fix: exception validation follow up (#5697)
* fix: exception validation follow up Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
560c4b7aef
commit
66ba0fc5ec
4 changed files with 17 additions and 10 deletions
|
@ -40,12 +40,6 @@ type PolicyException struct {
|
||||||
// Validate implements programmatic validation
|
// Validate implements programmatic validation
|
||||||
func (p *PolicyException) Validate() (errs field.ErrorList) {
|
func (p *PolicyException) Validate() (errs field.ErrorList) {
|
||||||
errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
|
errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
|
||||||
// errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
|
|
||||||
// errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...)
|
|
||||||
// if p.ExcludeResources != nil {
|
|
||||||
// errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
|
|
||||||
// }
|
|
||||||
// errs = append(errs, p.ValidateMatchExcludeConflict(path)...)
|
|
||||||
return errs
|
return errs
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -48,6 +48,7 @@ import (
|
||||||
"github.com/kyverno/kyverno/pkg/utils"
|
"github.com/kyverno/kyverno/pkg/utils"
|
||||||
runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
|
runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
|
||||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||||
|
webhooksexception "github.com/kyverno/kyverno/pkg/webhooks/exception"
|
||||||
webhookspolicy "github.com/kyverno/kyverno/pkg/webhooks/policy"
|
webhookspolicy "github.com/kyverno/kyverno/pkg/webhooks/policy"
|
||||||
webhooksresource "github.com/kyverno/kyverno/pkg/webhooks/resource"
|
webhooksresource "github.com/kyverno/kyverno/pkg/webhooks/resource"
|
||||||
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
||||||
|
@ -633,9 +634,11 @@ func main() {
|
||||||
openApiManager,
|
openApiManager,
|
||||||
admissionReports,
|
admissionReports,
|
||||||
)
|
)
|
||||||
|
exceptionHandlers := webhooksexception.NewHandlers()
|
||||||
server := webhooks.NewServer(
|
server := webhooks.NewServer(
|
||||||
policyHandlers,
|
policyHandlers,
|
||||||
resourceHandlers,
|
resourceHandlers,
|
||||||
|
exceptionHandlers,
|
||||||
configuration,
|
configuration,
|
||||||
metricsConfig,
|
metricsConfig,
|
||||||
webhooks.DebugModeOptions{
|
webhooks.DebugModeOptions{
|
||||||
|
|
|
@ -7,13 +7,18 @@ import (
|
||||||
"github.com/go-logr/logr"
|
"github.com/go-logr/logr"
|
||||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||||
validation "github.com/kyverno/kyverno/pkg/validation/exception"
|
validation "github.com/kyverno/kyverno/pkg/validation/exception"
|
||||||
|
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||||
admissionv1 "k8s.io/api/admission/v1"
|
admissionv1 "k8s.io/api/admission/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
// TODO: wrap this into an interface passed at server creation time
|
type handlers struct{}
|
||||||
|
|
||||||
|
func NewHandlers() webhooks.ExceptionHandlers {
|
||||||
|
return &handlers{}
|
||||||
|
}
|
||||||
|
|
||||||
// Validate performs the validation check on policy exception resources
|
// Validate performs the validation check on policy exception resources
|
||||||
func Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
|
||||||
polex, _, err := admissionutils.GetPolicyExceptions(request)
|
polex, _, err := admissionutils.GetPolicyExceptions(request)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(err, "failed to unmarshal policy exceptions from admission request")
|
logger.Error(err, "failed to unmarshal policy exceptions from admission request")
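Review bot: `NewHandlers` is exported without a doc comment, and the `handlers` type that replaces the old TODO does not say why it is an empty struct. I would add `// NewHandlers returns the admission handlers used to validate policy exception resources.` above the constructor, plus a one-line comment on `handlers` noting that it carries no state. `Validate` continues outside this hunk. Because this is the admission check for resources that exempt workloads from policy rules, it is worth confirming that the error branch after `GetPolicyExceptions` ends in a denying response rather than letting the request through.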
|
||||||
|
|
|
@ -14,7 +14,6 @@ import (
|
||||||
"github.com/kyverno/kyverno/pkg/toggle"
|
"github.com/kyverno/kyverno/pkg/toggle"
|
||||||
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
|
||||||
runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
|
runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
|
||||||
"github.com/kyverno/kyverno/pkg/webhooks/exception"
|
|
||||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||||
admissionv1 "k8s.io/api/admission/v1"
|
admissionv1 "k8s.io/api/admission/v1"
|
||||||
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
||||||
|
@ -38,6 +37,11 @@ type Server interface {
|
||||||
Cleanup() <-chan struct{}
|
Cleanup() <-chan struct{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type ExceptionHandlers interface {
|
||||||
|
// Validate performs the validation check on exception resources
|
||||||
|
Validate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
||||||
|
}
|
||||||
|
|
||||||
type PolicyHandlers interface {
|
type PolicyHandlers interface {
|
||||||
// Mutate performs the mutation of policy resources
|
// Mutate performs the mutation of policy resources
|
||||||
Mutate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
Mutate(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse
|
||||||
|
@ -67,6 +71,7 @@ type TlsProvider func() ([]byte, []byte, error)
|
||||||
func NewServer(
|
func NewServer(
|
||||||
policyHandlers PolicyHandlers,
|
policyHandlers PolicyHandlers,
|
||||||
resourceHandlers ResourceHandlers,
|
resourceHandlers ResourceHandlers,
|
||||||
|
exceptionHandlers ExceptionHandlers,
|
||||||
configuration config.Configuration,
|
configuration config.Configuration,
|
||||||
metricsConfig metrics.MetricsConfigManager,
|
metricsConfig metrics.MetricsConfigManager,
|
||||||
debugModeOpts DebugModeOptions,
|
debugModeOpts DebugModeOptions,
|
||||||
|
@ -132,7 +137,7 @@ func NewServer(
|
||||||
mux.HandlerFunc(
|
mux.HandlerFunc(
|
||||||
"POST",
|
"POST",
|
||||||
config.ExceptionValidatingWebhookServicePath,
|
config.ExceptionValidatingWebhookServicePath,
|
||||||
handlers.FromAdmissionFunc("VALIDATE", exception.Validate).
|
handlers.FromAdmissionFunc("VALIDATE", exceptionHandlers.Validate).
|
||||||
WithDump(debugModeOpts.DumpPayload).
|
WithDump(debugModeOpts.DumpPayload).
|
||||||
WithSubResourceFilter().
|
WithSubResourceFilter().
|
||||||
WithMetrics(exceptionLogger, metricsConfig.Config(), metrics.WebhookValidating).
|
WithMetrics(exceptionLogger, metricsConfig.Config(), metrics.WebhookValidating).
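Review bot: `exceptionHandlers.Validate` is taken as a method value while the route is registered, so a nil `ExceptionHandlers` passed to `NewServer` would panic there with a bare nil dereference instead of a message naming the missing dependency. The body of `NewServer` is only partly visible in these hunks; if it does not already check its arguments, a guard near the top such as `if exceptionHandlers == nil { panic("webhooks: exceptionHandlers must not be nil") }` keeps the failure at startup and makes it attributable. The new `ExceptionHandlers` type also has no doc comment of its own; `// ExceptionHandlers groups the admission handlers for policy exception resources.` would cover it.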
|
||||||
|
|