
parse regex from policyResourceName

This commit is contained in:
shuting 2019-04-30 18:54:08 -07:00
parent 9a6738e272
commit 2e1c4b36d9
4 changed files with 39 additions and 33 deletions


@ -80,7 +80,7 @@ func NewPolicyController(config *rest.Config, logger *log.Logger) (*PolicyContro
func (c *PolicyController) Run(stopCh <-chan struct{}) { func (c *PolicyController) Run(stopCh <-chan struct{}) {
c.policyInformerFactory.Start(stopCh) c.policyInformerFactory.Start(stopCh)
// Un-comment to run the violation Builder // Un-comment to run the violation Builder
// c.violationBuilder.Run(1, stopCh) c.violationBuilder.Run(1, stopCh)
} }
// GetPolicies retrieves all policy resources // GetPolicies retrieves all policy resources
@ -135,12 +135,12 @@ func (c *PolicyController) addPolicyLog(name, text string) {
// Add new log record // Add new log record
text = time.Now().Format("2006 Jan 02 15:04:05.999 ") + text text = time.Now().Format("2006 Jan 02 15:04:05.999 ") + text
policy.Status.Logs = append(policy.Status.Logs, text) //policy.Status.Logs = append(policy.Status.Logs, text)
// Pop front extra log records // Pop front extra log records
logsCount := len(policy.Status.Logs) // logsCount := len(policy.Status.Logs)
if logsCount > policyLogMaxRecords { // if logsCount > policyLogMaxRecords {
policy.Status.Logs = policy.Status.Logs[logsCount-policyLogMaxRecords:] // policy.Status.Logs = policy.Status.Logs[logsCount-policyLogMaxRecords:]
} // }
// Save logs to policy object // Save logs to policy object
_, err = c.policiesInterface.UpdateStatus(policy) _, err = c.policiesInterface.UpdateStatus(policy)
if err != nil { if err != nil {
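Review bot: The second hunk leaves `addPolicyLog` building the timestamped `text` and then still calling `c.policiesInterface.UpdateStatus(policy)` although the append to `policy.Status.Logs` is now commented out, so every call issues a status update that changes nothing while the record it was asked to add is dropped. If recording is meant to be disabled, return before the `UpdateStatus` call (or gate both the append and the update on the same switch); if not, restore the append and the trim to `policyLogMaxRecords` together. The first hunk activates `c.violationBuilder.Run(1, stopCh)` but keeps the comment `// Un-comment to run the violation Builder` above it, which is now misleading; drop it or replace it with `// start the violation builder alongside the informers`. `addPolicyLog` and `Run` both start and end outside their hunks.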


@ -61,40 +61,40 @@ func IsRuleApplicableToResource(kind string, resourceRaw []byte, policyResource
meta := parseMetadataFromObject(resourceRaw) meta := parseMetadataFromObject(resourceRaw)
name := parseNameFromMetadata(meta) name := parseNameFromMetadata(meta)
// if policyResource.Name != nil && *policyResource.Name != name {
// return false, false
// }
if policyResource.Name != nil { if policyResource.Name != nil {
fmt.Println("*policyResource.Name, name", *policyResource.Name, name)
policyResourceName, isRegex := parseRegexPolicyResourceName(*policyResource.Name)
fmt.Println("policyResourceName, name, isRegex", policyResourceName, name, isRegex)
// if no regex used, check if names are matched, return directly // if no regex used, check if names are matched, return directly
if policyResource.Name != nil && *policyResource.Name == name { if !isRegex && policyResourceName != name {
return true, nil return false, nil
} }
// validation of regex is peformed when validating the policyResource // validation of regex is peformed when validating the policyResource
// refer to policyResource.Validate() // refer to policyResource.Validate()
parseRegexPolicyResourceName(*policyResource.Name) if isRegex {
match, _ := regexp.MatchString(*policyResource.Name, name) match, _ := regexp.MatchString(policyResourceName, name)
if !match {
if !match {
return false, nil
}
if policyResource.Selector != nil {
selector, err := metav1.LabelSelectorAsSelector(policyResource.Selector)
if err != nil {
return false, err
}
labelMap := parseLabelsFromMetadata(meta)
if !selector.Matches(labelMap) {
return false, nil return false, nil
} }
} }
} }
if policyResource.Selector != nil {
selector, err := metav1.LabelSelectorAsSelector(policyResource.Selector)
if err != nil {
return false, err
}
labelMap := parseLabelsFromMetadata(meta)
if !selector.Matches(labelMap) {
return false, nil
}
}
} }
return true, nil return true, nil
} }
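Review bot: The error from `regexp.MatchString(policyResourceName, name)` is discarded with `_`, so a pattern that does not compile is reported as "no match" and the rule is silently skipped instead of surfaced, even though the function already returns `(bool, error)`; propagate it with `match, err := regexp.MatchString(policyResourceName, name)` followed by `if err != nil { return false, err }`, which also makes the comment about `policyResource.Validate()` a belt-and-braces note rather than the only guard. The two `fmt.Println` calls print the policy name and resource name unstructured to stdout on every admission request and read as leftover debugging; remove them or route them through the controller's logger. `MatchString` is unanchored, so `regex: foo` also matches any name merely containing `foo`; if whole-name matching is intended, either wrap the pattern as `^(?:` + pattern + `)$` before matching or document the substring semantics where `parseRegexPolicyResourceName` is described. `IsRuleApplicableToResource` starts before this hunk.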


@ -78,6 +78,7 @@ func (mw *MutationWebhook) Mutate(request *v1beta1.AdmissionRequest) *v1beta1.Ad
namespace := parseNamespaceFromMetadata(meta) namespace := parseNamespaceFromMetadata(meta)
name := parseNameFromMetadata(meta) name := parseNameFromMetadata(meta)
mw.controller.LogPolicyInfo(policy.Name, fmt.Sprintf("Applied to %s %s/%s", request.Kind.Kind, namespace, name)) mw.controller.LogPolicyInfo(policy.Name, fmt.Sprintf("Applied to %s %s/%s", request.Kind.Kind, namespace, name))
mw.logger.Printf("%s applied to %s %s/%s", policy.Name, request.Kind.Kind, namespace, name)
allPatches = append(allPatches, policyPatches...) allPatches = append(allPatches, policyPatches...)
} }
@ -123,7 +124,7 @@ func (mw *MutationWebhook) applyPolicyRulesOnResource(kind string, rawResource [
} }
if ok, err := IsRuleApplicableToResource(kind, rawResource, rule.Resource); !ok { if ok, err := IsRuleApplicableToResource(kind, rawResource, rule.Resource); !ok {
// mw.logger.Printf("Rule %d of policy %s does not match the request %v", ruleIdx, policy.Name, request.UID) mw.logger.Printf("Rule %d of policy %s does not match the request", ruleIdx, policy.Name)
violationCount++ violationCount++
return nil, violationCount, err return nil, violationCount, err
} }
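Review bot: The new log line in the second hunk says "does not match the request" but drops `err`, so when `IsRuleApplicableToResource` returns `ok == false` because the label selector could not be converted, the log blames a mismatch while the actual cause is only visible to whoever receives the returned `err`. Include it: `mw.logger.Printf("Rule %d of policy %s does not match the request: %v", ruleIdx, policy.Name, err)`. A short comment above the `if` noting that a non-applicable rule both increments `violationCount` and ends processing of the remaining rules would help, since that is not obvious from the message text. `applyPolicyRulesOnResource` starts and ends outside the hunk.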


@ -2,6 +2,7 @@ package webhooks
import ( import (
"encoding/json" "encoding/json"
"strings"
"k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/labels"
) )
@ -39,7 +40,11 @@ func parseNamespaceFromMetadata(meta map[string]interface{}) string {
return "" return ""
} }
// TODO: // returns true if policyResourceName is a regexp
func parseRegexPolicyResourceName(policyResourceName string) string { func parseRegexPolicyResourceName(policyResourceName string) (string, bool) {
return "" regex := strings.Split(policyResourceName, "regex:")
if len(regex) == 1 {
return regex[0], false
}
return strings.Trim(regex[1], " "), true
} }
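Review bot: `strings.Split(policyResourceName, "regex:")` treats `regex:` anywhere in the name as the marker, so a plain name such as `my-regex:x` comes back as pattern `x` with `isRegex == true`, and a name containing the marker twice returns only the middle segment; match the prefix explicitly and trim all whitespace rather than only spaces, as below. A bare `regex:` with nothing after it currently yields an empty pattern, and `regexp.MatchString("", name)` is true for every name, so an empty pattern should be rejected here or in `policyResource.Validate()` rather than silently selecting all resources. The doc comment should also start with the function name, per Go convention.
```go
// parseRegexPolicyResourceName interprets a policy resource name of the form
// "regex: <pattern>". It returns the pattern and true when the prefix is
// present, otherwise the name unchanged and false.
func parseRegexPolicyResourceName(policyResourceName string) (string, bool) {
	if !strings.HasPrefix(policyResourceName, "regex:") {
		return policyResourceName, false
	}
	return strings.TrimSpace(strings.TrimPrefix(policyResourceName, "regex:")), true
}
```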