mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
Merge pull request #1375 from kyverno/1292_match_namespace
match/exclude ns resource name
commit
b7cecd04ed
4 changed files with 20 additions and 4 deletions
|
@ -32,6 +32,8 @@ func Generate(policyContext PolicyContext) (resp response.EngineResponse) {
|
|||
return filterRules(policy, new, old, admissionInfo, ctx, logger, policyContext.ExcludeGroupRole, resCache, jsonContext)
|
||||
}
|
||||
|
||||
// filterRule checks if a rule matches the rule selection criteria.
|
||||
//
|
||||
func filterRule(rule kyverno.Rule, new, old unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger, excludeGroupRole []string, resCache resourcecache.ResourceCacheIface, jsonContext *context.Context) *response.RuleResponse {
|
||||
if !rule.HasGenerate() {
|
||||
return nil
|
||||
|
@ -67,6 +69,7 @@ func filterRule(rule kyverno.Rule, new, old unstructured.Unstructured, admission
|
|||
log.V(4).Info("preconditions not satisfied, skipping rule", "rule", rule.Name)
|
||||
return nil
|
||||
}
|
||||
|
||||
// build rule Response
|
||||
return &response.RuleResponse{
|
||||
Name: rule.Name,
|
||||
|
@ -89,10 +92,12 @@ func filterRules(policy kyverno.ClusterPolicy, new, old unstructured.Unstructure
|
|||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, rule := range policy.Spec.Rules {
|
||||
if ruleResp := filterRule(rule, new, old, admissionInfo, ctx, log, excludeGroupRole, resCache, jsonContext); ruleResp != nil {
|
||||
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
|
||||
}
|
||||
}
|
||||
|
||||
return resp
|
||||
}
|
||||
|
|
|
@ -65,7 +65,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
|
|||
|
||||
// add configmap json data to context
|
||||
if err := AddResourceToContext(logger, rule.Context, resCache, jsonContext); err != nil {
|
||||
logger.V(4).Info("cannot add configmaps to context", "reason", err.Error())
|
||||
logger.V(4).Info("failed to add configmaps to context", "reason", err.Error())
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
|
@ -45,12 +45,18 @@ func checkName(name, resourceName string) bool {
|
|||
return wildcard.Match(name, resourceName)
|
||||
}
|
||||
|
||||
func checkNameSpace(namespaces []string, resourceNameSpace string) bool {
|
||||
func checkNameSpace(namespaces []string, resource unstructured.Unstructured) bool {
|
||||
resourceNameSpace := resource.GetNamespace()
|
||||
if resource.GetKind() == "Namespace" {
|
||||
resourceNameSpace = resource.GetName()
|
||||
}
|
||||
|
||||
for _, namespace := range namespaces {
|
||||
if wildcard.Match(namespace, resourceNameSpace) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
|
@ -108,26 +114,31 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin
|
|||
// should be: OR (across & inside) attributes
|
||||
func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, userInfo kyverno.UserInfo, admissionInfo kyverno.RequestInfo, resource unstructured.Unstructured, dynamicConfig []string) []error {
|
||||
var errs []error
|
||||
|
||||
if len(conditionBlock.Kinds) > 0 {
|
||||
if !checkKind(conditionBlock.Kinds, resource.GetKind()) {
|
||||
errs = append(errs, fmt.Errorf("kind does not match %v", conditionBlock.Kinds))
|
||||
}
|
||||
}
|
||||
|
||||
if conditionBlock.Name != "" {
|
||||
if !checkName(conditionBlock.Name, resource.GetName()) {
|
||||
errs = append(errs, fmt.Errorf("name does not match"))
|
||||
}
|
||||
}
|
||||
|
||||
if len(conditionBlock.Namespaces) > 0 {
|
||||
if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) {
|
||||
if !checkNameSpace(conditionBlock.Namespaces, resource) {
|
||||
errs = append(errs, fmt.Errorf("namespace does not match"))
|
||||
}
|
||||
}
|
||||
|
||||
if len(conditionBlock.Annotations) > 0 {
|
||||
if !checkAnnotations(conditionBlock.Annotations, resource.GetAnnotations()) {
|
||||
errs = append(errs, fmt.Errorf("annotations does not match"))
|
||||
}
|
||||
}
|
||||
|
||||
if conditionBlock.Selector != nil {
|
||||
hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels())
|
||||
if err != nil {
|
||||
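Review bot: In `checkNameSpace`, the new special case keys only on `resource.GetKind() == "Namespace"`, so any object whose kind string is `Namespace` (including a custom resource of that kind in another API group, if one is installed) would be compared by its name instead of its namespace, and a match or exclude block could then select a resource the policy author did not intend. Consider pinning the API version as well, e.g. `if resource.GetKind() == "Namespace" && resource.GetAPIVersion() == "v1" {`. The function also has no doc comment; something like `// checkNameSpace reports whether any pattern matches the resource's namespace, or its name when the resource is itself a Namespace.` would record the new behaviour for policy authors and maintainers. No test change is visible among the four files shown, so a case covering a Namespace resource in both a match and an exclude block would be worth adding.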
|
|
|
@ -55,7 +55,7 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
|
|||
for i := range resp.PolicyResponse.Rules {
|
||||
messageInterface, err := variables.SubstituteVars(logger, ctx, resp.PolicyResponse.Rules[i].Message)
|
||||
if err != nil {
|
||||
logger.V(4).Info("failed to substitute JMES value", "error", err.Error())
|
||||
logger.V(4).Info("failed to substitute variables", "error", err.Error())
|
||||
continue
|
||||
}
|
||||
resp.PolicyResponse.Rules[i].Message, _ = messageInterface.(string)
|
||||
|
|