feat: cleanup enhancements-1 (#5796)
* update fields description Signed-off-by: ShutingZhao <shuting@nirmata.com> * update cleanup controller clusterrole name Signed-off-by: ShutingZhao <shuting@nirmata.com> * - add variables validations to support "request." and "images."; - update debug log level to 4 Signed-off-by: ShutingZhao <shuting@nirmata.com> * add missing files Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
3c0b7856eb
commit
18455b4d21
16 changed files with 115 additions and 80 deletions
|
@ -164,7 +164,7 @@ type CleanupPolicySpec struct {
|
|||
// The schedule in Cron format
|
||||
Schedule string `json:"schedule"`
|
||||
|
||||
// Conditions defines conditions used to select resources which user needs to delete
|
||||
// Conditions defines the conditions used to select the resources which will be cleaned up.
|
||||
// +optional
|
||||
Conditions *kyvernov2beta1.AnyAllConditions `json:"conditions,omitempty"`
|
||||
}
|
||||
|
|
|
@ -119,14 +119,14 @@ type AnyAllConditions struct {
|
|||
// AnyConditions enable variable-based conditional rule execution. This is useful for
|
||||
// finer control of when an rule is applied. A condition can reference object data
|
||||
// using JMESPath notation.
|
||||
// Here, at least one of the conditions need to pass
|
||||
// Here, at least one of the conditions need to pass.
|
||||
// +optional
|
||||
AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
|
||||
|
||||
// AllConditions enable variable-based conditional rule execution. This is useful for
|
||||
// finer control of when an rule is applied. A condition can reference object data
|
||||
// using JMESPath notation.
|
||||
// Here, all of the conditions need to pass
|
||||
// Here, all of the conditions need to pass.
|
||||
// +optional
|
||||
AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: {{ template "kyverno.cleanup-controller.name" . }}
|
||||
name: {{ template "kyverno.name" . }}:cleanup-controller
|
||||
labels:
|
||||
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
|
||||
rules:
|
||||
|
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: {{ template "kyverno.cleanup-controller.name" . }}
|
||||
name: {{ template "kyverno.name" . }}:cleanup-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
|
||||
|
|
|
@ -702,14 +702,14 @@ spec:
|
|||
description: Spec declares policy behaviors.
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions defines conditions used to select resources
|
||||
which user needs to delete
|
||||
description: Conditions defines the conditions used to select the
|
||||
resources which will be cleaned up.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -749,7 +749,7 @@ spec:
|
|||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -2401,14 +2401,14 @@ spec:
|
|||
description: Spec declares policy behaviors.
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions defines conditions used to select resources
|
||||
which user needs to delete
|
||||
description: Conditions defines the conditions used to select the
|
||||
resources which will be cleaned up.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -2448,7 +2448,7 @@ spec:
|
|||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11622,7 +11622,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, all of the conditions need
|
||||
to pass
|
||||
to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11663,7 +11663,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, at least one of the conditions
|
||||
need to pass
|
||||
need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11723,7 +11723,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, all of the conditions need to pass
|
||||
Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11766,7 +11766,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, at least one of the conditions need to pass
|
||||
Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -24827,7 +24827,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, all of the conditions need
|
||||
to pass
|
||||
to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -24868,7 +24868,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, at least one of the conditions
|
||||
need to pass
|
||||
need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -24928,7 +24928,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, all of the conditions need to pass
|
||||
Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -24971,7 +24971,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, at least one of the conditions need to pass
|
||||
Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
|
|
@ -64,7 +64,7 @@ func (h *handlers) lookupPolicy(namespace, name string) (kyvernov2alpha1.Cleanup
|
|||
func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyInterface, cfg config.Configuration) error {
|
||||
spec := policy.GetSpec()
|
||||
kinds := sets.New(spec.MatchResources.GetKinds()...)
|
||||
debug := logger.V(5)
|
||||
debug := logger.V(4)
|
||||
var errs []error
|
||||
for kind := range kinds {
|
||||
debug := debug.WithValues("kind", kind)
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
func shutdown(logger logr.Logger, sdowns ...context.CancelFunc) context.CancelFunc {
|
||||
return func() {
|
||||
for i := range sdowns {
|
||||
logger.Info("shuting down...")
|
||||
logger.Info("shutting down...")
|
||||
defer sdowns[i]()
|
||||
}
|
||||
}
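Review bot: The corrected `logger.Info("shutting down...")` message is still emitted once per cancel func before any of them runs, because the `defer sdowns[i]()` on the following line only fires when the returned closure exits; with several cancel funcs the log shows all the "shutting down" lines up-front and nothing when each teardown actually happens. If one message per teardown is intended, log inside the deferred call, e.g. `defer func(i int) { logger.Info("shutting down..."); sdowns[i]() }(i)`. If the current ordering is deliberate, a one-line comment saying the cancels run in reverse order on return would stop the next reader from "fixing" it.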
|
||||
|
|
|
@ -47,14 +47,14 @@ spec:
|
|||
description: Spec declares policy behaviors.
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions defines conditions used to select resources
|
||||
which user needs to delete
|
||||
description: Conditions defines the conditions used to select the
|
||||
resources which will be cleaned up.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -94,7 +94,7 @@ spec:
|
|||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
|
|
@ -47,14 +47,14 @@ spec:
|
|||
description: Spec declares policy behaviors.
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions defines conditions used to select resources
|
||||
which user needs to delete
|
||||
description: Conditions defines the conditions used to select the
|
||||
resources which will be cleaned up.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -94,7 +94,7 @@ spec:
|
|||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
|
|
@ -8220,7 +8220,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, all of the conditions need
|
||||
to pass
|
||||
to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -8261,7 +8261,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, at least one of the conditions
|
||||
need to pass
|
||||
need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -8321,7 +8321,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, all of the conditions need to pass
|
||||
Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -8364,7 +8364,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, at least one of the conditions need to pass
|
||||
Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
|
|
@ -8223,7 +8223,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, all of the conditions need
|
||||
to pass
|
||||
to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -8264,7 +8264,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, at least one of the conditions
|
||||
need to pass
|
||||
need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -8324,7 +8324,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, all of the conditions need to pass
|
||||
Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -8367,7 +8367,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, at least one of the conditions need to pass
|
||||
Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
|
|
@ -771,14 +771,14 @@ spec:
|
|||
description: Spec declares policy behaviors.
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions defines conditions used to select resources
|
||||
which user needs to delete
|
||||
description: Conditions defines the conditions used to select the
|
||||
resources which will be cleaned up.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -818,7 +818,7 @@ spec:
|
|||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -2473,14 +2473,14 @@ spec:
|
|||
description: Spec declares policy behaviors.
|
||||
properties:
|
||||
conditions:
|
||||
description: Conditions defines conditions used to select resources
|
||||
which user needs to delete
|
||||
description: Conditions defines the conditions used to select the
|
||||
resources which will be cleaned up.
|
||||
properties:
|
||||
all:
|
||||
description: AllConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, all of the conditions need to pass
|
||||
notation. Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -2520,7 +2520,7 @@ spec:
|
|||
description: AnyConditions enable variable-based conditional rule
|
||||
execution. This is useful for finer control of when an rule
|
||||
is applied. A condition can reference object data using JMESPath
|
||||
notation. Here, at least one of the conditions need to pass
|
||||
notation. Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11695,7 +11695,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, all of the conditions need
|
||||
to pass
|
||||
to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11736,7 +11736,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, at least one of the conditions
|
||||
need to pass
|
||||
need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11796,7 +11796,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, all of the conditions need to pass
|
||||
Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -11839,7 +11839,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, at least one of the conditions need to pass
|
||||
Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -24902,7 +24902,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, all of the conditions need
|
||||
to pass
|
||||
to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -24943,7 +24943,7 @@ spec:
|
|||
rule execution. This is useful for finer control of when
|
||||
an rule is applied. A condition can reference object data
|
||||
using JMESPath notation. Here, at least one of the conditions
|
||||
need to pass
|
||||
need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -25003,7 +25003,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, all of the conditions need to pass
|
||||
Here, all of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -25046,7 +25046,7 @@ spec:
|
|||
conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition
|
||||
can reference object data using JMESPath notation.
|
||||
Here, at least one of the conditions need to pass
|
||||
Here, at least one of the conditions need to pass.
|
||||
items:
|
||||
properties:
|
||||
key:
|
||||
|
@ -31438,7 +31438,7 @@ rules:
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: kyverno-cleanup-controller
|
||||
name: kyverno:cleanup-controller
|
||||
labels:
|
||||
app.kubernetes.io/part-of: kyverno
|
||||
app.kubernetes.io/version: latest
|
||||
|
@ -31709,7 +31709,7 @@ metadata:
|
|||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: kyverno-cleanup-controller
|
||||
name: kyverno:cleanup-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kyverno-cleanup-controller
|
||||
|
|
|
@ -5226,7 +5226,7 @@ AnyAllConditions
|
|||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Conditions defines conditions used to select resources which user needs to delete</p>
|
||||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
@ -5361,7 +5361,7 @@ AnyAllConditions
|
|||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Conditions defines conditions used to select resources which user needs to delete</p>
|
||||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
@ -5552,7 +5552,7 @@ AnyAllConditions
|
|||
</td>
|
||||
<td>
|
||||
<em>(Optional)</em>
|
||||
<p>Conditions defines conditions used to select resources which user needs to delete</p>
|
||||
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
@ -6168,7 +6168,7 @@ PolicyStatus
|
|||
<p>AnyConditions enable variable-based conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition can reference object data
|
||||
using JMESPath notation.
|
||||
Here, at least one of the conditions need to pass</p>
|
||||
Here, at least one of the conditions need to pass.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -6185,7 +6185,7 @@ Here, at least one of the conditions need to pass</p>
|
|||
<p>AllConditions enable variable-based conditional rule execution. This is useful for
|
||||
finer control of when an rule is applied. A condition can reference object data
|
||||
using JMESPath notation.
|
||||
Here, all of the conditions need to pass</p>
|
||||
Here, all of the conditions need to pass.</p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
|
21
pkg/engine/variables/errs.go
Normal file
21
pkg/engine/variables/errs.go
Normal file
|
@ -0,0 +1,21 @@
|
|||
package variables
|
||||
|
||||
import (
|
||||
"github.com/jmespath/go-jmespath"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
)
|
||||
|
||||
func CheckNotFoundErr(err error) bool {
|
||||
if err != nil {
|
||||
switch err.(type) {
|
||||
case jmespath.NotFoundError:
|
||||
return true
|
||||
case enginecontext.InvalidVariableError:
|
||||
return false
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
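Review bot: CheckNotFoundErr is exported without a doc comment, and its contract is not obvious from the name: it returns true for a nil error as well as for a jmespath.NotFoundError, so true means "this substitution error can be ignored" rather than "not found". Suggested comment: `// CheckNotFoundErr reports whether err is nil or a jmespath.NotFoundError, i.e. whether a variable substitution failure may be ignored; any other error, including enginecontext.InvalidVariableError, is treated as fatal.` The `case enginecontext.InvalidVariableError` branch returns the same value as `default`, so either drop it or add a comment saying it is listed deliberately for documentation. Note also that `switch err.(type)` matches only the concrete value; if any caller wraps substitution errors with `%w`, a wrapped NotFoundError would be reported as fatal, and `errors.As` would be the robust check — I cannot see the callers' wrapping from this page.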
|
|
@ -498,7 +498,7 @@ func hasInvalidVariables(policy kyvernov1.PolicyInterface, background bool) erro
|
|||
}
|
||||
|
||||
ctx := buildContext(ruleCopy, background)
|
||||
if _, err := variables.SubstituteAllInRule(logging.GlobalLogger(), ctx, *ruleCopy); !checkNotFoundErr(err) {
|
||||
if _, err := variables.SubstituteAllInRule(logging.GlobalLogger(), ctx, *ruleCopy); !variables.CheckNotFoundErr(err) {
|
||||
return fmt.Errorf("variable substitution failed for rule %s: %s", ruleCopy.Name, err.Error())
|
||||
}
|
||||
}
|
||||
|
@ -647,21 +647,6 @@ func addContextVariables(entries []kyvernov1.ContextEntry, ctx *enginecontext.Mo
|
|||
}
|
||||
}
|
||||
|
||||
func checkNotFoundErr(err error) bool {
|
||||
if err != nil {
|
||||
switch err.(type) {
|
||||
case jmespath.NotFoundError:
|
||||
return true
|
||||
case enginecontext.InvalidVariableError:
|
||||
return false
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func validateElementInForEach(document apiextensions.JSON) error {
|
||||
jsonByte, err := json.Marshal(document)
|
||||
if err != nil {
|
||||
|
|
|
@ -3,11 +3,14 @@ package cleanuppolicy
|
|||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"regexp"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
|
||||
"github.com/kyverno/kyverno/pkg/auth"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/client-go/discovery"
|
||||
)
|
||||
|
@ -48,6 +51,10 @@ func Validate(ctx context.Context, logger logr.Logger, client dclient.Interface,
|
|||
if err := validateAuth(ctx, client, policy); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := validateVariables(logger, policy); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -64,13 +71,35 @@ func validateAuth(ctx context.Context, client dclient.Interface, policy kyvernov
|
|||
kinds := sets.New(spec.MatchResources.GetKinds()...)
|
||||
for kind := range kinds {
|
||||
checker := auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, "delete", "")
|
||||
allowed, err := checker.RunAccessCheck(ctx)
|
||||
allowedDeletion, err := checker.RunAccessCheck(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !allowed {
|
||||
if !allowedDeletion {
|
||||
return fmt.Errorf("cleanup controller has no permission to delete kind %s", kind)
|
||||
}
|
||||
|
||||
checker = auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, "list", "")
|
||||
allowedList, err := checker.RunAccessCheck(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !allowedList {
|
||||
return fmt.Errorf("cleanup controller has no permission to list kind %s", kind)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func validateVariables(logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyInterface) error {
|
||||
ctx := enginecontext.NewMockContext(allowedVariables)
|
||||
|
||||
c := policy.GetSpec().Conditions
|
||||
conditionCopy := c.DeepCopy()
|
||||
if _, err := variables.SubstituteAllInType(logger, ctx, conditionCopy); !variables.CheckNotFoundErr(err) {
|
||||
return fmt.Errorf("variable substitution failed for policy %s: %s", policy.GetName(), err.Error())
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
var allowedVariables = regexp.MustCompile(`request\.|images\.|([a-z_0-9]+\()[^{}]`)
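Review bot: validateVariables calls `c.DeepCopy()` on `policy.GetSpec().Conditions` without a nil check, although that field is declared `*kyvernov2beta1.AnyAllConditions` with `+optional` in the CleanupPolicySpec hunk earlier in this commit; whether the generated DeepCopy and SubstituteAllInType tolerate a nil pointer is not visible here, so an explicit `if c == nil { return nil }` after the `c := policy.GetSpec().Conditions` line would make the intent clear and avoid depending on that. The `allowedVariables` pattern is unanchored, so as far as this hunk shows any variable name that merely contains `request.` or `images.`, or anything that looks like a function call, satisfies the allow-list; if NewMockContext matches the whole variable name, anchoring the roots with `^` would tighten it, and the var deserves a comment stating which variable roots a cleanup policy is allowed to reference and why. In validateAuth the new list check repeats the delete check line for line; iterating over `[]string{"delete", "list"}` would keep the two checks in step if a third verb is ever added.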
|
||||
|
|