mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
fix annotation patch in mutate rule
parent
18fc8d691d
commit
a1ce6e4297
4 changed files with 24 additions and 11 deletions
|
@ -4,7 +4,6 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
// Mutate performs mutation. Overlay first and then mutation patches
|
||||
|
@ -34,7 +33,7 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
|
|||
response.PolicyResponse.RulesAppliedCount++
|
||||
}
|
||||
|
||||
var patchedResource unstructured.Unstructured
|
||||
patchedResource := policyContext.NewResource
|
||||
|
||||
for _, rule := range policy.Spec.Rules {
|
||||
//TODO: to be checked before calling the resources as well
|
||||
|
@ -61,13 +60,15 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
|
|||
// Process Overlay
|
||||
if rule.Mutation.Overlay != nil {
|
||||
var ruleResponse RuleResponse
|
||||
ruleResponse, patchedResource = processOverlay(rule, resource)
|
||||
ruleResponse, patchedResource = processOverlay(rule, patchedResource)
|
||||
if ruleResponse.Success == true && ruleResponse.Patches == nil {
|
||||
// overlay pattern does not match the resource conditions
|
||||
glog.V(4).Infof(ruleResponse.Message)
|
||||
continue
|
||||
} else if ruleResponse.Success == true {
|
||||
glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
|
||||
}
|
||||
glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
|
||||
|
||||
response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
|
||||
incrementAppliedRuleCount()
|
||||
}
|
||||
|
@ -75,7 +76,7 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
|
|||
// Process Patches
|
||||
if rule.Mutation.Patches != nil {
|
||||
var ruleResponse RuleResponse
|
||||
ruleResponse, patchedResource = processPatches(rule, resource)
|
||||
ruleResponse, patchedResource = processPatches(rule, patchedResource)
|
||||
glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
|
||||
response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
|
||||
incrementAppliedRuleCount()
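Review bot: The patches branch still logs `Mutate patches in rule '%s' successfully applied ...` unconditionally right after `processPatches(rule, patchedResource)`, while the overlay branch above now checks `ruleResponse.Success` before logging. In both branches a rule whose `Success` is false also appears to reach `incrementAppliedRuleCount()`, so the log and the counter can report a mutation that did not take place, which is misleading when the admission log serves as an audit trail. I would gate the patches log the same way, `if ruleResponse.Success { glog.Infof(...) }`, and confirm whether the counter is meant to include failed rules. In the overlay branch, `glog.V(4).Infof(ruleResponse.Message)` uses the message as a format string; `glog.V(4).Info(ruleResponse.Message)` keeps a `%` in the message from being misformatted. The body of Mutate starts and ends outside these hunks.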
|
||||
|
|
|
@ -53,6 +53,11 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
|
|||
}
|
||||
}
|
||||
|
||||
if len(patches) == 0 {
|
||||
response.Success = true
|
||||
return response, resource
|
||||
}
|
||||
|
||||
// convert to RAW
|
||||
resourceRaw, err := resource.MarshalJSON()
|
||||
if err != nil {
|
||||
|
@ -65,11 +70,13 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
|
|||
var patchResource []byte
|
||||
patchResource, err = ApplyPatches(resourceRaw, patches)
|
||||
if err != nil {
|
||||
glog.Info("failed to apply patch")
|
||||
msg := fmt.Sprintf("failed to apply JSON patches: %v", err)
|
||||
glog.V(2).Info(msg)
|
||||
response.Success = false
|
||||
response.Message = fmt.Sprintf("failed to apply JSON patches: %v", err)
|
||||
response.Message = msg
|
||||
return response, resource
|
||||
}
|
||||
|
||||
err = patchedResource.UnmarshalJSON(patchResource)
|
||||
if err != nil {
|
||||
glog.Infof("failed to unmarshall resource to undstructured: %v", err)
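Review bot: The new early return `if len(patches) == 0 { response.Success = true; return response, resource }` sets no `response.Message` in the lines visible here. The caller treats `Success == true` with nil `Patches` as "overlay pattern does not match", logs `ruleResponse.Message` and continues, so unless the message is filled in earlier in processOverlay the rule is skipped with an empty log line and no entry in the policy response. I would set a message before returning, for example `response.Message = fmt.Sprintf("overlay in rule '%s' produced no patches", rule.Name)`, and add a comment such as `// nothing to patch: the resource already matches the overlay`. The function body starts and ends outside these hunks.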
|
||||
|
|
|
@ -31,8 +31,12 @@ type response struct {
|
|||
|
||||
func generateAnnotationPatches(engineResponses []engine.EngineResponse) []byte {
|
||||
var annotations map[string]string
|
||||
if len(engineResponses) > 0 {
|
||||
annotations = engineResponses[0].PatchedResource.GetAnnotations()
|
||||
|
||||
for _, er := range engineResponses {
|
||||
if ann := er.PatchedResource.GetAnnotations(); ann != nil {
|
||||
annotations = ann
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if annotations == nil {
|
||||
|
@ -104,7 +108,7 @@ func annotationFromEngineResponses(engineResponses []engine.EngineResponse) []by
|
|||
|
||||
// return nil if there's no patches
|
||||
// otherwise result = null, len(result) = 4
|
||||
if policyPatches == nil {
|
||||
if len(policyPatches) == 0 {
|
||||
return nil
|
||||
}
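Review bot: The loop in generateAnnotationPatches takes the annotations from the first engine response whose `PatchedResource.GetAnnotations()` is non-nil and then breaks, with no comment saying why the first one is the right source. If the responses are ordered by policy and a later policy's mutation adds or changes annotations, the annotation patch would be computed against an earlier state and might replace them; I cannot confirm the ordering from this hunk. Please document the choice, for example `// annotations of the first patched resource that has any; later responses are assumed to carry the same set`, or iterate from the last response if that one holds the cumulative result. The `len(policyPatches) == 0` check in annotationFromEngineResponses is a sound tightening and the existing comment above it still applies.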
|
||||
|
||||
|
|
|
@ -59,6 +59,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, polic
|
|||
|
||||
// if not then set it from the api request
|
||||
resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})
|
||||
resource.SetNamespace(request.Namespace)
|
||||
var engineResponses []engine.EngineResponse
|
||||
policyContext := engine.PolicyContext{
|
||||
NewResource: *resource,
|
||||
|
@ -103,6 +104,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, polic
|
|||
}
|
||||
|
||||
sendStat(true)
|
||||
glog.Errorf("Failed to mutate the resource\n")
|
||||
glog.Errorf("Failed to mutate the resource, %s\n", getErrorMsg(engineResponses))
|
||||
return false, nil, getErrorMsg(engineResponses)
|
||||
}
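Review bot: The new error log calls `getErrorMsg(engineResponses)` a second time on the line before the return, and still does not say which resource was rejected. For an admission webhook the kind, namespace and name are what an operator needs to correlate a failure with a request, so I would compute the message once and include them: `msg := getErrorMsg(engineResponses)`, `glog.Errorf("Failed to mutate %s %s/%s: %s", request.Kind.Kind, request.Namespace, request.Name, msg)`, `return false, nil, msg`. The trailing `\n` is unnecessary because glog terminates each entry itself. HandleMutation's body starts and ends outside these hunks.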
|
||||
|
|