feat: propagate context to dynamic client (#5495)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
parent
c6faee2559
commit
c3be9e36a5
26 changed files with 154 additions and 136 deletions
|
@ -8,6 +8,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
"github.com/kyverno/kyverno/pkg/policy/generate"
|
||||
"golang.org/x/net/context"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/client-go/discovery"
|
||||
|
@ -35,12 +36,12 @@ func NewCleanup(client dclient.Interface, cleanup kyvernov1alpha1.CleanupPolicyS
|
|||
}
|
||||
|
||||
// canIDelete returns a error if kyverno cannot perform operations
|
||||
func (c *Cleanup) CanIDelete(kind, namespace string) error {
|
||||
func (c *Cleanup) CanIDelete(ctx context.Context, kind, namespace string) error {
|
||||
// Skip if there is variable defined
|
||||
authCheck := c.authCheck
|
||||
if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
|
||||
// DELETE
|
||||
ok, err := authCheck.CanIDelete(kind, namespace)
|
||||
ok, err := authCheck.CanIDelete(ctx, kind, namespace)
|
||||
if err != nil {
|
||||
// machinery error
|
||||
return err
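Review bot: The import added in the first hunk is `"golang.org/x/net/context"`, while the other files on this page that gain a context import use the standard-library `"context"`. The x/net package has aliased its `Context` type to the standard one since Go 1.9, so this should compile, but it keeps a legacy dependency path alive for no benefit and makes the `CanIDelete(ctx context.Context, ...)` signature look different from the `dclient.Interface` methods it feeds. Replace it with `"context"` in the standard-library import group. The body of CanIDelete continues past the end of this hunk.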
|
||||
|
|
|
@ -193,7 +193,7 @@ func getResourcesOfTypeFromCluster(resourceTypes []string, dClient dclient.Inter
|
|||
r := make(map[string]*unstructured.Unstructured)
|
||||
|
||||
for _, kind := range resourceTypes {
|
||||
resourceList, err := dClient.ListResource("", kind, namespace, nil)
|
||||
resourceList, err := dClient.ListResource(context.TODO(), "", kind, namespace, nil)
|
||||
if err != nil {
|
||||
continue
|
||||
}
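Review bot: Passing `context.TODO()` to `ListResource` here propagates nothing yet, because getResourcesOfTypeFromCluster takes no context and its caller cannot cancel the list request or give it a deadline. The same placeholder is introduced in the hunks for GetResource (package common), cleanupClonedResource, applyRule, manageData, manageClone, manageCloneList, ApplyResource, GetUnstrResource, deleteGeneratedResources, the mutate controller's ProcessUR and cleanupDataResource. If a `ctx context.Context` first parameter is planned for these in a follow-up, a marker such as `// TODO: accept ctx from the caller` at each site would keep them findable; without one they read as finished code. This function starts and ends outside the hunk.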
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"reflect"
|
||||
|
||||
|
@ -18,7 +19,7 @@ type CanIOptions interface {
|
|||
// - group version resource is determined from the kind using the discovery client REST mapper
|
||||
// - If disallowed, the reason and evaluationError is available in the logs
|
||||
// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions
|
||||
RunAccessCheck() (bool, error)
|
||||
RunAccessCheck(context.Context) (bool, error)
|
||||
}
|
||||
|
||||
type canIOptions struct {
|
||||
|
@ -44,7 +45,7 @@ func NewCanI(client dclient.Interface, kind, namespace, verb string) CanIOptions
|
|||
// - group version resource is determined from the kind using the discovery client REST mapper
|
||||
// - If disallowed, the reason and evaluationError is available in the logs
|
||||
// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions
|
||||
func (o *canIOptions) RunAccessCheck() (bool, error) {
|
||||
func (o *canIOptions) RunAccessCheck(ctx context.Context) (bool, error) {
|
||||
// get GroupVersionResource from RESTMapper
|
||||
// get GVR from kind
|
||||
gvr, err := o.client.Discovery().GetGVRFromKind(o.kind)
|
||||
|
@ -75,7 +76,7 @@ func (o *canIOptions) RunAccessCheck() (bool, error) {
|
|||
logger := logger.WithValues("kind", sar.Kind, "namespace", sar.Namespace, "name", sar.Name)
|
||||
|
||||
// Create the Resource
|
||||
resp, err := o.client.CreateResource("", "SelfSubjectAccessReview", "", sar, false)
|
||||
resp, err := o.client.CreateResource(ctx, "", "SelfSubjectAccessReview", "", sar, false)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to create resource")
|
||||
return false, err
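Review bot: The doc comment above `RunAccessCheck` (on both the interface and the implementation) does not say what the new context argument does to the result of this authorization check. The context is handed to `CreateResource` for the SelfSubjectAccessReview, and any error from that call returns `false, err`, so a cancelled or timed-out context presumably looks the same as a failed check unless the caller inspects `err`. I would name the parameter in the interface, `RunAccessCheck(ctx context.Context) (bool, error)`, and add a bullet such as `// - ctx bounds the SelfSubjectAccessReview request; on error the result is false and means "not evaluated", not "denied"`. The function body continues outside this hunk.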
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
|
@ -80,7 +81,7 @@ func TestCanIOptions_RunAccessCheck(t *testing.T) {
|
|||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
o := NewCanI(tt.fields.client, tt.fields.kind, tt.fields.namespace, tt.fields.verb)
|
||||
got, err := o.RunAccessCheck()
|
||||
got, err := o.RunAccessCheck(context.TODO())
|
||||
if tt.wantErr {
|
||||
assert.Error(t, err)
|
||||
} else {
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package common
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
|
@ -20,7 +21,7 @@ func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSp
|
|||
if resourceSpec.Kind == "Namespace" {
|
||||
resourceSpec.Namespace = ""
|
||||
}
|
||||
resource, err := client.GetResource(resourceSpec.APIVersion, resourceSpec.Kind, resourceSpec.Namespace, resourceSpec.Name)
|
||||
resource, err := client.GetResource(context.TODO(), resourceSpec.APIVersion, resourceSpec.Kind, resourceSpec.Namespace, resourceSpec.Name)
|
||||
if err != nil {
|
||||
if urSpec.Type == kyvernov1beta1.Mutate && errors.IsNotFound(err) && urSpec.Context.AdmissionRequestInfo.Operation == admissionv1.Delete {
|
||||
log.V(4).Info("trigger resource does not exist for mutateExisting rule", "operation", urSpec.Context.AdmissionRequestInfo.Operation)
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
package generate
|
||||
|
||||
import (
|
||||
contextdefault "context"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
@ -22,7 +22,7 @@ import (
|
|||
pkgcommon "github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
|
@ -121,7 +121,7 @@ func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error {
|
|||
// - trigger-resource is deleted
|
||||
// - generated-resources are deleted
|
||||
// - > Now delete the UpdateRequest CR
|
||||
return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(contextdefault.TODO(), ur.Name, metav1.DeleteOptions{})
|
||||
return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.Name, metav1.DeleteOptions{})
|
||||
} else {
|
||||
time.Sleep(time.Second * time.Duration(sleepCountInt))
|
||||
incrementedCountString := strconv.Itoa(sleepCountInt)
|
||||
|
@ -134,7 +134,7 @@ func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error {
|
|||
}
|
||||
|
||||
ur.SetAnnotations(urAnnotations)
|
||||
_, err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Update(contextdefault.TODO(), ur, metav1.UpdateOptions{})
|
||||
_, err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Update(context.TODO(), ur, metav1.UpdateOptions{})
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to update annotation in update request for the resource", "update request", ur.Name, "resourceVersion", ur.GetResourceVersion())
|
||||
return err
|
||||
|
@ -219,7 +219,7 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u
|
|||
}
|
||||
|
||||
for _, v := range urList {
|
||||
err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(contextdefault.TODO(), v.GetName(), metav1.DeleteOptions{})
|
||||
err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), v.GetName(), metav1.DeleteOptions{})
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to delete update request")
|
||||
}
|
||||
|
@ -235,7 +235,7 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u
|
|||
|
||||
// cleanupClonedResource deletes cloned resource if sync is not enabled for the clone policy
|
||||
func (c *GenerateController) cleanupClonedResource(targetSpec kyvernov1.ResourceSpec) error {
|
||||
target, err := c.client.GetResource(targetSpec.APIVersion, targetSpec.Kind, targetSpec.Namespace, targetSpec.Name)
|
||||
target, err := c.client.GetResource(context.TODO(), targetSpec.APIVersion, targetSpec.Kind, targetSpec.Namespace, targetSpec.Name)
|
||||
if err != nil {
|
||||
if !apierrors.IsNotFound(err) {
|
||||
return fmt.Errorf("failed to find generated resource %s/%s: %v", targetSpec.Namespace, targetSpec.Name, err)
|
||||
|
@ -251,7 +251,7 @@ func (c *GenerateController) cleanupClonedResource(targetSpec kyvernov1.Resource
|
|||
clone := labels["generate.kyverno.io/clone-policy-name"] != ""
|
||||
|
||||
if syncEnabled && !clone {
|
||||
if err := c.client.DeleteResource(target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName(), false); err != nil {
|
||||
if err := c.client.DeleteResource(context.TODO(), target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName(), false); err != nil {
|
||||
return fmt.Errorf("cloned resource is not deleted %s/%s: %v", targetSpec.Namespace, targetSpec.Name, err)
|
||||
}
|
||||
}
|
||||
|
@ -407,7 +407,7 @@ func getResourceInfoForDataAndClone(rule kyvernov1.Rule) (kind, name, namespace,
|
|||
return
|
||||
}
|
||||
|
||||
func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, policy kyvernov1.PolicyInterface, ur kyvernov1beta1.UpdateRequest) ([]kyvernov1.ResourceSpec, error) {
|
||||
func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, resource unstructured.Unstructured, ctx enginecontext.EvalInterface, policy kyvernov1.PolicyInterface, ur kyvernov1beta1.UpdateRequest) ([]kyvernov1.ResourceSpec, error) {
|
||||
rdatas := []GenerateResponse{}
|
||||
var cresp, dresp map[string]interface{}
|
||||
var err error
|
||||
|
@ -507,7 +507,7 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, r
|
|||
newResource.SetLabels(label)
|
||||
|
||||
// Create the resource
|
||||
_, err = client.CreateResource(rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, newResource, false)
|
||||
_, err = client.CreateResource(context.TODO(), rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, newResource, false)
|
||||
if err != nil {
|
||||
if !apierrors.IsAlreadyExists(err) {
|
||||
newGenResources = append(newGenResources, noGenResource)
|
||||
|
@ -517,11 +517,11 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, r
|
|||
logger.V(2).Info("created generate target resource")
|
||||
newGenResources = append(newGenResources, newGenResource(rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, rdata.GenName))
|
||||
} else if rdata.Action == Update {
|
||||
generatedObj, err := client.GetResource(rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, rdata.GenName)
|
||||
generatedObj, err := client.GetResource(context.TODO(), rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, rdata.GenName)
|
||||
if err != nil {
|
||||
logger.Error(err, fmt.Sprintf("generated resource not found name:%v namespace:%v kind:%v", genName, genNamespace, genKind))
|
||||
logger.V(2).Info(fmt.Sprintf("creating generate resource name:name:%v namespace:%v kind:%v", genName, genNamespace, genKind))
|
||||
_, err = client.CreateResource(rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, newResource, false)
|
||||
_, err = client.CreateResource(context.TODO(), rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, newResource, false)
|
||||
if err != nil {
|
||||
newGenResources = append(newGenResources, noGenResource)
|
||||
return newGenResources, err
|
||||
|
@ -543,7 +543,7 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, r
|
|||
}
|
||||
|
||||
if _, err := ValidateResourceWithPattern(logger, generatedObj.Object, newResource.Object); err != nil {
|
||||
_, err = client.UpdateResource(rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, newResource, false)
|
||||
_, err = client.UpdateResource(context.TODO(), rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, newResource, false)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to update resource")
|
||||
newGenResources = append(newGenResources, noGenResource)
|
||||
|
@ -561,7 +561,7 @@ func applyRule(log logr.Logger, client dclient.Interface, rule kyvernov1.Rule, r
|
|||
currentGeneratedResourcelabel["policy.kyverno.io/synchronize"] = "disable"
|
||||
generatedObj.SetLabels(currentGeneratedResourcelabel)
|
||||
|
||||
_, err = client.UpdateResource(rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, generatedObj, false)
|
||||
_, err = client.UpdateResource(context.TODO(), rdata.GenAPIVersion, rdata.GenKind, rdata.GenNamespace, generatedObj, false)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to update label in existing resource")
|
||||
newGenResources = append(newGenResources, noGenResource)
|
||||
|
@ -593,7 +593,7 @@ func manageData(log logr.Logger, apiVersion, kind, namespace, name string, data
|
|||
return nil, Skip, err
|
||||
}
|
||||
|
||||
obj, err := client.GetResource(apiVersion, kind, namespace, name)
|
||||
obj, err := client.GetResource(context.TODO(), apiVersion, kind, namespace, name)
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) && len(ur.Status.GeneratedResources) != 0 && !synchronize {
|
||||
log.V(4).Info("synchronize is disable - skip re-create", "resource", obj)
|
||||
|
@ -637,13 +637,13 @@ func manageClone(log logr.Logger, apiVersion, kind, namespace, name, policy stri
|
|||
}
|
||||
|
||||
// check if the resource as reference in clone exists?
|
||||
obj, err := client.GetResource(apiVersion, kind, rNamespace, rName)
|
||||
obj, err := client.GetResource(context.TODO(), apiVersion, kind, rNamespace, rName)
|
||||
if err != nil {
|
||||
return nil, Skip, fmt.Errorf("source resource %s %s/%s/%s not found. %v", apiVersion, kind, rNamespace, rName, err)
|
||||
}
|
||||
|
||||
// check if cloned resource exists
|
||||
cobj, err := client.GetResource(apiVersion, kind, namespace, name)
|
||||
cobj, err := client.GetResource(context.TODO(), apiVersion, kind, namespace, name)
|
||||
if err != nil {
|
||||
if apierrors.IsNotFound(err) && len(ur.Status.GeneratedResources) != 0 && !clone.Synchronize {
|
||||
log.V(4).Info("synchronization is disabled, recreation will be skipped", "resource", cobj)
|
||||
|
@ -657,7 +657,7 @@ func manageClone(log logr.Logger, apiVersion, kind, namespace, name, policy stri
|
|||
}
|
||||
|
||||
// check if resource to be generated exists
|
||||
newResource, err := client.GetResource(apiVersion, kind, namespace, name)
|
||||
newResource, err := client.GetResource(context.TODO(), apiVersion, kind, namespace, name)
|
||||
if err == nil {
|
||||
obj.SetUID(newResource.GetUID())
|
||||
obj.SetSelfLink(newResource.GetSelfLink())
|
||||
|
@ -693,7 +693,7 @@ func manageCloneList(log logr.Logger, namespace, policy string, ur kyvernov1beta
|
|||
|
||||
for _, kind := range kinds {
|
||||
apiVersion, kind := kubeutils.GetKindFromGVK(kind)
|
||||
resources, err := client.ListResource(apiVersion, kind, rNamespace, clone.CloneList.Selector)
|
||||
resources, err := client.ListResource(context.TODO(), apiVersion, kind, rNamespace, clone.CloneList.Selector)
|
||||
if err != nil {
|
||||
response = append(response, GenerateResponse{
|
||||
Data: nil,
|
||||
|
@ -713,7 +713,7 @@ func manageCloneList(log logr.Logger, namespace, policy string, ur kyvernov1beta
|
|||
}
|
||||
|
||||
// check if the resource as reference in clone exists?
|
||||
obj, err := client.GetResource(apiVersion, kind, rNamespace, rName.GetName())
|
||||
obj, err := client.GetResource(context.TODO(), apiVersion, kind, rNamespace, rName.GetName())
|
||||
if err != nil {
|
||||
log.Error(err, "failed to get resoruce", apiVersion, "apiVersion", kind, "kind", rNamespace, "rNamespace", rName.GetName(), "name")
|
||||
response = append(response, GenerateResponse{
|
||||
|
@ -725,7 +725,7 @@ func manageCloneList(log logr.Logger, namespace, policy string, ur kyvernov1beta
|
|||
}
|
||||
|
||||
// check if cloned resource exists
|
||||
cobj, err := client.GetResource(apiVersion, kind, namespace, rName.GetName())
|
||||
cobj, err := client.GetResource(context.TODO(), apiVersion, kind, namespace, rName.GetName())
|
||||
if apierrors.IsNotFound(err) && len(ur.Status.GeneratedResources) != 0 && !clone.Synchronize {
|
||||
log.V(4).Info("synchronization is disabled, recreation will be skipped", "resource", cobj)
|
||||
response = append(response, GenerateResponse{
|
||||
|
@ -741,7 +741,7 @@ func manageCloneList(log logr.Logger, namespace, policy string, ur kyvernov1beta
|
|||
}
|
||||
|
||||
// check if resource to be generated exists
|
||||
newResource, err := client.GetResource(apiVersion, kind, namespace, rName.GetName())
|
||||
newResource, err := client.GetResource(context.TODO(), apiVersion, kind, namespace, rName.GetName())
|
||||
if err == nil && newResource != nil {
|
||||
obj.SetUID(newResource.GetUID())
|
||||
obj.SetSelfLink(newResource.GetSelfLink())
|
||||
|
@ -815,7 +815,7 @@ func (c *GenerateController) ApplyResource(resource *unstructured.Unstructured)
|
|||
return err
|
||||
}
|
||||
|
||||
_, err = c.client.CreateResource(apiVersion, kind, namespace, resource, false)
|
||||
_, err = c.client.CreateResource(context.TODO(), apiVersion, kind, namespace, resource, false)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -833,7 +833,7 @@ func NewGenerateControllerWithOnlyClient(client dclient.Interface) *GenerateCont
|
|||
|
||||
// GetUnstrResource converts ResourceSpec object to type Unstructured
|
||||
func (c *GenerateController) GetUnstrResource(genResourceSpec kyvernov1.ResourceSpec) (*unstructured.Unstructured, error) {
|
||||
resource, err := c.client.GetResource(genResourceSpec.APIVersion, genResourceSpec.Kind, genResourceSpec.Namespace, genResourceSpec.Name)
|
||||
resource, err := c.client.GetResource(context.TODO(), genResourceSpec.APIVersion, genResourceSpec.Kind, genResourceSpec.Namespace, genResourceSpec.Name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -842,7 +842,7 @@ func (c *GenerateController) GetUnstrResource(genResourceSpec kyvernov1.Resource
|
|||
|
||||
func deleteGeneratedResources(log logr.Logger, client dclient.Interface, ur kyvernov1beta1.UpdateRequest) error {
|
||||
for _, genResource := range ur.Status.GeneratedResources {
|
||||
err := client.DeleteResource("", genResource.Kind, genResource.Namespace, genResource.Name, false)
|
||||
err := client.DeleteResource(context.TODO(), "", genResource.Kind, genResource.Namespace, genResource.Name, false)
|
||||
if err != nil && !apierrors.IsNotFound(err) {
|
||||
return err
|
||||
}
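Review bot: In applyRule the parameter `ctx` is still the engine evaluation context (`ctx enginecontext.EvalInterface`), while the body now calls `context.TODO()` from the standard package a few hunks later. After the import rename, `ctx` and `context` mean two unrelated things inside one function, and the name a future `context.Context` parameter would conventionally take is already occupied. Renaming the parameter, for example `evalCtx enginecontext.EvalInterface`, would make the later propagation step a one-line signature change. applyRule's body is only partly visible in these hunks.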
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package mutate
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
|
@ -119,7 +120,7 @@ func (c *MutateExistingController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) e
|
|||
|
||||
if r.Status == response.RuleStatusPass {
|
||||
patchedNew.SetResourceVersion("")
|
||||
_, updateErr := c.client.UpdateResource(patchedNew.GetAPIVersion(), patchedNew.GetKind(), patchedNew.GetNamespace(), patchedNew.Object, false)
|
||||
_, updateErr := c.client.UpdateResource(context.TODO(), patchedNew.GetAPIVersion(), patchedNew.GetKind(), patchedNew.GetNamespace(), patchedNew.Object, false)
|
||||
if updateErr != nil {
|
||||
errs = append(errs, updateErr)
|
||||
logger.WithName(rule.Name).Error(updateErr, "failed to update target resource", "namespace", patchedNew.GetNamespace(), "name", patchedNew.GetName())
|
||||
|
|
|
@ -275,7 +275,7 @@ func (c *controller) checkIfCleanupRequired(ur *kyvernov1beta1.UpdateRequest) er
|
|||
|
||||
// cleanupDataResource deletes resource if sync is enabled for data policy
|
||||
func (c *controller) cleanupDataResource(targetSpec kyvernov1.ResourceSpec) error {
|
||||
target, err := c.client.GetResource(targetSpec.APIVersion, targetSpec.Kind, targetSpec.Namespace, targetSpec.Name)
|
||||
target, err := c.client.GetResource(context.TODO(), targetSpec.APIVersion, targetSpec.Kind, targetSpec.Namespace, targetSpec.Name)
|
||||
if err != nil {
|
||||
if !apierrors.IsNotFound(err) {
|
||||
return fmt.Errorf("failed to find generated resource %s/%s: %v", targetSpec.Namespace, targetSpec.Name, err)
|
||||
|
@ -291,7 +291,7 @@ func (c *controller) cleanupDataResource(targetSpec kyvernov1.ResourceSpec) erro
|
|||
clone := labels["generate.kyverno.io/clone-policy-name"] != ""
|
||||
|
||||
if syncEnabled && !clone {
|
||||
if err := c.client.DeleteResource(target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName(), false); err != nil {
|
||||
if err := c.client.DeleteResource(context.TODO(), target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName(), false); err != nil {
|
||||
return fmt.Errorf("failed to delete data resource %s/%s: %v", targetSpec.Namespace, targetSpec.Name, err)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -29,22 +29,22 @@ type Interface interface {
|
|||
// SetDiscovery sets the discovery client implementation
|
||||
SetDiscovery(discoveryClient IDiscovery)
|
||||
// RawAbsPath performs a raw call to the kubernetes API
|
||||
RawAbsPath(path string) ([]byte, error)
|
||||
RawAbsPath(ctx context.Context, path string) ([]byte, error)
|
||||
// GetResource returns the resource in unstructured/json format
|
||||
GetResource(apiVersion string, kind string, namespace string, name string, subresources ...string) (*unstructured.Unstructured, error)
|
||||
GetResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, subresources ...string) (*unstructured.Unstructured, error)
|
||||
// PatchResource patches the resource
|
||||
PatchResource(apiVersion string, kind string, namespace string, name string, patch []byte) (*unstructured.Unstructured, error)
|
||||
PatchResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, patch []byte) (*unstructured.Unstructured, error)
|
||||
// ListResource returns the list of resources in unstructured/json format
|
||||
// Access items using []Items
|
||||
ListResource(apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error)
|
||||
ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error)
|
||||
// DeleteResource deletes the specified resource
|
||||
DeleteResource(apiVersion string, kind string, namespace string, name string, dryRun bool) error
|
||||
DeleteResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, dryRun bool) error
|
||||
// CreateResource creates object for the specified resource/namespace
|
||||
CreateResource(apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
|
||||
CreateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
|
||||
// UpdateResource updates object for the specified resource/namespace
|
||||
UpdateResource(apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
|
||||
UpdateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
|
||||
// UpdateStatusResource updates the resource "status" subresource
|
||||
UpdateStatusResource(apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
|
||||
UpdateStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
|
||||
}
|
||||
|
||||
// Client enables interaction with k8 resource
|
||||
|
@ -120,21 +120,21 @@ func (c *client) getGroupVersionMapper(apiVersion string, kind string) schema.Gr
|
|||
}
|
||||
|
||||
// GetResource returns the resource in unstructured/json format
|
||||
func (c *client) GetResource(apiVersion string, kind string, namespace string, name string, subresources ...string) (*unstructured.Unstructured, error) {
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Get(context.TODO(), name, metav1.GetOptions{}, subresources...)
|
||||
func (c *client) GetResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, subresources ...string) (*unstructured.Unstructured, error) {
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Get(ctx, name, metav1.GetOptions{}, subresources...)
|
||||
}
|
||||
|
||||
// RawAbsPath performs a raw call to the kubernetes API
|
||||
func (c *client) RawAbsPath(path string) ([]byte, error) {
|
||||
func (c *client) RawAbsPath(ctx context.Context, path string) ([]byte, error) {
|
||||
if c.rest == nil {
|
||||
return nil, errors.New("rest client not supported")
|
||||
}
|
||||
return c.rest.Get().RequestURI(path).DoRaw(context.TODO())
|
||||
return c.rest.Get().RequestURI(path).DoRaw(ctx)
|
||||
}
|
||||
|
||||
// PatchResource patches the resource
|
||||
func (c *client) PatchResource(apiVersion string, kind string, namespace string, name string, patch []byte) (*unstructured.Unstructured, error) {
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Patch(context.TODO(), name, types.JSONPatchType, patch, metav1.PatchOptions{})
|
||||
func (c *client) PatchResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, patch []byte) (*unstructured.Unstructured, error) {
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Patch(ctx, name, types.JSONPatchType, patch, metav1.PatchOptions{})
|
||||
}
|
||||
|
||||
// GetDynamicInterface fetches underlying dynamic interface
|
||||
|
@ -144,58 +144,58 @@ func (c *client) GetDynamicInterface() dynamic.Interface {
|
|||
|
||||
// ListResource returns the list of resources in unstructured/json format
|
||||
// Access items using []Items
|
||||
func (c *client) ListResource(apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error) {
|
||||
func (c *client) ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error) {
|
||||
options := metav1.ListOptions{}
|
||||
if lselector != nil {
|
||||
options = metav1.ListOptions{LabelSelector: metav1.FormatLabelSelector(lselector)}
|
||||
}
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).List(context.TODO(), options)
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).List(ctx, options)
|
||||
}
|
||||
|
||||
// DeleteResource deletes the specified resource
|
||||
func (c *client) DeleteResource(apiVersion string, kind string, namespace string, name string, dryRun bool) error {
|
||||
func (c *client) DeleteResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, dryRun bool) error {
|
||||
options := metav1.DeleteOptions{}
|
||||
if dryRun {
|
||||
options = metav1.DeleteOptions{DryRun: []string{metav1.DryRunAll}}
|
||||
}
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Delete(context.TODO(), name, options)
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Delete(ctx, name, options)
|
||||
}
|
||||
|
||||
// CreateResource creates object for the specified resource/namespace
|
||||
func (c *client) CreateResource(apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error) {
|
||||
func (c *client) CreateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error) {
|
||||
options := metav1.CreateOptions{}
|
||||
if dryRun {
|
||||
options = metav1.CreateOptions{DryRun: []string{metav1.DryRunAll}}
|
||||
}
|
||||
// convert typed to unstructured obj
|
||||
if unstructuredObj, err := kubeutils.ConvertToUnstructured(obj); err == nil && unstructuredObj != nil {
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Create(context.TODO(), unstructuredObj, options)
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Create(ctx, unstructuredObj, options)
|
||||
}
|
||||
return nil, fmt.Errorf("unable to create resource ")
|
||||
}
|
||||
|
||||
// UpdateResource updates object for the specified resource/namespace
|
||||
func (c *client) UpdateResource(apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error) {
|
||||
func (c *client) UpdateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error) {
|
||||
options := metav1.UpdateOptions{}
|
||||
if dryRun {
|
||||
options = metav1.UpdateOptions{DryRun: []string{metav1.DryRunAll}}
|
||||
}
|
||||
// convert typed to unstructured obj
|
||||
if unstructuredObj, err := kubeutils.ConvertToUnstructured(obj); err == nil && unstructuredObj != nil {
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Update(context.TODO(), unstructuredObj, options)
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).Update(ctx, unstructuredObj, options)
|
||||
}
|
||||
return nil, fmt.Errorf("unable to update resource ")
|
||||
}
|
||||
|
||||
// UpdateStatusResource updates the resource "status" subresource
|
||||
func (c *client) UpdateStatusResource(apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error) {
|
||||
func (c *client) UpdateStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error) {
|
||||
options := metav1.UpdateOptions{}
|
||||
if dryRun {
|
||||
options = metav1.UpdateOptions{DryRun: []string{metav1.DryRunAll}}
|
||||
}
|
||||
// convert typed to unstructured obj
|
||||
if unstructuredObj, err := kubeutils.ConvertToUnstructured(obj); err == nil && unstructuredObj != nil {
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).UpdateStatus(context.TODO(), unstructuredObj, options)
|
||||
return c.getResourceInterface(apiVersion, kind, namespace).UpdateStatus(ctx, unstructuredObj, options)
|
||||
}
|
||||
return nil, fmt.Errorf("unable to update resource ")
|
||||
}
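Review bot: CreateResource, UpdateResource and UpdateStatusResource discard the conversion error: `err` lives only in the `if` initializer, and the fall-through returns a fixed `"unable to create resource "` or `"unable to update resource "` with a trailing space and no cause. Now that these methods also carry a caller context, it is worth separating "object could not be converted" from an API or cancellation error, since callers in the generate and mutate controllers log whatever comes back. The sketch below shows CreateResource; the two update methods would change the same way. `errors` is already used by RawAbsPath in this file.

```go
func (c *client) CreateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error) {
	// … unchanged: CreateOptions and dryRun handling …
	// convert typed to unstructured obj
	unstructuredObj, err := kubeutils.ConvertToUnstructured(obj)
	if err != nil {
		return nil, fmt.Errorf("unable to create resource: %w", err)
	}
	if unstructuredObj == nil {
		return nil, errors.New("unable to create resource: conversion returned a nil object")
	}
	return c.getResourceInterface(apiVersion, kind, namespace).Create(ctx, unstructuredObj, options)
```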
|
||||
|
|
|
@ -74,32 +74,32 @@ func newFixture(t *testing.T) *fixture {
|
|||
func TestCRUDResource(t *testing.T) {
|
||||
f := newFixture(t)
|
||||
// Get Resource
|
||||
_, err := f.client.GetResource("", "thekind", "ns-foo", "name-foo")
|
||||
_, err := f.client.GetResource(context.TODO(), "", "thekind", "ns-foo", "name-foo")
|
||||
if err != nil {
|
||||
t.Errorf("GetResource not working: %s", err)
|
||||
}
|
||||
// List Resources
|
||||
_, err = f.client.ListResource("", "thekind", "ns-foo", nil)
|
||||
_, err = f.client.ListResource(context.TODO(), "", "thekind", "ns-foo", nil)
|
||||
if err != nil {
|
||||
t.Errorf("ListResource not working: %s", err)
|
||||
}
|
||||
// DeleteResouce
|
||||
err = f.client.DeleteResource("", "thekind", "ns-foo", "name-bar", false)
|
||||
err = f.client.DeleteResource(context.TODO(), "", "thekind", "ns-foo", "name-bar", false)
|
||||
if err != nil {
|
||||
t.Errorf("DeleteResouce not working: %s", err)
|
||||
}
|
||||
// CreateResource
|
||||
_, err = f.client.CreateResource("", "thekind", "ns-foo", kubeutils.NewUnstructured("group/version", "TheKind", "ns-foo", "name-foo1"), false)
|
||||
_, err = f.client.CreateResource(context.TODO(), "", "thekind", "ns-foo", kubeutils.NewUnstructured("group/version", "TheKind", "ns-foo", "name-foo1"), false)
|
||||
if err != nil {
|
||||
t.Errorf("CreateResource not working: %s", err)
|
||||
}
|
||||
// UpdateResource
|
||||
_, err = f.client.UpdateResource("", "thekind", "ns-foo", kubeutils.NewUnstructuredWithSpec("group/version", "TheKind", "ns-foo", "name-foo1", map[string]interface{}{"foo": "bar"}), false)
|
||||
_, err = f.client.UpdateResource(context.TODO(), "", "thekind", "ns-foo", kubeutils.NewUnstructuredWithSpec("group/version", "TheKind", "ns-foo", "name-foo1", map[string]interface{}{"foo": "bar"}), false)
|
||||
if err != nil {
|
||||
t.Errorf("UpdateResource not working: %s", err)
|
||||
}
|
||||
// UpdateStatusResource
|
||||
_, err = f.client.UpdateStatusResource("", "thekind", "ns-foo", kubeutils.NewUnstructuredWithSpec("group/version", "TheKind", "ns-foo", "name-foo1", map[string]interface{}{"foo": "status"}), false)
|
||||
_, err = f.client.UpdateStatusResource(context.TODO(), "", "thekind", "ns-foo", kubeutils.NewUnstructuredWithSpec("group/version", "TheKind", "ns-foo", "name-foo1", map[string]interface{}{"foo": "status"}), false)
|
||||
if err != nil {
|
||||
t.Errorf("UpdateStatusResource not working: %s", err)
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package common
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"strings"
|
||||
"time"
|
||||
|
@ -109,7 +110,7 @@ func ProcessDeletePolicyForCloneGenerateRule(policy kyvernov1.PolicyInterface, c
|
|||
}
|
||||
|
||||
func updateSourceResource(pName string, rule kyvernov1.Rule, client dclient.Interface, log logr.Logger) error {
|
||||
obj, err := client.GetResource("", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
obj, err := client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
if err != nil {
|
||||
return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
}
|
||||
|
@ -122,7 +123,7 @@ func updateSourceResource(pName string, rule kyvernov1.Rule, client dclient.Inte
|
|||
}
|
||||
|
||||
obj.SetLabels(labels)
|
||||
_, err = client.UpdateResource(obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false)
|
||||
_, err = client.UpdateResource(context.TODO(), obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false)
|
||||
return err
|
||||
}
|
||||
|
||||
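Review bot: `updateSourceResource` calls `client.GetResource` and `client.UpdateResource` with `context.TODO()`, so the caller still cannot cancel these API requests or give them a deadline. The function takes no context parameter; adding one, `func updateSourceResource(ctx context.Context, pName string, rule kyvernov1.Rule, client dclient.Interface, log logr.Logger) error`, and passing `ctx` to both calls would complete the propagation here. The same placeholder is used at other call sites in this commit whose enclosing function takes no `context.Context`, for example `getResource`, `fetchConfigMap`, `getTargets`, `checkDryRunPermission`, `getResourceList`, `canIGenerate` and `generateTriggers`. The part of `updateSourceResource` between the two hunks is not shown.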
|
|
|
@ -220,7 +220,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s
|
|||
return nil
|
||||
}
|
||||
report := reportutils.DeepCopy(before)
|
||||
resource, err := c.client.GetResource(gvk.GroupVersion().String(), gvk.Kind, resource.Namespace, resource.Name)
|
||||
resource, err := c.client.GetResource(ctx, gvk.GroupVersion().String(), gvk.Kind, resource.Namespace, resource.Name)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -301,7 +301,7 @@ func (c *controller) updateReport(ctx context.Context, meta metav1.Object, gvk s
|
|||
// creations
|
||||
if len(toCreate) > 0 {
|
||||
scanner := utils.NewScanner(logger, c.client)
|
||||
resource, err := c.client.GetResource(gvk.GroupVersion().String(), gvk.Kind, resource.Namespace, resource.Name)
|
||||
resource, err := c.client.GetResource(ctx, gvk.GroupVersion().String(), gvk.Kind, resource.Namespace, resource.Name)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
|
@ -316,7 +317,7 @@ func fetchAPIData(log logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyCont
|
|||
}
|
||||
|
||||
func getResource(ctx *PolicyContext, p string) ([]byte, error) {
|
||||
return ctx.Client.RawAbsPath(p)
|
||||
return ctx.Client.RawAbsPath(context.TODO(), p)
|
||||
}
|
||||
|
||||
func loadConfigMap(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *PolicyContext) error {
|
||||
|
@ -350,7 +351,7 @@ func fetchConfigMap(logger logr.Logger, entry kyvernov1.ContextEntry, ctx *Polic
|
|||
namespace = "default"
|
||||
}
|
||||
|
||||
obj, err := ctx.Client.GetResource("v1", "ConfigMap", namespace.(string), name.(string))
|
||||
obj, err := ctx.Client.GetResource(context.TODO(), "v1", "ConfigMap", namespace.(string), name.(string))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get configmap %s/%s : %v", namespace, name, err)
|
||||
}
|
||||
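Review bot: In `fetchConfigMap`, the call `ctx.Client.GetResource(context.TODO(), "v1", "ConfigMap", namespace.(string), name.(string))` uses single-value type assertions, which panic if either value is not a string. Where `namespace` and `name` are assigned is outside the hunk, so they may already be validated. If they can hold a non-string value, use the checked form: `ns, ok := namespace.(string)` followed by `if !ok { return nil, fmt.Errorf("configmap namespace must be a string, got %T", namespace) }`, and the same for `name`. That turns a malformed context entry into an ordinary error instead of a crash in the policy engine.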
|
|
|
@ -1,6 +1,7 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/x509"
|
||||
_ "embed"
|
||||
|
@ -399,7 +400,7 @@ func checkManifestAnnotations(mnfstAnnotations map[string]string, annotations ma
|
|||
|
||||
func checkDryRunPermission(dclient dclient.Interface, kind, namespace string) (bool, error) {
|
||||
canI := auth.NewCanI(dclient, kind, namespace, "create")
|
||||
ok, err := canI.RunAccessCheck()
|
||||
ok, err := canI.RunAccessCheck(context.TODO())
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
|
@ -75,7 +76,7 @@ func getTargets(target kyvernov1.ResourceSpec, ctx *PolicyContext, logger logr.L
|
|||
|
||||
if namespace != "" && name != "" &&
|
||||
!wildcard.ContainsWildcard(namespace) && !wildcard.ContainsWildcard(name) {
|
||||
obj, err := ctx.Client.GetResource(target.APIVersion, target.Kind, namespace, name)
|
||||
obj, err := ctx.Client.GetResource(context.TODO(), target.APIVersion, target.Kind, namespace, name)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to get target %s/%s %s/%s : %v", target.APIVersion, target.Kind, namespace, name, err)
|
||||
}
|
||||
|
@ -84,7 +85,7 @@ func getTargets(target kyvernov1.ResourceSpec, ctx *PolicyContext, logger logr.L
|
|||
}
|
||||
|
||||
// list all targets if wildcard is specified
|
||||
objList, err := ctx.Client.ListResource(target.APIVersion, target.Kind, "", nil)
|
||||
objList, err := ctx.Client.ListResource(context.TODO(), target.APIVersion, target.Kind, "", nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
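Review bot: The two error paths in `getTargets` are handled inconsistently. The `GetResource` failure is formatted with `%v`, which flattens the underlying error so callers cannot unwrap it, while the `ListResource` failure is returned with no context at all. Wrapping both keeps the error chain and says which lookup failed: `fmt.Errorf("failed to get target %s/%s %s/%s: %w", target.APIVersion, target.Kind, namespace, name, err)` and `return nil, fmt.Errorf("failed to list targets %s/%s: %w", target.APIVersion, target.Kind, err)`. `getTargets` starts and ends outside these hunks.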
|
|
|
@ -1,6 +1,7 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"reflect"
|
||||
"strings"
|
||||
|
@ -9,7 +10,7 @@ import (
|
|||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
|
||||
client "github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"gotest.tools/assert"
|
||||
|
@ -77,8 +78,8 @@ func Test_VariableSubstitutionPatchStrategicMerge(t *testing.T) {
|
|||
}
|
||||
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
ctx := context.NewContext()
|
||||
err = context.AddResource(ctx, resourceRaw)
|
||||
ctx := enginecontext.NewContext()
|
||||
err = enginecontext.AddResource(ctx, resourceRaw)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
@ -157,8 +158,8 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
|
|||
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
err = context.AddResource(ctx, resourceRaw)
|
||||
ctx := enginecontext.NewContext()
|
||||
err = enginecontext.AddResource(ctx, resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
policyContext := &PolicyContext{
|
||||
|
@ -252,8 +253,8 @@ func Test_variableSubstitutionCLI(t *testing.T) {
|
|||
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
err = context.AddResource(ctx, resourceRaw)
|
||||
ctx := enginecontext.NewContext()
|
||||
err = enginecontext.AddResource(ctx, resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
policyContext := &PolicyContext{
|
||||
|
@ -355,7 +356,7 @@ func Test_chained_rules(t *testing.T) {
|
|||
resource, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
ctx := enginecontext.NewContext()
|
||||
err = ctx.AddResource(resource.Object)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -368,7 +369,7 @@ func Test_chained_rules(t *testing.T) {
|
|||
err = ctx.AddImageInfos(resource)
|
||||
assert.NilError(t, err)
|
||||
|
||||
err = context.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
err = enginecontext.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
assert.NilError(t, err)
|
||||
|
||||
er := Mutate(policyContext)
|
||||
|
@ -449,8 +450,8 @@ func Test_precondition(t *testing.T) {
|
|||
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
err = context.AddResource(ctx, resourceRaw)
|
||||
ctx := enginecontext.NewContext()
|
||||
err = enginecontext.AddResource(ctx, resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
policyContext := &PolicyContext{
|
||||
|
@ -546,8 +547,8 @@ func Test_nonZeroIndexNumberPatchesJson6902(t *testing.T) {
|
|||
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
err = context.AddResource(ctx, resourceRaw)
|
||||
ctx := enginecontext.NewContext()
|
||||
err = enginecontext.AddResource(ctx, resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
policyContext := &PolicyContext{
|
||||
|
@ -634,7 +635,7 @@ func Test_foreach(t *testing.T) {
|
|||
resource, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
ctx := enginecontext.NewContext()
|
||||
err = ctx.AddResource(resource.Object)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -647,7 +648,7 @@ func Test_foreach(t *testing.T) {
|
|||
err = ctx.AddImageInfos(resource)
|
||||
assert.NilError(t, err)
|
||||
|
||||
err = context.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
err = enginecontext.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
assert.NilError(t, err)
|
||||
|
||||
er := Mutate(policyContext)
|
||||
|
@ -741,7 +742,7 @@ func Test_foreach_element_mutation(t *testing.T) {
|
|||
resource, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
ctx := enginecontext.NewContext()
|
||||
err = ctx.AddResource(resource.Object)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -754,7 +755,7 @@ func Test_foreach_element_mutation(t *testing.T) {
|
|||
err = ctx.AddImageInfos(resource)
|
||||
assert.NilError(t, err)
|
||||
|
||||
err = context.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
err = enginecontext.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
assert.NilError(t, err)
|
||||
|
||||
er := Mutate(policyContext)
|
||||
|
@ -867,7 +868,7 @@ func Test_Container_InitContainer_foreach(t *testing.T) {
|
|||
resource, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
ctx := enginecontext.NewContext()
|
||||
err = ctx.AddResource(resource.Object)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -880,7 +881,7 @@ func Test_Container_InitContainer_foreach(t *testing.T) {
|
|||
err = ctx.AddImageInfos(resource)
|
||||
assert.NilError(t, err)
|
||||
|
||||
err = context.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
err = enginecontext.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
assert.NilError(t, err)
|
||||
|
||||
er := Mutate(policyContext)
|
||||
|
@ -994,7 +995,7 @@ func Test_foreach_order_mutation_(t *testing.T) {
|
|||
resource, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
ctx := enginecontext.NewContext()
|
||||
err = ctx.AddResource(resource.Object)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -1007,7 +1008,7 @@ func Test_foreach_order_mutation_(t *testing.T) {
|
|||
err = ctx.AddImageInfos(resource)
|
||||
assert.NilError(t, err)
|
||||
|
||||
err = context.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
err = enginecontext.MutateResourceWithImageInfo(resourceRaw, ctx)
|
||||
assert.NilError(t, err)
|
||||
|
||||
er := Mutate(policyContext)
|
||||
|
@ -1432,7 +1433,7 @@ func Test_mutate_existing_resources(t *testing.T) {
|
|||
target, err := utils.ConvertToUnstructured(target)
|
||||
assert.NilError(t, err)
|
||||
|
||||
ctx := context.NewContext()
|
||||
ctx := enginecontext.NewContext()
|
||||
err = ctx.AddResource(trigger.Object)
|
||||
assert.NilError(t, err)
|
||||
|
||||
|
@ -1446,7 +1447,7 @@ func Test_mutate_existing_resources(t *testing.T) {
|
|||
assert.NilError(t, err)
|
||||
dclient.SetDiscovery(client.NewFakeDiscoveryClient(nil))
|
||||
|
||||
_, err = dclient.GetResource(target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName())
|
||||
_, err = dclient.GetResource(context.TODO(), target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName())
|
||||
assert.NilError(t, err)
|
||||
|
||||
policyContext = &PolicyContext{
|
||||
|
@ -1549,8 +1550,8 @@ func Test_RuleSelectorMutate(t *testing.T) {
|
|||
|
||||
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
||||
assert.NilError(t, err)
|
||||
ctx := context.NewContext()
|
||||
err = context.AddResource(ctx, resourceRaw)
|
||||
ctx := enginecontext.NewContext()
|
||||
err = enginecontext.AddResource(ctx, resourceRaw)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
@ -1932,7 +1933,7 @@ func Test_SpecialCharacters(t *testing.T) {
|
|||
}
|
||||
|
||||
// Create JSON context and add the resource.
|
||||
ctx := context.NewContext()
|
||||
ctx := enginecontext.NewContext()
|
||||
err = ctx.AddResource(resource.Object)
|
||||
if err != nil {
|
||||
t.Fatalf("ctx.AddResource() error = %v", err)
|
||||
|
|
|
@ -189,7 +189,7 @@ func (gen *Generator) syncHandler(key Info) error {
|
|||
return err
|
||||
}
|
||||
default:
|
||||
robj, err = gen.client.GetResource("", key.Kind, key.Namespace, key.Name)
|
||||
robj, err = gen.client.GetResource(context.TODO(), "", key.Kind, key.Namespace, key.Name)
|
||||
if err != nil {
|
||||
if !errors.IsNotFound(err) {
|
||||
logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace)
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package policy
|
||||
|
||||
import (
|
||||
"context"
|
||||
"reflect"
|
||||
"strings"
|
||||
|
||||
|
@ -45,7 +46,7 @@ func MergeResources(a, b map[string]unstructured.Unstructured) {
|
|||
|
||||
func (pc *PolicyController) getResourceList(kind, namespace string, labelSelector *metav1.LabelSelector, log logr.Logger) *unstructured.UnstructuredList {
|
||||
gv, k := kubeutils.GetKindFromGVK(kind)
|
||||
resourceList, err := pc.client.ListResource(gv, k, namespace, labelSelector)
|
||||
resourceList, err := pc.client.ListResource(context.TODO(), gv, k, namespace, labelSelector)
|
||||
if err != nil {
|
||||
log.Error(err, "failed to list resources", "kind", k, "namespace", namespace)
|
||||
return nil
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
package generate
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
"github.com/kyverno/kyverno/pkg/auth"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
|
@ -9,13 +11,13 @@ import (
|
|||
// Operations provides methods to performing operations on resource
|
||||
type Operations interface {
|
||||
// CanICreate returns 'true' if self can 'create' resource
|
||||
CanICreate(kind, namespace string) (bool, error)
|
||||
CanICreate(ctx context.Context, kind, namespace string) (bool, error)
|
||||
// CanIUpdate returns 'true' if self can 'update' resource
|
||||
CanIUpdate(kind, namespace string) (bool, error)
|
||||
CanIUpdate(ctx context.Context, kind, namespace string) (bool, error)
|
||||
// CanIDelete returns 'true' if self can 'delete' resource
|
||||
CanIDelete(kind, namespace string) (bool, error)
|
||||
CanIDelete(ctx context.Context, kind, namespace string) (bool, error)
|
||||
// CanIGet returns 'true' if self can 'get' resource
|
||||
CanIGet(kind, namespace string) (bool, error)
|
||||
CanIGet(ctx context.Context, kind, namespace string) (bool, error)
|
||||
}
|
||||
|
||||
// Auth provides implementation to check if caller/self/kyverno has access to perofrm operations
|
||||
|
@ -34,9 +36,9 @@ func NewAuth(client dclient.Interface, log logr.Logger) *Auth {
|
|||
}
|
||||
|
||||
// CanICreate returns 'true' if self can 'create' resource
|
||||
func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
|
||||
func (a *Auth) CanICreate(ctx context.Context, kind, namespace string) (bool, error) {
|
||||
canI := auth.NewCanI(a.client, kind, namespace, "create")
|
||||
ok, err := canI.RunAccessCheck()
|
||||
ok, err := canI.RunAccessCheck(ctx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
@ -44,9 +46,9 @@ func (a *Auth) CanICreate(kind, namespace string) (bool, error) {
|
|||
}
|
||||
|
||||
// CanIUpdate returns 'true' if self can 'update' resource
|
||||
func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
|
||||
func (a *Auth) CanIUpdate(ctx context.Context, kind, namespace string) (bool, error) {
|
||||
canI := auth.NewCanI(a.client, kind, namespace, "update")
|
||||
ok, err := canI.RunAccessCheck()
|
||||
ok, err := canI.RunAccessCheck(ctx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
@ -54,9 +56,9 @@ func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) {
|
|||
}
|
||||
|
||||
// CanIDelete returns 'true' if self can 'delete' resource
|
||||
func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
|
||||
func (a *Auth) CanIDelete(ctx context.Context, kind, namespace string) (bool, error) {
|
||||
canI := auth.NewCanI(a.client, kind, namespace, "delete")
|
||||
ok, err := canI.RunAccessCheck()
|
||||
ok, err := canI.RunAccessCheck(ctx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
@ -64,9 +66,9 @@ func (a *Auth) CanIDelete(kind, namespace string) (bool, error) {
|
|||
}
|
||||
|
||||
// CanIGet returns 'true' if self can 'get' resource
|
||||
func (a *Auth) CanIGet(kind, namespace string) (bool, error) {
|
||||
func (a *Auth) CanIGet(ctx context.Context, kind, namespace string) (bool, error) {
|
||||
canI := auth.NewCanI(a.client, kind, namespace, "get")
|
||||
ok, err := canI.RunAccessCheck()
|
||||
ok, err := canI.RunAccessCheck(ctx)
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
package fake
|
||||
|
||||
import "context"
|
||||
|
||||
// FakeAuth providers implementation for testing, retuning true for all operations
|
||||
type FakeAuth struct{}
|
||||
|
||||
|
@ -10,21 +12,21 @@ func NewFakeAuth() *FakeAuth {
|
|||
}
|
||||
|
||||
// CanICreate returns 'true'
|
||||
func (a *FakeAuth) CanICreate(kind, namespace string) (bool, error) {
|
||||
func (a *FakeAuth) CanICreate(_ context.Context, kind, namespace string) (bool, error) {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// CanIUpdate returns 'true'
|
||||
func (a *FakeAuth) CanIUpdate(kind, namespace string) (bool, error) {
|
||||
func (a *FakeAuth) CanIUpdate(_ context.Context, kind, namespace string) (bool, error) {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// CanIDelete returns 'true'
|
||||
func (a *FakeAuth) CanIDelete(kind, namespace string) (bool, error) {
|
||||
func (a *FakeAuth) CanIDelete(_ context.Context, kind, namespace string) (bool, error) {
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// CanIGet returns 'true'
|
||||
func (a *FakeAuth) CanIGet(kind, namespace string) (bool, error) {
|
||||
func (a *FakeAuth) CanIGet(_ context.Context, kind, namespace string) (bool, error) {
|
||||
return true, nil
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package generate
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"reflect"
|
||||
|
||||
|
@ -114,7 +115,7 @@ func (g *Generate) validateClone(c kyvernov1.CloneFrom, cl kyvernov1.CloneList,
|
|||
// Skip if there is variable defined
|
||||
if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
|
||||
// GET
|
||||
ok, err := g.authCheck.CanIGet(kind, namespace)
|
||||
ok, err := g.authCheck.CanIGet(context.TODO(), kind, namespace)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
@ -133,7 +134,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
|
|||
authCheck := g.authCheck
|
||||
if !variables.IsVariable(kind) && !variables.IsVariable(namespace) {
|
||||
// CREATE
|
||||
ok, err := authCheck.CanICreate(kind, namespace)
|
||||
ok, err := authCheck.CanICreate(context.TODO(), kind, namespace)
|
||||
if err != nil {
|
||||
// machinery error
|
||||
return err
|
||||
|
@ -142,7 +143,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
|
|||
return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace)
|
||||
}
|
||||
// UPDATE
|
||||
ok, err = authCheck.CanIUpdate(kind, namespace)
|
||||
ok, err = authCheck.CanIUpdate(context.TODO(), kind, namespace)
|
||||
if err != nil {
|
||||
// machinery error
|
||||
return err
|
||||
|
@ -151,7 +152,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
|
|||
return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generate'", kind, namespace)
|
||||
}
|
||||
// GET
|
||||
ok, err = authCheck.CanIGet(kind, namespace)
|
||||
ok, err = authCheck.CanIGet(context.TODO(), kind, namespace)
|
||||
if err != nil {
|
||||
// machinery error
|
||||
return err
|
||||
|
@ -161,7 +162,7 @@ func (g *Generate) canIGenerate(kind, namespace string) error {
|
|||
}
|
||||
|
||||
// DELETE
|
||||
ok, err = authCheck.CanIDelete(kind, namespace)
|
||||
ok, err = authCheck.CanIDelete(context.TODO(), kind, namespace)
|
||||
if err != nil {
|
||||
// machinery error
|
||||
return err
|
||||
|
|
|
@ -380,7 +380,7 @@ func generateTriggers(client dclient.Interface, rule kyvernov1.Rule, log logr.Lo
|
|||
kinds := fetchUniqueKinds(rule)
|
||||
|
||||
for _, kind := range kinds {
|
||||
mlist, err := client.ListResource("", kind, "", rule.MatchResources.Selector)
|
||||
mlist, err := client.ListResource(context.TODO(), "", kind, "", rule.MatchResources.Selector)
|
||||
if err != nil {
|
||||
log.Error(err, "failed to list matched resource")
|
||||
continue
|
||||
|
|
|
@ -349,7 +349,7 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
|
|||
|
||||
// add label to source mentioned in policy
|
||||
if !mock && rule.Generation.Clone.Name != "" {
|
||||
obj, err := client.GetResource("", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
obj, err := client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
if err != nil {
|
||||
logging.Error(err, fmt.Sprintf("source resource %s/%s/%s not found.", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name))
|
||||
continue
|
||||
|
@ -364,13 +364,13 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
|
|||
if !mock && len(rule.Generation.CloneList.Kinds) != 0 {
|
||||
for _, kind := range rule.Generation.CloneList.Kinds {
|
||||
apiVersion, kind := kubeutils.GetKindFromGVK(kind)
|
||||
resources, err := client.ListResource(apiVersion, kind, rule.Generation.CloneList.Namespace, rule.Generation.CloneList.Selector)
|
||||
resources, err := client.ListResource(context.TODO(), apiVersion, kind, rule.Generation.CloneList.Namespace, rule.Generation.CloneList.Selector)
|
||||
if err != nil {
|
||||
logging.Error(err, fmt.Sprintf("failed to list resources %s/%s.", kind, rule.Generation.CloneList.Namespace))
|
||||
continue
|
||||
}
|
||||
for _, rName := range resources.Items {
|
||||
obj, err := client.GetResource(apiVersion, kind, rule.Generation.CloneList.Namespace, rName.GetName())
|
||||
obj, err := client.GetResource(context.TODO(), apiVersion, kind, rule.Generation.CloneList.Namespace, rName.GetName())
|
||||
if err != nil {
|
||||
logging.Error(err, fmt.Sprintf("source resource %s/%s/%s not found.", kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name))
|
||||
continue
|
||||
|
@ -418,7 +418,7 @@ func UpdateSourceResource(client dclient.Interface, kind, namespace string, poli
|
|||
obj.SetLabels(label)
|
||||
obj.SetResourceVersion("")
|
||||
|
||||
_, err := client.UpdateResource(obj.GetAPIVersion(), kind, namespace, obj, false)
|
||||
_, err := client.UpdateResource(context.TODO(), obj.GetAPIVersion(), kind, namespace, obj, false)
|
||||
if err != nil {
|
||||
logging.Error(err, "failed to update source", "kind", obj.GetKind(), "name", obj.GetName(), "namespace", obj.GetNamespace())
|
||||
return err
|
||||
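Review bot: In the `CloneList` loop of `Validate`, the error logged when `client.GetResource` fails names `rule.Generation.Clone.Namespace` and `rule.Generation.Clone.Name`, but the lookup used `rule.Generation.CloneList.Namespace` and `rName.GetName()`. The message therefore points at a different, possibly empty, resource than the one that could not be fetched, which is misleading when triaging a failed policy. Log the values that were queried: `logging.Error(err, fmt.Sprintf("source resource %s/%s/%s not found.", kind, rule.Generation.CloneList.Namespace, rName.GetName()))`. `Validate` starts and ends outside these hunks.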
|
|
|
@ -2,6 +2,7 @@ package testrunner
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"os"
|
||||
ospath "path"
|
||||
|
@ -13,7 +14,7 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/context"
|
||||
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"gopkg.in/yaml.v3"
|
||||
|
@ -147,7 +148,7 @@ func runTestCase(t *testing.T, tc TestCase) bool {
|
|||
Policy: policy,
|
||||
NewResource: *resource,
|
||||
ExcludeGroupRole: []string{},
|
||||
JSONContext: context.NewContext(),
|
||||
JSONContext: enginecontext.NewContext(),
|
||||
}
|
||||
|
||||
er := engine.Mutate(ctx)
|
||||
|
@ -164,7 +165,7 @@ func runTestCase(t *testing.T, tc TestCase) bool {
|
|||
Policy: policy,
|
||||
NewResource: *resource,
|
||||
ExcludeGroupRole: []string{},
|
||||
JSONContext: context.NewContext(),
|
||||
JSONContext: enginecontext.NewContext(),
|
||||
}
|
||||
|
||||
er = engine.Validate(ctx)
|
||||
|
@ -189,7 +190,7 @@ func runTestCase(t *testing.T, tc TestCase) bool {
|
|||
ExcludeResourceFunc: func(s1, s2, s3 string) bool {
|
||||
return false
|
||||
},
|
||||
JSONContext: context.NewContext(),
|
||||
JSONContext: enginecontext.NewContext(),
|
||||
}
|
||||
|
||||
er = engine.ApplyBackgroundChecks(policyContext)
|
||||
|
@ -203,7 +204,7 @@ func runTestCase(t *testing.T, tc TestCase) bool {
|
|||
}
|
||||
|
||||
func createNamespace(client dclient.Interface, ns *unstructured.Unstructured) error {
|
||||
_, err := client.CreateResource("", "Namespace", "", ns, false)
|
||||
_, err := client.CreateResource(context.TODO(), "", "Namespace", "", ns, false)
|
||||
return err
|
||||
}
|
||||
|
||||
|
@ -212,7 +213,7 @@ func validateGeneratedResources(t *testing.T, client dclient.Interface, policy k
|
|||
t.Log("--validate if resources are generated---")
|
||||
// list of expected generated resources
|
||||
for _, resource := range expected {
|
||||
if _, err := client.GetResource("", resource.Kind, namespace, resource.Name); err != nil {
|
||||
if _, err := client.GetResource(context.TODO(), "", resource.Kind, namespace, resource.Name); err != nil {
|
||||
t.Errorf("generated resource %s/%s/%s not found. %v", resource.Kind, namespace, resource.Name, err)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -213,7 +213,7 @@ func (h *generationHandler) handleUpdateGenerateTargetResource(request *admissio
|
|||
|
||||
cloneName := updatedRule.Generation.Clone.Name
|
||||
if cloneName != "" {
|
||||
obj, err := h.client.GetResource("", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
obj, err := h.client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
||||
if err != nil {
|
||||
h.log.Error(err, fmt.Sprintf("source resource %s/%s/%s not found.", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name))
|
||||
continue
|
||||
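Review bot: The guard and the lookup in `handleUpdateGenerateTargetResource` read different rules: `cloneName` comes from `updatedRule.Generation.Clone.Name`, while `h.client.GetResource` is called with `rule.Generation.Kind`, `rule.Generation.Clone.Namespace` and `rule.Generation.Clone.Name`. How `updatedRule` is derived is outside the hunk, but if the two can differ, the fetched source is not the one the guard checked. Either use `updatedRule` for the lookup or add a comment above the call explaining why `rule` is intended, e.g. `// the source is always taken from the policy rule, not from the labels on the target`.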
|
|
|
@ -1,6 +1,7 @@
|
|||
package generation
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"strings"
|
||||
|
||||
|
@ -24,7 +25,7 @@ func getGeneratedByResource(newRes *unstructured.Unstructured, resLabels map[str
|
|||
if kind != "Namespace" {
|
||||
namespace = resLabels["kyverno.io/generated-by-namespace"]
|
||||
}
|
||||
obj, err := client.GetResource(apiVersion, kind, namespace, name)
|
||||
obj, err := client.GetResource(context.TODO(), apiVersion, kind, namespace, name)
|
||||
if err != nil {
|
||||
logger.Error(err, "source resource not found.")
|
||||
return rule, err
|
||||
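Review bot: `namespace` is read directly from `resLabels["kyverno.io/generated-by-namespace"]` and passed to `client.GetResource` without checking that the label is present. A missing label yields an empty string, and label values can be set by anyone allowed to write the object, so the lookup target should be validated before the call. For example, use `ns, ok := resLabels["kyverno.io/generated-by-namespace"]` and return an error when `!ok || ns == ""`. Where `apiVersion`, `kind` and `name` come from is outside the hunk; if they are also taken from labels, the same check applies to them. The function starts before and continues past this hunk.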
|
|