mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
Fixed issue with absent kind in resource raw data in PolicyEngine
This commit is contained in:
Maxim Goncharenko
parent
c4a9e339f8
commit
bcdbe420a8
6 changed files with 21 additions and 20 deletions
|
|
@ -3,10 +3,11 @@ package policyengine
|
|||
import (
|
||||
kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
|
||||
"github.com/nirmata/kube-policy/pkg/policyengine/mutation"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// Mutate performs mutation. Overlay first and then mutation patches
|
||||
func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte) []mutation.PatchBytes {
|
||||
func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) []mutation.PatchBytes {
|
||||
var policyPatches []mutation.PatchBytes
|
||||
|
||||
for i, rule := range policy.Spec.Rules {
|
||||
|
|
@ -22,7 +23,7 @@ func (p *policyEngine) Mutate(policy kubepolicy.Policy, rawResource []byte) []mu
|
|||
continue
|
||||
}
|
||||
|
||||
ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription)
|
||||
ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
|
||||
if err != nil {
|
||||
p.logger.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
|
||||
continue
|
||||
|
|
|
|||
|
|
@ -70,9 +70,8 @@ func ParseRegexPolicyResourceName(policyResourceName string) (string, bool) {
|
|||
}
|
||||
|
||||
// ResourceMeetsRules checks requests kind, name and labels to fit the policy
|
||||
func ResourceMeetsRules(resourceRaw []byte, description kubepolicy.ResourceDescription) (bool, error) {
|
||||
kind := ParseKindFromObject(resourceRaw)
|
||||
if description.Kind != kind {
|
||||
func ResourceMeetsRules(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) (bool, error) {
|
||||
if description.Kind != gvk.Kind {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -9,17 +9,18 @@ import (
|
|||
event "github.com/nirmata/kube-policy/pkg/event"
|
||||
"github.com/nirmata/kube-policy/pkg/policyengine/mutation"
|
||||
policyviolation "github.com/nirmata/kube-policy/pkg/policyviolation"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
type PolicyEngine interface {
|
||||
// Mutate should be called from admission contoller
|
||||
// when there is an creation / update of the resource
|
||||
// ProcessMutation(policy types.Policy, rawResource []byte) (patchBytes []byte, events []Events, err error)
|
||||
Mutate(policy types.Policy, rawResource []byte) []mutation.PatchBytes
|
||||
Mutate(policy types.Policy, rawResource []byte, gvk metav1.GroupVersionKind) []mutation.PatchBytes
|
||||
|
||||
// Validate should be called from admission contoller
|
||||
// when there is an creation / update of the resource
|
||||
Validate(policy types.Policy, rawResource []byte) bool
|
||||
Validate(policy types.Policy, rawResource []byte, gvk metav1.GroupVersionKind) bool
|
||||
|
||||
// ProcessExisting should be called from policy controller
|
||||
// when there is an create / update of the policy
|
||||
|
|
@ -54,10 +55,10 @@ func (p *policyEngine) ProcessExisting(policy types.Policy, rawResource []byte)
|
|||
continue
|
||||
}
|
||||
|
||||
if ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription); !ok {
|
||||
p.logger.Printf("Rule %s of policy %s is not applicable to the request", rule.Name, policy.Name)
|
||||
return nil, nil, err
|
||||
}
|
||||
//if ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription); !ok {
|
||||
// p.logger.Printf("Rule %s of policy %s is not applicable to the request", rule.Name, policy.Name)
|
||||
// return nil, nil, err
|
||||
//}
|
||||
|
||||
violation, eventInfos, err := p.processRuleOnResource(policy.Name, rule, rawResource)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -6,9 +6,10 @@ import (
|
|||
|
||||
kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
|
||||
"github.com/nirmata/kube-policy/pkg/policyengine/mutation"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
func (p *policyEngine) Validate(policy kubepolicy.Policy, rawResource []byte) bool {
|
||||
func (p *policyEngine) Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) bool {
|
||||
var resource interface{}
|
||||
json.Unmarshal(rawResource, &resource)
|
||||
|
||||
|
|
@ -26,7 +27,7 @@ func (p *policyEngine) Validate(policy kubepolicy.Policy, rawResource []byte) bo
|
|||
continue
|
||||
}
|
||||
|
||||
ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription)
|
||||
ok, err := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription, gvk)
|
||||
if err != nil {
|
||||
p.logger.Printf("Rule has invalid data: rule number = %d, rule name = %s in policy %s, err: %v\n", i, rule.Name, policy.ObjectMeta.Name, err)
|
||||
continue
|
||||
|
|
|
|||
|
|
@ -148,7 +148,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
|
|||
for _, policy := range policies {
|
||||
ws.logger.Printf("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||
|
||||
policyPatches := ws.policyEngine.Mutate(*policy, request.Object.Raw)
|
||||
policyPatches := ws.policyEngine.Mutate(*policy, request.Object.Raw, request.Kind)
|
||||
allPatches = append(allPatches, policyPatches...)
|
||||
|
||||
if len(policyPatches) > 0 {
|
||||
|
|
@ -181,7 +181,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
for _, policy := range policies {
|
||||
ws.logger.Printf("Validating resource with policy %s with %d rules", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||
|
||||
if ok := ws.policyEngine.Validate(*policy, request.Object.Raw); !ok {
|
||||
if ok := ws.policyEngine.Validate(*policy, request.Object.Raw, request.Kind); !ok {
|
||||
ws.logger.Printf("Validation has failed: %v\n", err)
|
||||
utilruntime.HandleError(err)
|
||||
allowed = false
|
||||
|
|
|
|||
|
|
@ -6,7 +6,6 @@ import (
|
|||
|
||||
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
|
||||
event "github.com/nirmata/kube-policy/pkg/event"
|
||||
"github.com/nirmata/kube-policy/pkg/policyengine/mutation"
|
||||
policyviolation "github.com/nirmata/kube-policy/pkg/policyviolation"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
|
|
@ -86,7 +85,7 @@ func (pc *PolicyController) filterResourceByRule(rule types.Rule) ([]runtime.Obj
|
|||
|
||||
for _, resource := range resources {
|
||||
// TODO:
|
||||
rawResource, err := json.Marshal(resource)
|
||||
//rawResource, err := json.Marshal(resource)
|
||||
// objKind := resource.GetObjectKind()
|
||||
// codecFactory := serializer.NewCodecFactory(runtime.NewScheme())
|
||||
// codecFactory.EncoderForVersion()
|
||||
|
|
@ -97,9 +96,9 @@ func (pc *PolicyController) filterResourceByRule(rule types.Rule) ([]runtime.Obj
|
|||
}
|
||||
|
||||
// filter the resource by name and label
|
||||
if ok, _ := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription); ok {
|
||||
targetResources = append(targetResources, resource)
|
||||
}
|
||||
//if ok, _ := mutation.ResourceMeetsRules(rawResource, rule.ResourceDescription); ok {
|
||||
// targetResources = append(targetResources, resource)
|
||||
//}
|
||||
}
|
||||
return targetResources, nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue