mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

[BUG] filterK8Resources is not correctly configured using ConfigMap (#1059)

Browse source 
* configmap issue fixed

* fixed e2e test

* helm template file added

* remove extra check

* string empty check removed
This commit is contained in:
Yuvraj 2020-08-19 13:46:08 +05:30 committed by GitHub
parent dbd35831c1
commit 3799b52fc8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 41 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
charts/kyverno/templates/configmap.yaml
View file

@ -7,5 +7,13 @@ metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
data: data:
# resource types to be skipped by kyverno policy engine # resource types to be skipped by kyverno policy engine
{{- if .Values.config.resourceFilters }}
resourceFilters: {{ join "" .Values.config.resourceFilters | quote }} resourceFilters: {{ join "" .Values.config.resourceFilters | quote }}
{{- end -}}
{{- if .Values.config.excludeGroupRole }}
excludeGroupRole: {{ join "" .Values.config.excludeGroupRole | quote }}
{{- end -}}
{{- if .Values.config.excludeUsername }}
excludeUsername: {{ join "" .Values.config.excludeUsername | quote }}
{{- end -}}
{{- end -}} {{- end -}}

5
charts/kyverno/values.yaml
View file

@ -99,7 +99,10 @@ config:
- "[*,kyverno,*]" - "[*,kyverno,*]"
# Or give the name of an existing config map (ignores default/provided resourceFilters) # Or give the name of an existing config map (ignores default/provided resourceFilters)
existingConfig: '' existingConfig: ''
excludeGroupRole: '' excludeGroupRole:
# - ""
excludeUsername:
# - ""
# existingConfig: init-config # existingConfig: init-config
service: service:

72
pkg/config/dynamicconfig.go
View file

@ -109,6 +109,8 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI
if excludeGroupRole != "" { if excludeGroupRole != "" {
cd.log.Info("init configuration from commandline arguments for excludeGroupRole") cd.log.Info("init configuration from commandline arguments for excludeGroupRole")
cd.initRbac("excludeRoles", excludeGroupRole) cd.initRbac("excludeRoles", excludeGroupRole)
}else{
cd.initRbac("excludeRoles", "")
} }
if excludeUsername != "" { if excludeUsername != "" {
@ -180,50 +182,28 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
logger.V(4).Info("configuration: No data defined in ConfigMap") logger.V(4).Info("configuration: No data defined in ConfigMap")
return return
} }
// parse and load the configuration
cd.mux.Lock()
defer cd.mux.Unlock()
// get resource filters // get resource filters
filters, ok := cm.Data["resourceFilters"] filters, ok := cm.Data["resourceFilters"]
if !ok { if !ok {
logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap") logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap")
return }else{
newFilters := parseKinds(filters)
if reflect.DeepEqual(newFilters, cd.filters) {
logger.V(4).Info("resourceFilters did not change")
} else {
logger.V(2).Info("Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters)
// update filters
cd.filters = newFilters
}
} }
// get resource filters // get resource filters
excludeGroupRole, ok := cm.Data["excludeGroupRole"] excludeGroupRole, ok := cm.Data["excludeGroupRole"]
if !ok { if !ok {
logger.V(4).Info("configuration: No excludeGroupRole defined in ConfigMap") logger.V(4).Info("configuration: No excludeGroupRole defined in ConfigMap")
return
}
// get resource filters
excludeUsername, ok := cm.Data["excludeUsername"]
if !ok {
logger.V(4).Info("configuration: No excludeUsername defined in ConfigMap")
return
}
// filters is a string
if filters == "" {
logger.V(4).Info("configuration: resourceFilters is empty in ConfigMap")
return
}
if excludeGroupRole == "" {
logger.V(4).Info("configuration: excludeGroupRole is empty in ConfigMap")
return
}
if excludeUsername == "" {
logger.V(4).Info("configuration: excludeUsername is empty in ConfigMap")
return
}
// parse and load the configuration
cd.mux.Lock()
defer cd.mux.Unlock()
newFilters := parseKinds(filters)
if reflect.DeepEqual(newFilters, cd.filters) {
logger.V(4).Info("resourceFilters did not change")
} else {
logger.V(2).Info("Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters)
// update filters
cd.filters = newFilters
} }
newExcludeGroupRoles := parseRbac(excludeGroupRole) newExcludeGroupRoles := parseRbac(excludeGroupRole)
newExcludeGroupRoles = append(newExcludeGroupRoles, defaultExcludeGroupRole...) newExcludeGroupRoles = append(newExcludeGroupRoles, defaultExcludeGroupRole...)
@ -235,13 +215,19 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
cd.excludeGroupRole = newExcludeGroupRoles cd.excludeGroupRole = newExcludeGroupRoles
} }
excludeUsernames := parseRbac(excludeUsername) // get resource filters
if reflect.DeepEqual(excludeUsernames, cd.excludeUsername) { excludeUsername, ok := cm.Data["excludeUsername"]
logger.V(4).Info("excludeGroupRole did not change") if !ok {
} else { logger.V(4).Info("configuration: No excludeUsername defined in ConfigMap")
logger.V(2).Info("Updated resource excludeUsernames", "oldExcludeUsername", cd.excludeUsername, "newExcludeUsername", excludeUsernames) }else{
// update filters excludeUsernames := parseRbac(excludeUsername)
cd.excludeUsername = excludeUsernames if reflect.DeepEqual(excludeUsernames, cd.excludeUsername) {
logger.V(4).Info("excludeGroupRole did not change")
} else {
logger.V(2).Info("Updated resource excludeUsernames", "oldExcludeUsername", cd.excludeUsername, "newExcludeUsername", excludeUsernames)
// update filters
cd.excludeUsername = excludeUsernames
}
} }
} }