mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 10:28:36 +00:00
update testing v1
This commit is contained in:
shivkumar dudhani
parent
a5e1b43eb7
commit
9af6bf9003
7 changed files with 39 additions and 7 deletions
|
|
@ -218,6 +218,5 @@ spec:
|
|||
required:
|
||||
- name
|
||||
- type
|
||||
- status
|
||||
- message
|
||||
---
|
||||
|
|
@ -178,6 +178,7 @@ func (in *PolicyViolation) DeepCopyInto(out *PolicyViolation) {
|
|||
out.TypeMeta = in.TypeMeta
|
||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||
in.Spec.DeepCopyInto(&out.Spec)
|
||||
in.Status.DeepCopyInto(&out.Status)
|
||||
return
|
||||
}
|
||||
|
||||
|
|
@ -254,6 +255,23 @@ func (in *PolicyViolationSpec) DeepCopy() *PolicyViolationSpec {
|
|||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *PolicyViolationStatus) DeepCopyInto(out *PolicyViolationStatus) {
|
||||
*out = *in
|
||||
in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyViolationStatus.
|
||||
func (in *PolicyViolationStatus) DeepCopy() *PolicyViolationStatus {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(PolicyViolationStatus)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription) {
|
||||
*out = *in
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ func NewPolicyViolationController(client *client.Client, kyvernoClient *kyvernoc
|
|||
pvc.pLister = pInformer.Lister()
|
||||
pvc.pvLister = pvInformer.Lister()
|
||||
pvc.pListerSynced = pInformer.Informer().HasSynced
|
||||
pvc.pvListerSynced = pInformer.Informer().HasSynced
|
||||
pvc.pvListerSynced = pvInformer.Informer().HasSynced
|
||||
|
||||
return &pvc, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -15,5 +15,6 @@ func BuildPolicyViolation(policy string, resource kyverno.ResourceSpec, fRules [
|
|||
}
|
||||
//TODO: check if this can be removed or use unstructured?
|
||||
// pv.Kind = "PolicyViolation"
|
||||
pv.SetGenerateName("pv-")
|
||||
return pv
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ import (
|
|||
"github.com/nirmata/kyverno/pkg/event"
|
||||
"github.com/nirmata/kyverno/pkg/info"
|
||||
"github.com/nirmata/kyverno/pkg/policyviolation"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
||||
//TODO: change validation from bool -> enum(validation, mutation)
|
||||
|
|
@ -125,7 +126,7 @@ func buildPolicyViolationsForAPolicy(pi info.PolicyInfo) kyverno.PolicyViolation
|
|||
}
|
||||
|
||||
//generatePolicyViolations generate policyViolation resources for the rules that failed
|
||||
func generatePolicyViolations(pvLister lister.PolicyViolationLister, client *kyvernoclient.Clientset, policyInfos []info.PolicyInfo) {
|
||||
func generatePolicyViolations(pvListerSynced cache.InformerSynced, pvLister lister.PolicyViolationLister, client *kyvernoclient.Clientset, policyInfos []info.PolicyInfo) {
|
||||
var pvs []kyverno.PolicyViolation
|
||||
for _, policyInfo := range policyInfos {
|
||||
if !policyInfo.IsSuccessful() {
|
||||
|
|
@ -141,7 +142,7 @@ func generatePolicyViolations(pvLister lister.PolicyViolationLister, client *kyv
|
|||
glog.V(4).Infof("creating policyViolation resource for policy %s and resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.Kind, newPv.Spec.Namespace, newPv.Spec.Name)
|
||||
|
||||
// check if there was a previous violation for policy & resource combination
|
||||
curPv, err := getExistingPolicyViolationIfAny(pvLister, newPv)
|
||||
curPv, err := getExistingPolicyViolationIfAny(pvListerSynced, pvLister, newPv)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
|
|
@ -171,9 +172,9 @@ func generatePolicyViolations(pvLister lister.PolicyViolationLister, client *kyv
|
|||
}
|
||||
|
||||
//TODO: change the name
|
||||
func getExistingPolicyViolationIfAny(pvLister lister.PolicyViolationLister, newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
|
||||
func getExistingPolicyViolationIfAny(pvListerSynced cache.InformerSynced, pvLister lister.PolicyViolationLister, newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
|
||||
// TODO: check for existing ov using label selectors on resource and policy
|
||||
labelMap := map[string]string{"policy": newPv.Spec.Name, "resource": newPv.Spec.ResourceSpec.ToKey()}
|
||||
labelMap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
|
||||
ls := &metav1.LabelSelector{}
|
||||
err := metav1.Convert_Map_string_To_string_To_v1_LabelSelector(&labelMap, ls, nil)
|
||||
if err != nil {
|
||||
|
|
@ -186,6 +187,14 @@ func getExistingPolicyViolationIfAny(pvLister lister.PolicyViolationLister, newP
|
|||
return nil, err
|
||||
}
|
||||
|
||||
//TODO: sync the cache before reading from it ?
|
||||
// check is this is needed ?
|
||||
// stopCh := make(chan struct{}, 0)
|
||||
// if !cache.WaitForCacheSync(stopCh, pvListerSynced) {
|
||||
// //TODO: can this be handled or avoided ?
|
||||
// glog.Info("unable to sync policy violation shared informer cache, might be out of sync")
|
||||
// }
|
||||
|
||||
pvs, err := pvLister.List(policyViolationSelector)
|
||||
if err != nil {
|
||||
glog.Errorf("unable to list policy violations with label selector %v: %v", policyViolationSelector, err)
|
||||
|
|
|
|||
|
|
@ -20,6 +20,7 @@ import (
|
|||
tlsutils "github.com/nirmata/kyverno/pkg/tls"
|
||||
"github.com/nirmata/kyverno/pkg/utils"
|
||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
||||
// WebhookServer contains configured TLS server with MutationWebhook.
|
||||
|
|
@ -30,6 +31,8 @@ type WebhookServer struct {
|
|||
kyvernoClient *kyvernoclient.Clientset
|
||||
pLister lister.PolicyLister
|
||||
pvLister lister.PolicyViolationLister
|
||||
pListerSynced cache.InformerSynced
|
||||
pvListerSynced cache.InformerSynced
|
||||
eventGen event.Interface
|
||||
filterK8Resources []utils.K8Resource
|
||||
}
|
||||
|
|
@ -61,6 +64,8 @@ func NewWebhookServer(
|
|||
kyvernoClient: kyvernoClient,
|
||||
pLister: pInformer.Lister(),
|
||||
pvLister: pvInormer.Lister(),
|
||||
pListerSynced: pInformer.Informer().HasSynced,
|
||||
pvListerSynced: pInformer.Informer().HasSynced,
|
||||
eventGen: eventGen,
|
||||
filterK8Resources: utils.ParseKinds(filterK8Resources),
|
||||
}
|
||||
|
|
|
|||
|
|
@ -95,7 +95,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
}
|
||||
|
||||
// ADD POLICY VIOLATIONS
|
||||
generatePolicyViolations(ws.pvLister, ws.kyvernoClient, policyInfos)
|
||||
generatePolicyViolations(ws.pvListerSynced, ws.pvLister, ws.kyvernoClient, policyInfos)
|
||||
|
||||
return &v1beta1.AdmissionResponse{
|
||||
Allowed: true,
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue