mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-29 10:55:05 +00:00
Revert "644 untested prototype changes"
This reverts commit 4021453760.
This commit is contained in:
shravan
parent
4021453760
commit
3b37a61f5d
4 changed files with 17 additions and 35 deletions
|
|
@ -6,6 +6,7 @@ import (
|
|||
"github.com/golang/glog"
|
||||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
||||
"github.com/nirmata/kyverno/pkg/engine/context"
|
||||
"github.com/nirmata/kyverno/pkg/engine/rbac"
|
||||
"github.com/nirmata/kyverno/pkg/engine/response"
|
||||
"github.com/nirmata/kyverno/pkg/engine/utils"
|
||||
"github.com/nirmata/kyverno/pkg/engine/variables"
|
||||
|
|
@ -28,6 +29,9 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission
|
|||
if !rule.HasGenerate() {
|
||||
return nil
|
||||
}
|
||||
if !rbac.MatchAdmissionInfo(rule, admissionInfo) {
|
||||
return nil
|
||||
}
|
||||
if !MatchesResourceDescription(resource, rule) {
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
"github.com/golang/glog"
|
||||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
||||
"github.com/nirmata/kyverno/pkg/engine/mutate"
|
||||
"github.com/nirmata/kyverno/pkg/engine/rbac"
|
||||
"github.com/nirmata/kyverno/pkg/engine/response"
|
||||
"github.com/nirmata/kyverno/pkg/engine/utils"
|
||||
"github.com/nirmata/kyverno/pkg/engine/variables"
|
||||
|
|
@ -56,6 +57,11 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
|
|||
}
|
||||
|
||||
startTime := time.Now()
|
||||
if !rbac.MatchAdmissionInfo(rule, policyContext.AdmissionInfo) {
|
||||
glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
|
||||
rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)
|
||||
continue
|
||||
}
|
||||
glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))
|
||||
|
||||
// check if the resource satisfies the filter conditions defined in the rule
|
||||
|
|
|
|||
|
|
@ -10,6 +10,7 @@ import (
|
|||
"github.com/golang/glog"
|
||||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
||||
"github.com/nirmata/kyverno/pkg/engine/context"
|
||||
"github.com/nirmata/kyverno/pkg/engine/rbac"
|
||||
"github.com/nirmata/kyverno/pkg/engine/response"
|
||||
"github.com/nirmata/kyverno/pkg/engine/utils"
|
||||
"github.com/nirmata/kyverno/pkg/engine/validate"
|
||||
|
|
@ -100,6 +101,12 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r
|
|||
newPathNotPresentRuleResponse(rule.Name, utils.Validation.String(), fmt.Sprintf("path not present: %s", paths)))
|
||||
continue
|
||||
}
|
||||
|
||||
if !rbac.MatchAdmissionInfo(rule, admissionInfo) {
|
||||
glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
|
||||
rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo)
|
||||
continue
|
||||
}
|
||||
glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime))
|
||||
|
||||
// check if the resource satisfies the filter conditions defined in the rule
|
||||
|
|
|
|||
|
|
@ -10,12 +10,6 @@ import (
|
|||
"net/http"
|
||||
"time"
|
||||
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
||||
v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
||||
|
||||
"github.com/nirmata/kyverno/pkg/engine/rbac"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"github.com/nirmata/kyverno/pkg/checker"
|
||||
kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
|
||||
|
|
@ -195,27 +189,6 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
}
|
||||
|
||||
func filterPolicyRulesBasedOnMatchExclude(policies []v1.ClusterPolicy, userRequestInfo v1.RequestInfo, resource unstructured.Unstructured) []v1.ClusterPolicy {
|
||||
var updatedPolcies []v1.ClusterPolicy
|
||||
for _, policy := range policies {
|
||||
var validRules []v1.Rule
|
||||
for _, rule := range policy.Spec.Rules {
|
||||
if !rbac.MatchAdmissionInfo(rule, userRequestInfo) {
|
||||
glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
|
||||
rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), userRequestInfo)
|
||||
continue
|
||||
}
|
||||
validRules = append(validRules, rule)
|
||||
}
|
||||
policy.Spec.Rules = validRules
|
||||
if len(policy.Spec.Rules) > 0 {
|
||||
updatedPolcies = append(updatedPolcies, policy)
|
||||
}
|
||||
}
|
||||
|
||||
return updatedPolcies
|
||||
}
|
||||
|
||||
func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
policies, err := ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace)
|
||||
if err != nil {
|
||||
|
|
@ -261,14 +234,6 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
|
|||
}
|
||||
}
|
||||
|
||||
userRequestInfo := v1.RequestInfo{
|
||||
Roles: roles,
|
||||
ClusterRoles: clusterRoles,
|
||||
AdmissionUserInfo: request.UserInfo,
|
||||
}
|
||||
|
||||
policies = filterPolicyRulesBasedOnMatchExclude(policies, userRequestInfo, resource)
|
||||
|
||||
// MUTATION
|
||||
// mutation failure should not block the resource creation
|
||||
// any mutation failure is reported as the violation
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue