mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00

remove policy exception dependancy from globalcontext and add some tests (#11788)

Signed-off-by: Damien Degois <damien@degois.info>
Co-authored-by: shuting <shuting@nirmata.com>
Damien Degois 2025-01-03 17:16:37 +01:00 committed by GitHub
parent e0fe6ec59a
commit c282f71212
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 27 additions and 50 deletions


@ -40,7 +40,6 @@ import (
runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime" runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy" "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
"github.com/kyverno/kyverno/pkg/validation/exception" "github.com/kyverno/kyverno/pkg/validation/exception"
"github.com/kyverno/kyverno/pkg/validation/globalcontext"
"github.com/kyverno/kyverno/pkg/webhooks" "github.com/kyverno/kyverno/pkg/webhooks"
webhooksexception "github.com/kyverno/kyverno/pkg/webhooks/exception" webhooksexception "github.com/kyverno/kyverno/pkg/webhooks/exception"
webhooksglobalcontext "github.com/kyverno/kyverno/pkg/webhooks/globalcontext" webhooksglobalcontext "github.com/kyverno/kyverno/pkg/webhooks/globalcontext"
@ -585,9 +584,7 @@ func main() {
Enabled: internal.PolicyExceptionEnabled(), Enabled: internal.PolicyExceptionEnabled(),
Namespace: internal.ExceptionNamespace(), Namespace: internal.ExceptionNamespace(),
}) })
globalContextHandlers := webhooksglobalcontext.NewHandlers(globalcontext.ValidationOptions{ globalContextHandlers := webhooksglobalcontext.NewHandlers()
Enabled: internal.PolicyExceptionEnabled(),
})
server := webhooks.NewServer( server := webhooks.NewServer(
signalCtx, signalCtx,
policyHandlers, policyHandlers,


@ -7,20 +7,9 @@ import (
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1" kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
) )
const (
disabledGctx = "Global context entry would not be processed until it is enabled."
)
type ValidationOptions struct {
Enabled bool
}
// Validate checks global context entry is valid // Validate checks global context entry is valid
func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry, opts ValidationOptions) ([]string, error) { func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry) ([]string, error) {
var warnings []string var warnings []string
if !opts.Enabled {
warnings = append(warnings, disabledGctx)
}
errs := gctx.Validate() errs := gctx.Validate()
return warnings, errs.ToAggregate() return warnings, errs.ToAggregate()
} }
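Review bot: In Validate, `warnings` is now declared and returned but nothing appends to it, so the first return value is always nil, and `ctx` and `logger` are not used in the lines shown. If the signature is kept for the caller's sake, the doc comment should say so, for example `// Validate checks that a global context entry is valid. It currently produces no warnings; the slice is returned for the caller's admission response.` Otherwise drop the local and write `return nil, errs.ToAggregate()`. How the caller uses the warnings is not visible in this section, so that part of the wording should be confirmed.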


@ -11,7 +11,6 @@ import (
func Test_Validate(t *testing.T) { func Test_Validate(t *testing.T) {
type args struct { type args struct {
opts ValidationOptions
resource []byte resource []byte
} }
tc := []struct { tc := []struct {
@ -21,45 +20,41 @@ func Test_Validate(t *testing.T) {
wantErr bool wantErr bool
}{ }{
{ {
name: "GlobalContextEntry disabled.", name: "GlobalContextEntry with both KubernetesResource and APICall present",
args: args{ args: args{
opts: ValidationOptions{
Enabled: false,
},
resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
},
want: 1,
wantErr: false,
},
{
name: "GlobalContextEntry enabled, both KubernetesResource and APICall present",
args: args{
opts: ValidationOptions{
Enabled: true,
},
resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"},"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`), resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"},"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
}, },
want: 0, want: 0,
wantErr: true, wantErr: true,
}, },
{ {
name: "GlobalContextEntry enabled, neither KubernetesResource nor APICall present", name: "GlobalContextEntry with neither KubernetesResource nor APICall present",
args: args{ args: args{
opts: ValidationOptions{
Enabled: true,
},
resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{}}`), resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{}}`),
}, },
want: 0, want: 0,
wantErr: true, wantErr: true,
}, },
{ {
name: "GlobalContextEntry enabled.", name: "GlobalContextEntry with only KubernetesResource present",
args: args{ args: args{
opts: ValidationOptions{ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
Enabled: true,
}, },
resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`), want: 0,
wantErr: false,
},
{
name: "GlobalContextEntry with a core KubernetesResource present",
args: args{
resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"version":"v1","resource":"namespaces"}}}`),
},
want: 0,
wantErr: false,
},
{
name: "GlobalContextEntry with only APICall present",
args: args{
resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-apicall"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
}, },
want: 0, want: 0,
wantErr: false, wantErr: false,
@ -69,7 +64,7 @@ func Test_Validate(t *testing.T) {
t.Run(c.name, func(t *testing.T) { t.Run(c.name, func(t *testing.T) {
gctx, err := admissionutils.UnmarshalGlobalContextEntry(c.args.resource) gctx, err := admissionutils.UnmarshalGlobalContextEntry(c.args.resource)
assert.NilError(t, err) assert.NilError(t, err)
warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx, c.args.opts) warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx)
if c.wantErr { if c.wantErr {
assert.Assert(t, err != nil) assert.Assert(t, err != nil)
} else { } else {
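Review bot: Every case in the table now sets `want: 0`, so the `want` field no longer distinguishes any case. Since Validate appends no warnings after this commit, the field could be dropped in favour of one fixed check such as `assert.Equal(t, len(warnings), 0)`; the existing warnings assertion is outside the hunk, so check how it is written first. Separately, the "only APICall present" fixture keeps `"refreshInterval":"10ns"` with `wantErr: false`, which pins that validation accepts a 10-nanosecond refresh interval. If a lower bound is meant to be enforced, use a realistic value such as `"10s"` in the positive case and add a negative case for the too-small interval.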


@ -11,14 +11,10 @@ import (
"github.com/kyverno/kyverno/pkg/webhooks/handlers" "github.com/kyverno/kyverno/pkg/webhooks/handlers"
) )
type gctxHandlers struct { type gctxHandlers struct{}
validationOptions validation.ValidationOptions
}
func NewHandlers(validationOptions validation.ValidationOptions) webhooks.GlobalContextHandlers { func NewHandlers() webhooks.GlobalContextHandlers {
return &gctxHandlers{ return &gctxHandlers{}
validationOptions: validationOptions,
}
} }
// Validate performs the validation check on global context entries // Validate performs the validation check on global context entries
@ -28,7 +24,7 @@ func (h *gctxHandlers) Validate(ctx context.Context, logger logr.Logger, request
logger.Error(err, "failed to unmarshal global context entry from admission request") logger.Error(err, "failed to unmarshal global context entry from admission request")
return admissionutils.Response(request.UID, err) return admissionutils.Response(request.UID, err)
} }
warnings, err := validation.Validate(ctx, logger, gctx, h.validationOptions) warnings, err := validation.Validate(ctx, logger, gctx)
if err != nil { if err != nil {
logger.Error(err, "global context entry validation errors") logger.Error(err, "global context entry validation errors")
} }
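Review bot: NewHandlers is exported and now takes no arguments, but it has no doc comment, and the signature change breaks any caller outside this repository that still passes options. A comment such as `// NewHandlers returns the admission handlers for GlobalContextEntry resources; validation takes no options.` would record the new contract. The Validate method's body continues outside the hunk.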