mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-29 02:45:06 +00:00
Merge branch 'feature_add_pkg_engine' of github.com:nirmata/kube-policy into feature_add_pkg_engine
Add violation framework
This commit is contained in:
Shivkumar Dudhani
commit
18f4198bec
2 changed files with 58 additions and 22 deletions
|
|
@ -44,12 +44,44 @@ func AdmissionIsRequired(request *v1beta1.AdmissionRequest) bool {
|
|||
|
||||
// Checks requests kind, name and labels to fit the policy
|
||||
func IsRuleApplicableToRequest(policyResource types.PolicyResource, request *v1beta1.AdmissionRequest) bool {
|
||||
if policyResource.Kind != request.Kind.Kind {
|
||||
return IsRuleApplicableToResource(request.Kind.Kind, request.Object.Raw, policyResource)
|
||||
// if policyResource.Kind != request.Kind.Kind {
|
||||
// return false
|
||||
// }
|
||||
|
||||
// if request.Object.Raw != nil {
|
||||
// meta := parseMetadataFromObject(request.Object.Raw)
|
||||
// name := parseNameFromMetadata(meta)
|
||||
|
||||
// if policyResource.Name != nil && *policyResource.Name != name {
|
||||
// return false
|
||||
// }
|
||||
|
||||
// if policyResource.Selector != nil {
|
||||
// selector, err := metav1.LabelSelectorAsSelector(policyResource.Selector)
|
||||
|
||||
// if err != nil {
|
||||
// return false
|
||||
// }
|
||||
|
||||
// labelMap := parseLabelsFromMetadata(meta)
|
||||
|
||||
// if !selector.Matches(labelMap) {
|
||||
// return false
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// return true
|
||||
}
|
||||
|
||||
// kind is the type of object being manipulated
|
||||
func IsRuleApplicableToResource(kind string, resourceRaw []byte, policyResource types.PolicyResource) bool {
|
||||
if policyResource.Kind != kind {
|
||||
return false
|
||||
}
|
||||
|
||||
if request.Object.Raw != nil {
|
||||
meta := parseMetadataFromObject(request.Object.Raw)
|
||||
if resourceRaw != nil {
|
||||
meta := parseMetadataFromObject(resourceRaw)
|
||||
name := parseNameFromMetadata(meta)
|
||||
|
||||
if policyResource.Name != nil && *policyResource.Name != name {
|
||||
|
|
|
|||
|
|
@ -104,6 +104,12 @@ func getPolicyPatchingSets(policy types.Policy) PatchingSets {
|
|||
// May return nil patches if it is not necessary to create patches for requested object.
|
||||
// Returns error ONLY in case when creation of resource should be denied.
|
||||
func (mw *MutationWebhook) applyPolicyRules(request *v1beta1.AdmissionRequest, policy types.Policy) ([]PatchBytes, error) {
|
||||
return mw.applyPolicyRulesOnResource(request.Kind.Kind, request.Object.Raw, policy)
|
||||
}
|
||||
|
||||
// TODO: add another violation field in return elements
|
||||
// kind is the type of object being manipulated
|
||||
func (mw *MutationWebhook) applyPolicyRulesOnResource(kind string, rawResource []byte, policy types.Policy) ([]PatchBytes, error) {
|
||||
patchingSets := getPolicyPatchingSets(policy)
|
||||
var policyPatches []PatchBytes
|
||||
|
||||
|
|
@ -114,25 +120,27 @@ func (mw *MutationWebhook) applyPolicyRules(request *v1beta1.AdmissionRequest, p
|
|||
continue
|
||||
}
|
||||
|
||||
if !IsRuleApplicableToRequest(rule.Resource, request) {
|
||||
if !IsRuleApplicableToResource(kind, rawResource, rule.Resource) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
err = mw.applyRuleGenerators(request, rule)
|
||||
if err != nil && patchingSets == PatchingSetsStopOnError {
|
||||
return nil, errors.New(fmt.Sprintf("Failed to apply generators from rule #%d: %s", ruleIdx, err))
|
||||
// configMapGenerator and secretGenerator can be applied only to namespaces
|
||||
if kind == "Namespace" {
|
||||
err = mw.applyRuleGenerators(rawResource, rule)
|
||||
if err != nil && patchingSets == PatchingSetsStopOnError {
|
||||
return nil, fmt.Errorf("Failed to apply generators from rule #%d: %s", ruleIdx, err)
|
||||
}
|
||||
}
|
||||
|
||||
rulePatchesProcessed, err := ProcessPatches(rule.Patches, request.Object.Raw, patchingSets)
|
||||
rulePatchesProcessed, err := ProcessPatches(rule.Patches, rawResource, patchingSets)
|
||||
if err != nil {
|
||||
return nil, errors.New(fmt.Sprintf("Failed to process patches from rule #%d: %s", ruleIdx, err))
|
||||
return nil, fmt.Errorf("Failed to process patches from rule #%d: %s", ruleIdx, err)
|
||||
}
|
||||
|
||||
if rulePatchesProcessed != nil {
|
||||
policyPatches = append(policyPatches, rulePatchesProcessed...)
|
||||
mw.logger.Printf("Rule %d: prepared %d patches", ruleIdx, len(rulePatchesProcessed))
|
||||
} else {
|
||||
mw.logger.Print("Rule %d: no patches prepared")
|
||||
mw.logger.Printf("Rule %d: no patches prepared", ruleIdx)
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -140,19 +148,15 @@ func (mw *MutationWebhook) applyPolicyRules(request *v1beta1.AdmissionRequest, p
|
|||
}
|
||||
|
||||
// Applies "configMapGenerator" and "secretGenerator" described in PolicyRule
|
||||
func (mw *MutationWebhook) applyRuleGenerators(request *v1beta1.AdmissionRequest, rule types.PolicyRule) error {
|
||||
// configMapGenerator and secretGenerator can be applied only to namespaces
|
||||
if request.Kind.Kind == "Namespace" {
|
||||
meta := parseMetadataFromObject(request.Object.Raw)
|
||||
namespaceName := parseNameFromMetadata(meta)
|
||||
func (mw *MutationWebhook) applyRuleGenerators(rawResource []byte, rule types.PolicyRule) error {
|
||||
meta := parseMetadataFromObject(rawResource)
|
||||
namespaceName := parseNameFromMetadata(meta)
|
||||
|
||||
err := mw.applyConfigGenerator(rule.ConfigMapGenerator, namespaceName, "ConfigMap")
|
||||
if err == nil {
|
||||
err = mw.applyConfigGenerator(rule.SecretGenerator, namespaceName, "Secret")
|
||||
}
|
||||
return err
|
||||
err := mw.applyConfigGenerator(rule.ConfigMapGenerator, namespaceName, "ConfigMap")
|
||||
if err == nil {
|
||||
err = mw.applyConfigGenerator(rule.SecretGenerator, namespaceName, "Secret")
|
||||
}
|
||||
return nil
|
||||
return err
|
||||
}
|
||||
|
||||
// Creates resourceKind (ConfigMap or Secret) with parameters specified in generator in cluster specified in request.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue