mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity

feat: add CEL variables type checking (#11920)

Browse source 
* feat: add CEL variables support

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* feat: add CEL variables type checking

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* more types

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* provider

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2025-01-14 15:57:55 +01:00 committed by GitHub
parent 4678078c3d
commit 6af7ab8905
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 26 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
pkg/cel/policy/compiler.go
View file

@ -10,6 +10,7 @@ import (
"github.com/kyverno/kyverno/pkg/cel/libs/context"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
apiservercel "k8s.io/apiserver/pkg/cel"
)
const (
@ -37,17 +38,24 @@ func (c *compiler) Compile(policy *kyvernov2alpha1.ValidatingPolicy) (*CompiledP
if err != nil {
return nil, append(allErrs, field.InternalError(nil, err))
}
provider := NewVariablesProvider(base.CELTypeProvider())
env, err := base.Extend(
options := []cel.EnvOption{
cel.Variable(ContextKey, context.ContextType),
cel.Variable(NamespaceObjectKey, cel.DynType),
cel.Variable(NamespaceObjectKey, namespaceType.CelType()),
cel.Variable(ObjectKey, cel.DynType),
cel.Variable(OldObjectKey, cel.DynType),
cel.Variable(RequestKey, cel.DynType),
cel.Variable(RequestKey, requestType.CelType()),
cel.Variable(VariablesKey, VariablesType),
// TODO: params, authorizer, authorizer.requestResource ?
cel.CustomTypeProvider(provider),
)
}
variablesProvider := NewVariablesProvider(base.CELTypeProvider())
declProvider := apiservercel.NewDeclTypeProvider(namespaceType, requestType)
declOptions, err := declProvider.EnvOptions(variablesProvider)
if err != nil {
// TODO: proper error handling
panic(err)
}
options = append(options, declOptions...)
// TODO: params, authorizer, authorizer.requestResource ?
env, err := base.Extend(options...)
if err != nil {
return nil, append(allErrs, field.InternalError(nil, err))
}
@ -81,7 +89,7 @@ func (c *compiler) Compile(policy *kyvernov2alpha1.ValidatingPolicy) (*CompiledP
if err := issues.Err(); err != nil {
return nil, append(allErrs, field.Invalid(path, variable.Expression, err.Error()))
}
provider.RegisterField(variable.Name, ast.OutputType())
variablesProvider.RegisterField(variable.Name, ast.OutputType())
prog, err := env.Program(ast)
if err != nil {
return nil, append(allErrs, field.Invalid(path, variable.Expression, err.Error()))

10
pkg/cel/policy/types.go Normal file
View file

@ -0,0 +1,10 @@
package policy
import (
apiservercel "k8s.io/apiserver/pkg/admission/plugin/cel"
)
var (
namespaceType = apiservercel.BuildNamespaceType()
requestType = apiservercel.BuildRequestType()
)