mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Added Synchronize flag in Generate Request (#980)

Browse source 
* fix Synchronize flag issue
This commit is contained in:
Yuvraj 2020-07-13 13:42:11 -07:00 committed by GitHub
parent f9149dfd86
commit 4535f43283
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 39 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
definitions/manifest/deployment.yaml
View file

@ -19,10 +19,10 @@ spec:
serviceAccountName: kyverno-service-account
initContainers:
- name: kyverno-pre
image: nirmata/kyvernopre:v1.1.6
image: nirmata/kyvernopre:v1.1.7-rc2
containers:
- name: kyverno
image: nirmata/kyverno:v1.1.6
image: nirmata/kyverno:v1.1.7-rc2
imagePullPolicy: Always
args:
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
@ -36,6 +36,12 @@ spec:
env:
- name: INIT_CONFIG
value: init-config
- name: KYVERNO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
resources:
requests:
memory: "50Mi"

6
pkg/api/kyverno/v1/types.go
View file

@ -19,9 +19,9 @@ type GenerateRequest struct {
//GenerateRequestSpec stores the request specification
type GenerateRequestSpec struct {
Policy string `json:"policy"`
Resource ResourceSpec `json:"resource"`
Context GenerateRequestContext `json:"context"`
Policy string `json:"policy"`
Resource ResourceSpec `json:"resource"`
Context GenerateRequestContext `json:"context"`
}
//GenerateRequestContext stores the context to be shared

1
pkg/engine/response/response.go
View file

@ -13,6 +13,7 @@ type EngineResponse struct {
PatchedResource unstructured.Unstructured
// Policy Response
PolicyResponse PolicyResponse
}
//PolicyResponse policy application response

5
pkg/generate/generate.go
View file

@ -294,9 +294,8 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
} else if mode == Update {
label := newResource.GetLabels()
if label != nil {
if label["app.kubernetes.io/synchronize"] == "enable" {
if rule.Generation.Synchronize {
logger.V(4).Info("updating existing resource")
// Update the resource
_, err := client.UpdateResource(genKind, genNamespace, newResource, false)
@ -313,9 +312,7 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
} else {
logger.V(4).Info("Synchronize resource is disabled")
}
}
return newGenResource, nil
}

1
pkg/webhooks/generation.go
View file

@ -90,6 +90,7 @@ func applyGenerateRequest(gnGenerator generate.GenerateRequests, userRequestInfo
}
func transform(userRequestInfo kyverno.RequestInfo, er response.EngineResponse) kyverno.GenerateRequestSpec {
gr := kyverno.GenerateRequestSpec{
Policy: er.PolicyResponse.Policy,
Resource: kyverno.ResourceSpec{

39
pkg/webhooks/server.go
View file

@ -556,31 +556,36 @@ func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer htt
func (ws *WebhookServer) excludeKyvernoResources(request *v1beta1.AdmissionRequest) error {
logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
checked, err := userinfo.IsRoleAuthorize(ws.rbLister, ws.crbLister, ws.rLister, ws.crLister, request)
var resource *unstructured.Unstructured
var err error
var isManagedResourceCheck bool
if request.Operation == v1beta1.Delete {
resource, err = enginutils.ConvertToUnstructured(request.OldObject.Raw)
isManagedResourceCheck = true
} else if request.Operation == v1beta1.Update {
resource, err = enginutils.ConvertToUnstructured(request.Object.Raw)
isManagedResourceCheck = true
}
if err != nil {
logger.Error(err, "failed to get RBAC infromation for request")
logger.Error(err, "failed to convert object resource to unstructured format")
return err
}
if !checked {
// convert RAW to unstructured
var resource *unstructured.Unstructured
if request.Operation == v1beta1.Delete {
resource, err = enginutils.ConvertToUnstructured(request.OldObject.Raw)
} else {
resource, err = enginutils.ConvertToUnstructured(request.Object.Raw)
}
if err != nil {
logger.Error(err, "failed to convert RAR resource to unstructured format")
return err
}
if isManagedResourceCheck {
labels := resource.GetLabels()
if labels != nil {
if labels["app.kubernetes.io/managed-by"] == "kyverno" && labels["app.kubernetes.io/synchronize"] == "enable" {
return fmt.Errorf("Resource is managed by Kyverno, can't be changed manually. You can edit generate policy to update this resource")
isAuthorized, err := userinfo.IsRoleAuthorize(ws.rbLister, ws.crbLister, ws.rLister, ws.crLister, request)
if err != nil {
return fmt.Errorf("failed to get RBAC infromation for request %v",err)
}
if !isAuthorized {
// convert RAW to unstructured
return fmt.Errorf("Resource is managed by Kyverno, can't be changed manually. You can edit generate policy to update this resource")
}
}
}
}
return nil
}

1
samples/best_practices/add_network_policy.yaml
View file

@ -22,6 +22,7 @@ spec:
kind: NetworkPolicy
name: default-deny-ingress
namespace: "{{request.object.metadata.name}}"
synchronize : true
data:
spec:
# select all pods in the namespace

2
samples/best_practices/add_ns_quota.yaml
View file

@ -17,6 +17,7 @@ spec:
generate:
kind: ResourceQuota
name: default-resourcequota
synchronize : true
namespace: "{{request.object.metadata.name}}"
data:
spec:
@ -33,6 +34,7 @@ spec:
generate:
kind: LimitRange
name: default-limitrange
synchronize : true
namespace: "{{request.object.metadata.name}}"
data:
spec: