From 1171ac691b62b75bd83d2bbdd9fd1a3b0c3b7a2c Mon Sep 17 00:00:00 2001 From: Shivkumar Dudhani Date: Fri, 24 Jan 2020 09:37:12 -0800 Subject: [PATCH] cleanup phase 1 (#653) --- .../listers/kyverno/v1/expansion_generated.go | 3 + pkg/config/config.go | 14 ++- pkg/config/dynamicconfig.go | 1 - pkg/dclient/client.go | 1 - pkg/engine/context/context_test.go | 16 ++- pkg/engine/mutate/patches_test.go | 4 - pkg/engine/operator/operator.go | 1 - pkg/engine/policy/validate_test.go | 2 - pkg/engine/utils.go | 14 --- pkg/engine/utils/utils_test.go | 12 +- pkg/engine/utils_test.go | 16 ++- pkg/engine/validate/common.go | 32 ----- pkg/engine/validate/validate.go | 8 ++ pkg/engine/variables/evaluate_test.go | 114 ++++++++++++++---- pkg/engine/variables/validatevariables.go | 2 + .../variables/validatevariables_test.go | 23 +++- pkg/event/util.go | 2 - pkg/generate/generate.go | 19 ++- pkg/namespace/controller.go | 2 +- pkg/namespace/utils.go | 7 -- pkg/policy/cleanup.go | 16 --- pkg/policy/controller.go | 11 +- pkg/policy/existing.go | 41 ------- pkg/policy/utils.go | 17 --- pkg/policy/webhookregistration.go | 3 +- pkg/policystore/policystore_test.go | 5 +- pkg/testrunner/scenario.go | 19 --- pkg/testrunner/utils.go | 3 +- pkg/webhookconfig/registration.go | 4 +- pkg/webhooks/common.go | 13 -- pkg/webhooks/policyvalidation.go | 9 -- 31 files changed, 197 insertions(+), 237 deletions(-) delete mode 100644 pkg/namespace/utils.go delete mode 100644 pkg/policy/utils.go diff --git a/pkg/client/listers/kyverno/v1/expansion_generated.go b/pkg/client/listers/kyverno/v1/expansion_generated.go index 1afb8b6e21..328ff5bd31 100644 --- a/pkg/client/listers/kyverno/v1/expansion_generated.go +++ b/pkg/client/listers/kyverno/v1/expansion_generated.go 
@@ -53,6 +53,9 @@ type PolicyViolationNamespaceListerExpansion interface{} // as the lister is specific to a gvk we can harcode the values here func (pvl *clusterPolicyViolationLister) ListResources(selector labels.Selector) (ret []*kyvernov1.ClusterPolicyViolation, err error) { policyviolations, err := pvl.List(selector) + if err != nil { + return nil, err + } for index := range policyviolations { policyviolations[index].SetGroupVersionKind(kyvernov1.SchemeGroupVersion.WithKind("ClusterPolicyViolation")) } diff --git a/pkg/config/config.go b/pkg/config/config.go index f553fa8122..aba5d11124 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -72,9 +72,19 @@ var ( //LogDefaults sets default glog flags func LogDefaultFlags() { - flag.Set("logtostderr", "true") - flag.Set("stderrthreshold", "WARNING") + var err error + err = flag.Set("logtostderr", "true") + if err != nil { + glog.Fatalf("failed to set flag 'logtostderr' to 'true':%v", err) + } + err = flag.Set("stderrthreshold", "WARNING") + if err != nil { + glog.Fatalf("failed to set flag 'stderrthreshold' to 'WARNING':%v", err) + } flag.Set("v", "2") + if err != nil { + glog.Fatalf("failed to set flag 'v' to '2':%v", err) + } } //CreateClientConfig creates client config diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go index 03b77926ec..e7c8e4db70 100644 --- a/pkg/config/dynamicconfig.go +++ b/pkg/config/dynamicconfig.go @@ -19,7 +19,6 @@ import ( // read the conifgMap with name in env:INIT_CONFIG // this configmap stores the resources that are to be filtered const cmNameEnv string = "INIT_CONFIG" -const cmDataField string = "resourceFilters" type ConfigData struct { client kubernetes.Interface diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go index 7993d83ce5..bd5cac549f 100644 --- a/pkg/dclient/client.go +++ b/pkg/dclient/client.go 
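Review bot: In `LogDefaultFlags` (pkg/config/config.go) the third call, `flag.Set("v", "2")`, still discards its return value, so the `if err != nil` added after it re-tests the `err` left over from the `stderrthreshold` call and can never fire. Assign the result, `err = flag.Set("v", "2")`, so a failure to set the verbosity flag is actually reported. The doc comment above the function also says `LogDefaults` while the declaration is `LogDefaultFlags`; `//LogDefaultFlags sets default glog flags` would match.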
@@ -29,7 +29,6 @@ import ( //Client enables interaction with k8 resource type Client struct { client dynamic.Interface - cachedClient discovery.CachedDiscoveryInterface clientConfig *rest.Config kclient kubernetes.Interface DiscoveryClient IDiscovery diff --git a/pkg/engine/context/context_test.go b/pkg/engine/context/context_test.go index 5531cac544..a583fdbef1 100644 --- a/pkg/engine/context/context_test.go +++ b/pkg/engine/context/context_test.go @@ -9,6 +9,7 @@ import ( ) func Test_addResourceAndUserContext(t *testing.T) { + var err error rawResource := []byte(` { "apiVersion": "v1", @@ -54,7 +55,10 @@ func Test_addResourceAndUserContext(t *testing.T) { var expectedResult string ctx := NewContext() - ctx.AddResource(rawResource) + err = ctx.AddResource(rawResource) + if err != nil { + t.Error(err) + } result, err := ctx.Query("request.object.apiVersion") if err != nil { t.Error(err) @@ -65,7 +69,10 @@ func Test_addResourceAndUserContext(t *testing.T) { t.Error("exected result does not match") } - ctx.AddUserInfo(userRequestInfo) + err = ctx.AddUserInfo(userRequestInfo) + if err != nil { + t.Error(err) + } result, err = ctx.Query("request.object.apiVersion") if err != nil { t.Error(err) @@ -86,7 +93,10 @@ func Test_addResourceAndUserContext(t *testing.T) { t.Error("exected result does not match") } // Add service account Name - ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) + err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) + if err != nil { + t.Error(err) + } result, err = ctx.Query("serviceAccountName") if err != nil { t.Error(err) diff --git a/pkg/engine/mutate/patches_test.go b/pkg/engine/mutate/patches_test.go index ddec999eac..f38b68d2c4 100644 --- a/pkg/engine/mutate/patches_test.go +++ b/pkg/engine/mutate/patches_test.go 
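Review bot: The new setup checks in `Test_addResourceAndUserContext` (pkg/engine/context/context_test.go) use `t.Error(err)`, which records the failure but lets the test keep running against a context that was never populated. The later `ctx.Query` assertions then fail as well and bury the real cause; `t.Fatal(err)` stops at the first broken precondition. The same pattern is added in pkg/engine/utils_test.go, pkg/engine/utils/utils_test.go, pkg/engine/variables/evaluate_test.go, pkg/engine/variables/validatevariables_test.go and pkg/policystore/policystore_test.go.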
@@ -174,10 +174,6 @@ func assertEqDataImpl(t *testing.T, expected, actual []byte, formatModifier stri } } -func assertEqData(t *testing.T, expected, actual []byte) { - assertEqDataImpl(t, expected, actual, "%x") -} - func assertEqStringAndData(t *testing.T, str string, data []byte) { assertEqDataImpl(t, []byte(str), data, "%s") } diff --git a/pkg/engine/operator/operator.go b/pkg/engine/operator/operator.go index 7c40239c61..241f055c54 100644 --- a/pkg/engine/operator/operator.go +++ b/pkg/engine/operator/operator.go @@ -18,7 +18,6 @@ const ( Less Operator = "<" ) -const relativePrefix Operator = "./" const ReferenceSign Operator = "$()" // getOperatorFromStringPattern parses opeartor from pattern diff --git a/pkg/engine/policy/validate_test.go b/pkg/engine/policy/validate_test.go index bce81bcab9..9c3a827ffa 100644 --- a/pkg/engine/policy/validate_test.go +++ b/pkg/engine/policy/validate_test.go @@ -500,7 +500,6 @@ func Test_Validate_ExistingAnchor_Valid(t *testing.T) { if _, err := validateValidation(validation); err != nil { assert.Assert(t, err != nil) } - rawValidation = nil rawValidation = []byte(` { "message": "validate container security contexts", @@ -567,7 +566,6 @@ func Test_Validate_Validate_ValidAnchor(t *testing.T) { } // case 2 - rawValidate = nil validate = kyverno.Validation{} rawValidate = []byte(` { diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index b99221773b..eeece82c5d 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -10,7 +10,6 @@ import ( "github.com/minio/minio/pkg/wildcard" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" - "github.com/nirmata/kyverno/pkg/engine/operator" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/variables" "github.com/nirmata/kyverno/pkg/utils" 
@@ -219,19 +218,6 @@ func findKind(kinds []string, kindGVK string) bool { return false } -func isStringIsReference(str string) bool { - if len(str) < len(operator.ReferenceSign) { - return false - } - - return str[0] == '$' && str[1] == '(' && str[len(str)-1] == ')' -} - -type resourceInfo struct { - Resource unstructured.Unstructured - Gvk *metav1.GroupVersionKind -} - // validateGeneralRuleInfoVariables validate variable subtition defined in // - MatchResources // - ExcludeResources diff --git a/pkg/engine/utils/utils_test.go b/pkg/engine/utils/utils_test.go index 823d43f1ae..b095265e4f 100644 --- a/pkg/engine/utils/utils_test.go +++ b/pkg/engine/utils/utils_test.go @@ -1,9 +1,9 @@ package utils -import( - "testing" +import ( "encoding/json" "gotest.tools/assert" + "testing" ) func TestGetAnchorsFromMap_ThereAreNoAnchors(t *testing.T) { @@ -19,8 +19,10 @@ func TestGetAnchorsFromMap_ThereAreNoAnchors(t *testing.T) { }`) var unmarshalled map[string]interface{} - json.Unmarshal(rawMap, &unmarshalled) - + err := json.Unmarshal(rawMap, &unmarshalled) + if err != nil { + t.Error(err) + } actualMap := GetAnchorsFromMap(unmarshalled) assert.Assert(t, len(actualMap) == 0) -} \ No newline at end of file +} diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 6c527dde6f..69df80900b 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go 
@@ -488,9 +488,19 @@ func Test_validateGeneralRuleInfoVariables(t *testing.T) { assert.NilError(t, json.Unmarshal(policyRaw, &policy)) ctx := context.NewContext() - ctx.AddResource(rawResource) - ctx.AddUserInfo(userReqInfo) - ctx.AddSA("system:serviceaccount:test:testuser") + var err error + err = ctx.AddResource(rawResource) + if err != nil { + t.Error(err) + } + err = ctx.AddUserInfo(userReqInfo) + if err != nil { + t.Error(err) + } + err = ctx.AddSA("system:serviceaccount:test:testuser") + if err != nil { + t.Error(err) + } expectPaths := []string{"request.userInfo.username1", "request.object.namespace", ""} diff --git a/pkg/engine/validate/common.go b/pkg/engine/validate/common.go index 109831a89a..f30e903212 100644 --- a/pkg/engine/validate/common.go +++ b/pkg/engine/validate/common.go @@ -3,8 +3,6 @@ package validate import ( "fmt" "strconv" - - "github.com/nirmata/kyverno/pkg/engine/operator" ) type ValidationFailureReason int @@ -14,36 +12,6 @@ const ( Rulefailure ) -func isStringIsReference(str string) bool { - if len(str) < len(operator.ReferenceSign) { - return false - } - - return str[0] == '$' && str[1] == '(' && str[len(str)-1] == ')' -} - -// convertToFloat converts string and any other value to float64 -func convertToFloat(value interface{}) (float64, error) { - switch typed := value.(type) { - case string: - var err error - floatValue, err := strconv.ParseFloat(typed, 64) - if err != nil { - return 0, err - } - - return floatValue, nil - case float64: - return typed, nil - case int64: - return float64(typed), nil - case int: - return float64(typed), nil - default: - return 0, fmt.Errorf("Could not convert %T to float64", value) - } -} - // convertToString converts value to string func convertToString(value interface{}) (string, error) { switch typed := value.(type) { diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index 73e973348a..04164e3979 100644 --- a/pkg/engine/validate/validate.go 
+++ b/pkg/engine/validate/validate.go @@ -274,3 +274,11 @@ func validateArrayOfMaps(resourceMapArray []interface{}, patternMap map[string]i } return "", nil } + +func isStringIsReference(str string) bool { + if len(str) < len(operator.ReferenceSign) { + return false + } + + return str[0] == '$' && str[1] == '(' && str[len(str)-1] == ')' +} diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go index 9eaf532766..33b3a4f2b7 100644 --- a/pkg/engine/variables/evaluate_test.go +++ b/pkg/engine/variables/evaluate_test.go @@ -299,12 +299,20 @@ func Test_Eval_NoEqual_Const_float64_Fail(t *testing.T) { func Test_Eval_Equal_Const_object_Pass(t *testing.T) { ctx := context.NewContext() + var err error obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) obj2Raw := []byte(`{ "dir": { "file1": "a" } }`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } + // no variables condition := kyverno.Condition{ Key: obj1, @@ -319,12 +327,20 @@ func Test_Eval_Equal_Const_object_Pass(t *testing.T) { func Test_Eval_Equal_Const_object_Fail(t *testing.T) { ctx := context.NewContext() - + var err error obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) obj2Raw := []byte(`{ "dir": { "file1": "b" } }`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } + // no variables condition := kyverno.Condition{ Key: obj1, 
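Review bot: `isStringIsReference`, now at the end of pkg/engine/validate/validate.go, arrives without a comment, and its contract has one non-obvious edge: the length guard compares against `operator.ReferenceSign` (`$()`), so the bare string `$()` with nothing inside is also reported as a reference. A one-line comment such as `// isStringIsReference reports whether str is wrapped as $(...); the empty "$()" also matches.` would make that visible. Whether callers handle an empty reference path cannot be seen from this hunk.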
@@ -339,12 +355,20 @@ func Test_Eval_Equal_Const_object_Fail(t *testing.T) { func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) { ctx := context.NewContext() - + var err error obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) obj2Raw := []byte(`{ "dir": { "file1": "b" } }`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } + // no variables condition := kyverno.Condition{ Key: obj1, @@ -359,12 +383,20 @@ func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) { func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) { ctx := context.NewContext() - + var err error obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) obj2Raw := []byte(`{ "dir": { "file1": "a" } }`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } + // no variables condition := kyverno.Condition{ Key: obj1, @@ -381,12 +413,20 @@ func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) { func Test_Eval_Equal_Const_list_Pass(t *testing.T) { ctx := context.NewContext() - + var err error obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) obj2Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } + // no variables condition := kyverno.Condition{ Key: obj1, 
@@ -401,12 +441,18 @@ func Test_Eval_Equal_Const_list_Pass(t *testing.T) { func Test_Eval_Equal_Const_list_Fail(t *testing.T) { ctx := context.NewContext() - + var err error obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) obj2Raw := []byte(`[ { "name": "b", "file": "a" }, { "name": "b", "file": "b" } ]`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } // no variables condition := kyverno.Condition{ Key: obj1, @@ -421,12 +467,18 @@ func Test_Eval_Equal_Const_list_Fail(t *testing.T) { func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) { ctx := context.NewContext() - + var err error obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) obj2Raw := []byte(`[ { "name": "b", "file": "a" }, { "name": "b", "file": "b" } ]`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } // no variables condition := kyverno.Condition{ Key: obj1, @@ -441,12 +493,18 @@ func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) { func Test_Eval_NotEqual_Const_list_Fail(t *testing.T) { ctx := context.NewContext() - + var err error obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) obj2Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) var obj1, obj2 interface{} - json.Unmarshal(obj1Raw, &obj1) - json.Unmarshal(obj2Raw, &obj2) + err = json.Unmarshal(obj1Raw, &obj1) + if err != nil { + t.Error(err) + } + err = json.Unmarshal(obj2Raw, &obj2) + if err != nil { + t.Error(err) + } // no variables condition := kyverno.Condition{ Key: obj1, 
@@ -477,7 +535,10 @@ func Test_Eval_Equal_Var_Pass(t *testing.T) { // context ctx := context.NewContext() - ctx.AddResource(resourceRaw) + err := ctx.AddResource(resourceRaw) + if err != nil { + t.Error(err) + } condition := kyverno.Condition{ Key: "{{request.object.metadata.name}}", Operator: kyverno.Equal, @@ -505,7 +566,10 @@ func Test_Eval_Equal_Var_Fail(t *testing.T) { // context ctx := context.NewContext() - ctx.AddResource(resourceRaw) + err := ctx.AddResource(resourceRaw) + if err != nil { + t.Error(err) + } condition := kyverno.Condition{ Key: "{{request.object.metadata.name}}", Operator: kyverno.Equal, diff --git a/pkg/engine/variables/validatevariables.go b/pkg/engine/variables/validatevariables.go index 23e3edf2bb..f1c9ee7d3f 100644 --- a/pkg/engine/variables/validatevariables.go +++ b/pkg/engine/variables/validatevariables.go @@ -1,6 +1,7 @@ package variables import ( + "fmt" "regexp" "strings" @@ -42,6 +43,7 @@ func extractVariables(pattern interface{}) [][]string { case string: return extractValue(typedPattern) default: + fmt.Printf("variable type %T", typedPattern) return nil } } diff --git a/pkg/engine/variables/validatevariables_test.go b/pkg/engine/variables/validatevariables_test.go index a6e5154f1a..f82eab572b 100644 --- a/pkg/engine/variables/validatevariables_test.go +++ b/pkg/engine/variables/validatevariables_test.go @@ -95,10 +95,16 @@ func Test_ValidateVariables_NoVariable(t *testing.T) { assert.NilError(t, json.Unmarshal(patternRaw, &pattern)) assert.NilError(t, json.Unmarshal(resourceRaw, &resource)) + var err error ctx := context.NewContext() - ctx.AddResource(resourceRaw) - ctx.AddUserInfo(userReqInfo) - + err = ctx.AddResource(resourceRaw) + if err != nil { + t.Error(err) + } + err = ctx.AddUserInfo(userReqInfo) + if err != nil { + t.Error(err) + } invalidPaths := ValidateVariables(ctx, pattern) assert.Assert(t, len(invalidPaths) == 0) } 
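Review bot: The `default` branch of `extractVariables` (pkg/engine/variables/validatevariables.go) now calls `fmt.Printf("variable type %T", typedPattern)`, which writes to stdout with no trailing newline and bypasses the glog levels used elsewhere in this commit. Every non-string pattern value reaches this branch, so the output runs together and cannot be filtered by verbosity. Prefer `glog.V(4).Infof("variable type %T", typedPattern)`, or drop the line if it was debugging; the import hunk adds `fmt` only for this call, and whether glog is already imported in this file is not visible here.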
@@ -152,8 +158,15 @@ func Test_ValidateVariables(t *testing.T) { assert.NilError(t, json.Unmarshal(resourceRaw, &resource)) ctx := context.NewContext() - ctx.AddResource(resourceRaw) - ctx.AddUserInfo(userReqInfo) + var err error + err = ctx.AddResource(resourceRaw) + if err != nil { + t.Error(err) + } + err = ctx.AddUserInfo(userReqInfo) + if err != nil { + t.Error(err) + } invalidPaths := ValidateVariables(ctx, pattern) assert.Assert(t, len(invalidPaths) > 0) diff --git a/pkg/event/util.go b/pkg/event/util.go index 677e79d986..3de498c029 100644 --- a/pkg/event/util.go +++ b/pkg/event/util.go @@ -2,8 +2,6 @@ package event const eventWorkQueueName = "kyverno-events" -const eventWorkerThreadCount = 1 - const workQueueRetryLimit = 5 //Info defines the event details diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index 3d85f8bbe2..968e8b386c 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -66,10 +66,21 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern glog.V(4).Infof("failed to marshal resource: %v", err) return nil, err } - - ctx.AddResource(resourceRaw) - ctx.AddUserInfo(gr.Spec.Context.UserRequestInfo) - ctx.AddSA(gr.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username) + err = ctx.AddResource(resourceRaw) + if err != nil { + glog.Infof("Failed to load resource in context: %v", err) + return nil, err + } + err = ctx.AddUserInfo(gr.Spec.Context.UserRequestInfo) + if err != nil { + glog.Infof("Failed to load userInfo in context: %v", err) + return nil, err + } + err = ctx.AddSA(gr.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username) + if err != nil { + glog.Infof("Failed to load serviceAccount in context: %v", err) + return nil, err + } policyContext := engine.PolicyContext{ NewResource: resource, diff --git a/pkg/namespace/controller.go b/pkg/namespace/controller.go index 30292b0bbb..5d1e4b9b7e 100644 --- a/pkg/namespace/controller.go +++ b/pkg/namespace/controller.go 
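Review bot: The three error paths added to `applyGenerate` (pkg/generate/generate.go) log with `glog.Infof("Failed to load ...")` and then return the same error, while the marshal failure just above uses `glog.V(4).Infof("failed to marshal resource: %v", err)`. The caller is likely to report the returned error again, and the mixed level and capitalisation make the messages harder to match in logs. Keeping one convention, for example `glog.V(4).Infof("failed to load resource in context: %v", err)`, would be consistent with the existing line. The body of `applyGenerate` starts and ends outside the hunk.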
@@ -173,7 +173,7 @@ func (nsc *NamespaceController) Run(workers int, stopCh <-chan struct{}) { return } - for i := 0; i < workerCount; i++ { + for i := 0; i < workers; i++ { go wait.Until(nsc.worker, time.Second, stopCh) } <-stopCh diff --git a/pkg/namespace/utils.go b/pkg/namespace/utils.go deleted file mode 100644 index 6f648e8344..0000000000 --- a/pkg/namespace/utils.go +++ /dev/null @@ -1,7 +0,0 @@ -package namespace - -const ( - wqNamespace string = "namespace" - workerCount int = 1 - wqRetryLimit int = 5 -) diff --git a/pkg/policy/cleanup.go b/pkg/policy/cleanup.go index a75db05e74..6a41c579ba 100644 --- a/pkg/policy/cleanup.go +++ b/pkg/policy/cleanup.go @@ -8,7 +8,6 @@ import ( kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" ) @@ -88,18 +87,3 @@ func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, return kyverno.PolicyViolation{}, nil } - -func converLabelToSelector(labelMap map[string]string) (labels.Selector, error) { - ls := &metav1.LabelSelector{} - err := metav1.Convert_Map_string_To_string_To_v1_LabelSelector(&labelMap, ls, nil) - if err != nil { - return nil, err - } - - policyViolationSelector, err := metav1.LabelSelectorAsSelector(ls) - if err != nil { - return nil, fmt.Errorf("invalid label selector: %v", err) - } - - return policyViolationSelector, nil -} diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go index 1dbca0611a..0c339ab04a 100644 --- a/pkg/policy/controller.go +++ b/pkg/policy/controller.go @@ -38,8 +38,6 @@ const ( maxRetries = 15 ) -var controllerKind = kyverno.SchemeGroupVersion.WithKind("ClusterPolicy") - // PolicyController is responsible for synchronizing Policy objects stored // in the system with the corresponding policy violations type PolicyController struct { 
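Review bot: `NamespaceController.Run` (pkg/namespace/controller.go) now loops to the caller-supplied `workers` instead of the removed constant `workerCount` (1), but nothing rejects a zero or negative value. In that case no worker goroutine is started and `Run` still blocks on `<-stopCh`, so the controller looks healthy while its queue is never processed. A guard before the loop, e.g. `if workers <= 0 { glog.Errorf("invalid worker count %d", workers); return }`, makes the misconfiguration visible. What the call sites pass is not shown in this diff, and the function body extends beyond the hunk.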
@@ -188,7 +186,10 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) { curP := cur.(*kyverno.ClusterPolicy) // TODO: optimize this : policy meta-store // Update policy-> (remove,add) - pc.pMetaStore.UnRegister(*oldP) + err := pc.pMetaStore.UnRegister(*oldP) + if err != nil { + glog.Infof("Failed to unregister policy %s", oldP.Name) + } pc.pMetaStore.Register(*curP) // Only process policies that are enabled for "background" execution @@ -230,7 +231,9 @@ func (pc *PolicyController) deletePolicy(obj interface{}) { } glog.V(4).Infof("Deleting Policy %s", p.Name) // Unregister from policy meta-store - pc.pMetaStore.UnRegister(*p) + if err := pc.pMetaStore.UnRegister(*p); err != nil { + glog.Infof("failed to unregister policy %s", p.Name) + } // we process policies that are not set of background processing as we need to perform policy violation // cleanup when a policy is deleted. pc.enqueuePolicy(p) diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index dfc89fabad..f1497302f9 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go 
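Review bot: In `updatePolicy` (pkg/policy/controller.go) the new check on `pc.pMetaStore.UnRegister(*oldP)` logs only the policy name at Info level and drops `err`, so the reason the old policy stayed in the meta-store is lost. Use `glog.Errorf("failed to unregister policy %s: %v", oldP.Name, err)`; the `deletePolicy` hunk below has the same omission for `p.Name`. After a failed unregister `updatePolicy` still calls `Register(*curP)`, so a stale entry may sit next to the new one; whether lookups can return it depends on the store implementation, which is not visible here. Both function bodies extend outside their hunks.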
@@ -239,47 +239,6 @@ func mergeresources(a, b map[string]unstructured.Unstructured) { a[k] = v } } -func mergeLabelSectors(include, exclude *metav1.LabelSelector) *metav1.LabelSelector { - if exclude == nil { - return include - } - // negate the exclude information - // copy the label selector - //TODO: support exclude expressions in exclude - ls := include.DeepCopy() - for k, v := range exclude.MatchLabels { - lsreq := metav1.LabelSelectorRequirement{ - Key: k, - Operator: metav1.LabelSelectorOpNotIn, - Values: []string{v}, - } - ls.MatchExpressions = append(ls.MatchExpressions, lsreq) - } - return ls -} - -func kindIsExcluded(kind string, list []string) bool { - for _, b := range list { - if b == kind { - return true - } - } - return false -} - -func excludeNamespaces(namespaces, excludeNs []string) []string { - if len(excludeNs) == 0 { - return namespaces - } - filteredNamespaces := []string{} - for _, n := range namespaces { - if utils.ContainsNamepace(excludeNs, n) { - continue - } - filteredNamespaces = append(filteredNamespaces, n) - } - return filteredNamespaces -} func getAllNamespaces(client *client.Client) []string { var namespaces []string diff --git a/pkg/policy/utils.go b/pkg/policy/utils.go deleted file mode 100644 index 45c3150983..0000000000 --- a/pkg/policy/utils.go +++ /dev/null @@ -1,17 +0,0 @@ -package policy - -import kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - -// reEvaulatePolicy checks if the policy needs to be re-evaulated -// during re-evaulation we remove all the old policy violations and re-create new ones -// - Rule count changes -// - Rule resource description changes -// - Rule operation changes -// - Rule name changed -func reEvaulatePolicy(curP, oldP *kyverno.ClusterPolicy) bool { - // count of rules changed - if len(curP.Spec.Rules) != len(curP.Spec.Rules) { - - } - return true -} diff --git a/pkg/policy/webhookregistration.go b/pkg/policy/webhookregistration.go index f0c62233d8..f4b2188b2a 100644 
--- a/pkg/policy/webhookregistration.go +++ b/pkg/policy/webhookregistration.go @@ -20,9 +20,8 @@ func (pc *PolicyController) removeResourceWebhookConfiguration() error { } glog.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists") - return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration() - return nil + return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration() } func (pc *PolicyController) registerResourceWebhookConfiguration() { diff --git a/pkg/policystore/policystore_test.go b/pkg/policystore/policystore_test.go index e3ee7f8448..0e893f7ca4 100644 --- a/pkg/policystore/policystore_test.go +++ b/pkg/policystore/policystore_test.go @@ -230,7 +230,10 @@ func Test_Operations(t *testing.T) { } // Remove - store.UnRegister(policy1) + err = store.UnRegister(policy1) + if err != nil { + t.Error(err) + } retPolicies, err = store.LookUp("Pod", "") if err != nil { t.Error(err) diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go index eb390c10c9..9574341b0e 100644 --- a/pkg/testrunner/scenario.go +++ b/pkg/testrunner/scenario.go @@ -7,7 +7,6 @@ import ( "io/ioutil" "os" ospath "path" - "path/filepath" "reflect" "testing" @@ -109,24 +108,6 @@ func loadFile(t *testing.T, path string) ([]byte, error) { return ioutil.ReadFile(path) } -//getFiles loads all scneario files in specified folder path -func getFiles(t *testing.T, folder string) ([]string, error) { - t.Logf("loading scneario files for folder %s", folder) - files, err := ioutil.ReadDir(folder) - if err != nil { - glog.Error(err) - return nil, err - } - - var yamls []string - for _, file := range files { - if filepath.Ext(file.Name()) == ".yml" || filepath.Ext(file.Name()) == ".yaml" { - yamls = append(yamls, ospath.Join(folder, file.Name())) - } - } - return yamls, nil -} - func runScenario(t *testing.T, s *scenarioT) bool { for _, tc := range s.testCases { runTestCase(t, tc) 
diff --git a/pkg/testrunner/utils.go b/pkg/testrunner/utils.go index 509e971aad..135a54f5aa 100644 --- a/pkg/testrunner/utils.go +++ b/pkg/testrunner/utils.go @@ -9,8 +9,7 @@ import ( ) const ( - defaultYamlSeparator = "---" - projectPath = "src/github.com/nirmata/kyverno" + projectPath = "src/github.com/nirmata/kyverno" ) // LoadFile loads file in byte buffer diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index 9e0afec396..61cd584d7c 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -236,7 +236,9 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() { // TODO: re-work with RemoveResourceMutatingWebhookConfiguration, as the only difference is wg handling func (wrc *WebhookRegistrationClient) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - wrc.RemoveResourceMutatingWebhookConfiguration() + if err := wrc.RemoveResourceMutatingWebhookConfiguration(); err != nil { + glog.Error(err) + } } // delete policy mutating webhookconfigurations diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go index 0c4e780101..1313f2bcdf 100644 --- a/pkg/webhooks/common.go +++ b/pkg/webhooks/common.go @@ -92,19 +92,6 @@ func (i *ArrayFlags) Set(value string) error { return nil } -// extract the kinds that the policy rules apply to -func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string { - kinds := []string{} - // iterate over the rules an identify all kinds - // Matching - for _, rule := range p.Spec.Rules { - for _, k := range rule.MatchResources.Kinds { - kinds = append(kinds, k) - } - } - return kinds -} - // Policy Reporting Modes const ( Enforce = "enforce" // blocks the request on failure diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go index 0ccff804e0..c5d138f192 100644 --- a/pkg/webhooks/policyvalidation.go +++ b/pkg/webhooks/policyvalidation.go 
@@ -43,12 +43,3 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques } return admissionResp } - -func failResponseWithMsg(msg string) *v1beta1.AdmissionResponse { - return &v1beta1.AdmissionResponse{ - Allowed: false, - Result: &metav1.Status{ - Message: msg, - }, - } -}