From 74fed89a17f59b151460c8d8d3c11d761986b4fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Sun, 10 Sep 2023 21:10:02 +0200 Subject: [PATCH] fix: simplify cli autogen and labels selector check (#8325) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- .../processor/policy_processor.go | 41 ++----------------- cmd/cli/kubectl-kyverno/processor/utils.go | 31 ++++++++++++++ 2 files changed, 35 insertions(+), 37 deletions(-) diff --git a/cmd/cli/kubectl-kyverno/processor/policy_processor.go b/cmd/cli/kubectl-kyverno/processor/policy_processor.go index 7d18d63968..38cb2f8747 100644 --- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go +++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go @@ -57,42 +57,9 @@ func (p *PolicyProcessor) ApplyPolicyOnResource() ([]engineapi.EngineResponse, e if p.Variables["request.operation"] == "DELETE" { operation = kyvernov1.Delete } + rules := autogen.ComputeRules(p.Policy) - policyWithNamespaceSelector := false -OuterLoop: - for _, p := range autogen.ComputeRules(p.Policy) { - if p.MatchResources.ResourceDescription.NamespaceSelector != nil || - p.ExcludeResources.ResourceDescription.NamespaceSelector != nil { - policyWithNamespaceSelector = true - break - } - for _, m := range p.MatchResources.Any { - if m.ResourceDescription.NamespaceSelector != nil { - policyWithNamespaceSelector = true - break OuterLoop - } - } - for _, m := range p.MatchResources.All { - if m.ResourceDescription.NamespaceSelector != nil { - policyWithNamespaceSelector = true - break OuterLoop - } - } - for _, e := range p.ExcludeResources.Any { - if e.ResourceDescription.NamespaceSelector != nil { - policyWithNamespaceSelector = true - break OuterLoop - } - } - for _, e := range p.ExcludeResources.All { - if e.ResourceDescription.NamespaceSelector != nil { - policyWithNamespaceSelector = true - break OuterLoop - } - } - } - - if policyWithNamespaceSelector { + if needsNamespaceLabels(rules...) { resourceNamespace := p.Resource.GetNamespace() namespaceLabels = p.NamespaceSelectorMap[p.Resource.GetNamespace()] if resourceNamespace != "default" && len(namespaceLabels) < 1 { @@ -195,7 +162,7 @@ OuterLoop: } var policyHasValidate bool - for _, rule := range autogen.ComputeRules(p.Policy) { + for _, rule := range rules { if rule.HasValidate() || rule.HasVerifyImageChecks() { policyHasValidate = true } @@ -214,7 +181,7 @@ OuterLoop: } var policyHasGenerate bool - for _, rule := range autogen.ComputeRules(p.Policy) { + for _, rule := range rules { if rule.HasGenerate() { policyHasGenerate = true } diff --git a/cmd/cli/kubectl-kyverno/processor/utils.go b/cmd/cli/kubectl-kyverno/processor/utils.go index f834b489a5..ead22ffe72 100644 --- a/cmd/cli/kubectl-kyverno/processor/utils.go +++ b/cmd/cli/kubectl-kyverno/processor/utils.go @@ -3,6 +3,7 @@ package processor import ( "strings" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" engineapi "github.com/kyverno/kyverno/pkg/engine/api" ) @@ -77,3 +78,33 @@ func combineRuleResponses(imageResponse engineapi.EngineResponse) engineapi.Engi imageResponse.PolicyResponse.Rules = combineRuleResponses return imageResponse } + +func needsNamespaceLabels(rules ...kyvernov1.Rule) bool { + for _, p := range rules { + if p.MatchResources.ResourceDescription.NamespaceSelector != nil || + p.ExcludeResources.ResourceDescription.NamespaceSelector != nil { + return true + } + for _, m := range p.MatchResources.Any { + if m.ResourceDescription.NamespaceSelector != nil { + return true + } + } + for _, m := range p.MatchResources.All { + if m.ResourceDescription.NamespaceSelector != nil { + return true + } + } + for _, e := range p.ExcludeResources.Any { + if e.ResourceDescription.NamespaceSelector != nil { + return true + } + } + for _, e := range p.ExcludeResources.All { + if e.ResourceDescription.NamespaceSelector != nil { + return true + } + } + } + return false +}