
fix: change generic policy to not return any (#9463)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2024-01-20 18:20:22 +01:00 committed by GitHub
parent 8ff23a7d06
commit 8795916e14
8 changed files with 28 additions and 21 deletions


@ -1,7 +1,6 @@
package processor
import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations"
"github.com/kyverno/kyverno/pkg/autogen"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
@ -34,7 +33,7 @@ func (rc *ResultCounts) addEngineResponse(auditWarn bool, response engineapi.Eng
if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
return
}
policy := genericPolicy.GetPolicy().(kyvernov1.PolicyInterface)
policy := genericPolicy.AsKyvernoPolicy()
scored := annotations.Scored(policy.GetAnnotations())
for _, rule := range autogen.ComputeRules(policy) {
if rule.HasValidate() || rule.HasVerifyImageChecks() || rule.HasVerifyImages() {
@ -72,7 +71,7 @@ func (rc *ResultCounts) addGenerateResponse(auditWarn bool, resPath string, resp
if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
return
}
policy := genericPolicy.GetPolicy().(kyvernov1.PolicyInterface)
policy := genericPolicy.AsKyvernoPolicy()
for _, policyRule := range autogen.ComputeRules(policy) {
for _, ruleResponse := range response.PolicyResponse.Rules {
if policyRule.Name == ruleResponse.Name() {
@ -96,7 +95,7 @@ func (rc *ResultCounts) addMutateResponse(resourcePath string, response engineap
if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
return false
}
policy := genericPolicy.GetPolicy().(kyvernov1.PolicyInterface)
policy := genericPolicy.AsKyvernoPolicy()
var policyHasMutate bool
for _, rule := range autogen.ComputeRules(policy) {
if rule.HasMutate() {


@ -324,9 +324,9 @@ func (c *controller) reconcileReport(
var key string
var err error
if policy.GetType() == engineapi.KyvernoPolicyType {
key, err = cache.MetaNamespaceKeyFunc(policy.GetPolicy().(kyvernov1.PolicyInterface))
key, err = cache.MetaNamespaceKeyFunc(policy.AsKyvernoPolicy())
} else {
key, err = cache.MetaNamespaceKeyFunc(policy.GetPolicy().(admissionregistrationv1alpha1.ValidatingAdmissionPolicy))
key, err = cache.MetaNamespaceKeyFunc(policy.AsValidatingAdmissionPolicy())
}
if err != nil {
return err


@ -12,7 +12,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
"go.uber.org/multierr"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
@ -54,7 +53,7 @@ func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstru
var response *engineapi.EngineResponse
if policy.GetType() == engineapi.KyvernoPolicyType {
var err error
pol := policy.GetPolicy().(kyvernov1.PolicyInterface)
pol := policy.AsKyvernoPolicy()
response, err = s.validateResource(ctx, resource, nsLabels, pol)
if err != nil {
logger.Error(err, "failed to scan resource")
@ -74,8 +73,8 @@ func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstru
}
}
} else {
pol := policy.GetPolicy().(admissionregistrationv1alpha1.ValidatingAdmissionPolicy)
res := validatingadmissionpolicy.Validate(pol, resource)
pol := policy.AsValidatingAdmissionPolicy()
res := validatingadmissionpolicy.Validate(*pol, resource)
response = &res
}
results[&policies[i]] = ScanResult{response, multierr.Combine(errors...)}
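Review bot: `validatingadmissionpolicy.Validate(*pol, resource)` dereferences the pointer unconditionally, but the `else` branch covers every policy whose type is not `KyvernoPolicyType`, and `AsValidatingAdmissionPolicy` returns nil for any wrapper that is not a validating admission policy, so a wrapper of any other type would panic inside `ScanResource` instead of surfacing as an error in `ScanResult`. A nil guard before the call keeps the failure observable, e.g. `if pol == nil { logger.Error(nil, "unsupported policy type"); continue }` (assuming this sits in the per-policy loop that fills `results`; the loop header is outside the hunk, so confirm). Separately, `*pol` copies the whole ValidatingAdmissionPolicy struct for every scanned resource; if `Validate` only reads the policy, changing its parameter to a pointer would avoid the copy, though that signature is outside this hunk. `ScanResource` starts before the hunk.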


@ -198,7 +198,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
if polType := pol.GetType(); polType == ValidatingAdmissionPolicyType {
return ""
}
spec := pol.GetPolicy().(kyvernov1.PolicyInterface).GetSpec()
spec := pol.AsKyvernoPolicy().GetSpec()
for _, v := range spec.ValidationFailureActionOverrides {
if !v.Action.IsValid() {
continue


@ -19,8 +19,10 @@ const (
// GenericPolicy abstracts the policy type (Kyverno policy vs Validating admission policy)
// It is intended to be used in EngineResponse
type GenericPolicy interface {
// GetPolicy returns either kyverno policy or validating admission policy
GetPolicy() interface{}
// AsKyvernoPolicy returns the kyverno policy
AsKyvernoPolicy() kyvernov1.PolicyInterface
// AsValidatingAdmissionPolicy returns the validating admission policy
AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
// GetType returns policy type
GetType() PolicyType
// GetAPIVersion returns policy API version
@ -45,10 +47,14 @@ type KyvernoPolicy struct {
policy kyvernov1.PolicyInterface
}
func (p *KyvernoPolicy) GetPolicy() interface{} {
func (p *KyvernoPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
return p.policy
}
func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
return nil
}
func (p *KyvernoPolicy) GetType() PolicyType {
return KyvernoPolicyType
}
@ -95,8 +101,12 @@ type ValidatingAdmissionPolicy struct {
policy v1alpha1.ValidatingAdmissionPolicy
}
func (p *ValidatingAdmissionPolicy) GetPolicy() interface{} {
return p.policy
func (p *ValidatingAdmissionPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
return nil
}
func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
return &p.policy
}
func (p *ValidatingAdmissionPolicy) GetType() PolicyType {
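Review bot: The doc comments on the two new interface methods describe only the happy path, yet each implementation returns nil for the other policy type (`KyvernoPolicy.AsValidatingAdmissionPolicy` and `ValidatingAdmissionPolicy.AsKyvernoPolicy`), and every caller updated in this commit dereferences the result without a nil check, so the contract should be stated where callers will read it: `// AsKyvernoPolicy returns the kyverno policy, or nil if the wrapped policy is not a kyverno policy` and `// AsValidatingAdmissionPolicy returns the validating admission policy, or nil if the wrapped policy is not a validating admission policy`. Note also that `AsValidatingAdmissionPolicy` returns `&p.policy`, a pointer into the wrapper, where the removed `GetPolicy` handed out a copy of the value; callers can now mutate the policy held by the wrapper, which is worth either documenting or avoiding by returning a pointer to a copy if the wrapper is meant to be immutable. Both struct declarations and the interface begin outside the hunk.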


@ -22,7 +22,7 @@ func (e *engine) reportMetrics(
if e.resultCounter == nil && e.durationHistogram == nil {
return
}
policy := response.Policy().GetPolicy().(kyvernov1.PolicyInterface)
policy := response.Policy().AsKyvernoPolicy()
if name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy); err != nil {
logger.Error(err, "failed to get policy infos for metrics reporting")
} else {
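Review bot: `reportMetrics` calls `AsKyvernoPolicy()` without first checking `GetType()`, unlike the other call sites in this commit, so for a validating-admission-policy response `policy` is now a nil interface passed into `metrics.GetPolicyInfos`, whereas the removed type assertion would have panicked on this line with a clear message. If such responses can reach `reportMetrics` (not visible here), add `if policy == nil { return }` right after the assignment, or skip metrics for non-Kyverno policies explicitly by type. The same unguarded call appears in `NewPolicyExceptionEvents` in the events file (`pol := engineResponse.Policy().AsKyvernoPolicy()` followed by `pol.GetNamespace()`), which would now panic on a nil interface method call rather than on the assertion. `reportMetrics` continues past the end of the hunk.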


@ -77,7 +77,7 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
var action Action
policy := engineResponse.Policy()
if policy.GetType() == engineapi.KyvernoPolicyType {
pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
pol := engineResponse.Policy().AsKyvernoPolicy()
hasValidate := pol.GetSpec().HasValidate()
hasVerifyImages := pol.GetSpec().HasVerifyImages()
hasMutate := pol.GetSpec().HasMutate()
@ -226,7 +226,7 @@ func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp
exception := ruleResp.Exception()
exceptionName, exceptionNamespace := exception.GetName(), exception.GetNamespace()
policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", resourceKey(engineResponse.PatchedResource), ruleResp.Name(), exceptionNamespace, exceptionName)
pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
pol := engineResponse.Policy().AsKyvernoPolicy()
var exceptionMessage string
if pol.GetNamespace() == "" {
exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", resourceKey(engineResponse.PatchedResource), pol.GetName(), ruleResp.Name())
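Review bot: In `NewPolicyAppliedEvent` the rewritten line calls `engineResponse.Policy()` a second time even though the result is already held in `policy` two lines above and has just been type-checked; use the local instead, `pol := policy.AsKyvernoPolicy()`, so the value that was checked is the one that is unwrapped. Both functions in this file continue outside their hunks.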


@ -9,7 +9,6 @@ import (
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
@ -91,7 +90,7 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
pol := response.Policy()
var results []policyreportv1alpha2.PolicyReportResult
if pol.GetType() == engineapi.KyvernoPolicyType {
key, _ := cache.MetaNamespaceKeyFunc(pol.GetPolicy().(kyvernov1.PolicyInterface))
key, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
for _, ruleResult := range response.PolicyResponse.Rules {
annotations := pol.GetAnnotations()
result := policyreportv1alpha2.PolicyReportResult{