mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-13 19:28:55 +00:00
fix: sort pod controllers for autogen rule (#10140)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
parent
77f1f97f6e
commit
96ffbadd77
5 changed files with 16 additions and 9 deletions
|
@ -43,7 +43,7 @@ func checkAutogenSupport(needed *bool, subjects ...kyvernov1.ResourceDescription
|
|||
// stripCronJob removes CronJob from controllers
|
||||
func stripCronJob(controllers string) string {
|
||||
var newControllers []string
|
||||
controllerArr := strings.Split(controllers, ",")
|
||||
controllerArr := splitKinds(controllers, ",")
|
||||
for _, c := range controllerArr {
|
||||
if c == PodControllerCronJob {
|
||||
continue
|
||||
|
@ -134,7 +134,7 @@ func GetRequestedControllers(meta *metav1.ObjectMeta) sets.Set[string] {
|
|||
if controllers == "none" {
|
||||
return sets.New[string]()
|
||||
}
|
||||
return sets.New(strings.Split(controllers, ",")...)
|
||||
return sets.New(splitKinds(controllers, ",")...)
|
||||
}
|
||||
|
||||
// GetControllers computes the autogen controllers that should be applied to a policy.
|
||||
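Review bot: In GetRequestedControllers the sorted slice from `splitKinds(controllers, ",")` goes straight into `sets.New(...)`, and a set carries no order, so the sort is wasted work at that call site. If a deterministic order is needed, it belongs where the set is read back, for example `sets.List(GetRequestedControllers(meta))`, while this line can stay a plain split. In stripCronJob the sort does change the order of the returned list, which looks like the intent of the commit, but the function body continues outside the hunk, so the join is not visible here.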
|
|
|
@ -1,6 +1,7 @@
|
|||
package autogen
|
||||
|
||||
import (
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
|
@ -255,7 +256,7 @@ func generateRuleForControllers(rule *kyvernov1.Rule, controllers string) *kyver
|
|||
"ReplicaSet": 1,
|
||||
"ReplicationController": 1,
|
||||
}
|
||||
for _, value := range strings.Split(controllers, ",") {
|
||||
for _, value := range splitKinds(controllers, ",") {
|
||||
if _, ok := controllersList[value]; ok {
|
||||
controllersValidated = append(controllersValidated, value)
|
||||
}
|
||||
|
@ -276,13 +277,19 @@ func generateRuleForControllers(rule *kyvernov1.Rule, controllers string) *kyver
|
|||
rule,
|
||||
"template",
|
||||
"spec/template",
|
||||
strings.Split(controllers, ","),
|
||||
splitKinds(controllers, ","),
|
||||
func(r kyvernov1.ResourceFilters, kinds []string) kyvernov1.ResourceFilters {
|
||||
return getAnyAllAutogenRule(r, "Pod", kinds)
|
||||
},
|
||||
)
|
||||
}
|
||||
|
||||
func splitKinds(controllers, separator string) []string {
|
||||
kinds := strings.Split(controllers, separator)
|
||||
sort.Strings(kinds)
|
||||
return kinds
|
||||
}
|
||||
|
||||
func generateCronJobRule(rule *kyvernov1.Rule, controllers string) *kyvernov1.Rule {
|
||||
hasCronJob := strings.Contains(controllers, PodControllerCronJob) || strings.Contains(controllers, "all")
|
||||
if !hasCronJob {
|
||||
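Review bot: splitKinds sorts the entries but neither trims them nor drops empty ones, while the validation loop in generateRuleForControllers uses an exact map lookup (`controllersList[value]`). A value such as `Deployment, StatefulSet` therefore silently loses ` StatefulSet`, and the autogenerated rule would not cover that kind. The string presumably comes from a user-set annotation, so a skipped kind becomes a quiet gap in policy coverage rather than a visible error. Normalizing inside the new helper, with a doc comment added, fixes every call site at once, including stripCronJob and GetRequestedControllers. An empty input would then yield an empty slice instead of one empty string, so callers outside these hunks should be checked.

```go
// splitKinds splits a separator-delimited controller list, trims each entry,
// drops empty entries and returns the remaining kinds in sorted order.
func splitKinds(controllers, separator string) []string {
	var kinds []string
	for _, kind := range strings.Split(controllers, separator) {
		if kind = strings.TrimSpace(kind); kind != "" {
			kinds = append(kinds, kind)
		}
	}
	sort.Strings(kinds)
	return kinds
}
```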
|
|
|
@ -13,9 +13,9 @@ status:
|
|||
- DaemonSet
|
||||
- Deployment
|
||||
- Job
|
||||
- StatefulSet
|
||||
- ReplicaSet
|
||||
- ReplicationController
|
||||
- StatefulSet
|
||||
name: autogen-allowed-fluxcd-annotations
|
||||
validate:
|
||||
deny:
|
||||
|
|
|
@ -41,8 +41,8 @@ status:
|
|||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- StatefulSet
|
||||
- Job
|
||||
- StatefulSet
|
||||
name: autogen-require-image-tag
|
||||
validate:
|
||||
message: An image tag is required.
|
||||
|
@ -57,8 +57,8 @@ status:
|
|||
- resources:
|
||||
kinds:
|
||||
- Deployment
|
||||
- StatefulSet
|
||||
- Job
|
||||
- StatefulSet
|
||||
name: autogen-validate-image-tag
|
||||
validate:
|
||||
message: Using a mutable image tag e.g. 'latest' is not allowed.
|
||||
|
|
|
@ -43,9 +43,9 @@ status:
|
|||
- DaemonSet
|
||||
- Deployment
|
||||
- Job
|
||||
- StatefulSet
|
||||
- ReplicaSet
|
||||
- ReplicationController
|
||||
- StatefulSet
|
||||
name: autogen-require-image-tag
|
||||
validate:
|
||||
message: An image tag is required.
|
||||
|
@ -78,9 +78,9 @@ status:
|
|||
- DaemonSet
|
||||
- Deployment
|
||||
- Job
|
||||
- StatefulSet
|
||||
- ReplicaSet
|
||||
- ReplicationController
|
||||
- StatefulSet
|
||||
name: autogen-validate-image-tag
|
||||
validate:
|
||||
message: Using a mutable image tag e.g. 'latest' is not allowed.
|
||||
|
|