update engineResponse Name
This commit is contained in:
parent
ed960ad277
commit
70ff2fa177
16 changed files with 38 additions and 108 deletions
|
@ -16,7 +16,7 @@ import (
|
|||
)
|
||||
|
||||
//Generate apply generation rules on a resource
|
||||
func Generate(client *client.Client, policy kyverno.ClusterPolicy, ns unstructured.Unstructured) (response EngineResponseNew) {
|
||||
func Generate(client *client.Client, policy kyverno.ClusterPolicy, ns unstructured.Unstructured) (response EngineResponse) {
|
||||
startTime := time.Now()
|
||||
// policy information
|
||||
func() {
|
||||
|
|
|
@ -10,7 +10,7 @@ import (
|
|||
)
|
||||
|
||||
// Mutate performs mutation. Overlay first and then mutation patches
|
||||
func Mutate(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (response EngineResponseNew) {
|
||||
func Mutate(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (response EngineResponse) {
|
||||
startTime := time.Now()
|
||||
// policy information
|
||||
func() {
|
||||
|
|
|
@ -7,8 +7,8 @@ import (
|
|||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
//EngineResponseNew engine response to the action
|
||||
type EngineResponseNew struct {
|
||||
//EngineResponse engine response to the action
|
||||
type EngineResponse struct {
|
||||
// Resource patched with the engine action changes
|
||||
PatchedResource unstructured.Unstructured
|
||||
// Policy Response
|
||||
|
@ -74,7 +74,7 @@ type RuleStats struct {
|
|||
}
|
||||
|
||||
//IsSuccesful checks if any rule has failed or not
|
||||
func (er EngineResponseNew) IsSuccesful() bool {
|
||||
func (er EngineResponse) IsSuccesful() bool {
|
||||
for _, r := range er.PolicyResponse.Rules {
|
||||
if !r.Success {
|
||||
return false
|
||||
|
@ -84,7 +84,7 @@ func (er EngineResponseNew) IsSuccesful() bool {
|
|||
}
|
||||
|
||||
//GetPatches returns all the patches joined
|
||||
func (er EngineResponseNew) GetPatches() [][]byte {
|
||||
func (er EngineResponse) GetPatches() [][]byte {
|
||||
var patches [][]byte
|
||||
for _, r := range er.PolicyResponse.Rules {
|
||||
if r.Patches != nil {
|
||||
|
@ -96,16 +96,16 @@ func (er EngineResponseNew) GetPatches() [][]byte {
|
|||
}
|
||||
|
||||
//GetFailedRules returns failed rules
|
||||
func (er EngineResponseNew) GetFailedRules() []string {
|
||||
func (er EngineResponse) GetFailedRules() []string {
|
||||
return er.getRules(false)
|
||||
}
|
||||
|
||||
//GetSuccessRules returns success rules
|
||||
func (er EngineResponseNew) GetSuccessRules() []string {
|
||||
func (er EngineResponse) GetSuccessRules() []string {
|
||||
return er.getRules(true)
|
||||
}
|
||||
|
||||
func (er EngineResponseNew) getRules(success bool) []string {
|
||||
func (er EngineResponse) getRules(success bool) []string {
|
||||
var rules []string
|
||||
for _, r := range er.PolicyResponse.Rules {
|
||||
if r.Success == success {
|
||||
|
|
|
@ -15,7 +15,7 @@ import (
|
|||
)
|
||||
|
||||
//Validate applies validation rules from policy on the resource
|
||||
func Validate(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (response EngineResponseNew) {
|
||||
func Validate(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (response EngineResponse) {
|
||||
startTime := time.Now()
|
||||
// policy information
|
||||
func() {
|
||||
|
|
|
@ -85,7 +85,7 @@ func buildKey(policy, pv, kind, ns, name, rv string) string {
|
|||
return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv
|
||||
}
|
||||
|
||||
func (nsc *NamespaceController) processNamespace(namespace corev1.Namespace) []engine.EngineResponseNew {
|
||||
func (nsc *NamespaceController) processNamespace(namespace corev1.Namespace) []engine.EngineResponse {
|
||||
// convert to unstructured
|
||||
unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&namespace)
|
||||
if err != nil {
|
||||
|
@ -99,7 +99,7 @@ func (nsc *NamespaceController) processNamespace(namespace corev1.Namespace) []e
|
|||
// get all the policies that have a generate rule and resource description satifies the namespace
|
||||
// apply policy on resource
|
||||
policies := listpolicies(ns, nsc.pLister)
|
||||
var engineResponses []engine.EngineResponseNew
|
||||
var engineResponses []engine.EngineResponse
|
||||
for _, policy := range policies {
|
||||
// pre-processing, check if the policy and resource version has been processed before
|
||||
if !nsc.rm.ProcessResource(policy.Name, policy.ResourceVersion, ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) {
|
||||
|
@ -185,13 +185,13 @@ func listpolicies(ns unstructured.Unstructured, pLister kyvernolister.ClusterPol
|
|||
return filteredpolicies
|
||||
}
|
||||
|
||||
func applyPolicy(client *client.Client, resource unstructured.Unstructured, p kyverno.ClusterPolicy, policyStatus policyctr.PolicyStatusInterface) engine.EngineResponseNew {
|
||||
func applyPolicy(client *client.Client, resource unstructured.Unstructured, p kyverno.ClusterPolicy, policyStatus policyctr.PolicyStatusInterface) engine.EngineResponse {
|
||||
var policyStats []policyctr.PolicyStat
|
||||
// gather stats from the engine response
|
||||
gatherStat := func(policyName string, policyResponse engine.PolicyResponse) {
|
||||
ps := policyctr.PolicyStat{}
|
||||
ps.PolicyName = policyName
|
||||
ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
|
||||
ps.Stats.GenerationExecutionTime = policyResponse.ProcessingTime
|
||||
ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
|
||||
// capture rule level stats
|
||||
for _, rule := range policyResponse.Rules {
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
"github.com/nirmata/kyverno/pkg/policyviolation"
|
||||
)
|
||||
|
||||
func (nsc *NamespaceController) report(engineResponses []engine.EngineResponseNew) {
|
||||
func (nsc *NamespaceController) report(engineResponses []engine.EngineResponse) {
|
||||
// generate events
|
||||
// generate policy violations
|
||||
for _, er := range engineResponses {
|
||||
|
@ -25,7 +25,7 @@ func (nsc *NamespaceController) report(engineResponses []engine.EngineResponseNe
|
|||
}
|
||||
|
||||
//reportEvents generates events for the failed resources
|
||||
func reportEvents(engineResponse engine.EngineResponseNew, eventGen event.Interface) {
|
||||
func reportEvents(engineResponse engine.EngineResponse, eventGen event.Interface) {
|
||||
if engineResponse.IsSuccesful() {
|
||||
return
|
||||
}
|
||||
|
|
|
@ -15,7 +15,7 @@ import (
|
|||
|
||||
// applyPolicy applies policy on a resource
|
||||
//TODO: generation rules
|
||||
func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface) (responses []engine.EngineResponseNew) {
|
||||
func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface) (responses []engine.EngineResponse) {
|
||||
startTime := time.Now()
|
||||
var policyStats []PolicyStat
|
||||
glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime)
|
||||
|
@ -54,8 +54,8 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
|
|||
policyStatus.SendStat(stat)
|
||||
}
|
||||
}
|
||||
var engineResponses []engine.EngineResponseNew
|
||||
var engineResponse engine.EngineResponseNew
|
||||
var engineResponses []engine.EngineResponse
|
||||
var engineResponse engine.EngineResponse
|
||||
var err error
|
||||
|
||||
//MUTATION
|
||||
|
@ -79,7 +79,7 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
|
|||
//TODO: GENERATION
|
||||
return engineResponses
|
||||
}
|
||||
func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface) (engine.EngineResponseNew, error) {
|
||||
func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, policyStatus PolicyStatusInterface) (engine.EngineResponse, error) {
|
||||
engineResponse := engine.Mutate(policy, resource)
|
||||
if !engineResponse.IsSuccesful() {
|
||||
glog.V(4).Infof("mutation had errors reporting them")
|
||||
|
@ -95,11 +95,11 @@ func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured,
|
|||
}
|
||||
|
||||
// getFailedOverallRuleInfo gets detailed info for over-all mutation failure
|
||||
func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse engine.EngineResponseNew) (engine.EngineResponseNew, error) {
|
||||
func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse engine.EngineResponse) (engine.EngineResponse, error) {
|
||||
rawResource, err := resource.MarshalJSON()
|
||||
if err != nil {
|
||||
glog.V(4).Infof("unable to marshal resource: %v\n", err)
|
||||
return engine.EngineResponseNew{}, err
|
||||
return engine.EngineResponse{}, err
|
||||
}
|
||||
|
||||
// resource does not match so there was a mutation rule violated
|
||||
|
@ -112,14 +112,14 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
|
|||
patch, err := jsonpatch.DecodePatch(utils.JoinPatches(rule.Patches))
|
||||
if err != nil {
|
||||
glog.V(4).Infof("unable to decode patch %s: %v", rule.Patches, err)
|
||||
return engine.EngineResponseNew{}, err
|
||||
return engine.EngineResponse{}, err
|
||||
}
|
||||
|
||||
// apply the patches returned by mutate to the original resource
|
||||
patchedResource, err := patch.Apply(rawResource)
|
||||
if err != nil {
|
||||
glog.V(4).Infof("unable to apply patch %s: %v", rule.Patches, err)
|
||||
return engine.EngineResponseNew{}, err
|
||||
return engine.EngineResponse{}, err
|
||||
}
|
||||
|
||||
if !jsonpatch.Equal(patchedResource, rawResource) {
|
||||
|
|
|
@ -16,11 +16,11 @@ import (
|
|||
"k8s.io/apimachinery/pkg/labels"
|
||||
)
|
||||
|
||||
func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []engine.EngineResponseNew {
|
||||
func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []engine.EngineResponse {
|
||||
// Parse through all the resources
|
||||
// drops the cache after configured rebuild time
|
||||
pc.rm.Drop()
|
||||
var engineResponses []engine.EngineResponseNew
|
||||
var engineResponses []engine.EngineResponse
|
||||
// get resource that are satisfy the resource description defined in the rules
|
||||
resourceMap := listResources(pc.client, policy, pc.filterK8Resources)
|
||||
for _, resource := range resourceMap {
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
"github.com/nirmata/kyverno/pkg/policyviolation"
|
||||
)
|
||||
|
||||
func (pc *PolicyController) report(engineResponses []engine.EngineResponseNew) {
|
||||
func (pc *PolicyController) report(engineResponses []engine.EngineResponse) {
|
||||
// generate events
|
||||
// generate policy violations
|
||||
for _, policyInfo := range engineResponses {
|
||||
|
@ -26,7 +26,7 @@ func (pc *PolicyController) report(engineResponses []engine.EngineResponseNew) {
|
|||
}
|
||||
|
||||
//reportEvents generates events for the failed resources
|
||||
func reportEvents(engineResponse engine.EngineResponseNew, eventGen event.Interface) {
|
||||
func reportEvents(engineResponse engine.EngineResponse, eventGen event.Interface) {
|
||||
if engineResponse.IsSuccesful() {
|
||||
return
|
||||
}
|
||||
|
|
|
@ -28,31 +28,7 @@ func BuildPolicyViolation(policy string, resource kyverno.ResourceSpec, fRules [
|
|||
return pv
|
||||
}
|
||||
|
||||
// buildPolicyViolationsForAPolicy returns a policy violation object if there are any rules that fail
|
||||
// func buildPolicyViolationsForAPolicy(pi info.PolicyInfo) kyverno.PolicyViolation {
|
||||
// var fRules []kyverno.ViolatedRule
|
||||
// var pv kyverno.PolicyViolation
|
||||
// for _, r := range pi.Rules {
|
||||
// if !r.IsSuccessful() {
|
||||
// fRules = append(fRules, kyverno.ViolatedRule{Name: r.Name, Message: r.GetErrorString(), Type: r.RuleType.String()})
|
||||
// }
|
||||
// }
|
||||
// if len(fRules) > 0 {
|
||||
// glog.V(4).Infof("building policy violation for policy %s on resource %s/%s/%s", pi.Name, pi.RKind, pi.RNamespace, pi.RName)
|
||||
// // there is an error
|
||||
// pv = BuildPolicyViolation(pi.Name, kyverno.ResourceSpec{
|
||||
// Kind: pi.RKind,
|
||||
// Namespace: pi.RNamespace,
|
||||
// Name: pi.RName,
|
||||
// },
|
||||
// fRules,
|
||||
// )
|
||||
|
||||
// }
|
||||
// return pv
|
||||
// }
|
||||
|
||||
func buildPVForPolicy(er engine.EngineResponseNew) kyverno.ClusterPolicyViolation {
|
||||
func buildPVForPolicy(er engine.EngineResponse) kyverno.ClusterPolicyViolation {
|
||||
var violatedRules []kyverno.ViolatedRule
|
||||
glog.V(4).Infof("building policy violation for engine response %v", er)
|
||||
for _, r := range er.PolicyResponse.Rules {
|
||||
|
@ -78,7 +54,7 @@ func buildPVForPolicy(er engine.EngineResponseNew) kyverno.ClusterPolicyViolatio
|
|||
}
|
||||
|
||||
//CreatePV creates policy violation resource based on the engine responses
|
||||
func CreatePV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset, engineResponses []engine.EngineResponseNew) {
|
||||
func CreatePV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyvernoclient.Clientset, engineResponses []engine.EngineResponse) {
|
||||
var pvs []kyverno.ClusterPolicyViolation
|
||||
for _, er := range engineResponses {
|
||||
// ignore creation of PV for resoruces that are yet to be assigned a name
|
||||
|
@ -130,53 +106,6 @@ func CreatePV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyver
|
|||
}
|
||||
}
|
||||
|
||||
// //GeneratePolicyViolations generate policyViolation resources for the rules that failed
|
||||
// //TODO: check if pvListerSynced is needed
|
||||
// func GeneratePolicyViolations(pvListerSynced cache.InformerSynced, pvLister kyvernolister.PolicyViolationLister, client *kyvernoclient.Clientset, policyInfos []info.PolicyInfo) {
|
||||
// var pvs []kyverno.PolicyViolation
|
||||
// for _, policyInfo := range policyInfos {
|
||||
// if !policyInfo.IsSuccessful() {
|
||||
// if pv := buildPolicyViolationsForAPolicy(policyInfo); !reflect.DeepEqual(pv, kyverno.PolicyViolation{}) {
|
||||
// pvs = append(pvs, pv)
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
|
||||
// if len(pvs) > 0 {
|
||||
// for _, newPv := range pvs {
|
||||
// // generate PolicyViolation objects
|
||||
// glog.V(4).Infof("creating policyViolation resource for policy %s and resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.Kind, newPv.Spec.Namespace, newPv.Spec.Name)
|
||||
|
||||
// // check if there was a previous violation for policy & resource combination
|
||||
// curPv, err := getExistingPolicyViolationIfAny(pvListerSynced, pvLister, newPv)
|
||||
// if err != nil {
|
||||
// continue
|
||||
// }
|
||||
// if curPv == nil {
|
||||
// // no existing policy violation, create a new one
|
||||
// _, err := client.KyvernoV1alpha1().PolicyViolations().Create(&newPv)
|
||||
// if err != nil {
|
||||
// glog.Error(err)
|
||||
// }
|
||||
// continue
|
||||
// }
|
||||
// // compare the policyviolation spec for existing resource if present else
|
||||
// if reflect.DeepEqual(curPv.Spec, newPv.Spec) {
|
||||
// // if they are equal there has been no change so dont update the polivy violation
|
||||
// glog.Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
|
||||
// continue
|
||||
// }
|
||||
// // spec changed so update the policyviolation
|
||||
// //TODO: wont work, as name is not defined yet
|
||||
// _, err = client.KyvernoV1alpha1().PolicyViolations().Update(&newPv)
|
||||
// if err != nil {
|
||||
// glog.Error(err)
|
||||
// continue
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
// }
|
||||
|
||||
//TODO: change the name
|
||||
func getExistingPolicyViolationIfAny(pvListerSynced cache.InformerSynced, pvLister kyvernolister.ClusterPolicyViolationLister, newPv kyverno.ClusterPolicyViolation) (*kyverno.ClusterPolicyViolation, error) {
|
||||
// TODO: check for existing ov using label selectors on resource and policy
|
||||
|
|
|
@ -140,7 +140,7 @@ func runTestCase(t *testing.T, tc scaseT) bool {
|
|||
// convert resource -> unstructured.Unstructured
|
||||
resource := loadPolicyResource(t, tc.Input.Resource)
|
||||
|
||||
var er engine.EngineResponseNew
|
||||
var er engine.EngineResponse
|
||||
// Mutation
|
||||
er = engine.Mutate(*policy, *resource)
|
||||
// validate te response
|
||||
|
|
|
@ -26,6 +26,7 @@ var kindToResource = map[string]string{
|
|||
"Endpoints": "endpoints",
|
||||
"Namespace": "namespaces",
|
||||
"Secret": "secrets",
|
||||
"Service": "services",
|
||||
"Deployment": "deployments",
|
||||
"NetworkPolicy": "networkpolicies",
|
||||
}
|
||||
|
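Review bot: Adding `"Secret": "secrets"` to kindToResource brings Secret objects into the set of resources the controllers list and pass through the engine, and every EngineResponse carries the full PatchedResource (see the struct hunk), so responses for this kind now hold secret data. The policyviolation hunk in this same commit logs the entire response with `glog.V(4).Infof("building policy violation for engine response %v", er)`, which would write that data to the log at that verbosity. Logging identifying fields only, e.g. `glog.V(4).Infof("building policy violation for policy %s on resource %s/%s", er.PolicyResponse.Policy, er.PatchedResource.GetNamespace(), er.PatchedResource.GetName())`, avoids that (the `PolicyResponse.Policy` field and the unstructured `GetName`/`GetNamespace` accessors are used that way elsewhere in this diff). The new entry also implies the controller's service account needs list/get on secrets; whether the RBAC manifests were updated is not visible here. The enclosing kindToResource map starts outside the hunk.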
|
|
@ -70,7 +70,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) (bool
|
|||
return true, nil, ""
|
||||
}
|
||||
|
||||
var engineResponses []engine.EngineResponseNew
|
||||
var engineResponses []engine.EngineResponse
|
||||
for _, policy := range policies {
|
||||
|
||||
// check if policy has a rule for the admission request kind
|
||||
|
|
|
@ -11,7 +11,7 @@ import (
|
|||
)
|
||||
|
||||
//generateEvents generates event info for the engine responses
|
||||
func generateEvents(engineResponses []engine.EngineResponseNew, onUpdate bool) []event.Info {
|
||||
func generateEvents(engineResponses []engine.EngineResponse, onUpdate bool) []event.Info {
|
||||
var events []event.Info
|
||||
if !isResponseSuccesful(engineResponses) {
|
||||
for _, er := range engineResponses {
|
||||
|
|
|
@ -9,7 +9,7 @@ import (
|
|||
"github.com/nirmata/kyverno/pkg/engine"
|
||||
)
|
||||
|
||||
func isResponseSuccesful(engineReponses []engine.EngineResponseNew) bool {
|
||||
func isResponseSuccesful(engineReponses []engine.EngineResponse) bool {
|
||||
for _, er := range engineReponses {
|
||||
if !er.IsSuccesful() {
|
||||
return false
|
||||
|
@ -20,7 +20,7 @@ func isResponseSuccesful(engineReponses []engine.EngineResponseNew) bool {
|
|||
|
||||
// returns true -> if there is even one policy that blocks resource request
|
||||
// returns false -> if all the policies are meant to report only, we dont block resource request
|
||||
func toBlockResource(engineReponses []engine.EngineResponseNew) bool {
|
||||
func toBlockResource(engineReponses []engine.EngineResponse) bool {
|
||||
for _, er := range engineReponses {
|
||||
if er.PolicyResponse.ValidationFailureAction == Enforce {
|
||||
glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)
|
||||
|
@ -31,7 +31,7 @@ func toBlockResource(engineReponses []engine.EngineResponseNew) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
func getErrorMsg(engineReponses []engine.EngineResponseNew) string {
|
||||
func getErrorMsg(engineReponses []engine.EngineResponse) string {
|
||||
var str []string
|
||||
for _, er := range engineReponses {
|
||||
if !er.IsSuccesful() {
|
||||
|
|
|
@ -76,7 +76,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pat
|
|||
return true, ""
|
||||
}
|
||||
|
||||
var engineResponses []engine.EngineResponseNew
|
||||
var engineResponses []engine.EngineResponse
|
||||
for _, policy := range policies {
|
||||
|
||||
if !utils.ContainsString(getApplicableKindsForPolicy(policy), request.Kind.Kind) {
|
||||
|
|