refactor: add engine utils sub package (#3552)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
parent
bd953cf4fa
commit
3bc0e062f9
6 changed files with 40 additions and 48 deletions
|
@ -87,3 +87,11 @@ func ResponseSuccessWithPatch(allowed bool, msg string, patch []byte) *v1beta1.A
|
||||||
}
|
}
|
||||||
return r
|
return r
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func GetResourceName(request *v1beta1.AdmissionRequest) string {
|
||||||
|
resourceName := request.Kind.Kind + "/" + request.Name
|
||||||
|
if request.Namespace != "" {
|
||||||
|
resourceName = request.Namespace + "/" + resourceName
|
||||||
|
}
|
||||||
|
return resourceName
|
||||||
|
}
|
||||||
|
|
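--- a/pkg/utils/engine/response.go
+++ b/pkg/utils/engine/response.go
@@ -0,0 +1,21 @@
+package engine
+
+import (
+	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/kyverno/kyverno/pkg/engine/response"
+)
+
+// IsResponseSuccessful return true if all responses are successful
+func IsResponseSuccessful(engineReponses []*response.EngineResponse) bool {
+	for _, er := range engineReponses {
+		if !er.IsSuccessful() {
+			return false
+		}
+	}
+	return true
+}
+
+// CheckEngineResponse return true if engine response is not successful and validation failure action is set to 'enforce'
+func CheckEngineResponse(er *response.EngineResponse) bool {
+	return !er.IsSuccessful() && er.GetValidationFailureAction() == kyverno.Enforce
+}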
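Review bot: The doc comments on the two newly exported helpers do not describe the contract callers will now depend on: IsResponseSuccessful returns true for an empty slice (the loop body never runs), and CheckEngineResponse is the gate that decides whether a failed policy blocks the admission request, which neither its name nor its comment says. Since these are the enforce-vs-audit decision points used by the webhook paths, I would document them as full sentences: `// IsResponseSuccessful reports whether every engine response is successful; it returns true for an empty slice.` and `// CheckEngineResponse reports whether er is unsuccessful and its validationFailureAction is Enforce, i.e. whether the request must be blocked rather than only reported.`. The parameter name `engineReponses` (carried over from the removed private helper) is misspelled and should become `engineResponses`. Both functions dereference the elements without a nil check; if a nil *EngineResponse can appear in the slice, that presumably panics — worth confirming against the producers.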
@ -10,6 +10,7 @@ import (
|
||||||
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||||
|
engineutils2 "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
yamlv2 "gopkg.in/yaml.v2"
|
yamlv2 "gopkg.in/yaml.v2"
|
||||||
"k8s.io/api/admission/v1beta1"
|
"k8s.io/api/admission/v1beta1"
|
||||||
|
@ -17,25 +18,11 @@ import (
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
)
|
)
|
||||||
|
|
||||||
// isResponseSuccessful return true if all responses are successful
|
|
||||||
func isResponseSuccessful(engineReponses []*response.EngineResponse) bool {
|
|
||||||
for _, er := range engineReponses {
|
|
||||||
if !er.IsSuccessful() {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
|
|
||||||
func checkEngineResponse(er *response.EngineResponse) bool {
|
|
||||||
return !er.IsSuccessful() && er.GetValidationFailureAction() == kyverno.Enforce
|
|
||||||
}
|
|
||||||
|
|
||||||
// returns true -> if there is even one policy that blocks resource request
|
// returns true -> if there is even one policy that blocks resource request
|
||||||
// returns false -> if all the policies are meant to report only, we dont block resource request
|
// returns false -> if all the policies are meant to report only, we dont block resource request
|
||||||
func toBlockResource(engineReponses []*response.EngineResponse, log logr.Logger) bool {
|
func toBlockResource(engineReponses []*response.EngineResponse, log logr.Logger) bool {
|
||||||
for _, er := range engineReponses {
|
for _, er := range engineReponses {
|
||||||
if checkEngineResponse(er) {
|
if engineutils2.CheckEngineResponse(er) {
|
||||||
log.Info("spec.ValidationFailureAction set to enforce blocking resource request", "policy", er.PolicyResponse.Policy.Name)
|
log.Info("spec.ValidationFailureAction set to enforce blocking resource request", "policy", er.PolicyResponse.Policy.Name)
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
@ -50,7 +37,7 @@ func getEnforceFailureErrorMsg(engineResponses []*response.EngineResponse) strin
|
||||||
policyToRule := make(map[string]interface{})
|
policyToRule := make(map[string]interface{})
|
||||||
var resourceName string
|
var resourceName string
|
||||||
for _, er := range engineResponses {
|
for _, er := range engineResponses {
|
||||||
if checkEngineResponse(er) {
|
if engineutils2.CheckEngineResponse(er) {
|
||||||
ruleToReason := make(map[string]string)
|
ruleToReason := make(map[string]string)
|
||||||
for _, rule := range er.PolicyResponse.Rules {
|
for _, rule := range er.PolicyResponse.Rules {
|
||||||
if rule.Status != response.RuleStatusPass {
|
if rule.Status != response.RuleStatusPass {
|
||||||
|
@ -84,23 +71,6 @@ func getErrorMsg(engineReponses []*response.EngineResponse) string {
|
||||||
return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";"))
|
return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";"))
|
||||||
}
|
}
|
||||||
|
|
||||||
//ArrayFlags to store filterkinds
|
|
||||||
type ArrayFlags []string
|
|
||||||
|
|
||||||
func (i *ArrayFlags) String() string {
|
|
||||||
var sb strings.Builder
|
|
||||||
for _, str := range *i {
|
|
||||||
sb.WriteString(str)
|
|
||||||
}
|
|
||||||
return sb.String()
|
|
||||||
}
|
|
||||||
|
|
||||||
//Set setter for array flags
|
|
||||||
func (i *ArrayFlags) Set(value string) error {
|
|
||||||
*i = append(*i, value)
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// patchRequest applies patches to the request.Object and returns a new copy of the request
|
// patchRequest applies patches to the request.Object and returns a new copy of the request
|
||||||
func patchRequest(patches []byte, request *v1beta1.AdmissionRequest, logger logr.Logger) *v1beta1.AdmissionRequest {
|
func patchRequest(patches []byte, request *v1beta1.AdmissionRequest, logger logr.Logger) *v1beta1.AdmissionRequest {
|
||||||
patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
|
patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
|
||||||
|
|
|
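Review bot: The new package is imported as `engineutils2` here because `engineutils` is already taken by `pkg/engine/utils` in the same file, while the mutation handler in the same webhooks package imports the very same `pkg/utils/engine` as `engineutils`; the same package now has two different local names in sibling files, which will confuse readers and grep. A single, distinct alias for the new package used consistently across the package would avoid the numeric suffix, e.g. `engineresponse "github.com/kyverno/kyverno/pkg/utils/engine"` in both this file and the mutation handler, with the call sites becoming `engineresponse.CheckEngineResponse(er)` and `engineresponse.IsResponseSuccessful(engineResponses)`. The root cause is that the new package's path element `engine` collides with the existing `pkg/engine`; naming the package after what it holds would remove the need for aliases altogether. The enclosing functions toBlockResource and getEnforceFailureErrorMsg continue outside their hunks.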
@ -11,6 +11,7 @@ import (
|
||||||
"github.com/kyverno/kyverno/pkg/engine"
|
"github.com/kyverno/kyverno/pkg/engine"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||||
"github.com/kyverno/kyverno/pkg/utils"
|
"github.com/kyverno/kyverno/pkg/utils"
|
||||||
|
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"k8s.io/api/admission/v1beta1"
|
"k8s.io/api/admission/v1beta1"
|
||||||
|
@ -124,7 +125,7 @@ func (ws *WebhookServer) handleMutation(
|
||||||
}
|
}
|
||||||
|
|
||||||
// if any of the policies fails, print out the error
|
// if any of the policies fails, print out the error
|
||||||
if !isResponseSuccessful(engineResponses) {
|
if !engineutils.IsResponseSuccessful(engineResponses) {
|
||||||
logger.Error(errors.New(getErrorMsg(engineResponses)), "failed to apply mutation rules on the resource, reporting policy violation")
|
logger.Error(errors.New(getErrorMsg(engineResponses)), "failed to apply mutation rules on the resource, reporting policy violation")
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
|
@ -4,14 +4,14 @@ import (
|
||||||
"reflect"
|
"reflect"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
||||||
"github.com/kyverno/kyverno/pkg/event"
|
|
||||||
|
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
|
v1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
"github.com/kyverno/kyverno/pkg/engine"
|
"github.com/kyverno/kyverno/pkg/engine"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||||
|
"github.com/kyverno/kyverno/pkg/event"
|
||||||
"github.com/kyverno/kyverno/pkg/metrics"
|
"github.com/kyverno/kyverno/pkg/metrics"
|
||||||
"github.com/kyverno/kyverno/pkg/policyreport"
|
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||||
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||||
|
@ -38,7 +38,7 @@ func (v *validationHandler) handleValidation(
|
||||||
return true, ""
|
return true, ""
|
||||||
}
|
}
|
||||||
|
|
||||||
resourceName := getResourceName(request)
|
resourceName := admissionutils.GetResourceName(request)
|
||||||
logger := v.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind.String())
|
logger := v.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind.String())
|
||||||
|
|
||||||
var deletionTimeStamp *metav1.Time
|
var deletionTimeStamp *metav1.Time
|
||||||
|
@ -137,15 +137,6 @@ func (v *validationHandler) handleValidation(
|
||||||
return true, ""
|
return true, ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func getResourceName(request *v1beta1.AdmissionRequest) string {
|
|
||||||
resourceName := request.Kind.Kind + "/" + request.Name
|
|
||||||
if request.Namespace != "" {
|
|
||||||
resourceName = request.Namespace + "/" + resourceName
|
|
||||||
}
|
|
||||||
|
|
||||||
return resourceName
|
|
||||||
}
|
|
||||||
|
|
||||||
func buildDeletionPrInfo(oldR unstructured.Unstructured) policyreport.Info {
|
func buildDeletionPrInfo(oldR unstructured.Unstructured) policyreport.Info {
|
||||||
return policyreport.Info{
|
return policyreport.Info{
|
||||||
Namespace: oldR.GetNamespace(),
|
Namespace: oldR.GetNamespace(),
|
||||||
|
|
|
@ -8,6 +8,7 @@ import (
|
||||||
"github.com/kyverno/kyverno/pkg/engine"
|
"github.com/kyverno/kyverno/pkg/engine"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||||
"github.com/kyverno/kyverno/pkg/policyreport"
|
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||||
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||||
"k8s.io/api/admission/v1beta1"
|
"k8s.io/api/admission/v1beta1"
|
||||||
)
|
)
|
||||||
|
@ -30,7 +31,7 @@ func (ws *WebhookServer) handleVerifyImages(request *v1beta1.AdmissionRequest,
|
||||||
return true, "", nil
|
return true, "", nil
|
||||||
}
|
}
|
||||||
|
|
||||||
resourceName := getResourceName(request)
|
resourceName := admissionutils.GetResourceName(request)
|
||||||
logger := ws.log.WithValues("action", "verifyImages", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind.String())
|
logger := ws.log.WithValues("action", "verifyImages", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind.String())
|
||||||
|
|
||||||
var engineResponses []*response.EngineResponse
|
var engineResponses []*response.EngineResponse
|
||||||
|
|