chore: fix golangcilint timeout (#4388)
* chore: fix golangcilint timeout Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix commit sha Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * add .gitattributes Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
parent
0cc4d9b1f0
commit
144985ee5a
46 changed files with 123 additions and 136 deletions
1
.gitattributes
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
*.go text eol=lf
|
23
.github/workflows/tests.yaml
vendored
|
@ -19,27 +19,21 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # pin@v2.4.0
|
||||
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # pin@v3
|
||||
|
||||
# see https://michaelheap.com/ensure-github-actions-pinned-sha/
|
||||
- name: Ensure SHA pinned actions
|
||||
uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6ca5574367befbc9efdb2fa25978084159c5902d # pin@v1.3.0
|
||||
|
||||
- name: Unshallow
|
||||
run: git fetch --prune --unshallow
|
||||
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 # pin@v2.1.5
|
||||
- name: Setup go
|
||||
uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # pin@v3
|
||||
with:
|
||||
go-version: 1.17
|
||||
|
||||
- name: Cache Go modules
|
||||
uses: actions/cache@d9747005de0f7240e5d35a68dca96b3f41b8b340 # pin@v1.2.0
|
||||
- name: golangci-lint
|
||||
uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc # pin@v3
|
||||
with:
|
||||
path: ~/go/pkg/mod
|
||||
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
|
||||
restore-keys: |
|
||||
${{ runner.os }}-go-
|
||||
version: v1.48
|
||||
|
||||
- name: gofmt check
|
||||
run: |
|
||||
|
@ -61,11 +55,6 @@ jobs:
|
|||
exit 1
|
||||
fi
|
||||
|
||||
- name: golangci-lint
|
||||
uses: reviewdog/action-golangci-lint@02bcf8c1a9febe8620f1ca523b18dd64f82296db # pin@v1.25.0
|
||||
with:
|
||||
fail_on_error: true
|
||||
|
||||
- name: Checking unused pkgs using go mod tidy
|
||||
run: |
|
||||
make unused-package-check
|
||||
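Review bot: The new golangci-lint step still floats on `version: v1.48`, which the action presumably resolves to the newest v1.48.x at run time, so lint results can change between two runs of the same commit; pinning the patch release, `version: v1.48.0`, keeps the job reproducible. The `# pin@v3` / `# pin@v2.4.0` comments beside the commit SHAs are the only human-readable record of what each SHA is supposed to be, and a bare major tag such as `v3` cannot be checked against a release without a lookup — recording the exact tag the SHA was taken from (e.g. `# v3.2.0`) makes the zgosalvez pin check auditable by eye. The `actions/cache` step is dropped; golangci-lint-action v3 appears to manage its own cache, but if the module cache was also meant to speed up the later `go mod tidy` check, that benefit is lost.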
|
|
|
@ -21,7 +21,6 @@ linters:
|
|||
- gosimple
|
||||
- govet
|
||||
- grouper
|
||||
- ifshort
|
||||
- importas
|
||||
- ineffassign
|
||||
- makezero
|
||||
|
@ -43,7 +42,7 @@ linters:
|
|||
- whitespace
|
||||
|
||||
run:
|
||||
timeout: 5m
|
||||
timeout: 10m
|
||||
skip-files:
|
||||
- ".+_test.go"
|
||||
- ".+_test_.+.go"
|
||||
|
|
|
@ -18,7 +18,7 @@ const (
|
|||
Fail FailurePolicyType = "Fail"
|
||||
)
|
||||
|
||||
// ApplyRulesType controls whether processing stops after one rule is applied or all rules are applied.
|
||||
// ApplyRulesType controls whether processing stops after one rule is applied or all rules are applied.
|
||||
// +kubebuilder:validation:Enum=All;One
|
||||
type ApplyRulesType string
|
||||
|
||||
|
|
|
@ -15,8 +15,8 @@ limitations under the License.
|
|||
*/
|
||||
|
||||
// Package v1beta1 contains API Schema definitions for the kyverno.io v1beta1 API group
|
||||
//+kubebuilder:object:generate=true
|
||||
//+groupName=kyverno.io
|
||||
// +kubebuilder:object:generate=true
|
||||
// +groupName=kyverno.io
|
||||
package v1beta1
|
||||
|
||||
import (
|
||||
|
|
|
@ -82,11 +82,11 @@ func (prs PolicyReportSummary) ToMap() map[string]interface{} {
|
|||
type PolicyResult string
|
||||
|
||||
// PolicySeverity has one of the following values:
|
||||
// - critical
|
||||
// - high
|
||||
// - low
|
||||
// - medium
|
||||
// - info
|
||||
// - critical
|
||||
// - high
|
||||
// - low
|
||||
// - medium
|
||||
// - info
|
||||
// +kubebuilder:validation:Enum=critical;high;low;medium;info
|
||||
type PolicySeverity string
|
||||
|
||||
|
|
|
@ -557,8 +557,8 @@ func buildPolicyResults(engineResponses []*response.EngineResponse, testResults
|
|||
|
||||
if test.Resources != nil {
|
||||
if test.Policy == policyName {
|
||||
// results[].namespace value implict set same as metadata.namespace until and unless
|
||||
// user provides explict values for results[].namespace in test yaml file.
|
||||
// results[].namespace value implicit set same as metadata.namespace until and unless
|
||||
// user provides explicit values for results[].namespace in test yaml file.
|
||||
if test.Namespace == "" {
|
||||
test.Namespace = resourceNamespace
|
||||
testResults[i].Namespace = resourceNamespace
|
||||
|
@ -903,7 +903,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool,
|
|||
}
|
||||
}
|
||||
|
||||
var ruleToCloneSourceResource = map[string]string{}
|
||||
ruleToCloneSourceResource := map[string]string{}
|
||||
for _, p := range filteredPolicies {
|
||||
filteredRules := []kyvernov1.Rule{}
|
||||
|
||||
|
@ -1036,7 +1036,7 @@ func printTestResult(resps map[string]policyreportv1alpha2.PolicyReportResult, t
|
|||
boldYellow := color.New(color.FgYellow).Add(color.Bold)
|
||||
boldFgCyan := color.New(color.FgCyan).Add(color.Bold)
|
||||
|
||||
countDeprecatedResource := 0
|
||||
var countDeprecatedResource int
|
||||
for i, v := range testResults {
|
||||
res := new(Table)
|
||||
res.ID = i + 1
|
||||
|
@ -1046,7 +1046,6 @@ func printTestResult(resps map[string]policyreportv1alpha2.PolicyReportResult, t
|
|||
} else {
|
||||
res.Policy = v.Policy
|
||||
res.Rule = v.Rule
|
||||
|
||||
}
|
||||
|
||||
if v.Resources != nil {
|
||||
|
@ -1055,7 +1054,6 @@ func printTestResult(resps map[string]policyreportv1alpha2.PolicyReportResult, t
|
|||
res.Resource = boldFgCyan.Sprintf(v.Namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(resource)
|
||||
} else {
|
||||
res.Resource = v.Namespace + "/" + v.Kind + "/" + resource
|
||||
|
||||
}
|
||||
var ruleNameInResultKey string
|
||||
if v.AutoGeneratedRule != "" {
|
||||
|
@ -1078,7 +1076,6 @@ func printTestResult(resps map[string]policyreportv1alpha2.PolicyReportResult, t
|
|||
} else {
|
||||
res.Policy = ns + "/" + v.Policy
|
||||
res.Resource = v.Namespace + "/" + v.Kind + "/" + resource
|
||||
|
||||
}
|
||||
} else if v.Namespace != "" {
|
||||
if !removeColor {
|
||||
|
@ -1173,7 +1170,6 @@ func printTestResult(resps map[string]policyreportv1alpha2.PolicyReportResult, t
|
|||
res.Resource = boldFgCyan.Sprintf(v.Namespace) + "/" + boldFgCyan.Sprintf(v.Kind) + "/" + boldFgCyan.Sprintf(v.Resource)
|
||||
} else {
|
||||
res.Resource = v.Namespace + "/" + v.Kind + "/" + v.Resource
|
||||
|
||||
}
|
||||
resultKey = fmt.Sprintf("%s-%s-%s-%s-%s", v.Policy, ruleNameInResultKey, v.Namespace, v.Kind, v.Resource)
|
||||
}
|
||||
|
|
|
@ -297,7 +297,6 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
|
|||
values.GlobalValues = make(map[string]string)
|
||||
values.GlobalValues["request.operation"] = "CREATE"
|
||||
log.Log.V(3).Info("Defaulting request.operation to CREATE")
|
||||
|
||||
} else {
|
||||
if val, ok := values.GlobalValues["request.operation"]; ok {
|
||||
if val == "" {
|
||||
|
@ -1003,7 +1002,7 @@ func GetKindsFromPolicy(policy kyvernov1.PolicyInterface) map[string]struct{} {
|
|||
return kindOnwhichPolicyIsApplied
|
||||
}
|
||||
|
||||
//GetResourceFromPath - get patchedResource and generatedResource from given path
|
||||
// GetResourceFromPath - get patchedResource and generatedResource from given path
|
||||
func GetResourceFromPath(fs billy.Filesystem, path string, isGit bool, policyResourcePath string, resourceType string) (unstructured.Unstructured, error) {
|
||||
var resourceBytes []byte
|
||||
var resource unstructured.Unstructured
|
||||
|
@ -1049,7 +1048,7 @@ func initializeMockController(objects []runtime.Object) (*generate.GenerateContr
|
|||
// handleGeneratePolicy returns a new RuleResponse with the Kyverno generated resource configuration by applying the generate rule.
|
||||
func handleGeneratePolicy(generateResponse *response.EngineResponse, policyContext engine.PolicyContext, ruleToCloneSourceResource map[string]string) ([]response.RuleResponse, error) {
|
||||
objects := []runtime.Object{&policyContext.NewResource}
|
||||
var resources = []*unstructured.Unstructured{}
|
||||
resources := []*unstructured.Unstructured{}
|
||||
for _, rule := range generateResponse.PolicyResponse.Rules {
|
||||
if path, ok := ruleToCloneSourceResource[rule.Name]; ok {
|
||||
resourceBytes, err := getFileBytes(path)
|
||||
|
|
|
@ -15,6 +15,8 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/dclient"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"
|
||||
"golang.org/x/text/cases"
|
||||
"golang.org/x/text/language"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/client-go/kubernetes/scheme"
|
||||
|
@ -293,9 +295,9 @@ func GetKindsFromRule(rule kyvernov1.Rule) map[string]bool {
|
|||
for _, kind := range rule.MatchResources.Kinds {
|
||||
if strings.Contains(kind, "/") {
|
||||
lastElement := kind[strings.LastIndex(kind, "/")+1:]
|
||||
resourceTypesMap[strings.Title(lastElement)] = true
|
||||
resourceTypesMap[cases.Title(language.Und, cases.NoLower).String(lastElement)] = true
|
||||
}
|
||||
resourceTypesMap[strings.Title(kind)] = true
|
||||
resourceTypesMap[cases.Title(language.Und, cases.NoLower).String(kind)] = true
|
||||
}
|
||||
|
||||
if rule.MatchResources.Any != nil {
|
||||
|
@ -303,7 +305,7 @@ func GetKindsFromRule(rule kyvernov1.Rule) map[string]bool {
|
|||
for _, kind := range resFilter.ResourceDescription.Kinds {
|
||||
if strings.Contains(kind, "/") {
|
||||
lastElement := kind[strings.LastIndex(kind, "/")+1:]
|
||||
resourceTypesMap[strings.Title(lastElement)] = true
|
||||
resourceTypesMap[cases.Title(language.Und, cases.NoLower).String(lastElement)] = true
|
||||
}
|
||||
resourceTypesMap[kind] = true
|
||||
}
|
||||
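Review bot: In this `Any` loop the whole-kind entry at `resourceTypesMap[kind] = true` is stored verbatim, while the preceding loop and the following `All` loop title-case it with `cases.Title(...).String(kind)`; the mechanical strings.Title → cases.Title swap carries that inconsistency forward, so a kind written in lower case in an `any` block matches differently from the same kind in `kinds:` or `all:`. If that is unintentional, `resourceTypesMap[cases.Title(language.Und, cases.NoLower).String(kind)] = true` aligns the three loops. Building a new Caser on every iteration is also avoidable: `titleCaser := cases.Title(language.Und, cases.NoLower)` once at the top of GetKindsFromRule and `titleCaser.String(...)` below. Note that cases.Title segments on Unicode word boundaries whereas strings.Title split on any non-letter/digit/underscore, so kinds containing punctuation may title-case differently than before — worth a quick check against existing test fixtures. GetKindsFromRule starts before this hunk and continues after it.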
|
@ -315,9 +317,9 @@ func GetKindsFromRule(rule kyvernov1.Rule) map[string]bool {
|
|||
for _, kind := range resFilter.ResourceDescription.Kinds {
|
||||
if strings.Contains(kind, "/") {
|
||||
lastElement := kind[strings.LastIndex(kind, "/")+1:]
|
||||
resourceTypesMap[strings.Title(lastElement)] = true
|
||||
resourceTypesMap[cases.Title(language.Und, cases.NoLower).String(lastElement)] = true
|
||||
}
|
||||
resourceTypesMap[strings.Title(kind)] = true
|
||||
resourceTypesMap[cases.Title(language.Und, cases.NoLower).String(kind)] = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -11,8 +11,6 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
_ "go.uber.org/automaxprocs" // #nosec
|
||||
|
||||
"github.com/kyverno/kyverno/pkg/background"
|
||||
generatecleanup "github.com/kyverno/kyverno/pkg/background/generate/cleanup"
|
||||
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
||||
|
@ -43,6 +41,7 @@ import (
|
|||
webhookspolicy "github.com/kyverno/kyverno/pkg/webhooks/policy"
|
||||
webhooksresource "github.com/kyverno/kyverno/pkg/webhooks/resource"
|
||||
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
||||
_ "go.uber.org/automaxprocs" // #nosec
|
||||
kubeinformers "k8s.io/client-go/informers"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/rest"
|
||||
|
@ -307,7 +306,6 @@ func main() {
|
|||
if err := http.ListenAndServe(metricsAddr, metricsServerMux); err != nil {
|
||||
setupLog.Error(err, "failed to enable metrics", "address", metricsAddr)
|
||||
}
|
||||
|
||||
}()
|
||||
}
|
||||
|
||||
|
|
|
@ -62,10 +62,11 @@ func stripCronJob(controllers string) string {
|
|||
// CanAutoGen checks whether the rule(s) (in policy) can be applied to Pod controllers
|
||||
// returns controllers as:
|
||||
// - "" if:
|
||||
// - name or selector is defined
|
||||
// - mixed kinds (Pod + pod controller) is defined
|
||||
// - Pod and PodControllers are not defined
|
||||
// - mutate.Patches/mutate.PatchesJSON6902/validate.deny/generate rule is defined
|
||||
// - name or selector is defined
|
||||
// - mixed kinds (Pod + pod controller) is defined
|
||||
// - Pod and PodControllers are not defined
|
||||
// - mutate.Patches/mutate.PatchesJSON6902/validate.deny/generate rule is defined
|
||||
//
|
||||
// - otherwise it returns all pod controllers
|
||||
func CanAutoGen(spec *kyvernov1.Spec) (applyAutoGen bool, controllers string) {
|
||||
needed := false
|
||||
|
|
|
@ -660,6 +660,7 @@ func (c *GenerateController) GetUnstrResource(genResourceSpec kyvernov1.Resource
|
|||
}
|
||||
return resource, nil
|
||||
}
|
||||
|
||||
func deleteGeneratedResources(log logr.Logger, client dclient.Interface, ur kyvernov1beta1.UpdateRequest) error {
|
||||
for _, genResource := range ur.Status.GeneratedResources {
|
||||
err := client.DeleteResource("", genResource.Kind, genResource.Namespace, genResource.Name, false)
|
||||
|
|
|
@ -2,5 +2,7 @@ package config
|
|||
|
||||
import "sigs.k8s.io/controller-runtime/pkg/log"
|
||||
|
||||
var controllerName = "config-controller"
|
||||
var logger = log.Log.WithName(controllerName)
|
||||
var (
|
||||
controllerName = "config-controller"
|
||||
logger = log.Log.WithName(controllerName)
|
||||
)
|
||||
|
|
|
@ -53,8 +53,7 @@ type Response struct {
|
|||
Statements []map[string]interface{}
|
||||
}
|
||||
|
||||
type CosignError struct {
|
||||
}
|
||||
type CosignError struct{}
|
||||
|
||||
func Verify(opts Options) (*Response, error) {
|
||||
if opts.FetchAttestations {
|
||||
|
@ -159,7 +158,7 @@ func buildCosignOptions(opts Options) (*cosign.CheckOpts, error) {
|
|||
// load cert and optionally a cert chain as a verifier
|
||||
cert, err := loadCert([]byte(opts.Cert))
|
||||
if err != nil {
|
||||
return nil, errors.Wrapf(err, "failed to load certificate from %s", string(opts.Cert))
|
||||
return nil, errors.Wrapf(err, "failed to load certificate from %s", opts.Cert)
|
||||
}
|
||||
|
||||
if opts.CertChain == "" {
|
||||
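Review bot: The wrapped error on the new line still interpolates the entire `opts.Cert` PEM into the message, so a multi-line certificate blob ends up in whatever surfaces this error — presumably rule responses and logs — without adding anything that helps diagnose the parse failure. `return nil, errors.Wrapf(err, "failed to load certificate")` keeps the cause while leaving the certificate out of the message; if some identifier is needed, the attestor or key name is a better choice than the raw PEM. buildCosignOptions begins and ends outside this hunk.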
|
|
|
@ -62,7 +62,6 @@ func (c serverPreferredResources) Poll(resync time.Duration, stopCh <-chan struc
|
|||
// OpenAPISchema returns the API server OpenAPI schema document
|
||||
func (c serverPreferredResources) OpenAPISchema() (*openapiv2.Document, error) {
|
||||
return c.cachedClient.OpenAPISchema()
|
||||
|
||||
}
|
||||
|
||||
// GetGVRFromKind get the Group Version Resource from kind
|
||||
|
|
|
@ -92,6 +92,7 @@ func (c *fakeDiscoveryClient) OpenAPISchema() (*openapiv2.Document, error) {
|
|||
func (c *fakeDiscoveryClient) DiscoveryCache() discovery.CachedDiscoveryInterface {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *fakeDiscoveryClient) DiscoveryInterface() discovery.DiscoveryInterface {
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -13,7 +13,8 @@ import (
|
|||
|
||||
// ApplyBackgroundChecks checks for validity of generate and mutateExisting rules on the resource
|
||||
// 1. validate variables to be substitute in the general ruleInfo (match,exclude,condition)
|
||||
// - the caller has to check the ruleResponse to determine whether the path exist
|
||||
// - the caller has to check the ruleResponse to determine whether the path exist
|
||||
//
|
||||
// 2. returns the list of rules that are applicable on this policy and resource, if 1 succeed
|
||||
func ApplyBackgroundChecks(policyContext *PolicyContext) (resp *response.EngineResponse) {
|
||||
policyStartTime := time.Now()
|
||||
|
|
|
@ -264,7 +264,7 @@ func validateString(log logr.Logger, value interface{}, pattern string, operator
|
|||
}
|
||||
|
||||
// validateNumberWithStr compares quantity if pattern type is quantity
|
||||
// or a wildcard match to pattern string
|
||||
// or a wildcard match to pattern string
|
||||
func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, operator operator.Operator) bool {
|
||||
typedValue, err := convertNumberToString(value)
|
||||
if err != nil {
|
||||
|
|
|
@ -197,7 +197,6 @@ func (iv *imageVerifier) verify(imageVerify kyvernov1.ImageVerification, images
|
|||
ruleResp.Patches = append(ruleResp.Patches, patch)
|
||||
imageInfo.Digest = retrievedDigest
|
||||
image = imageInfo.String()
|
||||
digest = retrievedDigest
|
||||
}
|
||||
}
|
||||
|
||||
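Review bot: The dropped `digest = retrievedDigest` assignment is only safe if `digest` is never read after this block in the loop body, which lies outside the hunk; the linter presumably flagged it as ineffectual, but please confirm that the mutate-digest path still hands the resolved digest to whatever consumes it later (the `imageInfo.Digest = retrievedDigest` line above is what now carries it). If `digest` really is dead from here on, its declaration earlier in the loop is likely dead too and can go with it. The enclosing verify method starts before and continues after this hunk.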
|
@ -307,8 +306,8 @@ func (iv *imageVerifier) verifyImage(imageVerify kyvernov1.ImageVerification, im
|
|||
}
|
||||
|
||||
func (iv *imageVerifier) verifyAttestorSet(attestorSet kyvernov1.AttestorSet, imageVerify kyvernov1.ImageVerification,
|
||||
imageInfo apiutils.ImageInfo, path string) (*cosign.Response, error) {
|
||||
|
||||
imageInfo apiutils.ImageInfo, path string,
|
||||
) (*cosign.Response, error) {
|
||||
var errorList []error
|
||||
verifiedCount := 0
|
||||
attestorSet = expandStaticKeys(attestorSet)
|
||||
|
@ -530,8 +529,8 @@ func evaluateConditions(
|
|||
conditions []kyvernov1.AnyAllConditions,
|
||||
ctx context.Interface,
|
||||
s map[string]interface{},
|
||||
log logr.Logger) (bool, error) {
|
||||
|
||||
log logr.Logger,
|
||||
) (bool, error) {
|
||||
predicate, ok := s["predicate"].(map[string]interface{})
|
||||
if !ok {
|
||||
return false, fmt.Errorf("failed to extract predicate from statement: %v", s)
|
||||
|
|
|
@ -296,7 +296,7 @@ func hasAnchor(key string) bool {
|
|||
}
|
||||
|
||||
func hasAnchors(pattern *yaml.RNode, isAnchor func(key string) bool) bool {
|
||||
ynode := pattern.YNode() // nolint:ifshort
|
||||
ynode := pattern.YNode() //nolint:ifshort
|
||||
if ynode.Kind == yaml.MappingNode {
|
||||
fields, err := pattern.Fields()
|
||||
if err != nil {
|
||||
|
|
|
@ -125,14 +125,18 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin
|
|||
// doesResourceMatchConditionBlock filters the resource with defined conditions
|
||||
// for a match / exclude block, it has the following attributes:
|
||||
// ResourceDescription:
|
||||
// Kinds []string
|
||||
// Name string
|
||||
// Namespaces []string
|
||||
// Selector
|
||||
//
|
||||
// Kinds []string
|
||||
// Name string
|
||||
// Namespaces []string
|
||||
// Selector
|
||||
//
|
||||
// UserInfo:
|
||||
// Roles []string
|
||||
// ClusterRoles []string
|
||||
// Subjects []rbacv1.Subject
|
||||
//
|
||||
// Roles []string
|
||||
// ClusterRoles []string
|
||||
// Subjects []rbacv1.Subject
|
||||
//
|
||||
// To filter out the targeted resources with ResourceDescription, the check
|
||||
// should be: AND across attributes but an OR inside attributes that of type list
|
||||
// To filter out the targeted resources with UserInfo, the check
|
||||
|
|
|
@ -7,7 +7,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine/context"
|
||||
)
|
||||
|
||||
//NewNotInHandler returns handler to manage NotIn operations
|
||||
// NewNotInHandler returns handler to manage NotIn operations
|
||||
//
|
||||
// Deprecated: Use `NewAllNotInHandler` or `NewAnyNotInHandler` instead
|
||||
func NewNotInHandler(log logr.Logger, ctx context.EvalInterface) OperatorHandler {
|
||||
|
|
|
@ -46,7 +46,7 @@ type Interface interface {
|
|||
Add(infoList ...Info)
|
||||
}
|
||||
|
||||
//NewEventGenerator to generate a new event controller
|
||||
// NewEventGenerator to generate a new event controller
|
||||
func NewEventGenerator(client dclient.Interface, cpInformer kyvernov1informers.ClusterPolicyInformer, pInformer kyvernov1informers.PolicyInformer, maxQueuedEvents int, log logr.Logger) *Generator {
|
||||
gen := Generator{
|
||||
client: client,
|
||||
|
|
|
@ -4,9 +4,7 @@ func NewFake() Interface {
|
|||
return &fakeEventGenerator{}
|
||||
}
|
||||
|
||||
type fakeEventGenerator struct {
|
||||
}
|
||||
type fakeEventGenerator struct{}
|
||||
|
||||
func (f *fakeEventGenerator) Add(infoList ...Info) {
|
||||
|
||||
}
|
||||
|
|
|
@ -17,8 +17,8 @@ func InitMetrics(
|
|||
metricsConfigData *config.MetricsConfigData,
|
||||
transportCreds string,
|
||||
kubeClient kubernetes.Interface,
|
||||
log logr.Logger) (*MetricsConfig, *http.ServeMux, *controller.Controller, error) {
|
||||
|
||||
log logr.Logger,
|
||||
) (*MetricsConfig, *http.ServeMux, *controller.Controller, error) {
|
||||
var metricsConfig *MetricsConfig
|
||||
var err error
|
||||
var metricsServerMux *http.ServeMux
|
||||
|
|
|
@ -222,7 +222,8 @@ func NewPrometheusConfig(metricsConfigData *kconfig.MetricsConfigData,
|
|||
|
||||
func (m *MetricsConfig) RecordPolicyResults(policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string,
|
||||
resourceKind string, resourceNamespace string, resourceRequestOperation ResourceRequestOperation, ruleName string, ruleResult RuleResult, ruleType RuleType,
|
||||
ruleExecutionCause RuleExecutionCause) {
|
||||
ruleExecutionCause RuleExecutionCause,
|
||||
) {
|
||||
ctx := context.Background()
|
||||
|
||||
commonLabels := []attribute.KeyValue{
|
||||
|
@ -259,7 +260,8 @@ func (m *MetricsConfig) RecordPolicyChanges(policyValidationMode PolicyValidatio
|
|||
}
|
||||
|
||||
func (m *MetricsConfig) RecordPolicyRuleInfo(policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string,
|
||||
ruleName string, ruleType RuleType, status string, metricValue float64) {
|
||||
ruleName string, ruleType RuleType, status string, metricValue float64,
|
||||
) {
|
||||
ctx := context.Background()
|
||||
commonLabels := []attribute.KeyValue{
|
||||
attribute.String("policy_validation_mode", string(policyValidationMode)),
|
||||
|
@ -289,7 +291,8 @@ func (m MetricsConfig) RecordAdmissionRequests(resourceKind string, resourceName
|
|||
|
||||
func (m *MetricsConfig) RecordPolicyExecutionDuration(policyValidationMode PolicyValidationMode, policyType PolicyType, policyBackgroundMode PolicyBackgroundMode, policyNamespace string, policyName string,
|
||||
resourceKind string, resourceNamespace string, resourceRequestOperation ResourceRequestOperation, ruleName string, ruleResult RuleResult, ruleType RuleType,
|
||||
ruleExecutionCause RuleExecutionCause, generalRuleLatencyType string, ruleExecutionLatency float64) {
|
||||
ruleExecutionCause RuleExecutionCause, generalRuleLatencyType string, ruleExecutionLatency float64,
|
||||
) {
|
||||
ctx := context.Background()
|
||||
|
||||
commonLabels := []attribute.KeyValue{
|
||||
|
|
|
@ -45,8 +45,8 @@ func registerPolicyExecutionDurationMetric(
|
|||
return nil
|
||||
}
|
||||
|
||||
//policy - policy related data
|
||||
//engineResponse - resource and rule related data
|
||||
// policy - policy related data
|
||||
// engineResponse - resource and rule related data
|
||||
func ProcessEngineResponse(m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, generateRuleLatencyType string, resourceRequestOperation metrics.ResourceRequestOperation) error {
|
||||
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
|
||||
if err != nil {
|
||||
|
|
|
@ -40,8 +40,8 @@ func registerPolicyResultsMetric(
|
|||
return nil
|
||||
}
|
||||
|
||||
//policy - policy related data
|
||||
//engineResponse - resource and rule related data
|
||||
// policy - policy related data
|
||||
// engineResponse - resource and rule related data
|
||||
func ProcessEngineResponse(m *metrics.MetricsConfig, policy kyvernov1.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
|
||||
name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy)
|
||||
if err != nil {
|
||||
|
|
|
@ -6,8 +6,7 @@ func NewFake() ValidateInterface {
|
|||
return &fakeValidation{}
|
||||
}
|
||||
|
||||
type fakeValidation struct {
|
||||
}
|
||||
type fakeValidation struct{}
|
||||
|
||||
func (f *fakeValidation) ValidateResource(resource unstructured.Unstructured, apiVersion, kind string) error {
|
||||
return nil
|
||||
|
|
|
@ -564,7 +564,6 @@ func validateMatchKindHelper(rule kyvernov1.Rule) error {
|
|||
|
||||
// isLabelAndAnnotationsString :- Validate if labels and annotations contains only string values
|
||||
func isLabelAndAnnotationsString(rule kyvernov1.Rule) bool {
|
||||
|
||||
checkLabelAnnotation := func(metaKey map[string]interface{}) bool {
|
||||
for mk := range metaKey {
|
||||
if mk == "labels" {
|
||||
|
|
|
@ -124,7 +124,7 @@ func (c *changeRequestCreator) run(stopChan <-chan struct{}) {
|
|||
for {
|
||||
select {
|
||||
case <-ticker.C:
|
||||
requests := []*unstructured.Unstructured{}
|
||||
var requests []*unstructured.Unstructured
|
||||
var size int
|
||||
if c.splitPolicyReport {
|
||||
requests, size = c.mergeRequestsPerPolicy()
|
||||
|
|
|
@ -4,21 +4,16 @@ func NewFake() GeneratorInterface {
|
|||
return &fakeReporter{}
|
||||
}
|
||||
|
||||
type fakeReporter struct {
|
||||
}
|
||||
type fakeReporter struct{}
|
||||
|
||||
func (f *fakeReporter) Add(infos ...Info) {
|
||||
|
||||
}
|
||||
|
||||
func (f *fakeReporter) MapperReset(string) {
|
||||
|
||||
}
|
||||
|
||||
func (f *fakeReporter) MapperInactive(string) {
|
||||
|
||||
}
|
||||
|
||||
func (f *fakeReporter) MapperInvalidate() {
|
||||
|
||||
}
|
||||
|
|
|
@ -524,7 +524,6 @@ func (g *ReportGenerator) removeFromClusterPolicyReport(policyName, ruleName str
|
|||
}
|
||||
|
||||
func (g *ReportGenerator) removeFromPolicyReport(policyName, ruleName string) error {
|
||||
|
||||
namespaces, err := g.client.ListResource("", "Namespace", "", nil)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to list namespace %v", err)
|
||||
|
@ -589,7 +588,7 @@ func (g *ReportGenerator) aggregateReports(namespace, policyName string) (
|
|||
g.log.Error(err, "failed to get Kyverno namespace, policy reports will not be garbage collected upon termination")
|
||||
}
|
||||
|
||||
selector := labels.NewSelector()
|
||||
var selector labels.Selector
|
||||
if namespace == "" {
|
||||
if toggle.SplitPolicyReport() {
|
||||
selector = labels.SelectorFromSet(labels.Set(map[string]string{appVersion: version.BuildVersion, policyLabel: TrimmedName(policyName)}))
|
||||
|
|
|
@ -95,7 +95,7 @@ func WithKeychainPullSecrets(kubClient kubernetes.Interface, namespace, serviceA
|
|||
// WithKeychainPullSecrets provides initialize registry client option that allows to use insecure registries.
|
||||
func WithAllowInsecureRegistry() Option {
|
||||
return func(c *client) error {
|
||||
c.transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
|
||||
c.transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec
|
||||
return nil
|
||||
}
|
||||
}
|
||||
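Review bot: The new `//nolint:gosec` silences the InsecureSkipVerify finding without saying why it is acceptable here; since this is an explicit opt-in option, record that: `c.transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec // explicit opt-in via WithAllowInsecureRegistry`. The doc comment above the function is also a copy-paste of its neighbour — it reads "WithKeychainPullSecrets provides..." over `WithAllowInsecureRegistry`; suggest `// WithAllowInsecureRegistry returns an Option that disables TLS certificate verification for registry connections; intended only for explicitly trusted test or private registries.` Assigning a fresh `tls.Config` also replaces any TLSClientConfig previously set on the transport (root CAs, MinVersion) rather than toggling one field, which may or may not be intended.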
|
|
|
@ -71,7 +71,7 @@ type Generation struct {
|
|||
// It assumes that the project directory is 2 levels up. This means if this function is moved
|
||||
// it may not work as expected.
|
||||
func RootDir() string {
|
||||
_, b, _, _ := runtime.Caller(0) // nolint:dogsled
|
||||
_, b, _, _ := runtime.Caller(0) //nolint:dogsled
|
||||
d := ospath.Join(ospath.Dir(b))
|
||||
d = filepath.Dir(d)
|
||||
return filepath.Dir(d)
|
||||
|
|
|
@ -7,15 +7,16 @@ import (
|
|||
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"google.golang.org/grpc/credentials"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
)
|
||||
|
||||
func FetchCert(
|
||||
ctx context.Context,
|
||||
certs string,
|
||||
kubeClient kubernetes.Interface) (credentials.TransportCredentials, error) {
|
||||
secret, err := kubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(ctx, certs, v1.GetOptions{})
|
||||
kubeClient kubernetes.Interface,
|
||||
) (credentials.TransportCredentials, error) {
|
||||
secret, err := kubeClient.CoreV1().Secrets(config.KyvernoNamespace()).Get(ctx, certs, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error fetching certificate from secret")
|
||||
}
|
||||
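Review bot: The error returned when the secret lookup fails discards both the underlying `err` and the secret name, so a NotFound, a Forbidden and a transient API error all surface as the same opaque "error fetching certificate from secret" message. `return nil, fmt.Errorf("fetching certificate secret %q: %w", certs, err)` preserves the cause for `errors.Is`/`errors.As` callers and names the secret that was looked up. This is a pre-existing line the gofmt-driven reformat leaves untouched; FetchCert continues past the end of the hunk.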
|
|
|
@ -346,7 +346,6 @@ func OverrideRuntimeErrorHandler() {
|
|||
runtime.ErrorHandlers[0] = func(err error) {
|
||||
logger.V(6).Info("runtime error: %s", err)
|
||||
}
|
||||
|
||||
} else {
|
||||
runtime.ErrorHandlers = []func(err error){
|
||||
func(err error) {
|
||||
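Review bot: `logger.V(6).Info("runtime error: %s", err)` treats a logr Info call as printf: logr does not format the message, so `%s` is emitted literally and `err` becomes a dangling key with no value (an odd-length key/value list), which logr implementations usually render as a malformed-kv marker rather than the error. Either `logger.V(6).Info("runtime error", "err", err)` or `logger.V(6).Error(err, "runtime error")` gives a structured, readable entry. The line is unchanged by this commit, but it sits in the reformatted function and is worth fixing while here; OverrideRuntimeErrorHandler starts before and continues after the hunk.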
|
|
|
@ -36,11 +36,9 @@ const (
|
|||
// latestTimestamp is longer than idleCheckInterval, the monitor triggers an
|
||||
// annotation update; otherwise lastSeenRequestTime is updated to latestTimestamp.
|
||||
//
|
||||
//
|
||||
// Webhook configurations are checked every tickerInterval across all instances.
|
||||
// Currently the check only queries for the expected resource name, and does
|
||||
// not compare other details like the webhook settings.
|
||||
//
|
||||
type Monitor struct {
|
||||
// leaseClient is used to manage Kyverno lease
|
||||
leaseClient coordinationv1.LeaseInterface
|
||||
|
|
|
@ -184,7 +184,8 @@ func (wrc *Register) ResetPolicyStatus(kyvernoInTermination bool, wg *sync.WaitG
|
|||
logger := wrc.log.WithName("ResetPolicyStatus")
|
||||
cpols, err := wrc.kyvernoClient.KyvernoV1().ClusterPolicies().List(context.TODO(), metav1.ListOptions{})
|
||||
if err == nil {
|
||||
for _, cpol := range cpols.Items {
|
||||
for _, item := range cpols.Items {
|
||||
cpol := item
|
||||
cpol.Status.SetReady(false)
|
||||
if _, err := wrc.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(context.TODO(), &cpol, metav1.UpdateOptions{}); err != nil {
|
||||
logger.Error(err, "failed to set ClusterPolicy status READY=false", "name", cpol.GetName())
|
||||
|
@ -196,7 +197,8 @@ func (wrc *Register) ResetPolicyStatus(kyvernoInTermination bool, wg *sync.WaitG
|
|||
|
||||
pols, err := wrc.kyvernoClient.KyvernoV1().Policies(metav1.NamespaceAll).List(context.TODO(), metav1.ListOptions{})
|
||||
if err == nil {
|
||||
for _, pol := range pols.Items {
|
||||
for _, item := range pols.Items {
|
||||
pol := item
|
||||
pol.Status.SetReady(false)
|
||||
if _, err := wrc.kyvernoClient.KyvernoV1().Policies(pol.GetNamespace()).UpdateStatus(context.TODO(), &pol, metav1.UpdateOptions{}); err != nil {
|
||||
logger.Error(err, "failed to set Policy status READY=false", "namespace", pol.GetNamespace(), "name", pol.GetName())
|
||||
|
|
|
@ -20,7 +20,6 @@ import (
|
|||
)
|
||||
|
||||
func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhooks.Handlers {
|
||||
|
||||
client := fake.NewSimpleClientset()
|
||||
metricsConfig := metrics.NewFakeMetricsConfig(client)
|
||||
|
||||
|
@ -53,13 +52,10 @@ func newFakeAuditHandler() AuditHandler {
|
|||
return &fakeAuditHandler{}
|
||||
}
|
||||
|
||||
type fakeAuditHandler struct {
|
||||
}
|
||||
type fakeAuditHandler struct{}
|
||||
|
||||
func (f *fakeAuditHandler) Add(request *admissionv1.AdmissionRequest) {
|
||||
|
||||
}
|
||||
|
||||
func (f *fakeAuditHandler) Run(workers int, stopCh <-chan struct{}) {
|
||||
|
||||
}
|
||||
|
|
|
@ -75,9 +75,10 @@ func NewServer(
|
|||
},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
},
|
||||
Handler: mux,
|
||||
ReadTimeout: 30 * time.Second,
|
||||
WriteTimeout: 30 * time.Second,
|
||||
Handler: mux,
|
||||
ReadTimeout: 30 * time.Second,
|
||||
WriteTimeout: 30 * time.Second,
|
||||
ReadHeaderTimeout: 30 * time.Second,
|
||||
},
|
||||
webhookRegister: register,
|
||||
cleanUp: cleanUp,
|
||||
|
|
|
@ -9,8 +9,7 @@ func NewFake() Generator {
|
|||
return &fakeGenerator{}
|
||||
}
|
||||
|
||||
type fakeGenerator struct {
|
||||
}
|
||||
type fakeGenerator struct{}
|
||||
|
||||
func (f *fakeGenerator) Apply(gr kyvernov1beta1.UpdateRequestSpec, action admissionv1.Operation) error {
|
||||
return nil
|
||||
|
|
|
@ -27,6 +27,7 @@ type client struct {
|
|||
}
|
||||
|
||||
func New(t *testing.T) Client {
|
||||
t.Helper()
|
||||
c, err := e2e.NewE2EClient()
|
||||
gomega.Expect(err).NotTo(gomega.HaveOccurred())
|
||||
return &client{t, c}
|
||||
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
)
|
||||
|
||||
func Setup(t *testing.T) {
|
||||
t.Helper()
|
||||
gomega.RegisterTestingT(t)
|
||||
if os.Getenv("E2E") == "" {
|
||||
t.Skip("Skipping E2E Test")
|
||||
|
@ -18,6 +19,7 @@ func Setup(t *testing.T) {
|
|||
}
|
||||
|
||||
func RunTest(t *testing.T, steps ...step.Step) {
|
||||
t.Helper()
|
||||
ginkgo.By("Creating client ...")
|
||||
client := client.New(t)
|
||||
for _, step := range steps {
|
||||
|
@ -27,6 +29,7 @@ func RunTest(t *testing.T, steps ...step.Step) {
|
|||
}
|
||||
|
||||
func RunSubTest(t *testing.T, name string, steps ...step.Step) {
|
||||
t.Helper()
|
||||
t.Run(name, func(t *testing.T) {
|
||||
RunTest(t, steps...)
|
||||
})
|
||||
|
|
|
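Review bot: In `RunTest`, `client := client.New(t)` shadows the imported `client` package with the local variable, so any later reference to the package inside the `for _, step := range steps` body (which continues outside the hunk) resolves to the variable instead. Renaming the local, e.g. `c := client.New(t)`, removes the ambiguity and is the usual fix flagged by shadow linters. The added `t.Helper()` calls in `Setup`, `RunTest` and `RunSubTest` are correct as placed.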
@ -4,10 +4,9 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/kyverno/kyverno/test/e2e"
|
||||
. "github.com/onsi/gomega"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"sigs.k8s.io/yaml"
|
||||
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
|
@ -7,13 +7,12 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/kyverno/kyverno/test/e2e"
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"sigs.k8s.io/yaml"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
type resource struct {
|
||||
|
@ -72,6 +71,7 @@ func expectation(id _id, expectations ...resourceExpectation) expectedResource {
|
|||
}
|
||||
|
||||
func setup(t *testing.T) {
|
||||
t.Helper()
|
||||
RegisterTestingT(t)
|
||||
if os.Getenv("E2E") == "" {
|
||||
t.Skip("Skipping E2E Test")
|
||||
|
@ -86,7 +86,7 @@ func createClient() *e2e.E2EClient {
|
|||
|
||||
func deleteClusteredResource(client *e2e.E2EClient, resource expectedResource) {
|
||||
By(fmt.Sprintf("Deleting %s : %s", resource.gvr.String(), resource.name))
|
||||
client.DeleteClusteredResource(resource.gvr, resource.name)
|
||||
_ = client.DeleteClusteredResource(resource.gvr, resource.name)
|
||||
err := e2e.GetWithRetry(1*time.Second, 15, func() error {
|
||||
_, err := client.GetClusteredResource(resource.gvr, resource.name)
|
||||
if err == nil {
|
||||
|
@ -102,7 +102,7 @@ func deleteClusteredResource(client *e2e.E2EClient, resource expectedResource) {
|
|||
|
||||
func deleteNamespacedResource(client *e2e.E2EClient, resource expectedResource) {
|
||||
By(fmt.Sprintf("Deleting %s : %s/%s", resource.gvr.String(), resource.ns, resource.name))
|
||||
client.DeleteNamespacedResource(resource.gvr, resource.ns, resource.name)
|
||||
_ = client.DeleteNamespacedResource(resource.gvr, resource.ns, resource.name)
|
||||
err := e2e.GetWithRetry(1*time.Second, 15, func() error {
|
||||
_, err := client.GetNamespacedResource(resource.gvr, resource.ns, resource.name)
|
||||
if err == nil {
|
||||
|
@ -131,6 +131,7 @@ func deleteResources(client *e2e.E2EClient, resources ...expectedResource) {
|
|||
}
|
||||
|
||||
func createClusteredResource(t *testing.T, client *e2e.E2EClient, resource resource) *unstructured.Unstructured {
|
||||
t.Helper()
|
||||
var u unstructured.Unstructured
|
||||
Expect(yaml.Unmarshal(resource.raw, &u)).To(Succeed())
|
||||
By(fmt.Sprintf("Creating %s : %s", resource.gvr.String(), u.GetName()))
|
||||
|
@ -143,6 +144,7 @@ func createClusteredResource(t *testing.T, client *e2e.E2EClient, resource resou
|
|||
}
|
||||
|
||||
func createNamespacedResource(t *testing.T, client *e2e.E2EClient, resource resource) *unstructured.Unstructured {
|
||||
t.Helper()
|
||||
var u unstructured.Unstructured
|
||||
Expect(yaml.Unmarshal(resource.raw, &u)).To(Succeed())
|
||||
By(fmt.Sprintf("Creating %s : %s/%s", resource.gvr.String(), resource.ns, u.GetName()))
|
||||
|
@ -155,6 +157,7 @@ func createNamespacedResource(t *testing.T, client *e2e.E2EClient, resource reso
|
|||
}
|
||||
|
||||
func createResource(t *testing.T, client *e2e.E2EClient, resource resource) *unstructured.Unstructured {
|
||||
t.Helper()
|
||||
if resource.ns != "" {
|
||||
return createNamespacedResource(t, client, resource)
|
||||
} else {
|
||||
|
@ -163,6 +166,7 @@ func createResource(t *testing.T, client *e2e.E2EClient, resource resource) *uns
|
|||
}
|
||||
|
||||
func createResources(t *testing.T, client *e2e.E2EClient, resources ...resource) {
|
||||
t.Helper()
|
||||
for _, resource := range resources {
|
||||
createResource(t, client, resource)
|
||||
}
|
||||
|
@ -182,13 +186,13 @@ func getNamespacedResource(client *e2e.E2EClient, gvr schema.GroupVersionResourc
|
|||
return r
|
||||
}
|
||||
|
||||
func getResource(client *e2e.E2EClient, gvr schema.GroupVersionResource, ns, name string) *unstructured.Unstructured {
|
||||
if ns != "" {
|
||||
return getNamespacedResource(client, gvr, ns, name)
|
||||
} else {
|
||||
return getClusteredResource(client, gvr, name)
|
||||
}
|
||||
}
|
||||
// func getResource(client *e2e.E2EClient, gvr schema.GroupVersionResource, ns, name string) *unstructured.Unstructured {
|
||||
// if ns != "" {
|
||||
// return getNamespacedResource(client, gvr, ns, name)
|
||||
// } else {
|
||||
// return getClusteredResource(client, gvr, name)
|
||||
// }
|
||||
// }
|
||||
|
||||
func updateClusteredResource(client *e2e.E2EClient, gvr schema.GroupVersionResource, name string, m func(*unstructured.Unstructured) error) {
|
||||
r := getClusteredResource(client, gvr, name)
|
||||
|
@ -297,11 +301,11 @@ func expectResourceNotExists(client *e2e.E2EClient, resource expectedResource) {
|
|||
}
|
||||
}
|
||||
|
||||
func expectResourcesNotExist(client *e2e.E2EClient, resources ...expectedResource) {
|
||||
for _, resource := range resources {
|
||||
expectResourceNotExists(client, resource)
|
||||
}
|
||||
}
|
||||
// func expectResourcesNotExist(client *e2e.E2EClient, resources ...expectedResource) {
|
||||
// for _, resource := range resources {
|
||||
// expectResourceNotExists(client, resource)
|
||||
// }
|
||||
// }
|
||||
|
||||
func expectClusteredResourceNotFound(client *e2e.E2EClient, resource expectedResource) {
|
||||
By(fmt.Sprintf("Expecting not found %s : %s", resource.gvr.String(), resource.name))
|
||||
|
|
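Review bot: In `deleteClusteredResource` and `deleteNamespacedResource` the delete error is now discarded with `_ =`, which silences the check but also hides real failures (a forbidden or unreachable API, for instance) until the 15-retry `GetWithRetry` loop below gives up, presumably with a misleading "still exists" failure rather than the original error. Only a not-found result is genuinely benign there, so `if err := client.DeleteClusteredResource(resource.gvr, resource.name); err != nil && !apierrors.IsNotFound(err) { Expect(err).NotTo(HaveOccurred()) }` (and the same shape for the namespaced variant) keeps the intent while surfacing unexpected errors; `apierrors` and the gomega dot-import are already present in this file. Separately, the hunks at `@ -182` and `@ -297` appear to replace `getResource` and `expectResourcesNotExist` with commented-out copies, presumably to satisfy an unused-function check; deleting the functions outright, or keeping them live with a `//nolint:unused` directive and a reason, is cleaner than retaining dead code under comment.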