refactor: remove admission request/response pointers (#6769)
* refactor: remove admission request/response pointers Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
396282ab77
commit
18033a415b
18 changed files with 93 additions and 101 deletions
|
@ -21,8 +21,8 @@ func New(client dclient.Interface) *handlers {
|
|||
}
|
||||
}
|
||||
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, _ time.Time) *admissionv1.AdmissionResponse {
|
||||
policy, _, err := admissionutils.GetCleanupPolicies(request)
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, _ time.Time) admissionv1.AdmissionResponse {
|
||||
policy, _, err := admissionutils.GetCleanupPolicies(&request)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policies from admission request")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
@ -31,5 +31,5 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
|
|||
logger.Error(err, "policy validation errors")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
return nil
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
|
|
|
@ -31,7 +31,7 @@ type server struct {
|
|||
|
||||
type (
|
||||
TlsProvider = func() ([]byte, []byte, error)
|
||||
ValidationHandler = func(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
||||
ValidationHandler = func(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
CleanupHandler = func(context.Context, logr.Logger, string, time.Time, config.Configuration) error
|
||||
)
|
||||
|
||||
|
|
|
@ -8,8 +8,8 @@ import (
|
|||
|
||||
var patchTypeJSONPatch = admissionv1.PatchTypeJSONPatch
|
||||
|
||||
func Response(uid types.UID, err error, warnings ...string) *admissionv1.AdmissionResponse {
|
||||
response := &admissionv1.AdmissionResponse{
|
||||
func Response(uid types.UID, err error, warnings ...string) admissionv1.AdmissionResponse {
|
||||
response := admissionv1.AdmissionResponse{
|
||||
Allowed: err == nil,
|
||||
UID: uid,
|
||||
}
|
||||
|
@ -23,11 +23,11 @@ func Response(uid types.UID, err error, warnings ...string) *admissionv1.Admissi
|
|||
return response
|
||||
}
|
||||
|
||||
func ResponseSuccess(uid types.UID, warnings ...string) *admissionv1.AdmissionResponse {
|
||||
func ResponseSuccess(uid types.UID, warnings ...string) admissionv1.AdmissionResponse {
|
||||
return Response(uid, nil, warnings...)
|
||||
}
|
||||
|
||||
func MutationResponse(uid types.UID, patch []byte, warnings ...string) *admissionv1.AdmissionResponse {
|
||||
func MutationResponse(uid types.UID, patch []byte, warnings ...string) admissionv1.AdmissionResponse {
|
||||
response := ResponseSuccess(uid, warnings...)
|
||||
if len(patch) != 0 {
|
||||
response.Patch = patch
|
||||
|
|
|
@ -17,14 +17,14 @@ func TestResponse(t *testing.T) {
|
|||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want *admissionv1.AdmissionResponse
|
||||
want admissionv1.AdmissionResponse
|
||||
}{{
|
||||
name: "no error, no warnings",
|
||||
args: args{
|
||||
err: nil,
|
||||
warnings: nil,
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
},
|
||||
}, {
|
||||
|
@ -33,7 +33,7 @@ func TestResponse(t *testing.T) {
|
|||
err: nil,
|
||||
warnings: []string{"foo", "bar"},
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
Warnings: []string{"foo", "bar"},
|
||||
},
|
||||
|
@ -43,7 +43,7 @@ func TestResponse(t *testing.T) {
|
|||
err: errors.New("an error has occured"),
|
||||
warnings: nil,
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: metav1.StatusFailure,
|
||||
|
@ -56,7 +56,7 @@ func TestResponse(t *testing.T) {
|
|||
err: errors.New("an error has occured"),
|
||||
warnings: []string{"foo", "bar"},
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: metav1.StatusFailure,
|
||||
|
@ -81,13 +81,13 @@ func TestResponseSuccess(t *testing.T) {
|
|||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want *admissionv1.AdmissionResponse
|
||||
want admissionv1.AdmissionResponse
|
||||
}{{
|
||||
name: "no warnings",
|
||||
args: args{
|
||||
warnings: nil,
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
},
|
||||
}, {
|
||||
|
@ -95,7 +95,7 @@ func TestResponseSuccess(t *testing.T) {
|
|||
args: args{
|
||||
warnings: []string{"foo", "bar"},
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
Warnings: []string{"foo", "bar"},
|
||||
},
|
||||
|
@ -117,14 +117,14 @@ func TestMutationResponse(t *testing.T) {
|
|||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
want *admissionv1.AdmissionResponse
|
||||
want admissionv1.AdmissionResponse
|
||||
}{{
|
||||
name: "no patch, no warnings",
|
||||
args: args{
|
||||
patch: nil,
|
||||
warnings: nil,
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
},
|
||||
}, {
|
||||
|
@ -133,7 +133,7 @@ func TestMutationResponse(t *testing.T) {
|
|||
patch: nil,
|
||||
warnings: []string{"foo", "bar"},
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
Warnings: []string{"foo", "bar"},
|
||||
},
|
||||
|
@ -143,7 +143,7 @@ func TestMutationResponse(t *testing.T) {
|
|||
patch: []byte{1, 2, 3, 4},
|
||||
warnings: nil,
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
Patch: []byte{1, 2, 3, 4},
|
||||
PatchType: &patchTypeJSONPatch,
|
||||
|
@ -154,7 +154,7 @@ func TestMutationResponse(t *testing.T) {
|
|||
patch: []byte{1, 2, 3, 4},
|
||||
warnings: []string{"foo", "bar"},
|
||||
},
|
||||
want: &admissionv1.AdmissionResponse{
|
||||
want: admissionv1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
Patch: []byte{1, 2, 3, 4},
|
||||
Warnings: []string{"foo", "bar"},
|
||||
|
|
|
@ -22,8 +22,8 @@ func NewHandlers(validationOptions validation.ValidationOptions) webhooks.Except
|
|||
}
|
||||
|
||||
// Validate performs the validation check on policy exception resources
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
polex, _, err := admissionutils.GetPolicyExceptions(request)
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
polex, _, err := admissionutils.GetPolicyExceptions(&request)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policy exceptions from admission request")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
|
|
@ -51,10 +51,9 @@ func (inner AdmissionHandler) withAdmission(logger logr.Logger) HttpHandler {
|
|||
Allowed: true,
|
||||
UID: admissionReview.Request.UID,
|
||||
}
|
||||
admissionResponse := inner(request.Context(), logger, admissionReview.Request, startTime)
|
||||
if admissionResponse != nil {
|
||||
admissionReview.Response = admissionResponse
|
||||
}
|
||||
// TODO: check request is not nil ?
|
||||
admissionResponse := inner(request.Context(), logger, *admissionReview.Request, startTime)
|
||||
admissionReview.Response = &admissionResponse
|
||||
responseJSON, err := json.Marshal(admissionReview)
|
||||
if err != nil {
|
||||
HttpError(request.Context(), writer, request, logger, err, http.StatusInternalServerError)
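Review bot: The new `*admissionReview.Request` dereference at the `inner(...)` call panics when the decoded review carries no `request` field, and the `// TODO: check request is not nil ?` left beside it names the gap without closing it; the `UID: admissionReview.Request.UID` prefill a few lines above already dereferences the same pointer, so the guard belongs before that prefill. The review is presumably decoded from the HTTP body (the decode is outside this hunk), which makes a missing field caller-controlled input that should get a 400 rather than a handler panic. Proposed guard in place of the TODO: `if admissionReview.Request == nil { HttpError(request.Context(), writer, request, logger, errors.New("admission review has no request"), http.StatusBadRequest); return }` (add an `errors` import if the file lacks one). withAdmission's body begins and ends outside the hunk.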
|
||||
|
|
|
@ -32,9 +32,9 @@ func (inner AdmissionHandler) withDump(
|
|||
rbLister rbacv1listers.RoleBindingLister,
|
||||
crbLister rbacv1listers.ClusterRoleBindingLister,
|
||||
) AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
response := inner(ctx, logger, request, startTime)
|
||||
dumpPayload(logger, rbLister, crbLister, request, response)
|
||||
dumpPayload(logger, rbLister, crbLister, &request, &response)
|
||||
return response
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,6 +6,7 @@ import (
|
|||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
wildcard "github.com/kyverno/kyverno/pkg/utils/wildcard"
|
||||
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
|
@ -25,28 +26,28 @@ func (inner AdmissionHandler) WithSubResourceFilter(subresources ...string) Admi
|
|||
}
|
||||
|
||||
func (inner AdmissionHandler) withFilter(c config.Configuration) AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
// filter by username
|
||||
for _, username := range c.GetExcludedUsernames() {
|
||||
if wildcard.Match(username, request.UserInfo.Username) {
|
||||
return nil
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
}
|
||||
// filter by groups
|
||||
for _, group := range c.GetExcludedGroups() {
|
||||
for _, candidate := range request.UserInfo.Groups {
|
||||
if wildcard.Match(group, candidate) {
|
||||
return nil
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
}
|
||||
}
|
||||
// filter by resource filters
|
||||
if c.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
|
||||
return nil
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
// filter kyverno resources
|
||||
if webhookutils.ExcludeKyvernoResources(request.Kind.Kind) {
|
||||
return nil
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
return inner(ctx, logger, request, startTime)
|
||||
}
|
||||
|
@ -57,20 +58,20 @@ func (inner AdmissionHandler) withOperationFilter(operations ...admissionv1.Oper
|
|||
for _, operation := range operations {
|
||||
allowed.Insert(string(operation))
|
||||
}
|
||||
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
if allowed.Has(string(request.Operation)) {
|
||||
return inner(ctx, logger, request, startTime)
|
||||
}
|
||||
return nil
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
}
|
||||
|
||||
func (inner AdmissionHandler) withSubResourceFilter(subresources ...string) AdmissionHandler {
|
||||
allowed := sets.New(subresources...)
|
||||
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
if request.SubResource == "" || allowed.Has(request.SubResource) {
|
||||
return inner(ctx, logger, request, startTime)
|
||||
}
|
||||
return nil
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
}
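Review bot: withFilter (second hunk of this file, starting at the `func (inner AdmissionHandler) withFilter` line) has no doc comment, and now that each short-circuit builds an explicit `admissionutils.ResponseSuccess(request.UID)` in four places, the admit-without-evaluation semantics deserve to be stated once at the top. Suggested comment above the function: `// withFilter admits the request without calling inner when the user or a group is excluded, the resource matches a configured filter, or the kind is a Kyverno resource.` The returned response carries only Allowed and UID, which matches the default response withAdmission previously substituted for a nil result; withOperationFilter and withSubResourceFilter in the third hunk follow the same comment-free pattern.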
|
||||
|
|
|
@ -36,20 +36,16 @@ func (inner AdmissionHandler) withMetrics(logger logr.Logger, metricsConfig conf
|
|||
if err != nil {
|
||||
logger.Error(err, "Failed to create instrument, kyverno_admission_review_duration_seconds")
|
||||
}
|
||||
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
response := inner(ctx, logger, request, startTime)
|
||||
namespace := request.Namespace
|
||||
if metricsConfig.CheckNamespace(namespace) {
|
||||
operation := strings.ToLower(string(request.Operation))
|
||||
allowed := true
|
||||
if response != nil {
|
||||
allowed = response.Allowed
|
||||
}
|
||||
attributes := []attribute.KeyValue{
|
||||
attribute.String("resource_kind", request.Kind.Kind),
|
||||
attribute.String("resource_namespace", namespace),
|
||||
attribute.String("resource_request_operation", operation),
|
||||
attribute.Bool("request_allowed", allowed),
|
||||
attribute.Bool("request_allowed", response.Allowed),
|
||||
}
|
||||
attributes = append(attributes, attrs...)
|
||||
if durationMetric != nil {
|
||||
|
|
|
@ -24,12 +24,12 @@ func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
|
|||
}
|
||||
|
||||
func (inner AdmissionHandler) withProtection() AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
// Allows deletion of namespace containing managed resources
|
||||
if request.Operation == admissionv1.Delete && request.UserInfo.Username == namespaceControllerUsername {
|
||||
return inner(ctx, logger, request, startTime)
|
||||
}
|
||||
newResource, oldResource, err := admissionutils.ExtractResources(nil, request)
|
||||
newResource, oldResource, err := admissionutils.ExtractResources(nil, &request)
|
||||
if err != nil {
|
||||
logger.Error(err, "Failed to extract resources")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
|
|
@ -35,32 +35,30 @@ func (inner HttpHandler) WithTrace(name string) HttpHandler {
|
|||
}
|
||||
|
||||
func (inner AdmissionHandler) WithTrace(name string) AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return tracing.Span1(
|
||||
ctx,
|
||||
"webhooks/handlers",
|
||||
fmt.Sprintf("%s %s %s", name, request.Operation, request.Kind),
|
||||
func(ctx context.Context, span trace.Span) *admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, span trace.Span) admissionv1.AdmissionResponse {
|
||||
response := inner(ctx, logger, request, startTime)
|
||||
if response != nil {
|
||||
span.SetAttributes(
|
||||
tracing.ResponseUidKey.String(tracing.StringValue(string(response.UID))),
|
||||
tracing.ResponseAllowedKey.Bool(response.Allowed),
|
||||
tracing.ResponseWarningsKey.StringSlice(response.Warnings),
|
||||
)
|
||||
if response.Result != nil {
|
||||
span.SetAttributes(
|
||||
tracing.ResponseUidKey.String(tracing.StringValue(string(response.UID))),
|
||||
tracing.ResponseAllowedKey.Bool(response.Allowed),
|
||||
tracing.ResponseWarningsKey.StringSlice(response.Warnings),
|
||||
tracing.ResponseResultStatusKey.String(tracing.StringValue(response.Result.Status)),
|
||||
tracing.ResponseResultMessageKey.String(tracing.StringValue(response.Result.Message)),
|
||||
tracing.ResponseResultReasonKey.String(tracing.StringValue(string(response.Result.Reason))),
|
||||
tracing.ResponseResultCodeKey.Int(int(response.Result.Code)),
|
||||
)
|
||||
}
|
||||
if response.PatchType != nil {
|
||||
span.SetAttributes(
|
||||
tracing.ResponsePatchTypeKey.String(tracing.StringValue(string(*response.PatchType))),
|
||||
)
|
||||
if response.Result != nil {
|
||||
span.SetAttributes(
|
||||
tracing.ResponseResultStatusKey.String(tracing.StringValue(response.Result.Status)),
|
||||
tracing.ResponseResultMessageKey.String(tracing.StringValue(response.Result.Message)),
|
||||
tracing.ResponseResultReasonKey.String(tracing.StringValue(string(response.Result.Reason))),
|
||||
tracing.ResponseResultCodeKey.Int(int(response.Result.Code)),
|
||||
)
|
||||
}
|
||||
if response.PatchType != nil {
|
||||
span.SetAttributes(
|
||||
tracing.ResponsePatchTypeKey.String(tracing.StringValue(string(*response.PatchType))),
|
||||
)
|
||||
}
|
||||
}
|
||||
return response
|
||||
},
|
||||
|
@ -69,7 +67,7 @@ func (inner AdmissionHandler) WithTrace(name string) AdmissionHandler {
|
|||
tracing.RequestNamespaceKey.String(tracing.StringValue(request.Namespace)),
|
||||
tracing.RequestUidKey.String(tracing.StringValue(string(request.UID))),
|
||||
tracing.RequestOperationKey.String(tracing.StringValue(string(request.Operation))),
|
||||
tracing.RequestDryRunKey.Bool(admissionutils.IsDryRun(request)),
|
||||
tracing.RequestDryRunKey.Bool(admissionutils.IsDryRun(&request)),
|
||||
tracing.RequestKindGroupKey.String(tracing.StringValue(request.Kind.Group)),
|
||||
tracing.RequestKindVersionKey.String(tracing.StringValue(request.Kind.Version)),
|
||||
tracing.RequestKindKindKey.String(tracing.StringValue(request.Kind.Kind)),
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
)
|
||||
|
||||
type (
|
||||
AdmissionHandler func(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
||||
AdmissionHandler func(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
HttpHandler func(http.ResponseWriter, *http.Request)
|
||||
)
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ import (
|
|||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func Verify(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
func Verify(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
if request.Name != "kyverno-health" || request.Namespace != config.KyvernoNamespace() {
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
|
|
|
@ -25,8 +25,8 @@ func NewHandlers(client dclient.Interface, openApiManager openapi.Manager) webho
|
|||
}
|
||||
}
|
||||
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, _ time.Time) *admissionv1.AdmissionResponse {
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(request)
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, _ time.Time) admissionv1.AdmissionResponse {
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(&request)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policies from admission request")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
@ -38,6 +38,6 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
|
|||
return admissionutils.Response(request.UID, err, warnings...)
|
||||
}
|
||||
|
||||
func (h *handlers) Mutate(_ context.Context, _ logr.Logger, _ *admissionv1.AdmissionRequest, _ time.Time) *admissionv1.AdmissionResponse {
|
||||
return nil
|
||||
func (h *handlers) Mutate(_ context.Context, _ logr.Logger, request admissionv1.AdmissionRequest, _ time.Time) admissionv1.AdmissionResponse {
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
|
|
|
@ -101,7 +101,7 @@ func NewHandlers(
|
|||
}
|
||||
}
|
||||
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, failurePolicy string, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, failurePolicy string, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
kind := request.Kind.Kind
|
||||
logger = logger.WithValues("kind", kind)
|
||||
logger.V(4).Info("received an admission request in validating webhook")
|
||||
|
@ -120,7 +120,7 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
|
|||
|
||||
logger.V(4).Info("processing policies for validate admission request", "validate", len(policies), "mutate", len(mutatePolicies), "generate", len(generatePolicies))
|
||||
|
||||
policyContext, err := h.pcBuilder.Build(request)
|
||||
policyContext, err := h.pcBuilder.Build(&request)
|
||||
if err != nil {
|
||||
return errorResponse(logger, request.UID, err, "failed create policy context")
|
||||
}
|
||||
|
@ -132,18 +132,18 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
|
|||
policyContext = policyContext.WithNamespaceLabels(namespaceLabels)
|
||||
vh := validation.NewValidationHandler(logger, h.kyvernoClient, h.engine, h.pCache, h.pcBuilder, h.eventGen, h.admissionReports, h.metricsConfig, h.configuration)
|
||||
|
||||
ok, msg, warnings := vh.HandleValidation(ctx, request, policies, policyContext, startTime)
|
||||
ok, msg, warnings := vh.HandleValidation(ctx, &request, policies, policyContext, startTime)
|
||||
if !ok {
|
||||
logger.Info("admission request denied")
|
||||
return admissionutils.Response(request.UID, errors.New(msg), warnings...)
|
||||
}
|
||||
if !admissionutils.IsDryRun(request) {
|
||||
go h.handleBackgroundApplies(ctx, logger, request, policyContext, generatePolicies, mutatePolicies, startTime)
|
||||
if !admissionutils.IsDryRun(&request) {
|
||||
go h.handleBackgroundApplies(ctx, logger, &request, policyContext, generatePolicies, mutatePolicies, startTime)
|
||||
}
|
||||
return admissionutils.ResponseSuccess(request.UID, warnings...)
|
||||
}
|
||||
|
||||
func (h *handlers) Mutate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, failurePolicy string, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
func (h *handlers) Mutate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, failurePolicy string, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
kind := request.Kind.Kind
|
||||
logger = logger.WithValues("kind", kind)
|
||||
logger.V(4).Info("received an admission request in mutating webhook")
|
||||
|
@ -155,26 +155,26 @@ func (h *handlers) Mutate(ctx context.Context, logger logr.Logger, request *admi
|
|||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
logger.V(4).Info("processing policies for mutate admission request", "mutatePolicies", len(mutatePolicies), "verifyImagesPolicies", len(verifyImagesPolicies))
|
||||
policyContext, err := h.pcBuilder.Build(request)
|
||||
policyContext, err := h.pcBuilder.Build(&request)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to build policy context")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
mh := mutation.NewMutationHandler(logger, h.engine, h.eventGen, h.openApiManager, h.nsLister, h.metricsConfig)
|
||||
mutatePatches, mutateWarnings, err := mh.HandleMutation(ctx, request, mutatePolicies, policyContext, startTime)
|
||||
mutatePatches, mutateWarnings, err := mh.HandleMutation(ctx, &request, mutatePolicies, policyContext, startTime)
|
||||
if err != nil {
|
||||
logger.Error(err, "mutation failed")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
newRequest := patchRequest(mutatePatches, request, logger)
|
||||
// rebuild context to process images updated via mutate policies
|
||||
policyContext, err = h.pcBuilder.Build(newRequest)
|
||||
policyContext, err = h.pcBuilder.Build(&newRequest)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to build policy context")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
ivh := imageverification.NewImageVerificationHandler(logger, h.kyvernoClient, h.engine, h.eventGen, h.admissionReports, h.configuration)
|
||||
imagePatches, imageVerifyWarnings, err := ivh.Handle(ctx, newRequest, verifyImagesPolicies, policyContext)
|
||||
imagePatches, imageVerifyWarnings, err := ivh.Handle(ctx, &newRequest, verifyImagesPolicies, policyContext)
|
||||
if err != nil {
|
||||
logger.Error(err, "image verification failed")
|
||||
return admissionutils.Response(request.UID, err)
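Review bot: In Validate (hunk `@ -132,18 +132,18 @@`), `go h.handleBackgroundApplies(ctx, logger, &request, ...)` now hands the goroutine the address of the by-value parameter instead of a pointer into the caller's AdmissionReview, so the goroutine keeps its own copy after Validate returns; that is the right outcome, but it is a deliberate ownership choice that a later "avoid the copy" cleanup could silently undo. Suggest a why-comment above the `go` statement: `// request is a by-value copy that escapes to the goroutine; do not pass a pointer into the caller's AdmissionReview`. The copy is shallow — Object.Raw and the other slice-backed fields still share backing arrays with the caller — so it isolates field reassignment, not in-place writes. Validate starts before this hunk.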
|
||||
|
|
|
@ -272,7 +272,7 @@ func Test_AdmissionResponseValid(t *testing.T) {
|
|||
key := makeKey(&validPolicy)
|
||||
policyCache.Set(key, &validPolicy, policycache.TestResourceFinder{})
|
||||
|
||||
request := &v1.AdmissionRequest{
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
|
@ -283,7 +283,6 @@ func Test_AdmissionResponseValid(t *testing.T) {
|
|||
}
|
||||
|
||||
response := handlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
assert.Assert(t, response != nil)
|
||||
assert.Equal(t, response.Allowed, true)
|
||||
|
||||
response = handlers.Validate(ctx, logger, request, "", time.Now())
|
||||
|
@ -313,7 +312,7 @@ func Test_AdmissionResponseInvalid(t *testing.T) {
|
|||
err := json.Unmarshal([]byte(policyInvalid), &invalidPolicy)
|
||||
assert.NilError(t, err)
|
||||
|
||||
request := &v1.AdmissionRequest{
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
|
@ -356,7 +355,7 @@ func Test_ImageVerify(t *testing.T) {
|
|||
key := makeKey(&policy)
|
||||
policyCache.Set(key, &policy, policycache.TestResourceFinder{})
|
||||
|
||||
request := &v1.AdmissionRequest{
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
|
@ -398,7 +397,7 @@ func Test_MutateAndVerify(t *testing.T) {
|
|||
key := makeKey(&policy)
|
||||
policyCache.Set(key, &policy, policycache.TestResourceFinder{})
|
||||
|
||||
request := &v1.AdmissionRequest{
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "Pod"},
|
||||
|
|
|
@ -20,16 +20,15 @@ type updateRequestResponse struct {
|
|||
err error
|
||||
}
|
||||
|
||||
func errorResponse(logger logr.Logger, uid types.UID, err error, message string) *admissionv1.AdmissionResponse {
|
||||
func errorResponse(logger logr.Logger, uid types.UID, err error, message string) admissionv1.AdmissionResponse {
|
||||
logger.Error(err, message)
|
||||
return admissionutils.Response(uid, errors.New(message+": "+err.Error()))
|
||||
}
|
||||
|
||||
func patchRequest(patches []byte, request *admissionv1.AdmissionRequest, logger logr.Logger) *admissionv1.AdmissionRequest {
|
||||
func patchRequest(patches []byte, request admissionv1.AdmissionRequest, logger logr.Logger) admissionv1.AdmissionRequest {
|
||||
patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
|
||||
newRequest := request.DeepCopy()
|
||||
newRequest.Object.Raw = patchedResource
|
||||
return newRequest
|
||||
request.Object.Raw = patchedResource
|
||||
return request
|
||||
}
|
||||
|
||||
func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {
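Review bot: patchRequest (this hunk, from the `func patchRequest` line) replaced `request.DeepCopy()` with a plain struct copy, and a Go struct copy only copies slice headers: `Object.Raw` and the other slice-backed fields still share backing arrays with the caller's request. Reassigning `request.Object.Raw = patchedResource` is safe because it never writes through the shared array, but any future in-place edit (`append`, indexed writes) would corrupt the caller's copy, which Mutate still uses afterwards for `request.UID` and error responses. Suggest a comment above the assignment, `// request is a shallow copy; only reassign Object.Raw, never modify the shared bytes in place`, and confirm that processResourceWithPatches (continues outside this hunk) returns a fresh slice rather than patching resource in place.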
|
||||
|
|
|
@ -39,21 +39,21 @@ type Server interface {
|
|||
|
||||
type ExceptionHandlers interface {
|
||||
// Validate performs the validation check on exception resources
|
||||
Validate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
||||
Validate(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
}
|
||||
|
||||
type PolicyHandlers interface {
|
||||
// Mutate performs the mutation of policy resources
|
||||
Mutate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
||||
Mutate(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
// Validate performs the validation check on policy resources
|
||||
Validate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
||||
Validate(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
}
|
||||
|
||||
type ResourceHandlers interface {
|
||||
// Mutate performs the mutation of kube resources
|
||||
Mutate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, string, time.Time) *admissionv1.AdmissionResponse
|
||||
Mutate(context.Context, logr.Logger, admissionv1.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse
|
||||
// Validate performs the validation check on kube resources
|
||||
Validate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, string, time.Time) *admissionv1.AdmissionResponse
|
||||
Validate(context.Context, logr.Logger, admissionv1.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse
|
||||
}
|
||||
|
||||
type server struct {
|
||||
|
@ -245,24 +245,24 @@ func registerWebhookHandlers(
|
|||
mux *httprouter.Router,
|
||||
name string,
|
||||
basePath string,
|
||||
handlerFunc func(context.Context, logr.Logger, *admissionv1.AdmissionRequest, string, time.Time) *admissionv1.AdmissionResponse,
|
||||
handlerFunc func(context.Context, logr.Logger, admissionv1.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse,
|
||||
builder func(handler handlers.AdmissionHandler) handlers.HttpHandler,
|
||||
) {
|
||||
all := handlers.FromAdmissionFunc(
|
||||
name,
|
||||
func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return handlerFunc(ctx, logger, request, "all", startTime)
|
||||
},
|
||||
)
|
||||
ignore := handlers.FromAdmissionFunc(
|
||||
name,
|
||||
func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return handlerFunc(ctx, logger, request, "ignore", startTime)
|
||||
},
|
||||
)
|
||||
fail := handlers.FromAdmissionFunc(
|
||||
name,
|
||||
func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return handlerFunc(ctx, logger, request, "fail", startTime)
|
||||
},
|
||||
)
|
||||
|
|