refactor: add engine utils sub package (#3552)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
parent
bd953cf4fa
commit
3bc0e062f9
6 changed files with 40 additions and 48 deletions
|
@ -87,3 +87,11 @@ func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *v1beta1.A
|
|||
}
|
||||
return r
|
||||
}
|
||||
|
||||
func GetResourceName(request *v1beta1.AdmissionRequest) string {
|
||||
resourceName := request.Kind.Kind + "/" + request.Name
|
||||
if request.Namespace != "" {
|
||||
resourceName = request.Namespace + "/" + resourceName
|
||||
}
|
||||
return resourceName
|
||||
}
|
||||
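Review bot: `GetResourceName` becomes an exported helper in this hunk but carries no doc comment, and its result degenerates to `Kind/` when `request.Name` is empty — which, if I read the admission API right, is the case for CREATE requests that rely on `generateName`. The string is used as the `resource` key in the webhook log lines elsewhere in this commit, so such objects become indistinguishable in the logs; at minimum the contract should be stated so callers know to fall back to the object's generateName if they need uniqueness. I would add `// GetResourceName returns the "namespace/Kind/name" identifier used in admission log entries; the namespace prefix is omitted for cluster-scoped requests, and the name part is empty when the request carries no name (e.g. CREATE with generateName).` The file header for this section is not visible in the page, so the destination package is inferred from the `admissionutils` alias its callers use.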
|
|
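--- /dev/null
+++ b/pkg/utils/engine/response.go
@@ -0,0 +1,21 @@
+package engine
+
+import (
+	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/kyverno/kyverno/pkg/engine/response"
+)
+
+// IsResponseSuccessful return true if all responses are successful
+func IsResponseSuccessful(engineReponses []*response.EngineResponse) bool {
+	for _, er := range engineReponses {
+		if !er.IsSuccessful() {
+			return false
+		}
+	}
+	return true
+}
+
+// CheckEngineResponse return true if engine response is not successful and validation failure action is set to 'enforce'
+func CheckEngineResponse(er *response.EngineResponse) bool {
+	return !er.IsSuccessful() && er.GetValidationFailureAction() == kyverno.Enforce
+}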
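Review bot: `IsResponseSuccessful` returns true for an empty slice, so a caller holding no engine responses treats the request as passing; that is the intended fail-open for "no policy matched", but now that the helper is exported from a shared package on the admission path it should say so rather than leave the next caller to rediscover it. The two doc comments should also be sentences that start with the name (`reports`/`returns`, not `return`), and the parameter is misspelled `engineReponses`. I would write `// IsResponseSuccessful reports whether every response is successful; it returns true for an empty slice, so callers must not use it to detect "no policies evaluated".` and `// CheckEngineResponse reports whether er failed and its policy's validationFailureAction is Enforce, i.e. whether this single response is enough to block the admission request.` None of the six changed files is a test, so this enforce-versus-audit decision point lands in a new package without coverage; a small `response_test.go` exercising an empty slice, an audit failure and an enforce failure would pin the behaviour.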
|
@ -10,6 +10,7 @@ import (
|
|||
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
engineutils2 "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
"github.com/pkg/errors"
|
||||
yamlv2 "gopkg.in/yaml.v2"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
|
@ -17,25 +18,11 @@ import (
|
|||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
// isResponseSuccessful return true if all responses are successful
|
||||
func isResponseSuccessful(engineReponses []*response.EngineResponse) bool {
|
||||
for _, er := range engineReponses {
|
||||
if !er.IsSuccessful() {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
func checkEngineResponse(er *response.EngineResponse) bool {
|
||||
return !er.IsSuccessful() && er.GetValidationFailureAction() == kyverno.Enforce
|
||||
}
|
||||
|
||||
// returns true -> if there is even one policy that blocks resource request
|
||||
// returns false -> if all the policies are meant to report only, we dont block resource request
|
||||
func toBlockResource(engineReponses []*response.EngineResponse, log logr.Logger) bool {
|
||||
for _, er := range engineReponses {
|
||||
if checkEngineResponse(er) {
|
||||
if engineutils2.CheckEngineResponse(er) {
|
||||
log.Info("spec.ValidationFailureAction set to enforce blocking resource request", "policy", er.PolicyResponse.Policy.Name)
|
||||
return true
|
||||
}
|
||||
|
@ -50,7 +37,7 @@ func getEnforceFailureErrorMsg(engineResponses []*response.EngineResponse) strin
|
|||
policyToRule := make(map[string]interface{})
|
||||
var resourceName string
|
||||
for _, er := range engineResponses {
|
||||
if checkEngineResponse(er) {
|
||||
if engineutils2.CheckEngineResponse(er) {
|
||||
ruleToReason := make(map[string]string)
|
||||
for _, rule := range er.PolicyResponse.Rules {
|
||||
if rule.Status != response.RuleStatusPass {
|
||||
|
@ -84,23 +71,6 @@ func getErrorMsg(engineReponses []*response.EngineResponse) string {
|
|||
return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";"))
|
||||
}
|
||||
|
||||
//ArrayFlags to store filterkinds
|
||||
type ArrayFlags []string
|
||||
|
||||
func (i *ArrayFlags) String() string {
|
||||
var sb strings.Builder
|
||||
for _, str := range *i {
|
||||
sb.WriteString(str)
|
||||
}
|
||||
return sb.String()
|
||||
}
|
||||
|
||||
//Set setter for array flags
|
||||
func (i *ArrayFlags) Set(value string) error {
|
||||
*i = append(*i, value)
|
||||
return nil
|
||||
}
|
||||
|
||||
// patchRequest applies patches to the request.Object and returns a new copy of the request
|
||||
func patchRequest(patches []byte, request *v1beta1.AdmissionRequest, logger logr.Logger) *v1beta1.AdmissionRequest {
|
||||
patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
|
||||
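Review bot: the new import alias `engineutils2` in the first hunk sits next to `engineutils` for `pkg/engine/utils`, so two packages whose in-file names differ only by a trailing digit are both in scope, and the same new package is aliased plainly as `engineutils` in the mutation-handler hunk later in this commit — presumably the same `webhooks` package, which makes the inconsistency visible to anyone reading both files. A numbered alias usually signals that two packages should not share a name; short of renaming one of them, an alias that says what it holds reads better, e.g. `engineresponse "github.com/kyverno/kyverno/pkg/utils/engine"` with `engineresponse.CheckEngineResponse(er)` at the two call sites in `toBlockResource` and `getEnforceFailureErrorMsg`. Both of those functions continue outside their hunks, as does `patchRequest` in the last hunk.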
|
|
|
@ -11,6 +11,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"github.com/pkg/errors"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
|
@ -124,7 +125,7 @@ func (ws *WebhookServer) handleMutation(
|
|||
}
|
||||
|
||||
// if any of the policies fails, print out the error
|
||||
if !isResponseSuccessful(engineResponses) {
|
||||
if !engineutils.IsResponseSuccessful(engineResponses) {
|
||||
logger.Error(errors.New(getErrorMsg(engineResponses)), "failed to apply mutation rules on the resource, reporting policy violation")
|
||||
}
|
||||
}()
|
||||
|
|
|
@ -4,14 +4,14 @@ import (
|
|||
"reflect"
|
||||
"time"
|
||||
|
||||
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -38,7 +38,7 @@ func (v *validationHandler) handleValidation(
|
|||
return true, ""
|
||||
}
|
||||
|
||||
resourceName := getResourceName(request)
|
||||
resourceName := admissionutils.GetResourceName(request)
|
||||
logger := v.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind.String())
|
||||
|
||||
var deletionTimeStamp *metav1.Time
|
||||
|
@ -137,15 +137,6 @@ func (v *validationHandler) handleValidation(
|
|||
return true, ""
|
||||
}
|
||||
|
||||
func getResourceName(request *v1beta1.AdmissionRequest) string {
|
||||
resourceName := request.Kind.Kind + "/" + request.Name
|
||||
if request.Namespace != "" {
|
||||
resourceName = request.Namespace + "/" + resourceName
|
||||
}
|
||||
|
||||
return resourceName
|
||||
}
|
||||
|
||||
func buildDeletionPrInfo(oldR unstructured.Unstructured) policyreport.Info {
|
||||
return policyreport.Info{
|
||||
Namespace: oldR.GetNamespace(),
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"k8s.io/api/admission/v1beta1"
|
||||
)
|
||||
|
@ -30,7 +31,7 @@ func (ws *WebhookServer) handleVerifyImages(request *v1beta1.AdmissionRequest,
|
|||
return true, "", nil
|
||||
}
|
||||
|
||||
resourceName := getResourceName(request)
|
||||
resourceName := admissionutils.GetResourceName(request)
|
||||
logger := ws.log.WithValues("action", "verifyImages", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind.String())
|
||||
|
||||
var engineResponses []*response.EngineResponse
|
||||
|
|