mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

minor validation changes

Browse source
This commit is contained in:
NoSkillGirl 2020-08-30 14:13:20 +05:30
parent afb6ad714c
commit b61412ca7a
5 changed files with 31 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
cmd/kyverno/main.go
View file

@ -78,6 +78,7 @@ func main() {
go http.ListenAndServe("localhost:6060", nil) go http.ListenAndServe("localhost:6060", nil)
} }
// TODO: Do we need to print here? It anyways prints empty values
version.PrintVersionInfo(log.Log) version.PrintVersionInfo(log.Log)
cleanUp := make(chan struct{}) cleanUp := make(chan struct{})
stopCh := signal.SetupSignalHandler() stopCh := signal.SetupSignalHandler()
@ -145,7 +146,7 @@ func main() {
// KYVERNO CRD INFORMER // KYVERNO CRD INFORMER
// watches CRD resources: // watches CRD resources:
// - Policy // - Policy
// - PolicyVolation // - PolicyViolation
pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, resyncPeriod) pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, resyncPeriod)
// Configuration Data // Configuration Data
@ -332,7 +333,7 @@ func main() {
go auditHandler.Run(10, stopCh) go auditHandler.Run(10, stopCh)
openAPISync.Run(1, stopCh) openAPISync.Run(1, stopCh)
// verifys if the admission control is enabled and active // verifies if the admission control is enabled and active
// resync: 60 seconds // resync: 60 seconds
// deadline: 60 seconds (send request) // deadline: 60 seconds (send request)
// max deadline: deadline*3 (set the deployment annotation as false) // max deadline: deadline*3 (set the deployment annotation as false)

6
pkg/auth/auth.go
View file

@ -11,7 +11,7 @@ import (
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
) )
//CanIOptions provides utility ti check if user has authorization for the given operation //CanIOptions provides utility to check if user has authorization for the given operation
type CanIOptions struct { type CanIOptions struct {
namespace string namespace string
verb string verb string
@ -20,7 +20,7 @@ type CanIOptions struct {
log logr.Logger log logr.Logger
} }
//NewCanI returns a new instance of operation access controler evaluator //NewCanI returns a new instance of operation access controller evaluator
func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logger) *CanIOptions { func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logger) *CanIOptions {
o := CanIOptions{ o := CanIOptions{
client: client, client: client,
@ -38,7 +38,7 @@ func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logge
// - operation is a combination of namespace, kind, verb // - operation is a combination of namespace, kind, verb
// - can only evaluate a single verb // - can only evaluate a single verb
// - group version resource is determined from the kind using the discovery client REST mapper // - group version resource is determined from the kind using the discovery client REST mapper
// - If disallowed, the reason and evaluationError is avialable in the logs // - If disallowed, the reason and evaluationError is available in the logs
// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions // - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions
func (o *CanIOptions) RunAccessCheck() (bool, error) { func (o *CanIOptions) RunAccessCheck() (bool, error) {
// get GroupVersionResource from RESTMapper // get GroupVersionResource from RESTMapper

37
pkg/kyverno/common/common.go
View file

@ -9,9 +9,6 @@ import (
"github.com/go-openapi/spec" "github.com/go-openapi/spec"
"github.com/go-openapi/strfmt" "github.com/go-openapi/strfmt"
"github.com/go-openapi/validate" "github.com/go-openapi/validate"
//openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
//"github.com/googleapis/gnostic/compiler"
//yaml_v2 "gopkg.in/yaml.v2"
"io" "io"
"io/ioutil" "io/ioutil"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -19,6 +16,9 @@ import (
"path/filepath" "path/filepath"
"regexp" "regexp"
"strings" "strings"
//openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
//"github.com/googleapis/gnostic/compiler"
yaml_v2 "sigs.k8s.io/yaml"
jsonpatch "github.com/evanphx/json-patch" jsonpatch "github.com/evanphx/json-patch"
"github.com/go-logr/logr" "github.com/go-logr/logr"
@ -241,10 +241,12 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
} }
var crd unstructured.Unstructured var crd unstructured.Unstructured
err = json.Unmarshal(bytes, &crd) err = yaml_v2.Unmarshal(bytes, &crd)
if err != nil { if err != nil {
return err return err
} }
log.Info("coming till here .................. 5")
// crdDefinitionPrior represents CRDs version prior to 1.16 // crdDefinitionPrior represents CRDs version prior to 1.16
var crdDefinitionPrior struct { var crdDefinitionPrior struct {
@ -273,14 +275,19 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
} `json:"spec"` } `json:"spec"`
} }
log.Info("coming till here .................. 6")
crdRaw, _ := json.Marshal(crd.Object) crdRaw, _ := json.Marshal(crd.Object)
_ = json.Unmarshal(crdRaw, &crdDefinitionPrior) _ = json.Unmarshal(crdRaw, &crdDefinitionPrior)
log.Info("coming till here .................. 7")
openV3schema := crdDefinitionPrior.Spec.Validation.OpenAPIV3Schema openV3schema := crdDefinitionPrior.Spec.Validation.OpenAPIV3Schema
crdName := crdDefinitionPrior.Spec.Names.Kind crdName := crdDefinitionPrior.Spec.Names.Kind
fmt.Println(crdName) fmt.Println(crdName)
log.Info("coming till here .................. 8")
if openV3schema == nil { if openV3schema == nil {
log.Info("coming till here .................. coming into openV3Schema = nil")
_ = json.Unmarshal(crdRaw, &crdDefinitionNew) _ = json.Unmarshal(crdRaw, &crdDefinitionNew)
for _, crdVersion := range crdDefinitionNew.Spec.Versions { for _, crdVersion := range crdDefinitionNew.Spec.Versions {
if crdVersion.Storage { if crdVersion.Storage {
@ -291,27 +298,26 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
} }
} }
log.Info("coming till here .................. 9")
log.Info("crd", "openV3schema", openV3schema)
schemaRaw, _ := json.Marshal(openV3schema) schemaRaw, _ := json.Marshal(openV3schema)
if len(schemaRaw) < 1 { if len(schemaRaw) < 1 {
//log.Log.V(3).Info("could not parse crd schema", "name", crdName) //log.Log.V(3).Info("could not parse crd schema", "name", crdName)
return err return err
} }
log.Info("coming till here .................. 10")
schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw) //schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw)
if err != nil { //if err != nil {
//log.Log.Error(err, "could not parse crd schema", "name", crdName) // //log.Log.Error(err, "could not parse crd schema", "name", crdName)
return err // //return err
} //}
log.Info("coming till here .................. 11")
schema := new(spec.Schema) schema := new(spec.Schema)
_ = json.Unmarshal(schemaRaw, schema) _ = json.Unmarshal(schemaRaw, schema)
input := map[string]interface{}{}
fmt.Println(input)
// JSON data to validate
//inputJSON := `{"name": "Ivan","address-1": "sesame street"}`
//_ = json.Unmarshal([]byte(inputJSON), &input)
// strfmt.Default is the registry of recognized formats // strfmt.Default is the registry of recognized formats
err = validate.AgainstSchema(schema, policy, strfmt.Default) err = validate.AgainstSchema(schema, policy, strfmt.Default)
@ -320,6 +326,7 @@ func ValidatePolicyAgainstCrd(policy *v1.ClusterPolicy, path string) error {
} else { } else {
fmt.Printf("OK") fmt.Printf("OK")
} }
log.Info("coming till here .................. 14")
//var schema yaml_v2.MapSlice //var schema yaml_v2.MapSlice
//_ = yaml_v2.Unmarshal(schemaRaw, &schema) //_ = yaml_v2.Unmarshal(schemaRaw, &schema)

9
pkg/kyverno/validate/command.go
View file

@ -49,19 +49,14 @@ func Command() *cobra.Command {
invalidPolicyFound := false invalidPolicyFound := false
for _, policy := range policies { for _, policy := range policies {
//if common.PolicyHasVariables(*policy) {
// invalidPolicyFound = true
// fmt.Printf("Policy %s is invalid.\n", policy.Name)
// log.Log.Error(errors.New("'validate' does not support policies with variables"), "Policy "+policy.Name+" is invalid")
// continue
//}
// if crd is passed, then validate policy against the crd // if crd is passed, then validate policy against the crd
if crdPath != "" { if crdPath != "" {
err := common.ValidatePolicyAgainstCrd(policy, crdPath) err := common.ValidatePolicyAgainstCrd(policy, crdPath)
if err != nil { if err != nil {
log.Log.Error(err, "policy "+policy.Name+" is invalid") log.Log.Error(err, "policy "+policy.Name+" is invalid")
os.Exit(1) //os.Exit(1)
return err
} }
} }

2
pkg/utils/util.go
View file

@ -69,7 +69,7 @@ func CRDInstalled(discovery client.IDiscovery, log logr.Logger) bool {
logger := log.WithName("CRDInstalled") logger := log.WithName("CRDInstalled")
check := func(kind string) bool { check := func(kind string) bool {
gvr := discovery.GetGVRFromKind(kind) gvr := discovery.GetGVRFromKind(kind)
if reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) { if reflect.DeepEqual(gvr, schema.GroupVersionResource{}) {
logger.Info("CRD not installed", "kind", kind) logger.Info("CRD not installed", "kind", kind)
return false return false
} }