||||
|
||||
func ResponseWithMessage(allowed bool, msg string) *v1beta1.AdmissionResponse {
|
||||
func ResponseWithMessage(allowed bool, msg string) *admissionv1.AdmissionResponse {
|
||||
r := Response(allowed)
|
||||
r.Result = &metav1.Status{
|
||||
Message: msg,
|
||||
|
@ -57,13 +57,13 @@ func ResponseWithMessage(allowed bool, msg string) *v1beta1.AdmissionResponse {
|
|||
return r
|
||||
}
|
||||
|
||||
func ResponseWithMessageAndPatch(allowed bool, msg string, patch []byte) *v1beta1.AdmissionResponse {
|
||||
func ResponseWithMessageAndPatch(allowed bool, msg string, patch []byte) *admissionv1.AdmissionResponse {
|
||||
r := ResponseWithMessage(allowed, msg)
|
||||
r.Patch = patch
|
||||
return r
|
||||
}
|
||||
|
||||
func ResponseStatus(allowed bool, status, msg string) *v1beta1.AdmissionResponse {
|
||||
func ResponseStatus(allowed bool, status, msg string) *admissionv1.AdmissionResponse {
|
||||
r := Response(allowed)
|
||||
r.Result = &metav1.Status{
|
||||
Status: status,
|
||||
|
@ -72,15 +72,15 @@ func ResponseStatus(allowed bool, status, msg string) *v1beta1.AdmissionResponse
|
|||
return r
|
||||
}
|
||||
|
||||
func ResponseFailure(allowed bool, msg string) *v1beta1.AdmissionResponse {
|
||||
func ResponseFailure(allowed bool, msg string) *admissionv1.AdmissionResponse {
|
||||
return ResponseStatus(allowed, metav1.StatusFailure, msg)
|
||||
}
|
||||
|
||||
func ResponseSuccess(allowed bool, msg string) *v1beta1.AdmissionResponse {
|
||||
func ResponseSuccess(allowed bool, msg string) *admissionv1.AdmissionResponse {
|
||||
return ResponseStatus(allowed, metav1.StatusSuccess, msg)
|
||||
}
|
||||
|
||||
func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *v1beta1.AdmissionResponse {
|
||||
func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *admissionv1.AdmissionResponse {
|
||||
r := ResponseSuccess(allowed, msg)
|
||||
if len(patch) > 0 {
|
||||
r.Patch = patch
|
||||
|
@ -88,7 +88,7 @@ func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *v1beta1.A
|
|||
return r
|
||||
}
|
||||
|
||||
func GetResourceName(request *v1beta1.AdmissionRequest) string {
|
||||
func GetResourceName(request *admissionv1.AdmissionRequest) string {
|
||||
resourceName := request.Kind.Kind + "/" + request.Name
|
||||
if request.Namespace != "" {
|
||||
resourceName = request.Namespace + "/" + resourceName
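Review bot: `ResponseWithMessageAndPatch` sets `r.Patch` but never `r.PatchType`, and the visible part of `ResponseSuccessWithPatch` does not set it either. As far as I know the API server defaults the patch type for `admission.k8s.io/v1beta1` reviews but rejects a v1 response that carries a patch without `patchType`, so mutations could start failing once the webhook answers with v1 reviews, unless the handler (not shown here) fills it in. Setting it next to the patch keeps the helpers self-contained: `pt := admissionv1.PatchTypeJSONPatch` followed by `r.PatchType = &pt`. The exported helpers in this file (`GetPolicy`, `GetPolicies`, `Response` and the `Response*` variants) also lack doc comments, for example `// GetPolicies returns the policy in the request and, for UPDATE operations, the previous policy as well.`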
|
||||
|
|
|
@ -14,7 +14,7 @@ import (
|
|||
wildcard "github.com/kyverno/go-wildcard"
|
||||
client "github.com/kyverno/kyverno/pkg/dclient"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -137,7 +137,7 @@ func isCRDInstalled(discoveryClient client.IDiscovery, kind string) bool {
|
|||
}
|
||||
|
||||
// ExtractResources extracts the new and old resource as unstructured
|
||||
func ExtractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
|
||||
func ExtractResources(newRaw []byte, request *admissionv1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
|
||||
var emptyResource unstructured.Unstructured
|
||||
var newResource unstructured.Unstructured
|
||||
var oldResource unstructured.Unstructured
|
||||
|
|
|
@ -13,7 +13,7 @@ import (
|
|||
engineutils2 "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
"github.com/pkg/errors"
|
||||
yamlv2 "gopkg.in/yaml.v2"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
// returns true -> if there is even one policy that blocks resource request
|
||||
|
@ -70,7 +70,7 @@ func getErrorMsg(engineReponses []*response.EngineResponse) string {
|
|||
}
|
||||
|
||||
// patchRequest applies patches to the request.Object and returns a new copy of the request
|
||||
func patchRequest(patches []byte, request *v1beta1.AdmissionRequest, logger logr.Logger) *v1beta1.AdmissionRequest {
|
||||
func patchRequest(patches []byte, request *admissionv1.AdmissionRequest, logger logr.Logger) *admissionv1.AdmissionRequest {
|
||||
patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
|
||||
newRequest := request.DeepCopy()
|
||||
newRequest.Object.Raw = patchedResource
|
||||
|
@ -157,7 +157,7 @@ func excludeKyvernoResources(kind string) bool {
|
|||
}
|
||||
}
|
||||
|
||||
func newVariablesContext(request *v1beta1.AdmissionRequest, userRequestInfo *kyverno.RequestInfo) (*enginectx.Context, error) {
|
||||
func newVariablesContext(request *admissionv1.AdmissionRequest, userRequestInfo *kyverno.RequestInfo) (*enginectx.Context, error) {
|
||||
ctx := enginectx.NewContext()
|
||||
if err := ctx.AddRequest(request); err != nil {
|
||||
return nil, errors.Wrap(err, "failed to load incoming request in context")
|
||||
|
|
|
@ -12,7 +12,7 @@ import (
|
|||
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
||||
kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
|
@ -21,13 +21,13 @@ import (
|
|||
|
||||
// GenerateRequests provides interface to manage generate requests
|
||||
type GenerateRequests interface {
|
||||
Apply(gr kyverno.GenerateRequestSpec, action v1beta1.Operation) error
|
||||
Apply(gr kyverno.GenerateRequestSpec, action admissionv1.Operation) error
|
||||
}
|
||||
|
||||
// GeneratorChannel ...
|
||||
type GeneratorChannel struct {
|
||||
spec kyverno.GenerateRequestSpec
|
||||
action v1beta1.Operation
|
||||
action admissionv1.Operation
|
||||
}
|
||||
|
||||
// Generator defines the implementation to mange generate request resource
|
||||
|
@ -54,7 +54,7 @@ func NewGenerator(client *kyvernoclient.Clientset, grInformer kyvernoinformer.Ge
|
|||
}
|
||||
|
||||
// Apply creates generate request resource (blocking call if channel is full)
|
||||
func (g *Generator) Apply(gr kyverno.GenerateRequestSpec, action v1beta1.Operation) error {
|
||||
func (g *Generator) Apply(gr kyverno.GenerateRequestSpec, action admissionv1.Operation) error {
|
||||
logger := g.log
|
||||
logger.V(4).Info("creating Generate Request", "request", gr)
|
||||
|
||||
|
@ -91,7 +91,7 @@ func (g *Generator) processApply(m GeneratorChannel) {
|
|||
}
|
||||
}
|
||||
|
||||
func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec, action v1beta1.Operation) error {
|
||||
func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec, action admissionv1.Operation) error {
|
||||
// create/update a generate request
|
||||
|
||||
if err := retryApplyResource(g.client, grSpec, g.log, action, g.grLister); err != nil {
|
||||
|
@ -104,7 +104,7 @@ func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec, action v1beta1.
|
|||
// use worker pattern to read and create the CR resource
|
||||
|
||||
func retryApplyResource(client *kyvernoclient.Clientset, grSpec kyverno.GenerateRequestSpec,
|
||||
log logr.Logger, action v1beta1.Operation, grLister kyvernolister.GenerateRequestNamespaceLister) error {
|
||||
log logr.Logger, action admissionv1.Operation, grLister kyvernolister.GenerateRequestNamespaceLister) error {
|
||||
|
||||
var i int
|
||||
var err error
|
||||
|
@ -122,7 +122,7 @@ func retryApplyResource(client *kyvernoclient.Clientset, grSpec kyverno.Generate
|
|||
// Initial state "Pending"
|
||||
// generate requests created in kyverno namespace
|
||||
isExist := false
|
||||
if action == v1beta1.Create || action == v1beta1.Update {
|
||||
if action == admissionv1.Create || action == admissionv1.Update {
|
||||
log.V(4).Info("querying all generate requests")
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
"generate.kyverno.io/policy-name": policyName,
|
||||
|
|
|
@ -25,13 +25,13 @@ import (
|
|||
gen "github.com/kyverno/kyverno/pkg/generate"
|
||||
kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/generate"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
)
|
||||
|
||||
func (ws *WebhookServer) applyGeneratePolicies(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) {
|
||||
func (ws *WebhookServer) applyGeneratePolicies(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) {
|
||||
admissionReviewCompletionLatencyChannel := make(chan int64, 1)
|
||||
generateEngineResponsesSenderForAdmissionReviewDurationMetric := make(chan []*response.EngineResponse, 1)
|
||||
generateEngineResponsesSenderForAdmissionRequestsCountMetric := make(chan []*response.EngineResponse, 1)
|
||||
|
@ -43,7 +43,7 @@ func (ws *WebhookServer) applyGeneratePolicies(request *v1beta1.AdmissionRequest
|
|||
|
||||
//handleGenerate handles admission-requests for policies with generate rules
|
||||
func (ws *WebhookServer) handleGenerate(
|
||||
request *v1beta1.AdmissionRequest,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyverno.PolicyInterface,
|
||||
ctx *context.Context,
|
||||
userRequestInfo kyverno.RequestInfo,
|
||||
|
@ -58,7 +58,7 @@ func (ws *WebhookServer) handleGenerate(
|
|||
logger.V(6).Info("generate request")
|
||||
|
||||
var engineResponses []*response.EngineResponse
|
||||
if (request.Operation == v1beta1.Create || request.Operation == v1beta1.Update) && len(policies) != 0 {
|
||||
if (request.Operation == admissionv1.Create || request.Operation == admissionv1.Update) && len(policies) != 0 {
|
||||
// convert RAW to unstructured
|
||||
new, old, err := kyvernoutils.ExtractResources(nil, request)
|
||||
if err != nil {
|
||||
|
@ -113,7 +113,7 @@ func (ws *WebhookServer) handleGenerate(
|
|||
}
|
||||
}
|
||||
|
||||
if request.Operation == v1beta1.Update {
|
||||
if request.Operation == admissionv1.Update {
|
||||
ws.handleUpdatesForGenerateRules(request, policies)
|
||||
}
|
||||
|
||||
|
@ -125,8 +125,8 @@ func (ws *WebhookServer) handleGenerate(
|
|||
}
|
||||
|
||||
//handleUpdatesForGenerateRules handles admission-requests for update
|
||||
func (ws *WebhookServer) handleUpdatesForGenerateRules(request *v1beta1.AdmissionRequest, policies []kyverno.PolicyInterface) {
|
||||
if request.Operation != v1beta1.Update {
|
||||
func (ws *WebhookServer) handleUpdatesForGenerateRules(request *admissionv1.AdmissionRequest, policies []kyverno.PolicyInterface) {
|
||||
if request.Operation != admissionv1.Update {
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -141,7 +141,7 @@ func (ws *WebhookServer) handleUpdatesForGenerateRules(request *v1beta1.Admissio
|
|||
ws.handleUpdateGenerateSourceResource(resLabels, logger)
|
||||
}
|
||||
|
||||
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && resLabels["policy.kyverno.io/synchronize"] == "enable" && request.Operation == v1beta1.Update {
|
||||
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && resLabels["policy.kyverno.io/synchronize"] == "enable" && request.Operation == admissionv1.Update {
|
||||
ws.handleUpdateGenerateTargetResource(request, policies, resLabels, logger)
|
||||
}
|
||||
}
|
||||
|
@ -197,7 +197,7 @@ func (ws *WebhookServer) updateAnnotationInGR(gr *kyverno.GenerateRequest, logge
|
|||
}
|
||||
|
||||
//handleUpdateGenerateTargetResource - handles update of target resource for generate policy
|
||||
func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *v1beta1.AdmissionRequest, policies []kyverno.PolicyInterface, resLabels map[string]string, logger logr.Logger) {
|
||||
func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *admissionv1.AdmissionRequest, policies []kyverno.PolicyInterface, resLabels map[string]string, logger logr.Logger) {
|
||||
enqueueBool := false
|
||||
newRes, err := enginutils.ConvertToUnstructured(request.Object.Raw)
|
||||
if err != nil {
|
||||
|
@ -260,7 +260,7 @@ func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *v1beta1.Adm
|
|||
|
||||
func getGeneratedByResource(newRes *unstructured.Unstructured, resLabels map[string]string, client *client.Client, rule kyverno.Rule, logger logr.Logger) (kyverno.Rule, error) {
|
||||
var apiVersion, kind, name, namespace string
|
||||
sourceRequest := &v1beta1.AdmissionRequest{}
|
||||
sourceRequest := &admissionv1.AdmissionRequest{}
|
||||
kind = resLabels["kyverno.io/generated-by-kind"]
|
||||
name = resLabels["kyverno.io/generated-by-name"]
|
||||
if kind != "Namespace" {
|
||||
|
@ -355,7 +355,7 @@ func stripNonPolicyFields(obj, newRes map[string]interface{}, logger logr.Logger
|
|||
}
|
||||
|
||||
//HandleDelete handles admission-requests for delete
|
||||
func (ws *WebhookServer) handleDelete(request *v1beta1.AdmissionRequest) {
|
||||
func (ws *WebhookServer) handleDelete(request *admissionv1.AdmissionRequest) {
|
||||
logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation, "gvk", request.Kind.String())
|
||||
resource, err := enginutils.ConvertToUnstructured(request.OldObject.Raw)
|
||||
if err != nil {
|
||||
|
@ -363,7 +363,7 @@ func (ws *WebhookServer) handleDelete(request *v1beta1.AdmissionRequest) {
|
|||
}
|
||||
|
||||
resLabels := resource.GetLabels()
|
||||
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && request.Operation == v1beta1.Delete {
|
||||
if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && request.Operation == admissionv1.Delete {
|
||||
grName := resLabels["policy.kyverno.io/gr-name"]
|
||||
gr, err := ws.grLister.Get(grName)
|
||||
if err != nil {
|
||||
|
@ -397,8 +397,8 @@ func (ws *WebhookServer) deleteGR(logger logr.Logger, engineResponse *response.E
|
|||
}
|
||||
}
|
||||
|
||||
func applyGenerateRequest(request *v1beta1.AdmissionRequest, gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo,
|
||||
action v1beta1.Operation, engineResponses ...*response.EngineResponse) (failedGenerateRequest []generateRequestResponse) {
|
||||
func applyGenerateRequest(request *admissionv1.AdmissionRequest, gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo,
|
||||
action admissionv1.Operation, engineResponses ...*response.EngineResponse) (failedGenerateRequest []generateRequestResponse) {
|
||||
|
||||
requestBytes, err := json.Marshal(request)
|
||||
if err != nil {
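Review bot: `handleDelete` takes `grName` from the `policy.kyverno.io/gr-name` label of the object being deleted and passes it straight to `ws.grLister.Get`, and the `app.kubernetes.io/managed-by` / `policy.kyverno.io/synchronize` checks in `handleUpdatesForGenerateRules` are likewise driven by labels on the incoming resource. Labels can be written by anyone allowed to edit the resource, so they do not prove that Kyverno generated it. Before acting on the looked-up GenerateRequest I would confirm that it actually refers to this resource (kind, namespace, name) and return early when `grName` is empty. What happens to `gr` after the lookup is outside the hunk, so this may already be handled there; a short comment on the label checks stating the trust assumption would still help the next reader.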
|
||||
|
|
|
@ -19,7 +19,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
// TODO: use admission review sub resource ?
|
||||
|
@ -36,12 +36,12 @@ func isStatusUpdate(old, new kyverno.PolicyInterface) bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func errorResponse(logger logr.Logger, err error, message string) *v1beta1.AdmissionResponse {
|
||||
func errorResponse(logger logr.Logger, err error, message string) *admissionv1.AdmissionResponse {
|
||||
logger.Error(err, message)
|
||||
return admissionutils.ResponseFailure(false, message+": "+err.Error())
|
||||
}
|
||||
|
||||
func setupLogger(logger logr.Logger, name string, request *v1beta1.AdmissionRequest) logr.Logger {
|
||||
func setupLogger(logger logr.Logger, name string, request *admissionv1.AdmissionRequest) logr.Logger {
|
||||
return logger.WithName("MutateWebhook").WithValues(
|
||||
"uid", request.UID,
|
||||
"kind", request.Kind,
|
||||
|
@ -59,7 +59,7 @@ func (ws *WebhookServer) admissionHandler(filter bool, inner handlers.AdmissionH
|
|||
return handlers.Monitor(ws.webhookMonitor, handlers.Admission(ws.log, inner))
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
func (ws *WebhookServer) policyMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "policy mutation", request)
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(request)
|
||||
if err != nil {
|
||||
|
@ -81,7 +81,7 @@ func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1be
|
|||
}
|
||||
|
||||
//policyValidation performs the validation check on policy resource
|
||||
func (ws *WebhookServer) policyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
func (ws *WebhookServer) policyValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "policy validation", request)
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(request)
|
||||
if err != nil {
|
||||
|
@ -107,12 +107,12 @@ func (ws *WebhookServer) policyValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
}
|
||||
|
||||
// resourceMutation mutates resource
|
||||
func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "resource mutation", request)
|
||||
if excludeKyvernoResources(request.Kind.Kind) {
|
||||
return admissionutils.ResponseSuccess(true, "")
|
||||
}
|
||||
if request.Operation == v1beta1.Delete {
|
||||
if request.Operation == admissionv1.Delete {
|
||||
resource, err := utils.ConvertResource(request.OldObject.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
|
||||
if err == nil {
|
||||
ws.prGenerator.Add(buildDeletionPrInfo(resource))
|
||||
|
@ -150,9 +150,9 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
|
|||
return admissionutils.ResponseSuccessWithPatch(true, "", patches)
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger := setupLogger(ws.log, "resource validation", request)
|
||||
if request.Operation == v1beta1.Delete {
|
||||
if request.Operation == admissionv1.Delete {
|
||||
ws.handleDelete(request)
|
||||
}
|
||||
if excludeKyvernoResources(request.Kind.Kind) {
|
||||
|
@ -166,7 +166,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
|
|||
nsPolicies := ws.pCache.GetPolicies(policycache.ValidateEnforce, request.Kind.Kind, request.Namespace)
|
||||
policies = append(policies, nsPolicies...)
|
||||
generatePolicies := ws.pCache.GetPolicies(policycache.Generate, request.Kind.Kind, request.Namespace)
|
||||
if len(generatePolicies) == 0 && request.Operation == v1beta1.Update {
|
||||
if len(generatePolicies) == 0 && request.Operation == admissionv1.Update {
|
||||
// handle generate source resource updates
|
||||
go ws.handleUpdatesForGenerateRules(request, []kyverno.PolicyInterface{})
|
||||
}
|
||||
|
|
|
@ -11,10 +11,10 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
"github.com/kyverno/kyverno/pkg/webhookconfig"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
type AdmissionHandler func(*v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse
|
||||
type AdmissionHandler func(*admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
|
||||
|
||||
func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
||||
return func(writer http.ResponseWriter, request *http.Request) {
|
||||
|
@ -37,7 +37,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
|||
http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
|
||||
return
|
||||
}
|
||||
admissionReview := &v1beta1.AdmissionReview{}
|
||||
admissionReview := &admissionv1.AdmissionReview{}
|
||||
if err := json.Unmarshal(body, &admissionReview); err != nil {
|
||||
logger.Error(err, "failed to decode request body to type 'AdmissionReview")
|
||||
http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
|
||||
|
@ -50,7 +50,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
|||
"operation", admissionReview.Request.Operation,
|
||||
"uid", admissionReview.Request.UID,
|
||||
)
|
||||
admissionReview.Response = &v1beta1.AdmissionResponse{
|
||||
admissionReview.Response = &admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
UID: admissionReview.Request.UID,
|
||||
}
|
||||
|
@ -72,7 +72,7 @@ func Admission(logger logr.Logger, inner AdmissionHandler) http.HandlerFunc {
|
|||
}
|
||||
|
||||
func Filter(c config.Interface, inner AdmissionHandler) AdmissionHandler {
|
||||
return func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
return func(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
if c.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
|
||||
return nil
|
||||
}
|
||||
|
@ -81,7 +81,7 @@ func Filter(c config.Interface, inner AdmissionHandler) AdmissionHandler {
|
|||
}
|
||||
|
||||
func Verify(m *webhookconfig.Monitor, logger logr.Logger) AdmissionHandler {
|
||||
return func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
return func(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
||||
logger = logger.WithName("verifyHandler").WithValues(
|
||||
"action", "verify",
|
||||
"kind", request.Kind,
|
||||
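Review bot: In `Verify`, the returned closure assigns to the captured `logger` parameter (`logger = logger.WithName("verifyHandler").WithValues(`), so each request wraps the logger left behind by the previous one, and concurrent requests write the same variable without synchronisation. The logger's name and key/value list therefore keep growing for the life of the process, which on an admission endpoint means avoidable memory growth plus a data race. Declaring a request-local value instead, `logger := logger.WithName("verifyHandler").WithValues(`, keeps the handler stateless. The closure body continues outside the hunk, so later uses of `logger` there should be checked against the local name.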
|
|
|
@ -14,12 +14,12 @@ import (
|
|||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"github.com/pkg/errors"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
func (ws *WebhookServer) applyMutatePolicies(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) []byte {
|
||||
func (ws *WebhookServer) applyMutatePolicies(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyverno.PolicyInterface, ts int64, logger logr.Logger) []byte {
|
||||
var mutateEngineResponses []*response.EngineResponse
|
||||
|
||||
mutatePatches, mutateEngineResponses := ws.handleMutation(request, policyContext, policies)
|
||||
|
@ -35,7 +35,7 @@ func (ws *WebhookServer) applyMutatePolicies(request *v1beta1.AdmissionRequest,
|
|||
// handleMutation handles mutating webhook admission request
|
||||
// return value: generated patches, triggered policies, engine responses correspdonding to the triggered policies
|
||||
func (ws *WebhookServer) handleMutation(
|
||||
request *v1beta1.AdmissionRequest,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policyContext *engine.PolicyContext,
|
||||
policies []kyverno.PolicyInterface) ([]byte, []*response.EngineResponse) {
|
||||
|
||||
|
@ -64,7 +64,7 @@ func (ws *WebhookServer) handleMutation(
|
|||
deletionTimeStamp = oldR.GetDeletionTimestamp()
|
||||
}
|
||||
|
||||
if deletionTimeStamp != nil && request.Operation == v1beta1.Update {
|
||||
if deletionTimeStamp != nil && request.Operation == admissionv1.Update {
|
||||
return nil, nil
|
||||
}
|
||||
var patches [][]byte
|
||||
|
@ -115,7 +115,7 @@ func (ws *WebhookServer) handleMutation(
|
|||
// all policies were applied successfully.
|
||||
// create an event on the resource
|
||||
// ADD EVENTS
|
||||
events := generateEvents(engineResponses, false, request.Operation == v1beta1.Update, logger)
|
||||
events := generateEvents(engineResponses, false, request.Operation == admissionv1.Update, logger)
|
||||
ws.eventGen.Add(events...)
|
||||
|
||||
// debug info
|
||||
|
@ -134,7 +134,7 @@ func (ws *WebhookServer) handleMutation(
|
|||
return jsonutils.JoinPatches(patches...), engineResponses
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) applyMutation(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, logger logr.Logger) (*response.EngineResponse, [][]byte, error) {
|
||||
func (ws *WebhookServer) applyMutation(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, logger logr.Logger) (*response.EngineResponse, [][]byte, error) {
|
||||
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
||||
policyContext.NamespaceLabels = common.GetNamespaceSelectorsFromNamespaceLister(
|
||||
request.Kind.Kind, request.Namespace, ws.nsLister, logger)
|
||||
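Review bot: The `deletionTimeStamp != nil && request.Operation == admissionv1.Update` branch in `handleMutation` returns `nil, nil` without evaluating any policy, and nothing in the hunk says why. The same guard appears in `handleValidation`, where it returns `true, ""`, so an update to an object that is already terminating is admitted both unmutated and unvalidated. If the intent is to let finalizer removal proceed (an assumption; the reason is not visible here), record it in a comment such as `// resource is terminating: skip policies so finalizer updates are not blocked`, and consider logging the skip so it shows up when admission decisions are reviewed. Both function bodies start and end outside their hunks.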
|
|
|
@ -29,7 +29,7 @@ import (
|
|||
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/generate"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
"github.com/pkg/errors"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
informers "k8s.io/client-go/informers/core/v1"
|
||||
rbacinformer "k8s.io/client-go/informers/rbac/v1"
|
||||
listerv1 "k8s.io/client-go/listers/core/v1"
|
||||
|
@ -204,7 +204,7 @@ func NewWebhookServer(
|
|||
return ws, nil
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, addRoles bool) (*engine.PolicyContext, error) {
|
||||
func (ws *WebhookServer) buildPolicyContext(request *admissionv1.AdmissionRequest, addRoles bool) (*engine.PolicyContext, error) {
|
||||
userRequestInfo := v1.RequestInfo{
|
||||
AdmissionUserInfo: *request.UserInfo.DeepCopy(),
|
||||
}
|
||||
|
@ -232,7 +232,7 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
|
|||
return nil, errors.Wrap(err, "failed to add image information to the policy rule context")
|
||||
}
|
||||
|
||||
if request.Kind.Kind == "Secret" && request.Operation == v1beta1.Update {
|
||||
if request.Kind.Kind == "Secret" && request.Operation == admissionv1.Update {
|
||||
resource, err = utils.NormalizeSecret(&resource)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to convert secret to unstructured format")
|
||||
|
@ -248,7 +248,7 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
|
|||
Client: ws.client,
|
||||
}
|
||||
|
||||
if request.Operation == v1beta1.Update {
|
||||
if request.Operation == admissionv1.Update {
|
||||
policyContext.OldResource = resource
|
||||
}
|
||||
|
||||
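Review bot: On `admissionv1.Update`, `buildPolicyContext` sets `policyContext.OldResource = resource`, the same variable that is passed through `utils.NormalizeSecret` a few lines earlier. `resource` is assigned outside the hunk, so this needs confirming, but if it was decoded from `request.Object` then the old and new resources are identical. Anything that relies on the previous state, including the `policyContext.OldResource.GetDeletionTimestamp()` guard in `handleValidation`, would then see the incoming object instead. The old state should be decoded from `request.OldObject.Raw`; at minimum add a comment, for example `// TODO: OldResource should be built from request.OldObject, not the new object`.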
|
|
|
@ -20,7 +20,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/policycache"
|
||||
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||
"github.com/kyverno/kyverno/pkg/userinfo"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
informers "k8s.io/client-go/informers/core/v1"
|
||||
|
@ -41,7 +41,7 @@ const (
|
|||
// the request is processed in background, with the exact same logic
|
||||
// when process the admission request in the webhook
|
||||
type AuditHandler interface {
|
||||
Add(request *v1beta1.AdmissionRequest)
|
||||
Add(request *admissionv1.AdmissionRequest)
|
||||
Run(workers int, stopCh <-chan struct{})
|
||||
}
|
||||
|
||||
|
@ -94,7 +94,7 @@ func NewValidateAuditHandler(pCache policycache.Interface,
|
|||
}
|
||||
}
|
||||
|
||||
func (h *auditHandler) Add(request *v1beta1.AdmissionRequest) {
|
||||
func (h *auditHandler) Add(request *admissionv1.AdmissionRequest) {
|
||||
h.log.V(4).Info("admission request added", "uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
|
||||
h.queue.Add(request)
|
||||
}
|
||||
|
@ -131,7 +131,7 @@ func (h *auditHandler) processNextWorkItem() bool {
|
|||
|
||||
defer h.queue.Done(obj)
|
||||
|
||||
request, ok := obj.(*v1beta1.AdmissionRequest)
|
||||
request, ok := obj.(*admissionv1.AdmissionRequest)
|
||||
if !ok {
|
||||
h.queue.Forget(obj)
|
||||
h.log.Info("incorrect type: expecting type 'AdmissionRequest'", "object", obj)
|
||||
|
@ -144,7 +144,7 @@ func (h *auditHandler) processNextWorkItem() bool {
|
|||
return true
|
||||
}
|
||||
|
||||
func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
|
||||
func (h *auditHandler) process(request *admissionv1.AdmissionRequest) error {
|
||||
var roles, clusterRoles []string
|
||||
var err error
|
||||
// time at which the corresponding the admission request's processing got initiated
|
||||
|
@ -205,7 +205,7 @@ func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func (h *auditHandler) handleErr(err error, key interface{}, request *v1beta1.AdmissionRequest) {
|
||||
func (h *auditHandler) handleErr(err error, key interface{}, request *admissionv1.AdmissionRequest) {
|
||||
logger := h.log.WithName("handleErr")
|
||||
if err == nil {
|
||||
h.queue.Forget(key)
|
||||
|
|
|
@ -12,7 +12,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
@ -28,7 +28,7 @@ type validationHandler struct {
|
|||
// patchedResource is the (resource + patches) after applying mutation rules
|
||||
func (v *validationHandler) handleValidation(
|
||||
promConfig *metrics.PromConfig,
|
||||
request *v1beta1.AdmissionRequest,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []v1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
namespaceLabels map[string]string,
|
||||
|
@ -48,7 +48,7 @@ func (v *validationHandler) handleValidation(
|
|||
deletionTimeStamp = policyContext.OldResource.GetDeletionTimestamp()
|
||||
}
|
||||
|
||||
if deletionTimeStamp != nil && request.Operation == v1beta1.Update {
|
||||
if deletionTimeStamp != nil && request.Operation == admissionv1.Update {
|
||||
return true, ""
|
||||
}
|
||||
|
||||
|
@ -94,7 +94,7 @@ func (v *validationHandler) handleValidation(
|
|||
// Scenario 3:
|
||||
// all policies were applied successfully.
|
||||
// create an event on the resource
|
||||
events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update), logger)
|
||||
events := generateEvents(engineResponses, blocked, (request.Operation == admissionv1.Update), logger)
|
||||
v.eventGen.Add(events...)
|
||||
|
||||
if blocked {
|
||||
|
@ -109,7 +109,7 @@ func (v *validationHandler) handleValidation(
|
|||
|
||||
// reports are generated for non-managed pods/jobs only
|
||||
// no need to create rcr for managed resources
|
||||
if request.Operation == v1beta1.Delete {
|
||||
if request.Operation == admissionv1.Delete {
|
||||
managed := true
|
||||
for _, er := range engineResponses {
|
||||
if er.Policy != nil && !engine.ManagedPodResource(er.Policy, er.PatchedResource) {
|
||||
|
|
|
@ -10,10 +10,10 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func (ws *WebhookServer) applyImageVerifyPolicies(request *v1beta1.AdmissionRequest, policyContext *engine.PolicyContext, policies []v1.PolicyInterface, logger logr.Logger) ([]byte, error) {
|
||||
func (ws *WebhookServer) applyImageVerifyPolicies(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []v1.PolicyInterface, logger logr.Logger) ([]byte, error) {
|
||||
ok, message, imagePatches := ws.handleVerifyImages(request, policyContext, policies)
|
||||
if !ok {
|
||||
return nil, errors.New(message)
|
||||
|
@ -23,7 +23,7 @@ func (ws *WebhookServer) applyImageVerifyPolicies(request *v1beta1.AdmissionRequ
|
|||
return imagePatches, nil
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) handleVerifyImages(request *v1beta1.AdmissionRequest,
|
||||
func (ws *WebhookServer) handleVerifyImages(request *admissionv1.AdmissionRequest,
|
||||
policyContext *engine.PolicyContext,
|
||||
policies []v1.PolicyInterface) (bool, string, []byte) {
|
||||
|
||||
|
|