644 untested prototype changes

2025-03-29 10:55:05 +00:00 · 2020-01-30 16:12:26 +05:30 · 2020-01-30 16:12:26 +05:30 · 4021453760
commit 4021453760
parent 3343d73b76
4 changed files with 35 additions and 17 deletions
--- a/pkg/engine/generation.go
+++ b/pkg/engine/generation.go
@ -6,7 +6,6 @@ import (
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
-	"github.com/nirmata/kyverno/pkg/engine/rbac"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
@ -29,9 +28,6 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission
 	if !rule.HasGenerate() {
 		return nil
 	}
-	if !rbac.MatchAdmissionInfo(rule, admissionInfo) {
-		return nil
-	}
 	if !MatchesResourceDescription(resource, rule) {
 		return nil
 	}
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -9,7 +9,6 @@ import (
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/mutate"
-	"github.com/nirmata/kyverno/pkg/engine/rbac"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/engine/variables"
@ -57,11 +56,6 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 		}

 		startTime := time.Now()
-		if !rbac.MatchAdmissionInfo(rule, policyContext.AdmissionInfo) {
-			glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
-				rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)
-			continue
-		}
 		glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))

 		// check if the resource satisfies the filter conditions defined in the rule
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -10,7 +10,6 @@ import (
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/context"
-	"github.com/nirmata/kyverno/pkg/engine/rbac"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	"github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/engine/validate"
@ -101,12 +100,6 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r
 				newPathNotPresentRuleResponse(rule.Name, utils.Validation.String(), fmt.Sprintf("path not present: %s", paths)))
 			continue
 		}
-
-		if !rbac.MatchAdmissionInfo(rule, admissionInfo) {
-			glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
-				rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo)
-			continue
-		}
 		glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime))

 		// check if the resource satisfies the filter conditions defined in the rule
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -10,6 +10,12 @@ import (
 	"net/http"
 	"time"

+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+
+	"github.com/nirmata/kyverno/pkg/engine/rbac"
+
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/checker"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
@ -189,6 +195,27 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func filterPolicyRulesBasedOnMatchExclude(policies []v1.ClusterPolicy, userRequestInfo v1.RequestInfo, resource unstructured.Unstructured) []v1.ClusterPolicy {
+	var updatedPolcies []v1.ClusterPolicy
+	for _, policy := range policies {
+		var validRules []v1.Rule
+		for _, rule := range policy.Spec.Rules {
+			if !rbac.MatchAdmissionInfo(rule, userRequestInfo) {
+				glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
+					rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), userRequestInfo)
+				continue
+			}
+			validRules = append(validRules, rule)
+		}
+		policy.Spec.Rules = validRules
+		if len(policy.Spec.Rules) > 0 {
+			updatedPolcies = append(updatedPolcies, policy)
+		}
+	}
+
+	return updatedPolcies
+}
+
 func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	policies, err := ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace)
 	if err != nil {
@ -234,6 +261,14 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
 		}
 	}

+	userRequestInfo := v1.RequestInfo{
+		Roles:             roles,
+		ClusterRoles:      clusterRoles,
+		AdmissionUserInfo: request.UserInfo,
+	}
+
+	policies = filterPolicyRulesBasedOnMatchExclude(policies, userRequestInfo, resource)
+
 	// MUTATION
 	// mutation failure should not block the resource creation
 	// any mutation failure is reported as the violation