rename namespacedpolicyviolation: update code
parent
a107ad7ac8
commit
2c783cfe02
7 changed files with 66 additions and 66 deletions
|
@ -47,7 +47,7 @@ func (pc *PolicyController) cleanUpPolicyViolation(pResponse engine.PolicyRespon
|
|||
}
|
||||
|
||||
for _, pv := range nspvs {
|
||||
if reflect.DeepEqual(pv, kyverno.NamespacedPolicyViolation{}) {
|
||||
if reflect.DeepEqual(pv, kyverno.PolicyViolation{}) {
|
||||
continue
|
||||
}
|
||||
glog.V(4).Infof("cleanup namespaced violation %s on %s", pv.Name, pv.Spec.ResourceSpec.ToKey())
|
||||
|
@ -127,8 +127,8 @@ func getClusterPVonOwnerRef(pvLister kyvernolister.ClusterPolicyViolationLister,
|
|||
return pvs, nil
|
||||
}
|
||||
|
||||
func getNamespacedPVs(nspvLister kyvernolister.NamespacedPolicyViolationLister, client *dclient.Client, policyName, kind, namespace, name string) ([]kyverno.NamespacedPolicyViolation, error) {
|
||||
var pvs []kyverno.NamespacedPolicyViolation
|
||||
func getNamespacedPVs(nspvLister kyvernolister.PolicyViolationLister, client *dclient.Client, policyName, kind, namespace, name string) ([]kyverno.PolicyViolation, error) {
|
||||
var pvs []kyverno.PolicyViolation
|
||||
var err error
|
||||
pv, err := getNamespacedPVOnResource(nspvLister, policyName, kind, namespace, name)
|
||||
if err != nil {
|
||||
|
@ -136,7 +136,7 @@ func getNamespacedPVs(nspvLister kyvernolister.NamespacedPolicyViolationLister,
|
|||
return nil, err
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(pv, kyverno.NamespacedPolicyViolation{}) {
|
||||
if !reflect.DeepEqual(pv, kyverno.PolicyViolation{}) {
|
||||
// found a violation on resource
|
||||
pvs = append(pvs, pv)
|
||||
return pvs, nil
|
||||
|
@ -151,11 +151,11 @@ func getNamespacedPVs(nspvLister kyvernolister.NamespacedPolicyViolationLister,
|
|||
return pvs, nil
|
||||
}
|
||||
|
||||
func getNamespacedPVOnResource(nspvLister kyvernolister.NamespacedPolicyViolationLister, policyName, kind, namespace, name string) (kyverno.NamespacedPolicyViolation, error) {
|
||||
nspvs, err := nspvLister.NamespacedPolicyViolations(namespace).List(labels.Everything())
|
||||
func getNamespacedPVOnResource(nspvLister kyvernolister.PolicyViolationLister, policyName, kind, namespace, name string) (kyverno.PolicyViolation, error) {
|
||||
nspvs, err := nspvLister.PolicyViolations(namespace).List(labels.Everything())
|
||||
if err != nil {
|
||||
glog.V(2).Infof("failed to list namespaced pv: %v", err)
|
||||
return kyverno.NamespacedPolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)
|
||||
return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)
|
||||
}
|
||||
|
||||
for _, nspv := range nspvs {
|
||||
|
@ -166,11 +166,11 @@ func getNamespacedPVOnResource(nspvLister kyvernolister.NamespacedPolicyViolatio
|
|||
return *nspv, nil
|
||||
}
|
||||
}
|
||||
return kyverno.NamespacedPolicyViolation{}, nil
|
||||
return kyverno.PolicyViolation{}, nil
|
||||
}
|
||||
|
||||
func getNamespacedPVonOwnerRef(nspvLister kyvernolister.NamespacedPolicyViolationLister, dclient *dclient.Client, policyName, kind, namespace, name string) ([]kyverno.NamespacedPolicyViolation, error) {
|
||||
var pvs []kyverno.NamespacedPolicyViolation
|
||||
func getNamespacedPVonOwnerRef(nspvLister kyvernolister.PolicyViolationLister, dclient *dclient.Client, policyName, kind, namespace, name string) ([]kyverno.PolicyViolation, error) {
|
||||
var pvs []kyverno.PolicyViolation
|
||||
// get resource
|
||||
resource, err := dclient.GetResource(kind, namespace, name)
|
||||
if err != nil {
|
||||
|
|
|
@ -64,7 +64,7 @@ type PolicyController struct {
|
|||
// pvLister can list/get policy violation from the shared informer's store
|
||||
pvLister kyvernolister.ClusterPolicyViolationLister
|
||||
// nspvLister can list/get namespaced policy violation from the shared informer's store
|
||||
nspvLister kyvernolister.NamespacedPolicyViolationLister
|
||||
nspvLister kyvernolister.PolicyViolationLister
|
||||
// pListerSynced returns true if the Policy store has been synced at least once
|
||||
pListerSynced cache.InformerSynced
|
||||
// pvListerSynced returns true if the Policy store has been synced at least once
|
||||
|
@ -90,7 +90,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset,
|
|||
client *client.Client,
|
||||
pInformer kyvernoinformer.ClusterPolicyInformer,
|
||||
pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
|
||||
nspvInformer kyvernoinformer.NamespacedPolicyViolationInformer,
|
||||
nspvInformer kyvernoinformer.PolicyViolationInformer,
|
||||
configHandler config.Interface,
|
||||
eventGen event.Interface,
|
||||
pvGenerator policyviolation.GeneratorInterface,
|
||||
|
@ -490,7 +490,7 @@ func (pc *PolicyController) syncPolicy(key string) error {
|
|||
//syncStatusOnly updates the policy status subresource
|
||||
// status:
|
||||
// - violations : (count of the resources that violate this policy )
|
||||
func (pc *PolicyController) syncStatusOnly(p *kyverno.ClusterPolicy, pvList []*kyverno.ClusterPolicyViolation, nspvList []*kyverno.NamespacedPolicyViolation) error {
|
||||
func (pc *PolicyController) syncStatusOnly(p *kyverno.ClusterPolicy, pvList []*kyverno.ClusterPolicyViolation, nspvList []*kyverno.PolicyViolation) error {
|
||||
newStatus := pc.calculateStatus(p.Name, pvList, nspvList)
|
||||
if reflect.DeepEqual(newStatus, p.Status) {
|
||||
// no update to status
|
||||
|
@ -503,7 +503,7 @@ func (pc *PolicyController) syncStatusOnly(p *kyverno.ClusterPolicy, pvList []*k
|
|||
return err
|
||||
}
|
||||
|
||||
func (pc *PolicyController) calculateStatus(policyName string, pvList []*kyverno.ClusterPolicyViolation, nspvList []*kyverno.NamespacedPolicyViolation) kyverno.PolicyStatus {
|
||||
func (pc *PolicyController) calculateStatus(policyName string, pvList []*kyverno.ClusterPolicyViolation, nspvList []*kyverno.PolicyViolation) kyverno.PolicyStatus {
|
||||
violationCount := len(pvList) + len(nspvList)
|
||||
status := kyverno.PolicyStatus{
|
||||
ViolationCount: violationCount,
|
||||
|
@ -522,7 +522,7 @@ func (pc *PolicyController) calculateStatus(policyName string, pvList []*kyverno
|
|||
return status
|
||||
}
|
||||
|
||||
func (pc *PolicyController) getPolicyViolationsForPolicy(p *kyverno.ClusterPolicy) ([]*kyverno.ClusterPolicyViolation, []*kyverno.NamespacedPolicyViolation, error) {
|
||||
func (pc *PolicyController) getPolicyViolationsForPolicy(p *kyverno.ClusterPolicy) ([]*kyverno.ClusterPolicyViolation, []*kyverno.PolicyViolation, error) {
|
||||
policyLabelmap := map[string]string{"policy": p.Name}
|
||||
//NOt using a field selector, as the match function will have to cash the runtime.object
|
||||
// to get the field, while it can get labels directly, saves the cast effort
|
||||
|
@ -573,7 +573,7 @@ func (pc *PolicyController) getPolicyViolationsForPolicy(p *kyverno.ClusterPolic
|
|||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
claimedNSPVs := claimedNSPVList.([]*kyverno.NamespacedPolicyViolation)
|
||||
claimedNSPVs := claimedNSPVList.([]*kyverno.PolicyViolation)
|
||||
|
||||
return claimedPVs, claimedNSPVs, nil
|
||||
}
|
||||
|
@ -606,8 +606,8 @@ func (m *PolicyViolationControllerRefManager) claimPolicyViolations(sets interfa
|
|||
return claimed, utilerrors.NewAggregate(errlist)
|
||||
}
|
||||
|
||||
var claimed []*kyverno.NamespacedPolicyViolation
|
||||
for _, pv := range sets.([]*kyverno.NamespacedPolicyViolation) {
|
||||
var claimed []*kyverno.PolicyViolation
|
||||
for _, pv := range sets.([]*kyverno.PolicyViolation) {
|
||||
ok, err := m.ClaimObject(pv, match, adopt, release)
|
||||
if err != nil {
|
||||
errlist = append(errlist, err)
|
||||
|
@ -627,7 +627,7 @@ func (m *PolicyViolationControllerRefManager) adoptPolicyViolation(pv interface{
|
|||
case *kyverno.ClusterPolicyViolation:
|
||||
pvname = typedPV.Name
|
||||
pvuid = typedPV.UID
|
||||
case *kyverno.NamespacedPolicyViolation:
|
||||
case *kyverno.PolicyViolation:
|
||||
ns = typedPV.Namespace
|
||||
pvname = typedPV.Name
|
||||
pvuid = typedPV.UID
|
||||
|
@ -691,7 +691,7 @@ func (m *PolicyViolationControllerRefManager) releasePolicyViolation(pv interfac
|
|||
switch typedPV := pv.(type) {
|
||||
case *kyverno.ClusterPolicyViolation:
|
||||
pvname = typedPV.Name
|
||||
case *kyverno.NamespacedPolicyViolation:
|
||||
case *kyverno.PolicyViolation:
|
||||
ns = typedPV.Namespace
|
||||
pvname = typedPV.Name
|
||||
}
|
||||
|
@ -884,13 +884,13 @@ func (r RealPVControl) DeletePolicyViolation(name string) error {
|
|||
|
||||
//PatchNamespacedPolicyViolation patches the namespaced policy violation with the provided JSON Patch
|
||||
func (r RealPVControl) PatchNamespacedPolicyViolation(ns, name string, data []byte) error {
|
||||
_, err := r.Client.KyvernoV1().NamespacedPolicyViolations(ns).Patch(name, types.JSONPatchType, data)
|
||||
_, err := r.Client.KyvernoV1().PolicyViolations(ns).Patch(name, types.JSONPatchType, data)
|
||||
return err
|
||||
}
|
||||
|
||||
//DeleteNamespacedPolicyViolation deletes the namespaced policy violation
|
||||
func (r RealPVControl) DeleteNamespacedPolicyViolation(ns, name string) error {
|
||||
return r.Client.KyvernoV1().NamespacedPolicyViolations(ns).Delete(name, &metav1.DeleteOptions{})
|
||||
return r.Client.KyvernoV1().PolicyViolations(ns).Delete(name, &metav1.DeleteOptions{})
|
||||
}
|
||||
|
||||
// RecheckDeletionTimestamp returns a CanAdopt() function to recheck deletion.
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
)
|
||||
|
||||
func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
|
||||
pv := obj.(*kyverno.NamespacedPolicyViolation)
|
||||
pv := obj.(*kyverno.PolicyViolation)
|
||||
|
||||
if pv.DeletionTimestamp != nil {
|
||||
// On a restart of the controller manager, it's possible for an object to
|
||||
|
@ -55,8 +55,8 @@ func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
|
|||
}
|
||||
|
||||
func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}) {
|
||||
curPV := cur.(*kyverno.NamespacedPolicyViolation)
|
||||
oldPV := old.(*kyverno.NamespacedPolicyViolation)
|
||||
curPV := cur.(*kyverno.PolicyViolation)
|
||||
oldPV := old.(*kyverno.PolicyViolation)
|
||||
if curPV.ResourceVersion == oldPV.ResourceVersion {
|
||||
// Periodic resync will send update events for all known Policy Violation.
|
||||
// Two different versions of the same replica set will always have different RVs.
|
||||
|
@ -111,7 +111,7 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}
|
|||
}
|
||||
|
||||
func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
|
||||
pv, ok := obj.(*kyverno.NamespacedPolicyViolation)
|
||||
pv, ok := obj.(*kyverno.PolicyViolation)
|
||||
// When a delete is dropped, the relist will notice a PolicyViolation in the store not
|
||||
// in the list, leading to the insertion of a tombstone object which contains
|
||||
// the deleted key/value. Note that this value might be stale. If the PolicyViolation
|
||||
|
@ -122,7 +122,7 @@ func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
|
|||
glog.Infof("Couldn't get object from tombstone %#v", obj)
|
||||
return
|
||||
}
|
||||
pv, ok = tombstone.Obj.(*kyverno.NamespacedPolicyViolation)
|
||||
pv, ok = tombstone.Obj.(*kyverno.PolicyViolation)
|
||||
if !ok {
|
||||
glog.Infof("Couldn't get object from tombstone %#v", obj)
|
||||
return
|
||||
|
@ -141,7 +141,7 @@ func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
|
|||
pc.enqueuePolicy(p)
|
||||
}
|
||||
|
||||
func updateLabels(pv *kyverno.NamespacedPolicyViolation) bool {
|
||||
func updateLabels(pv *kyverno.PolicyViolation) bool {
|
||||
if pv.Spec.Policy == "" {
|
||||
glog.Error("policy not defined for violation")
|
||||
// should be cleaned up
|
||||
|
@ -176,7 +176,7 @@ func updateLabels(pv *kyverno.NamespacedPolicyViolation) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) []*kyverno.ClusterPolicy {
|
||||
func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.PolicyViolation) []*kyverno.ClusterPolicy {
|
||||
policies, err := pc.pLister.GetPolicyForNamespacedPolicyViolation(pv)
|
||||
if err != nil || len(policies) == 0 {
|
||||
return nil
|
||||
|
|
|
@ -294,7 +294,7 @@ func (fl *FakeLister) ListResources(selector labels.Selector) (ret []*kyverno.Cl
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
func (fl *FakeLister) GetPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) ([]*kyverno.ClusterPolicy, error) {
|
||||
func (fl *FakeLister) GetPolicyForNamespacedPolicyViolation(pv *kyverno.PolicyViolation) ([]*kyverno.ClusterPolicy, error) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ type Generator struct {
|
|||
// get/list cluster policy violation
|
||||
pvLister kyvernolister.ClusterPolicyViolationLister
|
||||
// get/ist namespaced policy violation
|
||||
nspvLister kyvernolister.NamespacedPolicyViolationLister
|
||||
nspvLister kyvernolister.PolicyViolationLister
|
||||
// returns true if the cluster policy store has been synced at least once
|
||||
pvSynced cache.InformerSynced
|
||||
// returns true if the namespaced cluster policy store has been synced at at least once
|
||||
|
@ -104,7 +104,7 @@ type GeneratorInterface interface {
|
|||
// NewPVGenerator returns a new instance of policy violation generator
|
||||
func NewPVGenerator(client *kyvernoclient.Clientset, dclient *client.Client,
|
||||
pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
|
||||
nspvInformer kyvernoinformer.NamespacedPolicyViolationInformer) *Generator {
|
||||
nspvInformer kyvernoinformer.PolicyViolationInformer) *Generator {
|
||||
gen := Generator{
|
||||
pvInterface: client.KyvernoV1(),
|
||||
dclient: dclient,
|
||||
|
|
|
@ -14,7 +14,7 @@ import (
|
|||
|
||||
func (gen *Generator) createNamespacedPV(info Info) error {
|
||||
// namespaced policy violations
|
||||
var pvs []kyverno.NamespacedPolicyViolation
|
||||
var pvs []kyverno.PolicyViolation
|
||||
if !info.Blocked {
|
||||
pvs = append(pvs, buildNamespacedPV(info))
|
||||
} else {
|
||||
|
@ -30,7 +30,7 @@ func (gen *Generator) createNamespacedPV(info Info) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func buildNamespacedPV(info Info) kyverno.NamespacedPolicyViolation {
|
||||
func buildNamespacedPV(info Info) kyverno.PolicyViolation {
|
||||
return buildNamespacedPVObj(info.PolicyName,
|
||||
kyverno.ResourceSpec{
|
||||
Kind: info.Resource.GetKind(),
|
||||
|
@ -40,8 +40,8 @@ func buildNamespacedPV(info Info) kyverno.NamespacedPolicyViolation {
|
|||
}
|
||||
|
||||
//buildNamespacedPVObj returns an value of type PolicyViolation
|
||||
func buildNamespacedPVObj(policy string, resource kyverno.ResourceSpec, fRules []kyverno.ViolatedRule) kyverno.NamespacedPolicyViolation {
|
||||
pv := kyverno.NamespacedPolicyViolation{
|
||||
func buildNamespacedPVObj(policy string, resource kyverno.ResourceSpec, fRules []kyverno.ViolatedRule) kyverno.PolicyViolation {
|
||||
pv := kyverno.PolicyViolation{
|
||||
Spec: kyverno.PolicyViolationSpec{
|
||||
Policy: policy,
|
||||
ResourceSpec: resource,
|
||||
|
@ -58,7 +58,7 @@ func buildNamespacedPVObj(policy string, resource kyverno.ResourceSpec, fRules [
|
|||
return pv
|
||||
}
|
||||
|
||||
func buildNamespacedPVWithOwner(dclient *dclient.Client, info Info) (pvs []kyverno.NamespacedPolicyViolation) {
|
||||
func buildNamespacedPVWithOwner(dclient *dclient.Client, info Info) (pvs []kyverno.PolicyViolation) {
|
||||
// create violation on resource owner (if exist) when action is set to enforce
|
||||
ownerMap := map[kyverno.ResourceSpec]interface{}{}
|
||||
GetOwner(dclient, ownerMap, info.Resource)
|
||||
|
@ -78,7 +78,7 @@ func buildNamespacedPVWithOwner(dclient *dclient.Client, info Info) (pvs []kyver
|
|||
return
|
||||
}
|
||||
|
||||
func createNamespacedPV(namespace string, dclient *dclient.Client, pvLister kyvernolister.NamespacedPolicyViolationLister, pvInterface kyvernov1.KyvernoV1Interface, pvs []kyverno.NamespacedPolicyViolation) error {
|
||||
func createNamespacedPV(namespace string, dclient *dclient.Client, pvLister kyvernolister.PolicyViolationLister, pvInterface kyvernov1.KyvernoV1Interface, pvs []kyverno.PolicyViolation) error {
|
||||
for _, newPv := range pvs {
|
||||
glog.V(4).Infof("creating namespaced policyViolation resource for policy %s and resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
|
||||
// check if there was a previous policy voilation for policy & resource combination
|
||||
|
@ -87,16 +87,16 @@ func createNamespacedPV(namespace string, dclient *dclient.Client, pvLister kyve
|
|||
return fmt.Errorf("failed to get existing namespaced pv on resource '%s': %v", newPv.Spec.ResourceSpec.ToKey(), err)
|
||||
}
|
||||
|
||||
if reflect.DeepEqual(curPv, kyverno.NamespacedPolicyViolation{}) {
|
||||
if reflect.DeepEqual(curPv, kyverno.PolicyViolation{}) {
|
||||
// no existing policy violation, create a new one
|
||||
if reflect.DeepEqual(curPv, kyverno.NamespacedPolicyViolation{}) {
|
||||
if reflect.DeepEqual(curPv, kyverno.PolicyViolation{}) {
|
||||
glog.V(4).Infof("creating new namespaced policy violation for policy %s & resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
|
||||
|
||||
if err := retryGetResource(namespace, dclient, newPv.Spec.ResourceSpec); err != nil {
|
||||
return fmt.Errorf("failed to get resource for policy violation on resource '%s': %v", newPv.Spec.ResourceSpec.ToKey(), err)
|
||||
}
|
||||
|
||||
if _, err := pvInterface.NamespacedPolicyViolations(namespace).Create(&newPv); err != nil {
|
||||
if _, err := pvInterface.PolicyViolations(namespace).Create(&newPv); err != nil {
|
||||
return fmt.Errorf("failed to create namespaced policy violation: %v", err)
|
||||
}
|
||||
|
||||
|
@ -120,7 +120,7 @@ func createNamespacedPV(namespace string, dclient *dclient.Client, pvLister kyve
|
|||
glog.V(4).Infof("creating new policy violation for policy %s & resource %s", curPv.Spec.Policy, curPv.Spec.ResourceSpec.ToKey())
|
||||
//TODO: using a generic name, but would it be helpful to have naming convention for policy violations
|
||||
// as we can only have one policy violation for each (policy + resource) combination
|
||||
if _, err = pvInterface.NamespacedPolicyViolations(namespace).Update(&newPv); err != nil {
|
||||
if _, err = pvInterface.PolicyViolations(namespace).Update(&newPv); err != nil {
|
||||
return fmt.Errorf("failed to update namespaced policy violation: %v", err)
|
||||
}
|
||||
glog.Infof("namespaced policy violation updated for resource %s", newPv.Spec.ResourceSpec.ToKey())
|
||||
|
@ -128,11 +128,11 @@ func createNamespacedPV(namespace string, dclient *dclient.Client, pvLister kyve
|
|||
return nil
|
||||
}
|
||||
|
||||
func getExistingNamespacedPVIfAny(nspvLister kyvernolister.NamespacedPolicyViolationLister, newPv kyverno.NamespacedPolicyViolation) (kyverno.NamespacedPolicyViolation, error) {
|
||||
func getExistingNamespacedPVIfAny(nspvLister kyvernolister.PolicyViolationLister, newPv kyverno.PolicyViolation) (kyverno.PolicyViolation, error) {
|
||||
// TODO(shuting): list pvs by labels
|
||||
pvs, err := nspvLister.NamespacedPolicyViolations(newPv.GetNamespace()).List(labels.NewSelector())
|
||||
pvs, err := nspvLister.PolicyViolations(newPv.GetNamespace()).List(labels.NewSelector())
|
||||
if err != nil {
|
||||
return kyverno.NamespacedPolicyViolation{}, fmt.Errorf("failed to list namespaced policy violations err: %v", err)
|
||||
return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced policy violations err: %v", err)
|
||||
}
|
||||
|
||||
for _, pv := range pvs {
|
||||
|
@ -141,5 +141,5 @@ func getExistingNamespacedPVIfAny(nspvLister kyvernolister.NamespacedPolicyViola
|
|||
}
|
||||
}
|
||||
|
||||
return kyverno.NamespacedPolicyViolation{}, nil
|
||||
return kyverno.PolicyViolation{}, nil
|
||||
}
|
||||
|
|
|
@ -25,7 +25,7 @@ import (
|
|||
"k8s.io/client-go/util/workqueue"
|
||||
)
|
||||
|
||||
var nspvcontrollerKind = kyverno.SchemeGroupVersion.WithKind("NamespacedPolicyViolation")
|
||||
var nspvcontrollerKind = kyverno.SchemeGroupVersion.WithKind("PolicyViolation")
|
||||
|
||||
// PolicyViolationController manages the policy violation resource
|
||||
// - sync the lastupdate time
|
||||
|
@ -35,11 +35,11 @@ type NamespacedPolicyViolationController struct {
|
|||
kyvernoClient *kyvernoclient.Clientset
|
||||
eventRecorder record.EventRecorder
|
||||
syncHandler func(pKey string) error
|
||||
enqueuePolicyViolation func(policy *kyverno.NamespacedPolicyViolation)
|
||||
enqueuePolicyViolation func(policy *kyverno.PolicyViolation)
|
||||
// Policys that need to be synced
|
||||
queue workqueue.RateLimitingInterface
|
||||
// nspvLister can list/get policy violation from the shared informer's store
|
||||
nspvLister kyvernolister.NamespacedPolicyViolationLister
|
||||
nspvLister kyvernolister.PolicyViolationLister
|
||||
// pLister can list/get policy from the shared informer's store
|
||||
pLister kyvernolister.ClusterPolicyLister
|
||||
// pListerSynced returns true if the Policy store has been synced at least once
|
||||
|
@ -51,7 +51,7 @@ type NamespacedPolicyViolationController struct {
|
|||
}
|
||||
|
||||
//NewPolicyViolationController creates a new NewPolicyViolationController
|
||||
func NewNamespacedPolicyViolationController(client *client.Client, kyvernoClient *kyvernoclient.Clientset, pInformer kyvernoinformer.ClusterPolicyInformer, pvInformer kyvernoinformer.NamespacedPolicyViolationInformer) (*NamespacedPolicyViolationController, error) {
|
||||
func NewNamespacedPolicyViolationController(client *client.Client, kyvernoClient *kyvernoclient.Clientset, pInformer kyvernoinformer.ClusterPolicyInformer, pvInformer kyvernoinformer.PolicyViolationInformer) (*NamespacedPolicyViolationController, error) {
|
||||
// Event broad caster
|
||||
eventBroadcaster := record.NewBroadcaster()
|
||||
eventBroadcaster.StartLogging(glog.Infof)
|
||||
|
@ -86,14 +86,14 @@ func NewNamespacedPolicyViolationController(client *client.Client, kyvernoClient
|
|||
}
|
||||
|
||||
func (pvc *NamespacedPolicyViolationController) addPolicyViolation(obj interface{}) {
|
||||
pv := obj.(*kyverno.NamespacedPolicyViolation)
|
||||
pv := obj.(*kyverno.PolicyViolation)
|
||||
glog.V(4).Infof("Adding Namespaced Policy Violation %s", pv.Name)
|
||||
pvc.enqueuePolicyViolation(pv)
|
||||
}
|
||||
|
||||
func (pvc *NamespacedPolicyViolationController) updatePolicyViolation(old, cur interface{}) {
|
||||
oldPv := old.(*kyverno.NamespacedPolicyViolation)
|
||||
curPv := cur.(*kyverno.NamespacedPolicyViolation)
|
||||
oldPv := old.(*kyverno.PolicyViolation)
|
||||
curPv := cur.(*kyverno.PolicyViolation)
|
||||
glog.V(4).Infof("Updating Namespaced Policy Violation %s", oldPv.Name)
|
||||
if err := pvc.syncLastUpdateTimeStatus(curPv, oldPv); err != nil {
|
||||
glog.Errorf("Failed to update lastUpdateTime in NamespacedPolicyViolation %s status: %v", curPv.Name, err)
|
||||
|
@ -102,14 +102,14 @@ func (pvc *NamespacedPolicyViolationController) updatePolicyViolation(old, cur i
|
|||
}
|
||||
|
||||
func (pvc *NamespacedPolicyViolationController) deletePolicyViolation(obj interface{}) {
|
||||
pv, ok := obj.(*kyverno.NamespacedPolicyViolation)
|
||||
pv, ok := obj.(*kyverno.PolicyViolation)
|
||||
if !ok {
|
||||
tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
|
||||
if !ok {
|
||||
glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj))
|
||||
return
|
||||
}
|
||||
pv, ok = tombstone.Obj.(*kyverno.NamespacedPolicyViolation)
|
||||
pv, ok = tombstone.Obj.(*kyverno.PolicyViolation)
|
||||
if !ok {
|
||||
glog.Info(fmt.Errorf("Tombstone contained object that is not a NamespacedPolicyViolation %#v", obj))
|
||||
return
|
||||
|
@ -119,7 +119,7 @@ func (pvc *NamespacedPolicyViolationController) deletePolicyViolation(obj interf
|
|||
pvc.enqueuePolicyViolation(pv)
|
||||
}
|
||||
|
||||
func (pvc *NamespacedPolicyViolationController) enqueue(policyViolation *kyverno.NamespacedPolicyViolation) {
|
||||
func (pvc *NamespacedPolicyViolationController) enqueue(policyViolation *kyverno.PolicyViolation) {
|
||||
key, err := cache.MetaNamespaceKeyFunc(policyViolation)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
|
@ -196,7 +196,7 @@ func (pvc *NamespacedPolicyViolationController) syncPolicyViolation(key string)
|
|||
return fmt.Errorf("error getting namespaced policy violation key %v", key)
|
||||
}
|
||||
|
||||
policyViolation, err := pvc.nspvLister.NamespacedPolicyViolations(ns).Get(name)
|
||||
policyViolation, err := pvc.nspvLister.PolicyViolations(ns).Get(name)
|
||||
if errors.IsNotFound(err) {
|
||||
glog.V(2).Infof("PolicyViolation %v has been deleted", key)
|
||||
return nil
|
||||
|
@ -221,7 +221,7 @@ func (pvc *NamespacedPolicyViolationController) syncPolicyViolation(key string)
|
|||
return pvc.syncStatusOnly(pv)
|
||||
}
|
||||
|
||||
func (pvc *NamespacedPolicyViolationController) syncActiveResource(curPv *kyverno.NamespacedPolicyViolation) error {
|
||||
func (pvc *NamespacedPolicyViolationController) syncActiveResource(curPv *kyverno.PolicyViolation) error {
|
||||
// check if the resource is active or not ?
|
||||
rspec := curPv.Spec.ResourceSpec
|
||||
// get resource
|
||||
|
@ -247,7 +247,7 @@ func (pvc *NamespacedPolicyViolationController) syncActiveResource(curPv *kyvern
|
|||
|
||||
// syncBlockedResource remove inactive policy violation
|
||||
// when rejected resource created in the cluster
|
||||
func (pvc *NamespacedPolicyViolationController) syncBlockedResource(curPv *kyverno.NamespacedPolicyViolation) error {
|
||||
func (pvc *NamespacedPolicyViolationController) syncBlockedResource(curPv *kyverno.PolicyViolation) error {
|
||||
for _, violatedRule := range curPv.Spec.ViolatedRules {
|
||||
if reflect.DeepEqual(violatedRule.ManagedResource, kyverno.ManagedResourceSpec{}) {
|
||||
continue
|
||||
|
@ -286,7 +286,7 @@ func (pvc *NamespacedPolicyViolationController) syncBlockedResource(curPv *kyver
|
|||
|
||||
//syncStatusOnly updates the policyviolation status subresource
|
||||
// status:
|
||||
func (pvc *NamespacedPolicyViolationController) syncStatusOnly(curPv *kyverno.NamespacedPolicyViolation) error {
|
||||
func (pvc *NamespacedPolicyViolationController) syncStatusOnly(curPv *kyverno.PolicyViolation) error {
|
||||
// newStatus := calculateStatus(pv)
|
||||
return nil
|
||||
}
|
||||
|
@ -294,7 +294,7 @@ func (pvc *NamespacedPolicyViolationController) syncStatusOnly(curPv *kyverno.Na
|
|||
//TODO: think this through again
|
||||
//syncLastUpdateTimeStatus updates the policyviolation lastUpdateTime if anything in ViolationSpec changed
|
||||
// - lastUpdateTime : (time stamp when the policy violation changed)
|
||||
func (pvc *NamespacedPolicyViolationController) syncLastUpdateTimeStatus(curPv *kyverno.NamespacedPolicyViolation, oldPv *kyverno.NamespacedPolicyViolation) error {
|
||||
func (pvc *NamespacedPolicyViolationController) syncLastUpdateTimeStatus(curPv *kyverno.PolicyViolation, oldPv *kyverno.PolicyViolation) error {
|
||||
// check if there is any change in policy violation information
|
||||
if !updatedNamespaced(curPv, oldPv) {
|
||||
return nil
|
||||
|
@ -306,13 +306,13 @@ func (pvc *NamespacedPolicyViolationController) syncLastUpdateTimeStatus(curPv *
|
|||
return pvc.pvControl.UpdateStatusPolicyViolation(newPolicyViolation)
|
||||
}
|
||||
|
||||
func updatedNamespaced(curPv *kyverno.NamespacedPolicyViolation, oldPv *kyverno.NamespacedPolicyViolation) bool {
|
||||
func updatedNamespaced(curPv *kyverno.PolicyViolation, oldPv *kyverno.PolicyViolation) bool {
|
||||
return !reflect.DeepEqual(curPv.Spec, oldPv.Spec)
|
||||
//TODO check if owner reference changed, then should we update the lastUpdateTime as well ?
|
||||
}
|
||||
|
||||
type NamespacedPVControlInterface interface {
|
||||
UpdateStatusPolicyViolation(newPv *kyverno.NamespacedPolicyViolation) error
|
||||
UpdateStatusPolicyViolation(newPv *kyverno.PolicyViolation) error
|
||||
RemovePolicyViolation(ns, name string) error
|
||||
}
|
||||
|
||||
|
@ -323,14 +323,14 @@ type RealNamespacedPVControl struct {
|
|||
}
|
||||
|
||||
//UpdateStatusPolicyViolation updates the status for policy violation
|
||||
func (r RealNamespacedPVControl) UpdateStatusPolicyViolation(newPv *kyverno.NamespacedPolicyViolation) error {
|
||||
_, err := r.Client.KyvernoV1().NamespacedPolicyViolations(newPv.Namespace).UpdateStatus(newPv)
|
||||
func (r RealNamespacedPVControl) UpdateStatusPolicyViolation(newPv *kyverno.PolicyViolation) error {
|
||||
_, err := r.Client.KyvernoV1().PolicyViolations(newPv.Namespace).UpdateStatus(newPv)
|
||||
return err
|
||||
}
|
||||
|
||||
//RemovePolicyViolation removes the policy violation
|
||||
func (r RealNamespacedPVControl) RemovePolicyViolation(ns, name string) error {
|
||||
return r.Client.KyvernoV1().NamespacedPolicyViolations(ns).Delete(name, &metav1.DeleteOptions{})
|
||||
return r.Client.KyvernoV1().PolicyViolations(ns).Delete(name, &metav1.DeleteOptions{})
|
||||
}
|
||||
|
||||
func retryGetResource(namespace string, client *client.Client, rspec kyverno.ResourceSpec) error {
|
||||
|
|
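Review bot: The literal in `var nspvcontrollerKind = kyverno.SchemeGroupVersion.WithKind("PolicyViolation")` is a runtime identifier rather than a Go type name, so unlike the rest of this rename it changes which ownerReference Kind the controller presumably matches when adopting or releasing violations (its use sites are outside the hunk); objects in an upgraded cluster whose ownerReferences still carry the old Kind would then no longer be recognized, and a short comment on the var stating that the string must equal the CRD kind and how pre-rename objects are handled would make that explicit. The same file still logs the old name in `glog.Errorf("Failed to update lastUpdateTime in NamespacedPolicyViolation %s status: %v", curPv.Name, err)` and `"Tombstone contained object that is not a NamespacedPolicyViolation %#v"`, next to type assertions that now use `*kyverno.PolicyViolation`; changing both messages to `PolicyViolation` keeps log text searchable under the new kind. The enclosing functions for those two messages begin and end outside their hunks.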