mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

Reduce throttling - skip sending API request for filtered resources (#1489)

* skip sending API request for filtered resource

* fix PR comment

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* fixes https://github.com/kyverno/kyverno/issues/1490

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
shuting 2021-01-21 18:58:53 -08:00 committed by GitHub
parent 42879683d8
commit 62a4a3a7da
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 35 additions and 11 deletions


@ -259,7 +259,7 @@ func removeClusterPolicyReport(client *client.Client, kind string) error {
logger := log.Log.WithName("removeClusterPolicyReport") logger := log.Log.WithName("removeClusterPolicyReport")
cpolrs, err := client.ListResource("", kind, "", nil) cpolrs, err := client.ListResource("", kind, "", nil)
if err != nil && !errors.IsNotFound(err) { if err != nil {
logger.Error(err, "failed to list clusterPolicyReport") logger.Error(err, "failed to list clusterPolicyReport")
return nil return nil
} }
@ -304,7 +304,7 @@ func removeReportChangeRequest(client *client.Client, kind string) error {
ns := getKyvernoNameSpace() ns := getKyvernoNameSpace()
rcrList, err := client.ListResource("", kind, ns, nil) rcrList, err := client.ListResource("", kind, ns, nil)
if err != nil && !errors.IsNotFound(err) { if err != nil {
logger.Error(err, "failed to list reportChangeRequest") logger.Error(err, "failed to list reportChangeRequest")
return nil return nil
} }
@ -318,7 +318,7 @@ func removeReportChangeRequest(client *client.Client, kind string) error {
func removeClusterReportChangeRequest(client *client.Client, kind string) error { func removeClusterReportChangeRequest(client *client.Client, kind string) error {
crcrList, err := client.ListResource("", kind, "", nil) crcrList, err := client.ListResource("", kind, "", nil)
if err != nil && !errors.IsNotFound(err) { if err != nil {
log.Log.Error(err, "failed to list clusterReportChangeRequest") log.Log.Error(err, "failed to list clusterReportChangeRequest")
return nil return nil
} }
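Review bot: With the condition widened to `if err != nil`, the three list-failure branches (`removeClusterPolicyReport`, `removeReportChangeRequest`, `removeClusterReportChangeRequest`) now also catch NotFound, log it at error level and then `return nil`. The caller therefore sees success whether the kind is merely absent or the API call genuinely failed. If the cleanup is meant to be best-effort, say so in a comment and keep NotFound out of the error log, e.g. `if errors.IsNotFound(err) { return nil }` ahead of the generic branch; otherwise `return err` lets the caller report a skipped cleanup. The bodies of all three functions continue outside the hunks.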


@ -74,12 +74,25 @@ func (cd *ConfigData) GetExcludeUsername() []string {
return cd.excludeUsername return cd.excludeUsername
} }
// FilterNamespaces filters exclude namespace
func (cd *ConfigData) FilterNamespaces(namespaces []string) []string {
var results []string
for _, ns := range namespaces {
if !cd.ToFilter("", ns, "") {
results = append(results, ns)
}
}
return results
}
// Interface to be used by consumer to check filters // Interface to be used by consumer to check filters
type Interface interface { type Interface interface {
ToFilter(kind, namespace, name string) bool ToFilter(kind, namespace, name string) bool
GetExcludeGroupRole() []string GetExcludeGroupRole() []string
GetExcludeUsername() []string GetExcludeUsername() []string
RestrictDevelopmentUsername() []string RestrictDevelopmentUsername() []string
FilterNamespaces(namespaces []string) []string
} }
// NewConfigData ... // NewConfigData ...
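Review bot: The doc comment on `FilterNamespaces` does not say which namespaces are kept or how the match is made; the body keeps those for which `ToFilter("", ns, "")` is false, so it queries with an empty kind and an empty name. `ToFilter` is not shown here, so it should be confirmed that a filter entry written for a specific kind or name still excludes the namespace when queried this way; otherwise the exclusion is narrower than operators expect. Suggested comment: `// FilterNamespaces returns the namespaces that no configured resource filter matches; filters are queried with an empty kind and name.` Adding the method to `Interface` also requires every other implementation, test fakes included, to gain it.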


@ -91,25 +91,32 @@ func ExcludePod(resourceMap map[string]unstructured.Unstructured, log logr.Logge
return resourceMap return resourceMap
} }
// GetNamespacesForRule gets the matched namespaces list for the given rule // getNamespacesForRule gets the matched namespaces list for the given rule
func GetNamespacesForRule(rule *kyverno.Rule, nslister listerv1.NamespaceLister, log logr.Logger) []string { func (pc *PolicyController) getNamespacesForRule(rule *kyverno.Rule, log logr.Logger) []string {
var results []string
var matchedNS []string
defer func() {
results = pc.configHandler.FilterNamespaces(matchedNS)
}()
if len(rule.MatchResources.Namespaces) == 0 { if len(rule.MatchResources.Namespaces) == 0 {
return GetAllNamespaces(nslister, log) matchedNS = GetAllNamespaces(pc.nsLister, log)
return results
} }
var wildcards []string var wildcards []string
var results []string
for _, nsName := range rule.MatchResources.Namespaces { for _, nsName := range rule.MatchResources.Namespaces {
if HasWildcard(nsName) { if HasWildcard(nsName) {
wildcards = append(wildcards, nsName) wildcards = append(wildcards, nsName)
} }
results = append(results, nsName) matchedNS = append(matchedNS, nsName)
} }
if len(wildcards) > 0 { if len(wildcards) > 0 {
wildcardMatches := GetMatchingNamespaces(wildcards, nslister, log) wildcardMatches := GetMatchingNamespaces(wildcards, pc.nsLister, log)
results = append(results, wildcardMatches...) matchedNS = append(matchedNS, wildcardMatches...)
} }
return results return results
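Review bot: `getNamespacesForRule` returns an empty list on every path, because `results` is an ordinary local rather than a named result: `return results` copies its nil value before the deferred closure assigns the filtered list, and that assignment is then discarded. The caller in `processExistingResources` ranges over this value, so the background scan would skip every namespace and existing resources would go unevaluated without any error being logged. Drop the `defer` and filter at the two returns, `return pc.configHandler.FilterNamespaces(matchedNS)`, or declare the result as `(results []string)` so the deferred write takes effect. The function's closing lines are outside the hunk.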


@ -43,7 +43,7 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
continue continue
} }
namespaces := GetNamespacesForRule(&rule, pc.nsLister, logger) namespaces := pc.getNamespacesForRule(&rule, logger)
for _, ns := range namespaces { for _, ns := range namespaces {
pc.applyAndReportPerNamespace(policy, k, ns, rule, logger) pc.applyAndReportPerNamespace(policy, k, ns, rule, logger)
} }


@ -49,6 +49,10 @@ func GeneratePRsFromEngineResponse(ers []*response.EngineResponse, log logr.Logg
continue continue
} }
if len(er.PolicyResponse.Rules) == 0 {
continue
}
// build policy violation info // build policy violation info
pvInfos = append(pvInfos, buildPVInfo(er)) pvInfos = append(pvInfos, buildPVInfo(er))
} }
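Review bot: The new `len(er.PolicyResponse.Rules) == 0` guard carries no comment, and it is not obvious from the loop why such a response is dropped rather than reported. A one-line comment such as `// no rule produced a result for this resource, nothing to report` would document the intent. It is worth confirming that a resource whose earlier results were already recorded does not keep stale entries when its response is skipped here; that path is outside the hunk.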