feat: remove context api call constraints (#4389)

* feat: add raw api call support Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * feat: remove context api call constraints Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-09-01 10:30:04 +02:00 · 2022-09-01 10:30:04 +02:00 · 1e25bfd16f
commit 1e25bfd16f
parent 99f6dedb20
4 changed files with 5 additions and 287 deletions
--- a/pkg/engine/apiPath.go
+++ b/pkg/engine/apiPath.go
@ -1,167 +0,0 @@
-package engine
-
-import (
-	"fmt"
-	"strings"
-)
-
-type APIPath struct {
-	Root         string
-	Group        string
-	Version      string
-	ResourceType string
-	Name         string
-	Namespace    string
-	Raw          string
-}
-
-// NewAPIPath validates and parses an API path.
-// See: https://kubernetes.io/docs/reference/using-api/api-concepts/
-func NewAPIPath(path string) (*APIPath, error) {
-	trimmedPath := strings.Trim(path, "/ ")
-	paths := strings.Split(trimmedPath, "/")
-
-	if paths[0] == "apis" && len(paths) > 7 {
-		return &APIPath{
-			Raw: path,
-		}, nil
-	}
-
-	if len(paths) < 3 || len(paths) > 7 {
-		return nil, fmt.Errorf("invalid path length %s", path)
-	}
-
-	if paths[0] != "api" && paths[0] != "apis" {
-		return nil, fmt.Errorf("urlPath must start with /api or /apis")
-	}
-
-	if paths[0] == "api" && paths[1] != "v1" {
-		return nil, fmt.Errorf("expected urlPath to start with /api/v1/")
-	}
-
-	if paths[0] == "api" {
-		// /api/v1/namespaces
-		if len(paths) == 3 {
-			return &APIPath{
-				Root:         paths[0],
-				Group:        paths[1],
-				ResourceType: paths[2],
-			}, nil
-		}
-
-		// /api/v1/namespaces/foo
-		if len(paths) == 4 {
-			return &APIPath{
-				Root:         paths[0],
-				Group:        paths[1],
-				ResourceType: paths[2],
-				Name:         paths[3],
-			}, nil
-		}
-
-		// /api/v1/namespaces/foo/pods
-		if len(paths) == 5 {
-			return &APIPath{
-				Root:         paths[0],
-				Group:        paths[1],
-				Namespace:    paths[3],
-				ResourceType: paths[4],
-			}, nil
-		}
-
-		if len(paths) == 6 {
-			return &APIPath{
-				Root:         paths[0],
-				Group:        paths[1],
-				Namespace:    paths[3],
-				ResourceType: paths[4],
-				Name:         paths[5],
-			}, nil
-		}
-
-		return nil, fmt.Errorf("invalid API v1 path %s", path)
-	}
-
-	// /apis/GROUP/VERSION/RESOURCETYPE/
-	if len(paths) == 4 {
-		return &APIPath{
-			Root:         paths[0],
-			Group:        paths[1],
-			Version:      paths[1] + "/" + paths[2],
-			ResourceType: paths[3],
-		}, nil
-	}
-
-	// /apis/GROUP/VERSION/RESOURCETYPE/NAME
-	if len(paths) == 5 {
-		return &APIPath{
-			Root:         paths[0],
-			Group:        paths[1],
-			Version:      paths[1] + "/" + paths[2],
-			ResourceType: paths[3],
-			Name:         paths[4],
-		}, nil
-	}
-
-	// /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE
-	if len(paths) == 6 {
-		return &APIPath{
-			Root:         paths[0],
-			Group:        paths[1],
-			Version:      paths[1] + "/" + paths[2],
-			Namespace:    paths[4],
-			ResourceType: paths[5],
-		}, nil
-	}
-
-	// /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME
-	if len(paths) == 7 {
-		return &APIPath{
-			Root:         paths[0],
-			Group:        paths[1],
-			Version:      paths[1] + "/" + paths[2],
-			Namespace:    paths[4],
-			ResourceType: paths[5],
-			Name:         paths[6],
-		}, nil
-	}
-
-	return nil, fmt.Errorf("invalid API path %s", path)
-}
-
-func (a *APIPath) String() string {
-	var paths []string
-	if a.Root == "apis" {
-		if a.Namespace != "" {
-			if a.Name == "" {
-				paths = []string{a.Root, a.Version, "namespaces", a.Namespace, a.ResourceType}
-			} else {
-				paths = []string{a.Root, a.Version, "namespaces", a.Namespace, a.ResourceType, a.Name}
-			}
-		} else {
-			if a.Name != "" {
-				paths = []string{a.Root, a.Version, a.ResourceType, a.Name}
-			} else {
-				paths = []string{a.Root, a.Version, a.ResourceType}
-			}
-		}
-	} else {
-		if a.Namespace != "" {
-			if a.Name == "" {
-				paths = []string{a.Root, a.Group, "namespaces", a.Namespace, a.ResourceType}
-			} else {
-				paths = []string{a.Root, a.Group, "namespaces", a.Namespace, a.ResourceType, a.Name}
-			}
-		} else {
-			if a.Name != "" {
-				paths = []string{a.Root, a.Group, a.ResourceType, a.Name}
-			} else {
-				paths = []string{a.Root, a.Group, a.ResourceType}
-			}
-		}
-	}
-
-	result := "/" + strings.Join(paths, "/")
-	result = strings.ReplaceAll(result, "//", "/")
-	return result
-}
--- a/pkg/engine/apiPath_test.go
+++ b/pkg/engine/apiPath_test.go
@ -1,67 +0,0 @@
-package engine
-
-import (
-	"testing"
-)
-
-func Test_Raw(t *testing.T) {
-	f := func(path string) {
-		p, err := NewAPIPath(path)
-		if err != nil {
-			t.Error(err)
-			return
-		}
-
-		if p.Raw != path {
-			t.Errorf("expected raw path %s got %s", path, p.Raw)
-		}
-	}
-
-	f("/apis/cluster.karmada.io/v1alpha1/clusters/member1/proxy/api/v1/namespaces/{{ request.namespace }}/pods")
-}
-
-func Test_Paths(t *testing.T) {
-	f := func(path, expected string) {
-		p, err := NewAPIPath(path)
-		if err != nil {
-			t.Error(err)
-			return
-		}
-
-		if p.String() != expected {
-			t.Errorf("expected %s got %s", expected, p.String())
-		}
-	}
-
-	f("/api/v1/namespace/{{ request.namespace }}", "/api/v1/namespace/{{ request.namespace }}")
-	f("/api/v1/namespace/{{ request.namespace }}/", "/api/v1/namespace/{{ request.namespace }}")
-	f("/api/v1/namespace/{{ request.namespace }}/  ", "/api/v1/namespace/{{ request.namespace }}")
-	f("  /api/v1/namespace/{{ request.namespace }}", "/api/v1/namespace/{{ request.namespace }}")
-	f("/apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams", "/apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams")
-	f("/apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams/", "/apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams")
-	f("/apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams/  ", "/apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams")
-	f("  /apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams", "/apis/gloo.solo.io/v1/namespaces/gloo-system/upstreams")
-}
-
-func Test_GroupVersions(t *testing.T) {
-	f := func(path, expected string) {
-		p, err := NewAPIPath(path)
-		if err != nil {
-			t.Error(err)
-			return
-		}
-
-		if p.Root == "api" {
-			if p.Group != expected {
-				t.Errorf("expected %s got %s", expected, p.Group)
-			}
-		} else {
-			if p.Version != expected {
-				t.Errorf("expected %s got %s", expected, p.Version)
-			}
-		}
-	}
-
-	f("/api/v1/namespace/{{ request.namespace }}", "v1")
-	f("/apis/extensions/v1beta1/namespaces/example/ingresses", "extensions/v1beta1")
-}
--- a/pkg/engine/jsonContext.go
+++ b/pkg/engine/jsonContext.go
@ -302,57 +302,17 @@ func fetchAPIData(log logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyCont
 	}

 	pathStr := path.(string)
-	p, err := NewAPIPath(pathStr)
-	if err != nil {
-		return nil, fmt.Errorf("failed to build API path for %s %v: %v", entry.Name, entry.APICall, err)
-	}

-	var jsonData []byte
-	if p.Name != "" {
-		jsonData, err = loadResource(ctx, p)
-		if err != nil {
-			return nil, fmt.Errorf("failed to add resource with urlPath: %s: %v", p, err)
-		}
-	} else if p.Raw != "" {
-		jsonData, err = getResource(ctx, p)
-		if err != nil {
-			return nil, fmt.Errorf("failed to get resource with raw url\n: %s: %v", p, err)
-		}
-	} else {
-		jsonData, err = loadResourceList(ctx, p)
-		if err != nil {
-			return nil, fmt.Errorf("failed to add resource list with urlPath: %s, error: %v", p, err)
-		}
+	jsonData, err := getResource(ctx, pathStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get resource with raw url\n: %s: %v", pathStr, err)
 	}

 	return jsonData, nil
 }

-func loadResourceList(ctx *PolicyContext, p *APIPath) ([]byte, error) {
-	if ctx.Client == nil {
-		return nil, fmt.Errorf("API client is not available")
-	}
-
-	l, err := ctx.Client.ListResource(p.Version, p.ResourceType, p.Namespace, nil)
-	if err != nil {
-		return nil, err
-	}
-	return l.MarshalJSON()
-}
-
-func loadResource(ctx *PolicyContext, p *APIPath) ([]byte, error) {
-	if ctx.Client == nil {
-		return nil, fmt.Errorf("API client is not available")
-	}
-	r, err := ctx.Client.GetResource(p.Version, p.ResourceType, p.Namespace, p.Name)
-	if err != nil {
-		return nil, err
-	}
-	return r.MarshalJSON()
-}
-
-func getResource(ctx *PolicyContext, p *APIPath) ([]byte, error) {
-	return ctx.Client.RawAbsPath(p.Raw)
+func getResource(ctx *PolicyContext, p string) ([]byte, error) {
+	return ctx.Client.RawAbsPath(p)
 }

 func loadConfigMap(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyContext) error {
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -16,7 +16,6 @@ import (
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
-	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
 	"github.com/kyverno/kyverno/pkg/openapi"
@ -936,13 +935,6 @@ func validateConfigMap(entry kyvernov1.ContextEntry) error {
 }

 func validateAPICall(entry kyvernov1.ContextEntry) error {
-	// Replace all variables to prevent validation failing on variable keys.
-	urlPath := variables.ReplaceAllVars(entry.APICall.URLPath, func(s string) string { return "kyvernoapicallvariable" })
-
-	if _, err := engine.NewAPIPath(urlPath); err != nil {
-		return err
-	}
-
 	// If JMESPath contains variables, the validation will fail because it's not possible to infer which value
 	// will be inserted by the variable
 	// Skip validation if a variable is detected