mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: delete VAPs in case Kyverno policies can't be translated ()

Browse source 
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2023-11-27 08:36:01 +02:00 committed by GitHub
parent 1a331f1297
commit 1404ea0966
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 154 additions and 13 deletions
pkg/controllers/validatingadmissionpolicy-generate
controller.go
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy
01-policy.yaml02-validatingadmissionpolicy.yaml03-update-policy.yaml04-check-validatingadmissionpolicy.yamlpolicy-assert.yamlpolicy.yamlupdated-policy.yamlvalidatingadmissionpolicy.yamlvalidatingadmissionpolicybinding.yaml

46
pkg/controllers/validatingadmissionpolicy-generate/controller.go
View file

@ -297,6 +297,10 @@ func (c *controller) buildValidatingAdmissionPolicyBinding(vapbinding *admission
return nil return nil
} }
func constructVapBindingName(vapName string) string {
return vapName + "-binding"
}
func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error { func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, namespace, name string) error {
policy, err := c.getClusterPolicy(name) policy, err := c.getClusterPolicy(name)
if err != nil { if err != nil {
@ -326,34 +330,50 @@ func (c *controller) reconcile(ctx context.Context, logger logr.Logger, key, nam
return nil return nil
} }
vapName := policy.GetName()
vapBindingName := constructVapBindingName(vapName)
observedVAP, vapErr := c.getValidatingAdmissionPolicy(vapName)
observedVAPbinding, vapBindingErr := c.getValidatingAdmissionPolicyBinding(vapBindingName)
if ok, msg := canGenerateVAP(spec); !ok { if ok, msg := canGenerateVAP(spec); !ok {
// delete the ValidatingAdmissionPolicy if exist
if vapErr == nil {
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicies().Delete(ctx, vapName, metav1.DeleteOptions{})
if err != nil {
return err
}
}
// delete the ValidatingAdmissionPolicyBinding if exist
if vapBindingErr == nil {
err = c.client.AdmissionregistrationV1alpha1().ValidatingAdmissionPolicyBindings().Delete(ctx, vapBindingName, metav1.DeleteOptions{})
if err != nil {
return err
}
}
c.updateClusterPolicyStatus(ctx, *policy, false, msg) c.updateClusterPolicyStatus(ctx, *policy, false, msg)
return nil return nil
} }
polName := policy.GetName() if vapErr != nil {
observedVAP, err := c.getValidatingAdmissionPolicy(polName) if !apierrors.IsNotFound(vapErr) {
if err != nil { c.updateClusterPolicyStatus(ctx, *policy, false, vapErr.Error())
if !apierrors.IsNotFound(err) { return vapErr
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error())
return err
} }
observedVAP = &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{ observedVAP = &admissionregistrationv1alpha1.ValidatingAdmissionPolicy{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: polName, Name: vapName,
}, },
} }
} }
observedVAPbinding, err := c.getValidatingAdmissionPolicyBinding(polName + "-binding") if vapBindingErr != nil {
if err != nil { if !apierrors.IsNotFound(vapBindingErr) {
if !apierrors.IsNotFound(err) { c.updateClusterPolicyStatus(ctx, *policy, false, vapBindingErr.Error())
c.updateClusterPolicyStatus(ctx, *policy, false, err.Error()) return vapBindingErr
return err
} }
observedVAPbinding = &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{ observedVAPbinding = &admissionregistrationv1alpha1.ValidatingAdmissionPolicyBinding{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: polName + "-binding", Name: vapBindingName,
}, },
} }
} }

6
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/02-validatingadmissionpolicy.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
assert:
- validatingadmissionpolicy.yaml
- validatingadmissionpolicybinding.yaml

6
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/03-update-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- updated-policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/04-check-validatingadmissionpolicy.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
error:
- validatingadmissionpolicy.yaml
- validatingadmissionpolicybinding.yaml

9
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/policy-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path-cel
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

23
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/policy.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path-cel
spec:
validationFailureAction: Enforce
background: false
rules:
- name: host-path-cel
match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
operations:
- CREATE
- UPDATE
validate:
cel:
expressions:
- expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."

25
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/updated-policy.yaml Normal file
View file

@ -0,0 +1,25 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-path-cel
spec:
validationFailureAction: Enforce
background: true
rules:
- name: host-path-cel
match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
operations:
- CREATE
- UPDATE
namespaces:
- prod
validate:
cel:
expressions:
- expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."

29
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/validatingadmissionpolicy.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-host-path-cel
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-host-path-cel
spec:
failurePolicy: Fail
matchConstraints:
resourceRules:
- apiGroups:
- apps
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- deployments
- statefulsets
validations:
- expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume,
!has(volume.hostPath))'
message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath
must be unset.

13
test/conformance/kuttl/generate-validating-admission-policy/clusterpolicy/cornercases/check-deletion-of-vaps-after-modifying-kyverno-policy/validatingadmissionpolicybinding.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: disallow-host-path-cel-binding
ownerReferences:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-host-path-cel
spec:
policyName: disallow-host-path-cel
validationActions: [Deny]