mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Merge pull request #1352 from kyverno/1332_wildcards_in_labels

Browse source 
1332 wildcards in labels and annotations
This commit is contained in:
Jim Bugwadia 2020-12-03 13:56:56 -08:00 committed by GitHub
commit 9cae63ea03
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 1218 additions and 3007 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1283
charts/kyverno/crds/crds.yaml
View file

File diff suppressed because it is too large Load diff

72
definitions/crds/kyverno.io_clusterpolicies.yaml
View file

@ -54,13 +54,16 @@ spec:
name).
type: boolean
rules:
description: Rules is a list of Rule instances
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
items:
description: Rule defines a validation, mutation, or generation
control for matching resources.
control for matching resources. Each rules contains a match declaration
to select resources, and an optional exclude declaration to specify
which resources to exclude.
properties:
context:
description: Context defines data sources and variables that
description: Context defines variables and data sources that
can be used during rule execution.
items:
description: ContextEntry adds variables and data sources
@ -79,8 +82,10 @@ spec:
type: object
type: array
exclude:
description: ExcludeResources selects resources to which the
policy rule should not be applied.
description: ExcludeResources defines when this policy rule
should not be applied. The exclude criteria can include resource
information (e.g. kind, name, namespace, labels) and admission
review request information like the name or role.
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
@ -95,10 +100,11 @@ spec:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (string
key-value pairs). Annotation values supports wildcard
characters "*" (matches zero or many characters) and
"?" (at least one character).
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@ -118,7 +124,13 @@ spec:
type: string
type: array
selector:
description: Selector is a label selector.
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
@ -208,7 +220,7 @@ spec:
type: array
type: object
generate:
description: Generation creates new resources.
description: Generation is used to create new resources.
properties:
apiVersion:
description: APIVersion specifies resource apiVersion.
@ -246,8 +258,11 @@ spec:
type: boolean
type: object
match:
description: MatchResources selects resources to which the policy
rule should be applied. At least one kind is required.
description: MatchResources defines when this policy rule should
be applied. The match criteria can include resource information
(e.g. kind, name, namespace, labels) and admission review
request information like the user name or role. At least one
kind is required.
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
@ -262,10 +277,11 @@ spec:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (string
key-value pairs). Annotation values supports wildcard
characters "*" (matches zero or many characters) and
"?" (at least one character).
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@ -285,7 +301,13 @@ spec:
type: string
type: array
selector:
description: Selector is a label selector.
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
@ -375,7 +397,7 @@ spec:
type: array
type: object
mutate:
description: Mutation modifies matching resources.
description: Mutation is used to modify matching resources.
properties:
overlay:
description: Overlay specifies an overlay pattern to modify
@ -415,12 +437,14 @@ spec:
type: string
type: object
name:
description: Name is a label to identify the rule, Must be unique
within the policy.
description: Name is a label to identify the rule, It must be
unique within the policy.
type: string
preconditions:
description: Conditions enabled variable-based conditional rule
execution.
description: Conditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation.
items:
description: Condition defines variable-based conditional
criteria for rule execution.
@ -445,7 +469,7 @@ spec:
type: object
type: array
validate:
description: Validation checks matching resources.
description: Validation is used to validate matching resources.
properties:
anyPattern:
description: AnyPattern specifies list of validation patterns.

76
definitions/crds/kyverno.io_policies.yaml
View file

@ -45,7 +45,7 @@ spec:
metadata:
type: object
spec:
description: Spec declares policy behaviors.
description: Spec defines policy behaviors and contains one or rules.
properties:
background:
description: Background controls if rules are applied to existing
@ -55,13 +55,16 @@ spec:
name).
type: boolean
rules:
description: Rules is a list of Rule instances
description: Rules is a list of Rule instances. A Policy contains
multiple rules and each rule can validate, mutate, or generate resources.
items:
description: Rule defines a validation, mutation, or generation
control for matching resources.
control for matching resources. Each rules contains a match declaration
to select resources, and an optional exclude declaration to specify
which resources to exclude.
properties:
context:
description: Context defines data sources and variables that
description: Context defines variables and data sources that
can be used during rule execution.
items:
description: ContextEntry adds variables and data sources
@ -80,8 +83,10 @@ spec:
type: object
type: array
exclude:
description: ExcludeResources selects resources to which the
policy rule should not be applied.
description: ExcludeResources defines when this policy rule
should not be applied. The exclude criteria can include resource
information (e.g. kind, name, namespace, labels) and admission
review request information like the name or role.
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
@ -96,10 +101,11 @@ spec:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (string
key-value pairs). Annotation values supports wildcard
characters "*" (matches zero or many characters) and
"?" (at least one character).
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@ -119,7 +125,13 @@ spec:
type: string
type: array
selector:
description: Selector is a label selector.
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
@ -209,7 +221,7 @@ spec:
type: array
type: object
generate:
description: Generation creates new resources.
description: Generation is used to create new resources.
properties:
apiVersion:
description: APIVersion specifies resource apiVersion.
@ -247,8 +259,11 @@ spec:
type: boolean
type: object
match:
description: MatchResources selects resources to which the policy
rule should be applied. At least one kind is required.
description: MatchResources defines when this policy rule should
be applied. The match criteria can include resource information
(e.g. kind, name, namespace, labels) and admission review
request information like the user name or role. At least one
kind is required.
properties:
clusterRoles:
description: ClusterRoles is the list of cluster-wide role
@ -263,10 +278,11 @@ spec:
annotations:
additionalProperties:
type: string
description: Annotations is a map of annotations (string
key-value pairs). Annotation values supports wildcard
characters "*" (matches zero or many characters) and
"?" (at least one character).
description: Annotations is a map of annotations (key-value
pairs of type string). Annotation keys and values
support the wildcard characters "*" (matches zero
or many characters) and "?" (matches at least one
character).
type: object
kinds:
description: Kinds is a list of resource kinds.
@ -286,7 +302,13 @@ spec:
type: string
type: array
selector:
description: Selector is a label selector.
description: 'Selector is a label selector. Label keys
and values in `matchLabels` support the wildcard characters
`*` (matches zero or many characters) and `?` (matches
one character). Wildcards allows writing label selectors
like ["storage.k8s.io/*": "*"]. Note that using ["*"
: "*"] matches any key and value but does not match
an empty label set.'
properties:
matchExpressions:
description: matchExpressions is a list of label
@ -376,7 +398,7 @@ spec:
type: array
type: object
mutate:
description: Mutation modifies matching resources.
description: Mutation is used to modify matching resources.
properties:
overlay:
description: Overlay specifies an overlay pattern to modify
@ -416,12 +438,14 @@ spec:
type: string
type: object
name:
description: Name is a label to identify the rule, Must be unique
within the policy.
description: Name is a label to identify the rule, It must be
unique within the policy.
type: string
preconditions:
description: Conditions enabled variable-based conditional rule
execution.
description: Conditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation.
items:
description: Condition defines variable-based conditional
criteria for rule execution.
@ -446,7 +470,7 @@ spec:
type: object
type: array
validate:
description: Validation checks matching resources.
description: Validation is used to validate matching resources.
properties:
anyPattern:
description: AnyPattern specifies list of validation patterns.
@ -502,7 +526,7 @@ spec:
type: string
type: object
status:
description: Status contains policy runtime data.
description: Status contains policy runtime information.
properties:
averageExecutionTime:
description: AvgExecutionTime is the average time taken to process

1283
definitions/install.yaml
View file

File diff suppressed because it is too large Load diff

1283
definitions/install_debug.yaml
View file

File diff suppressed because it is too large Load diff

48
pkg/api/kyverno/v1/policy_types.go
View file

@ -27,18 +27,21 @@ type Policy struct {
metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
// Spec declares policy behaviors.
// Spec defines policy behaviors and contains one or rules.
Spec Spec `json:"spec" yaml:"spec"`
// Status contains policy runtime data.
// Status contains policy runtime information.
// +optional
Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}
// Spec contains a set of Rule instances and other policy controls.
// Spec contains a list of Rule instances and other policy controls.
type Spec struct {
// Rules is a list of Rule instances
// Rules is a list of Rule instances. A Policy contains multiple rules and
// each rule can validate, mutate, or generate resources.
Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`
// ValidationFailureAction controls if a validation policy rule failure should disallow
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional. The default value is "audit".
@ -53,35 +56,44 @@ type Spec struct {
}
// Rule defines a validation, mutation, or generation control for matching resources.
// Each rules contains a match declaration to select resources, and an optional exclude
// declaration to specify which resources to exclude.
type Rule struct {
// Name is a label to identify the rule, Must be unique within the policy.
// Name is a label to identify the rule, It must be unique within the policy.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
// Context defines data sources and variables that can be used during rule execution.
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
// MatchResources selects resources to which the policy rule should be applied.
// MatchResources defines when this policy rule should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the user name or role.
// At least one kind is required.
MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`
// ExcludeResources selects resources to which the policy rule should not be applied.
// ExcludeResources defines when this policy rule should not be applied. The exclude
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
ExcludeResources ExcludeResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
// Conditions enabled variable-based conditional rule execution.
// Conditions enable variable-based conditional rule execution. This is useful for
// finer control of when an rule is applied. A condition can reference object data
// using JMESPath notation.
// +optional
Conditions []Condition `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
// Mutation modifies matching resources.
// Mutation is used to modify matching resources.
// +optional
Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`
// Validation checks matching resources.
// Validation is used to validate matching resources.
// +optional
Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`
// Generation creates new resources.
// Generation is used to create new resources.
// +optional
Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`
}
@ -117,6 +129,7 @@ type Condition struct {
// ConditionOperator is the operation performed on condition key and value.
// +kubebuilder:validation:Enum=Equals;NotEquals;In;NotIn
type ConditionOperator string
const (
// Equal evaluates if the key is equal to the value.
// Deprecated. Use Equals instead.
@ -188,13 +201,16 @@ type ResourceDescription struct {
// +optional
Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
// Annotations is a map of annotations (string key-value pairs). Annotation values
// supports wildcard characters "*" (matches zero or many characters) and
// "?" (at least one character).
// Annotations is a map of annotations (key-value pairs of type string). Annotation keys
// and values support the wildcard characters "*" (matches zero or many characters) and
// "?" (matches at least one character).
// +optional
Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"`
// Selector is a label selector.
// Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
// characters `*` (matches zero or many characters) and `?` (matches one character).
// Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
// using ["*" : "*"] matches any key and value but does not match an empty label set.
// +optional
Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"`
}

73
pkg/engine/utils.go
View file

@ -4,22 +4,22 @@ import (
"encoding/json"
"errors"
"fmt"
"reflect"
"time"
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/resourcecache"
"github.com/kyverno/kyverno/pkg/utils"
"github.com/minio/minio/pkg/wildcard"
authenticationv1 "k8s.io/api/authentication/v1"
rbacv1 "k8s.io/api/rbac/v1"
"sigs.k8s.io/controller-runtime/pkg/log"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/minio/minio/pkg/wildcard"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/labels"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/resourcecache"
"k8s.io/apimachinery/pkg/runtime"
"reflect"
"sigs.k8s.io/controller-runtime/pkg/log"
"strings"
"time"
)
//EngineStats stores in the statistics for a single application of resource
@ -54,18 +54,29 @@ func checkNameSpace(namespaces []string, resourceNameSpace string) bool {
}
func checkAnnotations(annotations map[string]string, resourceAnnotations map[string]string) bool {
if len(annotations) == 0 {
return true
}
for k, v := range annotations {
if len(resourceAnnotations) == 0 {
return false
match := false
for k1, v1 := range resourceAnnotations {
if wildcard.Match(k, k1) && wildcard.Match(v, v1) {
match = true
break
}
}
if resourceAnnotations[k] != v {
if match == false {
return false
}
}
return true
}
func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) {
replaceWildcardsInSelector(labelSelector, resourceLabels)
selector, err := metav1.LabelSelectorAsSelector(labelSelector)
if err != nil {
log.Log.Error(err, "failed to build label selector")
@ -79,6 +90,48 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin
return false, nil
}
// replaceWildcardsInSelector replaces label selector keys and values containing
// wildcard characters with matching keys and values from the resource labels.
func replaceWildcardsInSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) {
result := map[string]string{}
for k, v := range labelSelector.MatchLabels {
if containsWildcards(k) || containsWildcards(v) {
matchK, matchV := expandWildcards(k, v, resourceLabels)
result[matchK] = matchV
} else {
result[k] = v
}
}
labelSelector.MatchLabels = result
}
func containsWildcards(s string) bool {
return strings.Contains(s, "*") || strings.Contains(s, "?")
}
func expandWildcards(k, v string, labels map[string]string) (key string, val string) {
for k1, v1 := range labels {
if wildcard.Match(k, k1) {
if wildcard.Match(v, v1) {
return k1, v1
}
}
}
k = replaceWildCardChars(k)
v = replaceWildCardChars(v)
return k, v
}
// replaceWildCardChars will replace '*' and '?' characters which are not
// supported by Kubernetes with a '0'.
func replaceWildCardChars(s string) string {
s = strings.Replace(s, "*", "0", -1)
s = strings.Replace(s, "?", "0", -1)
return s
}
// doesResourceMatchConditionBlock filters the resource with defined conditions
// for a match / exclude block, it has the following attributes:
// ResourceDescription:

72
pkg/engine/utils_test.go
View file

@ -480,3 +480,75 @@ func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) {
t.Errorf("Testcase has failed due to the following:\n Function has returned no error, even though it was supposed to fail")
}
}
func TestWildCardLabels(t *testing.T) {
testSelector(t, &metav1.LabelSelector{}, map[string]string{}, true)
testSelector(t, &metav1.LabelSelector{}, map[string]string{"foo": "bar"}, true)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"test.io/*": "bar"}},
map[string]string{"foo": "bar"}, false)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"scale.test.io/*": "bar"}},
map[string]string{"foo": "bar"}, false)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"test.io/*": "bar"}},
map[string]string{"test.io/scale": "foo", "test.io/functional": "bar"}, true)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"test.io/*": "*"}},
map[string]string{"test.io/scale": "foo", "test.io/functional": "bar"}, true)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"test.io/*": "a*"}},
map[string]string{"test.io/scale": "foo", "test.io/functional": "bar"}, false)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"test.io/scale": "f??"}},
map[string]string{"test.io/scale": "foo", "test.io/functional": "bar"}, true)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"*": "*"}},
map[string]string{"test.io/scale": "foo", "test.io/functional": "bar"}, true)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"test.io/functional": "foo"}},
map[string]string{"test.io/scale": "foo", "test.io/functional": "bar"}, false)
testSelector(t, &metav1.LabelSelector{MatchLabels: map[string]string{"*": "*"}},
map[string]string{}, false)
}
func testSelector(t *testing.T, s *metav1.LabelSelector, l map[string]string, match bool) {
res, err := checkSelector(s, l)
if err != nil {
t.Errorf("selector %v failed to select labels %v: %v", s.MatchLabels, l, err)
return
}
if res != match {
t.Errorf("select %v -> labels %v: expected %v received %v", s.MatchLabels, l, match, res)
}
}
func TestWildCardAnnotation(t *testing.T) {
// test single annotation values
testAnnotationMatch(t, map[string]string{}, map[string]string{}, true)
testAnnotationMatch(t, map[string]string{"test/*": "*"}, map[string]string{}, false)
testAnnotationMatch(t, map[string]string{"test/*": "*"}, map[string]string{"tes1/test": "*"}, false)
testAnnotationMatch(t, map[string]string{"test/*": "*"}, map[string]string{"test/test": "*"}, true)
testAnnotationMatch(t, map[string]string{"test/*": "*"}, map[string]string{"test/bar": "foo"}, true)
testAnnotationMatch(t, map[string]string{"test/b*": "*"}, map[string]string{"test/bar": "foo"}, true)
// test multiple annotation values
testAnnotationMatch(t, map[string]string{"test/b*": "*", "test2/*": "*"},
map[string]string{"test/bar": "foo"}, false)
testAnnotationMatch(t, map[string]string{"test/b*": "*", "test2/*": "*"},
map[string]string{"test/bar": "foo", "test2/123": "bar"}, true)
testAnnotationMatch(t, map[string]string{"test/b*": "*", "test2/*": "*"},
map[string]string{"test/bar": "foo", "test2/123": "bar", "test3/123": "bar2"}, true)
}
func testAnnotationMatch(t *testing.T, policy map[string]string, resource map[string]string, match bool) {
res := checkAnnotations(policy, resource)
if res != match {
t.Errorf("annotations %v -> labels %v: expected %v received %v", policy, resource, match, res)
}
}

6
pkg/policymutation/policymutation.go
View file

@ -213,8 +213,8 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logg
// as these fields may not be applicable to pod controllers
// scenario B: "none", user explicitly disable this feature -> skip
// scenario C: some certain controllers that user set -> generate on defined controllers
// copy entrie match / exclude block, it's users' responsibility to
// make sure all fields are applicable to pod cotrollers
// copy entire match / exclude block, it's users' responsibility to
// make sure all fields are applicable to pod controllers
// GeneratePodControllerRule returns two patches: rulePatches and annotation patch(if necessary)
func GeneratePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) {
@ -385,7 +385,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
return kyvernoRule{}
}
// Support backword compatibility
// Support backwards compatibility
skipAutoGeneration := false
var controllersValidated []string
if controllers == "all" {

21
pkg/webhooks/common.go
View file

@ -15,8 +15,8 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema"
)
// isResponseSuccesful return true if all responses are successful
func isResponseSuccesful(engineReponses []response.EngineResponse) bool {
// isResponseSuccessful return true if all responses are successful
func isResponseSuccessful(engineReponses []response.EngineResponse) bool {
for _, er := range engineReponses {
if !er.IsSuccessful() {
return false
@ -110,7 +110,7 @@ func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger)
return resource
}
func containRBACinfo(policies ...[]*kyverno.ClusterPolicy) bool {
func containRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {
for _, policySlice := range policies {
for _, policy := range policySlice {
for _, rule := range policy.Spec.Rules {
@ -167,10 +167,21 @@ func convertResource(raw []byte, group, version, kind, namespace string) (unstru
func excludeKyvernoResources(kind string) bool {
switch kind {
case "ClusterPolicy", "GenerateRequest", "Policy", "ClusterPolicyReport", "PolicyReport", "ClusterReportChangeRequest", "ReportChangeRequest":
case "ClusterPolicy":
return true
case "Policy":
return true
case "ClusterPolicyReport":
return true
case "PolicyReport":
return true
case "ReportChangeRequest":
return true
case "GenerateRequest":
return true
case "ClusterReportChangeRequest":
return true
default:
return false
}
}

2
pkg/webhooks/mutation.go
View file

@ -106,7 +106,7 @@ func (ws *WebhookServer) HandleMutation(
}
// if any of the policies fails, print out the error
if !isResponseSuccesful(engineResponses) {
if !isResponseSuccessful(engineResponses) {
logger.Info("failed to apply mutation rules on the resource, reporting policy violation", "errors", getErrorMsg(engineResponses))
}
}()

4
pkg/webhooks/server.go
View file

@ -287,7 +287,7 @@ func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1
// getRoleRef only if policy has roles/clusterroles defined
var roles, clusterRoles []string
var err error
if containRBACinfo(mutatePolicies, validatePolicies, generatePolicies) {
if containRBACInfo(mutatePolicies, validatePolicies, generatePolicies) {
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
if err != nil {
logger.Error(err, "failed to get RBAC information for request")
@ -414,7 +414,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
var roles, clusterRoles []string
var err error
// getRoleRef only if policy has roles/clusterroles defined
if containRBACinfo(policies) {
if containRBACInfo(policies) {
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
if err != nil {
logger.Error(err, "failed to get RBAC information for request")

2
pkg/webhooks/validate_audit.go
View file

@ -143,7 +143,7 @@ func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
nsPolicies := h.pCache.Get(policycache.ValidateAudit, &request.Namespace)
policies = append(policies, nsPolicies...)
// getRoleRef only if policy has roles/clusterroles defined
if containRBACinfo(policies) {
if containRBACInfo(policies) {
roles, clusterRoles, err = userinfo.GetRoleRef(h.rbLister, h.crbLister, request, h.configHandler)
if err != nil {
logger.Error(err, "failed to get RBAC information for request")