code review corrections
This commit is contained in:
parent
50b0da48a1
commit
39a17911c3
3 changed files with 40 additions and 8 deletions
|
@ -176,6 +176,7 @@ spec:
|
|||
containers:
|
||||
- name: kyverno
|
||||
image: nirmata/kyverno:latest
|
||||
args: ["--filterKind","Nodes,Events,APIService,SubjectAccessReview"]
|
||||
ports:
|
||||
- containerPort: 443
|
||||
securityContext:
|
||||
|
|
|
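Review bot: The new `args:` line passes `Nodes` and `Events` to `--filterKind`, but the server side compares each entry against `admissionReview.Request.Kind.Kind`, which carries the singular Kind name (`Node`, `Event`), so those two kinds would still be processed rather than filtered; the line should read `args: ["--filterKind","Node,Event,APIService,SubjectAccessReview"]`. This also assumes the comma-joined value is split into separate entries somewhere not shown in this diff, since `ArrayFlags.Set` appends the whole string as a single element; if no such split exists, the flag would have to be repeated once per kind (`"--filterKind","Node","--filterKind","Event", …`). Kinds listed here bypass every policy at the webhook, so each entry deserves a short comment in the manifest stating why it is excluded.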
@ -81,6 +81,7 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
|
|||
admissionReview.Response = &v1beta1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
}
|
||||
// Do not process the admission requests for kinds that are in filterKinds for filtering
|
||||
if !StringInSlice(admissionReview.Request.Kind.Kind, ws.filterKinds) {
|
||||
|
||||
switch r.URL.Path {
|
||||
|
@ -135,15 +136,19 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
|
|||
glog.Warning(err)
|
||||
return nil
|
||||
}
|
||||
glog.V(3).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||
|
||||
admissionResult := result.NewAdmissionResult(string(request.UID))
|
||||
var allPatches []engine.PatchBytes
|
||||
for _, policy := range policies {
|
||||
if policy.Kind != request.Kind.Kind {
|
||||
|
||||
// check if policy has a rule for the admission request kind
|
||||
if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {
|
||||
continue
|
||||
}
|
||||
|
||||
glog.V(3).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||
|
||||
glog.Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||
|
||||
policyPatches, mutationResult := engine.Mutate(*policy, request.Object.Raw, request.Kind)
|
||||
|
@ -159,10 +164,10 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
|
|||
name := engine.ParseNameFromObject(request.Object.Raw)
|
||||
glog.Infof("Mutation from policy %s has applied to %s %s/%s", policy.Name, request.Kind.Kind, namespace, name)
|
||||
}
|
||||
glog.Info(admissionResult.String())
|
||||
}
|
||||
|
||||
message := "\n" + admissionResult.String()
|
||||
glog.Info(message)
|
||||
|
||||
if admissionResult.GetReason() == result.Success {
|
||||
patchType := v1beta1.PatchTypeJSONPatch
|
||||
|
@ -183,8 +188,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
|
|||
|
||||
// HandleValidation handles validating webhook admission request
|
||||
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
glog.Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||
|
||||
policies, err := ws.policyLister.List(labels.NewSelector())
|
||||
if err != nil {
|
||||
|
@ -194,6 +197,14 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
|
||||
admissionResult := result.NewAdmissionResult(string(request.UID))
|
||||
for _, policy := range policies {
|
||||
|
||||
if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {
|
||||
continue
|
||||
}
|
||||
|
||||
glog.V(3).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||
|
||||
glog.Infof("Validating resource with policy %s with %d rules", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||
validationResult := engine.Validate(*policy, request.Object.Raw, request.Kind)
|
||||
admissionResult = result.Append(admissionResult, validationResult)
|
||||
|
@ -201,10 +212,10 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
if validationError := validationResult.ToError(); validationError != nil {
|
||||
glog.Warningf(validationError.Error())
|
||||
}
|
||||
glog.Info(admissionResult.String())
|
||||
}
|
||||
|
||||
message := "\n" + admissionResult.String()
|
||||
glog.Info(message)
|
||||
|
||||
// Generation loop after all validation succeeded
|
||||
var response *v1beta1.AdmissionResponse
|
||||
|
@ -213,7 +224,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
for _, policy := range policies {
|
||||
engine.Generate(ws.client, *policy, request.Object.Raw, request.Kind)
|
||||
}
|
||||
glog.Info("Validation is successful")
|
||||
glog.V(3).Info("Validation is successful")
|
||||
|
||||
response = &v1beta1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
|
|
|
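Review bot: In serve(), the new filter check dereferences `admissionReview.Request.Kind.Kind` before anything visible confirms that `Request` is non-nil; an AdmissionReview decoded with an empty `request` field would panic the handler instead of yielding an error response. Unless the decode above the hunk already guards this, add `if admissionReview.Request == nil { http.Error(w, "empty admission request", http.StatusBadRequest); return }` ahead of the filter check. In HandleValidation, `glog.Warningf(validationError.Error())` uses a non-constant format string; the message may embed fields of the admitted object, so any `%` verb in it is interpreted by the formatter — use `glog.Warning(validationError)` instead. The V(3) "Handling mutation"/"Handling validation" lines now sit inside the policy loops and will repeat once per applicable policy; if that is not intended, keep them before the loop. serve(), HandleMutation and HandleValidation all start or end outside the hunks shown.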
@ -2,6 +2,8 @@ package webhooks
|
|||
|
||||
import (
|
||||
"strings"
|
||||
|
||||
"github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
|
||||
)
|
||||
|
||||
//StringInSlice checks if string is present in slice of strings
|
||||
|
@ -43,3 +45,21 @@ func (i *ArrayFlags) Set(value string) error {
|
|||
*i = append(*i, value)
|
||||
return nil
|
||||
}
|
||||
|
||||
// extract the kinds that the policy rules apply to
|
||||
func getApplicableKindsForPolicy(p *v1alpha1.Policy) []string {
|
||||
kindsMap := map[string]interface{}{}
|
||||
kinds := []string{}
|
||||
// iterate over the rules an identify all kinds
|
||||
for _, rule := range p.Spec.Rules {
|
||||
for _, k := range rule.ResourceDescription.Kinds {
|
||||
kindsMap[k] = nil
|
||||
}
|
||||
}
|
||||
|
||||
// get the kinds
|
||||
for k := range kindsMap {
|
||||
kinds = append(kinds, k)
|
||||
}
|
||||
return kinds
|
||||
}
|
||||
|
|
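Review bot: `getApplicableKindsForPolicy` runs once per policy for every admission request and allocates a map plus a slice solely to feed a membership test, and the slice comes out of map iteration in non-deterministic order, which is harmless for `StringInSlice` but would surprise anyone logging or comparing the result. If the function stays in this shape, use the idiomatic set type, `kindsMap := map[string]struct{}{}` and `kindsMap[k] = struct{}{}`, and state the contract in the doc comment: `// getApplicableKindsForPolicy returns the de-duplicated kinds named by any rule of p; the order is not deterministic.` The comment on the first loop has a typo, `an identify` should read `and identify`. Whether `rule.ResourceDescription.Kinds` can be nil or hold duplicates across rules is not visible in the hunk, so the de-duplication is presumably deliberate.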