mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

522 restructured files

Browse source
This commit is contained in:
shravan 2020-01-25 14:53:12 +05:30
parent 1b707f10a0
commit 78cae242c5
11 changed files with 50 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
cmd/kyverno/main.go
View file

@ -5,6 +5,8 @@ import (
"flag"
"time"
"github.com/nirmata/kyverno/pkg/openapi"
"k8s.io/client-go/discovery"
"github.com/golang/glog"
@ -212,7 +214,7 @@ func main() {
glog.Fatalf("OpenApiDoc request failed: %v\n", err)
}
if err := policy.UseCustomOpenApiDocument(openApiDoc); err != nil {
if err := openapi.UseCustomOpenApiDocument(openApiDoc); err != nil {
glog.Fatalf("Could not set custom OpenApi document: %v\n", err)
}

11
pkg/engine/policy/utils.go
View file

@ -1,11 +0,0 @@
package policy
//Contains Check if strint is contained in a list of string
func containString(list []string, element string) bool {
for _, e := range list {
if e == element {
return true
}
}
return false
}

50
pkg/policy/validation.go → pkg/openapi/validation.go
View file

@ -1,4 +1,4 @@
package policy
package openapi
import (
"fmt"
@ -24,7 +24,7 @@ import (
"gopkg.in/yaml.v2"
)
var validationGlobalState struct {
var openApiGlobalState struct {
document *openapi_v2.Document
definitions map[string]*openapi_v2.Schema
kindToDefinitionName map[string]string
@ -46,31 +46,31 @@ func UseCustomOpenApiDocument(customDoc []byte) error {
return err
}
validationGlobalState.document, err = openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil))
openApiGlobalState.document, err = openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil))
if err != nil {
return err
}
validationGlobalState.definitions = make(map[string]*openapi_v2.Schema)
validationGlobalState.kindToDefinitionName = make(map[string]string)
for _, definition := range validationGlobalState.document.GetDefinitions().AdditionalProperties {
validationGlobalState.definitions[definition.GetName()] = definition.GetValue()
openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema)
openApiGlobalState.kindToDefinitionName = make(map[string]string)
for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties {
openApiGlobalState.definitions[definition.GetName()] = definition.GetValue()
path := strings.Split(definition.GetName(), ".")
validationGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
}
validationGlobalState.models, err = proto.NewOpenAPIData(validationGlobalState.document)
openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document)
if err != nil {
return err
}
validationGlobalState.isSet = true
openApiGlobalState.isSet = true
return nil
}
func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
if !validationGlobalState.isSet {
if !openApiGlobalState.isSet {
glog.V(4).Info("Cannot Validate policy: Validation global state not set")
return nil
}
@ -89,7 +89,7 @@ func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
newPolicy := policy
newPolicy.Spec.Rules = rules
resource, _ := generateEmptyResource(validationGlobalState.definitions[validationGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
newResource := unstructured.Unstructured{Object: resource}
newResource.SetKind(kind)
policyContext := engine.PolicyContext{
@ -117,14 +117,14 @@ func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
}
func ValidateResource(patchedResource interface{}, kind string) error {
if !validationGlobalState.isSet {
if !openApiGlobalState.isSet {
glog.V(4).Info("Cannot Validate resource: Validation global state not set")
return nil
}
kind = validationGlobalState.kindToDefinitionName[kind]
kind = openApiGlobalState.kindToDefinitionName[kind]
schema := validationGlobalState.models.LookupModel(kind)
schema := openApiGlobalState.models.LookupModel(kind)
if schema == nil {
return fmt.Errorf("pre-validation: couldn't find model %s", kind)
}
@ -142,27 +142,27 @@ func ValidateResource(patchedResource interface{}, kind string) error {
}
func setValidationGlobalState() error {
if !validationGlobalState.isSet {
if !openApiGlobalState.isSet {
var err error
validationGlobalState.document, err = getSchemaDocument()
openApiGlobalState.document, err = getSchemaDocument()
if err != nil {
return err
}
validationGlobalState.definitions = make(map[string]*openapi_v2.Schema)
validationGlobalState.kindToDefinitionName = make(map[string]string)
for _, definition := range validationGlobalState.document.GetDefinitions().AdditionalProperties {
validationGlobalState.definitions[definition.GetName()] = definition.GetValue()
openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema)
openApiGlobalState.kindToDefinitionName = make(map[string]string)
for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties {
openApiGlobalState.definitions[definition.GetName()] = definition.GetValue()
path := strings.Split(definition.GetName(), ".")
validationGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
}
validationGlobalState.models, err = proto.NewOpenAPIData(validationGlobalState.document)
openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document)
if err != nil {
return err
}
validationGlobalState.isSet = true
openApiGlobalState.isSet = true
}
return nil
}
@ -182,7 +182,7 @@ func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
types := kindSchema.GetType().GetValue()
if kindSchema.GetXRef() != "" {
return generateEmptyResource(validationGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])
return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])
}
if len(types) != 1 {

2
pkg/policy/validation_test.go → pkg/openapi/validation_test.go
View file

@ -1,4 +1,4 @@
package policy
package openapi
import (
"encoding/json"

0
pkg/engine/policy/background.go → pkg/policy/background.go
View file

9
pkg/policy/controller.go
View file

@ -13,7 +13,6 @@ import (
kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
"github.com/nirmata/kyverno/pkg/config"
client "github.com/nirmata/kyverno/pkg/dclient"
"github.com/nirmata/kyverno/pkg/engine/policy"
"github.com/nirmata/kyverno/pkg/event"
"github.com/nirmata/kyverno/pkg/policystore"
"github.com/nirmata/kyverno/pkg/policyviolation"
@ -164,7 +163,7 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
if p.Spec.Background == nil {
// if userInfo is not defined in policy we process the policy
if err := policy.ContainsUserInfo(*p); err != nil {
if err := ContainsUserInfo(*p); err != nil {
return
}
} else {
@ -173,7 +172,7 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
}
// If userInfo is used then skip the policy
// ideally this should be handled by background flag only
if err := policy.ContainsUserInfo(*p); err != nil {
if err := ContainsUserInfo(*p); err != nil {
// contains userInfo used in policy
return
}
@ -196,7 +195,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
// TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598
if curP.Spec.Background == nil {
// if userInfo is not defined in policy we process the policy
if err := policy.ContainsUserInfo(*curP); err != nil {
if err := ContainsUserInfo(*curP); err != nil {
return
}
} else {
@ -205,7 +204,7 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
}
// If userInfo is used then skip the policy
// ideally this should be handled by background flag only
if err := policy.ContainsUserInfo(*curP); err != nil {
if err := ContainsUserInfo(*curP); err != nil {
// contains userInfo used in policy
return
}

20
pkg/policy/utils.go
View file

@ -1,17 +1,11 @@
package policy
import kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
// reEvaulatePolicy checks if the policy needs to be re-evaulated
// during re-evaulation we remove all the old policy violations and re-create new ones
// - Rule count changes
// - Rule resource description changes
// - Rule operation changes
// - Rule name changed
func reEvaulatePolicy(curP, oldP *kyverno.ClusterPolicy) bool {
// count of rules changed
if len(curP.Spec.Rules) != len(curP.Spec.Rules) {
}
//Contains Check if strint is contained in a list of string
func containString(list []string, element string) bool {
for _, e := range list {
if e == element {
return true
}
}
return false
}

7
pkg/engine/policy/validate.go → pkg/policy/validate.go
View file

@ -8,6 +8,8 @@ import (
"strconv"
"strings"
"github.com/nirmata/kyverno/pkg/openapi"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
"github.com/nirmata/kyverno/pkg/engine/anchor"
rbacv1 "k8s.io/api/rbac/v1"
@ -70,6 +72,11 @@ func Validate(p kyverno.ClusterPolicy) error {
}
}
}
if err := openapi.ValidatePolicyMutation(p); err != nil {
return fmt.Errorf("Failed to validate policy: %v", err)
}
return nil
}

0
pkg/engine/policy/validate_test.go → pkg/policy/validate_test.go
View file

3
pkg/webhooks/mutation.go
View file

@ -9,6 +9,7 @@ import (
"github.com/nirmata/kyverno/pkg/engine/context"
"github.com/nirmata/kyverno/pkg/engine/response"
engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
"github.com/nirmata/kyverno/pkg/openapi"
policyctr "github.com/nirmata/kyverno/pkg/policy"
"github.com/nirmata/kyverno/pkg/policyviolation"
"github.com/nirmata/kyverno/pkg/utils"
@ -90,7 +91,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
continue
}
err := policyctr.ValidateResource(engineResponse.PatchedResource.UnstructuredContent(), engineResponse.PatchedResource.GetKind())
err := openapi.ValidateResource(engineResponse.PatchedResource.UnstructuredContent(), engineResponse.PatchedResource.GetKind())
if err != nil {
glog.V(4).Infoln(err)
continue

14
pkg/webhooks/policyvalidation.go
View file

@ -4,11 +4,9 @@ import (
"encoding/json"
"fmt"
policy2 "github.com/nirmata/kyverno/pkg/policy"
"github.com/golang/glog"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
policyvalidate "github.com/nirmata/kyverno/pkg/engine/policy"
policyvalidate "github.com/nirmata/kyverno/pkg/policy"
v1beta1 "k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
@ -37,16 +35,6 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques
},
}
}
if err := policy2.ValidatePolicyMutation(*policy); err != nil {
admissionResp = &v1beta1.AdmissionResponse{
Allowed: false,
Result: &metav1.Status{
Message: err.Error(),
},
}
}
if admissionResp.Allowed {
// if the policy contains mutating & validation rules and it config does not exist we create one
// queue the request