bug fixes
parent
44a164b184
commit
8289450c1c
2 changed files with 53 additions and 43 deletions
|
@ -47,14 +47,13 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
|
|||
policy, err := c.pLister.Get(gr.Spec.Policy)
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) {
|
||||
if err := c.client.DeleteResource(gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name,false); err != nil {
|
||||
if err := c.client.DeleteResource(gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name, false); err != nil {
|
||||
logger.V(4).Info("Generated resource is deleted")
|
||||
return nil, err
|
||||
}
|
||||
return nil,nil
|
||||
return nil, nil
|
||||
}
|
||||
logger.Error(err, "error in getting policy")
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
resourceRaw, err := resource.MarshalJSON()
|
||||
|
@ -267,16 +266,17 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
|
|||
// - kyverno.io/generated-by: kind/namespace/name (trigger resource)
|
||||
manageLabels(newResource, resource)
|
||||
logger := log.WithValues("genKind", genKind, "genNamespace", genNamespace, "genName", genName)
|
||||
if mode == Create {
|
||||
// Add Synchronize label
|
||||
label := newResource.GetLabels()
|
||||
if rule.Generation.Synchronize {
|
||||
label["app.kubernetes.io/synchronize"] = "enable"
|
||||
}else{
|
||||
label["app.kubernetes.io/synchronize"] = "disable"
|
||||
}
|
||||
newResource.SetLabels(label)
|
||||
|
||||
// Add Synchronize label
|
||||
label := newResource.GetLabels()
|
||||
if rule.Generation.Synchronize {
|
||||
label["app.kubernetes.io/synchronize"] = "enable"
|
||||
} else {
|
||||
label["app.kubernetes.io/synchronize"] = "disable"
|
||||
}
|
||||
newResource.SetLabels(label)
|
||||
|
||||
if mode == Create {
|
||||
// Reset resource version
|
||||
newResource.SetResourceVersion("")
|
||||
// Create the resource
|
||||
|
@ -289,13 +289,15 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
|
|||
logger.V(4).Info("created new resource")
|
||||
|
||||
} else if mode == Update {
|
||||
label := newResource.GetLabels();
|
||||
label := newResource.GetLabels()
|
||||
|
||||
if label != nil {
|
||||
if label["app.kubernetes.io/synchronize"] == "enable" {
|
||||
logger.V(4).Info("updating existing resource")
|
||||
// Update the resource
|
||||
_, err := client.UpdateResource(genKind, genNamespace, newResource, false)
|
||||
if err != nil {
|
||||
logger.Error(err, "updating existing resource")
|
||||
// Failed to update resource
|
||||
return noGenResource, err
|
||||
}
|
||||
|
@ -304,6 +306,8 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
|
|||
} else {
|
||||
logger.V(4).Info("Synchronize resource is disabled")
|
||||
}
|
||||
} else {
|
||||
logger.V(4).Info("Synchronize resource is disabled")
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
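Review bot: In the `@@ -47,14` hunk of applyGenerate, `logger.V(4).Info("Generated resource is deleted")` sits inside the `err != nil` branch of DeleteResource, so it is emitted exactly when the delete failed and the function is about to return that error; either move the line after the `if` block, just before `return nil, nil`, or replace it with `logger.Error(err, "failed to delete generated resource")`. In the `@@ -267` hunk the synchronize label is now written for every mode, but `label := newResource.GetLabels()` is written to without a nil check, and if manageLabels can leave the label map nil that assignment panics — `if label == nil { label = map[string]string{} }` before the write makes it safe either way. Given that write, the `label != nil` / `== "enable"` test in the `@@ -289` Update branch appears to read back the value set a few lines earlier and is then equivalent to `rule.Generation.Synchronize`, which would be clearer to test directly and should be documented if the label is intentionally the source of truth. Both applyGenerate and applyRule start and continue outside these hunks.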
@ -2,6 +2,8 @@ package userinfo
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/nirmata/kyverno/pkg/engine"
|
||||
"github.com/nirmata/kyverno/pkg/utils"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
|
@ -10,7 +12,6 @@ import (
|
|||
labels "k8s.io/apimachinery/pkg/labels"
|
||||
rbaclister "k8s.io/client-go/listers/rbac/v1"
|
||||
"sigs.k8s.io/controller-runtime/pkg/log"
|
||||
"strings"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -19,7 +20,7 @@ const (
|
|||
SaPrefix = "system:serviceaccount:"
|
||||
)
|
||||
|
||||
var defaultSuffixs = []string{"system:","kyverno:"}
|
||||
var defaultSuffixs = []string{"system:", "kyverno:"}
|
||||
|
||||
//GetRoleRef gets the list of roles and cluster roles for the incoming api-request
|
||||
func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) {
|
||||
|
@ -129,58 +130,63 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
|
|||
return false
|
||||
}
|
||||
|
||||
|
||||
//IsRoleAuthorize is role authorize or not
|
||||
func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister,rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *v1beta1.AdmissionRequest) (bool,error) {
|
||||
|
||||
func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *v1beta1.AdmissionRequest) (bool, error) {
|
||||
if strings.Contains(request.UserInfo.Username, SaPrefix) {
|
||||
roles,clusterRoles,err := GetRoleRef(rbLister,crbLister,request)
|
||||
roles, clusterRoles, err := GetRoleRef(rbLister, crbLister, request)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
||||
for _,e := range clusterRoles {
|
||||
role,err := crLister.Get(e);
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
labels := role.GetLabels()
|
||||
if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
|
||||
return true,nil
|
||||
}
|
||||
}
|
||||
for _,e := range roles {
|
||||
roleData := strings.Split(e, ":")
|
||||
role, err := rLister.Roles(roleData[0]).Get(roleData[1]);
|
||||
for _, e := range clusterRoles {
|
||||
if strings.Contains(e, "kyverno:") {
|
||||
return true, nil
|
||||
} else {
|
||||
role, err := crLister.Get(e)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
labels := role.GetLabels()
|
||||
|
||||
if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
for _, e := range roles {
|
||||
roleData := strings.Split(e, ":")
|
||||
role, err := rLister.Roles(roleData[0]).Get(roleData[1])
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
labels := role.GetLabels()
|
||||
if !strings.Contains(e, "kyverno:") {
|
||||
if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// User or Group
|
||||
excludeDevelopmentRole := []string{"minikube-user","kubernetes-admin"}
|
||||
for _,e := range excludeDevelopmentRole {
|
||||
if strings.Contains(request.UserInfo.Username,e){
|
||||
return false,nil
|
||||
excludeDevelopmentRole := []string{"minikube-user", "kubernetes-admin"}
|
||||
for _, e := range excludeDevelopmentRole {
|
||||
if strings.Contains(request.UserInfo.Username, e) {
|
||||
return false, nil
|
||||
}
|
||||
}
|
||||
var matchedRoles []bool
|
||||
for _,e := range request.UserInfo.Groups {
|
||||
for _,defaultSuffix := range defaultSuffixs {
|
||||
if strings.Contains(e,defaultSuffix) {
|
||||
for _, e := range request.UserInfo.Groups {
|
||||
for _, defaultSuffix := range defaultSuffixs {
|
||||
if strings.Contains(e, defaultSuffix) {
|
||||
matchedRoles = append(matchedRoles, true)
|
||||
break;
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if len(matchedRoles) == len(request.UserInfo.Groups) {
|
||||
return true,nil
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
|
||||
return false,nil
|
||||
}
|
||||
return false, nil
|
||||
}
|
||||
|
|
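Review bot: The new `if strings.Contains(e, "kyverno:") { return true, nil }` in the clusterRoles loop of IsRoleAuthorize grants authorization on a substring match anywhere in a role name, while the `roles` loop treats the same substring the opposite way (skip the bootstrapping check instead of allow), so the two loops disagree on what a kyverno role means; at minimum use `strings.HasPrefix(e, "kyverno:")`, apply the same rule in both loops, and add a comment stating why a role name alone is trusted here. `roleData := strings.Split(e, ":")` is indexed at `[1]` without a length check, so a role reference with no `:` separator panics the admission path; guard with `if len(roleData) != 2 { return false, fmt.Errorf("unexpected role reference %q", e) }`. In the user/group branch `len(matchedRoles) == len(request.UserInfo.Groups)` is also true when Groups is empty, so a non-service-account user with no groups is reported as authorized — `if len(request.UserInfo.Groups) > 0 && len(matchedRoles) == len(request.UserInfo.Groups)` closes that. The `strings.Contains(request.UserInfo.Username, SaPrefix)` test at the top would likewise be more precise as `strings.HasPrefix`, since SaPrefix is a prefix by definition.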