mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
update testing v1
This commit is contained in:
shivkumar dudhani
parent
a5e1b43eb7
commit
9af6bf9003
7 changed files with 39 additions and 7 deletions
|
|
@ -218,6 +218,5 @@ spec:
|
||||||
required:
|
required:
|
||||||
- name
|
- name
|
||||||
- type
|
- type
|
||||||
- status
|
|
||||||
- message
|
- message
|
||||||
---
|
---
|
||||||
|
|
@ -178,6 +178,7 @@ func (in *PolicyViolation) DeepCopyInto(out *PolicyViolation) {
|
||||||
out.TypeMeta = in.TypeMeta
|
out.TypeMeta = in.TypeMeta
|
||||||
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
|
||||||
in.Spec.DeepCopyInto(&out.Spec)
|
in.Spec.DeepCopyInto(&out.Spec)
|
||||||
|
in.Status.DeepCopyInto(&out.Status)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -254,6 +255,23 @@ func (in *PolicyViolationSpec) DeepCopy() *PolicyViolationSpec {
|
||||||
return out
|
return out
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
|
func (in *PolicyViolationStatus) DeepCopyInto(out *PolicyViolationStatus) {
|
||||||
|
*out = *in
|
||||||
|
in.LastUpdateTime.DeepCopyInto(&out.LastUpdateTime)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyViolationStatus.
|
||||||
|
func (in *PolicyViolationStatus) DeepCopy() *PolicyViolationStatus {
|
||||||
|
if in == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
out := new(PolicyViolationStatus)
|
||||||
|
in.DeepCopyInto(out)
|
||||||
|
return out
|
||||||
|
}
|
||||||
|
|
||||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||||
func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription) {
|
func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription) {
|
||||||
*out = *in
|
*out = *in
|
||||||
|
|
|
||||||
|
|
@ -84,7 +84,7 @@ func NewPolicyViolationController(client *client.Client, kyvernoClient *kyvernoc
|
||||||
pvc.pLister = pInformer.Lister()
|
pvc.pLister = pInformer.Lister()
|
||||||
pvc.pvLister = pvInformer.Lister()
|
pvc.pvLister = pvInformer.Lister()
|
||||||
pvc.pListerSynced = pInformer.Informer().HasSynced
|
pvc.pListerSynced = pInformer.Informer().HasSynced
|
||||||
pvc.pvListerSynced = pInformer.Informer().HasSynced
|
pvc.pvListerSynced = pvInformer.Informer().HasSynced
|
||||||
|
|
||||||
return &pvc, nil
|
return &pvc, nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -15,5 +15,6 @@ func BuildPolicyViolation(policy string, resource kyverno.ResourceSpec, fRules [
|
||||||
}
|
}
|
||||||
//TODO: check if this can be removed or use unstructured?
|
//TODO: check if this can be removed or use unstructured?
|
||||||
// pv.Kind = "PolicyViolation"
|
// pv.Kind = "PolicyViolation"
|
||||||
|
pv.SetGenerateName("pv-")
|
||||||
return pv
|
return pv
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -16,6 +16,7 @@ import (
|
||||||
"github.com/nirmata/kyverno/pkg/event"
|
"github.com/nirmata/kyverno/pkg/event"
|
||||||
"github.com/nirmata/kyverno/pkg/info"
|
"github.com/nirmata/kyverno/pkg/info"
|
||||||
"github.com/nirmata/kyverno/pkg/policyviolation"
|
"github.com/nirmata/kyverno/pkg/policyviolation"
|
||||||
|
"k8s.io/client-go/tools/cache"
|
||||||
)
|
)
|
||||||
|
|
||||||
//TODO: change validation from bool -> enum(validation, mutation)
|
//TODO: change validation from bool -> enum(validation, mutation)
|
||||||
|
|
@ -125,7 +126,7 @@ func buildPolicyViolationsForAPolicy(pi info.PolicyInfo) kyverno.PolicyViolation
|
||||||
}
|
}
|
||||||
|
|
||||||
//generatePolicyViolations generate policyViolation resources for the rules that failed
|
//generatePolicyViolations generate policyViolation resources for the rules that failed
|
||||||
func generatePolicyViolations(pvLister lister.PolicyViolationLister, client *kyvernoclient.Clientset, policyInfos []info.PolicyInfo) {
|
func generatePolicyViolations(pvListerSynced cache.InformerSynced, pvLister lister.PolicyViolationLister, client *kyvernoclient.Clientset, policyInfos []info.PolicyInfo) {
|
||||||
var pvs []kyverno.PolicyViolation
|
var pvs []kyverno.PolicyViolation
|
||||||
for _, policyInfo := range policyInfos {
|
for _, policyInfo := range policyInfos {
|
||||||
if !policyInfo.IsSuccessful() {
|
if !policyInfo.IsSuccessful() {
|
||||||
|
|
@ -141,7 +142,7 @@ func generatePolicyViolations(pvLister lister.PolicyViolationLister, client *kyv
|
||||||
glog.V(4).Infof("creating policyViolation resource for policy %s and resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.Kind, newPv.Spec.Namespace, newPv.Spec.Name)
|
glog.V(4).Infof("creating policyViolation resource for policy %s and resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.Kind, newPv.Spec.Namespace, newPv.Spec.Name)
|
||||||
|
|
||||||
// check if there was a previous violation for policy & resource combination
|
// check if there was a previous violation for policy & resource combination
|
||||||
curPv, err := getExistingPolicyViolationIfAny(pvLister, newPv)
|
curPv, err := getExistingPolicyViolationIfAny(pvListerSynced, pvLister, newPv)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
@ -171,9 +172,9 @@ func generatePolicyViolations(pvLister lister.PolicyViolationLister, client *kyv
|
||||||
}
|
}
|
||||||
|
|
||||||
//TODO: change the name
|
//TODO: change the name
|
||||||
func getExistingPolicyViolationIfAny(pvLister lister.PolicyViolationLister, newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
|
func getExistingPolicyViolationIfAny(pvListerSynced cache.InformerSynced, pvLister lister.PolicyViolationLister, newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
|
||||||
// TODO: check for existing ov using label selectors on resource and policy
|
// TODO: check for existing ov using label selectors on resource and policy
|
||||||
labelMap := map[string]string{"policy": newPv.Spec.Name, "resource": newPv.Spec.ResourceSpec.ToKey()}
|
labelMap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
|
||||||
ls := &metav1.LabelSelector{}
|
ls := &metav1.LabelSelector{}
|
||||||
err := metav1.Convert_Map_string_To_string_To_v1_LabelSelector(&labelMap, ls, nil)
|
err := metav1.Convert_Map_string_To_string_To_v1_LabelSelector(&labelMap, ls, nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
@ -186,6 +187,14 @@ func getExistingPolicyViolationIfAny(pvLister lister.PolicyViolationLister, newP
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//TODO: sync the cache before reading from it ?
|
||||||
|
// check is this is needed ?
|
||||||
|
// stopCh := make(chan struct{}, 0)
|
||||||
|
// if !cache.WaitForCacheSync(stopCh, pvListerSynced) {
|
||||||
|
// //TODO: can this be handled or avoided ?
|
||||||
|
// glog.Info("unable to sync policy violation shared informer cache, might be out of sync")
|
||||||
|
// }
|
||||||
|
|
||||||
pvs, err := pvLister.List(policyViolationSelector)
|
pvs, err := pvLister.List(policyViolationSelector)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
glog.Errorf("unable to list policy violations with label selector %v: %v", policyViolationSelector, err)
|
glog.Errorf("unable to list policy violations with label selector %v: %v", policyViolationSelector, err)
|
||||||
|
|
|
||||||
|
|
@ -20,6 +20,7 @@ import (
|
||||||
tlsutils "github.com/nirmata/kyverno/pkg/tls"
|
tlsutils "github.com/nirmata/kyverno/pkg/tls"
|
||||||
"github.com/nirmata/kyverno/pkg/utils"
|
"github.com/nirmata/kyverno/pkg/utils"
|
||||||
v1beta1 "k8s.io/api/admission/v1beta1"
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
||||||
|
"k8s.io/client-go/tools/cache"
|
||||||
)
|
)
|
||||||
|
|
||||||
// WebhookServer contains configured TLS server with MutationWebhook.
|
// WebhookServer contains configured TLS server with MutationWebhook.
|
||||||
|
|
@ -30,6 +31,8 @@ type WebhookServer struct {
|
||||||
kyvernoClient *kyvernoclient.Clientset
|
kyvernoClient *kyvernoclient.Clientset
|
||||||
pLister lister.PolicyLister
|
pLister lister.PolicyLister
|
||||||
pvLister lister.PolicyViolationLister
|
pvLister lister.PolicyViolationLister
|
||||||
|
pListerSynced cache.InformerSynced
|
||||||
|
pvListerSynced cache.InformerSynced
|
||||||
eventGen event.Interface
|
eventGen event.Interface
|
||||||
filterK8Resources []utils.K8Resource
|
filterK8Resources []utils.K8Resource
|
||||||
}
|
}
|
||||||
|
|
@ -61,6 +64,8 @@ func NewWebhookServer(
|
||||||
kyvernoClient: kyvernoClient,
|
kyvernoClient: kyvernoClient,
|
||||||
pLister: pInformer.Lister(),
|
pLister: pInformer.Lister(),
|
||||||
pvLister: pvInormer.Lister(),
|
pvLister: pvInormer.Lister(),
|
||||||
|
pListerSynced: pInformer.Informer().HasSynced,
|
||||||
|
pvListerSynced: pInformer.Informer().HasSynced,
|
||||||
eventGen: eventGen,
|
eventGen: eventGen,
|
||||||
filterK8Resources: utils.ParseKinds(filterK8Resources),
|
filterK8Resources: utils.ParseKinds(filterK8Resources),
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -95,7 +95,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
||||||
}
|
}
|
||||||
|
|
||||||
// ADD POLICY VIOLATIONS
|
// ADD POLICY VIOLATIONS
|
||||||
generatePolicyViolations(ws.pvLister, ws.kyvernoClient, policyInfos)
|
generatePolicyViolations(ws.pvListerSynced, ws.pvLister, ws.kyvernoClient, policyInfos)
|
||||||
|
|
||||||
return &v1beta1.AdmissionResponse{
|
return &v1beta1.AdmissionResponse{
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue