change flag & corrections

2025-04-09 10:42:22 +00:00 · 2019-07-16 15:53:14 -07:00 · 2019-07-16 15:53:14 -07:00 · a36ed10425
commit a36ed10425
parent 68a48373ae
6 changed files with 43 additions and 18 deletions
--- a/pkg/info/info.go
+++ b/pkg/info/info.go
@ -19,20 +19,20 @@ type PolicyInfo struct {
 	// empty on non-namespaced resources
 	RNamespace string
 	//TODO: add check/enum for types
-	Mode    string // BlockChanges, ReportViolation
-	Rules   []*RuleInfo
-	success bool
+	ValidationFailureAction string // BlockChanges, ReportViolation
+	Rules                   []*RuleInfo
+	success                 bool
 }

 //NewPolicyInfo returns a new policy info
-func NewPolicyInfo(policyName, rKind, rName, rNamespace, mode string) *PolicyInfo {
+func NewPolicyInfo(policyName, rKind, rName, rNamespace, validationFailureAction string) *PolicyInfo {
 	return &PolicyInfo{
-		Name:       policyName,
-		RKind:      rKind,
-		RName:      rName,
-		RNamespace: rNamespace,
-		success:    true, // fail to be set explicity
-		Mode:       mode,
+		Name:                    policyName,
+		RKind:                   rKind,
+		RName:                   rName,
+		RNamespace:              rNamespace,
+		success:                 true, // fail to be set explicity
+		ValidationFailureAction: validationFailureAction,
 	}
 }

--- a/pkg/violation/builder.go
+++ b/pkg/violation/builder.go
@ -82,7 +82,7 @@ func (b *builder) processViolation(info *Info) error {
 		}
 	}
 	// Info:
-	// Resource - Kind, Namespace, Name
+	// Key - Kind, Namespace, Name
 	// policy - Name
 	//	violation, ok := currVs[info.getKey()]
 	// Key -> resource
@ -232,6 +232,7 @@ func isRuleNamesEqual(currRules []interface{}, newRules []v1alpha1.FailedRule) b
 			return false
 		}
 		glog.Info(reflect.TypeOf(rfule["name"]))
+		// name
 		name, ok := rfule["name"].(string)
 		if !ok {
 			return false
@ -239,6 +240,16 @@ func isRuleNamesEqual(currRules []interface{}, newRules []v1alpha1.FailedRule) b
 		if name != newRules[i].Name {
 			return false
 		}
+		// type
+
+		rtype, ok := rfule["type"].(string)
+		if !ok {
+			return false
+		}
+		if rtype != newRules[i].Type {
+			return false
+		}
+
 	}
 	return true
 }
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@ -68,7 +68,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
 	}

 	if len(allPatches) > 0 {
-		eventsInfo, _ := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
+		eventsInfo, _ := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), false)
 		ws.eventController.Add(eventsInfo...)
 	}

--- a/pkg/webhooks/report.go
+++ b/pkg/webhooks/report.go
@ -10,13 +10,17 @@ import (
 	"github.com/nirmata/kyverno/pkg/info"
 )

-func newEventInfoFromPolicyInfo(policyInfoList []*info.PolicyInfo, onUpdate bool) ([]*event.Info, []*violation.Info) {
+//TODO: change validation from bool -> enum(validation, mutation)
+func newEventInfoFromPolicyInfo(policyInfoList []*info.PolicyInfo, onUpdate bool, validation bool) ([]*event.Info, []*violation.Info) {
 	var eventsInfo []*event.Info
 	var violations []*violation.Info
 	ok, msg := isAdmSuccesful(policyInfoList)
 	// Some policies failed to apply succesfully
 	if !ok {
 		for _, pi := range policyInfoList {
+			if pi.IsSuccessful() {
+				continue
+			}
 			rules := pi.FailedRules()
 			ruleNames := strings.Join(rules, ";")
 			if !onUpdate {
@ -34,7 +38,7 @@ func newEventInfoFromPolicyInfo(policyInfoList []*info.PolicyInfo, onUpdate bool
 				glog.V(3).Infof("Request blocked events info has prepared for %s/%s and %s/%s\n", policyKind, pi.Name, pi.RKind, pi.RName)
 			}
 			// if report flag is set
-			if pi.Mode == "reportViolation" {
+			if pi.ValidationFailureAction == ReportViolation && validation {
 				// Create Violations
 				v := violation.BuldNewViolation(pi.Name, pi.RKind, pi.RNamespace, pi.RName, event.PolicyViolation.String(), pi.GetFailedRules())
 				violations = append(violations, v)
--- a/pkg/webhooks/utils.go
+++ b/pkg/webhooks/utils.go
@ -85,6 +85,15 @@ func getApplicableKindsForPolicy(p *v1alpha1.Policy) []string {

 // Policy Reporting Modes
 const (
-	BlockChanges    = "blockChanges"
-	ReportViolation = "reportViolation"
+	BlockChanges    = "block"
+	ReportViolation = "report"
 )
+
+func toBlock(pis []*info.PolicyInfo) bool {
+	for _, pi := range pis {
+		if pi.ValidationFailureAction != ReportViolation {
+			return true
+		}
+	}
+	return false
+}
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@ -76,7 +76,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
 	}

 	if len(policyInfos) > 0 && len(policyInfos[0].Rules) != 0 {
-		eventsInfo, violations = newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
+		eventsInfo, violations = newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), true)
 		// If the validationFailureAction flag is set "report",
 		// then we dont block the request and report the violations
 		ws.violationBuilder.Add(violations...)
@ -88,7 +88,8 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
 	// violations are created if "report" flag is set
 	// and if there are any then we dont bock the resource creation
 	// Even if one the policy being applied
-	if !ok && violations == nil {
+
+	if !ok && toBlock(policyInfos) {
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{