refactor: ExcludeResources validation (#3445)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
parent
11bbb4f83e
commit
d129b7a4c7
2 changed files with 1 additions and 32 deletions
|
@ -135,5 +135,6 @@ func (r *Rule) Validate(path *field.Path, namespaced bool, clusterResources sets
|
|||
var errs field.ErrorList
|
||||
errs = append(errs, r.ValidateRuleType(path)...)
|
||||
errs = append(errs, r.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...)
|
||||
errs = append(errs, r.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
|
||||
return errs
|
||||
}
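Review bot: Nothing on this page shows that `r.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)`, which appears to be the one line this hunk adds, covers every check the commit deletes from `checkClusterResourceInMatchAndExclude`. The deleted code rejected `namespaces` under exclude.resources and cluster-wide kinds under exclude.resources, exclude.any and exclude.all, and it skipped the kind checks when `mock` was set. It is worth confirming that the new method walks the `Any` and `All` filters and that running it unconditionally is intended. I would add a comment above the call, `// exclude gets the same namespaced/cluster-scope checks as match; replaces the exclude checks formerly in checkClusterResourceInMatchAndExclude`, and a unit test that passes a namespaced rule with a cluster-wide kind under exclude.any and expects an error under the `exclude` path. `Rule.Validate` begins above the hunk, so its earlier statements are not covered by this note.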
|
||||
|
|
|
@ -1201,39 +1201,7 @@ func validateMatchedResourceDescription(rd kyverno.ResourceDescription) (string,
|
|||
// checkClusterResourceInMatchAndExclude returns false if namespaced ClusterPolicy contains cluster wide resources in
|
||||
// Match and Exclude block
|
||||
func checkClusterResourceInMatchAndExclude(rule kyverno.Rule, clusterResources sets.String, mock bool, res []*metav1.APIResourceList) error {
|
||||
// Contains Namespaces in Exclude->ResourceDescription
|
||||
if len(rule.ExcludeResources.ResourceDescription.Namespaces) > 0 {
|
||||
return fmt.Errorf("namespaced cluster policy : field namespaces not allowed in exclude.resources")
|
||||
}
|
||||
|
||||
if !mock {
|
||||
// Contains "Cluster Wide Resources" in Exclude->ResourceDescription->Kinds
|
||||
for _, kind := range rule.ExcludeResources.ResourceDescription.Kinds {
|
||||
if clusterResources.Has(kind) {
|
||||
return fmt.Errorf("namespaced policy : cluster-wide resource '%s' not allowed in exclude.resources.kinds", kind)
|
||||
}
|
||||
}
|
||||
|
||||
// Contains "Cluster Wide Resources" in Exclude->All->ResourceFilter->ResourceDescription->Kinds
|
||||
for _, allResourceFilter := range rule.ExcludeResources.All {
|
||||
fmt.Println(allResourceFilter.ResourceDescription)
|
||||
for _, kind := range allResourceFilter.ResourceDescription.Kinds {
|
||||
if clusterResources.Has(kind) {
|
||||
return fmt.Errorf("namespaced policy : cluster-wide resource '%s' not allowed in match.resources.kinds", kind)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Contains "Cluster Wide Resources" in Exclude->Any->ResourceFilter->ResourceDescription->Kinds
|
||||
for _, allResourceFilter := range rule.ExcludeResources.Any {
|
||||
fmt.Println(allResourceFilter.ResourceDescription)
|
||||
for _, kind := range allResourceFilter.ResourceDescription.Kinds {
|
||||
if clusterResources.Has(kind) {
|
||||
return fmt.Errorf("namespaced policy : cluster-wide resource '%s' not allowed in match.resources.kinds", kind)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Check for generate policy
|
||||
// - if resource to be generated is namespaced resource then the namespace field
|
||||
// should be mentioned
|
||||
|
|