minor validation changes
This commit is contained in:
parent
afb6ad714c
commit
b61412ca7a
5 changed files with 31 additions and 28 deletions
|
@ -78,6 +78,7 @@ func main() {
|
|||
go http.ListenAndServe("localhost:6060", nil)
|
||||
}
|
||||
|
||||
// TODO: Do we need to print here? It anyways prints empty values
|
||||
version.PrintVersionInfo(log.Log)
|
||||
cleanUp := make(chan struct{})
|
||||
stopCh := signal.SetupSignalHandler()
|
||||
|
@ -145,7 +146,7 @@ func main() {
|
|||
// KYVERNO CRD INFORMER
|
||||
// watches CRD resources:
|
||||
// - Policy
|
||||
// - PolicyVolation
|
||||
// - PolicyViolation
|
||||
pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, resyncPeriod)
|
||||
|
||||
// Configuration Data
|
||||
|
@ -332,7 +333,7 @@ func main() {
|
|||
go auditHandler.Run(10, stopCh)
|
||||
openAPISync.Run(1, stopCh)
|
||||
|
||||
// verifys if the admission control is enabled and active
|
||||
// verifies if the admission control is enabled and active
|
||||
// resync: 60 seconds
|
||||
// deadline: 60 seconds (send request)
|
||||
// max deadline: deadline*3 (set the deployment annotation as false)
|
||||
|
|
|
@ -11,7 +11,7 @@ import (
|
|||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
//CanIOptions provides utility ti check if user has authorization for the given operation
|
||||
//CanIOptions provides utility to check if user has authorization for the given operation
|
||||
type CanIOptions struct {
|
||||
namespace string
|
||||
verb string
|
||||
|
@ -20,7 +20,7 @@ type CanIOptions struct {
|
|||
log logr.Logger
|
||||
}
|
||||
|
||||
//NewCanI returns a new instance of operation access controler evaluator
|
||||
//NewCanI returns a new instance of operation access controller evaluator
|
||||
func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logger) *CanIOptions {
|
||||
o := CanIOptions{
|
||||
client: client,
|
||||
|
@ -38,7 +38,7 @@ func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logge
|
|||
// - operation is a combination of namespace, kind, verb
|
||||
// - can only evaluate a single verb
|
||||
// - group version resource is determined from the kind using the discovery client REST mapper
|
||||
// - If disallowed, the reason and evaluationError is avialable in the logs
|
||||
// - If disallowed, the reason and evaluationError is available in the logs
|
||||
// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions
|
||||
func (o *CanIOptions) RunAccessCheck() (bool, error) {
|
||||
// get GroupVersionResource from RESTMapper
|
||||
|
|
|
@ -9,9 +9,6 @@ import (
|
|||
"github.com/go-openapi/spec"
|
||||
"github.com/go-openapi/strfmt"
|
||||
"github.com/go-openapi/validate"
|
||||
//openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
|
||||
//"github.com/googleapis/gnostic/compiler"
|
||||
//yaml_v2 "gopkg.in/yaml.v2"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
@ -19,6 +16,9 @@ import (
|
|||
"path/filepath"
|
||||
"regexp"
|
||||
"strings"
|
||||
//openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
|
||||
//"github.com/googleapis/gnostic/compiler"
|
||||
yaml_v2 "sigs.k8s.io/yaml"
|
||||
|
||||
jsonpatch "github.com/evanphx/json-patch"
|
||||
"github.com/go-logr/logr"
|
||||
|
@ -241,10 +241,12 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
|
|||
}
|
||||
|
||||
var crd unstructured.Unstructured
|
||||
err = json.Unmarshal(bytes, &crd)
|
||||
err = yaml_v2.Unmarshal(bytes, &crd)
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
log.Info("coming till here .................. 5")
|
||||
|
||||
// crdDefinitionPrior represents CRDs version prior to 1.16
|
||||
var crdDefinitionPrior struct {
|
||||
|
@ -273,14 +275,19 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
|
|||
} `json:"spec"`
|
||||
}
|
||||
|
||||
log.Info("coming till here .................. 6")
|
||||
crdRaw, _ := json.Marshal(crd.Object)
|
||||
_ = json.Unmarshal(crdRaw, &crdDefinitionPrior)
|
||||
|
||||
log.Info("coming till here .................. 7")
|
||||
openV3schema := crdDefinitionPrior.Spec.Validation.OpenAPIV3Schema
|
||||
crdName := crdDefinitionPrior.Spec.Names.Kind
|
||||
fmt.Println(crdName)
|
||||
|
||||
log.Info("coming till here .................. 8")
|
||||
|
||||
if openV3schema == nil {
|
||||
log.Info("coming till here .................. coming into openV3Schema = nil")
|
||||
_ = json.Unmarshal(crdRaw, &crdDefinitionNew)
|
||||
for _, crdVersion := range crdDefinitionNew.Spec.Versions {
|
||||
if crdVersion.Storage {
|
||||
|
@ -291,27 +298,26 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
|
|||
}
|
||||
}
|
||||
|
||||
log.Info("coming till here .................. 9")
|
||||
log.Info("crd", "openV3schema", openV3schema)
|
||||
|
||||
schemaRaw, _ := json.Marshal(openV3schema)
|
||||
if len(schemaRaw) < 1 {
|
||||
//log.Log.V(3).Info("could not parse crd schema", "name", crdName)
|
||||
return err
|
||||
}
|
||||
log.Info("coming till here .................. 10")
|
||||
|
||||
schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw)
|
||||
if err != nil {
|
||||
//log.Log.Error(err, "could not parse crd schema", "name", crdName)
|
||||
return err
|
||||
}
|
||||
//schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw)
|
||||
//if err != nil {
|
||||
// //log.Log.Error(err, "could not parse crd schema", "name", crdName)
|
||||
// //return err
|
||||
//}
|
||||
log.Info("coming till here .................. 11")
|
||||
|
||||
schema := new(spec.Schema)
|
||||
_ = json.Unmarshal(schemaRaw, schema)
|
||||
|
||||
input := map[string]interface{}{}
|
||||
fmt.Println(input)
|
||||
|
||||
// JSON data to validate
|
||||
//inputJSON := `{"name": "Ivan","address-1": "sesame street"}`
|
||||
//_ = json.Unmarshal([]byte(inputJSON), &input)
|
||||
|
||||
// strfmt.Default is the registry of recognized formats
|
||||
err = validate.AgainstSchema(schema, policy, strfmt.Default)
|
||||
|
@ -320,6 +326,7 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
|
|||
} else {
|
||||
fmt.Printf("OK")
|
||||
}
|
||||
log.Info("coming till here .................. 14")
|
||||
|
||||
//var schema yaml_v2.MapSlice
|
||||
//_ = yaml_v2.Unmarshal(schemaRaw, &schema)
|
||||
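Review bot: A CRD with no resolvable `openAPIV3Schema` still validates as OK: when `openV3schema` is nil, `json.Marshal` produces the bytes `null`, so `len(schemaRaw) < 1` never triggers, and even if it did the guard returns `err`, which is nil at that point after the successful `yaml_v2.Unmarshal`; `schema` is then left as an empty `spec.Schema`, which constrains nothing, so `validate.AgainstSchema` accepts the policy. Guard on the value itself after the version loop, e.g. `if openV3schema == nil { return fmt.Errorf("no openAPIV3Schema found in CRD %s", crdName) }`, and check the `json.Unmarshal` results currently discarded with `_` rather than silently continuing with partial structs. The added `log.Info("coming till here ...")` lines and `fmt.Println(crdName)` / `fmt.Println(input)` read as leftover debugging; they write to the CLI's stdout and should be removed before merge. The alias `yaml_v2` for `sigs.k8s.io/yaml` is misleading given that name was used for the commented `gopkg.in/yaml.v2` import; plain `yaml` would be clearer. ValidatePolicyAgainstCrd starts and ends outside these hunks.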
|
|
|
@ -49,19 +49,14 @@ func Command() *cobra.Command {
|
|||
|
||||
invalidPolicyFound := false
|
||||
for _, policy := range policies {
|
||||
//if common.PolicyHasVariables(*policy) {
|
||||
// invalidPolicyFound = true
|
||||
// fmt.Printf("Policy %s is invalid.\n", policy.Name)
|
||||
// log.Log.Error(errors.New("'validate' does not support policies with variables"), "Policy "+policy.Name+" is invalid")
|
||||
// continue
|
||||
//}
|
||||
|
||||
// if crd is passed, then validate policy against the crd
|
||||
if crdPath != "" {
|
||||
err := common.ValidatePolicyAgainstCrd(policy, crdPath)
|
||||
if err != nil {
|
||||
log.Log.Error(err, "policy "+policy.Name+" is invalid")
|
||||
os.Exit(1)
|
||||
//os.Exit(1)
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
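Review bot: The loop returns on the first CRD validation failure (`return err` after the `log.Log.Error` call), so the remaining policies are never checked and `invalidPolicyFound`, declared above the loop, is never set on this path; the error is also both logged and returned, so it will be reported twice. If the variable reflects the intent, mark and keep going instead of returning: `invalidPolicyFound = true` followed by `continue`. I am reading `//os.Exit(1)` plus `return err` as the new side; if `os.Exit(1)` is the surviving line the same point applies, with the process exiting before later policies are seen. Command starts and ends outside this hunk.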
|
|
|
@ -69,7 +69,7 @@ func CRDInstalled(discovery client.IDiscovery, log logr.Logger) bool {
|
|||
logger := log.WithName("CRDInstalled")
|
||||
check := func(kind string) bool {
|
||||
gvr := discovery.GetGVRFromKind(kind)
|
||||
if reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) {
|
||||
if reflect.DeepEqual(gvr, schema.GroupVersionResource{}) {
|
||||
logger.Info("CRD not installed", "kind", kind)
|
||||
return false
|
||||
}
|
||||
|
|