Removes check for strategicMergePatch in forceMutate (#1898)
* Pass by value in policy cache Signed-off-by: Shuting Zhao <shutting06@gmail.com> * Removes check for strategicMergePatch in forceMutate Signed-off-by: Shuting Zhao <shutting06@gmail.com> * Removes failed test Signed-off-by: Shuting Zhao <shutting06@gmail.com>
This commit is contained in:
parent
6b0334f776
commit
62dfab7f96
6 changed files with 38 additions and 132 deletions
|
@ -88,14 +88,6 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour
|
|||
}
|
||||
}
|
||||
|
||||
if rule.Mutation.PatchStrategicMerge != nil {
|
||||
var resp response.RuleResponse
|
||||
resp, resource = mutate.ProcessStrategicMergePatch(rule.Name, rule.Mutation.PatchStrategicMerge, resource, logger.WithValues("rule", rule.Name))
|
||||
if !resp.Success {
|
||||
return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
|
||||
}
|
||||
}
|
||||
|
||||
if rule.Mutation.PatchesJSON6902 != "" {
|
||||
var resp response.RuleResponse
|
||||
jsonPatches, err := yaml.YAMLToJSON([]byte(rule.Mutation.PatchesJSON6902))
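Review bot: With the patchStrategicMerge branch removed, a rule that carries only a patchStrategicMerge now passes through ForceMutate as a silent no-op — the resource comes back unchanged with no log line and no error, so a caller previewing a policy's effect cannot tell the rule was skipped. A short marker keeps that visible: `if rule.Mutation.PatchStrategicMerge != nil {` / `logger.V(3).Info("patchStrategicMerge is not applied by ForceMutate; skipping", "rule", rule.Name)` / `}` (logger was already in scope, per the removed line). The test covering this path, Test_ForceMutateSubstituteVarsWithPatchStrategicMerge, is deleted in the same commit rather than changed to assert the new skip behaviour, so nothing pins it. ForceMutate's body starts and ends outside the hunk.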
|
||||
|
|
|
@ -150,92 +150,6 @@ func Test_ForceMutateSubstituteVarsWithNilContext(t *testing.T) {
|
|||
assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent())
|
||||
}
|
||||
|
||||
func Test_ForceMutateSubstituteVarsWithPatchStrategicMerge(t *testing.T) {
|
||||
rawPolicy := []byte(`
|
||||
{
|
||||
"apiVersion": "kyverno.io/v1",
|
||||
"kind": "ClusterPolicy",
|
||||
"metadata": {
|
||||
"name": "strategic-merge-patch"
|
||||
},
|
||||
"spec": {
|
||||
"rules": [
|
||||
{
|
||||
"name": "set-image-pull-policy-add-command",
|
||||
"match": {
|
||||
"resources": {
|
||||
"kinds": [
|
||||
"Pod"
|
||||
]
|
||||
}
|
||||
},
|
||||
"mutate": {
|
||||
"patchStrategicMerge": {
|
||||
"spec": {
|
||||
"volumes": [
|
||||
{
|
||||
"emptyDir": {
|
||||
"medium": "Memory"
|
||||
},
|
||||
"name": "cache-volume"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
`)
|
||||
|
||||
rawResource := []byte(`
|
||||
{
|
||||
"apiVersion": "v1",
|
||||
"kind": "Pod",
|
||||
"metadata": {
|
||||
"name": "check-root-user"
|
||||
},
|
||||
"spec": {
|
||||
"volumes": [
|
||||
{
|
||||
"name": "cache-volume",
|
||||
"emptyDir": { }
|
||||
},
|
||||
{
|
||||
"name": "cache-volume2",
|
||||
"emptyDir": {
|
||||
"medium": "Memory"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
`)
|
||||
|
||||
expectedRawResource := []byte(`
|
||||
{"apiVersion":"v1","kind":"Pod","metadata":{"name":"check-root-user"},"spec":{"volumes":[{"emptyDir":{"medium":"Memory"},"name":"cache-volume"},{"emptyDir":{"medium":"Memory"},"name":"cache-volume2"}]}}
|
||||
`)
|
||||
|
||||
var expectedResource interface{}
|
||||
assert.NilError(t, json.Unmarshal(expectedRawResource, &expectedResource))
|
||||
|
||||
var policy kyverno.ClusterPolicy
|
||||
err := json.Unmarshal(rawPolicy, &policy)
|
||||
assert.NilError(t, err)
|
||||
|
||||
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
|
||||
assert.NilError(t, err)
|
||||
ctx := context.NewContext()
|
||||
err = ctx.AddResource(rawResource)
|
||||
assert.NilError(t, err)
|
||||
|
||||
mutatedResource, err := ForceMutate(ctx, policy, *resourceUnstructured)
|
||||
assert.NilError(t, err)
|
||||
|
||||
assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent())
|
||||
}
|
||||
|
||||
func Test_ForceMutateSubstituteVarsWithPatchesJson6902(t *testing.T) {
|
||||
rawPolicy := []byte(`
|
||||
{
|
||||
|
|
|
@ -39,8 +39,8 @@ type policyCache struct {
|
|||
type Interface interface {
|
||||
Add(policy *kyverno.ClusterPolicy)
|
||||
Remove(policy *kyverno.ClusterPolicy)
|
||||
GetPolicyObject(pkey PolicyType, kind *string, nspace *string) []*kyverno.ClusterPolicy
|
||||
get(pkey PolicyType, kind *string, nspace *string) []string
|
||||
GetPolicyObject(pkey PolicyType, kind string, nspace string) []*kyverno.ClusterPolicy
|
||||
get(pkey PolicyType, kind string, nspace string) []string
|
||||
}
|
||||
|
||||
// newPolicyCache ...
|
||||
|
@ -70,10 +70,10 @@ func (pc *policyCache) Add(policy *kyverno.ClusterPolicy) {
|
|||
}
|
||||
|
||||
// Get the list of matched policies
|
||||
func (pc *policyCache) get(pkey PolicyType, kind, nspace *string) []string {
|
||||
func (pc *policyCache) get(pkey PolicyType, kind, nspace string) []string {
|
||||
return pc.pMap.get(pkey, kind, nspace)
|
||||
}
|
||||
func (pc *policyCache) GetPolicyObject(pkey PolicyType, kind, nspace *string) []*kyverno.ClusterPolicy {
|
||||
func (pc *policyCache) GetPolicyObject(pkey PolicyType, kind, nspace string) []*kyverno.ClusterPolicy {
|
||||
return pc.getPolicyObject(pkey, kind, nspace)
|
||||
}
|
||||
|
||||
|
@ -148,15 +148,15 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) {
|
|||
m.nameCacheMap[Generate] = generateMap
|
||||
}
|
||||
|
||||
func (pc *pMap) get(key PolicyType, kind, namespace *string) (names []string) {
|
||||
func (pc *pMap) get(key PolicyType, kind, namespace string) (names []string) {
|
||||
pc.RLock()
|
||||
defer pc.RUnlock()
|
||||
for _, policyName := range pc.kindDataMap[*kind][key] {
|
||||
for _, policyName := range pc.kindDataMap[kind][key] {
|
||||
ns, key, isNamespacedPolicy := policy2.ParseNamespacedPolicy(policyName)
|
||||
if !isNamespacedPolicy {
|
||||
names = append(names, key)
|
||||
} else {
|
||||
if ns == *namespace {
|
||||
if ns == namespace {
|
||||
names = append(names, policyName)
|
||||
}
|
||||
}
|
||||
|
@ -195,7 +195,7 @@ func (m *pMap) remove(policy *kyverno.ClusterPolicy) {
|
|||
}
|
||||
}
|
||||
}
|
||||
func (m *policyCache) getPolicyObject(key PolicyType, kind *string, nspace *string) (policyObject []*kyverno.ClusterPolicy) {
|
||||
func (m *policyCache) getPolicyObject(key PolicyType, kind string, nspace string) (policyObject []*kyverno.ClusterPolicy) {
|
||||
policyNames := m.pMap.get(key, kind, nspace)
|
||||
for _, policyName := range policyNames {
|
||||
var policy *kyverno.ClusterPolicy
|
||||
|
@ -203,7 +203,7 @@ func (m *policyCache) getPolicyObject(key PolicyType, kind *string, nspace *stri
|
|||
if !isNamespacedPolicy {
|
||||
policy, _ = m.pLister.Get(key)
|
||||
} else {
|
||||
if ns == *nspace {
|
||||
if ns == nspace {
|
||||
nspolicy, _ := m.npLister.Policies(ns).Get(key)
|
||||
policy = policy2.ConvertPolicyToClusterPolicy(nspolicy)
|
||||
}
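Review bot: The empty string now doubles as the "cluster-scoped lookup" sentinel for `kind` and `nspace` in the Interface (hunk at -39) and in pMap.get (hunk at -148), but nothing documents it; since pMap.get always appends cluster policies and adds namespaced ones only when `ns == namespace`, a comment on the Interface such as `// GetPolicyObject returns the cached policies of type pkey matching kind; cluster policies are always included, namespaced policies only when their namespace equals nspace, so nspace == "" selects cluster policies alone.` would make the contract explicit (this assumes ParseNamespacedPolicy never yields an empty namespace for a namespaced policy, which is not visible here). In pMap.get the loop shadows the `key PolicyType` parameter with the policy name returned by ParseNamespacedPolicy (`ns, key, isNamespacedPolicy := …`); renaming it `name` stops `names = append(names, key)` from reading as an append of the type. Receiver names are also mixed on the same types — `m` for pMap.add/remove and policyCache.getPolicyObject, `pc` for pMap.get and policyCache.get — and the rewritten signatures are a natural place to align them. Both getPolicyObject hunks extend past their visible lines.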
|
||||
|
|
|
@ -54,16 +54,16 @@ func Test_All(t *testing.T) {
|
|||
for _, kind := range rule.MatchResources.Kinds {
|
||||
|
||||
// get
|
||||
mutate := pCache.get(Mutate, &kind, nil)
|
||||
mutate := pCache.get(Mutate, kind, "")
|
||||
if len(mutate) != 1 {
|
||||
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
||||
}
|
||||
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, "")
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
||||
}
|
||||
generate := pCache.get(Generate, &kind, nil)
|
||||
generate := pCache.get(Generate, kind, "")
|
||||
if len(generate) != 1 {
|
||||
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
||||
}
|
||||
|
@ -73,7 +73,7 @@ func Test_All(t *testing.T) {
|
|||
// remove
|
||||
pCache.Remove(policy)
|
||||
kind := "pod"
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, "")
|
||||
assert.Assert(t, len(validateEnforce) == 0)
|
||||
}
|
||||
|
||||
|
@ -86,16 +86,16 @@ func Test_Add_Duplicate_Policy(t *testing.T) {
|
|||
for _, rule := range policy.Spec.Rules {
|
||||
for _, kind := range rule.MatchResources.Kinds {
|
||||
|
||||
mutate := pCache.get(Mutate, &kind, nil)
|
||||
mutate := pCache.get(Mutate, kind, "")
|
||||
if len(mutate) != 1 {
|
||||
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
||||
}
|
||||
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, "")
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
||||
}
|
||||
generate := pCache.get(Generate, &kind, nil)
|
||||
generate := pCache.get(Generate, kind, "")
|
||||
if len(generate) != 1 {
|
||||
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
||||
}
|
||||
|
@ -115,12 +115,12 @@ func Test_Add_Validate_Audit(t *testing.T) {
|
|||
for _, rule := range policy.Spec.Rules {
|
||||
for _, kind := range rule.MatchResources.Kinds {
|
||||
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, "")
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 mutate policy, found %v", len(validateEnforce))
|
||||
}
|
||||
|
||||
validateAudit := pCache.get(ValidateAudit, &kind, nil)
|
||||
validateAudit := pCache.get(ValidateAudit, kind, "")
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate policy, found %v", len(validateAudit))
|
||||
}
|
||||
|
@ -133,13 +133,13 @@ func Test_Add_Remove(t *testing.T) {
|
|||
policy := newPolicy(t)
|
||||
kind := "Pod"
|
||||
pCache.Add(policy)
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, "")
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
||||
}
|
||||
|
||||
pCache.Remove(policy)
|
||||
deletedValidateEnforce := pCache.get(ValidateEnforce, &kind, nil)
|
||||
deletedValidateEnforce := pCache.get(ValidateEnforce, kind, "")
|
||||
if len(deletedValidateEnforce) != 0 {
|
||||
t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
|
||||
}
|
||||
|
@ -378,16 +378,16 @@ func Test_Ns_All(t *testing.T) {
|
|||
for _, kind := range rule.MatchResources.Kinds {
|
||||
|
||||
// get
|
||||
mutate := pCache.get(Mutate, &kind, &nspace)
|
||||
mutate := pCache.get(Mutate, kind, nspace)
|
||||
if len(mutate) != 1 {
|
||||
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
||||
}
|
||||
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
||||
}
|
||||
generate := pCache.get(Generate, &kind, &nspace)
|
||||
generate := pCache.get(Generate, kind, nspace)
|
||||
if len(generate) != 1 {
|
||||
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
||||
}
|
||||
|
@ -396,7 +396,7 @@ func Test_Ns_All(t *testing.T) {
|
|||
// remove
|
||||
pCache.Remove(policy)
|
||||
kind := "pod"
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
|
||||
assert.Assert(t, len(validateEnforce) == 0)
|
||||
}
|
||||
|
||||
|
@ -410,16 +410,16 @@ func Test_Ns_Add_Duplicate_Policy(t *testing.T) {
|
|||
for _, rule := range policy.Spec.Rules {
|
||||
for _, kind := range rule.MatchResources.Kinds {
|
||||
|
||||
mutate := pCache.get(Mutate, &kind, &nspace)
|
||||
mutate := pCache.get(Mutate, kind, nspace)
|
||||
if len(mutate) != 1 {
|
||||
t.Errorf("expected 1 mutate policy, found %v", len(mutate))
|
||||
}
|
||||
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
||||
}
|
||||
generate := pCache.get(Generate, &kind, &nspace)
|
||||
generate := pCache.get(Generate, kind, nspace)
|
||||
if len(generate) != 1 {
|
||||
t.Errorf("expected 1 generate policy, found %v", len(generate))
|
||||
}
|
||||
|
@ -439,12 +439,12 @@ func Test_Ns_Add_Validate_Audit(t *testing.T) {
|
|||
for _, rule := range policy.Spec.Rules {
|
||||
for _, kind := range rule.MatchResources.Kinds {
|
||||
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
|
||||
}
|
||||
|
||||
validateAudit := pCache.get(ValidateAudit, &kind, &nspace)
|
||||
validateAudit := pCache.get(ValidateAudit, kind, nspace)
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate policy, found %v", len(validateAudit))
|
||||
}
|
||||
|
@ -458,13 +458,13 @@ func Test_Ns_Add_Remove(t *testing.T) {
|
|||
nspace := policy.GetNamespace()
|
||||
kind := "Pod"
|
||||
pCache.Add(policy)
|
||||
validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
|
||||
validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
|
||||
if len(validateEnforce) != 1 {
|
||||
t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
|
||||
}
|
||||
|
||||
pCache.Remove(policy)
|
||||
deletedValidateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
|
||||
deletedValidateEnforce := pCache.get(ValidateEnforce, kind, nspace)
|
||||
if len(deletedValidateEnforce) != 0 {
|
||||
t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
|
||||
}
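Review bot: In Test_Add_Validate_Audit (hunk at -115) and Test_Ns_Add_Validate_Audit (hunk at -439) the updated `validateAudit := pCache.get(ValidateAudit, …)` lookup is never asserted: the guard that follows re-checks `len(validateEnforce) != 1` while its message prints len(validateAudit), so a regression in the audit lookup — the one that gates the audit handler's policy selection — would pass these tests. Change both guards to `if len(validateAudit) != 1 {`. The first check in Test_Add_Validate_Audit also reports `expected 1 mutate policy` for a ValidateEnforce lookup; `expected 1 validate enforce policy` would match the sibling tests. The enclosing test functions start before their hunks.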
|
||||
|
|
|
@ -308,11 +308,11 @@ func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1
|
|||
}
|
||||
|
||||
logger.V(6).Info("received an admission request in mutating webhook")
|
||||
mutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, &request.Kind.Kind, nil)
|
||||
generatePolicies := ws.pCache.GetPolicyObject(policycache.Generate, &request.Kind.Kind, nil)
|
||||
mutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, request.Kind.Kind, "")
|
||||
generatePolicies := ws.pCache.GetPolicyObject(policycache.Generate, request.Kind.Kind, "")
|
||||
|
||||
// Get namespace policies from the cache for the requested resource namespace
|
||||
nsMutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, &request.Kind.Kind, &request.Namespace)
|
||||
nsMutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, request.Kind.Kind, request.Namespace)
|
||||
mutatePolicies = append(mutatePolicies, nsMutatePolicies...)
|
||||
|
||||
// convert RAW to unstructured
|
||||
|
@ -395,9 +395,9 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
|
|||
|
||||
logger.V(6).Info("received an admission request in validating webhook")
|
||||
|
||||
policies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, &request.Kind.Kind, nil)
|
||||
policies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, request.Kind.Kind, "")
|
||||
// Get namespace policies from the cache for the requested resource namespace
|
||||
nsPolicies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, &request.Kind.Kind, &request.Namespace)
|
||||
nsPolicies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, request.Kind.Kind, request.Namespace)
|
||||
policies = append(policies, nsPolicies...)
|
||||
if len(policies) == 0 {
|
||||
// push admission request to audit handler, this won't block the admission request
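Review bot: In ResourceMutation (hunk at -308) the cluster-wide lookup `GetPolicyObject(policycache.Mutate, request.Kind.Kind, "")` and the namespaced one with `request.Namespace` are appended together, yet pMap.get returns every cluster policy on each call regardless of the namespace argument, so each cluster mutate policy appears twice in mutatePolicies; resourceValidation (hunk at -395) and auditHandler.process (hunk at -149) follow the same pattern. Unless the engine deduplicates downstream — not visible here — every cluster policy is evaluated twice per request, and a non-idempotent JSON patch (an `add` into a list, for instance) would be applied twice. Since the namespaced call already includes cluster policies, a single lookup removes the duplication: `mutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, request.Kind.Kind, request.Namespace)`, with the same change at the other two sites. The behaviour appears to predate the commit, but the rewritten lines are where to fix it; ResourceMutation's body starts and ends outside the hunk.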
|
||||
|
|
|
@ -149,9 +149,9 @@ func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
|
|||
var err error
|
||||
|
||||
logger := h.log.WithName("process")
|
||||
policies := h.pCache.GetPolicyObject(policycache.ValidateAudit, &request.Kind.Kind, nil)
|
||||
policies := h.pCache.GetPolicyObject(policycache.ValidateAudit, request.Kind.Kind, "")
|
||||
// Get namespace policies from the cache for the requested resource namespace
|
||||
nsPolicies := h.pCache.GetPolicyObject(policycache.ValidateAudit, &request.Kind.Kind, &request.Namespace)
|
||||
nsPolicies := h.pCache.GetPolicyObject(policycache.ValidateAudit, request.Kind.Kind, request.Namespace)
|
||||
policies = append(policies, nsPolicies...)
|
||||
// getRoleRef only if policy has roles/clusterroles defined
|
||||
if containRBACInfo(policies) {
|
||||
|
|