mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

Move generate process in validating webhook (#2615)

* moved generate process in validating webhook

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>

* moving handle generate source resource update logic

Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
Pooja Singh 2021-10-29 15:09:01 +05:30 committed by GitHub
parent f67ab9162b
commit adf39ed6fb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -300,20 +300,14 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
requestTime := time.Now().Unix()
kind := request.Kind.Kind
mutatePolicies := ws.pCache.GetPolicies(policycache.Mutate, kind, request.Namespace)
generatePolicies := ws.pCache.GetPolicies(policycache.Generate, kind, request.Namespace)
verifyImagesPolicies := ws.pCache.GetPolicies(policycache.VerifyImages, kind, request.Namespace)
if len(mutatePolicies) == 0 && len(generatePolicies) == 0 && len(verifyImagesPolicies) == 0 {
if len(mutatePolicies) == 0 && len(verifyImagesPolicies) == 0 {
logger.V(4).Info("no policies matched admission request")
if request.Operation == v1beta1.Update {
// handle generate source resource updates
go ws.handleUpdatesForGenerateRules(request, []*v1.ClusterPolicy{})
}
return successResponse(nil)
}
addRoles := containsRBACInfo(mutatePolicies, generatePolicies)
addRoles := containsRBACInfo(mutatePolicies)
policyContext, err := ws.buildPolicyContext(request, addRoles)
if err != nil {
logger.Error(err, "failed to build policy context")
@ -334,9 +328,6 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
return failureResponse(err.Error())
}
newRequest = patchRequest(imagePatches, newRequest, logger)
ws.applyGeneratePolicies(newRequest, policyContext, generatePolicies, requestTime, logger)
var patches = append(mutatePatches, imagePatches...)
return successResponse(patches)
}
@ -488,6 +479,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
if request.Operation == v1beta1.Delete {
ws.handleDelete(request)
}
if excludeKyvernoResources(request.Kind.Kind) {
return successResponse(nil)
}
@ -500,9 +492,15 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
// Get namespace policies from the cache for the requested resource namespace
nsPolicies := ws.pCache.GetPolicies(policycache.ValidateEnforce, kind, request.Namespace)
policies = append(policies, nsPolicies...)
generatePolicies := ws.pCache.GetPolicies(policycache.Generate, kind, request.Namespace)
if len(generatePolicies) == 0 && request.Operation == v1beta1.Update {
// handle generate source resource updates
go ws.handleUpdatesForGenerateRules(request, []*v1.ClusterPolicy{})
}
var roles, clusterRoles []string
if containsRBACInfo(policies) {
if containsRBACInfo(policies, generatePolicies) {
var err error
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
if err != nil {
@ -561,6 +559,9 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
// push admission request to audit handler, this won't block the admission request
ws.auditHandler.Add(request.DeepCopy())
// process generate policies
ws.applyGeneratePolicies(request, policyContext, generatePolicies, admissionRequestTimestamp, logger)
return successResponse(nil)
}
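Review bot: In resourceValidation the `go ws.handleUpdatesForGenerateRules(request, []*v1.ClusterPolicy{})` launch sits before the RBAC lookup and, as far as the visible hunks show, before the enforce decision, while `applyGeneratePolicies` was placed at the end just ahead of `successResponse(nil)`. If the function can still return a failure response in the lines between these hunks (not visible here), an UPDATE that is denied would still start generate source-update handling; consider moving the launch down next to the `applyGeneratePolicies` call so both run only for admitted requests. The goroutine also receives the live `request` pointer where the audit handler is given `request.DeepCopy()`; passing a copy, `go ws.handleUpdatesForGenerateRules(request.DeepCopy(), []*v1.ClusterPolicy{})`, keeps the background work independent of the handler's object. A short comment on the `applyGeneratePolicies` call stating that generate deliberately runs after validation would document the ordering this commit introduces.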