lookup policies from policy store in webhook
This commit is contained in:
parent
fc35a52ad8
commit
81ac13cb05
4 changed files with 10 additions and 28 deletions
|
@ -2,6 +2,7 @@ package webhooks
|
|||
|
||||
import (
|
||||
"github.com/golang/glog"
|
||||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
|
||||
engine "github.com/nirmata/kyverno/pkg/engine"
|
||||
policyctr "github.com/nirmata/kyverno/pkg/policy"
|
||||
"github.com/nirmata/kyverno/pkg/utils"
|
||||
|
@ -10,7 +11,7 @@ import (
|
|||
)
|
||||
|
||||
// HandleMutation handles mutating webhook admission request
|
||||
func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, roles, clusterRoles []string) (bool, []byte, string) {
|
||||
func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) (bool, []byte, string) {
|
||||
glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||
|
||||
|
@ -60,15 +61,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, roles
|
|||
//TODO: check if the name and namespace is also passed right in the resource?
|
||||
// if not then set it from the api request
|
||||
resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})
|
||||
// lookup policies based on operation,kind, namespace
|
||||
policies, err := ws.pMetaStore.LookUp(resource.GetKind(), resource.GetNamespace())
|
||||
if err != nil {
|
||||
//TODO check if the CRD is created ?
|
||||
// Unable to connect to policy Lister to access policies
|
||||
glog.Errorln("Unable to connect to policy controller to access policies. Mutation Rules are NOT being applied")
|
||||
glog.Warning(err)
|
||||
return true, nil, ""
|
||||
}
|
||||
|
||||
var engineResponses []engine.EngineResponse
|
||||
policyContext := engine.PolicyContext{
|
||||
Resource: *resource,
|
||||
|
|
|
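Review bot: HandleMutation still carries the TODO about the resource's name/namespace ("if not then set it from the api request") right after `SetGroupVersionKind`, while the sibling HandleValidation in this same commit explicitly does `resource.SetNamespace(request.Namespace)` because the namespace is empty on the first CREATE; with the policy lookup now done by the caller on `request.Namespace`, the two handlers should treat the resource namespace the same way, so consider adding `resource.SetNamespace(request.Namespace)` after the `SetGroupVersionKind` line or resolving the TODO. The new `policies` parameter is also undocumented: the header comment could read `// HandleMutation applies the mutation rules of policies (already selected by the caller for request.Kind/request.Namespace) to the admission request; no policy lookup is done here.` What the body does when `policies` is empty is outside this hunk, so whether an empty slice is a safe no-op should be confirmed in the body. HandleMutation starts in an earlier hunk and ends outside this one.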
@ -26,7 +26,6 @@ import (
|
|||
"github.com/nirmata/kyverno/pkg/webhookconfig"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
rbacinformer "k8s.io/client-go/informers/rbac/v1"
|
||||
rbaclister "k8s.io/client-go/listers/rbac/v1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
|
@ -183,16 +182,15 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
// TODO: this will be replaced by policy store lookup
|
||||
policies, err := ws.pLister.List(labels.NewSelector())
|
||||
policies, err := ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace)
|
||||
if err != nil {
|
||||
// Unable to connect to policy Lister to access policies
|
||||
glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err)
|
||||
return &v1beta1.AdmissionResponse{Allowed: true}
|
||||
}
|
||||
|
||||
var roles, clusterRoles []string
|
||||
|
||||
// TODO(shuting): replace containRBACinfo after policy cache lookup is introduced
|
||||
// getRoleRef only if policy has roles/clusterroles defined
|
||||
startTime := time.Now()
|
||||
if containRBACinfo(policies) {
|
||||
|
@ -206,7 +204,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
|
|||
glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime))
|
||||
|
||||
// MUTATION
|
||||
ok, patches, msg := ws.HandleMutation(request, roles, clusterRoles)
|
||||
ok, patches, msg := ws.HandleMutation(request, policies, roles, clusterRoles)
|
||||
if !ok {
|
||||
glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
|
||||
return &v1beta1.AdmissionResponse{
|
||||
|
@ -222,7 +220,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
|
|||
patchedResource := processResourceWithPatches(patches, request.Object.Raw)
|
||||
|
||||
// VALIDATION
|
||||
ok, msg = ws.HandleValidation(request, patchedResource, roles, clusterRoles)
|
||||
ok, msg = ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles)
|
||||
if !ok {
|
||||
glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
|
||||
return &v1beta1.AdmissionResponse{
|
||||
|
|
|
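Review bot: The error path below the new `ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace)` call still says "Unable to connect to policy Lister" / "policy controller", wording that described the removed `ws.pLister.List` and now misattributes the failure; since that path still returns `&v1beta1.AdmissionResponse{Allowed: true}`, a store lookup failure admits the request with no policy evaluation, and the log should make that fail-open explicit so an operator triaging it sees the consequence. Suggested lines: `// Policy store lookup failed: fail open, the request is admitted without any policy evaluation.` and `glog.Errorf("Unable to look up policies in policy store for %s/%s. Policies are NOT being applied: %v", request.Kind.Kind, request.Namespace, err)`. Whether failing open here is the intended availability trade-off cannot be judged from this hunk, but it deserves a one-line comment either way. The `TODO(shuting): replace containRBACinfo after policy cache lookup is introduced` a few lines down now has its precondition met by this very commit, so it should be resolved or reworded. handleAdmissionRequest continues into the following hunks and ends outside this section.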
@ -99,7 +99,7 @@ func processResourceWithPatches(patch []byte, resource []byte) []byte {
|
|||
return resource
|
||||
}
|
||||
|
||||
func containRBACinfo(policies []*kyverno.ClusterPolicy) bool {
|
||||
func containRBACinfo(policies []kyverno.ClusterPolicy) bool {
|
||||
for _, policy := range policies {
|
||||
for _, rule := range policy.Spec.Rules {
|
||||
if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 {
|
||||
|
|
|
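Review bot: Changing the parameter to `[]kyverno.ClusterPolicy` means `for _, policy := range policies` now copies each ClusterPolicy value on every admission request, where the previous pointer slice did not; if ClusterPolicy is a sizeable struct (it carries at least `Spec.Rules`), iterate by index instead: `for i := range policies {` and `for _, rule := range policies[i].Spec.Rules {`. The function also has no doc comment; suggest `// containRBACinfo reports whether any rule in policies matches on Roles or ClusterRoles, i.e. whether RBAC information must be resolved for the request.` The closing lines of containRBACinfo are outside this hunk.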
@ -4,6 +4,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
|
||||
engine "github.com/nirmata/kyverno/pkg/engine"
|
||||
policyctr "github.com/nirmata/kyverno/pkg/policy"
|
||||
"github.com/nirmata/kyverno/pkg/utils"
|
||||
|
@ -14,7 +15,7 @@ import (
|
|||
// handleValidation handles validating webhook admission request
|
||||
// If there are no errors in validating rule we apply generation rules
|
||||
// patchedResource is the (resource + patches) after applying mutation rules
|
||||
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
|
||||
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) {
|
||||
glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
||||
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
||||
|
||||
|
@ -71,16 +72,6 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pat
|
|||
// resource namespace is empty for the first CREATE operation
|
||||
resource.SetNamespace(request.Namespace)
|
||||
|
||||
// lookup policies based on operation,kind, namespace
|
||||
policies, err := ws.pMetaStore.LookUp(resource.GetKind(), resource.GetNamespace())
|
||||
if err != nil {
|
||||
//TODO check if the CRD is created ?
|
||||
// Unable to connect to policy Lister to access policies
|
||||
glog.Error("Unable to connect to policy controller to access policies. Validation Rules are NOT being applied")
|
||||
glog.Warning(err)
|
||||
return true, ""
|
||||
}
|
||||
|
||||
policyContext := engine.PolicyContext{
|
||||
Resource: *resource,
|
||||
AdmissionInfo: engine.RequestInfo{
|
||||
|
|
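Review bot: The header comment on HandleValidation does not describe the new `policies` parameter or the contract that the caller has already selected them, which matters now that the in-function lookup (and its fail-open error path) has been removed; suggest adding `// policies are the ClusterPolicies already looked up by the caller for request.Kind/request.Namespace; no further lookup is performed here.` Note that the removed lookup keyed on `resource.GetNamespace()` after `resource.SetNamespace(request.Namespace)`, and the caller now keys on `request.Namespace` directly, so the selection should be equivalent, but the remaining `SetNamespace` call is still needed for whatever the engine matches on in the body below, and it would help to say so in the comment above it. HandleValidation starts in an earlier hunk and ends outside this one.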