744 save commit
This commit is contained in:
parent
b6f01db0b1
commit
4cb44bce09
7 changed files with 28 additions and 81 deletions
|
@ -176,19 +176,6 @@ spec:
|
|||
- key # can be of any type
|
||||
- operator # typed
|
||||
- value # can be of any type
|
||||
deny:
|
||||
type: object
|
||||
properties:
|
||||
message:
|
||||
type: string
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
required:
|
||||
- key # can be of any type
|
||||
- operator # typed
|
||||
- value # can be of any type
|
||||
mutate:
|
||||
type: object
|
||||
properties:
|
||||
|
@ -221,6 +208,19 @@ spec:
|
|||
AnyValue: {}
|
||||
anyPattern:
|
||||
AnyValue: {}
|
||||
deny:
|
||||
type: object
|
||||
properties:
|
||||
message:
|
||||
type: string
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
required:
|
||||
- key # can be of any type
|
||||
- operator # typed
|
||||
- value # can be of any type
|
||||
generate:
|
||||
type: object
|
||||
required:
|
||||
|
|
|
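Review bot: The `deny` object added under `validate` constrains `conditions` items only with `required: [key, operator, value]` and gives them no `properties`, so `operator` is an unconstrained string and a misspelled or unsupported operator is accepted by the API server and only surfaces (if at all) when the engine evaluates it. If the supported operator set is fixed, constrain it in the schema, e.g. `properties: {operator: {type: string, enum: [...]}}` with the operators the engine actually implements; that list is not visible in this commit. `deny` itself has no `required`, so `deny: {}` or `deny: {message: "..."}` with no conditions validates; the comment on `deny` should state whether an empty condition list denies or allows, because the deleted evaluator denied only when conditions evaluated false, which presumably lets a vacuous list through.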
@ -176,19 +176,6 @@ spec:
|
|||
- key # can be of any type
|
||||
- operator # typed
|
||||
- value # can be of any type
|
||||
deny:
|
||||
type: object
|
||||
properties:
|
||||
message:
|
||||
type: string
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
required:
|
||||
- key # can be of any type
|
||||
- operator # typed
|
||||
- value # can be of any type
|
||||
mutate:
|
||||
type: object
|
||||
properties:
|
||||
|
@ -221,6 +208,19 @@ spec:
|
|||
AnyValue: {}
|
||||
anyPattern:
|
||||
AnyValue: {}
|
||||
deny:
|
||||
type: object
|
||||
properties:
|
||||
message:
|
||||
type: string
|
||||
conditions:
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
required:
|
||||
- key # can be of any type
|
||||
- operator # typed
|
||||
- value # can be of any type
|
||||
generate:
|
||||
type: object
|
||||
required:
|
||||
|
|
|
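Review bot: This schema models `validate.deny` as an object with `message` and `conditions`, but the Go type introduced in the same commit (`Deny []Condition` on `Validation`) is a bare array, so a policy written to this schema would not unmarshal into the controller's struct; one side has to change. Either keep the object shape here and retain a `Deny` struct in Go, or make this `deny: {type: array, items: ...}` and drop `message`. Since both CRD files carry the same schema, whichever shape is chosen should be applied to both so the debug and release manifests do not diverge.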
@ -141,12 +141,6 @@ type Rule struct {
|
|||
Mutation Mutation `json:"mutate,omitempty"`
|
||||
Validation Validation `json:"validate,omitempty"`
|
||||
Generation Generation `json:"generate,omitempty"`
|
||||
Deny *Deny `json:"deny,omitempty"`
|
||||
}
|
||||
|
||||
type Deny struct {
|
||||
Message string `json:"message,omitempty"`
|
||||
Conditions []Condition `json:"conditions,omitempty"`
|
||||
}
|
||||
|
||||
//Condition defines the evaluation condition
|
||||
|
@ -217,6 +211,7 @@ type Validation struct {
|
|||
Message string `json:"message,omitempty"`
|
||||
Pattern interface{} `json:"pattern,omitempty"`
|
||||
AnyPattern []interface{} `json:"anyPattern,omitempty"`
|
||||
Deny []Condition `json:"deny,omitempty"`
|
||||
}
|
||||
|
||||
// Generation describes which resources will be created when other resource is created
|
||||
|
|
|
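Review bot: `Deny []Condition` on `Validation` does not match the CRD schema in this commit, which declares `deny` as an object with `message` and `conditions`; unmarshalling that object into a slice fails, and the per-deny `Message` that the removed `Deny` struct carried has no replacement other than the validation-level `Message`. Keeping the struct shape, `Deny *Deny `json:"deny,omitempty"`` with the `Deny` type retained, is the smaller change and keeps the schema truthful. Separately, `Validation` already needs a hand-written `DeepCopyInto` because of its `interface{}` members (the comment on `Mutation.DeepCopyInto` says why); that method is outside this hunk, so confirm it clones the new slice rather than aliasing it — the deleted engine code went out of its way to `copy` the conditions before evaluating them, which suggests aliasing was a known concern.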
@ -27,10 +27,6 @@ func (r Rule) HasGenerate() bool {
|
|||
return !reflect.DeepEqual(r.Generation, Generation{})
|
||||
}
|
||||
|
||||
func (r Rule) HasDeny() bool {
|
||||
return r.Deny != nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is declared because k8s:deepcopy-gen is
|
||||
// not able to generate this method for interface{} member
|
||||
func (in *Mutation) DeepCopyInto(out *Mutation) {
|
||||
|
|
|
@ -1,26 +0,0 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/nirmata/kyverno/pkg/engine/context"
|
||||
|
||||
v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
||||
"github.com/nirmata/kyverno/pkg/engine/variables"
|
||||
)
|
||||
|
||||
func Deny(logger logr.Logger, policy v1.ClusterPolicy, ctx *context.Context) error {
|
||||
for _, rule := range policy.Spec.Rules {
|
||||
if rule.Deny != nil {
|
||||
sliceCopy := make([]v1.Condition, len(rule.Deny.Conditions))
|
||||
copy(sliceCopy, rule.Deny.Conditions)
|
||||
|
||||
if !variables.EvaluateConditions(logger, ctx, sliceCopy) {
|
||||
return fmt.Errorf("request has been denied by policy %s due to - %s", policy.Name, rule.Deny.Message)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
|
@ -239,10 +239,6 @@ func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool {
|
|||
}
|
||||
|
||||
func validateResources(rule kyverno.Rule) (string, error) {
|
||||
if rule.HasDeny() {
|
||||
return "", nil
|
||||
}
|
||||
|
||||
// validate userInfo in match and exclude
|
||||
if path, err := validateUserInfo(rule); err != nil {
|
||||
return fmt.Sprintf("resources.%s", path), err
|
||||
|
@ -274,7 +270,7 @@ func validateUniqueRuleName(p kyverno.ClusterPolicy) (string, error) {
|
|||
|
||||
// validateRuleType checks only one type of rule is defined per rule
|
||||
func validateRuleType(r kyverno.Rule) error {
|
||||
ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate(), r.HasDeny()}
|
||||
ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate()}
|
||||
|
||||
operationCount := func() int {
|
||||
count := 0
|
||||
|
|
|
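Review bot: With deny folded into `Validation`, `validateRuleType` now counts a rule with `validate.pattern` and `validate.deny` as a single validate rule, and nothing in this section checks the contents of `Validation.Deny`; the validation of the validate block itself is outside this hunk. If `pattern`, `anyPattern` and `deny` are meant to be mutually exclusive, add that check where the validate block is validated, e.g. count `v.Pattern != nil`, `len(v.AnyPattern) > 0`, `len(v.Deny) > 0` and reject more than one, and reject a `deny` with zero conditions so a rule cannot be accepted that can never deny anything. Removing the early return in `validateResources` also means deny rules now go through `validateUserInfo`, which is a behaviour change worth a line in the commit message.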
@ -13,8 +13,6 @@ import (
|
|||
v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
|
||||
context2 "github.com/nirmata/kyverno/pkg/engine/context"
|
||||
|
||||
"github.com/nirmata/kyverno/pkg/engine"
|
||||
|
||||
"github.com/nirmata/kyverno/pkg/openapi"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
|
@ -259,18 +257,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
|
|||
logger.Error(err, "failed to load service account in context")
|
||||
}
|
||||
|
||||
for _, policy := range policies {
|
||||
if err := engine.Deny(logger, policy, ctx); err != nil {
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: "Failure",
|
||||
Message: err.Error(),
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// MUTATION
|
||||
// mutation failure should not block the resource creation
|
||||
// any mutation failure is reported as the violation
|
||||
|
|
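Review bot: Removing the `engine.Deny` loop from `resourceMutation` leaves no caller for the new `Validation.Deny` conditions in the hunks shown — the only evaluator (`pkg/engine/deny.go`) is deleted and nothing is added to the validation path — so deny conditions that the CRDs now accept are stored but never enforced, which fails open for any policy relying on them. If this is an intermediate "save commit", reject rules with a non-empty `deny` in policy validation until the engine evaluates them, or add a `// TODO: evaluate rule.Validation.Deny in the validation webhook` so the gap is not shipped silently. Note also that the removed loop ran before mutation, so moving deny into validation will evaluate conditions against the mutated resource; confirm that ordering is intended. `resourceMutation` continues outside this hunk.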