From 43811733dc717d16934c8fe13dfe2c03e1cf43ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
<charles.edouard@nirmata.com>
Date: Wed, 29 Mar 2023 19:44:09 +0200
Subject: [PATCH] refactor: remove rules pointer (#6722)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
pkg/engine/background.go | 2 +-
pkg/engine/engine.go | 4 +-
pkg/engine/exceptions.go | 4 +-
.../handlers/mutation/mutate_existing.go | 2 +-
.../handlers/validation/validate_image.go | 10 ++--
.../handlers/validation/validate_manifest.go | 4 +-
.../handlers/validation/validate_resource.go | 46 +++++++++----------
pkg/engine/imageVerify.go | 21 ++++-----
pkg/engine/internal/imageverifier.go | 14 +++---
pkg/engine/internal/response.go | 12 ++---
10 files changed, 57 insertions(+), 62 deletions(-)
diff --git a/pkg/engine/background.go b/pkg/engine/background.go
index 007fa2bb2a..15e1fd5d32 100644
--- a/pkg/engine/background.go
+++ b/pkg/engine/background.go
@@ -129,7 +129,7 @@ func (e *engine) filterRule(
// evaluate pre-conditions
if !variables.EvaluateConditions(logger, ctx, copyConditions) {
logger.V(4).Info("skip rule as preconditions are not met", "rule", ruleCopy.Name)
- return internal.RuleSkip(ruleCopy, ruleType, "")
+ return internal.RuleSkip(*ruleCopy, ruleType, "")
}
// build rule Response
diff --git a/pkg/engine/engine.go b/pkg/engine/engine.go
index 90932a92c4..b388cb8dbb 100644
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@@ -208,10 +208,10 @@ func (e *engine) invokeRuleHandler(
// check preconditions
preconditionsPassed, err := internal.CheckPreconditions(logger, policyContext, rule.GetAnyAllConditions())
if err != nil {
- return resource, handlers.RuleResponses(internal.RuleError(&rule, ruleType, "failed to evaluate preconditions", err))
+ return resource, handlers.RuleResponses(internal.RuleError(rule, ruleType, "failed to evaluate preconditions", err))
}
if !preconditionsPassed {
- return resource, handlers.RuleResponses(internal.RuleSkip(&rule, ruleType, "preconditions not met"))
+ return resource, handlers.RuleResponses(internal.RuleSkip(rule, ruleType, "preconditions not met"))
}
// process handler
return handler.Process(ctx, logger, policyContext, resource, rule)
diff --git a/pkg/engine/exceptions.go b/pkg/engine/exceptions.go
index 78c247ef4d..cd0aad8b6d 100644
--- a/pkg/engine/exceptions.go
+++ b/pkg/engine/exceptions.go
@@ -85,10 +85,10 @@ func (e *engine) hasPolicyExceptions(
key, err := cache.MetaNamespaceKeyFunc(exception)
if err != nil {
logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName())
- response = internal.RuleError(&rule, ruleType, "failed to compute exception key", err)
+ response = internal.RuleError(rule, ruleType, "failed to compute exception key", err)
} else {
logger.V(3).Info("policy rule skipped due to policy exception", "exception", key)
- response = internal.RuleSkip(&rule, ruleType, "rule skipped due to policy exception "+key)
+ response = internal.RuleSkip(rule, ruleType, "rule skipped due to policy exception "+key)
response.Exception = exception
}
}
diff --git a/pkg/engine/handlers/mutation/mutate_existing.go b/pkg/engine/handlers/mutation/mutate_existing.go
index 5d202b8c11..409afefb71 100644
--- a/pkg/engine/handlers/mutation/mutate_existing.go
+++ b/pkg/engine/handlers/mutation/mutate_existing.go
@@ -42,7 +42,7 @@ func (h mutateExistingHandler) Process(
var patchedResources []resourceInfo
targets, err := loadTargets(h.client, rule.Mutation.Targets, policyContext, logger)
if err != nil {
- rr := internal.RuleError(&rule, engineapi.Mutation, "", err)
+ rr := internal.RuleError(rule, engineapi.Mutation, "", err)
responses = append(responses, *rr)
} else {
patchedResources = append(patchedResources, targets...)
diff --git a/pkg/engine/handlers/validation/validate_image.go b/pkg/engine/handlers/validation/validate_image.go
index 1359e8803c..0712b61bed 100644
--- a/pkg/engine/handlers/validation/validate_image.go
+++ b/pkg/engine/handlers/validation/validate_image.go
@@ -44,21 +44,21 @@ func (h validateImageHandler) Process(
h.configuration,
)
if err != nil {
- return resource, handlers.RuleResponses(internal.RuleError(&rule, engineapi.Validation, "", err))
+ return resource, handlers.RuleResponses(internal.RuleError(rule, engineapi.Validation, "", err))
}
if len(matchingImages) == 0 {
- return resource, handlers.RuleResponses(internal.RuleSkip(&rule, engineapi.Validation, "image verified"))
+ return resource, handlers.RuleResponses(internal.RuleSkip(rule, engineapi.Validation, "image verified"))
}
preconditionsPassed, err := internal.CheckPreconditions(logger, policyContext, rule.RawAnyAllConditions)
if err != nil {
- return resource, handlers.RuleResponses(internal.RuleError(&rule, engineapi.Validation, "failed to evaluate preconditions", err))
+ return resource, handlers.RuleResponses(internal.RuleError(rule, engineapi.Validation, "failed to evaluate preconditions", err))
}
if !preconditionsPassed {
if policyContext.Policy().GetSpec().ValidationFailureAction.Audit() {
return resource, nil
}
- return resource, handlers.RuleResponses(internal.RuleSkip(&rule, engineapi.Validation, "preconditions not met"))
+ return resource, handlers.RuleResponses(internal.RuleSkip(rule, engineapi.Validation, "preconditions not met"))
}
for _, v := range rule.VerifyImages {
imageVerify := v.Convert()
@@ -79,7 +79,7 @@ func (h validateImageHandler) Process(
}
}
logger.V(4).Info("validated image", "rule", rule.Name)
- return resource, handlers.RuleResponses(internal.RulePass(&rule, engineapi.Validation, "image verified"))
+ return resource, handlers.RuleResponses(internal.RulePass(rule, engineapi.Validation, "image verified"))
}
func validateImage(ctx engineapi.PolicyContext, imageVerify *kyvernov1.ImageVerification, name string, imageInfo apiutils.ImageInfo, log logr.Logger) error {
diff --git a/pkg/engine/handlers/validation/validate_manifest.go b/pkg/engine/handlers/validation/validate_manifest.go
index d263fad886..f43087e73f 100644
--- a/pkg/engine/handlers/validation/validate_manifest.go
+++ b/pkg/engine/handlers/validation/validate_manifest.go
@@ -57,13 +57,13 @@ func (h validateManifestHandler) Process(
verified, reason, err := h.verifyManifest(ctx, logger, policyContext, *rule.Validation.Manifests)
if err != nil {
logger.V(3).Info("verifyManifest return err", "error", err.Error())
- return resource, handlers.RuleResponses(internal.RuleError(&rule, engineapi.Validation, "error occurred during manifest verification", err))
+ return resource, handlers.RuleResponses(internal.RuleError(rule, engineapi.Validation, "error occurred during manifest verification", err))
}
logger.V(3).Info("verifyManifest result", "verified", strconv.FormatBool(verified), "reason", reason)
if !verified {
return resource, handlers.RuleResponses(internal.RuleResponse(rule, engineapi.Validation, reason, engineapi.RuleStatusFail))
}
- return resource, handlers.RuleResponses(internal.RulePass(&rule, engineapi.Validation, reason))
+ return resource, handlers.RuleResponses(internal.RulePass(rule, engineapi.Validation, reason))
}
func (h validateManifestHandler) verifyManifest(
diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go
index 61a2b1b632..659a70d90d 100644
--- a/pkg/engine/handlers/validation/validate_resource.go
+++ b/pkg/engine/handlers/validation/validate_resource.go
@@ -47,14 +47,14 @@ func (h validateResourceHandler) Process(
) (unstructured.Unstructured, []engineapi.RuleResponse) {
policy := policyContext.Policy()
contextLoader := h.contextLoader(policy, rule)
- v := newValidator(logger, contextLoader, policyContext, &rule)
+ v := newValidator(logger, contextLoader, policyContext, rule)
return resource, handlers.RuleResponses(v.validate(ctx))
}
type validator struct {
log logr.Logger
policyContext engineapi.PolicyContext
- rule *kyvernov1.Rule
+ rule kyvernov1.Rule
contextEntries []kyvernov1.ContextEntry
anyAllConditions apiextensions.JSON
pattern apiextensions.JSON
@@ -66,20 +66,19 @@ type validator struct {
nesting int
}
-func newValidator(log logr.Logger, contextLoader engineapi.EngineContextLoader, ctx engineapi.PolicyContext, rule *kyvernov1.Rule) *validator {
- ruleCopy := rule.DeepCopy()
+func newValidator(log logr.Logger, contextLoader engineapi.EngineContextLoader, ctx engineapi.PolicyContext, rule kyvernov1.Rule) *validator {
return &validator{
log: log,
- rule: ruleCopy,
+ rule: rule,
policyContext: ctx,
contextLoader: contextLoader,
- contextEntries: ruleCopy.Context,
- anyAllConditions: ruleCopy.GetAnyAllConditions(),
- pattern: ruleCopy.Validation.GetPattern(),
- anyPattern: ruleCopy.Validation.GetAnyPattern(),
- deny: ruleCopy.Validation.Deny,
- podSecurity: ruleCopy.Validation.PodSecurity,
- forEach: ruleCopy.Validation.ForEachValidation,
+ contextEntries: rule.Context,
+ anyAllConditions: rule.GetAnyAllConditions(),
+ pattern: rule.Validation.GetPattern(),
+ anyPattern: rule.Validation.GetAnyPattern(),
+ deny: rule.Validation.Deny,
+ podSecurity: rule.Validation.PodSecurity,
+ forEach: rule.Validation.ForEachValidation,
}
}
@@ -87,11 +86,10 @@ func newForEachValidator(
foreach kyvernov1.ForEachValidation,
contextLoader engineapi.EngineContextLoader,
nesting int,
- rule *kyvernov1.Rule,
+ rule kyvernov1.Rule,
ctx engineapi.PolicyContext,
log logr.Logger,
) (*validator, error) {
- ruleCopy := rule.DeepCopy()
anyAllConditions, err := datautils.ToMap(foreach.AnyAllConditions)
if err != nil {
return nil, fmt.Errorf("failed to convert ruleCopy.Validation.ForEachValidation.AnyAllConditions: %w", err)
@@ -105,7 +103,7 @@ func newForEachValidator(
return &validator{
log: log,
policyContext: ctx,
- rule: ruleCopy,
+ rule: rule,
contextLoader: contextLoader,
contextEntries: foreach.Context,
anyAllConditions: anyAllConditions,
@@ -219,10 +217,10 @@ func (v *validator) validateElements(ctx context.Context, foreach kyvernov1.ForE
continue
}
msg := fmt.Sprintf("validation failure: %v", r.Message)
- return internal.RuleResponse(*v.rule, engineapi.Validation, msg, r.Status), applyCount
+ return internal.RuleResponse(v.rule, engineapi.Validation, msg, r.Status), applyCount
}
msg := fmt.Sprintf("validation failure: %v", r.Message)
- return internal.RuleResponse(*v.rule, engineapi.Validation, msg, r.Status), applyCount
+ return internal.RuleResponse(v.rule, engineapi.Validation, msg, r.Status), applyCount
}
applyCount++
@@ -250,7 +248,7 @@ func (v *validator) validateDeny() *engineapi.RuleResponse {
return internal.RuleError(v.rule, engineapi.Validation, "failed to check deny preconditions", err)
} else {
if deny {
- return internal.RuleResponse(*v.rule, engineapi.Validation, v.getDenyMessage(deny), engineapi.RuleStatusFail)
+ return internal.RuleResponse(v.rule, engineapi.Validation, v.getDenyMessage(deny), engineapi.RuleStatusFail)
}
return internal.RulePass(v.rule, engineapi.Validation, v.getDenyMessage(deny))
}
@@ -357,7 +355,7 @@ func (v *validator) validatePodSecurity() *engineapi.RuleResponse {
return rspn
} else {
msg := fmt.Sprintf(`Validation rule '%s' failed. It violates PodSecurity "%s:%s": %s`, v.rule.Name, v.podSecurity.Level, v.podSecurity.Version, pss.FormatChecksPrint(pssChecks))
- rspn := internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusFail)
+ rspn := internal.RuleResponse(v.rule, engineapi.Validation, msg, engineapi.RuleStatusFail)
rspn.PodSecurityChecks = podSecurityChecks
return rspn
}
@@ -389,13 +387,13 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *engine
}
if pe.Path == "" {
- return internal.RuleResponse(*v.rule, engineapi.Validation, v.buildErrorMessage(err, ""), engineapi.RuleStatusError)
+ return internal.RuleResponse(v.rule, engineapi.Validation, v.buildErrorMessage(err, ""), engineapi.RuleStatusError)
}
- return internal.RuleResponse(*v.rule, engineapi.Validation, v.buildErrorMessage(err, pe.Path), engineapi.RuleStatusFail)
+ return internal.RuleResponse(v.rule, engineapi.Validation, v.buildErrorMessage(err, pe.Path), engineapi.RuleStatusFail)
}
- return internal.RuleResponse(*v.rule, engineapi.Validation, v.buildErrorMessage(err, pe.Path), engineapi.RuleStatusError)
+ return internal.RuleResponse(v.rule, engineapi.Validation, v.buildErrorMessage(err, pe.Path), engineapi.RuleStatusError)
}
v.log.V(4).Info("successfully processed rule")
@@ -454,7 +452,7 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *engine
v.log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", v.rule.Name, errorStr))
msg := buildAnyPatternErrorMessage(v.rule, errorStr)
- return internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusFail)
+ return internal.RuleResponse(v.rule, engineapi.Validation, msg, engineapi.RuleStatusFail)
}
}
@@ -504,7 +502,7 @@ func (v *validator) buildErrorMessage(err error, path string) string {
}
}
-func buildAnyPatternErrorMessage(rule *kyvernov1.Rule, errors []string) string {
+func buildAnyPatternErrorMessage(rule kyvernov1.Rule, errors []string) string {
errStr := strings.Join(errors, " ")
if rule.Validation.Message == "" {
return fmt.Sprintf("validation error: %s", errStr)
diff --git a/pkg/engine/imageVerify.go b/pkg/engine/imageVerify.go
index 165a704212..fc62c06ee6 100644
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@@ -40,12 +40,9 @@ func (e *engine) verifyAndPatchImages(
defer policyContext.JSONContext().Restore()
ivm := engineapi.ImageVerificationMetadata{}
- rules := autogen.ComputeRules(policyContext.Policy())
applyRules := policy.GetSpec().GetApplyRules()
- for i := range rules {
- rule := &rules[i]
-
+ for _, rule := range autogen.ComputeRules(policyContext.Policy()) {
tracing.ChildSpan(
ctx,
"pkg/engine",
@@ -67,7 +64,7 @@ func (e *engine) doVerifyAndPatch(
ctx context.Context,
logger logr.Logger,
policyContext engineapi.PolicyContext,
- rule *kyvernov1.Rule,
+ rule kyvernov1.Rule,
resp *engineapi.EngineResponse,
ivm *engineapi.ImageVerificationMetadata,
) {
@@ -75,15 +72,15 @@ func (e *engine) doVerifyAndPatch(
return
}
startTime := time.Now()
- logger = internal.LoggerWithRule(logger, *rule)
+ logger = internal.LoggerWithRule(logger, rule)
- if err := matches(*rule, policyContext, policyContext.NewResource()); err != nil {
+ if err := matches(rule, policyContext, policyContext.NewResource()); err != nil {
logger.V(5).Info("resource does not match rule", "reason", err.Error())
return
}
// check if there is a corresponding policy exception
- ruleResp := e.hasPolicyExceptions(logger, engineapi.ImageVerify, policyContext, *rule)
+ ruleResp := e.hasPolicyExceptions(logger, engineapi.ImageVerify, policyContext, rule)
if ruleResp != nil {
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
return
@@ -94,7 +91,7 @@ func (e *engine) doVerifyAndPatch(
ruleImages, imageRefs, err := engineutils.ExtractMatchingImages(
policyContext.NewResource(),
policyContext.JSONContext(),
- *rule,
+ rule,
e.configuration,
)
if err != nil {
@@ -118,7 +115,7 @@ func (e *engine) doVerifyAndPatch(
return
}
policyContext.JSONContext().Restore()
- if err := internal.LoadContext(ctx, e, policyContext, *rule); err != nil {
+ if err := internal.LoadContext(ctx, e, policyContext, rule); err != nil {
internal.AddRuleResponse(
&resp.PolicyResponse,
internal.RuleError(rule, engineapi.ImageVerify, "failed to load context", err),
@@ -126,7 +123,7 @@ func (e *engine) doVerifyAndPatch(
)
return
}
- ruleCopy, err := substituteVariables(rule, policyContext.JSONContext(), logger)
+ ruleCopy, err := substituteVariables(&rule, policyContext.JSONContext(), logger)
if err != nil {
internal.AddRuleResponse(
&resp.PolicyResponse,
@@ -139,7 +136,7 @@ func (e *engine) doVerifyAndPatch(
logger,
e.rclient,
policyContext,
- ruleCopy,
+ *ruleCopy,
ivm,
)
for _, imageVerify := range ruleCopy.VerifyImages {
diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go
index 3a3697a8a3..136f204e1f 100644
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@@ -29,7 +29,7 @@ type ImageVerifier struct {
logger logr.Logger
rclient registryclient.Client
policyContext engineapi.PolicyContext
- rule *kyvernov1.Rule
+ rule kyvernov1.Rule
ivm *engineapi.ImageVerificationMetadata
}
@@ -37,7 +37,7 @@ func NewImageVerifier(
logger logr.Logger,
rclient registryclient.Client,
policyContext engineapi.PolicyContext,
- rule *kyvernov1.Rule,
+ rule kyvernov1.Rule,
ivm *engineapi.ImageVerificationMetadata,
) *ImageVerifier {
return &ImageVerifier{
@@ -197,7 +197,7 @@ func (iv *ImageVerifier) Verify(
if HasImageVerifiedAnnotationChanged(iv.policyContext, iv.logger) {
msg := engineapi.ImageVerifyAnnotationKey + " annotation cannot be changed"
iv.logger.Info("image verification error", "reason", msg)
- responses = append(responses, RuleResponse(*iv.rule, engineapi.ImageVerify, msg, engineapi.RuleStatusFail))
+ responses = append(responses, RuleResponse(iv.rule, engineapi.ImageVerify, msg, engineapi.RuleStatusFail))
continue
}
@@ -312,7 +312,7 @@ func (iv *ImageVerifier) handleRegistryErrors(image string, err error) *engineap
if errors.As(err, &netErr) {
return RuleError(iv.rule, engineapi.ImageVerify, fmt.Sprintf("failed to verify image %s", image), err)
}
- return RuleResponse(*iv.rule, engineapi.ImageVerify, msg, engineapi.RuleStatusFail)
+ return RuleResponse(iv.rule, engineapi.ImageVerify, msg, engineapi.RuleStatusFail)
}
func (iv *ImageVerifier) verifyAttestations(
@@ -326,7 +326,7 @@ func (iv *ImageVerifier) verifyAttestations(
path := fmt.Sprintf(".attestations[%d]", i)
if attestation.PredicateType == "" {
- return RuleResponse(*iv.rule, engineapi.ImageVerify, path+": missing predicateType", engineapi.RuleStatusFail), ""
+ return RuleResponse(iv.rule, engineapi.ImageVerify, path+": missing predicateType", engineapi.RuleStatusFail), ""
}
if len(attestation.Attestors) == 0 {
@@ -356,7 +356,7 @@ func (iv *ImageVerifier) verifyAttestations(
attestationError = iv.verifyAttestation(cosignResp.Statements, attestation, imageInfo)
if attestationError != nil {
attestationError = fmt.Errorf("%s: %w", entryPath+subPath, attestationError)
- return RuleResponse(*iv.rule, engineapi.ImageVerify, attestationError.Error(), engineapi.RuleStatusFail), ""
+ return RuleResponse(iv.rule, engineapi.ImageVerify, attestationError.Error(), engineapi.RuleStatusFail), ""
}
verifiedCount++
@@ -368,7 +368,7 @@ func (iv *ImageVerifier) verifyAttestations(
if verifiedCount < requiredCount {
msg := fmt.Sprintf("image attestations verification failed, verifiedCount: %v, requiredCount: %v", verifiedCount, requiredCount)
- return RuleResponse(*iv.rule, engineapi.ImageVerify, msg, engineapi.RuleStatusFail), ""
+ return RuleResponse(iv.rule, engineapi.ImageVerify, msg, engineapi.RuleStatusFail), ""
}
}
diff --git a/pkg/engine/internal/response.go b/pkg/engine/internal/response.go
index 7c9a9d8828..1f02e7491a 100644
--- a/pkg/engine/internal/response.go
+++ b/pkg/engine/internal/response.go
@@ -8,16 +8,16 @@ import (
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
)
-func RuleError(rule *kyvernov1.Rule, ruleType engineapi.RuleType, msg string, err error) *engineapi.RuleResponse {
- return RuleResponse(*rule, ruleType, fmt.Sprintf("%s: %s", msg, err.Error()), engineapi.RuleStatusError)
+func RuleError(rule kyvernov1.Rule, ruleType engineapi.RuleType, msg string, err error) *engineapi.RuleResponse {
+ return RuleResponse(rule, ruleType, fmt.Sprintf("%s: %s", msg, err.Error()), engineapi.RuleStatusError)
}
-func RuleSkip(rule *kyvernov1.Rule, ruleType engineapi.RuleType, msg string) *engineapi.RuleResponse {
- return RuleResponse(*rule, ruleType, msg, engineapi.RuleStatusSkip)
+func RuleSkip(rule kyvernov1.Rule, ruleType engineapi.RuleType, msg string) *engineapi.RuleResponse {
+ return RuleResponse(rule, ruleType, msg, engineapi.RuleStatusSkip)
}
-func RulePass(rule *kyvernov1.Rule, ruleType engineapi.RuleType, msg string) *engineapi.RuleResponse {
- return RuleResponse(*rule, ruleType, msg, engineapi.RuleStatusPass)
+func RulePass(rule kyvernov1.Rule, ruleType engineapi.RuleType, msg string) *engineapi.RuleResponse {
+ return RuleResponse(rule, ruleType, msg, engineapi.RuleStatusPass)
}
func RuleResponse(rule kyvernov1.Rule, ruleType engineapi.RuleType, msg string, status engineapi.RuleStatus) *engineapi.RuleResponse {