mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-29 02:45:06 +00:00
[BUG] filterK8Resources is not correctly configured using ConfigMap (#1059)
* configmap issue fixed * fixed e2e test * helm template file added * remove extra check * string empty check removed
This commit is contained in:
Yuvraj
GitHub
parent
dbd35831c1
commit
3799b52fc8
3 changed files with 41 additions and 44 deletions
|
|
@ -7,5 +7,13 @@ metadata:
|
|||
namespace: {{ .Release.Namespace }}
|
||||
data:
|
||||
# resource types to be skipped by kyverno policy engine
|
||||
{{- if .Values.config.resourceFilters }}
|
||||
resourceFilters: {{ join "" .Values.config.resourceFilters | quote }}
|
||||
{{- end -}}
|
||||
{{- if .Values.config.excludeGroupRole }}
|
||||
excludeGroupRole: {{ join "" .Values.config.excludeGroupRole | quote }}
|
||||
{{- end -}}
|
||||
{{- if .Values.config.excludeUsername }}
|
||||
excludeUsername: {{ join "" .Values.config.excludeUsername | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
@ -99,7 +99,10 @@ config:
|
|||
- "[*,kyverno,*]"
|
||||
# Or give the name of an existing config map (ignores default/provided resourceFilters)
|
||||
existingConfig: ''
|
||||
excludeGroupRole: ''
|
||||
excludeGroupRole:
|
||||
# - ""
|
||||
excludeUsername:
|
||||
# - ""
|
||||
# existingConfig: init-config
|
||||
|
||||
service:
|
||||
|
|
|
|||
|
|
@ -109,6 +109,8 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI
|
|||
if excludeGroupRole != "" {
|
||||
cd.log.Info("init configuration from commandline arguments for excludeGroupRole")
|
||||
cd.initRbac("excludeRoles", excludeGroupRole)
|
||||
}else{
|
||||
cd.initRbac("excludeRoles", "")
|
||||
}
|
||||
|
||||
if excludeUsername != "" {
|
||||
|
|
@ -180,50 +182,28 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
|
|||
logger.V(4).Info("configuration: No data defined in ConfigMap")
|
||||
return
|
||||
}
|
||||
// parse and load the configuration
|
||||
cd.mux.Lock()
|
||||
defer cd.mux.Unlock()
|
||||
// get resource filters
|
||||
filters, ok := cm.Data["resourceFilters"]
|
||||
if !ok {
|
||||
if !ok {
|
||||
logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap")
|
||||
return
|
||||
}else{
|
||||
newFilters := parseKinds(filters)
|
||||
if reflect.DeepEqual(newFilters, cd.filters) {
|
||||
logger.V(4).Info("resourceFilters did not change")
|
||||
} else {
|
||||
logger.V(2).Info("Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters)
|
||||
// update filters
|
||||
cd.filters = newFilters
|
||||
}
|
||||
}
|
||||
|
||||
// get resource filters
|
||||
excludeGroupRole, ok := cm.Data["excludeGroupRole"]
|
||||
if !ok {
|
||||
if !ok {
|
||||
logger.V(4).Info("configuration: No excludeGroupRole defined in ConfigMap")
|
||||
return
|
||||
}
|
||||
// get resource filters
|
||||
excludeUsername, ok := cm.Data["excludeUsername"]
|
||||
if !ok {
|
||||
logger.V(4).Info("configuration: No excludeUsername defined in ConfigMap")
|
||||
return
|
||||
}
|
||||
// filters is a string
|
||||
if filters == "" {
|
||||
logger.V(4).Info("configuration: resourceFilters is empty in ConfigMap")
|
||||
return
|
||||
}
|
||||
if excludeGroupRole == "" {
|
||||
logger.V(4).Info("configuration: excludeGroupRole is empty in ConfigMap")
|
||||
return
|
||||
}
|
||||
|
||||
if excludeUsername == "" {
|
||||
logger.V(4).Info("configuration: excludeUsername is empty in ConfigMap")
|
||||
return
|
||||
}
|
||||
// parse and load the configuration
|
||||
cd.mux.Lock()
|
||||
defer cd.mux.Unlock()
|
||||
|
||||
newFilters := parseKinds(filters)
|
||||
if reflect.DeepEqual(newFilters, cd.filters) {
|
||||
logger.V(4).Info("resourceFilters did not change")
|
||||
} else {
|
||||
logger.V(2).Info("Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters)
|
||||
// update filters
|
||||
cd.filters = newFilters
|
||||
}
|
||||
newExcludeGroupRoles := parseRbac(excludeGroupRole)
|
||||
newExcludeGroupRoles = append(newExcludeGroupRoles, defaultExcludeGroupRole...)
|
||||
|
|
@ -235,13 +215,19 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
|
|||
cd.excludeGroupRole = newExcludeGroupRoles
|
||||
}
|
||||
|
||||
excludeUsernames := parseRbac(excludeUsername)
|
||||
if reflect.DeepEqual(excludeUsernames, cd.excludeUsername) {
|
||||
logger.V(4).Info("excludeGroupRole did not change")
|
||||
} else {
|
||||
logger.V(2).Info("Updated resource excludeUsernames", "oldExcludeUsername", cd.excludeUsername, "newExcludeUsername", excludeUsernames)
|
||||
// update filters
|
||||
cd.excludeUsername = excludeUsernames
|
||||
// get resource filters
|
||||
excludeUsername, ok := cm.Data["excludeUsername"]
|
||||
if !ok {
|
||||
logger.V(4).Info("configuration: No excludeUsername defined in ConfigMap")
|
||||
}else{
|
||||
excludeUsernames := parseRbac(excludeUsername)
|
||||
if reflect.DeepEqual(excludeUsernames, cd.excludeUsername) {
|
||||
logger.V(4).Info("excludeGroupRole did not change")
|
||||
} else {
|
||||
logger.V(2).Info("Updated resource excludeUsernames", "oldExcludeUsername", cd.excludeUsername, "newExcludeUsername", excludeUsernames)
|
||||
// update filters
|
||||
cd.excludeUsername = excludeUsernames
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue