1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00

fix: HasVerifyImages check (#6668)

* fix: HasVerifyImages check

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-03-24 09:52:26 +01:00 committed by GitHub
parent d73822b5f8
commit 5a9befd847
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 36 additions and 20 deletions

View file

@ -3,9 +3,9 @@ package v1
import (
"encoding/json"
"fmt"
"reflect"
"github.com/kyverno/kyverno/pkg/pss/utils"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
wildcard "github.com/kyverno/kyverno/pkg/utils/wildcard"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@ -96,12 +96,17 @@ type Rule struct {
// HasMutate checks for mutate rule
func (r *Rule) HasMutate() bool {
return !reflect.DeepEqual(r.Mutation, Mutation{})
return !datautils.DeepEqual(r.Mutation, Mutation{})
}
// HasVerifyImages checks for verifyImages rule
func (r *Rule) HasVerifyImages() bool {
return r.VerifyImages != nil && !reflect.DeepEqual(r.VerifyImages, ImageVerification{})
for _, verifyImage := range r.VerifyImages {
if !datautils.DeepEqual(verifyImage, ImageVerification{}) {
return true
}
}
return false
}
// HasYAMLSignatureVerify checks for validate.manifests rule
@ -133,12 +138,12 @@ func (p *ClusterPolicy) HasYAMLSignatureVerify() bool {
// HasValidate checks for validate rule
func (r *Rule) HasValidate() bool {
return !reflect.DeepEqual(r.Validation, Validation{})
return !datautils.DeepEqual(r.Validation, Validation{})
}
// HasGenerate checks for generate rule
func (r *Rule) HasGenerate() bool {
return !reflect.DeepEqual(r.Generation, Generation{})
return !datautils.DeepEqual(r.Generation, Generation{})
}
// IsMutateExisting checks if the mutate rule applies to existing resources
@ -195,14 +200,14 @@ func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorL
if len(r.MatchResources.Any) > 0 && len(r.ExcludeResources.Any) > 0 {
for _, rmr := range r.MatchResources.Any {
for _, rer := range r.ExcludeResources.Any {
if reflect.DeepEqual(rmr, rer) {
if datautils.DeepEqual(rmr, rer) {
return append(errs, field.Invalid(path, r, "Rule is matching an empty set"))
}
}
}
return errs
}
if reflect.DeepEqual(r.ExcludeResources, MatchResources{}) {
if datautils.DeepEqual(r.ExcludeResources, MatchResources{}) {
return errs
}
excludeRoles := sets.New(r.ExcludeResources.Roles...)
@ -340,7 +345,7 @@ func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorL
return errs
}
if r.MatchResources.Annotations != nil && r.ExcludeResources.Annotations != nil {
if !(reflect.DeepEqual(r.MatchResources.Annotations, r.ExcludeResources.Annotations)) {
if !datautils.DeepEqual(r.MatchResources.Annotations, r.ExcludeResources.Annotations) {
return errs
}
}

View file

@ -17,10 +17,9 @@ limitations under the License.
package v2alpha1
import (
"reflect"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
"github.com/robfig/cron"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
@ -210,14 +209,14 @@ func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (e
if len(spec.MatchResources.Any) > 0 && len(spec.ExcludeResources.Any) > 0 {
for _, rmr := range spec.MatchResources.Any {
for _, rer := range spec.ExcludeResources.Any {
if reflect.DeepEqual(rmr, rer) {
if datautils.DeepEqual(rmr, rer) {
return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
}
}
}
return errs
}
if reflect.DeepEqual(spec.ExcludeResources, kyvernov2beta1.MatchResources{}) {
if datautils.DeepEqual(spec.ExcludeResources, &kyvernov2beta1.MatchResources{}) {
return errs
}
return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))

View file

@ -2,9 +2,9 @@ package v2beta1
import (
"fmt"
"reflect"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
)
@ -64,12 +64,17 @@ type Rule struct {
// HasMutate checks for mutate rule
func (r *Rule) HasMutate() bool {
return !reflect.DeepEqual(r.Mutation, kyvernov1.Mutation{})
return !datautils.DeepEqual(r.Mutation, kyvernov1.Mutation{})
}
// HasVerifyImages checks for verifyImages rule
func (r *Rule) HasVerifyImages() bool {
return r.VerifyImages != nil && !reflect.DeepEqual(r.VerifyImages, ImageVerification{})
for _, verifyImage := range r.VerifyImages {
if !datautils.DeepEqual(verifyImage, ImageVerification{}) {
return true
}
}
return false
}
// HasYAMLSignatureVerify checks for validate.manifests rule
@ -101,12 +106,12 @@ func (p *ClusterPolicy) HasYAMLSignatureVerify() bool {
// HasValidate checks for validate rule
func (r *Rule) HasValidate() bool {
return !reflect.DeepEqual(r.Validation, Validation{})
return !datautils.DeepEqual(r.Validation, Validation{})
}
// HasGenerate checks for generate rule
func (r *Rule) HasGenerate() bool {
return !reflect.DeepEqual(r.Generation, kyvernov1.Generation{})
return !datautils.DeepEqual(r.Generation, kyvernov1.Generation{})
}
// IsMutateExisting checks if the mutate rule applies to existing resources
@ -158,17 +163,17 @@ func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorL
if len(r.MatchResources.Any) > 0 && len(r.ExcludeResources.Any) > 0 {
for _, rmr := range r.MatchResources.Any {
for _, rer := range r.ExcludeResources.Any {
if reflect.DeepEqual(rmr, rer) {
if datautils.DeepEqual(rmr, rer) {
return append(errs, field.Invalid(path, r, "Rule is matching an empty set"))
}
}
}
return errs
}
if reflect.DeepEqual(r.ExcludeResources.Any, r.MatchResources.Any) {
if datautils.DeepEqual(r.ExcludeResources.Any, r.MatchResources.Any) {
return errs
}
if reflect.DeepEqual(r.ExcludeResources.All, r.MatchResources.All) {
if datautils.DeepEqual(r.ExcludeResources.All, r.MatchResources.All) {
return errs
}
return append(errs, field.Invalid(path, r, "Rule is matching an empty set"))

7
pkg/utils/data/equal.go Normal file
View file

@ -0,0 +1,7 @@
package data
import "reflect"
func DeepEqual[T any](a T, b T) bool {
return reflect.DeepEqual(a, b)
}