bug fix auto-gen annotation reported as violation (#902)
* fix auto-gen annotation reported as violation * update log
This commit is contained in:
parent
32cd23963a
commit
b3a1e51a84
4 changed files with 7 additions and 32 deletions
|
@ -21,6 +21,7 @@ const (
|
|||
PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
|
||||
//PodTemplateAnnotation defines the annotation key for Pod-Template
|
||||
PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied"
|
||||
PodControllerRuleName = "podControllerAnnotation"
|
||||
)
|
||||
|
||||
// Mutate performs mutation. Overlay first and then mutation patches
|
||||
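Review bot: `PodControllerRuleName` is added to the const block without a doc comment, while the neighbouring `PodTemplateAnnotation` has one, and its exact value now matters outside this package because `getFailedOverallRuleInfo` compares `rule.Name == engine.PodControllerRuleName`. A comment such as `// PodControllerRuleName is the rule name under which the engine reports the auto-generated pod-template annotation mutation; the violation check skips rules by this exact name.` would tell the next maintainer that renaming the constant's value is not cosmetic. The const block starts outside the hunk.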
|
@ -102,7 +103,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
|
|||
if autoGenPolicy(&policy) && strings.Contains(PodControllers, resource.GetKind()) {
|
||||
if !patchedResourceHasPodControllerAnnotation(patchedResource) {
|
||||
var ruleResponse response.RuleResponse
|
||||
ruleResponse, patchedResource = mutate.ProcessOverlay(logger, "podControllerAnnotation", podTemplateRule.Mutation.Overlay, patchedResource)
|
||||
ruleResponse, patchedResource = mutate.ProcessOverlay(logger, PodControllerRuleName, podTemplateRule.Mutation.Overlay, patchedResource)
|
||||
if !ruleResponse.Success {
|
||||
logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
|
||||
} else {
|
||||
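Review bot: The auto-gen overlay is now processed under `PodControllerRuleName` ("podControllerAnnotation"), while the rule it applies, `podTemplateRule`, is declared with `Name: "autogen-annotate-podtemplate"` (visible in the next hunk), so the same injected rule carries two different names depending on which field is read. The violation check in `getFailedOverallRuleInfo` skips only `engine.PodControllerRuleName`, so any path that reports this rule under `podTemplateRule.Name` would presumably not be skipped. If the two names are intentionally distinct, a comment on the `ProcessOverlay` call saying why would stop the next reader from unifying them; otherwise `Name: PodControllerRuleName,` in the `podTemplateRule` literal keeps a single source of truth. `Mutate` starts and continues outside the hunk.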
|
@ -168,7 +169,6 @@ func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse,
|
|||
// podTemplateRule mutate pod template with annotation
|
||||
// pod-policies.kyverno.io/autogen-applied=true
|
||||
var podTemplateRule = kyverno.Rule{
|
||||
Name: "autogen-annotate-podtemplate",
|
||||
Mutation: kyverno.Mutation{
|
||||
Overlay: map[string]interface{}{
|
||||
"spec": map[string]interface{}{
|
||||
|
|
|
@ -17,12 +17,6 @@ import (
|
|||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
const (
|
||||
// JSON patch uses ~1 for / characters
|
||||
// see: https://tools.ietf.org/html/rfc6901#section-3
|
||||
PodTemplateAnnotationApplied = "pod-policies.kyverno.io~1autogen-applied"
|
||||
)
|
||||
|
||||
// applyPolicy applies policy on a resource
|
||||
//TODO: generation rules
|
||||
func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
|
||||
|
@ -87,11 +81,12 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
|
|||
for index, rule := range engineResponse.PolicyResponse.Rules {
|
||||
log.V(4).Info("verifying if policy rule was applied before", "rule", rule.Name)
|
||||
|
||||
patches := dropKyvernoAnnotation(rule.Patches, log)
|
||||
if len(patches) == 0 {
|
||||
if rule.Name == engine.PodControllerRuleName {
|
||||
continue
|
||||
}
|
||||
|
||||
patches := rule.Patches
|
||||
|
||||
patch, err := jsonpatch.DecodePatch(utils.JoinPatches(patches))
|
||||
if err != nil {
|
||||
log.Error(err, "failed to decode JSON patch", "patches", patches)
|
||||
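Review bot: The new `if rule.Name == engine.PodControllerRuleName { continue }` excludes the rule from the violation check purely by name, and rule names come from the user-authored policy, so a policy rule that happens to be named `podControllerAnnotation` would also be skipped and a failed mutation from it would never be reported as a violation. If the engine does not already reject user rules with that name, a second signal specific to the injected rule (for example inspecting the patch path for the auto-gen annotation, which the removed `dropKyvernoAnnotation` did by value) would make the skip harder to trigger from a policy. Separately, the `if len(patches) == 0 {` guard appears to be the second removed line; without it a rule with no patches reaches `jsonpatch.DecodePatch(utils.JoinPatches(patches))` with empty input, and if that decode errors the whole check now aborts via the `return response.EngineResponse{}, err` shown in the next hunk, so I would keep the guard right after `patches := rule.Patches`: `if len(patches) == 0 { continue }`. `getFailedOverallRuleInfo` starts and continues outside the hunk.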
|
@ -104,6 +99,7 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
|
|||
log.Error(err, "failed to apply JSON patch", "patches", patches)
|
||||
return response.EngineResponse{}, err
|
||||
}
|
||||
|
||||
if !jsonpatch.Equal(patchedResource, rawResource) {
|
||||
log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
|
||||
engineResponse.PolicyResponse.Rules[index].Success = false
|
||||
|
@ -135,25 +131,6 @@ func extractPatchPath(patches [][]byte, log logr.Logger) string {
|
|||
return strings.Join(resultPath, ";")
|
||||
}
|
||||
|
||||
func dropKyvernoAnnotation(patches [][]byte, log logr.Logger) (resultPathes [][]byte) {
|
||||
for _, patch := range patches {
|
||||
var data jsonPatch
|
||||
if err := json.Unmarshal(patch, &data); err != nil {
|
||||
log.Error(err, "failed to decode the generate patch", "patch", string(patch))
|
||||
continue
|
||||
}
|
||||
|
||||
value := fmt.Sprintf("%v", data.Value)
|
||||
if strings.Contains(value, engine.PodTemplateAnnotation) ||
|
||||
strings.Contains(value, PodTemplateAnnotationApplied) {
|
||||
continue
|
||||
}
|
||||
|
||||
resultPathes = append(resultPathes, patch)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func mergeRuleRespose(mutation, validation response.EngineResponse) response.EngineResponse {
|
||||
mutation.PolicyResponse.Rules = append(mutation.PolicyResponse.Rules, validation.PolicyResponse.Rules...)
|
||||
return mutation
|
||||
|
|
|
@ -247,8 +247,6 @@ func (gen *Generator) syncHandler(info Info) error {
|
|||
if err := handler.create(pv); err != nil {
|
||||
failure = true
|
||||
logger.Error(err, "failed to create policy violation")
|
||||
} else {
|
||||
logger.Info("created policy violation", "key", info.toKey())
|
||||
}
|
||||
|
||||
if failure {
|
||||
|
|
|
@ -80,7 +80,7 @@ func (ws *WebhookServer) HandleValidation(
|
|||
continue
|
||||
}
|
||||
|
||||
logger.Info("valiadtion rules from policy applied succesfully", "policy", policy.Name)
|
||||
logger.Info("validation rules from policy applied succesfully", "policy", policy.Name)
|
||||
}
|
||||
// If Validation fails then reject the request
|
||||
// no violations will be created on "enforce"
|
||||
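Review bot: The corrected log line `logger.Info("validation rules from policy applied succesfully", "policy", policy.Name)` still misspells "succesfully"; since this commit already rewrites that string, fix both typos at once with `logger.Info("validation rules from policy applied successfully", "policy", policy.Name)`. Log messages are grepped by operators, so a stable, correctly spelled string is worth getting right now rather than in a later commit. `HandleValidation` starts and continues outside the hunk.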
|
|