code review corrections
This commit is contained in:
parent
50b0da48a1
commit
39a17911c3
3 changed files with 40 additions and 8 deletions
|
@ -176,6 +176,7 @@ spec:
|
||||||
containers:
|
containers:
|
||||||
- name: kyverno
|
- name: kyverno
|
||||||
image: nirmata/kyverno:latest
|
image: nirmata/kyverno:latest
|
||||||
|
args: ["--filterKind","Nodes,Events,APIService,SubjectAccessReview"]
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 443
|
- containerPort: 443
|
||||||
securityContext:
|
securityContext:
|
||||||
|
|
|
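Review bot: The new `args` line hands `--filterKind` a single comma-joined value, but the `ArrayFlags.Set` shown in the last file of this commit appends the raw value (`*i = append(*i, value)`) without splitting, so unless the value is split on commas somewhere before it reaches `ws.filterKinds`, the exact-match `StringInSlice` check in `serve` would compare against the one entry `Nodes,Events,APIService,SubjectAccessReview` and filter nothing. Either confirm that split happens at flag registration or pass the flag once per kind, as in `args: ["--filterKind","Nodes","--filterKind","Events", ...]` (constructed example). Since kinds in this list are skipped by the admission handler entirely, a manifest comment saying so would help operators: `# kinds excluded from admission processing; policies that target them are not applied`.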
@ -81,6 +81,7 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
|
||||||
admissionReview.Response = &v1beta1.AdmissionResponse{
|
admissionReview.Response = &v1beta1.AdmissionResponse{
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
}
|
}
|
||||||
|
// Do not process the admission requests for kinds that are in filterKinds for filtering
|
||||||
if !StringInSlice(admissionReview.Request.Kind.Kind, ws.filterKinds) {
|
if !StringInSlice(admissionReview.Request.Kind.Kind, ws.filterKinds) {
|
||||||
|
|
||||||
switch r.URL.Path {
|
switch r.URL.Path {
|
||||||
|
@ -135,15 +136,19 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
|
||||||
glog.Warning(err)
|
glog.Warning(err)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
glog.V(3).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
|
||||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
|
||||||
|
|
||||||
admissionResult := result.NewAdmissionResult(string(request.UID))
|
admissionResult := result.NewAdmissionResult(string(request.UID))
|
||||||
var allPatches []engine.PatchBytes
|
var allPatches []engine.PatchBytes
|
||||||
for _, policy := range policies {
|
for _, policy := range policies {
|
||||||
if policy.Kind != request.Kind.Kind {
|
|
||||||
|
// check if policy has a rule for the admission request kind
|
||||||
|
if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
glog.V(3).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||||
|
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||||
|
|
||||||
glog.Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
glog.Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||||
|
|
||||||
policyPatches, mutationResult := engine.Mutate(*policy, request.Object.Raw, request.Kind)
|
policyPatches, mutationResult := engine.Mutate(*policy, request.Object.Raw, request.Kind)
|
||||||
|
@ -159,10 +164,10 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
|
||||||
name := engine.ParseNameFromObject(request.Object.Raw)
|
name := engine.ParseNameFromObject(request.Object.Raw)
|
||||||
glog.Infof("Mutation from policy %s has applied to %s %s/%s", policy.Name, request.Kind.Kind, namespace, name)
|
glog.Infof("Mutation from policy %s has applied to %s %s/%s", policy.Name, request.Kind.Kind, namespace, name)
|
||||||
}
|
}
|
||||||
|
glog.Info(admissionResult.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
message := "\n" + admissionResult.String()
|
message := "\n" + admissionResult.String()
|
||||||
glog.Info(message)
|
|
||||||
|
|
||||||
if admissionResult.GetReason() == result.Success {
|
if admissionResult.GetReason() == result.Success {
|
||||||
patchType := v1beta1.PatchTypeJSONPatch
|
patchType := v1beta1.PatchTypeJSONPatch
|
||||||
|
@ -183,8 +188,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
|
||||||
|
|
||||||
// HandleValidation handles validating webhook admission request
|
// HandleValidation handles validating webhook admission request
|
||||||
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||||
glog.Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
|
||||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
|
||||||
|
|
||||||
policies, err := ws.policyLister.List(labels.NewSelector())
|
policies, err := ws.policyLister.List(labels.NewSelector())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -194,6 +197,14 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
||||||
|
|
||||||
admissionResult := result.NewAdmissionResult(string(request.UID))
|
admissionResult := result.NewAdmissionResult(string(request.UID))
|
||||||
for _, policy := range policies {
|
for _, policy := range policies {
|
||||||
|
|
||||||
|
if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
glog.V(3).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||||
|
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||||
|
|
||||||
glog.Infof("Validating resource with policy %s with %d rules", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
glog.Infof("Validating resource with policy %s with %d rules", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||||
validationResult := engine.Validate(*policy, request.Object.Raw, request.Kind)
|
validationResult := engine.Validate(*policy, request.Object.Raw, request.Kind)
|
||||||
admissionResult = result.Append(admissionResult, validationResult)
|
admissionResult = result.Append(admissionResult, validationResult)
|
||||||
|
@ -201,10 +212,10 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
||||||
if validationError := validationResult.ToError(); validationError != nil {
|
if validationError := validationResult.ToError(); validationError != nil {
|
||||||
glog.Warningf(validationError.Error())
|
glog.Warningf(validationError.Error())
|
||||||
}
|
}
|
||||||
|
glog.Info(admissionResult.String())
|
||||||
}
|
}
|
||||||
|
|
||||||
message := "\n" + admissionResult.String()
|
message := "\n" + admissionResult.String()
|
||||||
glog.Info(message)
|
|
||||||
|
|
||||||
// Generation loop after all validation succeeded
|
// Generation loop after all validation succeeded
|
||||||
var response *v1beta1.AdmissionResponse
|
var response *v1beta1.AdmissionResponse
|
||||||
|
@ -213,7 +224,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
||||||
for _, policy := range policies {
|
for _, policy := range policies {
|
||||||
engine.Generate(ws.client, *policy, request.Object.Raw, request.Kind)
|
engine.Generate(ws.client, *policy, request.Object.Raw, request.Kind)
|
||||||
}
|
}
|
||||||
glog.Info("Validation is successful")
|
glog.V(3).Info("Validation is successful")
|
||||||
|
|
||||||
response = &v1beta1.AdmissionResponse{
|
response = &v1beta1.AdmissionResponse{
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
|
|
|
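Review bot: The generation loop in the last hunk of this file (`for _, policy := range policies { engine.Generate(...) }`) still runs every policy, while the mutation and validation loops now skip non-matching policies through `getApplicableKindsForPolicy`; unless engine.Generate filters on kind itself, the same guard `if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) { continue }` belongs there too. Moving the `Handling mutation for Kind=...` and `Handling validation for Kind=...` log lines into the per-policy loop means they are now emitted once per applicable policy rather than once per request; if that repetition is unintended, log once before the loop and name the policy inside it. The nearby context line `glog.Warningf(validationError.Error())` uses an error string that can carry resource names as the format string, so `glog.Warning(validationError)` is safer against stray `%` verbs. HandleMutation and HandleValidation both start and end outside these hunks.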
@ -2,6 +2,8 @@ package webhooks
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
|
||||||
)
|
)
|
||||||
|
|
||||||
//StringInSlice checks if string is present in slice of strings
|
//StringInSlice checks if string is present in slice of strings
|
||||||
|
@ -43,3 +45,21 @@ func (i *ArrayFlags) Set(value string) error {
|
||||||
*i = append(*i, value)
|
*i = append(*i, value)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// extract the kinds that the policy rules apply to
|
||||||
|
func getApplicableKindsForPolicy(p *v1alpha1.Policy) []string {
|
||||||
|
kindsMap := map[string]interface{}{}
|
||||||
|
kinds := []string{}
|
||||||
|
// iterate over the rules an identify all kinds
|
||||||
|
for _, rule := range p.Spec.Rules {
|
||||||
|
for _, k := range rule.ResourceDescription.Kinds {
|
||||||
|
kindsMap[k] = nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// get the kinds
|
||||||
|
for k := range kindsMap {
|
||||||
|
kinds = append(kinds, k)
|
||||||
|
}
|
||||||
|
return kinds
|
||||||
|
}
|
||||||
|
|
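Review bot: `getApplicableKindsForPolicy` returns kinds in map-iteration order, so the slice is nondeterministic; that is harmless for the membership test in the callers but belongs in a doc comment, e.g. `// getApplicableKindsForPolicy returns the distinct kinds named by any rule of p; order is unspecified.` Using `map[string]struct{}` with `kindsMap[k] = struct{}{}` and declaring `kinds := make([]string, 0, len(kindsMap))` after the first loop avoids the boxed `interface{}` value and repeated slice growth. The comment `iterate over the rules an identify all kinds` should read `and identify`. The function is also re-evaluated for every policy on every admission request; if the policy set grows, the kind set could be computed once when policies are listed, though the current cost is presumably small.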