From b66c1b7f0cb51e381956d2217c528b0e1b79abaa Mon Sep 17 00:00:00 2001
From: shivkumar dudhani
Date: Wed, 4 Sep 2019 10:40:49 -0700
Subject: [PATCH] remove exlude kind checks
---
 pkg/namespace/utils.go | 48 ------------------------------------------
 pkg/webhooks/report.go | 44 --------------------------------------
 pkg/webhooks/utils.go | 45 +--------------------------------------
 3 files changed, 1 insertion(+), 136 deletions(-)
diff --git a/pkg/namespace/utils.go b/pkg/namespace/utils.go
index ee0922fc44..6f648e8344 100644
--- a/pkg/namespace/utils.go
+++ b/pkg/namespace/utils.go
@@ -4,52 +4,4 @@ const (
 wqNamespace string = "namespace"
 workerCount int = 1
 wqRetryLimit int = 5
- policyKind string = "Policy"
 )
-
-// func namespaceMeetsRuleDescription(ns *corev1.Namespace, resourceDescription v1alpha1.ResourceDescription) bool {
-// //REWORK Not needed but verify the 'Namespace' is defined in the list of supported kinds
-// if !findKind(resourceDescription.Kinds, "Namespace") {
-// return false
-// }
-// if resourceDescription.Name != nil {
-// if !wildcard.Match(*resourceDescription.Name, ns.Name) {
-// return false
-// }
-// }
-
-// if resourceDescription.Selector != nil {
-// selector, err := metav1.LabelSelectorAsSelector(resourceDescription.Selector)
-// if err != nil {
-// return false
-// }
-
-// labelSet := convertLabelsToLabelSet(ns.Labels)
-// // labels
-// if !selector.Matches(labelSet) {
-// return false
-// }
-// }
-// return true
-// }
-
-// func convertLabelsToLabelSet(labelMap map[string]string) labels.Set {
-// labelSet := make(labels.Set, len(labelMap))
-// // REWORK: check if the below works
-// // if x, ok := labelMap.(labels.Set); !ok {
-
-// // }
-// for k, v := range labelMap {
-// labelSet[k] = v
-// }
-// return labelSet
-// }
-
-// func findKind(kinds []string, kindGVK string) bool {
-// for _, kind := range kinds {
-// if kind == kindGVK {
-// return true
-// }
-// }
-// return false
-// }
diff --git a/pkg/webhooks/report.go b/pkg/webhooks/report.go
index a5fc8ef080..ab446254ca 100644
--- a/pkg/webhooks/report.go
+++ b/pkg/webhooks/report.go
@@ -94,47 +94,3 @@ func generateEvents(engineResponses []engine.EngineResponseNew, onUpdate bool) [
 }
 return events
 }
-
-// //TODO: change validation from bool -> enum(validation, mutation)
-// func newEventInfoFromPolicyInfo(policyInfoList []info.PolicyInfo, onUpdate bool, ruleType info.RuleType) []*event.Info {
-// var eventsInfo []*event.Info
-// ok, msg := isAdmSuccesful(policyInfoList)
-// // Some policies failed to apply succesfully
-// if !ok {
-// for _, pi := range policyInfoList {
-// if pi.IsSuccessful() {
-// continue
-// }
-// rules := pi.FailedRules()
-// ruleNames := strings.Join(rules, ";")
-// if !onUpdate {
-// // CREATE
-// eventsInfo = append(eventsInfo,
-// event.NewEvent(policyKind, "", pi.Name, event.RequestBlocked, event.FPolicyApplyBlockCreate, pi.RNamespace+"/"+pi.RName, ruleNames))
-
-// glog.V(3).Infof("Rule(s) %s of policy %s blocked resource creation, error: %s\n", ruleNames, pi.Name, msg)
-// } else {
-// // UPDATE
-// eventsInfo = append(eventsInfo,
-// event.NewEvent(pi.RKind, pi.RNamespace, pi.RName, event.RequestBlocked, event.FPolicyApplyBlockUpdate, ruleNames, pi.Name))
-// eventsInfo = append(eventsInfo,
-// event.NewEvent(policyKind, "", pi.Name, event.RequestBlocked, event.FPolicyBlockResourceUpdate, pi.RNamespace+"/"+pi.RName, ruleNames))
-// glog.V(3).Infof("Request blocked events info has prepared for %s/%s and %s/%s\n", policyKind, pi.Name, pi.RKind, pi.RName)
-// }
-// }
-// } else {
-// if !onUpdate {
-// // All policies were applied succesfully
-// // CREATE
-// for _, pi := range policyInfoList {
-// rules := pi.SuccessfulRules()
-// ruleNames := strings.Join(rules, ";")
-// eventsInfo = append(eventsInfo,
-// event.NewEvent(pi.RKind, pi.RNamespace, pi.RName, event.PolicyApplied, event.SRulesApply, ruleNames, pi.Name))
-
-// glog.V(3).Infof("Success event info has prepared for %s/%s\n", pi.RKind, pi.RName)
-// }
-// }
-// }
-// return eventsInfo
-// }
diff --git a/pkg/webhooks/utils.go b/pkg/webhooks/utils.go
index c7dcac6d8b..5c658553ce 100644
--- a/pkg/webhooks/utils.go
+++ b/pkg/webhooks/utils.go
@@ -9,23 +9,6 @@ import (
 "github.com/nirmata/kyverno/pkg/engine"
 )
 
-const policyKind = "Policy"
-
-// func isAdmSuccesful(policyInfos []info.PolicyInfo) (bool, string) {
-// var admSuccess = true
-// var errMsgs []string
-// for _, pi := range policyInfos {
-// if !pi.IsSuccessful() {
-// admSuccess = false
-// errMsgs = append(errMsgs, fmt.Sprintf("\nPolicy %s failed with following rules", pi.Name))
-// // Get the error rules
-// errorRules := pi.ErrorRules()
-// errMsgs = append(errMsgs, errorRules)
-// }
-// }
-// return admSuccess, strings.Join(errMsgs, ";")
-// }
-
 func isResponseSuccesful(engineReponses []engine.EngineResponseNew) bool {
 for _, er := range engineReponses {
 if !er.IsSuccesful() {
@@ -82,26 +65,13 @@ func (i *ArrayFlags) Set(value string) error {
 
 // extract the kinds that the policy rules apply to
 func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string {
- kindsMap := map[string]interface{}{}
 kinds := []string{}
 // iterate over the rules an identify all kinds
 // Matching
 for _, rule := range p.Spec.Rules {
 for _, k := range rule.MatchResources.Kinds {
- kindsMap[k] = nil
+ kinds = append(kinds, k)
 }
- // remove excluded ones
- for _, k := range rule.ExcludeResources.Kinds {
- if _, ok := kindsMap[k]; ok {
- // delete kind
- delete(kindsMap, k)
- }
- }
- }
-
- // get the kinds
- for k := range kindsMap {
- kinds = append(kinds, k)
 }
 return kinds
 }
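Review bot: In getApplicableKindsForPolicy the new inner loop appends each entry of `rule.MatchResources.Kinds` directly to `kinds`, so the de-duplication that `kindsMap` used to provide is gone and a kind matched by several rules is returned once per rule. The callers are not visible in this patch, but if the slice drives per-kind lookups or registration the duplicates cost repeated work, so I would keep a small seen-set as in the excerpt below. Because the result is now deliberately a superset (exclude blocks are no longer subtracted), the function comment should say so, for example `// returns every kind named in a match block; exclude blocks are not applied here`, so that the subtraction is not reintroduced later and a policy silently skipped for a whole kind.

```go
	seen := map[string]struct{}{} // kinds already added to the result
	// … unchanged: comments and outer loop over p.Spec.Rules …
		for _, k := range rule.MatchResources.Kinds {
			if _, ok := seen[k]; ok {
				continue
			}
			seen[k] = struct{}{}
			kinds = append(kinds, k)
		}
	// … unchanged: end of outer loop, return kinds …
```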
@@ -112,19 +82,6 @@ const (
 ReportViolation = "audit"
 )
 
-// // returns true -> if there is even one policy that blocks resource requst
-// // returns false -> if all the policies are meant to report only, we dont block resource request
-// func toBlock(pis []info.PolicyInfo) bool {
-// for _, pi := range pis {
-// if pi.ValidationFailureAction != ReportViolation {
-// glog.V(3).Infoln("ValidationFailureAction set to enforce, blocking resource ceation")
-// return true
-// }
-// }
-// glog.V(3).Infoln("ValidationFailureAction set to audit, allowing resource creation, reporting with violation")
-// return false
-// }
-
 func processResourceWithPatches(patch []byte, resource []byte) []byte {
 if patch == nil {
 return nil