diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index 564cf2fd47..dfba15d80a 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@@ -1286,7 +1286,7 @@ spec: type: string - jsonPath: .metadata.creationTimestamp name: Age - type: string + type: date name: v1 schema: openAPIV3Schema:
diff --git a/definitions/crds/kyverno.io_generaterequests.yaml b/definitions/crds/kyverno.io_generaterequests.yaml
index 099968e100..39a4711ac7 100644
--- a/definitions/crds/kyverno.io_generaterequests.yaml
+++ b/definitions/crds/kyverno.io_generaterequests.yaml
@@ -36,7 +36,7 @@ spec: type: string - jsonPath: .metadata.creationTimestamp name: Age - type: string + type: date name: v1 schema: openAPIV3Schema:
diff --git a/definitions/install.yaml b/definitions/install.yaml
index 97de6e7817..9c00789a4c 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -1291,7 +1291,7 @@ spec: type: string - jsonPath: .metadata.creationTimestamp name: Age - type: string + type: date name: v1 schema: openAPIV3Schema:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 66f5bd4e17..3f56c1f858 100755
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -1291,7 +1291,7 @@ spec: type: string - jsonPath: .metadata.creationTimestamp name: Age - type: string + type: date name: v1 schema: openAPIV3Schema:
diff --git a/pkg/api/kyverno/v1/generaterequest_types.go b/pkg/api/kyverno/v1/generaterequest_types.go
index 75bf404304..ec71915015 100644
--- a/pkg/api/kyverno/v1/generaterequest_types.go
+++ b/pkg/api/kyverno/v1/generaterequest_types.go
@@ -15,7 +15,7 @@ import (
 // +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name"
 // +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace"
 // +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state"
-// +kubebuilder:printcolumn:name="Age",type="string",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:shortName=gr
 type GenerateRequest struct {
 metav1.TypeMeta `json:",inline" yaml:",inline"`
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index da458ca744..f8410ed352 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -2,6 +2,7 @@ package engine
 import (
 "time"
+
 "github.com/go-logr/logr"
 kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
 "github.com/kyverno/kyverno/pkg/engine/mutate"
@@ -109,7 +110,6 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
 resp.PolicyResponse.Resource.Kind = resource.GetKind()
 resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
- // TODO(shuting): set response with mutationFailureAction
 }
 func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {
diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go
index 313679c09b..61d6c8006f 100644
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@@ -352,7 +352,7 @@ func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log l
 // when serilizing data, we would expect to drop the omitempty key
 // otherwise (without the pointer), it will be set to empty value
 // - an empty struct in this case, some may fail the schema validation
-// TODO(shuting) may related to:
+// may related to:
 // https://github.com/kyverno/kyverno/pull/549#discussion_r360088556
 // https://github.com/kyverno/kyverno/issues/568
diff --git a/pkg/policyreport/builder.go b/pkg/policyreport/builder.go
index 15d3bc1eac..899cfd3373 100755
--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@@ -21,6 +21,10 @@ import (
 const (
 clusterreportchangerequest string = "clusterreportchangerequest"
+ resourceLabelName string = "kyverno.io/resource.name"
+ resourceLabelKind string = "kyverno.io/resource.kind"
+ resourceLabelNamespace string = "kyverno.io/resource.namespace"
+ policyLabel string = "kyverno.io/policy"
 deletedLabelResource string = "kyverno.io/delete.resource"
 deletedLabelResourceKind string = "kyverno.io/delete.resource.kind"
 deletedLabelPolicy string = "kyverno.io/delete.policy"
@@ -111,7 +115,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 }
 req = &unstructured.Unstructured{Object: obj}
- set(req, fmt.Sprintf("reportchangerequest-%s-%s-%s", info.PolicyName, info.Resource.GetNamespace(), info.Resource.GetName()), info)
+ set(req, info)
 } else {
 rr := &request.ClusterReportChangeRequest{
 Summary: calculateSummary(results),
@@ -123,7 +127,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 return nil, err
 }
 req = &unstructured.Unstructured{Object: obj}
- set(req, fmt.Sprintf("%s-%s", clusterreportchangerequest, info.Resource.GetName()), info)
+ set(req, info)
 }
 // deletion of a result entry
@@ -135,7 +139,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 // - set label delete.policy=policyName
 if len(info.Rules) == 0 && info.PolicyName == "" {
 req.SetLabels(map[string]string{
- "namespace": info.Resource.GetNamespace(),
+ resourceLabelNamespace: info.Resource.GetNamespace(),
 deletedLabelResource: info.Resource.GetName(),
 deletedLabelResourceKind: info.Resource.GetKind()})
 } else if info.PolicyName != "" && reflect.DeepEqual(info.Resource, unstructured.Unstructured{}) {
@@ -160,21 +164,23 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 return req, nil
 }
-func set(obj *unstructured.Unstructured, name string, info Info) {
+func set(obj *unstructured.Unstructured, info Info) {
 resource := info.Resource
- obj.SetName(name)
 obj.SetNamespace(config.KubePolicyNamespace)
 obj.SetAPIVersion(request.SchemeGroupVersion.Group + "/" + request.SchemeGroupVersion.Version)
 if resource.GetNamespace() == "" {
+ obj.SetGenerateName(clusterreportchangerequest + "-")
 obj.SetKind("ClusterReportChangeRequest")
 } else {
+ obj.SetGenerateName("reportchangerequest-")
 obj.SetKind("ReportChangeRequest")
 }
 obj.SetLabels(map[string]string{
- "namespace": resource.GetNamespace(),
- "policy": info.PolicyName,
- "resource": resource.GetKind() + "-" + resource.GetNamespace() + "-" + resource.GetName(),
+ resourceLabelNamespace: resource.GetNamespace(),
+ resourceLabelName: resource.GetName(),
+ resourceLabelKind: resource.GetKind(),
+ policyLabel: info.PolicyName,
 })
 if info.FromSync {
@@ -243,7 +249,7 @@ func (builder *requestBuilder) fetchCategory(policy, ns string) string {
 }
 }
- pol, err := builder.polLister.Policies("").Get(policy)
+ pol, err := builder.polLister.Policies(ns).Get(policy)
 if err == nil {
 if ann := pol.GetAnnotations(); ann != nil {
 return ann[categoryLabel]
diff --git a/pkg/policyreport/policyreport.go b/pkg/policyreport/policyreport.go
index 39cce580bc..42afc981fe 100644
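Review bot: The label values written by `set` in pkg/policyreport/builder.go are not checked against label syntax: `resourceLabelName: resource.GetName()` and `policyLabel: info.PolicyName` copy object names, which may be up to 253 characters and for kinds such as ClusterRole contain `:`, into values limited to 63 characters of alphanumerics, `-`, `_` and `.`. A request carrying such a value would presumably be rejected by the API server on create, leaving that resource's results out of the report; the create call is outside this diff, so that consequence is inferred. Checking each value first, for example `if len(validation.IsValidLabelValue(resource.GetName())) > 0 { ... }` from k8s.io/apimachinery, and keeping the full name in an annotation with a bounded digest in the label would keep the selectors working. The same applies to `deletedLabelResource: info.Resource.GetName()` in the deletion branch of `build`.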
--- a/pkg/policyreport/policyreport.go
+++ b/pkg/policyreport/policyreport.go
@@ -22,7 +22,7 @@ func getDeletedResources(aggregatedRequests interface{}) (resources []deletedRes
 dr := deletedResource{
 kind: labels[deletedLabelResourceKind],
 name: labels[deletedLabelResource],
- ns: labels["namespace"],
+ ns: labels[resourceLabelNamespace],
 }
 resources = append(resources, dr)
@@ -33,7 +33,7 @@ func getDeletedResources(aggregatedRequests interface{}) (resources []deletedRes
 dr := deletedResource{
 kind: labels[deletedLabelResourceKind],
 name: labels[deletedLabelResource],
- ns: labels["namespace"],
+ ns: labels[resourceLabelNamespace],
 }
 resources = append(resources, dr)
 }
@@ -124,7 +124,7 @@ func generateHashKey(result map[string]interface{}, dr deletedResource) (string,
 "%s-%s-%s-%s-%s",
 result["policy"],
 result["rule"],
- resource["name"],
+ resource["kind"],
 resource["namespace"],
 resource["name"]), true
 }
diff --git a/pkg/policyreport/reportcontroller.go b/pkg/policyreport/reportcontroller.go
index 58e869e9d2..963fbafda1 100644
--- a/pkg/policyreport/reportcontroller.go
+++ b/pkg/policyreport/reportcontroller.go
@@ -116,7 +116,7 @@ func generateCacheKey(changeRequest interface{}) string {
 return strings.Join([]string{deletedPolicyKey, policy, rule}, "/")
 }
- ns := label["namespace"]
+ ns := label[resourceLabelNamespace]
 if ns == "" {
 ns = "default"
 }
@@ -398,7 +398,7 @@ func (g *ReportGenerator) aggregateReports(namespace string) (
 }
 }
- selector := labels.SelectorFromSet(labels.Set(map[string]string{"namespace": namespace}))
+ selector := labels.SelectorFromSet(labels.Set(map[string]string{resourceLabelNamespace: namespace}))
 requests, err := g.reportChangeRequestLister.ReportChangeRequests(config.KubePolicyNamespace).List(selector)
 if err != nil {
 return nil, nil, fmt.Errorf("unable to list reportChangeRequests within namespace %s: %v", ns, err)
diff --git a/pkg/policyreport/reportrequest.go b/pkg/policyreport/reportrequest.go
index 2f29bb81cb..c1ba319b01 100755
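Review bot: `labels[resourceLabelNamespace]` in `getDeletedResources` reads only the new `kyverno.io/resource.namespace` key, so a change request written by the previous version, which used the bare `namespace` label, yields an empty namespace here. The same switch in `generateCacheKey` (reportcontroller.go) turns that empty value into `default`, and the `labels.SelectorFromSet` call in `aggregateReports` no longer selects those older objects, so after an upgrade they would be attributed to the wrong namespace or never aggregated. If requests can outlive an upgrade, a fallback such as `if ns == "" { ns = label["namespace"] }` ahead of the `default` branch, or a one-time cleanup of the old objects, would cover the transition; whether they can is not visible in this diff.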
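Review bot: The key built in `generateHashKey` joins policy, rule, kind, namespace and name with `-`, a character that namespaces and object names may themselves contain, so two different resources can produce the same key (namespace `a-b` with name `c`, and namespace `a` with name `b-c`). If the key is used to match results for removal, as the `deletedResource` parameter suggests, one resource's entry could stand in for another's. A separator that Kubernetes object names and namespaces cannot contain removes the ambiguity, for example `"%s/%s/%s/%s/%s"`, which also matches the `/` used by `generateCacheKey`. The start of the function is outside this hunk, so how `resource` is taken from `result` could not be checked.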
--- a/pkg/policyreport/reportrequest.go
+++ b/pkg/policyreport/reportrequest.go
@@ -332,7 +332,7 @@ func updateReportChangeRequest(dClient *client.Client, old interface{}, new *uns
 log.V(4).Info("unchanged report request", "name", new.GetName())
 return nil
 }
- // TODO(shuting): set annotation / label
+
 if _, err = dClient.UpdateResource(new.GetAPIVersion(), new.GetKind(), config.KubePolicyNamespace, new, false); err != nil {
 return fmt.Errorf("failed to update report request: %v", err)
 }
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index b7b04f421c..b17e527a56 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -293,7 +293,6 @@ func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1
 if containRBACinfo(mutatePolicies, validatePolicies, generatePolicies) {
 roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
 if err != nil {
- // TODO(shuting): continue apply policy if error getting roleRef?
 logger.Error(err, "failed to get RBAC information for request")
 }
 }
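Review bot: A failed `userinfo.GetRoleRef` in `ResourceMutation` (pkg/webhooks/server.go) is only logged, and as far as this hunk shows evaluation continues with `roles` and `clusterRoles` empty; the TODO that raised this is deleted without the question being settled. Policies whose match or exclude clauses depend on roles would then be evaluated without RBAC data, which can skip a policy that should have applied to the request. Either decide the behaviour in code or record it where the TODO stood, for example `// GetRoleRef failed: roles and clusterRoles stay empty, so role-based match/exclude clauses see no RBAC data`. The rest of the function is outside this hunk.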