Fixes kyverno cli container reorder (#7943)
* added combine rule response Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added kyverno test cli tests Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added kyverno test cli tests Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * small nits Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * added ; in between the err messages Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> * removed fixed rulename and ruletype Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> --------- Signed-off-by: hackeramitkumar <amit9116260192@gmail.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
b385693509
commit
92e2d23039
4 changed files with 140 additions and 0 deletions
|
@ -149,6 +149,7 @@ OuterLoop:
|
|||
}
|
||||
|
||||
mutateResponse := eng.Mutate(context.Background(), policyContext)
|
||||
combineRuleResponses(mutateResponse)
|
||||
engineResponses = append(engineResponses, mutateResponse)
|
||||
|
||||
err = processMutateEngineResponse(c, &mutateResponse, resPath)
|
||||
|
@ -170,6 +171,7 @@ OuterLoop:
|
|||
var validateResponse engineapi.EngineResponse
|
||||
if policyHasValidate {
|
||||
validateResponse = eng.Validate(context.Background(), policyContext)
|
||||
validateResponse = combineRuleResponses(validateResponse)
|
||||
ProcessValidateEngineResponse(c.Policy, validateResponse, resPath, c.Rc, c.PolicyReport, c.AuditWarn)
|
||||
}
|
||||
|
||||
|
@ -179,6 +181,7 @@ OuterLoop:
|
|||
|
||||
verifyImageResponse, _ := eng.VerifyAndPatchImages(context.TODO(), policyContext)
|
||||
if !verifyImageResponse.IsEmpty() {
|
||||
verifyImageResponse = combineRuleResponses(verifyImageResponse)
|
||||
engineResponses = append(engineResponses, verifyImageResponse)
|
||||
ProcessValidateEngineResponse(c.Policy, verifyImageResponse, resPath, c.Rc, c.PolicyReport, c.AuditWarn)
|
||||
}
|
||||
|
@ -199,6 +202,7 @@ OuterLoop:
|
|||
} else {
|
||||
generateResponse.PolicyResponse.Rules = newRuleResponse
|
||||
}
|
||||
combineRuleResponses(generateResponse)
|
||||
engineResponses = append(engineResponses, generateResponse)
|
||||
}
|
||||
updateResultCounts(c.Policy, &generateResponse, resPath, c.Rc, c.AuditWarn)
|
||||
|
@ -206,3 +210,75 @@ OuterLoop:
|
|||
|
||||
return engineResponses, nil
|
||||
}
|
||||
|
||||
func combineRuleResponses(imageResponse engineapi.EngineResponse) engineapi.EngineResponse {
|
||||
if imageResponse.PolicyResponse.RulesAppliedCount() == 0 {
|
||||
return imageResponse
|
||||
}
|
||||
|
||||
completeRuleResponses := imageResponse.PolicyResponse.Rules
|
||||
var combineRuleResponses []engineapi.RuleResponse
|
||||
|
||||
ruleNameType := make(map[string][]engineapi.RuleResponse)
|
||||
for _, rsp := range completeRuleResponses {
|
||||
key := rsp.Name() + ";" + string(rsp.RuleType())
|
||||
ruleNameType[key] = append(ruleNameType[key], rsp)
|
||||
}
|
||||
|
||||
for key, ruleResponses := range ruleNameType {
|
||||
tokens := strings.Split(key, ";")
|
||||
ruleName := tokens[0]
|
||||
ruleType := tokens[1]
|
||||
var failRuleResponses []engineapi.RuleResponse
|
||||
var errorRuleResponses []engineapi.RuleResponse
|
||||
var passRuleResponses []engineapi.RuleResponse
|
||||
var skipRuleResponses []engineapi.RuleResponse
|
||||
|
||||
ruleMesssage := ""
|
||||
for _, rsp := range ruleResponses {
|
||||
if rsp.Status() == engineapi.RuleStatusFail {
|
||||
failRuleResponses = append(failRuleResponses, rsp)
|
||||
} else if rsp.Status() == engineapi.RuleStatusError {
|
||||
errorRuleResponses = append(errorRuleResponses, rsp)
|
||||
} else if rsp.Status() == engineapi.RuleStatusPass {
|
||||
passRuleResponses = append(passRuleResponses, rsp)
|
||||
} else if rsp.Status() == engineapi.RuleStatusSkip {
|
||||
skipRuleResponses = append(skipRuleResponses, rsp)
|
||||
}
|
||||
}
|
||||
if len(errorRuleResponses) > 0 {
|
||||
for _, errRsp := range errorRuleResponses {
|
||||
ruleMesssage += errRsp.Message() + ";"
|
||||
}
|
||||
errorResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusError)
|
||||
combineRuleResponses = append(combineRuleResponses, *errorResponse)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(failRuleResponses) > 0 {
|
||||
for _, failRsp := range failRuleResponses {
|
||||
ruleMesssage += failRsp.Message() + ";"
|
||||
}
|
||||
failResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusFail)
|
||||
combineRuleResponses = append(combineRuleResponses, *failResponse)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(passRuleResponses) > 0 {
|
||||
for _, passRsp := range passRuleResponses {
|
||||
ruleMesssage += passRsp.Message() + ";"
|
||||
}
|
||||
passResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusPass)
|
||||
combineRuleResponses = append(combineRuleResponses, *passResponse)
|
||||
continue
|
||||
}
|
||||
|
||||
for _, skipRsp := range skipRuleResponses {
|
||||
ruleMesssage += skipRsp.Message() + ";"
|
||||
}
|
||||
skipResponse := engineapi.NewRuleResponse(ruleName, engineapi.RuleType(ruleType), ruleMesssage, engineapi.RuleStatusSkip)
|
||||
combineRuleResponses = append(combineRuleResponses, *skipResponse)
|
||||
}
|
||||
imageResponse.PolicyResponse.Rules = combineRuleResponses
|
||||
return imageResponse
|
||||
}
|
||||
|
|
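Review bot: The calls `combineRuleResponses(mutateResponse)` in the first hunk and `combineRuleResponses(generateResponse)` in the fourth discard the function's return value, and because `combineRuleResponses` takes the response by value and returns a modified copy, the mutate and generate responses appended to `engineResponses` right afterwards are the uncombined originals (the validate and verifyImages call sites assign the result correctly); change them to `mutateResponse = combineRuleResponses(mutateResponse)` and `generateResponse = combineRuleResponses(generateResponse)`. Inside `combineRuleResponses`, the map is keyed by `rsp.Name() + ";" + string(rsp.RuleType())` and unpacked with `strings.Split(key, ";")`, so a rule name containing `;` would be mis-split, and ranging over the map makes the order of the combined rules differ from run to run, which anything that consumes the rule list positionally (printed CLI output, report diffs) will observe. A struct key plus a first-seen order slice removes both problems, as sketched below, and the `engineapi.RuleType(ruleType)` conversions in the four `NewRuleResponse` calls then become plain `ruleType`. The loop body that the first four hunks patch begins outside the hunks, and the local `ruleMesssage` is misspelled (`ruleMessage`).
```go
// ruleKey identifies one rule within a policy response without packing
// name and type into a delimited string.
type ruleKey struct {
	name string
	typ  engineapi.RuleType
}

func combineRuleResponses(imageResponse engineapi.EngineResponse) engineapi.EngineResponse {
	// … unchanged: early return when RulesAppliedCount() == 0 …
	completeRuleResponses := imageResponse.PolicyResponse.Rules
	var combineRuleResponses []engineapi.RuleResponse

	// Group by (name, type) and record first-seen order so the output is stable.
	ruleNameType := make(map[ruleKey][]engineapi.RuleResponse)
	var order []ruleKey
	for _, rsp := range completeRuleResponses {
		key := ruleKey{name: rsp.Name(), typ: rsp.RuleType()}
		if _, seen := ruleNameType[key]; !seen {
			order = append(order, key)
		}
		ruleNameType[key] = append(ruleNameType[key], rsp)
	}

	for _, key := range order {
		ruleResponses := ruleNameType[key]
		ruleName, ruleType := key.name, key.typ
		// … unchanged: bucket by status, join messages with ";", emit one RuleResponse per bucket …
		// (pass ruleType to NewRuleResponse directly; no engineapi.RuleType(...) conversion needed)
	}
	// … unchanged: assign combineRuleResponses to PolicyResponse.Rules and return …
}
```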
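--- a/test/cli/test/container_reorder/kyverno-test.yaml
+++ b/test/cli/test/container_reorder/kyverno-test.yaml
@@ -0,0 +1,16 @@
+name: test-image-verify-signature
+policies:
+- policy.yml
+resources:
+- resources.yaml
+results:
+- policy: check-image
+rule: verify-signature
+resource: signed-first
+kind: Pod
+status: fail
+- policy: check-image
+rule: verify-signature
+resource: unsigned-first
+kind: Pod
+status: fail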
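--- a/test/cli/test/container_reorder/policy.yml
+++ b/test/cli/test/container_reorder/policy.yml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: check-image
+annotations:
+pod-policies.kyverno.io/autogen-controllers: none
+spec:
+validationFailureAction: enforce
+background: false
+rules:
+- name: verify-signature
+match:
+resources:
+kinds:
+- Pod
+verifyImages:
+- imageReferences:
+- "*"
+attestors:
+- count: 1
+entries:
+- keys:
+publicKeys: |-
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL
+bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg==
+-----END PUBLIC KEY-----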
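--- a/test/cli/test/container_reorder/resources.yaml
+++ b/test/cli/test/container_reorder/resources.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: signed-first
+spec:
+containers:
+- name: signed
+image: ghcr.io/hackeramitkumar/test5:app
+- name: unsigned
+image: ghcr.io/hackeramitkumar/test6:app
+---
+apiVersion: v1
+kind: Pod
+metadata:
+name: unsigned-first
+spec:
+containers:
+- name: unsigned
+image: ghcr.io/hackeramitkumar/test6:app
+- name: signed
+image: ghcr.io/hackeramitkumar/test5:app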
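Review bot: Both fixture Pods reference `ghcr.io/hackeramitkumar/test5:app` and `ghcr.io/hackeramitkumar/test6:app` by mutable tag in a user-owned registry namespace, so the `fail` results expected in kyverno-test.yaml depend on what those tags point to, and on the registry being reachable, at the time the CLI test runs rather than on the committed fixture alone. Pinning each image by digest, e.g. `image: ghcr.io/hackeramitkumar/test5@sha256:<digest-of-signed-image>` (placeholder), keeps the signed/unsigned distinction fixed to exactly the artifacts the test was written against. A short comment in the fixture stating which image is signed with the key in policy.yml and which is not would also help the next maintainer understand why both orderings are expected to fail.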