
Merge pull request #38 from nirmata/28-Stateless-policy-engine

28-stateless policy engine
This commit is contained in:
Max Goncharenko 2019-05-15 15:52:35 +03:00 committed by GitHub
commit b57749672e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 124 additions and 174 deletions


@ -0,0 +1,18 @@
apiVersion : kubepolicy.nirmata.io/v1alpha1
kind: Policy
metadata :
name: "policy-configmapgenerator-test"
spec:
rules:
- name: "Policy ConfigMap sample rule"
resource:
kind : Namespace
name: "ns2"
generate:
kind: ConfigMap
name: copied-cm
copyFrom:
namespace: default
name: game-config
data:
secretData: "data from cmg"
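Review bot: The sample generate rule stores a key named `secretData` in a ConfigMap; Kubernetes does not treat ConfigMap data as sensitive (no at-rest encryption by default, no separate RBAC verb from other config), so the fixture models exactly the pattern a policy engine should steer users away from. Rename the key, e.g. `sampleKey: "data from cmg"`, or make the example generate a `Secret` if the point is to show sensitive data being copied. The key spacing at `apiVersion :`, `metadata :` and `kind :` parses (a plain-scalar key's trailing space is trimmed) but is inconsistent with the other keys; `apiVersion: kubepolicy.nirmata.io/v1alpha1` and friends read better.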


@ -8,7 +8,6 @@ import (
policyclientset "github.com/nirmata/kube-policy/pkg/client/clientset/versioned"
informers "github.com/nirmata/kube-policy/pkg/client/informers/externalversions"
controller "github.com/nirmata/kube-policy/pkg/controller"
engine "github.com/nirmata/kube-policy/pkg/engine"
event "github.com/nirmata/kube-policy/pkg/event"
violation "github.com/nirmata/kube-policy/pkg/violation"
"github.com/nirmata/kube-policy/pkg/webhooks"
@ -43,11 +42,9 @@ func main() {
eventController := event.NewEventController(kubeclient, policyInformer.Lister(), nil)
violationBuilder := violation.NewPolicyViolationBuilder(kubeclient, policyInformer.Lister(), policyClientset, eventController, nil)
policyEngine := engine.NewPolicyEngine(kubeclient, nil)
policyController := controller.NewPolicyController(policyClientset,
policyInformer,
policyEngine,
violationBuilder,
eventController,
nil,
@ -62,7 +59,7 @@ func main() {
log.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
}
server, err := webhooks.NewWebhookServer(tlsPair, kubeclient, policyInformer.Lister(), policyEngine, nil)
server, err := webhooks.NewWebhookServer(tlsPair, policyInformer.Lister(), nil)
if err != nil {
log.Fatalf("Unable to create webhook server: %v\n", err)
}
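Review bot: `server, err := webhooks.NewWebhookServer(tlsPair, policyInformer.Lister(), nil)` no longer hands the webhook server a kubeclient, and the stateless engine only returns `GenerationResponse` values (its own TODO says creation awaits a dynamic client), so as far as this diff shows nothing in the admission path creates generated ConfigMaps or Secrets any more; a comment at the call site such as `// TODO: generate rules are evaluated but not applied until a dynamic client is wired into the engine` keeps that regression visible to whoever deploys this build. The trailing `nil` relies on `NewWebhookServer` falling back to a stdout logger; an explicit `log.New(os.Stdout, "Webhook Server: ", log.LstdFlags)` here makes the wiring self-describing. `main` begins and ends outside these hunks.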


@ -74,8 +74,8 @@ func (pcf *CopyFrom) Validate() error {
// Validate returns error if generator is configured incompletely
func (pcg *Generation) Validate() error {
if pcg.Name == "" {
return errors.New("The generator is unnamed")
if pcg.Name == "" || pcg.Kind == "" {
return errors.New("Name or/and Kind of generator is not specified")
}
return pcg.CopyFrom.Validate()
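Review bot: `Kind` is now required but not constrained, while the engine still only supports ConfigMap and Secret generators and the kind switch that used to reject anything else was removed with the engine struct; a rule with `kind: ClusterRoleBinding` therefore passes `Validate` and is carried into a `GenerationResponse` unchecked. Add `if pcg.Kind != "ConfigMap" && pcg.Kind != "Secret" { return errors.New("generator kind must be ConfigMap or Secret") }` before the `CopyFrom` check so the boundary is enforced where the type is defined. Go error strings are conventionally lowercase and "or/and" reads oddly; `errors.New("generator name and kind must be specified")` is clearer. If `CopyFrom` is a pointer field, `pcg.CopyFrom.Validate()` dereferences nil for a rule that omits `copyFrom` — the field's type is outside the hunk, so confirm.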


@ -11,7 +11,6 @@ import (
policyclientset "github.com/nirmata/kube-policy/pkg/client/clientset/versioned"
infomertypes "github.com/nirmata/kube-policy/pkg/client/informers/externalversions/policy/v1alpha1"
lister "github.com/nirmata/kube-policy/pkg/client/listers/policy/v1alpha1"
engine "github.com/nirmata/kube-policy/pkg/engine"
event "github.com/nirmata/kube-policy/pkg/event"
violation "github.com/nirmata/kube-policy/pkg/violation"
"k8s.io/apimachinery/pkg/api/errors"
@ -28,7 +27,6 @@ type PolicyController struct {
policyLister lister.PolicyLister
policyInterface policyclientset.Interface
policySynced cache.InformerSynced
policyEngine engine.PolicyEngine
violationBuilder violation.Generator
eventBuilder event.Generator
logger *log.Logger
@ -38,7 +36,6 @@ type PolicyController struct {
// NewPolicyController from cmd args
func NewPolicyController(policyInterface policyclientset.Interface,
policyInformer infomertypes.PolicyInformer,
policyEngine engine.PolicyEngine,
violationBuilder violation.Generator,
eventController event.Generator,
logger *log.Logger,
@ -53,7 +50,6 @@ func NewPolicyController(policyInterface policyclientset.Interface,
policyLister: policyInformer.Lister(),
policyInterface: policyInterface,
policySynced: policyInformer.Informer().HasSynced,
policyEngine: policyEngine,
violationBuilder: violationBuilder,
eventBuilder: eventController,
logger: logger,


@ -5,6 +5,7 @@ import (
"fmt"
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
engine "github.com/nirmata/kube-policy/pkg/engine"
event "github.com/nirmata/kube-policy/pkg/event"
violation "github.com/nirmata/kube-policy/pkg/violation"
"k8s.io/apimachinery/pkg/labels"
@ -56,7 +57,7 @@ func (pc *PolicyController) processPolicy(policy types.Policy) (
continue
}
violation, eventInfos, err := pc.policyEngine.ProcessExisting(policy, rawResource)
violation, eventInfos, err := engine.ProcessExisting(policy, rawResource)
if err != nil {
pc.logger.Printf("Failed to process rule %s, err: %v\n", rule.Name, err)
continue
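Review bot: `violation, eventInfos, err := engine.ProcessExisting(policy, rawResource)` re-declares `violation` as a local `[]violation.Info`, shadowing the `violation` package imported above for the rest of the loop body; the line it replaces did the same, but since this hunk already touches it, renaming to `violations, eventInfos, err := engine.ProcessExisting(policy, rawResource)` keeps the package name usable and matches the plural type. The controller also keeps logging through `pc.logger` while the stateless engine it now calls writes through the package-level `log`, so one policy pass produces entries under two different prefixes; passing the controller's logger into the engine functions, or settling on one logger, would keep the trail coherent. `processPolicy` begins and ends outside the hunk.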


@ -1,107 +1,22 @@
package engine
import (
"fmt"
"log"
kubeClient "github.com/nirmata/kube-policy/kubeclient"
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"github.com/nirmata/kube-policy/pkg/engine/mutation"
event "github.com/nirmata/kube-policy/pkg/event"
violation "github.com/nirmata/kube-policy/pkg/violation"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/nirmata/kube-policy/pkg/event"
"github.com/nirmata/kube-policy/pkg/violation"
)
type PolicyEngine interface {
// Mutate should be called from admission contoller
// when there is an creation / update of the resource
// ProcessMutation(policy types.Policy, rawResource []byte) (patchBytes []byte, events []Events, err error)
Mutate(policy types.Policy, rawResource []byte, gvk metav1.GroupVersionKind) []mutation.PatchBytes
// As the logic to process the policies in stateless, we do not need to define struct and implement behaviors for it
// Instead we expose them as standalone functions passing the logger and the required atrributes
// The each function returns the changes that need to be applied on the resource
// the caller is responsible to apply the changes to the resource
// Validate should be called from admission contoller
// when there is an creation / update of the resource
Validate(policy types.Policy, rawResource []byte, gvk metav1.GroupVersionKind) bool
// ProcessExisting should be called from policy controller
// when there is an create / update of the policy
// we should process the policy on matched resources, generate violations accordingly
// TODO: This method should not be in PolicyEngine. Validate will do this work instead
ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error)
// TODO: Add Generate method
// Generate()
}
type policyEngine struct {
kubeClient *kubeClient.KubeClient
logger *log.Logger
}
// NewPolicyEngine creates new instance of policyEngine
func NewPolicyEngine(kubeClient *kubeClient.KubeClient, logger *log.Logger) PolicyEngine {
return &policyEngine{
kubeClient: kubeClient,
logger: logger,
}
}
func (p *policyEngine) ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error) {
func ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error) {
var violations []violation.Info
var events []event.Info
for _, rule := range policy.Spec.Rules {
err := rule.Validate()
if err != nil {
p.logger.Printf("Invalid rule detected: #%s in policy %s, err: %v\n", rule.Name, policy.ObjectMeta.Name, err)
continue
}
//if ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription); !ok {
// p.logger.Printf("Rule %s of policy %s is not applicable to the request", rule.Name, policy.Name)
// return nil, nil, err
//}
violation, eventInfos, err := p.processRuleOnResource(policy.Name, rule, rawResource)
if err != nil {
p.logger.Printf("Failed to process rule %s, err: %v\n", rule.Name, err)
continue
}
// } else {
// policyPatches = append(policyPatches, processedPatches...)
// }
violations = append(violations, violation)
events = append(events, eventInfos...)
}
// TODO:
// Mutate()
// Validate()
return violations, events, nil
}
func (p *policyEngine) processRuleOnResource(policyName string, rule types.Rule, rawResource []byte) (
violation.Info, []event.Info, error) {
var violationInfo violation.Info
var eventInfos []event.Info
resourceKind := mutation.ParseKindFromObject(rawResource)
resourceName := mutation.ParseNameFromObject(rawResource)
resourceNamespace := mutation.ParseNamespaceFromObject(rawResource)
rulePatchesProcessed, err := mutation.ProcessPatches(rule.Mutation.Patches, nil)
if err != nil {
return violationInfo, eventInfos, fmt.Errorf("Failed to process patches from rule %s: %v", rule.Name, err)
}
if rulePatchesProcessed != nil {
log.Printf("Rule %s: prepared %d patches", rule.Name, len(rulePatchesProcessed))
violationInfo = violation.NewViolation(policyName, resourceKind, resourceNamespace+"/"+resourceName, rule.Name)
// add a violation to queue
// add an event to policy
//TODO: event msg
eventInfos = append(eventInfos, event.NewEvent("Policy", policyName, event.PolicyViolation, event.FResourcePolcy))
// add an event to resource
eventInfos = append(eventInfos, event.NewEvent(resourceKind, resourceNamespace+"/"+resourceName, event.PolicyViolation, event.FResourcePolcy))
}
return violationInfo, eventInfos, nil
}
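Review bot: The new `ProcessExisting` validates each rule but, as far as the `+1,22` new-side count allows (`processRuleOnResource` and its call are deleted with nothing added in their place), never appends to `violations` or `events`, so the controller now receives empty slices for every policy and violations on existing resources silently stop being reported. If that is intended pending the Mutate/Validate TODO, say so on the function — `// ProcessExisting currently only checks rule structure; violation and event generation is not implemented yet, so the returned slices are always empty.` — and consider returning an explicit error so callers can tell a stub from a clean pass. If the `p.logger.Printf("Invalid rule detected …")` line was dropped without a `log.Printf` replacement, invalid rules are now skipped silently here while `Mutate` and `Validate` log them; the rendering hides which side that line is on, so confirm. The package comment also has two typos worth fixing while here: "in stateless" → "is stateless" and "atrributes" → "attributes".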


@ -2,53 +2,77 @@ package engine
import (
"fmt"
"log"
kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"github.com/nirmata/kube-policy/pkg/engine/mutation"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// TODO: To be reworked due to spec policy-v2
// Applies "configMapGenerator" and "secretGenerator" described in PolicyRule
func (p *policyEngine) applyRuleGenerators(rawResource []byte, rule kubepolicy.Rule) error {
kind := mutation.ParseKindFromObject(rawResource)
// configMapGenerator and secretGenerator can be applied only to namespaces
if kind == "Namespace" {
namespaceName := mutation.ParseNameFromObject(rawResource)
err := p.applyConfigGenerator(rule.Generation, namespaceName, "ConfigMap")
if err == nil {
err = p.applyConfigGenerator(rule.Generation, namespaceName, "Secret")
}
return err
}
return nil
type GenerationResponse struct {
Generator *kubepolicy.Generation
Namespace string
}
// Creates resourceKind (ConfigMap or Secret) with parameters specified in generator in cluster specified in request.
func (p *policyEngine) applyConfigGenerator(generator *kubepolicy.Generation, namespace string, configKind string) error {
if generator == nil {
// Generate should be called to process generate rules on the resource
// TODO: extend kubeclient(will change to dynamic client) to create resources
func Generate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) []GenerationResponse {
// configMapGenerator and secretGenerator can be applied only to namespaces
if gvk.Kind != "Namespace" {
return nil
}
var generateResps []GenerationResponse
for i, rule := range policy.Spec.Rules {
// Checks for preconditions
// TODO: Rework PolicyEngine interface that it receives not a policy, but mutation object for
// Mutate, validation for Validate and so on. It will allow to bring this checks outside of PolicyEngine
// to common part as far as they present for all: mutation, validation, generation
err := rule.Validate()
if err != nil {
log.Printf("Rule has invalid structure: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
if err != nil {
log.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
if !ok {
log.Printf("Rule is not applicable to the request: rule name = %s in policy %s \n", rule.Name, policy.ObjectMeta.Name)
continue
}
generateResps, err = applyRuleGenerator(rawResource, rule.Generation)
if err != nil {
log.Printf("Failed to apply rule generator: %v", err)
} else {
generateResps = append(generateResps, generateResps...)
}
}
return generateResps
}
// Applies "configMapGenerator" and "secretGenerator" described in PolicyRule
// TODO: plan to support all kinds of generator
func applyRuleGenerator(rawResource []byte, generator *kubepolicy.Generation) ([]GenerationResponse, error) {
var generateResps []GenerationResponse
if generator == nil {
return nil, nil
}
err := generator.Validate()
if err != nil {
return fmt.Errorf("Generator for '%s' is invalid: %s", configKind, err)
return nil, fmt.Errorf("Generator for '%s' is invalid: %s", generator.Kind, err)
}
switch configKind {
case "ConfigMap":
err = p.kubeClient.GenerateConfigMap(*generator, namespace)
case "Secret":
err = p.kubeClient.GenerateSecret(*generator, namespace)
default:
err = fmt.Errorf("Unsupported config Kind '%s'", configKind)
}
if err != nil {
return fmt.Errorf("Unable to apply generator for %s '%s/%s' : %s", configKind, namespace, generator.Name, err)
}
return nil
namespaceName := mutation.ParseNameFromObject(rawResource)
generateResps = append(generateResps, GenerationResponse{generator, namespaceName})
return generateResps, nil
}
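Review bot: The accumulator is clobbered at `generateResps, err = applyRuleGenerator(rawResource, rule.Generation)`: each iteration overwrites the responses collected from earlier rules with the current rule's result (or with nil on error), and `generateResps = append(generateResps, generateResps...)` then appends that slice to itself, so a multi-rule policy returns only the last rule's response, duplicated. Use a per-rule variable — `ruleResps, err := applyRuleGenerator(rawResource, rule.Generation)` and `generateResps = append(generateResps, ruleResps...)` — and `continue` in the error branch. Separately, `applyRuleGenerator` no longer restricts `generator.Kind` to ConfigMap or Secret (the switch with the `Unsupported config Kind` error is gone) although the comment above it still says only those are supported; until the dynamic client lands, an unsupported kind now yields a `GenerationResponse` that a future consumer may create verbatim, so re-adding the kind check here or in `Generation.Validate` keeps that boundary explicit.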


@ -1,13 +1,16 @@
package engine
import (
"log"
kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"github.com/nirmata/kube-policy/pkg/engine/mutation"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// Mutate performs mutation. Overlay first and then mutation patches
func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) []mutation.PatchBytes {
// TODO: return events and violations
func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) []mutation.PatchBytes {
var policyPatches []mutation.PatchBytes
for i, rule := range policy.Spec.Rules {
@ -19,18 +22,18 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte, gvk
err := rule.Validate()
if err != nil {
p.logger.Printf("Rule has invalid structure: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Rule has invalid structure: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
if err != nil {
p.logger.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
if !ok {
p.logger.Printf("Rule is not applicable t the request: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Rule is not applicable to the request: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
@ -43,7 +46,7 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte, gvk
if rule.Mutation.Overlay != nil {
overlayPatches, err := mutation.ProcessOverlay(rule.Mutation.Overlay, rawResource)
if err != nil {
p.logger.Printf("Overlay application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Overlay application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
} else {
policyPatches = append(policyPatches, overlayPatches...)
}
@ -54,7 +57,7 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte, gvk
if rule.Mutation.Patches != nil {
processedPatches, err := mutation.ProcessPatches(rule.Mutation.Patches, rawResource)
if err != nil {
p.logger.Printf("Patches application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Patches application failed: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
} else {
policyPatches = append(policyPatches, processedPatches...)
}
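Review bot: `log.Printf` appends a newline when the message lacks one, so the trailing `\n` in each new `log.Printf` call (`Rule has invalid structure`, `Rule has invalid data`, `Rule is not applicable to the request`, `Overlay application failed`, `Patches application failed`) now emits a blank line after every entry; the old `*log.Logger` behaved the same, but this rewrite is the moment to drop them. The `!ok` branch also formats `err`, which is necessarily nil there because the preceding `if err != nil { continue }` already left the iteration, so the message always ends in `err: <nil>`: `log.Printf("Rule is not applicable to the request: rule number = %d, rule name = %s in policy %s", i, rule.Name, policy.ObjectMeta.Name)`. `Mutate` begins and ends outside these hunks.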


@ -3,13 +3,14 @@ package engine
import (
"encoding/json"
"fmt"
"log"
kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"github.com/nirmata/kube-policy/pkg/engine/mutation"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func (p *policyEngine) Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) bool {
func Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) bool {
var resource interface{}
json.Unmarshal(rawResource, &resource)
@ -23,18 +24,18 @@ func (p *policyEngine) Validate(policy kubepolicy.Policy, rawResource []byte, gv
err := rule.Validate()
if err != nil {
p.logger.Printf("Rule has invalid structure: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Rule has invalid structure: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
if err != nil {
p.logger.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
if !ok {
p.logger.Printf("Rule is not applicable t the request: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
log.Printf("Rule is not applicable to the request: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
continue
}
@ -43,10 +44,10 @@ func (p *policyEngine) Validate(policy kubepolicy.Policy, rawResource []byte, gv
}
if err := traverseAndValidate(resource, rule.Validation.Pattern); err != nil {
p.logger.Printf("Validation with the rule %s has failed %s: %s\n", rule.Name, err.Error(), *rule.Validation.Message)
log.Printf("Validation with the rule %s has failed %s: %s\n", rule.Name, err.Error(), *rule.Validation.Message)
allowed = false
} else {
p.logger.Printf("Validation rule %s is successful %s: %s\n", rule.Name, err.Error(), *rule.Validation.Message)
log.Printf("Validation rule %s is successful %s: %s\n", rule.Name, err.Error(), *rule.Validation.Message)
}
}
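Review bot: The else branch at `log.Printf("Validation rule %s is successful %s: %s\n", rule.Name, err.Error(), *rule.Validation.Message)` calls `err.Error()` when `err` is nil (that is the branch condition), so every resource that passes a validation rule panics the handler; net/http recovers the panic and drops the connection, which the API server sees as a webhook failure and, under a failurePolicy of Ignore, admits the request unvalidated. Drop `err.Error()` and its `%s`, and drop the trailing `\n` in these messages since `log.Printf` already appends a newline. `*rule.Validation.Message` will also dereference nil when a rule omits `message`; a nil check, or printing the pointer with `%v`, is advisable — the struct is outside the hunk, so confirm whether the field is optional. The unchecked `json.Unmarshal(rawResource, &resource)` at the top of `Validate` leaves `resource` nil on malformed input and lets validation proceed against nil; returning false on a decode error is the safer default for an admission check.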


@ -1,9 +1,10 @@
package webhooks_test
import (
"gotest.tools/assert"
"testing"
"gotest.tools/assert"
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"github.com/nirmata/kube-policy/webhooks"
v1beta1 "k8s.io/api/admission/v1beta1"


@ -1,21 +1,20 @@
package webhooks_test
import (
"gotest.tools/assert"
"bytes"
"io/ioutil"
"testing"
"bytes"
"github.com/nirmata/kube-policy/webhooks"
"github.com/nirmata/kube-policy/pkg/webhooks"
"gotest.tools/assert"
rest "k8s.io/client-go/rest"
)
func TestExtractCA_EmptyBundle(t *testing.T) {
CAFile := "resources/CAFile"
config := &rest.Config {
TLSClientConfig: rest.TLSClientConfig {
config := &rest.Config{
TLSClientConfig: rest.TLSClientConfig{
CAData: nil,
CAFile: CAFile,
},
@ -30,8 +29,8 @@ func TestExtractCA_EmptyBundle(t *testing.T) {
func TestExtractCA_EmptyCAFile(t *testing.T) {
CABundle := []byte(`LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNU1ETXhPVEUwTURjd05Gb1hEVEk1TURNeE5qRTBNRGN3TkZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTStQClVLVmExcm9tQndOZzdqNnBBSGo5TDQ4RVJpdEplRzRXM1pUYmNMNWNKbnVTQmFsc1h1TWpQTGZmbUV1VEZIdVAKenRqUlBEUHcreEg1d3VTWFF2U0tIaXF2VE1pUm9DSlJFa09sQXpIa1dQM0VrdnUzNzRqZDVGV3Q3NEhnRk91cApIZ1ZwdUxPblczK2NDVE5iQ3VkeDFMVldRbGgwQzJKbm1Lam5uS1YrTkxzNFJVaVk1dk91ekpuNHl6QldLRjM2CmJLZ3ZDOVpMWlFSM3dZcnJNZWllYzBnWVY2VlJtaGgxSjRDV3V1UWd0ckM2d2NJanFWZFdEUlJyNHFMdEtDcDIKQVNIZmNieitwcEdHblJ5Z2FzcWNJdnpiNUVwV3NIRGtHRStUUW5WQ0JmTmsxN0NEOTZBQ1pmRWVybzEvWE16MgpRbzZvcUE0dnF5ZkdWWVU5RVZFQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFNWFVpUVJpdUc4cGdzcHMrZTdGZWdCdEJOZEcKZlFUdHVLRWFUZ0U0RjQwamJ3UmdrN25DTHlsSHgvRG04aVRRQmsyWjR4WnNuY0huRys4SkwrckRLdlJBSE5iVQpsYnpReXA1V3FwdjdPcThwZ01wU0o5bTdVY3BGZmRVZkorNW43aXFnTGdMb3lhNmtRVTR2Rk0yTE1rWjI5NVpxCmVId0hnREo5Z3IwWGNyOWM1L2tRdkxFc2Z2WU5QZVhuamNyWXlDb2JNcVduSElxeVd3cHM1VTJOaGgraXhSZEIKbzRRL3RJS04xOU93WGZBaVc5SENhNzZMb3ZXaUhPU2UxVnFzK1h1N1A5ckx4eW1vQm91aFcxVmZ0bUo5Qy9vTAp3cFVuNnlXRCttY0tkZ3J5QTFjTWJ4Q281bUd6YTNLaFk1QTd5eDQ1cThkSEIzTWU4d0FCam1wWEs0ST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=`)
config := &rest.Config {
TLSClientConfig: rest.TLSClientConfig {
config := &rest.Config{
TLSClientConfig: rest.TLSClientConfig{
CAData: CABundle,
CAFile: "",
},
@ -42,8 +41,8 @@ func TestExtractCA_EmptyCAFile(t *testing.T) {
}
func TestExtractCA_EmptyConfig(t *testing.T) {
config := &rest.Config {
TLSClientConfig: rest.TLSClientConfig {
config := &rest.Config{
TLSClientConfig: rest.TLSClientConfig{
CAData: nil,
CAFile: "",
},
@ -54,8 +53,8 @@ func TestExtractCA_EmptyConfig(t *testing.T) {
}
func TestExtractCA_InvalidFile(t *testing.T) {
config := &rest.Config {
TLSClientConfig: rest.TLSClientConfig {
config := &rest.Config{
TLSClientConfig: rest.TLSClientConfig{
CAData: nil,
CAFile: "somenonexistingfile",
},


@ -13,7 +13,6 @@ import (
"time"
"github.com/nirmata/kube-policy/config"
"github.com/nirmata/kube-policy/kubeclient"
policylister "github.com/nirmata/kube-policy/pkg/client/listers/policy/v1alpha1"
engine "github.com/nirmata/kube-policy/pkg/engine"
"github.com/nirmata/kube-policy/pkg/engine/mutation"
@ -27,7 +26,6 @@ import (
// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
type WebhookServer struct {
server http.Server
policyEngine engine.PolicyEngine
policyLister policylister.PolicyLister
logger *log.Logger
}
@ -36,9 +34,7 @@ type WebhookServer struct {
// Policy Controller and Kubernetes Client should be initialized in configuration
func NewWebhookServer(
tlsPair *tlsutils.TlsPemPair,
kubeClient *kubeclient.KubeClient,
policyLister policylister.PolicyLister,
policyEngine engine.PolicyEngine,
logger *log.Logger) (*WebhookServer, error) {
if logger == nil {
logger = log.New(os.Stdout, "Webhook Server: ", log.LstdFlags)
@ -56,7 +52,6 @@ func NewWebhookServer(
tlsConfig.Certificates = []tls.Certificate{pair}
ws := &WebhookServer{
policyEngine: policyEngine,
policyLister: policyLister,
logger: logger,
}
@ -148,7 +143,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
for _, policy := range policies {
ws.logger.Printf("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
policyPatches := ws.policyEngine.Mutate(*policy, request.Object.Raw, request.Kind)
policyPatches := engine.Mutate(*policy, request.Object.Raw, request.Kind)
allPatches = append(allPatches, policyPatches...)
if len(policyPatches) > 0 {
@ -181,7 +176,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
for _, policy := range policies {
ws.logger.Printf("Validating resource with policy %s with %d rules", policy.ObjectMeta.Name, len(policy.Spec.Rules))
if ok := ws.policyEngine.Validate(*policy, request.Object.Raw, request.Kind); !ok {
if ok := engine.Validate(*policy, request.Object.Raw, request.Kind); !ok {
ws.logger.Printf("Validation has failed: %v\n", err)
utilruntime.HandleError(err)
allowed = false
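Review bot: In `HandleValidation` the failure branch logs and hands `err` to `utilruntime.HandleError`, but `engine.Validate` returns only a bool and never sets `err`, so whatever `err` holds there is stale from an earlier statement or nil, and `Validation has failed: <nil>` tells the operator nothing about which policy rejected the object. Log the policy instead — `ws.logger.Printf("Validation failed for policy %s on %s/%s", policy.ObjectMeta.Name, request.Namespace, request.Name)` — and consider having `Validate` return the failing rules' messages so the admission response can carry a reason to the user, which is what `Validation.Message` exists for. The type comment `MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient` is now stale: the server holds only a lister and a logger. `HandleValidation` begins and ends outside the hunk.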