644 removed concurrency
parent
9f36141e3c
commit
38f916961d
1 changed files with 48 additions and 99 deletions
|
@ -5,7 +5,6 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/nirmata/kyverno/pkg/utils"
|
||||
|
@ -70,83 +69,49 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin
|
|||
}
|
||||
|
||||
func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, userInfo kyverno.UserInfo, admissionInfo kyverno.RequestInfo, resource unstructured.Unstructured) []error {
|
||||
var wg sync.WaitGroup
|
||||
wg.Add(7)
|
||||
var errs = make(chan error, 7)
|
||||
go func() {
|
||||
if len(conditionBlock.Kinds) > 0 {
|
||||
if !checkKind(conditionBlock.Kinds, resource.GetKind()) {
|
||||
errs <- fmt.Errorf("resource kind does not match conditionBlock")
|
||||
var errs []error
|
||||
if len(conditionBlock.Kinds) > 0 {
|
||||
if !checkKind(conditionBlock.Kinds, resource.GetKind()) {
|
||||
errs = append(errs, fmt.Errorf("resource kind does not match conditionBlock"))
|
||||
}
|
||||
}
|
||||
if conditionBlock.Name != "" {
|
||||
if !checkName(conditionBlock.Name, resource.GetName()) {
|
||||
errs = append(errs, fmt.Errorf("resource name does not match conditionBlock"))
|
||||
}
|
||||
}
|
||||
if len(conditionBlock.Namespaces) > 0 {
|
||||
if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) {
|
||||
errs = append(errs, fmt.Errorf("resource namespace does not match conditionBlock"))
|
||||
}
|
||||
}
|
||||
if conditionBlock.Selector != nil {
|
||||
hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels())
|
||||
if err != nil {
|
||||
errs = append(errs, fmt.Errorf("could not parse selector block of the policy in conditionBlock: %v", err))
|
||||
} else {
|
||||
if !hasPassed {
|
||||
errs = append(errs, fmt.Errorf("resource does not match selector of given conditionBlock"))
|
||||
}
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
go func() {
|
||||
if conditionBlock.Name != "" {
|
||||
if !checkName(conditionBlock.Name, resource.GetName()) {
|
||||
errs <- fmt.Errorf("resource name does not match conditionBlock")
|
||||
}
|
||||
}
|
||||
if len(userInfo.Roles) > 0 {
|
||||
if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
|
||||
errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock"))
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
go func() {
|
||||
if len(conditionBlock.Namespaces) > 0 {
|
||||
if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) {
|
||||
errs <- fmt.Errorf("resource namespace does not match conditionBlock")
|
||||
}
|
||||
}
|
||||
if len(userInfo.ClusterRoles) > 0 {
|
||||
if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
|
||||
errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
go func() {
|
||||
if conditionBlock.Selector != nil {
|
||||
hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels())
|
||||
if err != nil {
|
||||
errs <- fmt.Errorf("could not parse selector block of the policy in conditionBlock: %v", err)
|
||||
} else {
|
||||
if !hasPassed {
|
||||
errs <- fmt.Errorf("resource does not match selector of given conditionBlock")
|
||||
}
|
||||
}
|
||||
}
|
||||
if len(userInfo.Subjects) > 0 {
|
||||
if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) {
|
||||
errs = append(errs, fmt.Errorf("user info does not match subject for the given conditionBlock"))
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
go func() {
|
||||
if len(userInfo.Roles) > 0 {
|
||||
if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) {
|
||||
errs <- fmt.Errorf("user info does not match roles for the given conditionBlock")
|
||||
}
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
go func() {
|
||||
if len(userInfo.ClusterRoles) > 0 {
|
||||
if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
|
||||
errs <- fmt.Errorf("user info does not match clustersRoles for the given conditionBlock")
|
||||
}
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
go func() {
|
||||
if len(userInfo.Subjects) > 0 {
|
||||
if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) {
|
||||
errs <- fmt.Errorf("user info does not match subject for the given conditionBlock")
|
||||
}
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
wg.Wait()
|
||||
close(errs)
|
||||
|
||||
var errsIfAny []error
|
||||
for err := range errs {
|
||||
errsIfAny = append(errsIfAny, err)
|
||||
}
|
||||
|
||||
return errsIfAny
|
||||
return errs
|
||||
}
|
||||
|
||||
// matchSubjects return true if one of ruleSubjects exist in userInfo
|
||||
|
@ -196,44 +161,28 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k
|
|||
resource := *resourceRef.DeepCopy()
|
||||
admissionInfo := *admissionInfoRef.DeepCopy()
|
||||
|
||||
var errs = make(chan error, 8)
|
||||
var wg sync.WaitGroup
|
||||
wg.Add(2)
|
||||
var reasonsForFailure []error
|
||||
|
||||
if reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) {
|
||||
rule.MatchResources.UserInfo = kyverno.UserInfo{}
|
||||
}
|
||||
|
||||
// checking if resource matches the rule
|
||||
go func() {
|
||||
if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) {
|
||||
matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource)
|
||||
for _, matchErr := range matchErrs {
|
||||
errs <- matchErr
|
||||
}
|
||||
} else {
|
||||
errs <- fmt.Errorf("match block in rule cannot be empty")
|
||||
if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) {
|
||||
matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource)
|
||||
for _, matchErr := range matchErrs {
|
||||
reasonsForFailure = append(reasonsForFailure, matchErr)
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
} else {
|
||||
reasonsForFailure = append(reasonsForFailure, fmt.Errorf("match block in rule cannot be empty"))
|
||||
}
|
||||
|
||||
// checking if resource has been excluded
|
||||
go func() {
|
||||
if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) {
|
||||
excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource)
|
||||
if excludeErrs == nil {
|
||||
errs <- fmt.Errorf("resource has been excluded since it matches the exclude block")
|
||||
}
|
||||
if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) {
|
||||
excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource)
|
||||
if excludeErrs == nil {
|
||||
reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource has been excluded since it matches the exclude block"))
|
||||
}
|
||||
wg.Done()
|
||||
}()
|
||||
|
||||
wg.Wait()
|
||||
close(errs)
|
||||
|
||||
var reasonsForFailure []error
|
||||
for err := range errs {
|
||||
reasonsForFailure = append(reasonsForFailure, err)
|
||||
}
|
||||
|
||||
// creating final error
|
||||
|
|
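Review bot: In the last hunk (MatchesResourceDescription) the exclude decision is still `if excludeErrs == nil`, which on the sequential side holds only because doesResourceMatchConditionBlock declares `var errs []error` and returns it untouched when nothing is appended. Because this comparison decides whether a resource is exempted from a rule, `if len(excludeErrs) == 0 {` would state the intent and keep working if the helper is later changed to `errs := []error{}` or a pre-sized `make`. A selector parse failure is appended to the same slice as an ordinary mismatch, so a malformed exclude selector is treated as "not excluded"; a doc comment on doesResourceMatchConditionBlock saying that it returns nil only when every populated field matches, and that parse errors are reported as mismatches, would make that contract visible to callers. The copy loop in the match branch can be written as `reasonsForFailure = append(reasonsForFailure, matchErrs...)`. The page shows old and new lines without markers, so the side of each line is inferred from the commit title and the diffstat; MatchesResourceDescription starts before and continues past this hunk.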