From 0c8e8c1212b65f4ae31d38b8768618b66c7884a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 18 Mar 2022 16:18:32 +0100
Subject: [PATCH] feat: move GetRules() at the policy level (#3420)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
Co-authored-by: shuting
---
api/kyverno/v1/clusterpolicy_types.go | 5 +++++
api/kyverno/v1/policy_types.go | 5 +++++
api/kyverno/v1/rule_test.go | 4 ++--
api/kyverno/v1/spec_types.go | 1 +
pkg/autogen/autogen.go | 4 ++--
pkg/autogen/autogen_test.go | 14 ++++++-------
pkg/compatibility/add_labels.go | 2 +-
pkg/engine/forceMutate.go | 2 +-
pkg/engine/generation.go | 2 +-
pkg/engine/imageVerify.go | 2 +-
.../mutate/patch/strategicMergePatch_test.go | 2 +-
pkg/engine/mutation.go | 2 +-
pkg/engine/utils_test.go | 2 +-
pkg/engine/validation.go | 2 +-
pkg/generate/cleanup/controller.go | 2 +-
pkg/generate/generate.go | 2 +-
pkg/generate/generate_controller.go | 2 +-
pkg/kyverno/common/common.go | 18 ++++++++---------
pkg/kyverno/common/fetch.go | 4 ++--
pkg/kyverno/test/test_command.go | 2 +-
pkg/metrics/policyruleinfo/policyRuleInfo.go | 8 ++++----
pkg/openapi/validation.go | 2 +-
pkg/policy/background.go | 2 +-
pkg/policy/existing.go | 2 +-
pkg/policy/policy_controller.go | 10 +++++-----
pkg/policy/validate.go | 4 ++--
pkg/policycache/cache.go | 4 ++--
pkg/policycache/cache_test.go | 20 +++++++++----------
pkg/policymutation/policymutation.go | 2 +-
pkg/utils/json.go | 2 +-
pkg/webhookconfig/configmanager.go | 6 +++---
pkg/webhooks/common.go | 2 +-
pkg/webhooks/generation.go | 2 +-
33 files changed, 78 insertions(+), 67 deletions(-)
diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go
index 5e14dbe1dc..bf39d676f4 100644
--- a/api/kyverno/v1/clusterpolicy_types.go
+++ b/api/kyverno/v1/clusterpolicy_types.go
@@ -30,6 +30,11 @@ type ClusterPolicy struct { Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"` } +// GetRules returns the policy rules +func (p *ClusterPolicy) GetRules() []Rule { + return p.Spec.GetRules() +} + // HasAutoGenAnnotation checks if a policy has auto-gen annotation func (p *ClusterPolicy) HasAutoGenAnnotation() bool { annotations := p.GetAnnotations() diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go index e5a4e9c904..b8c5c814b0 100755 --- a/api/kyverno/v1/policy_types.go +++ b/api/kyverno/v1/policy_types.go @@ -31,6 +31,11 @@ type Policy struct { Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"` } +// GetRules returns the policy rules +func (p *Policy) GetRules() []Rule { + return p.Spec.GetRules() +} + // HasAutoGenAnnotation checks if a policy has auto-gen annotation func (p *Policy) HasAutoGenAnnotation() bool { annotations := p.GetAnnotations() diff --git a/api/kyverno/v1/rule_test.go b/api/kyverno/v1/rule_test.go index 691101aaff..920815eb40 100644 --- a/api/kyverno/v1/rule_test.go +++ b/api/kyverno/v1/rule_test.go @@ -88,7 +88,7 @@ func Test_Validate_RuleType_MultipleRule(t *testing.T) { var policy *ClusterPolicy err := json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { path := field.NewPath("dummy") errs := rule.Validate(path) assert.Assert(t, len(errs) != 0) @@ -143,7 +143,7 @@ func Test_Validate_RuleType_SingleRule(t *testing.T) { var policy *ClusterPolicy err := json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { path := field.NewPath("dummy") errs := rule.Validate(path) assert.Assert(t, len(errs) == 0) diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index 4a600fde87..6d75f097d1 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go 
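Review bot: The doc comment on the new `ClusterPolicy.GetRules` (and on `Policy.GetRules` in policy_types.go) does not say that the returned slice is `Spec.Rules` itself rather than a copy. Callers converted elsewhere in this patch take `&rules[i]` (imageVerify.go, validation.go) and the autogen tests assign through `policy.GetRules()[0]`, so any write lands in the policy object; that matters if the object is shared, for instance one handed out by a cache, which is not visible from here. I would state the contract on both methods: `// GetRules returns the policy rules. The slice aliases p.Spec.Rules; treat it as read-only or DeepCopy before modifying.`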
@@ -48,6 +48,7 @@ type Spec struct { WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"` } +// GetRules returns the spec rules func (s *Spec) GetRules() []Rule { return s.Rules } diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go index 1b7995d94b..872709b8ea 100644 --- a/pkg/autogen/autogen.go +++ b/pkg/autogen/autogen.go @@ -30,7 +30,7 @@ const ( // - otherwise it returns all pod controllers func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, controllers string) { var needAutogen bool - rules := spec.GetRules() + rules := spec.Rules for _, rule := range rules { match := rule.MatchResources exclude := rule.ExcludeResources @@ -166,7 +166,7 @@ func GetControllers(meta metav1.ObjectMeta, spec *kyverno.Spec, log logr.Logger) // GenerateRulePatches generates rule for podControllers based on scenario A and C func GenerateRulePatches(spec *kyverno.Spec, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) { - rules := spec.GetRules() + rules := spec.Rules insertIdx := len(rules) ruleMap := createRuleMap(rules) diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go index b353126574..31c8c0ef62 100644 --- a/pkg/autogen/autogen_test.go +++ b/pkg/autogen/autogen_test.go @@ -260,7 +260,7 @@ func Test_Any(t *testing.T) { } policy := policies[0] - policy.Spec.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{ + policy.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{ { ResourceDescription: kyverno.ResourceDescription{ Kinds: []string{"Pod"}, @@ -298,7 +298,7 @@ func Test_All(t *testing.T) { } policy := policies[0] - policy.Spec.GetRules()[0].MatchResources.All = kyverno.ResourceFilters{ + policy.GetRules()[0].MatchResources.All = kyverno.ResourceFilters{ { ResourceDescription: kyverno.ResourceDescription{ Kinds: []string{"Pod"}, 
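Review bot: In `CanAutoGen` and `GenerateRulePatches` the new side reads `spec.Rules` directly, while the same commit keeps `Spec.GetRules`, documents it, and moves every other call site to an accessor. If the policy-level accessor is later meant to return something other than the raw spec rules, these two sites will keep the old view without anyone noticing, and in an admission policy engine two diverging views of the rule set can end with a rule being generated or matched differently from how it is enforced. A short comment at each site would make the choice deliberate, e.g. `// autogen works on the rules as written in the spec, not on a computed view`. Both function bodies continue outside the hunks.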
@@ -336,7 +336,7 @@ func Test_Exclude(t *testing.T) { } policy := policies[0] - policy.Spec.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"} + policy.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"} rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log) if len(errs) != 0 { @@ -400,7 +400,7 @@ func Test_ForEachPod(t *testing.T) { } policy := policies[0] - policy.Spec.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"} + policy.GetRules()[0].ExcludeResources.Namespaces = []string{"fake-namespce"} rulePatches, errs := GenerateRulePatches(&policy.Spec, PodControllers, log.Log) if len(errs) != 0 { @@ -439,10 +439,10 @@ func Test_CronJob_hasExclude(t *testing.T) { kyverno.PodControllersAnnotation: controllers, }) - rule := policy.Spec.GetRules()[0].DeepCopy() + rule := policy.GetRules()[0].DeepCopy() rule.ExcludeResources.Kinds = []string{"Pod"} rule.ExcludeResources.Namespaces = []string{"test"} - policy.Spec.GetRules()[0] = *rule + policy.GetRules()[0] = *rule rulePatches, errs := GenerateRulePatches(&policy.Spec, controllers, log.Log) if len(errs) != 0 { @@ -529,7 +529,7 @@ func Test_Deny(t *testing.T) { } policy := policies[0] - policy.Spec.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{ + policy.GetRules()[0].MatchResources.Any = kyverno.ResourceFilters{ { ResourceDescription: kyverno.ResourceDescription{ Kinds: []string{"Pod"}, diff --git a/pkg/compatibility/add_labels.go b/pkg/compatibility/add_labels.go index 7ecd377d89..ea913d86cf 100644 --- a/pkg/compatibility/add_labels.go +++ b/pkg/compatibility/add_labels.go @@ -94,7 +94,7 @@ func AddCloneLabel(client *dclient.Client, pInformer kyvernoinformer.ClusterPoli } for _, policy := range policies { - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if rule.HasGenerate() { clone := rule.Generation.Clone if clone.Name != "" { 
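Review bot: `policy.GetRules()[0] = *rule` in `Test_CronJob_hasExclude` writes through a getter and only takes effect because the accessor returns the backing slice of `Spec.Rules`. The same holds for the `policy.GetRules()[0].MatchResources.Any = …`, `.MatchResources.All = …` and `.ExcludeResources.Namespaces = …` assignments in Test_Any, Test_All, Test_Exclude, Test_ForEachPod and Test_Deny. If the accessor ever returns a copy, these assignments become no-ops and the tests would hand an unmodified `&policy.Spec` to `GenerateRulePatches`. Test setup that mutates the policy is clearer and more robust written against the field: `policy.Spec.Rules[0] = *rule`.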
diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go index a7101db229..36eefda6db 100644 --- a/pkg/engine/forceMutate.go +++ b/pkg/engine/forceMutate.go @@ -19,7 +19,7 @@ func ForceMutate(ctx *context.Context, policy kyverno.ClusterPolicy, resource un "namespace", resource.GetNamespace(), "name", resource.GetName()) patchedResource := resource - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if !rule.HasMutate() { continue } diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 7eca4f7310..b4a9f1d3bf 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -48,7 +48,7 @@ func filterRules(policyContext *PolicyContext, startTime time.Time) *response.En return resp } - for _, rule := range policyContext.Policy.Spec.GetRules() { + for _, rule := range policyContext.Policy.GetRules() { if ruleResp := filterRule(rule, policyContext); ruleResp != nil { resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp) } diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go index 7834652048..8d7964931b 100644 --- a/pkg/engine/imageVerify.go +++ b/pkg/engine/imageVerify.go @@ -48,7 +48,7 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe } } - rules := policyContext.Policy.Spec.GetRules() + rules := policyContext.Policy.GetRules() for i := range rules { rule := &rules[i] if len(rule.VerifyImages) == 0 { diff --git a/pkg/engine/mutate/patch/strategicMergePatch_test.go b/pkg/engine/mutate/patch/strategicMergePatch_test.go index a8fc68687a..75ab141a92 100644 --- a/pkg/engine/mutate/patch/strategicMergePatch_test.go +++ b/pkg/engine/mutate/patch/strategicMergePatch_test.go 
@@ -242,7 +242,7 @@ func Test_PolicyDeserilize(t *testing.T) { err := json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - overlayPatches := policy.Spec.GetRules()[0].Mutation.GetPatchStrategicMerge() + overlayPatches := policy.GetRules()[0].Mutation.GetPatchStrategicMerge() patchString, err := json.Marshal(overlayPatches) assert.NilError(t, err) diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 188764e279..3b663405ae 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -39,7 +39,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) { var err error - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if !rule.HasMutate() { continue } diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 77b0ba824c..56e1a85dac 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -897,7 +897,7 @@ func TestMatchesResourceDescription(t *testing.T) { } resource, _ := utils.ConvertToUnstructured(tc.Resource) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo, []string{}, nil, "") if err != nil { if !tc.areErrorsExpected { diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index a7657a3a31..fbea84969b 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -87,7 +87,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo ctx.JSONContext.Checkpoint() defer ctx.JSONContext.Restore() - rules := ctx.Policy.Spec.GetRules() + rules := ctx.Policy.GetRules() for i := range rules { rule := &rules[i] if !rule.HasValidate() { diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go index aff7c83d69..28d01e243e 100644 --- a/pkg/generate/cleanup/controller.go +++ b/pkg/generate/cleanup/controller.go 
@@ -141,7 +141,7 @@ func (c *Controller) deletePolicy(obj interface{}) { // clean up the GR // Get the corresponding GR // get the list of GR for the current Policy version - rules := p.Spec.GetRules() + rules := p.GetRules() generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(rules, c.client, p.GetName(), logger) diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index 1795e08cf3..79cadad5f7 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -259,7 +259,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine. // To manage existing resources, we compare the creation time for the default resource to be generated and policy creation time ruleNameToProcessingTime := make(map[string]time.Duration) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { var err error if !rule.HasGenerate() { continue diff --git a/pkg/generate/generate_controller.go b/pkg/generate/generate_controller.go index acc2199106..cda96cf584 100644 --- a/pkg/generate/generate_controller.go +++ b/pkg/generate/generate_controller.go @@ -258,7 +258,7 @@ func (c *Controller) updatePolicy(old, cur interface{}) { } var policyHasGenerate bool - for _, rule := range curP.Spec.GetRules() { + for _, rule := range curP.GetRules() { if rule.HasGenerate() { policyHasGenerate = true } diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index f8ea06e062..dac4d534cb 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -471,7 +471,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst policyWithNamespaceSelector := false OuterLoop: - for _, p := range policy.Spec.GetRules() { + for _, p := range policy.GetRules() { if p.MatchResources.ResourceDescription.NamespaceSelector != nil || p.ExcludeResources.ResourceDescription.NamespaceSelector != nil { policyWithNamespaceSelector = true 
@@ -573,7 +573,7 @@ OuterLoop: } var policyHasValidate bool - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if rule.HasValidate() { policyHasValidate = true } @@ -591,7 +591,7 @@ OuterLoop: } var policyHasGenerate bool - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if rule.HasGenerate() { policyHasGenerate = true } @@ -768,7 +768,7 @@ func GetResourceAccordingToResourcePath(fs billy.Filesystem, resourcePaths []str func ProcessValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *response.EngineResponse, resPath string, rc *ResultCounts, policyReport bool) policyreport.Info { var violatedRules []v1.ViolatedRule printCount := 0 - for _, policyRule := range policy.Spec.GetRules() { + for _, policyRule := range policy.GetRules() { ruleFoundInEngineResponse := false if !policyRule.HasValidate() { continue @@ -849,7 +849,7 @@ func buildPVInfo(er *response.EngineResponse, violatedRules []v1.ViolatedRule) p func processGenerateEngineResponse(policy *v1.ClusterPolicy, generateResponse *response.EngineResponse, resPath string, rc *ResultCounts) { printCount := 0 - for _, policyRule := range policy.Spec.GetRules() { + for _, policyRule := range policy.GetRules() { ruleFoundInEngineResponse := false for i, genResponseRule := range generateResponse.PolicyResponse.Rules { if policyRule.Name == genResponseRule.Name { @@ -877,7 +877,7 @@ func SetInStoreContext(mutatedPolicies []*v1.ClusterPolicy, variables map[string storePolicies := make([]store.Policy, 0) for _, policy := range mutatedPolicies { storeRules := make([]store.Rule, 0) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { contextVal := make(map[string]string) if len(rule.Context) != 0 { for _, contextVar := range rule.Context { 
@@ -909,7 +909,7 @@ func SetInStoreContext(mutatedPolicies []*v1.ClusterPolicy, variables map[string func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *response.EngineResponse, resPath string, rc *ResultCounts, mutateLogPath string, stdin bool, mutateLogPathIsDir bool, resourceName string, printPatchResource bool) error { var policyHasMutate bool - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if rule.HasMutate() { policyHasMutate = true } @@ -920,7 +920,7 @@ func processMutateEngineResponse(policy *v1.ClusterPolicy, mutateResponse *respo printCount := 0 printMutatedRes := false - for _, policyRule := range policy.Spec.GetRules() { + for _, policyRule := range policy.GetRules() { ruleFoundInEngineResponse := false for i, mutateResponseRule := range mutateResponse.PolicyResponse.Rules { if policyRule.Name == mutateResponseRule.Name { @@ -1019,7 +1019,7 @@ func CheckVariableForPolicy(valuesMap map[string]map[string]Resource, globalValM func GetKindsFromPolicy(policy *v1.ClusterPolicy) map[string]struct{} { var kindOnwhichPolicyIsApplied = make(map[string]struct{}) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.ResourceDescription.Kinds { kindOnwhichPolicyIsApplied[kind] = struct{}{} } diff --git a/pkg/kyverno/common/fetch.go b/pkg/kyverno/common/fetch.go index a400aa7bdb..e50b4df55f 100644 --- a/pkg/kyverno/common/fetch.go +++ b/pkg/kyverno/common/fetch.go @@ -31,7 +31,7 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient var resourceTypes []string for _, policy := range policies { - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { resourceTypesInRule := GetKindsFromRule(rule) for resourceKind := range resourceTypesInRule { resourceTypesMap[resourceKind] = true 
@@ -120,7 +120,7 @@ func GetResourcesWithTest(fs billy.Filesystem, policies []*v1.ClusterPolicy, res var resourceTypesMap = make(map[string]bool) var resourceTypes []string for _, policy := range policies { - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { resourceTypesMap[kind] = true } diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 0f8349cc7c..e0e041a0ba 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go @@ -789,7 +789,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool, for _, p := range filteredPolicies { var filteredRules = []v1.Rule{} - for _, rule := range p.Spec.GetRules() { + for _, rule := range p.GetRules() { for _, res := range values.Results { if rule.Name == res.Rule { filteredRules = append(filteredRules, rule) diff --git a/pkg/metrics/policyruleinfo/policyRuleInfo.go b/pkg/metrics/policyruleinfo/policyRuleInfo.go index a376faaa59..3f13b940d0 100644 --- a/pkg/metrics/policyruleinfo/policyRuleInfo.go +++ b/pkg/metrics/policyruleinfo/policyRuleInfo.go @@ -73,7 +73,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error { policyName := inputPolicy.ObjectMeta.Name ready := inputPolicy.Status.Ready // registering the metrics on a per-rule basis - for _, rule := range inputPolicy.Spec.GetRules() { + for _, rule := range inputPolicy.GetRules() { ruleName := rule.Name ruleType := metrics.ParseRuleType(rule) @@ -93,7 +93,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error { policyName := inputPolicy.ObjectMeta.Name ready := inputPolicy.Status.Ready // registering the metrics on a per-rule basis - for _, rule := range inputPolicy.Spec.GetRules() { + for _, rule := range inputPolicy.GetRules() { ruleName := rule.Name ruleType := metrics.ParseRuleType(rule) 
@@ -110,7 +110,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error { func (pc PromConfig) RemovePolicy(policy interface{}) error { switch inputPolicy := policy.(type) { case *kyverno.ClusterPolicy: - for _, rule := range inputPolicy.Spec.GetRules() { + for _, rule := range inputPolicy.GetRules() { policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction) if err != nil { return err @@ -129,7 +129,7 @@ func (pc PromConfig) RemovePolicy(policy interface{}) error { } return nil case *kyverno.Policy: - for _, rule := range inputPolicy.Spec.GetRules() { + for _, rule := range inputPolicy.GetRules() { policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction) if err != nil { return err diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go index b3cedabd9c..e0e5d5b3f8 100644 --- a/pkg/openapi/validation.go +++ b/pkg/openapi/validation.go @@ -138,7 +138,7 @@ func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured, // ValidatePolicyMutation ... func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error { var kindToRules = make(map[string][]v1.Rule) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if rule.HasMutate() { for _, kind := range rule.MatchResources.Kinds { kindToRules[kind] = append(kindToRules[common.GetFormatedKind(kind)], rule) diff --git a/pkg/policy/background.go b/pkg/policy/background.go index 040511efb6..f3373d1573 100644 --- a/pkg/policy/background.go +++ b/pkg/policy/background.go @@ -19,7 +19,7 @@ func containsUserVariables(policy *kyverno.ClusterPolicy, vars [][]string) error return fmt.Errorf("variable %s is not allowed", s[0]) } } - rules := policy.Spec.GetRules() + rules := policy.GetRules() for idx := range rules { if err := hasUserMatchExclude(idx, &rules[idx]); err != nil { return err 
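Review bot: In `ValidatePolicyMutation` the context line `kindToRules[kind] = append(kindToRules[common.GetFormatedKind(kind)], rule)` stores under `kind` but appends to the slice read from `common.GetFormatedKind(kind)`. Whenever the two keys differ (presumably for group/version-qualified kinds; the helper is not shown), the read side is likely empty, so a second mutate rule for the same kind replaces the first instead of joining it and the earlier rule would be left out of whatever check runs over `kindToRules`. The commit only touches the loop header, but this is worth fixing alongside it: `k := common.GetFormatedKind(kind); kindToRules[k] = append(kindToRules[k], rule)`. Whether the formatted or the raw kind is the right key depends on the lookup further down, which is outside the hunk.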
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index e41e4fc7cf..cc21121a95 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -23,7 +23,7 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli // Parse through all the resources drops the cache after configured rebuild time pc.rm.Drop() - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if !rule.HasValidate() && !rule.HasVerifyImages() { continue } diff --git a/pkg/policy/policy_controller.go b/pkg/policy/policy_controller.go index 2355641262..8cc9905069 100644 --- a/pkg/policy/policy_controller.go +++ b/pkg/policy/policy_controller.go @@ -274,7 +274,7 @@ func (pc *PolicyController) deletePolicy(obj interface{}) { // we process policies that are not set of background processing // as we need to clean up GRs when a policy is deleted // skip generate policies with clone - rules := p.Spec.GetRules() + rules := p.GetRules() generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(rules, pc.client, p.GetName(), logger) @@ -380,11 +380,11 @@ func (pc *PolicyController) deleteNsPolicy(obj interface{}) { func (pc *PolicyController) enqueueRCRDeletedRule(old, cur *kyverno.ClusterPolicy) { curRule := make(map[string]bool) - for _, rule := range cur.Spec.GetRules() { + for _, rule := range cur.GetRules() { curRule[rule.Name] = true } - for _, rule := range old.Spec.GetRules() { + for _, rule := range old.GetRules() { if !curRule[rule.Name] { pc.prGenerator.Add(policyreport.Info{ PolicyName: cur.GetName(), @@ -569,7 +569,7 @@ func missingAutoGenRules(policy *kyverno.ClusterPolicy, log logr.Logger) bool { var podRuleName []string ruleCount := 1 if canApplyAutoGen, _ := autogen.CanAutoGen(&policy.Spec, log); canApplyAutoGen { - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { podRuleName = append(podRuleName, rule.Name) } } 
@@ -596,7 +596,7 @@ func missingAutoGenRules(policy *kyverno.ClusterPolicy, log logr.Logger) bool { } } - if len(policy.Spec.GetRules()) != (ruleCount * len(podRuleName)) { + if len(policy.GetRules()) != (ruleCount * len(podRuleName)) { return true } } diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index eadcf66938..c8a4b7e9a3 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -127,7 +127,7 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, clusterResources = append(clusterResources, k) } } - rules := policy.Spec.GetRules() + rules := policy.GetRules() rulesPath := specPath.Child("rules") for i, rule := range rules { rulePath := rulesPath.Index(i) @@ -385,7 +385,7 @@ func ValidateVariables(p *kyverno.ClusterPolicy, backgroundMode bool) error { // hasInvalidVariables - checks for unexpected variables in the policy func hasInvalidVariables(policy *kyverno.ClusterPolicy, background bool) error { - for _, r := range policy.Spec.GetRules() { + for _, r := range policy.GetRules() { ruleCopy := r.DeepCopy() if err := ruleForbiddenSectionsHaveVariables(ruleCopy); err != nil { diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go index 26df86e6ba..561bd51145 100644 --- a/pkg/policycache/cache.go +++ b/pkg/policycache/cache.go @@ -124,7 +124,7 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) { pName = pSpace + "/" + pName } - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if len(rule.MatchResources.Any) > 0 { for _, rmr := range rule.MatchResources.Any { @@ -230,7 +230,7 @@ func (m *pMap) remove(policy *kyverno.ClusterPolicy) { pName = pSpace + "/" + pName } - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if len(rule.MatchResources.Any) > 0 { for _, rmr := range rule.MatchResources.Any { removeCacheHelper(rmr, m, pName) 
diff --git a/pkg/policycache/cache_test.go b/pkg/policycache/cache_test.go index ccdcbd3606..36e6d03922 100644 --- a/pkg/policycache/cache_test.go +++ b/pkg/policycache/cache_test.go @@ -49,7 +49,7 @@ func Test_All(t *testing.T) { policy := newPolicy(t) //add pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { // get @@ -82,7 +82,7 @@ func Test_Add_Duplicate_Policy(t *testing.T) { pCache.Add(policy) pCache.Add(policy) pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { mutate := pCache.get(Mutate, kind, "") @@ -111,7 +111,7 @@ func Test_Add_Validate_Audit(t *testing.T) { policy.Spec.ValidationFailureAction = "audit" pCache.Add(policy) pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { validateEnforce := pCache.get(ValidateEnforce, kind, "") @@ -930,7 +930,7 @@ func Test_Ns_All(t *testing.T) { //add pCache.Add(policy) nspace := policy.GetNamespace() - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { // get @@ -963,7 +963,7 @@ func Test_Ns_Add_Duplicate_Policy(t *testing.T) { pCache.Add(policy) pCache.Add(policy) nspace := policy.GetNamespace() - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { mutate := pCache.get(Mutate, kind, nspace) 
@@ -992,7 +992,7 @@ func Test_Ns_Add_Validate_Audit(t *testing.T) { policy.Spec.ValidationFailureAction = "audit" pCache.Add(policy) pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { validateEnforce := pCache.get(ValidateEnforce, kind, nspace) @@ -1031,7 +1031,7 @@ func Test_GVk_Cache(t *testing.T) { policy := newGVKPolicy(t) //add pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { generate := pCache.get(Generate, kind, "") @@ -1065,7 +1065,7 @@ func Test_Add_Validate_Enforce(t *testing.T) { nspace := policy.GetNamespace() //add pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { validateEnforce := pCache.get(ValidateEnforce, kind, nspace) if len(validateEnforce) != 1 { @@ -1100,7 +1100,7 @@ func Test_Mutate_Policy(t *testing.T) { pCache.Add(policy) pCache.Add(policy) pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { // get @@ -1117,7 +1117,7 @@ func Test_Generate_Policy(t *testing.T) { policy := newgenratePolicy(t) //add pCache.Add(policy) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { for _, kind := range rule.MatchResources.Kinds { // get diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go index 005f90d5b7..17af444c17 100644 --- a/pkg/policymutation/policymutation.go +++ b/pkg/policymutation/policymutation.go 
@@ -65,7 +65,7 @@ func GenerateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, autogenIntern func checkForGVKFormatPatch(policy *kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) { patches = make([][]byte, 0) - for i, rule := range policy.Spec.GetRules() { + for i, rule := range policy.GetRules() { patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/resources/kinds", strconv.Itoa(i)), rule.MatchResources.Kinds, log) if err == nil && patchByte != nil { patches = append(patches, patchByte) diff --git a/pkg/utils/json.go b/pkg/utils/json.go index 81a97e66e4..d7eeaba328 100644 --- a/pkg/utils/json.go +++ b/pkg/utils/json.go @@ -31,7 +31,7 @@ func JoinPatches(patches [][]byte) []byte { // TODO This needs to be removed. A simpler way to encode and decode Policy is needed. func MarshalPolicy(policy v1.ClusterPolicy) []byte { var rules []interface{} - policyRules := policy.Spec.GetRules() + policyRules := policy.GetRules() rulesRaw, _ := json.Marshal(policyRules) _ = json.Unmarshal(rulesRaw, &rules) for i, r := range rules { diff --git a/pkg/webhookconfig/configmanager.go b/pkg/webhookconfig/configmanager.go index 90d1d50e88..13fd0ed9d3 100644 --- a/pkg/webhookconfig/configmanager.go +++ b/pkg/webhookconfig/configmanager.go @@ -700,7 +700,7 @@ func (m *webhookConfigManager) updateStatus(policy *kyverno.ClusterPolicy, statu // mergeWebhook merges the matching kinds of the policy to webhook.rule func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy *kyverno.ClusterPolicy, updateValidate bool) { matchedGVK := make([]string, 0) - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { // matching kinds in generate policies need to be added to both webhook if rule.HasGenerate() { matchedGVK = append(matchedGVK, rule.MatchKinds()...) 
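Review bot: `checkForGVKFormatPatch` builds the JSON-patch path `/spec/rules/<i>/match/resources/kinds` from the index of `policy.GetRules()`, which is correct only while the accessor returns exactly `Spec.Rules` in the same order. Since the patch is addressed at the spec, either iterate the field (`for i, rule := range policy.Spec.Rules {`) or add a comment stating the dependency, e.g. `// index i must match /spec/rules/i; GetRules must not reorder or extend Spec.Rules`. The loop body continues outside the hunk.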
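Review bot: `MarshalPolicy` discards both errors on the context lines `rulesRaw, _ := json.Marshal(policyRules)` and `_ = json.Unmarshal(rulesRaw, &rules)`. If either call fails, `rules` stays nil and the loop over it is skipped, so the function presumably goes on to encode a policy without its rules and the caller has no way to tell. The signature returns only `[]byte`, so short of changing it the error should at least be logged before continuing; the existing TODO already marks the function for removal. The body continues outside the hunk, so what is finally returned is not visible here.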
@@ -811,7 +811,7 @@ func webhookKey(webhookKind, failurePolicy string) string { func hasWildcard(policy interface{}) bool { if p, ok := policy.(*kyverno.ClusterPolicy); ok { - for _, rule := range p.Spec.GetRules() { + for _, rule := range p.GetRules() { if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") { return true } @@ -819,7 +819,7 @@ func hasWildcard(policy interface{}) bool { } if p, ok := policy.(*kyverno.Policy); ok { - for _, rule := range p.Spec.GetRules() { + for _, rule := range p.GetRules() { if kinds := rule.MatchKinds(); utils.ContainsString(kinds, "*") { return true } diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go index 4d919e4cb3..2b7793d085 100644 --- a/pkg/webhooks/common.go +++ b/pkg/webhooks/common.go @@ -143,7 +143,7 @@ func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) func containsRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool { for _, policySlice := range policies { for _, policy := range policySlice { - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if checkForRBACInfo(rule) { return true } diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go index 2b7a8039b3..82c2b08cef 100644 --- a/pkg/webhooks/generation.go +++ b/pkg/webhooks/generation.go @@ -234,7 +234,7 @@ func (ws *WebhookServer) handleUpdateGenerateTargetResource(request *v1beta1.Adm return } - for _, rule := range policy.Spec.GetRules() { + for _, rule := range policy.GetRules() { if rule.Generation.Kind == targetSourceKind && rule.Generation.Name == targetSourceName { updatedRule, err := getGeneratedByResource(newRes, resLabels, ws.client, rule, logger) if err != nil {
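Review bot: `hasWildcard` still carries two identical loops, one per concrete type, although after this commit both `*kyverno.ClusterPolicy` and `*kyverno.Policy` expose `GetRules()`. A single assertion on the method would remove the duplication: `if p, ok := policy.(interface{ GetRules() []kyverno.Rule }); ok {` followed by the one loop. The type switches in `AddPolicy`/`RemovePolicy` in policyRuleInfo.go have the same shape, though they also read `Spec` and `Status` fields and would need more than this one method. The end of `hasWildcard` is outside the hunk, so how other types are handled is not visible here.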