
fixes 268_bug

This commit is contained in:
shivkumar dudhani 2019-08-07 18:13:43 -07:00
parent d16e398d38
commit 87994e4a77
2 changed files with 14 additions and 4 deletions


@ -1,9 +1,10 @@
apiVersion: kyverno.io/v1alpha1
kind: Policy
metadata:
name: "default-networkPolicy"
name: "defaultnetworkpolicy"
spec:
rules:
validationFailureAction: audit
- name: "default-networkPolicy"
match:
resources:
@ -12,7 +13,7 @@ spec:
name: "devtest"
generate:
kind: NetworkPolicy
name: default-networkPolicy
name: defaultnetworkpolicy
data:
spec:
# select all pods in the namespace
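Review bot: The new `validationFailureAction: audit` line under `spec:` is left undocumented in this sample, and its effect on a generate rule is not obvious from the field name alone. Per the accompanying `applyRuleGenerator` change on this commit, `audit` appears to be the value that lets the default NetworkPolicy actually be created, while any other value blocks creation and surfaces an error instead; readers copying this sample should not have to read the controller to learn that. A short trailing comment would close the gap: `validationFailureAction: audit # audit: create the default resource; any other value blocks creation and reports it as a violation`. The rename to `defaultnetworkpolicy` looks like a name-format fix and needs no comment.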


@ -21,7 +21,7 @@ func Generate(client *client.Client, policy *v1alpha1.Policy, ns unstructured.Un
continue
}
ri := info.NewRuleInfo(rule.Name, info.Generation)
err := applyRuleGenerator(client, ns, rule.Generation)
err := applyRuleGenerator(client, ns, rule.Generation, policy.Spec.ValidationFailureAction)
if err != nil {
ri.Fail()
ri.Addf("Rule %s: Failed to apply rule generator, err %v.", rule.Name, err)
@ -34,7 +34,7 @@ func Generate(client *client.Client, policy *v1alpha1.Policy, ns unstructured.Un
return ris
}
func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen *v1alpha1.Generation) error {
func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen *v1alpha1.Generation, validationFailureAction string) error {
var err error
resource := &unstructured.Unstructured{}
var rdata map[string]interface{}
@ -80,6 +80,15 @@ func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen
// Reset resource version
resource.SetResourceVersion("")
if validationFailureAction != "audit" {
// if not audit, then enforce..
// with enforce we will block the creation of resource and instead generate an error
// the error will then create a policyViolation so that the resource owner can add the defaults
return errors.New("policy flag validationFailureAction:'audit' blocked the creation of default resource for the namespace")
}
// for "audit" mode, the resource will create the resource
// but wont generate a policy violation as the generate controller doesnt know if the generate request
// is a new resource via admission controller or via syncing its cache after a controller restart
_, err = client.CreateResource(gen.Kind, ns.GetName(), resource, false)
if err != nil {
return err