mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 18:38:40 +00:00
refactor: remove more admission request pointers (#6774)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
40ac8eb863
commit
c9bbf38191
40 changed files with 185 additions and 172 deletions
cmd/cleanup-controller
pkg
background
engine
utils
admission
report
webhooks
exception
handlers
policy
resource
fake.go
server.gogeneration
handlers.gohandlers_test.goimageverification
mutation
updaterequest.goutils.govalidation
utils
|
|
@ -8,21 +8,21 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
validation "github.com/kyverno/kyverno/pkg/validation/cleanuppolicy"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
)
|
||||
|
||||
type handlers struct {
|
||||
type clenaupHandlers struct {
|
||||
client dclient.Interface
|
||||
}
|
||||
|
||||
func New(client dclient.Interface) *handlers {
|
||||
return &handlers{
|
||||
func New(client dclient.Interface) *clenaupHandlers {
|
||||
return &clenaupHandlers{
|
||||
client: client,
|
||||
}
|
||||
}
|
||||
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, _ time.Time) admissionv1.AdmissionResponse {
|
||||
policy, _, err := admissionutils.GetCleanupPolicies(&request)
|
||||
func (h *clenaupHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, _ time.Time) handlers.AdmissionResponse {
|
||||
policy, _, err := admissionutils.GetCleanupPolicies(request.AdmissionRequest)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policies from admission request")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
)
|
||||
|
||||
|
|
@ -31,7 +30,7 @@ type server struct {
|
|||
|
||||
type (
|
||||
TlsProvider = func() ([]byte, []byte, error)
|
||||
ValidationHandler = func(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
ValidationHandler = func(context.Context, logr.Logger, handlers.AdmissionRequest, time.Time) handlers.AdmissionResponse
|
||||
CleanupHandler = func(context.Context, logr.Logger, string, time.Time, config.Configuration) error
|
||||
)
|
||||
|
||||
|
|
|
|||
|
|
@ -26,11 +26,11 @@ func NewBackgroundContext(dclient dclient.Interface, ur *kyvernov1beta1.UpdateRe
|
|||
var err error
|
||||
|
||||
if ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest != nil {
|
||||
if err := ctx.AddRequest(ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest); err != nil {
|
||||
if err := ctx.AddRequest(*ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest); err != nil {
|
||||
return nil, fmt.Errorf("failed to load request in context: %w", err)
|
||||
}
|
||||
|
||||
new, old, err = admissionutils.ExtractResources(nil, ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest)
|
||||
new, old, err = admissionutils.ExtractResources(nil, *ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load request in context: %w", err)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -125,7 +125,7 @@ const doesNotApply = "policy does not apply to resource"
|
|||
func (c *GenerateController) getTrigger(spec kyvernov1beta1.UpdateRequestSpec) (*unstructured.Unstructured, error) {
|
||||
if spec.Context.AdmissionRequestInfo.Operation == admissionv1.Delete {
|
||||
request := spec.Context.AdmissionRequestInfo.AdmissionRequest
|
||||
_, oldResource, err := admissionutils.ExtractResources(nil, request)
|
||||
_, oldResource, err := admissionutils.ExtractResources(nil, *request)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load resource from context: %w", err)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ type EvalInterface interface {
|
|||
// Interface to manage context operations
|
||||
type Interface interface {
|
||||
// AddRequest marshals and adds the admission request to the context
|
||||
AddRequest(request *admissionv1.AdmissionRequest) error
|
||||
AddRequest(request admissionv1.AdmissionRequest) error
|
||||
|
||||
// AddVariable adds a variable to the context
|
||||
AddVariable(key string, value interface{}) error
|
||||
|
|
@ -131,7 +131,7 @@ func (ctx *context) addJSON(dataRaw []byte) error {
|
|||
}
|
||||
|
||||
// AddRequest adds an admission request to context
|
||||
func (ctx *context) AddRequest(request *admissionv1.AdmissionRequest) error {
|
||||
func (ctx *context) AddRequest(request admissionv1.AdmissionRequest) error {
|
||||
return addToContext(ctx, request, "request")
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ func TestHasChanged(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestRequestNotInitialize(t *testing.T) {
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
request := admissionv1.AdmissionRequest{}
|
||||
ctx := NewContext()
|
||||
ctx.AddRequest(request)
|
||||
|
||||
|
|
@ -36,7 +36,7 @@ func TestRequestNotInitialize(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestMissingOldObject(t *testing.T) {
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
request := admissionv1.AdmissionRequest{}
|
||||
ctx := NewContext()
|
||||
ctx.AddRequest(request)
|
||||
request.Object.Raw = []byte(`{"a": {"b": 1, "c": 2}, "d": 3}`)
|
||||
|
|
@ -46,7 +46,7 @@ func TestMissingOldObject(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestMissingObject(t *testing.T) {
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
request := admissionv1.AdmissionRequest{}
|
||||
ctx := NewContext()
|
||||
ctx.AddRequest(request)
|
||||
request.OldObject.Raw = []byte(`{"a": {"b": 1, "c": 2}, "d": 3}`)
|
||||
|
|
@ -56,7 +56,7 @@ func TestMissingObject(t *testing.T) {
|
|||
}
|
||||
|
||||
func createTestContext(obj, oldObj string) Interface {
|
||||
request := &admissionv1.AdmissionRequest{}
|
||||
request := admissionv1.AdmissionRequest{}
|
||||
request.Operation = "UPDATE"
|
||||
request.Object.Raw = []byte(obj)
|
||||
request.OldObject.Raw = []byte(oldObj)
|
||||
|
|
|
|||
|
|
@ -624,7 +624,7 @@ var (
|
|||
|
||||
func Test_VerifyManifest_SignedYAML(t *testing.T) {
|
||||
policyContext := buildContext(t, test_policy, signed_resource, "")
|
||||
var request *v1.AdmissionRequest
|
||||
var request v1.AdmissionRequest
|
||||
_ = json.Unmarshal([]byte(signed_adreq), &request)
|
||||
policyContext.JSONContext().AddRequest(request)
|
||||
policyContext.Policy().SetName("test-policy")
|
||||
|
|
@ -646,7 +646,7 @@ func Test_VerifyManifest_SignedYAML(t *testing.T) {
|
|||
|
||||
func Test_VerifyManifest_UnsignedYAML(t *testing.T) {
|
||||
policyContext := buildContext(t, test_policy, unsigned_resource, "")
|
||||
var request *v1.AdmissionRequest
|
||||
var request v1.AdmissionRequest
|
||||
_ = json.Unmarshal([]byte(unsigned_adreq), &request)
|
||||
policyContext.JSONContext().AddRequest(request)
|
||||
policyContext.Policy().SetName("test-policy")
|
||||
|
|
@ -668,7 +668,7 @@ func Test_VerifyManifest_UnsignedYAML(t *testing.T) {
|
|||
|
||||
func Test_VerifyManifest_InvalidYAML(t *testing.T) {
|
||||
policyContext := buildContext(t, test_policy, invalid_resource, "")
|
||||
var request *v1.AdmissionRequest
|
||||
var request v1.AdmissionRequest
|
||||
_ = json.Unmarshal([]byte(invalid_adreq), &request)
|
||||
policyContext.JSONContext().AddRequest(request)
|
||||
policyContext.Policy().SetName("test-policy")
|
||||
|
|
@ -690,7 +690,7 @@ func Test_VerifyManifest_InvalidYAML(t *testing.T) {
|
|||
|
||||
func Test_VerifyManifest_MustAll_InvalidYAML(t *testing.T) {
|
||||
policyContext := buildContext(t, test_policy, multi_sig_resource, "")
|
||||
var request *v1.AdmissionRequest
|
||||
var request v1.AdmissionRequest
|
||||
_ = json.Unmarshal([]byte(multi_sig_adreq), &request)
|
||||
policyContext.JSONContext().AddRequest(request)
|
||||
policyContext.Policy().SetName("test-policy")
|
||||
|
|
@ -718,7 +718,7 @@ func Test_VerifyManifest_MustAll_InvalidYAML(t *testing.T) {
|
|||
|
||||
func Test_VerifyManifest_MustAll_ValidYAML(t *testing.T) {
|
||||
policyContext := buildContext(t, test_policy, multi_sig2_resource, "")
|
||||
var request *v1.AdmissionRequest
|
||||
var request v1.AdmissionRequest
|
||||
_ = json.Unmarshal([]byte(multi_sig2_adreq), &request)
|
||||
policyContext.JSONContext().AddRequest(request)
|
||||
policyContext.Policy().SetName("test-policy")
|
||||
|
|
@ -750,7 +750,7 @@ func Test_VerifyManifest_MustAll_ValidYAML(t *testing.T) {
|
|||
|
||||
func Test_VerifyManifest_AtLeastOne(t *testing.T) {
|
||||
policyContext := buildContext(t, test_policy, multi_sig_resource, "")
|
||||
var request *v1.AdmissionRequest
|
||||
var request v1.AdmissionRequest
|
||||
_ = json.Unmarshal([]byte(multi_sig_adreq), &request)
|
||||
policyContext.JSONContext().AddRequest(request)
|
||||
policyContext.Policy().SetName("test-policy")
|
||||
|
|
|
|||
|
|
@ -191,7 +191,7 @@ func NewPolicyContext(operation kyvernov1.AdmissionOperation) *PolicyContext {
|
|||
|
||||
func NewPolicyContextFromAdmissionRequest(
|
||||
client dclient.IDiscovery,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
admissionInfo kyvernov1beta1.RequestInfo,
|
||||
configuration config.Configuration,
|
||||
) (*PolicyContext, error) {
|
||||
|
|
@ -220,7 +220,7 @@ func NewPolicyContextFromAdmissionRequest(
|
|||
return policyContext, nil
|
||||
}
|
||||
|
||||
func newVariablesContext(request *admissionv1.AdmissionRequest, userRequestInfo *kyvernov1beta1.RequestInfo) (enginectx.Interface, error) {
|
||||
func newVariablesContext(request admissionv1.AdmissionRequest, userRequestInfo *kyvernov1beta1.RequestInfo) (enginectx.Interface, error) {
|
||||
ctx := enginectx.NewContext()
|
||||
if err := ctx.AddRequest(request); err != nil {
|
||||
return nil, fmt.Errorf("failed to load incoming request in context: %w", err)
|
||||
|
|
|
|||
|
|
@ -2082,7 +2082,7 @@ func executeTest(t *testing.T, test testCase) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
|
||||
var request *admissionv1.AdmissionRequest
|
||||
var request admissionv1.AdmissionRequest
|
||||
err = json.Unmarshal(test.request, &request)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ func UnmarshalCleanupPolicy(kind string, raw []byte) (kyvernov2alpha1.CleanupPol
|
|||
return nil, fmt.Errorf("admission request does not contain a cleanuppolicy")
|
||||
}
|
||||
|
||||
func GetCleanupPolicies(request *admissionv1.AdmissionRequest) (kyvernov2alpha1.CleanupPolicyInterface, kyvernov2alpha1.CleanupPolicyInterface, error) {
|
||||
func GetCleanupPolicies(request admissionv1.AdmissionRequest) (kyvernov2alpha1.CleanupPolicyInterface, kyvernov2alpha1.CleanupPolicyInterface, error) {
|
||||
var emptypolicy kyvernov2alpha1.CleanupPolicyInterface
|
||||
policy, err := UnmarshalCleanupPolicy(request.Kind.Kind, request.Object.Raw)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -4,6 +4,6 @@ import (
|
|||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func IsDryRun(request *admissionv1.AdmissionRequest) bool {
|
||||
func IsDryRun(request admissionv1.AdmissionRequest) bool {
|
||||
return request.DryRun != nil && *request.DryRun
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ func TestIsDryRun(t *testing.T) {
|
|||
true := true
|
||||
false := false
|
||||
type args struct {
|
||||
request *admissionv1.AdmissionRequest
|
||||
request admissionv1.AdmissionRequest
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
|
|
@ -18,19 +18,19 @@ func TestIsDryRun(t *testing.T) {
|
|||
want bool
|
||||
}{{
|
||||
args: args{
|
||||
request: &admissionv1.AdmissionRequest{},
|
||||
request: admissionv1.AdmissionRequest{},
|
||||
},
|
||||
want: false,
|
||||
}, {
|
||||
args: args{
|
||||
request: &admissionv1.AdmissionRequest{
|
||||
request: admissionv1.AdmissionRequest{
|
||||
DryRun: &true,
|
||||
},
|
||||
},
|
||||
want: true,
|
||||
}, {
|
||||
args: args{
|
||||
request: &admissionv1.AdmissionRequest{
|
||||
request: admissionv1.AdmissionRequest{
|
||||
DryRun: &false,
|
||||
},
|
||||
},
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ func UnmarshalPolicyException(raw []byte) (*kyvernov2alpha1.PolicyException, err
|
|||
return exception, nil
|
||||
}
|
||||
|
||||
func GetPolicyExceptions(request *admissionv1.AdmissionRequest) (*kyvernov2alpha1.PolicyException, *kyvernov2alpha1.PolicyException, error) {
|
||||
func GetPolicyExceptions(request admissionv1.AdmissionRequest) (*kyvernov2alpha1.PolicyException, *kyvernov2alpha1.PolicyException, error) {
|
||||
var empty *kyvernov2alpha1.PolicyException
|
||||
exception, err := UnmarshalPolicyException(request.Object.Raw)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -25,11 +25,11 @@ func UnmarshalPolicy(kind string, raw []byte) (kyvernov1.PolicyInterface, error)
|
|||
return nil, fmt.Errorf("admission request does not contain a policy")
|
||||
}
|
||||
|
||||
func GetPolicy(request *admissionv1.AdmissionRequest) (kyvernov1.PolicyInterface, error) {
|
||||
func GetPolicy(request admissionv1.AdmissionRequest) (kyvernov1.PolicyInterface, error) {
|
||||
return UnmarshalPolicy(request.Kind.Kind, request.Object.Raw)
|
||||
}
|
||||
|
||||
func GetPolicies(request *admissionv1.AdmissionRequest) (kyvernov1.PolicyInterface, kyvernov1.PolicyInterface, error) {
|
||||
func GetPolicies(request admissionv1.AdmissionRequest) (kyvernov1.PolicyInterface, kyvernov1.PolicyInterface, error) {
|
||||
policy, err := UnmarshalPolicy(request.Kind.Kind, request.Object.Raw)
|
||||
if err != nil {
|
||||
return policy, nil, err
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import (
|
|||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
)
|
||||
|
||||
func GetResourceName(request *admissionv1.AdmissionRequest) string {
|
||||
func GetResourceName(request admissionv1.AdmissionRequest) string {
|
||||
resourceName := request.Kind.Kind + "/" + request.Name
|
||||
if request.Namespace != "" {
|
||||
resourceName = request.Namespace + "/" + resourceName
|
||||
|
|
@ -18,7 +18,7 @@ func GetResourceName(request *admissionv1.AdmissionRequest) string {
|
|||
}
|
||||
|
||||
// ExtractResources extracts the new and old resource as unstructured
|
||||
func ExtractResources(newRaw []byte, request *admissionv1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
|
||||
func ExtractResources(newRaw []byte, request admissionv1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
|
||||
var emptyResource unstructured.Unstructured
|
||||
var newResource unstructured.Unstructured
|
||||
var oldResource unstructured.Unstructured
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ import (
|
|||
|
||||
func TestGetResourceName(t *testing.T) {
|
||||
type args struct {
|
||||
request *admissionv1.AdmissionRequest
|
||||
request admissionv1.AdmissionRequest
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
|
|
@ -19,7 +19,7 @@ func TestGetResourceName(t *testing.T) {
|
|||
}{{
|
||||
name: "with namespace",
|
||||
args: args{
|
||||
request: &admissionv1.AdmissionRequest{
|
||||
request: admissionv1.AdmissionRequest{
|
||||
Kind: v1.GroupVersionKind{
|
||||
Kind: "Pod",
|
||||
},
|
||||
|
|
@ -31,7 +31,7 @@ func TestGetResourceName(t *testing.T) {
|
|||
}, {
|
||||
name: "without namespace",
|
||||
args: args{
|
||||
request: &admissionv1.AdmissionRequest{
|
||||
request: admissionv1.AdmissionRequest{
|
||||
Kind: v1.GroupVersionKind{
|
||||
Kind: "Namespace",
|
||||
},
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ func NewAdmissionReport(namespace, name string, gvr schema.GroupVersionResource,
|
|||
return report
|
||||
}
|
||||
|
||||
func BuildAdmissionReport(resource unstructured.Unstructured, request *admissionv1.AdmissionRequest, responses ...engineapi.EngineResponse) kyvernov1alpha2.ReportInterface {
|
||||
func BuildAdmissionReport(resource unstructured.Unstructured, request admissionv1.AdmissionRequest, responses ...engineapi.EngineResponse) kyvernov1alpha2.ReportInterface {
|
||||
report := NewAdmissionReport(resource.GetNamespace(), string(request.UID), schema.GroupVersionResource(request.Resource), resource)
|
||||
SetResponses(report, responses...)
|
||||
return report
|
||||
|
|
|
|||
|
|
@ -8,22 +8,22 @@ import (
|
|||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
validation "github.com/kyverno/kyverno/pkg/validation/exception"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
)
|
||||
|
||||
type handlers struct {
|
||||
type exceptionHandlers struct {
|
||||
validationOptions validation.ValidationOptions
|
||||
}
|
||||
|
||||
func NewHandlers(validationOptions validation.ValidationOptions) webhooks.ExceptionHandlers {
|
||||
return &handlers{
|
||||
return &exceptionHandlers{
|
||||
validationOptions: validationOptions,
|
||||
}
|
||||
}
|
||||
|
||||
// Validate performs the validation check on policy exception resources
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
polex, _, err := admissionutils.GetPolicyExceptions(&request)
|
||||
func (h *exceptionHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, startTime time.Time) handlers.AdmissionResponse {
|
||||
polex, _, err := admissionutils.GetPolicyExceptions(request.AdmissionRequest)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policy exceptions from admission request")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ func (inner AdmissionHandler) withAdmission(logger logr.Logger) HttpHandler {
|
|||
HttpError(request.Context(), writer, request, logger, errors.New("invalid Content-Type"), http.StatusUnsupportedMediaType)
|
||||
return
|
||||
}
|
||||
admissionReview := &admissionv1.AdmissionReview{}
|
||||
var admissionReview admissionv1.AdmissionReview
|
||||
if err := json.Unmarshal(body, &admissionReview); err != nil {
|
||||
HttpError(request.Context(), writer, request, logger, err, http.StatusExpectationFailed)
|
||||
return
|
||||
|
|
@ -51,8 +51,11 @@ func (inner AdmissionHandler) withAdmission(logger logr.Logger) HttpHandler {
|
|||
Allowed: true,
|
||||
UID: admissionReview.Request.UID,
|
||||
}
|
||||
// TODO: check request is not nil ?
|
||||
admissionResponse := inner(request.Context(), logger, *admissionReview.Request, startTime)
|
||||
admissionRequest := AdmissionRequest{
|
||||
AdmissionRequest: *admissionReview.Request,
|
||||
// TODO: roles/clusterroles
|
||||
}
|
||||
admissionResponse := inner(request.Context(), logger, admissionRequest, startTime)
|
||||
admissionReview.Response = &admissionResponse
|
||||
responseJSON, err := json.Marshal(admissionReview)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -32,9 +32,9 @@ func (inner AdmissionHandler) withDump(
|
|||
rbLister rbacv1listers.RoleBindingLister,
|
||||
crbLister rbacv1listers.ClusterRoleBindingLister,
|
||||
) AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
response := inner(ctx, logger, request, startTime)
|
||||
dumpPayload(logger, rbLister, crbLister, &request, &response)
|
||||
dumpPayload(logger, rbLister, crbLister, request.AdmissionRequest, response)
|
||||
return response
|
||||
}
|
||||
}
|
||||
|
|
@ -43,17 +43,15 @@ func dumpPayload(
|
|||
logger logr.Logger,
|
||||
rbLister rbacv1listers.RoleBindingLister,
|
||||
crbLister rbacv1listers.ClusterRoleBindingLister,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
response *admissionv1.AdmissionResponse,
|
||||
request admissionv1.AdmissionRequest,
|
||||
response AdmissionResponse,
|
||||
) {
|
||||
reqPayload, err := newAdmissionRequestPayload(request, rbLister, crbLister)
|
||||
if err != nil {
|
||||
logger.Error(err, "Failed to extract resources")
|
||||
} else {
|
||||
if response != nil {
|
||||
logger = logger.WithValues("AdmissionResponse", *response)
|
||||
}
|
||||
logger.Info("Logging admission request and response payload ", "AdmissionRequest", reqPayload)
|
||||
logger = logger.WithValues("AdmissionResponse", response, "AdmissionRequest", reqPayload)
|
||||
logger.Info("Logging admission request and response payload ")
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -79,7 +77,7 @@ type admissionRequestPayload struct {
|
|||
}
|
||||
|
||||
func newAdmissionRequestPayload(
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
rbLister rbacv1listers.RoleBindingLister,
|
||||
crbLister rbacv1listers.ClusterRoleBindingLister,
|
||||
) (*admissionRequestPayload, error) {
|
||||
|
|
|
|||
|
|
@ -138,8 +138,8 @@ func Test_RedactPayload(t *testing.T) {
|
|||
|
||||
for _, c := range tc {
|
||||
t.Run(c.name, func(t *testing.T) {
|
||||
req := new(admissionv1.AdmissionRequest)
|
||||
err := json.Unmarshal(c.requestPayload, req)
|
||||
var req admissionv1.AdmissionRequest
|
||||
err := json.Unmarshal(c.requestPayload, &req)
|
||||
assert.NilError(t, err)
|
||||
payload, err := newAdmissionRequestPayload(req, nil, nil)
|
||||
assert.NilError(t, err)
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ func (inner AdmissionHandler) WithSubResourceFilter(subresources ...string) Admi
|
|||
}
|
||||
|
||||
func (inner AdmissionHandler) withFilter(c config.Configuration) AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
// filter by username
|
||||
for _, username := range c.GetExcludedUsernames() {
|
||||
if wildcard.Match(username, request.UserInfo.Username) {
|
||||
|
|
@ -58,7 +58,7 @@ func (inner AdmissionHandler) withOperationFilter(operations ...admissionv1.Oper
|
|||
for _, operation := range operations {
|
||||
allowed.Insert(string(operation))
|
||||
}
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
if allowed.Has(string(request.Operation)) {
|
||||
return inner(ctx, logger, request, startTime)
|
||||
}
|
||||
|
|
@ -68,7 +68,7 @@ func (inner AdmissionHandler) withOperationFilter(operations ...admissionv1.Oper
|
|||
|
||||
func (inner AdmissionHandler) withSubResourceFilter(subresources ...string) AdmissionHandler {
|
||||
allowed := sets.New(subresources...)
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
if request.SubResource == "" || allowed.Has(request.SubResource) {
|
||||
return inner(ctx, logger, request, startTime)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ import (
|
|||
"go.opentelemetry.io/otel/metric/global"
|
||||
"go.opentelemetry.io/otel/metric/instrument"
|
||||
semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func (inner AdmissionHandler) WithMetrics(logger logr.Logger, metricsConfig config.MetricsConfiguration, attrs ...attribute.KeyValue) AdmissionHandler {
|
||||
|
|
@ -36,7 +35,7 @@ func (inner AdmissionHandler) withMetrics(logger logr.Logger, metricsConfig conf
|
|||
if err != nil {
|
||||
logger.Error(err, "Failed to create instrument, kyverno_admission_review_duration_seconds")
|
||||
}
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
response := inner(ctx, logger, request, startTime)
|
||||
namespace := request.Namespace
|
||||
if metricsConfig.CheckNamespace(namespace) {
|
||||
|
|
|
|||
|
|
@ -24,12 +24,12 @@ func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
|
|||
}
|
||||
|
||||
func (inner AdmissionHandler) withProtection() AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
// Allows deletion of namespace containing managed resources
|
||||
if request.Operation == admissionv1.Delete && request.UserInfo.Username == namespaceControllerUsername {
|
||||
return inner(ctx, logger, request, startTime)
|
||||
}
|
||||
newResource, oldResource, err := admissionutils.ExtractResources(nil, &request)
|
||||
newResource, oldResource, err := admissionutils.ExtractResources(nil, request.AdmissionRequest)
|
||||
if err != nil {
|
||||
logger.Error(err, "Failed to extract resources")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ import (
|
|||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func (inner HttpHandler) WithTrace(name string) HttpHandler {
|
||||
|
|
@ -35,12 +34,12 @@ func (inner HttpHandler) WithTrace(name string) HttpHandler {
|
|||
}
|
||||
|
||||
func (inner AdmissionHandler) WithTrace(name string) AdmissionHandler {
|
||||
return func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
return tracing.Span1(
|
||||
ctx,
|
||||
"webhooks/handlers",
|
||||
fmt.Sprintf("%s %s %s", name, request.Operation, request.Kind),
|
||||
func(ctx context.Context, span trace.Span) admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, span trace.Span) AdmissionResponse {
|
||||
response := inner(ctx, logger, request, startTime)
|
||||
span.SetAttributes(
|
||||
tracing.ResponseUidKey.String(tracing.StringValue(string(response.UID))),
|
||||
|
|
@ -67,7 +66,7 @@ func (inner AdmissionHandler) WithTrace(name string) AdmissionHandler {
|
|||
tracing.RequestNamespaceKey.String(tracing.StringValue(request.Namespace)),
|
||||
tracing.RequestUidKey.String(tracing.StringValue(string(request.UID))),
|
||||
tracing.RequestOperationKey.String(tracing.StringValue(string(request.Operation))),
|
||||
tracing.RequestDryRunKey.Bool(admissionutils.IsDryRun(&request)),
|
||||
tracing.RequestDryRunKey.Bool(admissionutils.IsDryRun(request.AdmissionRequest)),
|
||||
tracing.RequestKindGroupKey.String(tracing.StringValue(request.Kind.Group)),
|
||||
tracing.RequestKindVersionKey.String(tracing.StringValue(request.Kind.Version)),
|
||||
tracing.RequestKindKindKey.String(tracing.StringValue(request.Kind.Kind)),
|
||||
|
|
|
|||
|
|
@ -9,8 +9,15 @@ import (
|
|||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
type AdmissionRequest struct {
|
||||
// AdmissionRequest is the original admission request.
|
||||
admissionv1.AdmissionRequest
|
||||
}
|
||||
|
||||
type AdmissionResponse = admissionv1.AdmissionResponse
|
||||
|
||||
type (
|
||||
AdmissionHandler func(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
AdmissionHandler func(context.Context, logr.Logger, AdmissionRequest, time.Time) AdmissionResponse
|
||||
HttpHandler func(http.ResponseWriter, *http.Request)
|
||||
)
|
||||
|
||||
|
|
|
|||
|
|
@ -8,10 +8,9 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/config"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
)
|
||||
|
||||
func Verify(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
func Verify(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
|
||||
if request.Name != "kyverno-health" || request.Namespace != config.KyvernoNamespace() {
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,23 +10,23 @@ import (
|
|||
policyvalidate "github.com/kyverno/kyverno/pkg/policy"
|
||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
)
|
||||
|
||||
type handlers struct {
|
||||
type policyHandlers struct {
|
||||
client dclient.Interface
|
||||
openApiManager openapi.Manager
|
||||
}
|
||||
|
||||
func NewHandlers(client dclient.Interface, openApiManager openapi.Manager) webhooks.PolicyHandlers {
|
||||
return &handlers{
|
||||
return &policyHandlers{
|
||||
client: client,
|
||||
openApiManager: openApiManager,
|
||||
}
|
||||
}
|
||||
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, _ time.Time) admissionv1.AdmissionResponse {
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(&request)
|
||||
func (h *policyHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, _ time.Time) handlers.AdmissionResponse {
|
||||
policy, oldPolicy, err := admissionutils.GetPolicies(request.AdmissionRequest)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to unmarshal policies from admission request")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
|
@ -38,6 +38,6 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request adm
|
|||
return admissionutils.Response(request.UID, err, warnings...)
|
||||
}
|
||||
|
||||
func (h *handlers) Mutate(_ context.Context, _ logr.Logger, request admissionv1.AdmissionRequest, _ time.Time) admissionv1.AdmissionResponse {
|
||||
func (h *policyHandlers) Mutate(_ context.Context, _ logr.Logger, request handlers.AdmissionRequest, _ time.Time) handlers.AdmissionResponse {
|
||||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ func NewFakeHandlers(ctx context.Context, policyCache policycache.Cache) webhook
|
|||
peLister := kyvernoInformers.Kyverno().V2alpha1().PolicyExceptions().Lister()
|
||||
rclient := registryclient.NewOrDie()
|
||||
|
||||
return &handlers{
|
||||
return &resourceHandlers{
|
||||
client: dclient,
|
||||
rclient: rclient,
|
||||
configuration: configuration,
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ import (
|
|||
)
|
||||
|
||||
type GenerationHandler interface {
|
||||
Handle(context.Context, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext)
|
||||
Handle(context.Context, admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext)
|
||||
}
|
||||
|
||||
func NewGenerationHandler(
|
||||
|
|
@ -72,7 +72,7 @@ type generationHandler struct {
|
|||
|
||||
func (h *generationHandler) Handle(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
) {
|
||||
|
|
@ -101,7 +101,7 @@ func getAppliedRules(policy kyvernov1.PolicyInterface, applied []engineapi.RuleR
|
|||
|
||||
func (h *generationHandler) handleTrigger(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
) {
|
||||
|
|
@ -132,7 +132,7 @@ func (h *generationHandler) handleTrigger(
|
|||
func (h *generationHandler) handleNonTrigger(
|
||||
ctx context.Context,
|
||||
policyContext *engine.PolicyContext,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
) {
|
||||
resource := policyContext.OldResource()
|
||||
labels := resource.GetLabels()
|
||||
|
|
@ -146,7 +146,7 @@ func (h *generationHandler) handleNonTrigger(
|
|||
|
||||
func (h *generationHandler) applyGeneration(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policy kyvernov1.PolicyInterface,
|
||||
appliedRules []engineapi.RuleResponse,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
|
@ -182,7 +182,7 @@ func (h *generationHandler) applyGeneration(
|
|||
// it can be 1. trigger deletion; 2. trigger no longer matches, when a rule fails
|
||||
func (h *generationHandler) syncTriggerAction(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policy kyvernov1.PolicyInterface,
|
||||
failedRules []engineapi.RuleResponse,
|
||||
policyContext *engine.PolicyContext,
|
||||
|
|
@ -231,7 +231,7 @@ func (h *generationHandler) syncTriggerAction(
|
|||
}
|
||||
}
|
||||
|
||||
func (h *generationHandler) createUR(ctx context.Context, policyContext *engine.PolicyContext, request *admissionv1.AdmissionRequest) (err error) {
|
||||
func (h *generationHandler) createUR(ctx context.Context, policyContext *engine.PolicyContext, request admissionv1.AdmissionRequest) (err error) {
|
||||
var policy kyvernov1.PolicyInterface
|
||||
new := policyContext.NewResource()
|
||||
labels := new.GetLabels()
|
||||
|
|
|
|||
|
|
@ -19,11 +19,11 @@ func buildURSpec(requestType kyvernov1beta1.RequestType, policyKey, ruleName str
|
|||
}
|
||||
}
|
||||
|
||||
func buildURContext(request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext) kyvernov1beta1.UpdateRequestSpecContext {
|
||||
func buildURContext(request admissionv1.AdmissionRequest, policyContext *engine.PolicyContext) kyvernov1beta1.UpdateRequestSpecContext {
|
||||
return kyvernov1beta1.UpdateRequestSpecContext{
|
||||
UserRequestInfo: policyContext.AdmissionInfo(),
|
||||
AdmissionRequestInfo: kyvernov1beta1.AdmissionRequestInfoObject{
|
||||
AdmissionRequest: request,
|
||||
AdmissionRequest: &request,
|
||||
Operation: request.Operation,
|
||||
},
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,18 +23,18 @@ import (
|
|||
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/imageverification"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/mutation"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/validation"
|
||||
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
||||
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
rbacv1listers "k8s.io/client-go/listers/rbac/v1"
|
||||
)
|
||||
|
||||
type handlers struct {
|
||||
type resourceHandlers struct {
|
||||
// clients
|
||||
client dclient.Interface
|
||||
kyvernoClient versioned.Interface
|
||||
|
|
@ -81,7 +81,7 @@ func NewHandlers(
|
|||
openApiManager openapi.ValidateInterface,
|
||||
admissionReports bool,
|
||||
) webhooks.ResourceHandlers {
|
||||
return &handlers{
|
||||
return &resourceHandlers{
|
||||
engine: engine,
|
||||
client: client,
|
||||
kyvernoClient: kyvernoClient,
|
||||
|
|
@ -101,7 +101,7 @@ func NewHandlers(
|
|||
}
|
||||
}
|
||||
|
||||
func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, failurePolicy string, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
func (h *resourceHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
||||
kind := request.Kind.Kind
|
||||
logger = logger.WithValues("kind", kind)
|
||||
logger.V(4).Info("received an admission request in validating webhook")
|
||||
|
|
@ -120,7 +120,7 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request adm
|
|||
|
||||
logger.V(4).Info("processing policies for validate admission request", "validate", len(policies), "mutate", len(mutatePolicies), "generate", len(generatePolicies))
|
||||
|
||||
policyContext, err := h.pcBuilder.Build(&request)
|
||||
policyContext, err := h.pcBuilder.Build(request.AdmissionRequest)
|
||||
if err != nil {
|
||||
return errorResponse(logger, request.UID, err, "failed create policy context")
|
||||
}
|
||||
|
|
@ -132,18 +132,18 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request adm
|
|||
policyContext = policyContext.WithNamespaceLabels(namespaceLabels)
|
||||
vh := validation.NewValidationHandler(logger, h.kyvernoClient, h.engine, h.pCache, h.pcBuilder, h.eventGen, h.admissionReports, h.metricsConfig, h.configuration)
|
||||
|
||||
ok, msg, warnings := vh.HandleValidation(ctx, &request, policies, policyContext, startTime)
|
||||
ok, msg, warnings := vh.HandleValidation(ctx, request.AdmissionRequest, policies, policyContext, startTime)
|
||||
if !ok {
|
||||
logger.Info("admission request denied")
|
||||
return admissionutils.Response(request.UID, errors.New(msg), warnings...)
|
||||
}
|
||||
if !admissionutils.IsDryRun(&request) {
|
||||
go h.handleBackgroundApplies(ctx, logger, &request, policyContext, generatePolicies, mutatePolicies, startTime)
|
||||
if !admissionutils.IsDryRun(request.AdmissionRequest) {
|
||||
go h.handleBackgroundApplies(ctx, logger, request.AdmissionRequest, policyContext, generatePolicies, mutatePolicies, startTime)
|
||||
}
|
||||
return admissionutils.ResponseSuccess(request.UID, warnings...)
|
||||
}
|
||||
|
||||
func (h *handlers) Mutate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, failurePolicy string, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
func (h *resourceHandlers) Mutate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
||||
kind := request.Kind.Kind
|
||||
logger = logger.WithValues("kind", kind)
|
||||
logger.V(4).Info("received an admission request in mutating webhook")
|
||||
|
|
@ -155,26 +155,26 @@ func (h *handlers) Mutate(ctx context.Context, logger logr.Logger, request admis
|
|||
return admissionutils.ResponseSuccess(request.UID)
|
||||
}
|
||||
logger.V(4).Info("processing policies for mutate admission request", "mutatePolicies", len(mutatePolicies), "verifyImagesPolicies", len(verifyImagesPolicies))
|
||||
policyContext, err := h.pcBuilder.Build(&request)
|
||||
policyContext, err := h.pcBuilder.Build(request.AdmissionRequest)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to build policy context")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
mh := mutation.NewMutationHandler(logger, h.engine, h.eventGen, h.openApiManager, h.nsLister, h.metricsConfig)
|
||||
mutatePatches, mutateWarnings, err := mh.HandleMutation(ctx, &request, mutatePolicies, policyContext, startTime)
|
||||
mutatePatches, mutateWarnings, err := mh.HandleMutation(ctx, request.AdmissionRequest, mutatePolicies, policyContext, startTime)
|
||||
if err != nil {
|
||||
logger.Error(err, "mutation failed")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
newRequest := patchRequest(mutatePatches, request, logger)
|
||||
newRequest := patchRequest(mutatePatches, request.AdmissionRequest, logger)
|
||||
// rebuild context to process images updated via mutate policies
|
||||
policyContext, err = h.pcBuilder.Build(&newRequest)
|
||||
policyContext, err = h.pcBuilder.Build(newRequest)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to build policy context")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
}
|
||||
ivh := imageverification.NewImageVerificationHandler(logger, h.kyvernoClient, h.engine, h.eventGen, h.admissionReports, h.configuration)
|
||||
imagePatches, imageVerifyWarnings, err := ivh.Handle(ctx, &newRequest, verifyImagesPolicies, policyContext)
|
||||
imagePatches, imageVerifyWarnings, err := ivh.Handle(ctx, newRequest, verifyImagesPolicies, policyContext)
|
||||
if err != nil {
|
||||
logger.Error(err, "image verification failed")
|
||||
return admissionutils.Response(request.UID, err)
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import (
|
|||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
log "github.com/kyverno/kyverno/pkg/logging"
|
||||
"github.com/kyverno/kyverno/pkg/policycache"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
||||
"gotest.tools/assert"
|
||||
v1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
|
@ -263,7 +264,7 @@ func Test_AdmissionResponseValid(t *testing.T) {
|
|||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
handlers := NewFakeHandlers(ctx, policyCache)
|
||||
resourceHandlers := NewFakeHandlers(ctx, policyCache)
|
||||
|
||||
var validPolicy kyverno.ClusterPolicy
|
||||
err := json.Unmarshal([]byte(policyCheckLabel), &validPolicy)
|
||||
|
|
@ -272,27 +273,29 @@ func Test_AdmissionResponseValid(t *testing.T) {
|
|||
key := makeKey(&validPolicy)
|
||||
policyCache.Set(key, &validPolicy, policycache.TestResourceFinder{})
|
||||
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(pod),
|
||||
request := handlers.AdmissionRequest{
|
||||
AdmissionRequest: v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(pod),
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
}
|
||||
|
||||
response := handlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
response := resourceHandlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, true)
|
||||
|
||||
response = handlers.Validate(ctx, logger, request, "", time.Now())
|
||||
response = resourceHandlers.Validate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, true)
|
||||
assert.Equal(t, len(response.Warnings), 0)
|
||||
|
||||
validPolicy.Spec.ValidationFailureAction = "Enforce"
|
||||
policyCache.Set(key, &validPolicy, policycache.TestResourceFinder{})
|
||||
|
||||
response = handlers.Validate(ctx, logger, request, "", time.Now())
|
||||
response = resourceHandlers.Validate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, false)
|
||||
assert.Equal(t, len(response.Warnings), 0)
|
||||
|
||||
|
|
@ -306,27 +309,29 @@ func Test_AdmissionResponseInvalid(t *testing.T) {
|
|||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
handlers := NewFakeHandlers(ctx, policyCache)
|
||||
resourceHandlers := NewFakeHandlers(ctx, policyCache)
|
||||
|
||||
var invalidPolicy kyverno.ClusterPolicy
|
||||
err := json.Unmarshal([]byte(policyInvalid), &invalidPolicy)
|
||||
assert.NilError(t, err)
|
||||
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(pod),
|
||||
request := handlers.AdmissionRequest{
|
||||
AdmissionRequest: v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(pod),
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
}
|
||||
|
||||
keyInvalid := makeKey(&invalidPolicy)
|
||||
invalidPolicy.Spec.ValidationFailureAction = "Enforce"
|
||||
policyCache.Set(keyInvalid, &invalidPolicy, policycache.TestResourceFinder{})
|
||||
|
||||
response := handlers.Validate(ctx, logger, request, "", time.Now())
|
||||
response := resourceHandlers.Validate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, false)
|
||||
assert.Equal(t, len(response.Warnings), 0)
|
||||
|
||||
|
|
@ -334,7 +339,7 @@ func Test_AdmissionResponseInvalid(t *testing.T) {
|
|||
invalidPolicy.Spec.FailurePolicy = &ignore
|
||||
policyCache.Set(keyInvalid, &invalidPolicy, policycache.TestResourceFinder{})
|
||||
|
||||
response = handlers.Validate(ctx, logger, request, "", time.Now())
|
||||
response = resourceHandlers.Validate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, true)
|
||||
assert.Equal(t, len(response.Warnings), 1)
|
||||
}
|
||||
|
|
@ -346,7 +351,7 @@ func Test_ImageVerify(t *testing.T) {
|
|||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
handlers := NewFakeHandlers(ctx, policyCache)
|
||||
resourceHandlers := NewFakeHandlers(ctx, policyCache)
|
||||
|
||||
var policy kyverno.ClusterPolicy
|
||||
err := json.Unmarshal([]byte(policyVerifySignature), &policy)
|
||||
|
|
@ -355,20 +360,22 @@ func Test_ImageVerify(t *testing.T) {
|
|||
key := makeKey(&policy)
|
||||
policyCache.Set(key, &policy, policycache.TestResourceFinder{})
|
||||
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(pod),
|
||||
request := handlers.AdmissionRequest{
|
||||
AdmissionRequest: v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(pod),
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
}
|
||||
|
||||
policy.Spec.ValidationFailureAction = "Enforce"
|
||||
policyCache.Set(key, &policy, policycache.TestResourceFinder{})
|
||||
|
||||
response := handlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
response := resourceHandlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, false)
|
||||
assert.Equal(t, len(response.Warnings), 0)
|
||||
|
||||
|
|
@ -376,7 +383,7 @@ func Test_ImageVerify(t *testing.T) {
|
|||
policy.Spec.FailurePolicy = &ignore
|
||||
policyCache.Set(key, &policy, policycache.TestResourceFinder{})
|
||||
|
||||
response = handlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
response = resourceHandlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, false)
|
||||
assert.Equal(t, len(response.Warnings), 0)
|
||||
}
|
||||
|
|
@ -388,7 +395,7 @@ func Test_MutateAndVerify(t *testing.T) {
|
|||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
handlers := NewFakeHandlers(ctx, policyCache)
|
||||
resourceHandlers := NewFakeHandlers(ctx, policyCache)
|
||||
|
||||
var policy kyverno.ClusterPolicy
|
||||
err := json.Unmarshal([]byte(policyMutateAndVerify), &policy)
|
||||
|
|
@ -397,17 +404,19 @@ func Test_MutateAndVerify(t *testing.T) {
|
|||
key := makeKey(&policy)
|
||||
policyCache.Set(key, &policy, policycache.TestResourceFinder{})
|
||||
|
||||
request := v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "Pod"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(resourceMutateAndVerify),
|
||||
request := handlers.AdmissionRequest{
|
||||
AdmissionRequest: v1.AdmissionRequest{
|
||||
Operation: v1.Create,
|
||||
Kind: metav1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"},
|
||||
Resource: metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "Pod"},
|
||||
Object: runtime.RawExtension{
|
||||
Raw: []byte(resourceMutateAndVerify),
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
},
|
||||
RequestResource: &metav1.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"},
|
||||
}
|
||||
|
||||
response := handlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
response := resourceHandlers.Mutate(ctx, logger, request, "", time.Now())
|
||||
assert.Equal(t, response.Allowed, true)
|
||||
assert.Equal(t, len(response.Warnings), 0)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ import (
|
|||
)
|
||||
|
||||
type ImageVerificationHandler interface {
|
||||
Handle(context.Context, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext) ([]byte, []string, error)
|
||||
Handle(context.Context, admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext) ([]byte, []string, error)
|
||||
}
|
||||
|
||||
type imageVerificationHandler struct {
|
||||
|
|
@ -57,7 +57,7 @@ func NewImageVerificationHandler(
|
|||
|
||||
func (h *imageVerificationHandler) Handle(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
) ([]byte, []string, error) {
|
||||
|
|
@ -72,7 +72,7 @@ func (h *imageVerificationHandler) Handle(
|
|||
func (h *imageVerificationHandler) handleVerifyImages(
|
||||
ctx context.Context,
|
||||
logger logr.Logger,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policyContext *engine.PolicyContext,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
) (bool, string, []byte, []string) {
|
||||
|
|
@ -147,7 +147,7 @@ func isResourceDeleted(policyContext *engine.PolicyContext) bool {
|
|||
func (v *imageVerificationHandler) handleAudit(
|
||||
ctx context.Context,
|
||||
resource unstructured.Unstructured,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
namespaceLabels map[string]string,
|
||||
engineResponses ...engineapi.EngineResponse,
|
||||
) {
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ type MutationHandler interface {
|
|||
// HandleMutation handles validating webhook admission request
|
||||
// If there are no errors in validating rule we apply generation rules
|
||||
// patchedResource is the (resource + patches) after applying mutation rules
|
||||
HandleMutation(context.Context, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, time.Time) ([]byte, []string, error)
|
||||
HandleMutation(context.Context, admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, time.Time) ([]byte, []string, error)
|
||||
}
|
||||
|
||||
func NewMutationHandler(
|
||||
|
|
@ -59,7 +59,7 @@ type mutationHandler struct {
|
|||
|
||||
func (h *mutationHandler) HandleMutation(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
admissionRequestTimestamp time.Time,
|
||||
|
|
@ -76,7 +76,7 @@ func (h *mutationHandler) HandleMutation(
|
|||
// return value: generated patches, triggered policies, engine responses correspdonding to the triggered policies
|
||||
func (v *mutationHandler) applyMutations(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
) ([]byte, []engineapi.EngineResponse, error) {
|
||||
|
|
@ -151,7 +151,7 @@ func (v *mutationHandler) applyMutations(
|
|||
return jsonutils.JoinPatches(patches...), engineResponses, nil
|
||||
}
|
||||
|
||||
func (h *mutationHandler) applyMutation(ctx context.Context, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext) (*engineapi.EngineResponse, [][]byte, error) {
|
||||
func (h *mutationHandler) applyMutation(ctx context.Context, request admissionv1.AdmissionRequest, policyContext *engine.PolicyContext) (*engineapi.EngineResponse, [][]byte, error) {
|
||||
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
||||
policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ import (
|
|||
)
|
||||
|
||||
// handleBackgroundApplies applies generate and mutateExisting policies, and creates update requests for background reconcile
|
||||
func (h *handlers) handleBackgroundApplies(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, generatePolicies, mutatePolicies []kyvernov1.PolicyInterface, ts time.Time) {
|
||||
func (h *resourceHandlers) handleBackgroundApplies(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, generatePolicies, mutatePolicies []kyvernov1.PolicyInterface, ts time.Time) {
|
||||
for _, username := range h.configuration.GetExcludedBackgroundUsernames() {
|
||||
if wildcard.Match(username, policyContext.AdmissionInfo().AdmissionUserInfo.Username) {
|
||||
return
|
||||
|
|
@ -28,7 +28,7 @@ func (h *handlers) handleBackgroundApplies(ctx context.Context, logger logr.Logg
|
|||
h.handleGenerate(ctx, logger, request, generatePolicies, policyContext, ts)
|
||||
}
|
||||
|
||||
func (h *handlers) handleMutateExisting(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, policies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, admissionRequestTimestamp time.Time) {
|
||||
func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, policies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, admissionRequestTimestamp time.Time) {
|
||||
if request.Operation == admissionv1.Delete {
|
||||
policyContext = policyContext.WithNewResource(policyContext.OldResource())
|
||||
}
|
||||
|
|
@ -77,7 +77,7 @@ func (h *handlers) handleMutateExisting(ctx context.Context, logger logr.Logger,
|
|||
}
|
||||
}
|
||||
|
||||
func (h *handlers) handleGenerate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, ts time.Time) {
|
||||
func (h *resourceHandlers) handleGenerate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, ts time.Time) {
|
||||
gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig)
|
||||
go gh.Handle(ctx, request, generatePolicies, policyContext)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger)
|
|||
|
||||
func applyUpdateRequest(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
ruleType kyvernov1beta1.RequestType,
|
||||
urGenerator updaterequest.Generator,
|
||||
userRequestInfo kyvernov1beta1.RequestInfo,
|
||||
|
|
@ -54,7 +54,7 @@ func applyUpdateRequest(
|
|||
engineResponses ...*engineapi.EngineResponse,
|
||||
) (failedUpdateRequest []updateRequestResponse) {
|
||||
admissionRequestInfo := kyvernov1beta1.AdmissionRequestInfoObject{
|
||||
AdmissionRequest: request,
|
||||
AdmissionRequest: &request,
|
||||
Operation: action,
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ type ValidationHandler interface {
|
|||
// HandleValidation handles validating webhook admission request
|
||||
// If there are no errors in validating rule we apply generation rules
|
||||
// patchedResource is the (resource + patches) after applying mutation rules
|
||||
HandleValidation(context.Context, *admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, time.Time) (bool, string, []string)
|
||||
HandleValidation(context.Context, admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext, time.Time) (bool, string, []string)
|
||||
}
|
||||
|
||||
func NewValidationHandler(
|
||||
|
|
@ -70,7 +70,7 @@ type validationHandler struct {
|
|||
|
||||
func (v *validationHandler) HandleValidation(
|
||||
ctx context.Context,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
admissionRequestTimestamp time.Time,
|
||||
|
|
@ -145,7 +145,7 @@ func (v *validationHandler) HandleValidation(
|
|||
func (v *validationHandler) buildAuditResponses(
|
||||
ctx context.Context,
|
||||
resource unstructured.Unstructured,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
namespaceLabels map[string]string,
|
||||
) ([]engineapi.EngineResponse, error) {
|
||||
gvr := schema.GroupVersionResource(request.Resource)
|
||||
|
|
@ -175,7 +175,7 @@ func (v *validationHandler) buildAuditResponses(
|
|||
func (v *validationHandler) handleAudit(
|
||||
ctx context.Context,
|
||||
resource unstructured.Unstructured,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
request admissionv1.AdmissionRequest,
|
||||
namespaceLabels map[string]string,
|
||||
engineResponses ...engineapi.EngineResponse,
|
||||
) {
|
||||
|
|
|
|||
|
|
@ -39,21 +39,21 @@ type Server interface {
|
|||
|
||||
type ExceptionHandlers interface {
|
||||
// Validate performs the validation check on exception resources
|
||||
Validate(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
Validate(context.Context, logr.Logger, handlers.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
}
|
||||
|
||||
type PolicyHandlers interface {
|
||||
// Mutate performs the mutation of policy resources
|
||||
Mutate(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
Mutate(context.Context, logr.Logger, handlers.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
// Validate performs the validation check on policy resources
|
||||
Validate(context.Context, logr.Logger, admissionv1.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
Validate(context.Context, logr.Logger, handlers.AdmissionRequest, time.Time) admissionv1.AdmissionResponse
|
||||
}
|
||||
|
||||
type ResourceHandlers interface {
|
||||
// Mutate performs the mutation of kube resources
|
||||
Mutate(context.Context, logr.Logger, admissionv1.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse
|
||||
Mutate(context.Context, logr.Logger, handlers.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse
|
||||
// Validate performs the validation check on kube resources
|
||||
Validate(context.Context, logr.Logger, admissionv1.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse
|
||||
Validate(context.Context, logr.Logger, handlers.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse
|
||||
}
|
||||
|
||||
type server struct {
|
||||
|
|
@ -245,24 +245,24 @@ func registerWebhookHandlers(
|
|||
mux *httprouter.Router,
|
||||
name string,
|
||||
basePath string,
|
||||
handlerFunc func(context.Context, logr.Logger, admissionv1.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse,
|
||||
handlerFunc func(context.Context, logr.Logger, handlers.AdmissionRequest, string, time.Time) admissionv1.AdmissionResponse,
|
||||
builder func(handler handlers.AdmissionHandler) handlers.HttpHandler,
|
||||
) {
|
||||
all := handlers.FromAdmissionFunc(
|
||||
name,
|
||||
func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return handlerFunc(ctx, logger, request, "all", startTime)
|
||||
},
|
||||
)
|
||||
ignore := handlers.FromAdmissionFunc(
|
||||
name,
|
||||
func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return handlerFunc(ctx, logger, request, "ignore", startTime)
|
||||
},
|
||||
)
|
||||
fail := handlers.FromAdmissionFunc(
|
||||
name,
|
||||
func(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
func(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, startTime time.Time) admissionv1.AdmissionResponse {
|
||||
return handlerFunc(ctx, logger, request, "fail", startTime)
|
||||
},
|
||||
)
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ import (
|
|||
)
|
||||
|
||||
type PolicyContextBuilder interface {
|
||||
Build(*admissionv1.AdmissionRequest) (*engine.PolicyContext, error)
|
||||
Build(admissionv1.AdmissionRequest) (*engine.PolicyContext, error)
|
||||
}
|
||||
|
||||
type policyContextBuilder struct {
|
||||
|
|
@ -37,7 +37,7 @@ func NewPolicyContextBuilder(
|
|||
}
|
||||
}
|
||||
|
||||
func (b *policyContextBuilder) Build(request *admissionv1.AdmissionRequest) (*engine.PolicyContext, error) {
|
||||
func (b *policyContextBuilder) Build(request admissionv1.AdmissionRequest) (*engine.PolicyContext, error) {
|
||||
userRequestInfo := kyvernov1beta1.RequestInfo{
|
||||
AdmissionUserInfo: *request.UserInfo.DeepCopy(),
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue