From 35e0c7ca49b56b7214970c60386ebc737e518ff9 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani
Date: Wed, 21 Aug 2019 16:34:17 -0700
Subject: [PATCH] fix build errors + add example for exclude policy
---
 examples/policy_mutate_imagePullPolicy.yaml | 4 ++
 pkg/kyverno/apply/apply.go | 43 ++++++++++-----------
 pkg/kyverno/apply/util.go | 10 +++++
 test/generate-resource/main.go | 4 +-
 4 files changed, 37 insertions(+), 24 deletions(-)
diff --git a/examples/policy_mutate_imagePullPolicy.yaml b/examples/policy_mutate_imagePullPolicy.yaml
index 64fb71a910..83a9aad033 100644
--- a/examples/policy_mutate_imagePullPolicy.yaml
+++ b/examples/policy_mutate_imagePullPolicy.yaml
@@ -12,6 +12,10 @@ spec:
 selector:
 matchLabels:
 app : nginxlatest
+ exclude:
+ resources:
+ kinds:
+ - DaemonSet
 mutate:
 overlay:
 spec:
diff --git a/pkg/kyverno/apply/apply.go b/pkg/kyverno/apply/apply.go
index eb30c5dc26..e8b9ad2316 100644
--- a/pkg/kyverno/apply/apply.go
+++ b/pkg/kyverno/apply/apply.go
@@ -8,7 +8,7 @@ import (
 "os"
 "github.com/golang/glog"
- kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
+ kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
 "github.com/nirmata/kyverno/pkg/engine"
 "github.com/nirmata/kyverno/pkg/info"
 "github.com/spf13/cobra"
@@ -51,7 +51,7 @@ func NewCmdApply(in io.Reader, out, errout io.Writer) *cobra.Command {
 return cmd
 }
-func complete(kubeconfig string, args []string) (*kubepolicy.Policy, []*resourceInfo) {
+func complete(kubeconfig string, args []string) (*kyverno.Policy, []*resourceInfo) {
 policyDir, resourceDir, err := validateDir(args)
 if err != nil {
 glog.Errorf("Failed to parse file path, err: %v\n", err)
@@ -75,7 +75,7 @@ func complete(kubeconfig string, args []string) (*kubepolicy.Policy, []*resource
 return policy, resources
 }
-func applyPolicy(policy *kubepolicy.Policy, resources []*resourceInfo) (output string) {
+func applyPolicy(policy *kyverno.Policy, resources []*resourceInfo) (output string) {
 for _, resource := range resources {
 patchedDocument, err := applyPolicyOnRaw(policy, resource.rawResource, resource.gvk)
 if err != nil {
@@ -94,7 +94,7 @@ func applyPolicy(policy *kubepolicy.Policy, resources []*resourceInfo) (output s
 return
 }
-func applyPolicyOnRaw(policy *kubepolicy.Policy, rawResource []byte, gvk *metav1.GroupVersionKind) ([]byte, error) {
+func applyPolicyOnRaw(policy *kyverno.Policy, rawResource []byte, gvk *metav1.GroupVersionKind) ([]byte, error) {
 patchedResource := rawResource
 var err error
@@ -106,45 +106,44 @@ func applyPolicyOnRaw(policy *kubepolicy.Policy, rawResource []byte, gvk *metav1
 rns,
 policy.Spec.ValidationFailureAction)
+ resource, err := ConvertToUnstructured(rawResource)
+ if err != nil {
+ return nil, err
+ }
+ //TODO check if the kind information is present resource
 // Process Mutation
- patches, ruleInfos := engine.Mutate(*policy, rawResource, *gvk)
- policyInfo.AddRuleInfos(ruleInfos)
+ engineResponse := engine.Mutate(*policy, *resource)
+ policyInfo.AddRuleInfos(engineResponse.RuleInfos)
 if !policyInfo.IsSuccessful() {
 glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
- for _, r := range ruleInfos {
+ for _, r := range engineResponse.RuleInfos {
 glog.Warning(r.Msgs)
 }
- } else if len(patches) > 0 {
+ } else if len(engineResponse.Patches) > 0 {
 glog.Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, gvk.Kind, rname, rns)
- patchedResource, err = engine.ApplyPatches(rawResource, patches)
+ patchedResource, err = engine.ApplyPatches(rawResource, engineResponse.Patches)
 if err != nil {
 return nil, fmt.Errorf("Unable to apply mutation patches:\n%v", err)
 }
 // Process Validation
- ruleInfos, err := engine.Validate(*policy, patchedResource, *gvk)
- if err != nil {
- // This is not policy error
- // but if unable to parse request raw resource
- // TODO : create event ?
dont think so
- glog.Error(err)
- return patchedResource, err
- }
- policyInfo.AddRuleInfos(ruleInfos)
+ engineResponse := engine.Validate(*policy, *resource)
+
+ policyInfo.AddRuleInfos(engineResponse.RuleInfos)
 if !policyInfo.IsSuccessful() {
 glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
- for _, r := range ruleInfos {
+ for _, r := range engineResponse.RuleInfos {
 glog.Warning(r.Msgs)
 }
 return patchedResource, fmt.Errorf("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
- } else if len(ruleInfos) > 0 {
+ } else if len(engineResponse.RuleInfos) > 0 {
 glog.Infof("Validation from policy %s has applied succesfully to %s %s/%s", policy.Name, gvk.Kind, rname, rns)
 }
 }
 return patchedResource, nil
 }
-func extractPolicy(fileDir string) (*kubepolicy.Policy, error) {
- policy := &kubepolicy.Policy{}
+func extractPolicy(fileDir string) (*kyverno.Policy, error) {
+ policy := &kyverno.Policy{}
 file, err := loadFile(fileDir)
 if err != nil {
diff --git a/pkg/kyverno/apply/util.go b/pkg/kyverno/apply/util.go
index bb71715ac3..26e0390300 100644
--- a/pkg/kyverno/apply/util.go
+++ b/pkg/kyverno/apply/util.go
@@ -9,6 +9,7 @@ import (
 "github.com/golang/glog"
 yamlv2 "gopkg.in/yaml.v2"
+ unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 rest "k8s.io/client-go/rest"
 clientcmd "k8s.io/client-go/tools/clientcmd"
 )
@@ -93,3 +94,12 @@ func scanDir(dir string) ([]string, error) {
 return res[1:], nil
 }
+func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error) {
+ resource := &unstructured.Unstructured{}
+ err := resource.UnmarshalJSON(data)
+ if err != nil {
+ glog.V(4).Infof("failed to unmarshall resource: %v", err)
+ return nil, err
+ }
+ return resource, nil
+}
diff --git a/test/generate-resource/main.go b/test/generate-resource/main.go
index ee5a66b579..6a8d52bd59 100644
--- a/test/generate-resource/main.go
+++ b/test/generate-resource/main.go
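Review bot: In applyPolicyOnRaw the validation step now calls `engine.Validate(*policy, *resource)` with the `resource` decoded from `rawResource` before mutation, whereas the removed code validated `patchedResource`. Unless engine.Mutate updates the object in place (not visible here), validation no longer sees the patches that ApplyPatches just produced, so the function can return a patched document that was never checked against the policy's validation rules. Decode the patched bytes first, `patched, err := ConvertToUnstructured(patchedResource)` with the usual error return, and then call `engine.Validate(*policy, *patched)`. The inner `engineResponse :=` also shadows the mutation response declared above it, and the removed error return from Validate has no replacement, so it is worth confirming that the new response type reports decode failures. The function begins before this hunk.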
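Review bot: ConvertToUnstructured is exported without a doc comment, and the comment should state that the input must be JSON, because `UnmarshalJSON` does not accept YAML and the apply command appears to read resource files from disk (the loader is outside this hunk). Suggested comment: `// ConvertToUnstructured decodes a JSON-encoded resource into an unstructured.Unstructured; YAML input must be converted to JSON first.` The function also logs the failure at V(4) and returns the same error, so the caller in apply.go handles it a second time; returning the error with a short description of what was being decoded, and dropping the log line, would keep the handling at one layer.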
@@ -10,7 +10,7 @@ import (
 "path/filepath"
 "strconv"
- kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
+ kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
 yaml "k8s.io/apimachinery/pkg/util/yaml"
 )
@@ -21,7 +21,7 @@ func main() {
 }
 func generatePolicies() error {
- var policy *kubepolicy.Policy
+ var policy *kyverno.Policy
 file, err := ioutil.ReadFile(policyPath)
 if err != nil {