From 4cb44bce09ceefe2e3864a5602f1d9a09987848e Mon Sep 17 00:00:00 2001
From: shravan
Date: Tue, 14 Apr 2020 19:06:48 +0530
Subject: [PATCH] 744 save commit

---
 definitions/install.yaml | 26 +++++++++++++-------------
 definitions/install_debug.yaml | 26 +++++++++++++-------------
 pkg/api/kyverno/v1/types.go | 7 +------
 pkg/api/kyverno/v1/utils.go | 4 ----
 pkg/engine/deny.go | 26 --------------------------
 pkg/policy/validate.go | 6 +-----
 pkg/webhooks/server.go | 14 --------------
 7 files changed, 28 insertions(+), 81 deletions(-)
 delete mode 100644 pkg/engine/deny.go

diff --git a/definitions/install.yaml b/definitions/install.yaml
index 1d01a8cb8a..72ba5cf550 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -176,19 +176,6 @@ spec:
 - key # can be of any type
 - operator # typed
 - value # can be of any type
- deny:
- type: object
- properties:
- message:
- type: string
- conditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
 mutate:
 type: object
 properties:
@@ -221,6 +208,19 @@ spec:
 AnyValue: {}
 anyPattern:
 AnyValue: {}
+ deny:
+ type: object
+ properties:
+ message:
+ type: string
+ conditions:
+ type: array
+ items:
+ type: object
+ required:
+ - key # can be of any type
+ - operator # typed
+ - value # can be of any type
 generate:
 type: object
 required:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 7c8812163e..3c416a9ede 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -176,19 +176,6 @@ spec:
 - key # can be of any type
 - operator # typed
 - value # can be of any type
- deny:
- type: object
- properties:
- message:
- type: string
- conditions:
- type: array
- items:
- type: object
- required:
- - key # can be of any type
- - operator # typed
- - value # can be of any type
 mutate:
 type: object
 properties:
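Review bot: The `deny` block added under `validate` in the second install.yaml hunk still declares an object with `message` and `conditions`, but the `Validation.Deny` field this same commit adds in pkg/api/kyverno/v1/types.go is `[]Condition`, which serializes as a JSON array. A policy written the way the Go type expects (`deny: [{key: …, operator: …, value: …}]`) would presumably be rejected by the CRD's `type: object` check, while one written to this schema would not unmarshal into the slice, so one of the two shapes has to change. If the array form is the intended one, replace `type: object` / `properties:` / `message:` … with `type: array` and move the `items: {type: object, required: [key, operator, value]}` block directly under `deny`, using `validate.message` for the denial text. The identical block is copied into install_debug.yaml below and needs the same correction.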
@@ -221,6 +208,19 @@ spec:
 AnyValue: {}
 anyPattern:
 AnyValue: {}
+ deny:
+ type: object
+ properties:
+ message:
+ type: string
+ conditions:
+ type: array
+ items:
+ type: object
+ required:
+ - key # can be of any type
+ - operator # typed
+ - value # can be of any type
 generate:
 type: object
 required:
diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go
index c4f57cce38..c85fe9a1a7 100644
--- a/pkg/api/kyverno/v1/types.go
+++ b/pkg/api/kyverno/v1/types.go
@@ -141,12 +141,6 @@ type Rule struct {
 Mutation Mutation `json:"mutate,omitempty"`
 Validation Validation `json:"validate,omitempty"`
 Generation Generation `json:"generate,omitempty"`
- Deny *Deny `json:"deny,omitempty"`
-}
-
-type Deny struct {
- Message string `json:"message,omitempty"`
- Conditions []Condition `json:"conditions,omitempty"`
 }
 //Condition defines the evaluation condition
@@ -217,6 +211,7 @@ type Validation struct {
 Message string `json:"message,omitempty"`
 Pattern interface{} `json:"pattern,omitempty"`
 AnyPattern []interface{} `json:"anyPattern,omitempty"`
+ Deny []Condition `json:"deny,omitempty"`
 }
 // Generation describes which resources will be created when other resource is created
diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go
index f08b91ee5c..abe266eabd 100644
--- a/pkg/api/kyverno/v1/utils.go
+++ b/pkg/api/kyverno/v1/utils.go
@@ -27,10 +27,6 @@ func (r Rule) HasGenerate() bool {
 return !reflect.DeepEqual(r.Generation, Generation{})
 }
-func (r Rule) HasDeny() bool {
- return r.Deny != nil
-}
-
 // DeepCopyInto is declared because k8s:deepcopy-gen is
 // not able to generate this method for interface{} member
 func (in *Mutation) DeepCopyInto(out *Mutation) {
diff --git a/pkg/engine/deny.go b/pkg/engine/deny.go
deleted file mode 100644
index 0179f8a3f6..0000000000
--- a/pkg/engine/deny.go
+++ /dev/null
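Review bot: The new `Deny []Condition` field in the `Validation` hunk has no doc comment, and with the old `Deny.Message` gone it is not stated what text a denied request will carry back to the client or how the conditions combine; the deleted engine.Deny treated the conditions as one group that must all hold, with the rule's own message as the reason. I would add above the field: `// Deny rejects the admission request when EvaluateConditions reports the listed conditions as not met; Message is reported to the client as the reason.` (adjust the wording if the intended semantics differ). Note also that the CRD schema added in definitions/install.yaml still describes `deny` as an object with `message`/`conditions` rather than the array this slice marshals to, so the two need reconciling before a deny policy can round-trip through the API server. The enclosing `Validation` struct and its comment start outside the hunk.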
@@ -1,26 +0,0 @@
-package engine
-
-import (
- "fmt"
-
- "github.com/go-logr/logr"
- "github.com/nirmata/kyverno/pkg/engine/context"
-
- v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
- "github.com/nirmata/kyverno/pkg/engine/variables"
-)
-
-func Deny(logger logr.Logger, policy v1.ClusterPolicy, ctx *context.Context) error {
- for _, rule := range policy.Spec.Rules {
- if rule.Deny != nil {
- sliceCopy := make([]v1.Condition, len(rule.Deny.Conditions))
- copy(sliceCopy, rule.Deny.Conditions)
-
- if !variables.EvaluateConditions(logger, ctx, sliceCopy) {
- return fmt.Errorf("request has been denied by policy %s due to - %s", policy.Name, rule.Deny.Message)
- }
- }
- }
-
- return nil
-}
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index abc3cfad8a..04741669ea 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -239,10 +239,6 @@ func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool {
 }
 func validateResources(rule kyverno.Rule) (string, error) {
- if rule.HasDeny() {
- return "", nil
- }
-
 // validate userInfo in match and exclude
 if path, err := validateUserInfo(rule); err != nil {
 return fmt.Sprintf("resources.%s", path), err
@@ -274,7 +270,7 @@ func validateUniqueRuleName(p kyverno.ClusterPolicy) (string, error) {
 // validateRuleType checks only one type of rule is defined per rule
 func validateRuleType(r kyverno.Rule) error {
- ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate(), r.HasDeny()}
+ ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate()}
 operationCount := func() int {
 count := 0
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index bef9e6d6a5..350f3a6ccb 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -13,8 +13,6 @@ import (
 v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 context2 "github.com/nirmata/kyverno/pkg/engine/context"
- "github.com/nirmata/kyverno/pkg/engine" - "github.com/nirmata/kyverno/pkg/openapi"
 "github.com/go-logr/logr"
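Review bot: In the first validate.go hunk, dropping the `if rule.HasDeny() { return "", nil }` short-circuit means rules carrying deny conditions now go through `validateUserInfo` and the remaining resource checks in `validateResources`; that is consistent with deny living under `validate`, but the old early return suggests deny rules were previously allowed to skip those checks, so it is worth confirming that a deny rule matching purely on user/serviceaccount information is still accepted by the rest of this function. `validateResources` has no doc comment; I would add `// validateResources checks a rule's match/exclude blocks and returns the offending field path (prefixed with "resources.") together with the error.`, which is what the visible `fmt.Sprintf("resources.%s", path)` return reflects. The body of `validateResources` continues outside the hunk.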
@@ -259,18 +257,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 logger.Error(err, "failed to load service account in context")
 }
- for _, policy := range policies {
- if err := engine.Deny(logger, policy, ctx); err != nil {
- return &v1beta1.AdmissionResponse{
- Allowed: false,
- Result: &metav1.Status{
- Status: "Failure",
- Message: err.Error(),
- },
- }
- }
- }
-
 // MUTATION
 // mutation failure should not block the resource creation
 // any mutation failure is reported as the violation
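Review bot: This hunk removes the only enforcement of deny conditions from `resourceMutation` and nothing on the new side of the commit evaluates the `Validation.Deny` slice added in types.go, so as of this commit a policy with deny conditions is accepted by the CRD but fails open: every request it would have rejected is admitted. If this is an intermediate "save commit", the replacement evaluation should land before this is merged, presumably in the validation path rather than here, and it should keep two details of the deleted code: the `Allowed: false` response with a `metav1.Status` carrying the reason, and the copy of the conditions slice made before calling `EvaluateConditions` (the deleted `sliceCopy := make(...)`/`copy(...)` pair), since that copy looks deliberate and the slice now lives directly on the shared policy object. `resourceMutation` starts before this hunk and continues after it.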