mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
fix event resource name + add filtered kinds to policy controller & namespace + fix messages
This commit is contained in:
parent
fdc4703258
commit
5dab189743
10 changed files with 65 additions and 52 deletions
|
@ -78,19 +78,19 @@ func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, rul
|
|||
// check if the rule is create, if yes, then verify if the specified configuration is present in the resource
|
||||
ok, err := checkResource(rule.Generation.Data, obj)
|
||||
if err != nil {
|
||||
glog.V(4).Infof("generate rule:: unable to check if configuration %v, is present in resource %s/%s/%s", rule.Generation.Data, rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
glog.V(4).Infof("generate rule: unable to check if configuration %v, is present in resource '%s/%s' in namespace '%s'", rule.Generation.Data, rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
response.Success = false
|
||||
response.Message = fmt.Sprintf("unable to check if configuration %v, is present in resource %s/%s/%s", rule.Generation.Data, rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
response.Message = fmt.Sprintf("unable to check if configuration %v, is present in resource '%s/%s' in namespace '%s'", rule.Generation.Data, rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
return response
|
||||
}
|
||||
if !ok {
|
||||
glog.V(4).Infof("generate rule:: configuration %v not present in resource %s/%s/%s", rule.Generation.Data, rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
glog.V(4).Infof("generate rule: configuration %v not present in resource '%s/%s' in namespace '%s'", rule.Generation.Data, rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
response.Success = false
|
||||
response.Message = fmt.Sprintf("configuration %v not present in resource %s/%s/%s", rule.Generation.Data, rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
response.Message = fmt.Sprintf("configuration %v not present in resource '%s/%s' in namespace '%s'", rule.Generation.Data, rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
return response
|
||||
}
|
||||
response.Success = true
|
||||
response.Message = fmt.Sprintf("required configuration %v is present in resource %s/%s/%s", rule.Generation.Data, rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
response.Message = fmt.Sprintf("required configuration %v is present in resource '%s/%s' in namespace '%s'", rule.Generation.Data, rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
return response
|
||||
}
|
||||
rdata, err = runtime.DefaultUnstructuredConverter.ToUnstructured(&rule.Generation.Data)
|
||||
|
@ -106,26 +106,26 @@ func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, rul
|
|||
// 1> Check if resource exists
|
||||
_, err := client.GetResource(rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
if err == nil {
|
||||
glog.V(4).Infof("generate rule: resource %s/%s/%s already present", rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
glog.V(4).Infof("generate rule: resource '%s/%s' already present in namespace '%s'", rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
response.Success = true
|
||||
response.Message = fmt.Sprintf("resource %s/%s/%s already present", rule.Generation.Kind, ns.GetName(), rule.Generation.Name)
|
||||
response.Message = fmt.Sprintf("resource '%s/%s' already present in namespace '%s'", rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
return response
|
||||
}
|
||||
// 2> If clone already exists return
|
||||
resource, err = client.GetResource(rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
if err != nil {
|
||||
glog.V(4).Infof("generate rule: clone reference resource %s/%s/%s not present: %v", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name, err)
|
||||
glog.V(4).Infof("generate rule: clone reference resource '%s/%s' not present in namespace '%s': %v", rule.Generation.Kind, rule.Generation.Clone.Name, rule.Generation.Clone.Namespace, err)
|
||||
response.Success = false
|
||||
response.Message = fmt.Sprintf("clone reference resource %s/%s/%s not present: %v", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name, err)
|
||||
response.Message = fmt.Sprintf("clone reference resource '%s/%s' not present in namespace '%s': %v", rule.Generation.Kind, rule.Generation.Clone.Name, rule.Generation.Clone.Namespace, err)
|
||||
return response
|
||||
}
|
||||
glog.V(4).Infof("generate rule: clone reference resource %s/%s/%s present", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
glog.V(4).Infof("generate rule: clone reference resource '%s/%s' present in namespace '%s'", rule.Generation.Kind, rule.Generation.Clone.Name, rule.Generation.Clone.Namespace)
|
||||
rdata = resource.UnstructuredContent()
|
||||
}
|
||||
if processExisting {
|
||||
glog.V(4).Infof("resource %s not found in existing namespace %s", rule.Generation.Name, ns.GetName())
|
||||
glog.V(4).Infof("resource '%s/%s' not found in existing namespace '%s'", rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
response.Success = false
|
||||
response.Message = fmt.Sprintf("resource %s not found in existing namespace %s", rule.Generation.Name, ns.GetName())
|
||||
response.Message = fmt.Sprintf("resource '%s/%s' not found in existing namespace '%s'", rule.Generation.Kind, rule.Generation.Name, ns.GetName())
|
||||
// for existing resources we generate an error which indirectly generates a policy violation
|
||||
return response
|
||||
}
|
||||
|
|
|
@ -1505,7 +1505,7 @@ func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) {
|
|||
func TestValidate_ServiceTest(t *testing.T) {
|
||||
rawPolicy := []byte(`{
|
||||
"apiVersion":"kyverno.nirmata.io/v1alpha1",
|
||||
"kind":"Policy",
|
||||
"kind":"ClusterPolicy",
|
||||
"metadata":{
|
||||
"name":"policy-service"
|
||||
},
|
||||
|
@ -1597,7 +1597,7 @@ func TestValidate_ServiceTest(t *testing.T) {
|
|||
func TestValidate_MapHasFloats(t *testing.T) {
|
||||
rawPolicy := []byte(`{
|
||||
"apiVersion":"kyverno.nirmata.io/v1alpha1",
|
||||
"kind":"Policy",
|
||||
"kind":"ClusterPolicy",
|
||||
"metadata":{
|
||||
"name":"policy-deployment-changed"
|
||||
},
|
||||
|
|
|
@ -147,7 +147,7 @@ func (gen *Generator) syncHandler(key Info) error {
|
|||
var robj runtime.Object
|
||||
var err error
|
||||
switch key.Kind {
|
||||
case "Policy":
|
||||
case "ClusterPolicy":
|
||||
//TODO: policy is clustered resource so wont need namespace
|
||||
robj, err = gen.pLister.Get(key.Name)
|
||||
if err != nil {
|
||||
|
|
|
@ -147,7 +147,7 @@ func extractPolicy(fileDir string) (*kyverno.ClusterPolicy, error) {
|
|||
return nil, fmt.Errorf("failed to decode policy %s, err: %v", policy.Name, err)
|
||||
}
|
||||
|
||||
if policy.TypeMeta.Kind != "Policy" {
|
||||
if policy.TypeMeta.Kind != "ClusterPolicy" {
|
||||
return nil, fmt.Errorf("failed to parse policy")
|
||||
}
|
||||
|
||||
|
|
|
@ -9,6 +9,7 @@ import (
|
|||
client "github.com/nirmata/kyverno/pkg/dclient"
|
||||
"github.com/nirmata/kyverno/pkg/event"
|
||||
"github.com/nirmata/kyverno/pkg/policy"
|
||||
"github.com/nirmata/kyverno/pkg/utils"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
|
||||
kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
|
||||
|
@ -53,6 +54,8 @@ type NamespaceController struct {
|
|||
queue workqueue.RateLimitingInterface
|
||||
// Resource manager, manages the mapping for already processed resource
|
||||
rm resourceManager
|
||||
// filter the resources defined in the list
|
||||
filterK8Resources []utils.K8Resource
|
||||
}
|
||||
|
||||
//NewNamespaceController returns a new Controller to manage generation rules
|
||||
|
@ -62,14 +65,16 @@ func NewNamespaceController(kyvernoClient *kyvernoclient.Clientset,
|
|||
pInformer kyvernoinformer.ClusterPolicyInformer,
|
||||
pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
|
||||
policyStatus policy.PolicyStatusInterface,
|
||||
eventGen event.Interface) *NamespaceController {
|
||||
eventGen event.Interface,
|
||||
filterK8Resources string) *NamespaceController {
|
||||
//TODO: do we need to event recorder for this controller?
|
||||
// create the controller
|
||||
nsc := &NamespaceController{
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
eventGen: eventGen,
|
||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"),
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
eventGen: eventGen,
|
||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"),
|
||||
filterK8Resources: utils.ParseKinds(filterK8Resources),
|
||||
}
|
||||
|
||||
nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
||||
|
@ -201,6 +206,14 @@ func (nsc *NamespaceController) syncNamespace(key string) error {
|
|||
// TODO: Deep-copy only when needed.
|
||||
n := namespace.DeepCopy()
|
||||
|
||||
// skip processing namespace if its been filtered
|
||||
// exclude the filtered resources
|
||||
if utils.SkipFilteredResources("Namespace", "", namespace.Name, nsc.filterK8Resources) {
|
||||
//TODO: improve the text
|
||||
glog.V(4).Infof("excluding namespace %s as its a filtered resource",namespace.Name )
|
||||
return nil
|
||||
}
|
||||
|
||||
// process generate rules
|
||||
engineResponses := nsc.processNamespace(*n)
|
||||
// report errors
|
||||
|
|
|
@ -29,29 +29,29 @@ func reportEvents(engineResponse engine.EngineResponseNew, eventGen event.Interf
|
|||
if engineResponse.IsSuccesful() {
|
||||
return
|
||||
}
|
||||
glog.V(4).Infof("reporting results for policy %s application on resource %s/%s/%s", engineResponse.PolicyResponse.Policy, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", engineResponse.PolicyResponse.Policy, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
for _, rule := range engineResponse.PolicyResponse.Rules {
|
||||
if rule.Success {
|
||||
return
|
||||
}
|
||||
// generate event on resource for each failed rule
|
||||
glog.V(4).Infof("generation event on resource %s/%s/%s for policy %s", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy)
|
||||
glog.V(4).Infof("generation event on resource '%s/%s' for policy '%s'", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy)
|
||||
e := event.Info{}
|
||||
e.Kind = engineResponse.PolicyResponse.Resource.Kind
|
||||
e.Namespace = engineResponse.PolicyResponse.Resource.Namespace
|
||||
e.Name = engineResponse.PolicyResponse.Policy
|
||||
e.Namespace = "" // event generate on namespace resource
|
||||
e.Name = engineResponse.PolicyResponse.Resource.Name
|
||||
e.Reason = "Failure"
|
||||
e.Message = fmt.Sprintf("policy %s (%s) rule %s failed to apply. %v", engineResponse.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
|
||||
e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' failed to apply. %v", engineResponse.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
|
||||
eventGen.Add(e)
|
||||
|
||||
}
|
||||
// generate a event on policy for all failed rules
|
||||
glog.V(4).Infof("generation event on policy %s", engineResponse.PolicyResponse.Policy)
|
||||
glog.V(4).Infof("generation event on policy '%s'", engineResponse.PolicyResponse.Policy)
|
||||
e := event.Info{}
|
||||
e.Kind = "Policy"
|
||||
e.Kind = "ClusterPolicy"
|
||||
e.Namespace = ""
|
||||
e.Name = engineResponse.PolicyResponse.Policy
|
||||
e.Reason = "Failure"
|
||||
e.Message = fmt.Sprintf("failed to apply rules %v on resource %s/%s/%s", engineResponse.GetFailedRules(), engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
e.Message = fmt.Sprintf("failed to apply policy '%s' rules '%v' on resource '%s/%s/%s'", engineResponse.PolicyResponse.Policy, engineResponse.GetFailedRules(), engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
eventGen.Add(e)
|
||||
}
|
||||
|
|
|
@ -81,7 +81,7 @@ type PolicyController struct {
|
|||
|
||||
// NewPolicyController create a new PolicyController
|
||||
func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer, pvInformer kyvernoinformer.ClusterPolicyViolationInformer,
|
||||
eventGen event.Interface, webhookInformer webhookinformer.MutatingWebhookConfigurationInformer, webhookRegistrationClient *webhookconfig.WebhookRegistrationClient) (*PolicyController, error) {
|
||||
eventGen event.Interface, webhookInformer webhookinformer.MutatingWebhookConfigurationInformer, webhookRegistrationClient *webhookconfig.WebhookRegistrationClient, filterK8Resources string) (*PolicyController, error) {
|
||||
// Event broad caster
|
||||
eventBroadcaster := record.NewBroadcaster()
|
||||
eventBroadcaster.StartLogging(glog.Infof)
|
||||
|
@ -98,6 +98,7 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, client *client.
|
|||
eventRecorder: eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "policy_controller"}),
|
||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "policy"),
|
||||
webhookRegistrationClient: webhookRegistrationClient,
|
||||
filterK8Resources: utils.ParseKinds(filterK8Resources),
|
||||
}
|
||||
|
||||
pc.pvControl = RealPVControl{Client: kyvernoClient, Recorder: pc.eventRecorder}
|
||||
|
|
|
@ -66,8 +66,6 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, filterK8
|
|||
// get all namespaces
|
||||
namespaces = getAllNamespaces(client)
|
||||
}
|
||||
// check if exclude namespace is not clashing
|
||||
// namespaces = excludeNamespaces(namespaces, rule.ExcludeResources.Namespaces)
|
||||
|
||||
// get resources in the namespaces
|
||||
for _, ns := range namespaces {
|
||||
|
@ -101,13 +99,6 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
|
|||
continue
|
||||
}
|
||||
}
|
||||
// // exclude name
|
||||
// if rule.ExcludeResources.Name != "" {
|
||||
// if wildcard.Match(rule.ExcludeResources.Name, r.GetName()) {
|
||||
// glog.V(4).Infof("skipping resource %s/%s due to exclude condition name=%s mistatch", r.GetNamespace(), r.GetName(), rule.MatchResources.Name)
|
||||
// continue
|
||||
// }
|
||||
// }
|
||||
// Skip the filtered resources
|
||||
if utils.SkipFilteredResources(r.GetKind(), r.GetNamespace(), r.GetName(), filterK8Resources) {
|
||||
continue
|
||||
|
@ -117,13 +108,14 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
|
|||
resourceMap[string(r.GetUID())] = r
|
||||
}
|
||||
|
||||
// All the included resource
|
||||
// Need to exclude
|
||||
excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription)
|
||||
// exclude the resources
|
||||
// skip resources to be filtered
|
||||
excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, filterK8Resources)
|
||||
// glog.V(4).Infof("resource map: %v", resourceMap)
|
||||
return resourceMap
|
||||
}
|
||||
|
||||
func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription) {
|
||||
func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, filterK8Resources []utils.K8Resource) {
|
||||
if reflect.DeepEqual(exclude, (kyverno.ResourceDescription{})) {
|
||||
return
|
||||
}
|
||||
|
@ -203,6 +195,13 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv
|
|||
if ret := excludeKind(resource.GetKind()); ret != NotEvaluate {
|
||||
excludeEval = append(excludeEval, ret)
|
||||
}
|
||||
// exclude the filtered resources
|
||||
if utils.SkipFilteredResources(resource.GetKind(), resource.GetNamespace(), resource.GetName(), filterK8Resources) {
|
||||
//TODO: improve the text
|
||||
glog.V(4).Infof("excluding resource %s/%s/%s as its satisfies the filtered resources", resource.GetKind(), resource.GetNamespace(), resource.GetName())
|
||||
delete(included, uid)
|
||||
continue
|
||||
}
|
||||
|
||||
func() bool {
|
||||
for _, ret := range excludeEval {
|
||||
|
|
|
@ -30,31 +30,31 @@ func reportEvents(engineResponse engine.EngineResponseNew, eventGen event.Interf
|
|||
if engineResponse.IsSuccesful() {
|
||||
return
|
||||
}
|
||||
glog.V(4).Infof("reporting results for policy %s application on resource %s/%s/%s", engineResponse.PolicyResponse.Policy, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", engineResponse.PolicyResponse.Policy, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
for _, rule := range engineResponse.PolicyResponse.Rules {
|
||||
if rule.Success {
|
||||
return
|
||||
}
|
||||
|
||||
// generate event on resource for each failed rule
|
||||
glog.V(4).Infof("generation event on resource %s/%s/%s for policy %s", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy)
|
||||
glog.V(4).Infof("generation event on resource '%s/%s/%s' for policy '%s'", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy)
|
||||
e := event.Info{}
|
||||
e.Kind = engineResponse.PolicyResponse.Resource.Kind
|
||||
e.Namespace = engineResponse.PolicyResponse.Resource.Namespace
|
||||
e.Name = engineResponse.PolicyResponse.Policy
|
||||
e.Name = engineResponse.PolicyResponse.Resource.Name
|
||||
e.Reason = "Failure"
|
||||
e.Message = fmt.Sprintf("policy %s (%s) rule %s failed to apply. %v", engineResponse.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
|
||||
e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' failed to apply. %v", engineResponse.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
|
||||
eventGen.Add(e)
|
||||
|
||||
}
|
||||
// generate a event on policy for all failed rules
|
||||
glog.V(4).Infof("generation event on policy %s", engineResponse.PolicyResponse.Policy)
|
||||
glog.V(4).Infof("generation event on policy '%s'", engineResponse.PolicyResponse.Policy)
|
||||
e := event.Info{}
|
||||
e.Kind = "Policy"
|
||||
e.Kind = "ClusterPolicy"
|
||||
e.Namespace = ""
|
||||
e.Name = engineResponse.PolicyResponse.Policy
|
||||
e.Reason = "Failure"
|
||||
e.Message = fmt.Sprintf("failed to apply rules %v on resource %s/%s/%s", engineResponse.GetFailedRules(), engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
e.Message = fmt.Sprintf("failed to apply policy '%s' rules '%v' on resource '%s/%s/%s'", engineResponse.PolicyResponse.Policy, engineResponse.GetFailedRules(), engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name)
|
||||
eventGen.Add(e)
|
||||
|
||||
}
|
||||
|
|
|
@ -40,7 +40,7 @@ func generateEvents(engineResponses []engine.EngineResponseNew, onUpdate bool) [
|
|||
|
||||
// event on policy
|
||||
e = event.NewEventNew(
|
||||
"Policy",
|
||||
"ClusterPolicy",
|
||||
kyverno.SchemeGroupVersion.String(),
|
||||
"",
|
||||
er.PolicyResponse.Policy,
|
||||
|
@ -56,7 +56,7 @@ func generateEvents(engineResponses []engine.EngineResponseNew, onUpdate bool) [
|
|||
// CREATE
|
||||
// event on policy
|
||||
e := event.NewEventNew(
|
||||
"Policy",
|
||||
"ClusterPolicy",
|
||||
kyverno.SchemeGroupVersion.String(),
|
||||
"",
|
||||
er.PolicyResponse.Policy,
|
||||
|
|
Loading…
Add table
Reference in a new issue