mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

add new fields to UR; add helpers (#6294)

Browse source 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2023-02-10 22:56:17 +08:00 committed by GitHub
parent 43924e131c
commit 6ff2790957
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 110 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
api/kyverno/v1/resource_spec_types.go
View file

@ -1,5 +1,7 @@
package v1 package v1
import "strings"
type ResourceSpec struct { type ResourceSpec struct {
// APIVersion specifies resource apiVersion. // APIVersion specifies resource apiVersion.
// +optional // +optional
@ -18,3 +20,7 @@ func (s ResourceSpec) GetName() string { return s.Name }
func (s ResourceSpec) GetNamespace() string { return s.Namespace } func (s ResourceSpec) GetNamespace() string { return s.Namespace }
func (s ResourceSpec) GetKind() string { return s.Kind } func (s ResourceSpec) GetKind() string { return s.Kind }
func (s ResourceSpec) GetAPIVersion() string { return s.APIVersion } func (s ResourceSpec) GetAPIVersion() string { return s.APIVersion }
func (s ResourceSpec) String() string {
return strings.Join([]string{s.APIVersion, s.Kind, s.Namespace, s.Name}, "/")
}

23
api/kyverno/v1beta1/updaterequest_types.go
View file

@ -83,6 +83,13 @@ type UpdateRequestSpec struct {
// Specifies the name of the policy. // Specifies the name of the policy.
Policy string `json:"policy" yaml:"policy"` Policy string `json:"policy" yaml:"policy"`
// Rule is the associate rule name of the current UR.
Rule string `json:"rule" yaml:"rule"`
// Synchronize represents the sync behavior of the corresponding rule
// Optional. Defaults to "false" if not specified.
Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
// ResourceSpec is the information to identify the update request. // ResourceSpec is the information to identify the update request.
Resource kyvernov1.ResourceSpec `json:"resource" yaml:"resource"` Resource kyvernov1.ResourceSpec `json:"resource" yaml:"resource"`
@ -152,3 +159,19 @@ type UpdateRequestList struct {
func (s *UpdateRequestSpec) GetRequestType() RequestType { func (s *UpdateRequestSpec) GetRequestType() RequestType {
return s.Type return s.Type
} }
func (s *UpdateRequestSpec) GetPolicyKey() string {
return s.Policy
}
func (s *UpdateRequestSpec) GetRuleName() string {
return s.Rule
}
func (s *UpdateRequestSpec) GetSynchronize() bool {
return s.Synchronize
}
func (s *UpdateRequestSpec) GetResource() kyvernov1.ResourceSpec {
return s.Resource
}

8
charts/kyverno/templates/crds/crds.yaml
View file

@ -30532,10 +30532,18 @@ spec:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
type: object type: object
rule:
description: Rule is the associate rule name of the current UR.
type: string
synchronize:
description: Synchronize represents the sync behavior of the corresponding
rule Optional. Defaults to "false" if not specified.
type: boolean
required: required:
- context - context
- policy - policy
- resource - resource
- rule
type: object type: object
status: status:
description: Status contains statistics related to update request. description: Status contains statistics related to update request.

8
config/crds/kyverno.io_updaterequests.yaml
View file

@ -341,10 +341,18 @@ spec:
description: Namespace specifies resource namespace. description: Namespace specifies resource namespace.
type: string type: string
type: object type: object
rule:
description: Rule is the associate rule name of the current UR.
type: string
synchronize:
description: Synchronize represents the sync behavior of the corresponding
rule Optional. Defaults to "false" if not specified.
type: boolean
required: required:
- context - context
- policy - policy
- resource - resource
- rule
type: object type: object
status: status:
description: Status contains statistics related to update request. description: Status contains statistics related to update request.

46
docs/user/crd/index.html
View file

@ -4386,6 +4386,29 @@ string
</tr> </tr>
<tr> <tr>
<td> <td>
<code>rule</code><br/>
<em>
string
</em>
</td>
<td>
<p>Rule is the associate rule name of the current UR.</p>
</td>
</tr>
<tr>
<td>
<code>synchronize</code><br/>
<em>
bool
</em>
</td>
<td>
<p>Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to &ldquo;false&rdquo; if not specified.</p>
</td>
</tr>
<tr>
<td>
<code>resource</code><br/> <code>resource</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ResourceSpec"> <a href="#kyverno.io/v1.ResourceSpec">
@ -4585,6 +4608,29 @@ string
</tr> </tr>
<tr> <tr>
<td> <td>
<code>rule</code><br/>
<em>
string
</em>
</td>
<td>
<p>Rule is the associate rule name of the current UR.</p>
</td>
</tr>
<tr>
<td>
<code>synchronize</code><br/>
<em>
bool
</em>
</td>
<td>
<p>Synchronize represents the sync behavior of the corresponding rule
Optional. Defaults to &ldquo;false&rdquo; if not specified.</p>
</td>
</tr>
<tr>
<td>
<code>resource</code><br/> <code>resource</code><br/>
<em> <em>
<a href="#kyverno.io/v1.ResourceSpec"> <a href="#kyverno.io/v1.ResourceSpec">

2
pkg/background/common/context.go
View file

@ -39,7 +39,7 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
if !reflect.DeepEqual(new, unstructured.Unstructured{}) { if !reflect.DeepEqual(new, unstructured.Unstructured{}) {
if !check(&new, trigger) { if !check(&new, trigger) {
err := fmt.Errorf("resources don't match") err := fmt.Errorf("resources don't match")
return nil, false, fmt.Errorf("resource %v: %w", ur.Spec.Resource, err) return nil, false, fmt.Errorf("resource %v: %w", ur.Spec.GetResource().String(), err)
} }
} }
} }

4
pkg/background/common/resource.go
View file

@ -16,7 +16,7 @@ import (
) )
func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSpec, log logr.Logger) (*unstructured.Unstructured, error) { func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSpec, log logr.Logger) (*unstructured.Unstructured, error) {
resourceSpec := urSpec.Resource resourceSpec := urSpec.GetResource()
get := func() (*unstructured.Unstructured, error) { get := func() (*unstructured.Unstructured, error) {
if resourceSpec.Kind == "Namespace" { if resourceSpec.Kind == "Namespace" {
@ -24,7 +24,7 @@ func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSp
} }
resource, err := client.GetResource(context.TODO(), resourceSpec.APIVersion, resourceSpec.Kind, resourceSpec.Namespace, resourceSpec.Name) resource, err := client.GetResource(context.TODO(), resourceSpec.APIVersion, resourceSpec.Kind, resourceSpec.Namespace, resourceSpec.Name)
if err != nil { if err != nil {
if urSpec.Type == kyvernov1beta1.Mutate && errors.IsNotFound(err) && urSpec.Context.AdmissionRequestInfo.Operation == admissionv1.Delete { if urSpec.GetRequestType() == kyvernov1beta1.Mutate && errors.IsNotFound(err) && urSpec.Context.AdmissionRequestInfo.Operation == admissionv1.Delete {
log.V(4).Info("trigger resource does not exist for mutateExisting rule", "operation", urSpec.Context.AdmissionRequestInfo.Operation) log.V(4).Info("trigger resource does not exist for mutateExisting rule", "operation", urSpec.Context.AdmissionRequestInfo.Operation)
return nil, nil return nil, nil
} }

4
pkg/background/generate/generate.go
View file

@ -86,7 +86,7 @@ func NewGenerateController(
} }
func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error { func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error {
logger := c.log.WithValues("name", ur.Name, "policy", ur.Spec.Policy, "kind", ur.Spec.Resource.Kind, "apiVersion", ur.Spec.Resource.APIVersion, "namespace", ur.Spec.Resource.Namespace, "name", ur.Spec.Resource.Name) logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String())
var err error var err error
var resource *unstructured.Unstructured var resource *unstructured.Unstructured
var genResources []kyvernov1.ResourceSpec var genResources []kyvernov1.ResourceSpec
@ -148,7 +148,7 @@ func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error {
const doesNotApply = "policy does not apply to resource" const doesNotApply = "policy does not apply to resource"
func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, ur kyvernov1beta1.UpdateRequest, namespaceLabels map[string]string) ([]kyvernov1.ResourceSpec, bool, error) { func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, ur kyvernov1beta1.UpdateRequest, namespaceLabels map[string]string) ([]kyvernov1.ResourceSpec, bool, error) {
logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.Policy, "kind", ur.Spec.Resource.Kind, "apiVersion", ur.Spec.Resource.APIVersion, "namespace", ur.Spec.Resource.Namespace, "name", ur.Spec.Resource.Name) logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String())
logger.V(3).Info("applying generate policy rule") logger.V(3).Info("applying generate policy rule")
policy, err := c.getPolicySpec(ur) policy, err := c.getPolicySpec(ur)

2
pkg/background/mutate/mutate.go
View file

@ -70,7 +70,7 @@ func NewMutateExistingController(
} }
func (c *MutateExistingController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error { func (c *MutateExistingController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error {
logger := c.log.WithValues("name", ur.Name, "policy", ur.Spec.Policy, "kind", ur.Spec.Resource.Kind, "apiVersion", ur.Spec.Resource.APIVersion, "namespace", ur.Spec.Resource.Namespace, "name", ur.Spec.Resource.Name) logger := c.log.WithValues("name", ur.GetName(), "policy", ur.Spec.GetPolicyKey(), "resource", ur.Spec.GetResource().String())
var errs []error var errs []error
policy, err := c.getPolicy(ur.Spec.Policy) policy, err := c.getPolicy(ur.Spec.Policy)

6
pkg/background/update_request_controller.go
View file

@ -195,7 +195,7 @@ func (c *controller) syncUpdateRequest(key string) error {
} }
// try to get the linked policy // try to get the linked policy
if _, err := c.getPolicy(ur.Spec.Policy); err != nil { if _, err := c.getPolicy(ur.Spec.Policy); err != nil {
if apierrors.IsNotFound(err) && ur.Spec.Type == kyvernov1beta1.Mutate { if apierrors.IsNotFound(err) && ur.Spec.GetRequestType() == kyvernov1beta1.Mutate {
// here only takes care of mutateExisting policies // here only takes care of mutateExisting policies
// generate cleanup controller handles policy deletion // generate cleanup controller handles policy deletion
selector := &metav1.LabelSelector{ selector := &metav1.LabelSelector{
@ -387,7 +387,7 @@ func (c *controller) deleteUR(obj interface{}) {
func (c *controller) processUR(ur *kyvernov1beta1.UpdateRequest) error { func (c *controller) processUR(ur *kyvernov1beta1.UpdateRequest) error {
statusControl := common.NewStatusControl(c.kyvernoClient, c.urLister) statusControl := common.NewStatusControl(c.kyvernoClient, c.urLister)
switch ur.Spec.Type { switch ur.Spec.GetRequestType() {
case kyvernov1beta1.Mutate: case kyvernov1beta1.Mutate:
ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.engine, c.cpolLister, c.polLister, c.nsLister, c.configuration, c.eventGen, logger) ctrl := mutate.NewMutateExistingController(c.client, statusControl, c.engine, c.cpolLister, c.polLister, c.nsLister, c.configuration, c.eventGen, logger)
return ctrl.ProcessUR(ur) return ctrl.ProcessUR(ur)
@ -399,7 +399,7 @@ func (c *controller) processUR(ur *kyvernov1beta1.UpdateRequest) error {
} }
func (c *controller) cleanUR(ur *kyvernov1beta1.UpdateRequest) error { func (c *controller) cleanUR(ur *kyvernov1beta1.UpdateRequest) error {
if ur.Spec.Type == kyvernov1beta1.Mutate && ur.Status.State == kyvernov1beta1.Completed { if ur.Spec.GetRequestType() == kyvernov1beta1.Mutate && ur.Status.State == kyvernov1beta1.Completed {
return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.GetName(), metav1.DeleteOptions{}) return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.GetName(), metav1.DeleteOptions{})
} }
return nil return nil

2
pkg/client/listers/kyverno/v1beta1/updaterequest_expansion.go
View file

@ -33,7 +33,7 @@ func (s updateRequestNamespaceLister) GetUpdateRequestsForClusterPolicy(policy s
return nil, err return nil, err
} }
for idx, ur := range urs { for idx, ur := range urs {
if ur.Spec.Policy == policy { if ur.Spec.GetPolicyKey() == policy {
list = append(list, urs[idx]) list = append(list, urs[idx])
} }
} }

2
pkg/policy/policy_controller.go
View file

@ -567,7 +567,7 @@ func generateTriggers(client dclient.Interface, rule kyvernov1.Rule, log logr.Lo
func updateUR(kyvernoClient versioned.Interface, urLister kyvernov1beta1listers.UpdateRequestNamespaceLister, policyKey string, urList []*kyvernov1beta1.UpdateRequest, logger logr.Logger) { func updateUR(kyvernoClient versioned.Interface, urLister kyvernov1beta1listers.UpdateRequestNamespaceLister, policyKey string, urList []*kyvernov1beta1.UpdateRequest, logger logr.Logger) {
for _, ur := range urList { for _, ur := range urList {
if policyKey == ur.Spec.Policy { if policyKey == ur.Spec.GetPolicyKey() {
_, err := backgroundcommon.Update(kyvernoClient, urLister, ur.GetName(), func(ur *kyvernov1beta1.UpdateRequest) { _, err := backgroundcommon.Update(kyvernoClient, urLister, ur.GetName(), func(ur *kyvernov1beta1.UpdateRequest) {
urLabels := ur.Labels urLabels := ur.Labels
if len(urLabels) == 0 { if len(urLabels) == 0 {

2
pkg/webhooks/resource/handlers.go
View file

@ -212,7 +212,7 @@ func (h *handlers) handleDelete(logger logr.Logger, request *admissionv1.Admissi
return return
} }
if ur.Spec.Type == kyvernov1beta1.Mutate { if ur.Spec.GetRequestType() == kyvernov1beta1.Mutate {
return return
} }
h.urUpdater.UpdateAnnotation(logger, ur.GetName()) h.urUpdater.UpdateAnnotation(logger, ur.GetName())

14
pkg/webhooks/updaterequest/generator.go
View file

@ -41,7 +41,7 @@ func NewGenerator(client versioned.Interface, urInformer kyvernov1beta1informers
// Apply creates update request resource // Apply creates update request resource
func (g *generator) Apply(ctx context.Context, ur kyvernov1beta1.UpdateRequestSpec, action admissionv1.Operation) error { func (g *generator) Apply(ctx context.Context, ur kyvernov1beta1.UpdateRequestSpec, action admissionv1.Operation) error {
logger.V(4).Info("reconcile Update Request", "request", ur) logger.V(4).Info("reconcile Update Request", "request", ur)
if action == admissionv1.Delete && ur.Type == kyvernov1beta1.Generate { if action == admissionv1.Delete && ur.GetRequestType() == kyvernov1beta1.Generate {
return nil return nil
} }
go g.applyResource(context.TODO(), ur) go g.applyResource(context.TODO(), ur)
@ -64,17 +64,17 @@ func (g *generator) applyResource(ctx context.Context, urSpec kyvernov1beta1.Upd
} }
func (g *generator) tryApplyResource(ctx context.Context, urSpec kyvernov1beta1.UpdateRequestSpec) error { func (g *generator) tryApplyResource(ctx context.Context, urSpec kyvernov1beta1.UpdateRequestSpec) error {
l := logger.WithValues("ruleType", urSpec.Type, "kind", urSpec.Resource.Kind, "name", urSpec.Resource.Name, "namespace", urSpec.Resource.Namespace) l := logger.WithValues("ruleType", urSpec.GetRequestType(), "resource", urSpec.GetResource().String())
var queryLabels labels.Set var queryLabels labels.Set
if urSpec.Type == kyvernov1beta1.Mutate { if urSpec.GetRequestType() == kyvernov1beta1.Mutate {
queryLabels = common.MutateLabelsSet(urSpec.Policy, urSpec.Resource) queryLabels = common.MutateLabelsSet(urSpec.Policy, urSpec.GetResource())
} else if urSpec.Type == kyvernov1beta1.Generate { } else if urSpec.GetRequestType() == kyvernov1beta1.Generate {
queryLabels = common.GenerateLabelsSet(urSpec.Policy, urSpec.Resource) queryLabels = common.GenerateLabelsSet(urSpec.Policy, urSpec.GetResource())
} }
urList, err := g.urLister.List(labels.SelectorFromSet(queryLabels)) urList, err := g.urLister.List(labels.SelectorFromSet(queryLabels))
if err != nil { if err != nil {
l.Error(err, "failed to get update request for the resource", "kind", urSpec.Resource.Kind, "name", urSpec.Resource.Name, "namespace", urSpec.Resource.Namespace) l.Error(err, "failed to get update request for the resource", "resource", urSpec.GetResource().String())
return err return err
} }
for _, v := range urList { for _, v := range urList {