mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00

fix: sort pod controllers for autogen rule (#10140)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
shuting 2024-04-30 20:26:12 +08:00 committed by GitHub
parent 77f1f97f6e
commit 96ffbadd77
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 16 additions and 9 deletions


@ -43,7 +43,7 @@ func checkAutogenSupport(needed *bool, subjects ...kyvernov1.ResourceDescription
// stripCronJob removes CronJob from controllers
func stripCronJob(controllers string) string {
var newControllers []string
controllerArr := strings.Split(controllers, ",")
controllerArr := splitKinds(controllers, ",")
for _, c := range controllerArr {
if c == PodControllerCronJob {
continue
@ -134,7 +134,7 @@ func GetRequestedControllers(meta *metav1.ObjectMeta) sets.Set[string] {
if controllers == "none" {
return sets.New[string]()
}
return sets.New(strings.Split(controllers, ",")...)
return sets.New(splitKinds(controllers, ",")...)
}
// GetControllers computes the autogen controllers that should be applied to a policy.
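Review bot: In `GetRequestedControllers` the sorted slice goes straight into `sets.New(...)`, and a set keeps no element order, so the sort done by `splitKinds` has no effect at this call site. Either keep `strings.Split(controllers, ",")` there or add a comment such as `// order is irrelevant for the set; splitKinds is used for consistency with the other call sites`, so the next reader does not assume the set is ordered. In `stripCronJob` the switch is meaningful, because the filtered slice keeps the sorted order. Both function bodies continue outside the hunks shown.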


@ -1,6 +1,7 @@
package autogen
import (
"sort"
"strings"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
@ -255,7 +256,7 @@ func generateRuleForControllers(rule *kyvernov1.Rule, controllers string) *kyver
"ReplicaSet": 1,
"ReplicationController": 1,
}
for _, value := range strings.Split(controllers, ",") {
for _, value := range splitKinds(controllers, ",") {
if _, ok := controllersList[value]; ok {
controllersValidated = append(controllersValidated, value)
}
@ -276,13 +277,19 @@ func generateRuleForControllers(rule *kyvernov1.Rule, controllers string) *kyver
rule,
"template",
"spec/template",
strings.Split(controllers, ","),
splitKinds(controllers, ","),
func(r kyvernov1.ResourceFilters, kinds []string) kyvernov1.ResourceFilters {
return getAnyAllAutogenRule(r, "Pod", kinds)
},
)
}
func splitKinds(controllers, separator string) []string {
kinds := strings.Split(controllers, separator)
sort.Strings(kinds)
return kinds
}
func generateCronJobRule(rule *kyvernov1.Rule, controllers string) *kyvernov1.Rule {
hasCronJob := strings.Contains(controllers, PodControllerCronJob) || strings.Contains(controllers, "all")
if !hasCronJob {
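Review bot: `splitKinds` sorts the entries but does not trim them or drop empty ones, so a controllers value such as `Deployment, Job` or one with a trailing comma yields ` Job` or an empty entry; the `controllersList[value]` lookup in `generateRuleForControllers` then skips it silently, which presumably leaves that kind out of the generated rule. For a policy engine that is a silent coverage gap, so the helper should trim each entry and skip empty ones before sorting, and carry a doc comment. Whether the value is validated before it reaches this code is not visible here, and with this change an empty input returns no entries instead of one empty string, so callers outside the hunks need checking. `generateRuleForControllers` starts and ends outside the hunks shown.

```go
// splitKinds splits controllers on separator and returns the kinds in
// canonical form: trimmed, without empty entries, and sorted.
func splitKinds(controllers, separator string) []string {
	var kinds []string
	for _, kind := range strings.Split(controllers, separator) {
		if kind = strings.TrimSpace(kind); kind != "" {
			kinds = append(kinds, kind)
		}
	}
	sort.Strings(kinds)
	return kinds
}
```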


@ -13,9 +13,9 @@ status:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
- StatefulSet
name: autogen-allowed-fluxcd-annotations
validate:
deny:


@ -41,8 +41,8 @@ status:
- resources:
kinds:
- Deployment
- StatefulSet
- Job
- StatefulSet
name: autogen-require-image-tag
validate:
message: An image tag is required.
@ -57,8 +57,8 @@ status:
- resources:
kinds:
- Deployment
- StatefulSet
- Job
- StatefulSet
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.


@ -43,9 +43,9 @@ status:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
- StatefulSet
name: autogen-require-image-tag
validate:
message: An image tag is required.
@ -78,9 +78,9 @@ status:
- DaemonSet
- Deployment
- Job
- StatefulSet
- ReplicaSet
- ReplicationController
- StatefulSet
name: autogen-validate-image-tag
validate:
message: Using a mutable image tag e.g. 'latest' is not allowed.