mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-04-08 10:04:25 +00:00
Code Activity

Add error handling and log for image extractor errors (#3724)

Browse source 
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
This commit is contained in:
Jim Bugwadia 2022-05-01 16:44:51 -07:00 committed by GitHub
parent ef71102b22
commit 0771ffd474
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 61 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
charts/kyverno/templates/crds.yaml
View file

@ -547,7 +547,7 @@ spec:
description: Name is the entry the image will be available under 'images.<name>' in the context. If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must by a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
type: string
value:
description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined.
@ -2075,7 +2075,7 @@ spec:
description: Name is the entry the image will be available under 'images.<name>' in the context. If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must by a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
type: string
value:
description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined.
@ -4318,7 +4318,7 @@ spec:
description: Name is the entry the image will be available under 'images.<name>' in the context. If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must by a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
type: string
value:
description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined.
@ -5846,7 +5846,7 @@ spec:
description: Name is the entry the image will be available under 'images.<name>' in the context. If this field is not defined, image entries will appear under 'images.custom'.
type: string
path:
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must by a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
description: Path is the path to the object containing the image field in a custom resource. It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. Wildcard keys are expanded in case of arrays or objects.
type: string
value:
description: Value is an optional name of the field within 'path' that points to the image URI. This is useful when a custom 'key' is also defined.

4
config/crds/kyverno.io_clusterpolicies.yaml
View file

@ -853,7 +853,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -3316,7 +3316,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string

4
config/crds/kyverno.io_policies.yaml
View file

@ -854,7 +854,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -3318,7 +3318,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string

8
config/install.yaml
View file

@ -870,7 +870,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -3333,7 +3333,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -6690,7 +6690,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -9154,7 +9154,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string

8
config/install_debug.yaml
View file

@ -859,7 +859,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -3322,7 +3322,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -6655,7 +6655,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string
@ -9119,7 +9119,7 @@ spec:
path:
description: Path is the path to the object containing
the image field in a custom resource. It should be
slash-separated. Each slash-separated key must by
slash-separated. Each slash-separated key must be
a valid YAML key or a wildcard '*'. Wildcard keys
are expanded in case of arrays or objects.
type: string

11
pkg/engine/context/context.go
View file

@ -244,6 +244,9 @@ func (ctx *context) AddImageInfo(info kubeutils.ImageInfo) error {
}
func (ctx *context) AddImageInfos(resource *unstructured.Unstructured) error {
log.Log.Info("extracting image info", "obj", resource.UnstructuredContent())
images, err := kubeutils.ExtractImagesFromResource(*resource, nil)
if err != nil {
return err
@ -252,17 +255,23 @@ func (ctx *context) AddImageInfos(resource *unstructured.Unstructured) error {
return nil
}
ctx.images = images
log.Log.Info("updated image info", "images", images)
return addToContext(ctx, images, "images")
}
func (ctx *context) GenerateCustomImageInfo(resource *unstructured.Unstructured, imageExtractorConfigs kubeutils.ImageExtractorConfigs) (map[string]map[string]kubeutils.ImageInfo, error) {
images, err := kubeutils.ExtractImagesFromResource(*resource, imageExtractorConfigs)
if err != nil {
return nil, err
return nil, errors.Wrapf(err, "failed to extract images")
}
if len(images) == 0 {
logger.Info("no images found", "extractor", imageExtractorConfigs)
return nil, nil
}
return images, addToContext(ctx, images, "images")
}

16
pkg/utils/kube/image.go
View file

@ -19,7 +19,7 @@ type ImageExtractorConfigs map[string][]ImageExtractorConfig
type ImageExtractorConfig struct {
// Path is the path to the object containing the image field in a custom resource.
// It should be slash-separated. Each slash-separated key must by a valid YAML key or a wildcard '*'.
// It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
// Wildcard keys are expanded in case of arrays or objects.
Path string `json:"path" yaml:"path"`
// Value is an optional name of the field within 'path' that points to the image URI.
@ -89,10 +89,12 @@ func extract(obj interface{}, path []string, keyPath, valuePath string, fields [
}
return nil
}
output, ok := obj.(map[string]interface{})
if !ok {
return fmt.Errorf("invalid image config")
}
if len(fields) == 0 {
pointer := fmt.Sprintf("/%s/%s", strings.Join(path, "/"), valuePath)
key := pointer
@ -113,6 +115,7 @@ func extract(obj interface{}, path []string, keyPath, valuePath string, fields [
}
return nil
}
currentPath := fields[0]
return extract(output[currentPath], append(path, currentPath), keyPath, valuePath, fields[1:], imageInfos)
}
@ -168,12 +171,19 @@ func lookupImageExtractor(kind string, configs ImageExtractorConfigs) []imageExt
func ExtractImagesFromResource(resource unstructured.Unstructured, configs ImageExtractorConfigs) (map[string]map[string]ImageInfo, error) {
infos := map[string]map[string]ImageInfo{}
for _, extractor := range lookupImageExtractor(resource.GetKind(), configs) {
extractors := lookupImageExtractor(resource.GetKind(), configs)
if extractors != nil && len(extractors) == 0 {
return nil, fmt.Errorf("no extractors found for %s", resource.GetKind())
}
for _, extractor := range extractors {
if infoMap, err := extractor.ExtractFromResource(resource.Object); err != nil {
return nil, err
} else if infoMap != nil && len(infoMap) > 0 {
} else if len(infoMap) > 0 {
infos[extractor.Name] = infoMap
}
}
return infos, nil
}

22
pkg/utils/kube/image_test.go
View file

@ -192,12 +192,34 @@ func Test_extractImageInfo(t *testing.T) {
},
},
},
{
extractionConfig: ImageExtractorConfigs{
"ClusterTask": []ImageExtractorConfig{
{Name: "steps", Path: "/spec/steps/*", Value: "image", Key: "name"},
},
},
raw: []byte(`{"apiVersion":"tekton.dev/v1beta1","kind":"ClusterTask","metadata":{"name":"hello","resourceVersion":"5752181","uid":"395010b6-fe0e-4364-a7b4-6abb86974d54"},"spec":{"steps":[{"image":"alpine","name":"echo","resources":{},"script":"#!/bin/sh\necho \"Hello World\"\n"}]}}`),
images: map[string]map[string]ImageInfo{
"steps": {
"echo": {
imageutils.ImageInfo{
Registry: "docker.io",
Name: "alpine",
Path: "alpine",
Tag: "latest",
},
"/spec/steps/0/image",
},
},
},
},
}
for _, test := range tests {
resource, err := utils.ConvertToUnstructured(test.raw)
assert.NilError(t, err)
images, err := ExtractImagesFromResource(*resource, test.extractionConfig)
assert.NilError(t, err)
assert.DeepEqual(t, test.images, images)
}
}