mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00

remove exlude kind checks

shivkumar dudhani 2019-09-04 10:40:49 -07:00
parent 5a6814a588
commit b66c1b7f0c
3 changed files with 1 additions and 136 deletions


@ -4,52 +4,4 @@ const (
wqNamespace string = "namespace" wqNamespace string = "namespace"
workerCount int = 1 workerCount int = 1
wqRetryLimit int = 5 wqRetryLimit int = 5
policyKind string = "Policy"
) )
// func namespaceMeetsRuleDescription(ns *corev1.Namespace, resourceDescription v1alpha1.ResourceDescription) bool {
// //REWORK Not needed but verify the 'Namespace' is defined in the list of supported kinds
// if !findKind(resourceDescription.Kinds, "Namespace") {
// return false
// }
// if resourceDescription.Name != nil {
// if !wildcard.Match(*resourceDescription.Name, ns.Name) {
// return false
// }
// }
// if resourceDescription.Selector != nil {
// selector, err := metav1.LabelSelectorAsSelector(resourceDescription.Selector)
// if err != nil {
// return false
// }
// labelSet := convertLabelsToLabelSet(ns.Labels)
// // labels
// if !selector.Matches(labelSet) {
// return false
// }
// }
// return true
// }
// func convertLabelsToLabelSet(labelMap map[string]string) labels.Set {
// labelSet := make(labels.Set, len(labelMap))
// // REWORK: check if the below works
// // if x, ok := labelMap.(labels.Set); !ok {
// // }
// for k, v := range labelMap {
// labelSet[k] = v
// }
// return labelSet
// }
// func findKind(kinds []string, kindGVK string) bool {
// for _, kind := range kinds {
// if kind == kindGVK {
// return true
// }
// }
// return false
// }


@ -94,47 +94,3 @@ func generateEvents(engineResponses []engine.EngineResponseNew, onUpdate bool) [
} }
return events return events
} }
// //TODO: change validation from bool -> enum(validation, mutation)
// func newEventInfoFromPolicyInfo(policyInfoList []info.PolicyInfo, onUpdate bool, ruleType info.RuleType) []*event.Info {
// var eventsInfo []*event.Info
// ok, msg := isAdmSuccesful(policyInfoList)
// // Some policies failed to apply succesfully
// if !ok {
// for _, pi := range policyInfoList {
// if pi.IsSuccessful() {
// continue
// }
// rules := pi.FailedRules()
// ruleNames := strings.Join(rules, ";")
// if !onUpdate {
// // CREATE
// eventsInfo = append(eventsInfo,
// event.NewEvent(policyKind, "", pi.Name, event.RequestBlocked, event.FPolicyApplyBlockCreate, pi.RNamespace+"/"+pi.RName, ruleNames))
// glog.V(3).Infof("Rule(s) %s of policy %s blocked resource creation, error: %s\n", ruleNames, pi.Name, msg)
// } else {
// // UPDATE
// eventsInfo = append(eventsInfo,
// event.NewEvent(pi.RKind, pi.RNamespace, pi.RName, event.RequestBlocked, event.FPolicyApplyBlockUpdate, ruleNames, pi.Name))
// eventsInfo = append(eventsInfo,
// event.NewEvent(policyKind, "", pi.Name, event.RequestBlocked, event.FPolicyBlockResourceUpdate, pi.RNamespace+"/"+pi.RName, ruleNames))
// glog.V(3).Infof("Request blocked events info has prepared for %s/%s and %s/%s\n", policyKind, pi.Name, pi.RKind, pi.RName)
// }
// }
// } else {
// if !onUpdate {
// // All policies were applied succesfully
// // CREATE
// for _, pi := range policyInfoList {
// rules := pi.SuccessfulRules()
// ruleNames := strings.Join(rules, ";")
// eventsInfo = append(eventsInfo,
// event.NewEvent(pi.RKind, pi.RNamespace, pi.RName, event.PolicyApplied, event.SRulesApply, ruleNames, pi.Name))
// glog.V(3).Infof("Success event info has prepared for %s/%s\n", pi.RKind, pi.RName)
// }
// }
// }
// return eventsInfo
// }


@ -9,23 +9,6 @@ import (
"github.com/nirmata/kyverno/pkg/engine" "github.com/nirmata/kyverno/pkg/engine"
) )
const policyKind = "Policy"
// func isAdmSuccesful(policyInfos []info.PolicyInfo) (bool, string) {
// var admSuccess = true
// var errMsgs []string
// for _, pi := range policyInfos {
// if !pi.IsSuccessful() {
// admSuccess = false
// errMsgs = append(errMsgs, fmt.Sprintf("\nPolicy %s failed with following rules", pi.Name))
// // Get the error rules
// errorRules := pi.ErrorRules()
// errMsgs = append(errMsgs, errorRules)
// }
// }
// return admSuccess, strings.Join(errMsgs, ";")
// }
func isResponseSuccesful(engineReponses []engine.EngineResponseNew) bool { func isResponseSuccesful(engineReponses []engine.EngineResponseNew) bool {
for _, er := range engineReponses { for _, er := range engineReponses {
if !er.IsSuccesful() { if !er.IsSuccesful() {
@ -82,26 +65,13 @@ func (i *ArrayFlags) Set(value string) error {
// extract the kinds that the policy rules apply to // extract the kinds that the policy rules apply to
func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string { func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string {
kindsMap := map[string]interface{}{}
kinds := []string{} kinds := []string{}
// iterate over the rules an identify all kinds // iterate over the rules an identify all kinds
// Matching // Matching
for _, rule := range p.Spec.Rules { for _, rule := range p.Spec.Rules {
for _, k := range rule.MatchResources.Kinds { for _, k := range rule.MatchResources.Kinds {
kindsMap[k] = nil kinds = append(kinds, k)
} }
// remove excluded ones
for _, k := range rule.ExcludeResources.Kinds {
if _, ok := kindsMap[k]; ok {
// delete kind
delete(kindsMap, k)
}
}
}
// get the kinds
for k := range kindsMap {
kinds = append(kinds, k)
} }
return kinds return kinds
} }
@ -112,19 +82,6 @@ const (
ReportViolation = "audit" ReportViolation = "audit"
) )
// // returns true -> if there is even one policy that blocks resource requst
// // returns false -> if all the policies are meant to report only, we dont block resource request
// func toBlock(pis []info.PolicyInfo) bool {
// for _, pi := range pis {
// if pi.ValidationFailureAction != ReportViolation {
// glog.V(3).Infoln("ValidationFailureAction set to enforce, blocking resource ceation")
// return true
// }
// }
// glog.V(3).Infoln("ValidationFailureAction set to audit, allowing resource creation, reporting with violation")
// return false
// }
func processResourceWithPatches(patch []byte, resource []byte) []byte { func processResourceWithPatches(patch []byte, resource []byte) []byte {
if patch == nil { if patch == nil {
return nil return nil
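Review bot: getApplicableKindsForPolicy no longer de-duplicates its result: with `kindsMap` gone, `kinds = append(kinds, k)` in the inner loop adds a kind once for every rule that matches it, so a policy whose rules share a kind returns repeated entries. Dropping the exclude pass is the stated purpose of the commit, but the map was also what kept the list unique. If callers use this list to decide which resource kinds are watched or evaluated (not visible on this page), duplicates could cause redundant registrations or repeated processing. Keeping a set purely for uniqueness would preserve the old contract: `seen := map[string]struct{}{}` before the loops and `if _, ok := seen[k]; !ok { seen[k] = struct{}{}; kinds = append(kinds, k) }` inside. The function comment could also state that `ExcludeResources.Kinds` is deliberately ignored here, so that a kind named in an exclude block still stays in the policy's coverage and the exclusion is left to rule evaluation.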