Moved common utils for mutation, validation and generation to pkg/engine/utils

2025-04-08 10:04:25 +00:00 · 2019-05-15 14:25:32 +03:00 · 2019-05-15 14:25:32 +03:00 · 10e8d2cfe0
commit 10e8d2cfe0
parent 44ba5dbd8f
8 changed files with 47 additions and 92 deletions
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -80,9 +80,9 @@ func (p *policyEngine) processRuleOnResource(policyName string, rule types.Rule,
 	var violationInfo violation.Info
 	var eventInfos []event.Info

-	resourceKind := mutation.ParseKindFromObject(rawResource)
-	resourceName := mutation.ParseNameFromObject(rawResource)
-	resourceNamespace := mutation.ParseNamespaceFromObject(rawResource)
+	resourceKind := ParseKindFromObject(rawResource)
+	resourceName := ParseNameFromObject(rawResource)
+	resourceNamespace := ParseNamespaceFromObject(rawResource)

 	rulePatchesProcessed, err := mutation.ProcessPatches(rule.Mutation.Patches, nil)
 	if err != nil {
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@ -4,18 +4,17 @@ import (
 	"fmt"

 	kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
-	"github.com/nirmata/kube-policy/pkg/engine/mutation"
 )

 // TODO: To be reworked due to spec policy-v2

 // Applies "configMapGenerator" and "secretGenerator" described in PolicyRule
 func (p *policyEngine) applyRuleGenerators(rawResource []byte, rule kubepolicy.Rule) error {
-	kind := mutation.ParseKindFromObject(rawResource)
+	kind := ParseKindFromObject(rawResource)

 	// configMapGenerator and secretGenerator can be applied only to namespaces
 	if kind == "Namespace" {
-		namespaceName := mutation.ParseNameFromObject(rawResource)
+		namespaceName := ParseNameFromObject(rawResource)

 		err := p.applyConfigGenerator(rule.Generation, namespaceName, "ConfigMap")
 		if err == nil {
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -23,7 +23,7 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte, gvk
 			continue
 		}

-		ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
+		ok, err := ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
 		if err != nil {
 			p.logger.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
 			continue
--- a/pkg/engine/mutation/checkRules.go
+++ b/pkg/engine/mutation/checkRules.go
@ -1,44 +0,0 @@
-package mutation
-
-import (
-	"github.com/minio/minio/pkg/wildcard"
-	types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// kind is the type of object being manipulated
-// Checks requests kind, name and labels to fit the policy
-func IsRuleApplicableToResource(resourceRaw []byte, description types.ResourceDescription) (bool, error) {
-	kind := ParseKindFromObject(resourceRaw)
-	if description.Kind != kind {
-		return false, nil
-	}
-
-	if resourceRaw != nil {
-		meta := ParseMetadataFromObject(resourceRaw)
-		name := ParseNameFromObject(resourceRaw)
-
-		if description.Name != nil {
-
-			if !wildcard.Match(*description.Name, name) {
-				return false, nil
-			}
-		}
-
-		if description.Selector != nil {
-			selector, err := metav1.LabelSelectorAsSelector(description.Selector)
-
-			if err != nil {
-				return false, err
-			}
-
-			labelMap := ParseLabelsFromMetadata(meta)
-
-			if !selector.Matches(labelMap) {
-				return false, nil
-			}
-
-		}
-	}
-	return true, nil
-}
--- a/pkg/engine/mutation/utils.go
+++ b/pkg/engine/mutation/utils.go
@ -1,4 +1,4 @@
-package mutation
+package engine

 import (
 	"encoding/json"
@ -6,10 +6,46 @@ import (

 	"github.com/minio/minio/pkg/wildcard"
 	kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 )

+// ResourceMeetsRules checks requests kind, name and labels to fit the policy
+func ResourceMeetsRules(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) (bool, error) {
+	if description.Kind != gvk.Kind {
+		return false, nil
+	}
+
+	if resourceRaw != nil {
+		meta := ParseMetadataFromObject(resourceRaw)
+		name := ParseNameFromObject(resourceRaw)
+
+		if description.Name != nil {
+
+			if !wildcard.Match(*description.Name, name) {
+				return false, nil
+			}
+		}
+
+		if description.Selector != nil {
+			selector, err := metav1.LabelSelectorAsSelector(description.Selector)
+
+			if err != nil {
+				return false, err
+			}
+
+			labelMap := ParseLabelsFromMetadata(meta)
+
+			if !selector.Matches(labelMap) {
+				return false, nil
+			}
+
+		}
+	}
+	return true, nil
+}
+
 func ParseMetadataFromObject(bytes []byte) map[string]interface{} {
 	var objectJSON map[string]interface{}
 	json.Unmarshal(bytes, &objectJSON)
@ -68,38 +104,3 @@ func ParseRegexPolicyResourceName(policyResourceName string) (string, bool) {
 	}
 	return strings.Trim(regex[1], " "), true
 }
-
-// ResourceMeetsRules checks requests kind, name and labels to fit the policy
-func ResourceMeetsRules(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) (bool, error) {
-	if description.Kind != gvk.Kind {
-		return false, nil
-	}
-
-	if resourceRaw != nil {
-		meta := ParseMetadataFromObject(resourceRaw)
-		name := ParseNameFromObject(resourceRaw)
-
-		if description.Name != nil {
-
-			if !wildcard.Match(*description.Name, name) {
-				return false, nil
-			}
-		}
-
-		if description.Selector != nil {
-			selector, err := metav1.LabelSelectorAsSelector(description.Selector)
-
-			if err != nil {
-				return false, err
-			}
-
-			labelMap := ParseLabelsFromMetadata(meta)
-
-			if !selector.Matches(labelMap) {
-				return false, nil
-			}
-
-		}
-	}
-	return true, nil
-}
--- a/pkg/engine/mutation/utils_test.go
+++ b/pkg/engine/mutation/utils_test.go
@ -1,4 +1,4 @@
-package mutation
+package engine

 import (
 	"testing"
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -5,7 +5,6 @@ import (
 	"fmt"

 	kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
-	"github.com/nirmata/kube-policy/pkg/engine/mutation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

@ -27,7 +26,7 @@ func (p *policyEngine) Validate(policy kubepolicy.Policy, rawResource []byte, gv
 			continue
 		}

-		ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
+		ok, err := ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
 		if err != nil {
 			p.logger.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
 			continue
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -152,8 +152,8 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
 		allPatches = append(allPatches, policyPatches...)

 		if len(policyPatches) > 0 {
-			namespace := mutation.ParseNamespaceFromObject(request.Object.Raw)
-			name := mutation.ParseNameFromObject(request.Object.Raw)
+			namespace := engine.ParseNamespaceFromObject(request.Object.Raw)
+			name := engine.ParseNameFromObject(request.Object.Raw)
 			ws.logger.Printf("Policy %s applied to %s %s/%s", policy.Name, request.Kind.Kind, namespace, name)
 		}
 	}