fix: improve banned types management in reports (#4953)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
parent
e749907302
commit
47780bf37f
4 changed files with 45 additions and 11 deletions
|
@ -152,7 +152,13 @@ func (c serverPreferredResources) findResource(apiVersion string, kind string) (
|
||||||
logger.Error(err, "failed to parse GV", "groupVersion", serverResource.GroupVersion)
|
logger.Error(err, "failed to parse GV", "groupVersion", serverResource.GroupVersion)
|
||||||
return nil, schema.GroupVersionResource{}, err
|
return nil, schema.GroupVersionResource{}, err
|
||||||
}
|
}
|
||||||
|
// We potentially need to fix Group and Version with what the list is for
|
||||||
|
if resource.Group == "" {
|
||||||
|
resource.Group = gv.Group
|
||||||
|
}
|
||||||
|
if resource.Version == "" {
|
||||||
|
resource.Version = gv.Version
|
||||||
|
}
|
||||||
return &resource, gv.WithResource(resource.Name), nil
|
return &resource, gv.WithResource(resource.Name), nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
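Review bot: The back-fill at `if resource.Group == ""` and `if resource.Version == ""` assigns into `resource`, and because findResource's signature and the loop that yields `resource` sit outside the hunk, the page does not show whether that is a per-iteration copy or a pointer into the cached server resource list; if it is the latter, the patch also rewrites the cached discovery data. A one-line addition to the existing comment would settle it for the next reader, e.g. `// resource is a local copy of the list entry; patching it leaves the cached list untouched` (to be confirmed against the loop). It would also help to say there that only empty fields are filled, so an entry that names its own group or version is kept as served.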
@ -126,24 +126,27 @@ func (c *controller) updateDynamicWatchers(ctx context.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
kinds := utils.BuildKindSet(logger, utils.RemoveNonValidationPolicies(logger, append(clusterPolicies, policies...)...)...)
|
kinds := utils.BuildKindSet(logger, utils.RemoveNonValidationPolicies(logger, append(clusterPolicies, policies...)...)...)
|
||||||
gvrs := map[string]schema.GroupVersionResource{}
|
gvrs := map[schema.GroupVersionKind]schema.GroupVersionResource{}
|
||||||
for _, kind := range kinds.List() {
|
for _, kind := range kinds.List() {
|
||||||
apiVersion, kind := kubeutils.GetKindFromGVK(kind)
|
apiVersion, kind := kubeutils.GetKindFromGVK(kind)
|
||||||
apiResource, gvr, err := c.client.Discovery().FindResource(apiVersion, kind)
|
apiResource, gvr, err := c.client.Discovery().FindResource(apiVersion, kind)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to get gvr from kind", "kind", kind)
|
logger.Error(err, "failed to get gvr from kind", "kind", kind)
|
||||||
} else if apiVersion == "" && kind == "Event" {
|
|
||||||
logger.Info("Event cannot be an owner, skipping", "apiVersion", apiVersion, "kind", kind)
|
|
||||||
} else {
|
} else {
|
||||||
if pkgutils.ContainsString(apiResource.Verbs, "list") && pkgutils.ContainsString(apiResource.Verbs, "watch") {
|
gvk := schema.GroupVersionKind{Group: apiResource.Group, Version: apiResource.Version, Kind: apiResource.Kind}
|
||||||
gvrs[kind] = gvr
|
if !reportutils.IsGvkSupported(gvk) {
|
||||||
|
logger.Info("kind is not supported", "gvk", gvk)
|
||||||
} else {
|
} else {
|
||||||
logger.Info("list/watch not supported for kind", "kind", kind)
|
if pkgutils.ContainsString(apiResource.Verbs, "list") && pkgutils.ContainsString(apiResource.Verbs, "watch") {
|
||||||
|
gvrs[gvk] = gvr
|
||||||
|
} else {
|
||||||
|
logger.Info("list/watch not supported for kind", "kind", kind)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
dynamicWatchers := map[schema.GroupVersionResource]*watcher{}
|
dynamicWatchers := map[schema.GroupVersionResource]*watcher{}
|
||||||
for kind, gvr := range gvrs {
|
for gvk, gvr := range gvrs {
|
||||||
// if we already have one, transfer it to the new map
|
// if we already have one, transfer it to the new map
|
||||||
if c.dynamicWatchers[gvr] != nil {
|
if c.dynamicWatchers[gvr] != nil {
|
||||||
dynamicWatchers[gvr] = c.dynamicWatchers[gvr]
|
dynamicWatchers[gvr] = c.dynamicWatchers[gvr]
|
||||||
|
@ -156,7 +159,7 @@ func (c *controller) updateDynamicWatchers(ctx context.Context) error {
|
||||||
} else {
|
} else {
|
||||||
w := &watcher{
|
w := &watcher{
|
||||||
watcher: watchInterface,
|
watcher: watchInterface,
|
||||||
gvk: gvr.GroupVersion().WithKind(kind),
|
gvk: gvk,
|
||||||
hashes: map[types.UID]Resource{},
|
hashes: map[types.UID]Resource{},
|
||||||
}
|
}
|
||||||
go func() {
|
go func() {
|
||||||
|
|
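Review bot: The key `gvk := schema.GroupVersionKind{Group: apiResource.Group, Version: apiResource.Version, Kind: apiResource.Kind}` identifies the right type only when `apiResource.Group` and `apiResource.Version` are populated, which for entries served with empty fields is what the findResource change earlier in this commit back-fills; the old key `gvr.GroupVersion().WithKind(kind)` did not have that dependency. With an unpatched APIResource the watcher would be keyed on an empty group and version and `IsGvkSupported` would not recognise the core `Event` kind, so the coupling deserves a comment at that line, e.g. `// Group/Version are back-filled by FindResource from the list's GroupVersion, so this matches the GVKs in reportutils.bannedOwners`. Dropping the `apiVersion == "" && kind == "Event"` branch also replaces a check on the policy's spelling of the kind with one on the discovered GVK, which is only as complete as bannedOwners. updateDynamicWatchers continues outside the hunk.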
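--- /dev/null
+++ b/pkg/utils/report/support.go
@@ -0,0 +1,20 @@
+package report
+
+import (
+corev1 "k8s.io/api/core/v1"
+eventsv1 "k8s.io/api/events/v1"
+eventsv1beta1 "k8s.io/api/events/v1beta1"
+"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// bannedOwners are GVKs that are not allowed to be owners of other resources
+var bannedOwners = map[schema.GroupVersionKind]struct{}{
+corev1.SchemeGroupVersion.WithKind("Event"): {},
+eventsv1.SchemeGroupVersion.WithKind("Event"): {},
+eventsv1beta1.SchemeGroupVersion.WithKind("Event"): {},
+}
+
+func IsGvkSupported(gvk schema.GroupVersionKind) bool {
+_, exists := bannedOwners[gvk]
+return !exists
+}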
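Review bot: `IsGvkSupported` is exported without a doc comment, and its name says less than it does: the body answers whether the GVK is absent from `bannedOwners`, which the map comment describes as GVKs not allowed to own other resources, while the handleAudit caller in this commit uses it to decide whether an admission report is produced at all. A doc comment stating the contract would close that gap, e.g. `// IsGvkSupported reports whether resources of the given GVK may be the subject or owner of a report; the Event kinds listed in bannedOwners are excluded.` The map is package-level state read by both callers; saying in its comment that it is never mutated after initialisation would make that explicit.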
@ -20,6 +20,7 @@ import (
|
||||||
admissionv1 "k8s.io/api/admission/v1"
|
admissionv1 "k8s.io/api/admission/v1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||||
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||||
)
|
)
|
||||||
|
|
||||||
type ValidationHandler interface {
|
type ValidationHandler interface {
|
||||||
|
@ -163,17 +164,21 @@ func (v *validationHandler) handleAudit(
|
||||||
if !v.admissionReports {
|
if !v.admissionReports {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
// we don't need reports for deletions and when it's about sub resources
|
// we don't need reports for deletions and when it's about sub resources
|
||||||
if request.Operation == admissionv1.Delete || request.SubResource != "" {
|
if request.Operation == admissionv1.Delete || request.SubResource != "" {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
// check if the resource supports reporting
|
||||||
|
if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind)) {
|
||||||
|
return
|
||||||
|
}
|
||||||
responses, err := v.buildAuditResponses(resource, request, namespaceLabels)
|
responses, err := v.buildAuditResponses(resource, request, namespaceLabels)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
v.log.Error(err, "failed to build audit responses")
|
v.log.Error(err, "failed to build audit responses")
|
||||||
}
|
}
|
||||||
responses = append(responses, engineResponses...)
|
responses = append(responses, engineResponses...)
|
||||||
report := reportutils.NewAdmissionReport(resource, request, request.Kind, responses...)
|
report := reportutils.NewAdmissionReport(resource, request, request.Kind, responses...)
|
||||||
// if it's not a creation, the resource already exists, we can set the owner
|
// if it's not a creation, the resource already exists, we can set the owner
|
||||||
if request.Operation != admissionv1.Create {
|
if request.Operation != admissionv1.Create {
|
||||||
gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
|
gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
|
||||||
controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
|
controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
|
||||||
|
|
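Review bot: The new guard `if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind))` returns without any trace, so a request skipped here is indistinguishable from the admissionReports-disabled and deletion/sub-resource returns above it, whereas the controller-side counterpart in this commit logs `kind is not supported`. A log at that point, e.g. `v.log.Info("skipping report, kind is not supported", "kind", request.Kind)` (at a verbose level if v.log offers one), would keep the two paths observable in the same way. The conversion `schema.GroupVersionKind(request.Kind)` relies on the metav1 and schema GroupVersionKind structs having identical field layouts, which holds today but is worth a short comment since a compile failure is the only signal if that changes. handleAudit continues outside the hunk.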