Merge branch 'NK-22_Refactoring'

2025-03-31 03:45:17 +00:00 · 2019-03-01 18:02:48 +02:00 · 2019-03-01 18:02:48 +02:00 · 43a6ec1abf
commit 43a6ec1abf
parent c3b903a94b d593fe1a92
13 changed files with 669 additions and 571 deletions
--- a/crd/sample-policy.yaml
+++ b/crd/sample-policy.yaml
@ -1,4 +1,4 @@
-apiVersion: nirmata.io/v1alpha1
+apiVersion: policy.nirmata.io/v1alpha1
 kind: Policy
 metadata:
  name: hello-policy
--- a/crd/selector-policy.yaml
+++ b/crd/selector-policy.yaml
@ -1,4 +1,4 @@
-apiVersion: nirmata.io/v1alpha1
+apiVersion: policy.nirmata.io/v1alpha1
 kind : Policy
 metadata:
  name: selector-policy
--- a/pkg/apis/policy/v1alpha1/types.go
+++ b/pkg/apis/policy/v1alpha1/types.go
@ -33,7 +33,7 @@ type PolicyRule struct {
 type PolicyResource struct {
    Kind     string                `json:"kind"`
    Name     *string               `json:"name"`
-	Selector metav1.LabelSelector `json:"selector,omitempty"`
+    Selector *metav1.LabelSelector `json:"selector,omitempty"`
 }

 // PolicyPatch is TODO
--- a/webhooks/admission.go
+++ b/webhooks/admission.go
@ -1,11 +1,12 @@
 package webhooks

 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/api/admission/v1beta1"
    "encoding/json"
+
+    types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
+    "k8s.io/api/admission/v1beta1"
+    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+    "k8s.io/apimachinery/pkg/labels"
 )

 var supportedKinds = [...]string{
@ -59,7 +60,7 @@ func IsRuleApplicableToRequest(policyResource types.PolicyResource, request *v1b
        meta := parseMetadataFromObject(request.Object.Raw)
        name := parseNameFromMetadata(meta)

-		if (policyResource.Name != nil && *policyResource.Name != name) {
+        if policyResource.Name != nil && *policyResource.Name != name {
            return false
        }

--- a/webhooks/admission_test.go
+++ b/webhooks/admission_test.go
@ -51,12 +51,12 @@ func TestAdmissionIsRequired(t *testing.T) {

 func TestIsRuleResourceFitsRequest_Kind(t *testing.T) {
    resourceName := "test-config-map"
-	resource := types.PolicyResource {
+    resource := types.PolicyResource{
        Kind: "ConfigMap",
        Name: &resourceName,
    }
-	request := v1beta1.AdmissionRequest {
-		Kind: metav1.GroupVersionKind{ Kind: "ConfigMap" },
+    request := v1beta1.AdmissionRequest{
+        Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
    }

    objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
@ -69,7 +69,7 @@ func TestIsRuleResourceFitsRequest_Kind(t *testing.T) {

 func TestIsRuleResourceFitsRequest_Name(t *testing.T) {
    resourceName := "test-config-map"
-	resource := types.PolicyResource {
+    resource := types.PolicyResource{
        Kind: "ConfigMap",
        Name: &resourceName,
    }
@ -92,13 +92,54 @@ func TestIsRuleResourceFitsRequest_Name(t *testing.T) {
    assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))
 }

-func TestIsRuleResourceFitsRequest_Selector(t *testing.T) {
-	resource := types.PolicyResource {
+func TestIsRuleResourceFitsRequest_MatchExpressions(t *testing.T) {
+    request := v1beta1.AdmissionRequest{
+        Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
+    }
+
+    resource := types.PolicyResource{
        Kind: "ConfigMap",
-		Selector: &metav1.LabelSelector {
-            MatchLabels: map[string]string {
-				"label1" : "test1",
-				"label2" : "test2",
+        Selector: &metav1.LabelSelector{
+            MatchLabels: nil,
+            MatchExpressions: []metav1.LabelSelectorRequirement{
+                metav1.LabelSelectorRequirement{
+                    Key:      "label2",
+                    Operator: "NotIn",
+                    Values: []string{
+                        "sometest1",
+                    },
+                },
+                metav1.LabelSelectorRequirement{
+                    Key:      "label1",
+                    Operator: "In",
+                    Values: []string{
+                        "test1",
+                        "test8",
+                        "test201",
+                    },
+                },
+                metav1.LabelSelectorRequirement{
+                    Key:      "label3",
+                    Operator: "DoesNotExist",
+                    Values:   nil,
+                },
+            },
+        },
+    }
+
+    objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
+    request.Object.Raw = objectByteArray
+
+    assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
+}
+
+func TestIsRuleResourceFitsRequest_MatchLabels(t *testing.T) {
+    resource := types.PolicyResource{
+        Kind: "ConfigMap",
+        Selector: &metav1.LabelSelector{
+            MatchLabels: map[string]string{
+                "label1": "test1",
+                "label2": "test2",
            },
            MatchExpressions: nil,
        },
@ -116,18 +157,68 @@ func TestIsRuleResourceFitsRequest_Selector(t *testing.T) {
    request.Object.Raw = objectByteArray
    assertEq(t, false, webhooks.IsRuleApplicableToRequest(resource, &request))

-	resource = types.PolicyResource {
+    resource = types.PolicyResource{
        Kind: "ConfigMap",
-		Selector: &metav1.LabelSelector {
-            MatchLabels: map[string]string {
-				"label3" : "test1",
-				"label2" : "test2",
+        Selector: &metav1.LabelSelector{
+            MatchLabels: map[string]string{
+                "label3": "test1",
+                "label2": "test2",
            },
            MatchExpressions: nil,
        },
    }

    assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
-
-	// TODO: MatchExpressions tests should be done
+}
+
+func TestIsRuleResourceFitsRequest_MatchLabelsAndMatchExpressions(t *testing.T) {
+    request := v1beta1.AdmissionRequest{
+        Kind: metav1.GroupVersionKind{Kind: "ConfigMap"},
+    }
+
+    resource := types.PolicyResource{
+        Kind: "ConfigMap",
+        Selector: &metav1.LabelSelector{
+            MatchLabels: map[string]string{
+                "label1": "test1",
+            },
+            MatchExpressions: []metav1.LabelSelectorRequirement{
+                metav1.LabelSelectorRequirement{
+                    Key:      "label2",
+                    Operator: "In",
+                    Values: []string{
+                        "test2",
+                    },
+                },
+            },
+        },
+    }
+
+    objectByteArray := []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
+    request.Object.Raw = objectByteArray
+
+    assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
+
+    resource = types.PolicyResource{
+        Kind: "ConfigMap",
+        Selector: &metav1.LabelSelector{
+            MatchLabels: map[string]string{
+                "label1": "test1",
+            },
+            MatchExpressions: []metav1.LabelSelectorRequirement{
+                metav1.LabelSelectorRequirement{
+                    Key:      "label2",
+                    Operator: "NotIn",
+                    Values: []string{
+                        "sometest1",
+                    },
+                },
+            },
+        },
+    }
+
+    objectByteArray = []byte(`{"metadata":{"name":"test-config-map","namespace":"default","creationTimestamp":null,"labels":{"label1":"test1","label2":"test2"}}}`)
+    request.Object.Raw = objectByteArray
+
+    assertEq(t, true, webhooks.IsRuleApplicableToRequest(resource, &request))
 }
--- a/webhooks/mutation.go
+++ b/webhooks/mutation.go
@ -10,10 +10,14 @@ import (
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

+// MutationWebhook is a data type that represents
+// buisness logic for resource mutation
 type MutationWebhook struct {
    logger *log.Logger
 }

+// NewMutationWebhook is a method that returns new instance
+// of MutationWebhook struct
 func NewMutationWebhook(logger *log.Logger) (*MutationWebhook, error) {
    if logger == nil {
        return nil, errors.New("Logger must be set for the mutation webhook")
@ -21,6 +25,7 @@ func NewMutationWebhook(logger *log.Logger) (*MutationWebhook, error) {
    return &MutationWebhook{logger: logger}, nil
 }

+// Mutate applies admission to request
 func (mw *MutationWebhook) Mutate(request *v1beta1.AdmissionRequest, policies []types.Policy) *v1beta1.AdmissionResponse {
    mw.logger.Printf("AdmissionReview for Kind=%v, Namespace=%v Name=%v UID=%v patchOperation=%v UserInfo=%v",
        request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, request.UserInfo)
@ -31,7 +36,7 @@ func (mw *MutationWebhook) Mutate(request *v1beta1.AdmissionRequest, policies []

    var allPatches []types.PolicyPatch
    for _, policy := range policies {
-		var stopOnError bool = true
+        stopOnError := true
        if policy.Spec.FailurePolicy != nil && *policy.Spec.FailurePolicy == "continueOnError" {
            stopOnError = false
        }
@ -78,7 +83,7 @@ func (mw *MutationWebhook) Mutate(request *v1beta1.AdmissionRequest, policies []
 func (mw *MutationWebhook) applyPolicyRule(request *v1beta1.AdmissionRequest, rule types.PolicyRule) ([]types.PolicyPatch, error) {
    var allPatches []types.PolicyPatch
    if rule.Patches == nil && rule.ConfigMapGenerator == nil && rule.SecretGenerator == nil {
-		return nil, errors.New("The rule is empty!")
+        return nil, errors.New("The rule is empty")
    }

    allPatches = append(allPatches, rule.Patches...)
@ -94,6 +99,7 @@ func (mw *MutationWebhook) applyPolicyRule(request *v1beta1.AdmissionRequest, ru
    return allPatches, nil
 }

+// SerializePatches converts JSON patches to byte array
 func SerializePatches(patches []types.PolicyPatch) ([]byte, error) {
    var result []byte
    result = append(result, []byte("[\n")...)