
fix: change generic policy to not return any (#9463)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2024-01-20 18:20:22 +01:00 committed by GitHub
parent 8ff23a7d06
commit 8795916e14
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 28 additions and 21 deletions


@ -1,7 +1,6 @@
package processor package processor
import ( import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations"
"github.com/kyverno/kyverno/pkg/autogen" "github.com/kyverno/kyverno/pkg/autogen"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
@ -34,7 +33,7 @@ func (rc *ResultCounts) addEngineResponse(auditWarn bool, response engineapi.Eng
if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType { if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
return return
} }
policy := genericPolicy.GetPolicy().(kyvernov1.PolicyInterface) policy := genericPolicy.AsKyvernoPolicy()
scored := annotations.Scored(policy.GetAnnotations()) scored := annotations.Scored(policy.GetAnnotations())
for _, rule := range autogen.ComputeRules(policy) { for _, rule := range autogen.ComputeRules(policy) {
if rule.HasValidate() || rule.HasVerifyImageChecks() || rule.HasVerifyImages() { if rule.HasValidate() || rule.HasVerifyImageChecks() || rule.HasVerifyImages() {
@ -72,7 +71,7 @@ func (rc *ResultCounts) addGenerateResponse(auditWarn bool, resPath string, resp
if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType { if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
return return
} }
policy := genericPolicy.GetPolicy().(kyvernov1.PolicyInterface) policy := genericPolicy.AsKyvernoPolicy()
for _, policyRule := range autogen.ComputeRules(policy) { for _, policyRule := range autogen.ComputeRules(policy) {
for _, ruleResponse := range response.PolicyResponse.Rules { for _, ruleResponse := range response.PolicyResponse.Rules {
if policyRule.Name == ruleResponse.Name() { if policyRule.Name == ruleResponse.Name() {
@ -96,7 +95,7 @@ func (rc *ResultCounts) addMutateResponse(resourcePath string, response engineap
if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType { if polType := genericPolicy.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
return false return false
} }
policy := genericPolicy.GetPolicy().(kyvernov1.PolicyInterface) policy := genericPolicy.AsKyvernoPolicy()
var policyHasMutate bool var policyHasMutate bool
for _, rule := range autogen.ComputeRules(policy) { for _, rule := range autogen.ComputeRules(policy) {
if rule.HasMutate() { if rule.HasMutate() {


@ -324,9 +324,9 @@ func (c *controller) reconcileReport(
var key string var key string
var err error var err error
if policy.GetType() == engineapi.KyvernoPolicyType { if policy.GetType() == engineapi.KyvernoPolicyType {
key, err = cache.MetaNamespaceKeyFunc(policy.GetPolicy().(kyvernov1.PolicyInterface)) key, err = cache.MetaNamespaceKeyFunc(policy.AsKyvernoPolicy())
} else { } else {
key, err = cache.MetaNamespaceKeyFunc(policy.GetPolicy().(admissionregistrationv1alpha1.ValidatingAdmissionPolicy)) key, err = cache.MetaNamespaceKeyFunc(policy.AsValidatingAdmissionPolicy())
} }
if err != nil { if err != nil {
return err return err


@ -12,7 +12,6 @@ import (
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy" "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
"go.uber.org/multierr" "go.uber.org/multierr"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
) )
@ -54,7 +53,7 @@ func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstru
var response *engineapi.EngineResponse var response *engineapi.EngineResponse
if policy.GetType() == engineapi.KyvernoPolicyType { if policy.GetType() == engineapi.KyvernoPolicyType {
var err error var err error
pol := policy.GetPolicy().(kyvernov1.PolicyInterface) pol := policy.AsKyvernoPolicy()
response, err = s.validateResource(ctx, resource, nsLabels, pol) response, err = s.validateResource(ctx, resource, nsLabels, pol)
if err != nil { if err != nil {
logger.Error(err, "failed to scan resource") logger.Error(err, "failed to scan resource")
@ -74,8 +73,8 @@ func (s *scanner) ScanResource(ctx context.Context, resource unstructured.Unstru
} }
} }
} else { } else {
pol := policy.GetPolicy().(admissionregistrationv1alpha1.ValidatingAdmissionPolicy) pol := policy.AsValidatingAdmissionPolicy()
res := validatingadmissionpolicy.Validate(pol, resource) res := validatingadmissionpolicy.Validate(*pol, resource)
response = &res response = &res
} }
results[&policies[i]] = ScanResult{response, multierr.Combine(errors...)} results[&policies[i]] = ScanResult{response, multierr.Combine(errors...)}


@ -198,7 +198,7 @@ func (er EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailur
if polType := pol.GetType(); polType == ValidatingAdmissionPolicyType { if polType := pol.GetType(); polType == ValidatingAdmissionPolicyType {
return "" return ""
} }
spec := pol.GetPolicy().(kyvernov1.PolicyInterface).GetSpec() spec := pol.AsKyvernoPolicy().GetSpec()
for _, v := range spec.ValidationFailureActionOverrides { for _, v := range spec.ValidationFailureActionOverrides {
if !v.Action.IsValid() { if !v.Action.IsValid() {
continue continue


@ -19,8 +19,10 @@ const (
// GenericPolicy abstracts the policy type (Kyverno policy vs Validating admission policy) // GenericPolicy abstracts the policy type (Kyverno policy vs Validating admission policy)
// It is intended to be used in EngineResponse // It is intended to be used in EngineResponse
type GenericPolicy interface { type GenericPolicy interface {
// GetPolicy returns either kyverno policy or validating admission policy // AsKyvernoPolicy returns the kyverno policy
GetPolicy() interface{} AsKyvernoPolicy() kyvernov1.PolicyInterface
// AsValidatingAdmissionPolicy returns the validating admission policy
AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy
// GetType returns policy type // GetType returns policy type
GetType() PolicyType GetType() PolicyType
// GetAPIVersion returns policy API version // GetAPIVersion returns policy API version
@ -45,10 +47,14 @@ type KyvernoPolicy struct {
policy kyvernov1.PolicyInterface policy kyvernov1.PolicyInterface
} }
func (p *KyvernoPolicy) GetPolicy() interface{} { func (p *KyvernoPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
return p.policy return p.policy
} }
func (p *KyvernoPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
return nil
}
func (p *KyvernoPolicy) GetType() PolicyType { func (p *KyvernoPolicy) GetType() PolicyType {
return KyvernoPolicyType return KyvernoPolicyType
} }
@ -95,8 +101,12 @@ type ValidatingAdmissionPolicy struct {
policy v1alpha1.ValidatingAdmissionPolicy policy v1alpha1.ValidatingAdmissionPolicy
} }
func (p *ValidatingAdmissionPolicy) GetPolicy() interface{} { func (p *ValidatingAdmissionPolicy) AsKyvernoPolicy() kyvernov1.PolicyInterface {
return p.policy return nil
}
func (p *ValidatingAdmissionPolicy) AsValidatingAdmissionPolicy() *v1alpha1.ValidatingAdmissionPolicy {
return &p.policy
} }
func (p *ValidatingAdmissionPolicy) GetType() PolicyType { func (p *ValidatingAdmissionPolicy) GetType() PolicyType {
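Review bot: The new accessors return nil for the variant they do not hold (AsValidatingAdmissionPolicy on KyvernoPolicy, AsKyvernoPolicy on ValidatingAdmissionPolicy), but the doc comments on the GenericPolicy interface do not say so, and a caller that skips the GetType() check now gets a nil-interface dereference where the old GetPolicy() type assertion panicked explicitly. Suggest `// AsKyvernoPolicy returns the kyverno policy, or nil if this is not a Kyverno policy` and `// AsValidatingAdmissionPolicy returns the validating admission policy, or nil if this is not a validating admission policy`. Separately, `return &p.policy` hands out a pointer into the receiver's own field, so callers can mutate the stored policy through it, whereas the old GetPolicy() boxed the value and therefore returned a copy; if that aliasing is not intended, return a copy or document that the pointer must be treated as read-only.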


@ -22,7 +22,7 @@ func (e *engine) reportMetrics(
if e.resultCounter == nil && e.durationHistogram == nil { if e.resultCounter == nil && e.durationHistogram == nil {
return return
} }
policy := response.Policy().GetPolicy().(kyvernov1.PolicyInterface) policy := response.Policy().AsKyvernoPolicy()
if name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy); err != nil { if name, namespace, policyType, backgroundMode, validationMode, err := metrics.GetPolicyInfos(policy); err != nil {
logger.Error(err, "failed to get policy infos for metrics reporting") logger.Error(err, "failed to get policy infos for metrics reporting")
} else { } else {
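Review bot: `policy := response.Policy().AsKyvernoPolicy()` is used here with no GetType() guard, so for a ValidatingAdmissionPolicy response policy is a nil interface handed to metrics.GetPolicyInfos; the old type assertion failed loudly at this line, while the new form presumably fails with a nil dereference inside GetPolicyInfos or silently reports nothing. Consider an explicit guard before the call, e.g. `if policy == nil { return }`, mirroring the GetType() checks the other call sites in this commit already have. reportMetrics starts and continues outside the hunk.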


@ -77,7 +77,7 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
var action Action var action Action
policy := engineResponse.Policy() policy := engineResponse.Policy()
if policy.GetType() == engineapi.KyvernoPolicyType { if policy.GetType() == engineapi.KyvernoPolicyType {
pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface) pol := engineResponse.Policy().AsKyvernoPolicy()
hasValidate := pol.GetSpec().HasValidate() hasValidate := pol.GetSpec().HasValidate()
hasVerifyImages := pol.GetSpec().HasVerifyImages() hasVerifyImages := pol.GetSpec().HasVerifyImages()
hasMutate := pol.GetSpec().HasMutate() hasMutate := pol.GetSpec().HasMutate()
@ -226,7 +226,7 @@ func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp
exception := ruleResp.Exception() exception := ruleResp.Exception()
exceptionName, exceptionNamespace := exception.GetName(), exception.GetNamespace() exceptionName, exceptionNamespace := exception.GetName(), exception.GetNamespace()
policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", resourceKey(engineResponse.PatchedResource), ruleResp.Name(), exceptionNamespace, exceptionName) policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", resourceKey(engineResponse.PatchedResource), ruleResp.Name(), exceptionNamespace, exceptionName)
pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface) pol := engineResponse.Policy().AsKyvernoPolicy()
var exceptionMessage string var exceptionMessage string
if pol.GetNamespace() == "" { if pol.GetNamespace() == "" {
exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", resourceKey(engineResponse.PatchedResource), pol.GetName(), ruleResp.Name()) exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", resourceKey(engineResponse.PatchedResource), pol.GetName(), ruleResp.Name())
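Review bot: In NewPolicyExceptionEvents, `pol := engineResponse.Policy().AsKyvernoPolicy()` is immediately followed by `pol.GetNamespace()` and `pol.GetName()` with no GetType() or nil check, unlike NewPolicyAppliedEvent in the first hunk of this file; if a rule response carrying an exception ever belongs to a ValidatingAdmissionPolicy, pol is nil and this dereferences it. Policy exceptions are presumably only attached to Kyverno policies, so this may be unreachable today, but a nil check with an early return would make that assumption explicit rather than relying on a panic. The function body and its return type lie outside the hunk.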


@ -9,7 +9,6 @@ import (
"github.com/go-logr/logr" "github.com/go-logr/logr"
"github.com/kyverno/kyverno/api/kyverno" "github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2" kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
engineapi "github.com/kyverno/kyverno/pkg/engine/api" engineapi "github.com/kyverno/kyverno/pkg/engine/api"
@ -91,7 +90,7 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
pol := response.Policy() pol := response.Policy()
var results []policyreportv1alpha2.PolicyReportResult var results []policyreportv1alpha2.PolicyReportResult
if pol.GetType() == engineapi.KyvernoPolicyType { if pol.GetType() == engineapi.KyvernoPolicyType {
key, _ := cache.MetaNamespaceKeyFunc(pol.GetPolicy().(kyvernov1.PolicyInterface)) key, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
for _, ruleResult := range response.PolicyResponse.Rules { for _, ruleResult := range response.PolicyResponse.Rules {
annotations := pol.GetAnnotations() annotations := pol.GetAnnotations()
result := policyreportv1alpha2.PolicyReportResult{ result := policyreportv1alpha2.PolicyReportResult{