mirror of
https://github.com/kyverno/kyverno.git
synced 2025-04-08 10:04:25 +00:00
Merge branch '455_namespace_pv' of https://github.com/nirmata/kyverno into 455_namespace_pv
This commit is contained in:
Shuting Zhao
commit
4a85aaa9ad
1 changed files with 27 additions and 11 deletions
|
|
@ -34,7 +34,7 @@ func BuildPolicyViolation(policy string, resource kyverno.ResourceSpec, fRules [
|
|||
}
|
||||
|
||||
//CreatePV creates policy violation resource based on the engine responses
|
||||
func CreatePV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset, engineResponses []engine.EngineResponse) {
|
||||
func CreateClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset, engineResponses []engine.EngineResponse) {
|
||||
var pvs []kyverno.ClusterPolicyViolation
|
||||
for _, er := range engineResponses {
|
||||
// ignore creation of PV for resoruces that are yet to be assigned a name
|
||||
|
|
@ -51,11 +51,11 @@ func CreatePV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyver
|
|||
}
|
||||
}
|
||||
|
||||
createPV(pvLister, client, pvs)
|
||||
createClusterPV(pvLister, client, pvs)
|
||||
}
|
||||
|
||||
// CreatePVWhenBlocked creates pv on resource owner only when admission request is denied
|
||||
func CreatePVWhenBlocked(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset,
|
||||
func CreateClusterPVWhenBlocked(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset,
|
||||
dclient *dclient.Client, engineResponses []engine.EngineResponse) {
|
||||
var pvs []kyverno.ClusterPolicyViolation
|
||||
for _, er := range engineResponses {
|
||||
|
|
@ -67,10 +67,10 @@ func CreatePVWhenBlocked(pvLister kyvernolister.ClusterPolicyViolationLister, cl
|
|||
er.PatchedResource.GetKind(), er.PatchedResource.GetNamespace(), er.PatchedResource.GetName())
|
||||
}
|
||||
}
|
||||
createPV(pvLister, client, pvs)
|
||||
createClusterPV(pvLister, client, pvs)
|
||||
}
|
||||
|
||||
func createPV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset, pvs []kyverno.ClusterPolicyViolation) {
|
||||
func createClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset, pvs []kyverno.ClusterPolicyViolation) {
|
||||
if len(pvs) == 0 {
|
||||
return
|
||||
}
|
||||
|
|
@ -80,7 +80,8 @@ func createPV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyver
|
|||
// check if there was a previous policy voilation for policy & resource combination
|
||||
curPv, err := getExistingPolicyViolationIfAny(nil, pvLister, newPv)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
// TODO(shuting): remove
|
||||
// glog.Error(err)
|
||||
continue
|
||||
}
|
||||
if curPv == nil {
|
||||
|
|
@ -114,6 +115,21 @@ func createPV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyver
|
|||
}
|
||||
}
|
||||
|
||||
//buildClusterPolicyViolation returns an value of type PolicyViolation
|
||||
func buildClusterPolicyViolation(policy string, resource kyverno.ResourceSpec, fRules []kyverno.ViolatedRule) kyverno.ClusterPolicyViolation {
|
||||
pv := kyverno.ClusterPolicyViolation{
|
||||
Spec: kyverno.PolicyViolationSpec{
|
||||
Policy: policy,
|
||||
ResourceSpec: resource,
|
||||
ViolatedRules: fRules,
|
||||
},
|
||||
}
|
||||
//TODO: check if this can be removed or use unstructured?
|
||||
// pv.Kind = "PolicyViolation"
|
||||
pv.SetGenerateName("pv-")
|
||||
return pv
|
||||
}
|
||||
|
||||
func buildPVForPolicy(er engine.EngineResponse) kyverno.ClusterPolicyViolation {
|
||||
pvResourceSpec := kyverno.ResourceSpec{
|
||||
Kind: er.PolicyResponse.Resource.Kind,
|
||||
|
|
@ -123,11 +139,11 @@ func buildPVForPolicy(er engine.EngineResponse) kyverno.ClusterPolicyViolation {
|
|||
|
||||
violatedRules := newViolatedRules(er, "")
|
||||
|
||||
return BuildPolicyViolation(er.PolicyResponse.Policy, pvResourceSpec, violatedRules)
|
||||
return buildClusterPolicyViolation(er.PolicyResponse.Policy, pvResourceSpec, violatedRules)
|
||||
}
|
||||
|
||||
func buildPVWithOwner(dclient *dclient.Client, er engine.EngineResponse) (pvs []kyverno.ClusterPolicyViolation) {
|
||||
msg := fmt.Sprintf("Request Blocked for resource %s/%s; ", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Name)
|
||||
msg := fmt.Sprintf("Request Blocked for resource %s/%s; ", er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Kind)
|
||||
violatedRules := newViolatedRules(er, msg)
|
||||
|
||||
// create violation on resource owner (if exist) when action is set to enforce
|
||||
|
|
@ -140,11 +156,11 @@ func buildPVWithOwner(dclient *dclient.Client, er engine.EngineResponse) (pvs []
|
|||
Kind: er.PolicyResponse.Resource.Kind,
|
||||
Name: er.PolicyResponse.Resource.Name,
|
||||
}
|
||||
return append(pvs, BuildPolicyViolation(er.PolicyResponse.Policy, pvResourceSpec, violatedRules))
|
||||
return append(pvs, buildClusterPolicyViolation(er.PolicyResponse.Policy, pvResourceSpec, violatedRules))
|
||||
}
|
||||
|
||||
for _, owner := range owners {
|
||||
pvs = append(pvs, BuildPolicyViolation(er.PolicyResponse.Policy, owner, violatedRules))
|
||||
pvs = append(pvs, buildClusterPolicyViolation(er.PolicyResponse.Policy, owner, violatedRules))
|
||||
}
|
||||
return
|
||||
}
|
||||
|
|
@ -163,7 +179,7 @@ func getExistingPolicyViolationIfAny(pvListerSynced cache.InformerSynced, pvList
|
|||
}
|
||||
//TODO: ideally there should be only one policy violation returned
|
||||
if len(pvs) > 1 {
|
||||
glog.Errorf("more than one policy violation exists with labels %v", labelMap)
|
||||
glog.V(4).Infof("more than one policy violation exists with labels %v", labelMap)
|
||||
return nil, fmt.Errorf("more than one policy violation exists with labels %v", labelMap)
|
||||
}
|
||||
|
||||
Loading…
Add table
Reference in a new issue