mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
added validation log
This commit is contained in:
Yuvraj
parent
19c2fa8463
commit
85d2ac9f84
2 changed files with 51 additions and 33 deletions
|
|
@ -266,15 +266,17 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
|
|||
// - app.kubernetes.io/managed-by: kyverno
|
||||
// - kyverno.io/generated-by: kind/namespace/name (trigger resource)
|
||||
manageLabels(newResource, resource)
|
||||
|
||||
logger := log.WithValues("genKind", genKind, "genNamespace", genNamespace, "genName", genName)
|
||||
if mode == Create {
|
||||
if mode == Create {
|
||||
// Add Synchronize label
|
||||
label := newResource.GetLabels()
|
||||
if rule.Generation.Synchronize {
|
||||
newResource.SetLabels(map[string]string{"app.kubernetes.io/synchronize": "enable" })
|
||||
label["app.kubernetes.io/synchronize"] = "enable"
|
||||
}else{
|
||||
newResource.SetLabels(map[string]string{"app.kubernetes.io/synchronize": "disable" })
|
||||
label["app.kubernetes.io/synchronize"] = "disable"
|
||||
}
|
||||
newResource.SetLabels(label)
|
||||
|
||||
// Reset resource version
|
||||
newResource.SetResourceVersion("")
|
||||
// Create the resource
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import (
|
|||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
|
|
@ -237,34 +238,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
|
|||
|
||||
logger := ws.log.WithName("resourceMutation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
|
||||
|
||||
if request.Operation == v1beta1.Delete || request.Operation == v1beta1.Update {
|
||||
// convert RAW to unstructured
|
||||
resource, err := enginutils.ConvertToUnstructured(request.OldObject.Raw)
|
||||
if err != nil {
|
||||
//TODO: skip applying the admission control ?
|
||||
logger.Error(err, "failed to convert RAR resource to unstructured format")
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: "Failure",
|
||||
Message: err.Error(),
|
||||
},
|
||||
}
|
||||
}
|
||||
labels := resource.GetLabels()
|
||||
if labels != nil {
|
||||
if labels["app.kubernetes.io/managed-by"] == "kyverno" && labels["app.kubernetes.io/synchronize"] == "enable" {
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: "Failure",
|
||||
Message: "You don't have permission to update resourses that is generated by kyverno",
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if excludeKyvernoResources(request.Kind.Kind) {
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
|
|
@ -294,7 +267,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
|
|||
resource, err := utils.ConvertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to convert RAW resource to unstructured format")
|
||||
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
|
|
@ -395,6 +367,50 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
|
|||
func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
||||
logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
|
||||
|
||||
if request.Operation == v1beta1.Delete || request.Operation == v1beta1.Update {
|
||||
// convert RAW to unstructured
|
||||
resource, err := enginutils.ConvertToUnstructured(request.Object.Raw)
|
||||
if err != nil {
|
||||
//TODO: skip applying the admission control ?
|
||||
logger.Error(err, "failed to convert RAR resource to unstructured format")
|
||||
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: "Failure",
|
||||
Message: err.Error(),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
oldResource, err := ws.client.GetResource(resource.GetKind(),resource.GetNamespace(),resource.GetName());
|
||||
if err != nil {
|
||||
if !apierrors.IsNotFound(err) {
|
||||
logger.Error(err, "failed to get resource")
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: "Failure",
|
||||
Message: err.Error(),
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
labels := oldResource.GetLabels()
|
||||
if labels != nil {
|
||||
if labels["app.kubernetes.io/managed-by"] == "kyverno" && labels["app.kubernetes.io/synchronize"] == "enable" {
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: false,
|
||||
Result: &metav1.Status{
|
||||
Status: "Failure",
|
||||
Message: "You don't have permission to update resourses that is generated by kyverno",
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if !ws.supportMudateValidate {
|
||||
logger.Info("mutate and validate rules are not supported prior to Kubernetes 1.14.0")
|
||||
return &v1beta1.AdmissionResponse{
|
||||
|
|
|
|||
Loading…
Reference in a new issue