mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

744 fixing previous commit implementation

shravan 2020-05-07 14:38:15 +05:30
parent 6f01bb4d59
commit ba0de32454


@ -52,15 +52,12 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) {
endResultResponse(logger, &resp, startTime)
}()
// deny logic will only be applied to requests from user - system related requests are ignored.
if admissionInfo.AdmissionUserInfo.Username == "kubernetes-admin" {
// If request is delete, newR will be empty
if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo)
} else {
if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() {
return *denyResp
}
// If request is delete, newR will be empty
if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo)
} else {
if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() {
return *denyResp
}
}
@ -99,6 +96,12 @@ func incrementAppliedCount(resp *response.EngineResponse) {
func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
resp := &response.EngineResponse{}
// deny logic will only be applied to requests from user - system related requests are ignored.
if admissionInfo.AdmissionUserInfo.Username != "kubernetes-admin" {
return resp
}
for _, rule := range policy.Spec.Rules {
if !rule.HasValidate() {
continue
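Review bot: The guard added at the top of isRequestDenied compares the requester with the single literal `"kubernetes-admin"` and returns the empty `resp` for everyone else, so deny rules are evaluated for that one username only; any other human user, and every service account, gets through without the deny conditions being checked. The comment states the intent as skipping system requests, which calls for the opposite shape: exclude what is known to be system traffic and enforce for everything else, for example `if strings.HasPrefix(admissionInfo.AdmissionUserInfo.Username, "system:") { return resp }` (this prefix also covers service accounts, so a configurable list of excluded users and groups is likely the better fit). Validate's delete branch returns this result directly, so for a skipped user it hands back an empty EngineResponse, which is presumably treated as success; IsSuccesful is not shown here. isRequestDenied's body continues past the end of the hunk.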