check added for kyverno managed resource

2024-12-14 11:57:48 +00:00 · 2020-07-08 06:18:18 -07:00 · 2020-07-08 06:18:18 -07:00 · 604dc395d8
commit 604dc395d8
parent c4723e1d06
1 changed files with 29 additions and 0 deletions
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -28,6 +28,7 @@ import (
 	tlsutils "github.com/nirmata/kyverno/pkg/tls"
 	userinfo "github.com/nirmata/kyverno/pkg/userinfo"
 	"github.com/nirmata/kyverno/pkg/utils"
+	enginutils "github.com/nirmata/kyverno/pkg/engine/utils"
 	"github.com/nirmata/kyverno/pkg/webhookconfig"
 	"github.com/nirmata/kyverno/pkg/webhooks/generate"
 	v1beta1 "k8s.io/api/admission/v1beta1"
@ -333,7 +334,35 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 	// Only applied during resource creation and update
 	// Success -> Generate Request CR created successsfully
 	// Failed -> Failed to create Generate Request CR
+	if request.Operation == v1beta1.Delete || request.Operation == v1beta1.Update {
+		// convert RAW to unstructured
+		resource, err := enginutils.ConvertToUnstructured(request.OldObject.Raw)
+		if err != nil {
+			//TODO: skip applying the admission control ?
+			logger.Error(err, "failed to convert RAR resource to unstructured format")
+			return &v1beta1.AdmissionResponse{
+				Allowed: false,
+				Result: &metav1.Status{
+					Status:  "Failure",
+					Message: err.Error(),
+				},
+			}
+		}
+		labels := resource.GetLabels()
+		if labels != nil {
+			if labels["app.kubernetes.io/managed-by"] == "kyverno" {
+				return &v1beta1.AdmissionResponse{
+					Allowed: false,
+					Result: &metav1.Status{
+						Status:  "Failure",
+						Message: "You don't have permission to update resourses that is generated by kyverno",
+					},
+				}
+			}
+		}
+	}
 	if request.Operation == v1beta1.Create || request.Operation == v1beta1.Update {
+
 		ok, msg := ws.HandleGenerate(request, generatePolicies, ctx, userRequestInfo)
 		if !ok {
 			logger.Info("admission request denied")