mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix pv cleanup #496

Browse source
This commit is contained in:
Shuting Zhao 2019-11-14 12:01:41 -08:00
parent 865637652e
commit c140f660f6
1 changed files with 84 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

121
pkg/policy/cleanup.go
View file

@ -20,62 +20,88 @@ func (pc *PolicyController) cleanUpPolicyViolation(pResponse engine.PolicyRespon
// - recursively get owner by queries the api server for owner information of the resource
// there can be multiple violations as a resource can have multiple owners
pvs, err := getPv(pc.pvLister, pc.client, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name)
pvs, err := getPVs(pc.pvLister, pc.nspvLister, pc.client, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name)
if err != nil {
glog.Errorf("failed to cleanUp violations: %v", err)
}
for _, pv := range pvs {
if reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) {
continue
if len(pvs) == 0 {
return
}
switch pvs[0].(type) {
case kyverno.ClusterPolicyViolation:
for _, pv := range pvs {
typedPV := pv.(kyverno.ClusterPolicyViolation)
if reflect.DeepEqual(typedPV, kyverno.ClusterPolicyViolation{}) {
continue
}
glog.V(4).Infof("cleanup cluster violation %s on %s", typedPV.Name, typedPV.Spec.ResourceSpec.ToKey())
if err := pc.pvControl.DeletePolicyViolation(typedPV.Name); err != nil {
glog.Errorf("failed to delete cluster policy violation: %v", err)
continue
}
}
glog.V(4).Infof("cleanup violations %s, on %s/%s/%s", pv.Name, pv.Spec.Kind, pv.Spec.Namespace, pv.Spec.Name)
if err := pc.pvControl.DeletePolicyViolation(pv.Name); err != nil {
glog.Errorf("failed to delete policy violation: %v", err)
continue
case kyverno.NamespacedPolicyViolation:
for _, pv := range pvs {
typedPV := pv.(kyverno.NamespacedPolicyViolation)
if reflect.DeepEqual(typedPV, kyverno.NamespacedPolicyViolation{}) {
continue
}
glog.V(4).Infof("cleanup namespaced violation %s on %s", typedPV.Name, typedPV.Spec.ResourceSpec.ToKey())
if err := pc.pvControl.DeleteNamespacedPolicyViolation(typedPV.Namespace, typedPV.Name); err != nil {
glog.Errorf("failed to delete namespaced policy violation: %v", err)
continue
}
}
}
}
func getPv(pvLister kyvernolister.ClusterPolicyViolationLister, client *dclient.Client, policyName, kind, namespace, name string) ([]kyverno.ClusterPolicyViolation, error) {
var pvs []kyverno.ClusterPolicyViolation
// getPVs gets clusterPolicyViolations or namespacedPolicyViolations depends on the resource scope
func getPVs(pvLister kyvernolister.ClusterPolicyViolationLister, nspvLister kyvernolister.NamespacedPolicyViolationLister,
client *dclient.Client, policyName, kind, namespace, name string) ([]interface{}, error) {
var pvs []interface{}
var err error
// Check Violation on resource
pv, err := getPVOnResource(pvLister, policyName, kind, namespace, name)
pv, err := getPVOnResource(pvLister, nspvLister, policyName, kind, namespace, name)
if err != nil {
glog.V(4).Infof("error while fetching pv: %v", err)
return []kyverno.ClusterPolicyViolation{}, err
glog.V(4).Infof("error while fetching violation on existing resource: %v", err)
return nil, err
}
if !reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) {
// found a pv on resource
if pv != nil {
// found a violation on resource
pvs = append(pvs, pv)
return pvs, nil
}
// Check Violations on owner
pvs, err = getPVonOwnerRef(pvLister, client, policyName, kind, namespace, name)
pvs, err = getPVonOwnerRef(pvLister, nspvLister, client, policyName, kind, namespace, name)
if err != nil {
glog.V(4).Infof("error while fetching pv: %v", err)
return []kyverno.ClusterPolicyViolation{}, err
return nil, err
}
return pvs, nil
}
func getPVonOwnerRef(pvLister kyvernolister.ClusterPolicyViolationLister, dclient *dclient.Client, policyName, kind, namespace, name string) ([]kyverno.ClusterPolicyViolation, error) {
var pvs []kyverno.ClusterPolicyViolation
func getPVonOwnerRef(pvLister kyvernolister.ClusterPolicyViolationLister, nspvLister kyvernolister.NamespacedPolicyViolationLister,
dclient *dclient.Client, policyName, kind, namespace, name string) ([]interface{}, error) {
var pvs []interface{}
// get resource
resource, err := dclient.GetResource(kind, namespace, name)
if err != nil {
glog.V(4).Infof("error while fetching the resource: %v", err)
return pvs, err
}
// get owners
// getOwners returns nil if there is any error
owners := map[kyverno.ResourceSpec]interface{}{}
policyviolation.GetOwner(dclient, owners, *resource)
// as we can have multiple top level owners to a resource
// check if pv exists on each one
// does not check for cycles
for owner := range owners {
pv, err := getPVOnResource(pvLister, policyName, owner.Kind, owner.Namespace, owner.Name)
pv, err := getPVOnResource(pvLister, nspvLister, policyName, owner.Kind, owner.Namespace, owner.Name)
if err != nil {
glog.Errorf("error while fetching resource owners: %v", err)
continue
@ -86,24 +112,45 @@ func getPVonOwnerRef(pvLister kyvernolister.ClusterPolicyViolationLister, dclien
}
// Wont do the claiming of objects, just lookup based on selectors and owner references
func getPVOnResource(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, kind, namespace, name string) (kyverno.ClusterPolicyViolation, error) {
// returns cluster policy violation if resource is cluster wide, otherwise return ns pv
func getPVOnResource(pvLister kyvernolister.ClusterPolicyViolationLister, nspvLister kyvernolister.NamespacedPolicyViolationLister, policyName, kind, namespace, name string) (interface{}, error) {
// cluster policy violation
if namespace == "" {
pvs, err := pvLister.List(labels.Everything())
if err != nil {
glog.V(2).Infof("unable to list policy violations : %v", err)
return kyverno.ClusterPolicyViolation{}, fmt.Errorf("failed to list cluster pv: %v", err)
}
pvs, err := pvLister.List(labels.Everything())
if err != nil {
glog.Errorf("unable to list policy violations : %v", err)
return kyverno.ClusterPolicyViolation{}, err
}
for _, pv := range pvs {
// find a policy on same resource and policy combination
if pv.Spec.Policy == policyName &&
pv.Spec.ResourceSpec.Kind == kind &&
pv.Spec.ResourceSpec.Namespace == namespace &&
pv.Spec.ResourceSpec.Name == name {
return *pv, nil
for _, pv := range pvs {
// find a policy on same resource and policy combination
if pv.Spec.Policy == policyName &&
pv.Spec.ResourceSpec.Kind == kind &&
pv.Spec.ResourceSpec.Namespace == namespace &&
pv.Spec.ResourceSpec.Name == name {
return *pv, nil
}
}
}
return kyverno.ClusterPolicyViolation{}, nil
// namespaced policy violation
nspvs, err := nspvLister.List(labels.Everything())
if err != nil {
glog.V(2).Infof("failed to list namespaced pv: %v", err)
return kyverno.NamespacedPolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)
}
for _, nspv := range nspvs {
// find a policy on same resource and policy combination
if nspv.Spec.Policy == policyName &&
nspv.Spec.ResourceSpec.Kind == kind &&
nspv.Spec.ResourceSpec.Namespace == namespace &&
nspv.Spec.ResourceSpec.Name == name {
return *nspv, nil
}
}
return nil, nil
}
func converLabelToSelector(labelMap map[string]string) (labels.Selector, error) {