mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
refactor: autogen package logger (#3727)
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
parent
61a1d40e5e
commit
de84b8071d
7 changed files with 41 additions and 45 deletions
|
@ -6,7 +6,6 @@ import (
|
|||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/toggle"
|
||||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
|
@ -14,7 +13,6 @@ import (
|
|||
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
log "sigs.k8s.io/controller-runtime/pkg/log"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -26,7 +24,6 @@ const (
|
|||
|
||||
var (
|
||||
podControllersKindsSet = sets.NewString(append(strings.Split(PodControllers, ","), "Pod")...)
|
||||
podSet = sets.NewString("Pod")
|
||||
)
|
||||
|
||||
func isKindOtherthanPod(kinds []string) bool {
|
||||
|
@ -72,7 +69,7 @@ func stripCronJob(controllers string) string {
|
|||
// - Pod and PodControllers are not defined
|
||||
// - mutate.Patches/mutate.PatchesJSON6902/validate.deny/generate rule is defined
|
||||
// - otherwise it returns all pod controllers
|
||||
func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, controllers string) {
|
||||
func CanAutoGen(spec *kyverno.Spec) (applyAutoGen bool, controllers string) {
|
||||
needed := false
|
||||
for _, rule := range spec.Rules {
|
||||
if rule.Mutation.PatchesJSON6902 != "" || rule.HasGenerate() {
|
||||
|
@ -80,30 +77,30 @@ func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, control
|
|||
}
|
||||
match, exclude := rule.MatchResources, rule.ExcludeResources
|
||||
if !checkAutogenSupport(&needed, match.ResourceDescription, exclude.ResourceDescription) {
|
||||
log.V(3).Info("skip generating rule on pod controllers: Name / Selector in resource description may not be applicable.", "rule", rule.Name)
|
||||
logger.V(3).Info("skip generating rule on pod controllers: Name / Selector in resource description may not be applicable.", "rule", rule.Name)
|
||||
return false, ""
|
||||
}
|
||||
for _, value := range match.Any {
|
||||
if !checkAutogenSupport(&needed, value.ResourceDescription) {
|
||||
log.V(3).Info("skip generating rule on pod controllers: Name / Selector in match any block is not be applicable.", "rule", rule.Name)
|
||||
logger.V(3).Info("skip generating rule on pod controllers: Name / Selector in match any block is not be applicable.", "rule", rule.Name)
|
||||
return false, ""
|
||||
}
|
||||
}
|
||||
for _, value := range match.All {
|
||||
if !checkAutogenSupport(&needed, value.ResourceDescription) {
|
||||
log.V(3).Info("skip generating rule on pod controllers: Name / Selector in match all block is not be applicable.", "rule", rule.Name)
|
||||
logger.V(3).Info("skip generating rule on pod controllers: Name / Selector in match all block is not be applicable.", "rule", rule.Name)
|
||||
return false, ""
|
||||
}
|
||||
}
|
||||
for _, value := range exclude.Any {
|
||||
if !checkAutogenSupport(&needed, value.ResourceDescription) {
|
||||
log.V(3).Info("skip generating rule on pod controllers: Name / Selector in exclude any block is not be applicable.", "rule", rule.Name)
|
||||
logger.V(3).Info("skip generating rule on pod controllers: Name / Selector in exclude any block is not be applicable.", "rule", rule.Name)
|
||||
return false, ""
|
||||
}
|
||||
}
|
||||
for _, value := range exclude.All {
|
||||
if !checkAutogenSupport(&needed, value.ResourceDescription) {
|
||||
log.V(3).Info("skip generating rule on pod controllers: Name / Selector in exclud all block is not be applicable.", "rule", rule.Name)
|
||||
logger.V(3).Info("skip generating rule on pod controllers: Name / Selector in exclud all block is not be applicable.", "rule", rule.Name)
|
||||
return false, ""
|
||||
}
|
||||
}
|
||||
|
@ -115,8 +112,8 @@ func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, control
|
|||
}
|
||||
|
||||
// GetSupportedControllers returns the supported autogen controllers for a given spec.
|
||||
func GetSupportedControllers(spec *kyverno.Spec, log logr.Logger) []string {
|
||||
apply, controllers := CanAutoGen(spec, log)
|
||||
func GetSupportedControllers(spec *kyverno.Spec) []string {
|
||||
apply, controllers := CanAutoGen(spec)
|
||||
if !apply || controllers == "none" {
|
||||
return nil
|
||||
}
|
||||
|
@ -141,9 +138,9 @@ func GetRequestedControllers(meta *metav1.ObjectMeta) []string {
|
|||
|
||||
// GetControllers computes the autogen controllers that should be applied to a policy.
|
||||
// It returns the requested, supported and effective controllers (intersection of requested and supported ones).
|
||||
func GetControllers(meta *metav1.ObjectMeta, spec *kyverno.Spec, log logr.Logger) ([]string, []string, []string) {
|
||||
func GetControllers(meta *metav1.ObjectMeta, spec *kyverno.Spec) ([]string, []string, []string) {
|
||||
// compute supported and requested controllers
|
||||
supported, requested := GetSupportedControllers(spec, log), GetRequestedControllers(meta)
|
||||
supported, requested := GetSupportedControllers(spec), GetRequestedControllers(meta)
|
||||
// no specific request, we can return supported controllers without further filtering
|
||||
if requested == nil {
|
||||
return requested, supported, supported
|
||||
|
@ -168,13 +165,13 @@ func GetControllers(meta *metav1.ObjectMeta, spec *kyverno.Spec, log logr.Logger
|
|||
// make sure all fields are applicable to pod controllers
|
||||
|
||||
// GenerateRulePatches generates rule for podControllers based on scenario A and C
|
||||
func GenerateRulePatches(spec *kyverno.Spec, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) {
|
||||
func GenerateRulePatches(spec *kyverno.Spec, controllers string) (rulePatches [][]byte, errs []error) {
|
||||
var ruleIndex = make(map[string]int)
|
||||
for index, rule := range spec.Rules {
|
||||
ruleIndex[rule.Name] = index
|
||||
}
|
||||
insertIdx := len(spec.Rules)
|
||||
genRules := generateRules(spec, controllers, log)
|
||||
genRules := generateRules(spec, controllers)
|
||||
for i := range genRules {
|
||||
patchPostion := insertIdx
|
||||
convertToPatches := func(genRule kyvernoRule, patchPostion int) []byte {
|
||||
|
@ -218,17 +215,17 @@ func GenerateRulePatches(spec *kyverno.Spec, controllers string, log logr.Logger
|
|||
// make sure all fields are applicable to pod controllers
|
||||
|
||||
// generateRules generates rule for podControllers based on scenario A and C
|
||||
func generateRules(spec *kyverno.Spec, controllers string, log logr.Logger) []kyverno.Rule {
|
||||
func generateRules(spec *kyverno.Spec, controllers string) []kyverno.Rule {
|
||||
var rules []kyverno.Rule
|
||||
for i := range spec.Rules {
|
||||
// handle all other controllers other than CronJob
|
||||
if genRule := createRule(generateRuleForControllers(&spec.Rules[i], stripCronJob(controllers), log)); genRule != nil {
|
||||
if genRule := createRule(generateRuleForControllers(&spec.Rules[i], stripCronJob(controllers))); genRule != nil {
|
||||
if convRule, err := convertRule(*genRule, "Pod"); err == nil {
|
||||
rules = append(rules, *convRule)
|
||||
}
|
||||
}
|
||||
// handle CronJob, it appends an additional rule
|
||||
if genRule := createRule(generateCronJobRule(&spec.Rules[i], controllers, log)); genRule != nil {
|
||||
if genRule := createRule(generateCronJobRule(&spec.Rules[i], controllers)); genRule != nil {
|
||||
if convRule, err := convertRule(*genRule, "Cronjob"); err == nil {
|
||||
rules = append(rules, *convRule)
|
||||
}
|
||||
|
@ -276,7 +273,7 @@ func ComputeRules(p kyverno.PolicyInterface) []kyverno.Rule {
|
|||
if !toggle.AutogenInternals() {
|
||||
return spec.Rules
|
||||
}
|
||||
applyAutoGen, desiredControllers := CanAutoGen(spec, log.Log)
|
||||
applyAutoGen, desiredControllers := CanAutoGen(spec)
|
||||
if !applyAutoGen {
|
||||
desiredControllers = "none"
|
||||
}
|
||||
|
@ -292,7 +289,7 @@ func ComputeRules(p kyverno.PolicyInterface) []kyverno.Rule {
|
|||
if actualControllers == "none" {
|
||||
return spec.Rules
|
||||
}
|
||||
genRules := generateRules(spec.DeepCopy(), actualControllers, log.Log)
|
||||
genRules := generateRules(spec.DeepCopy(), actualControllers)
|
||||
if len(genRules) == 0 {
|
||||
return spec.Rules
|
||||
}
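Review bot: In `generateRules` (the hunk at -218,17), both `convertRule` calls keep the result only when `err == nil` and drop the error otherwise, so a failed conversion silently produces no autogen rule for that controller kind. Since these generated rules are what carry a policy over to pod controllers, a conversion failure should leave a trace. With the package-level `logger` now in scope this is one branch: `} else { logger.Error(err, "failed to convert autogen rule", "rule", spec.Rules[i].Name) }`, and the same for the `"Cronjob"` call. The body of `generateRules` continues past the end of the hunk.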
|
||||
|
|
|
@ -13,7 +13,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"sigs.k8s.io/controller-runtime/pkg/log"
|
||||
)
|
||||
|
||||
func Test_getAutogenRuleName(t *testing.T) {
|
||||
|
@ -135,7 +134,7 @@ func Test_CanAutoGen(t *testing.T) {
|
|||
err := json.Unmarshal(test.policy, &policy)
|
||||
assert.NilError(t, err)
|
||||
|
||||
applyAutoGen, controllers := CanAutoGen(&policy.Spec, log.Log)
|
||||
applyAutoGen, controllers := CanAutoGen(&policy.Spec)
|
||||
if !applyAutoGen {
|
||||
controllers = "none"
|
||||
}
|
||||
|
@ -227,7 +226,7 @@ func Test_GetSupportedControllers(t *testing.T) {
|
|||
err := json.Unmarshal(test.policy, &policy)
|
||||
assert.NilError(t, err)
|
||||
|
||||
controllers := GetSupportedControllers(&policy.Spec, log.Log)
|
||||
controllers := GetSupportedControllers(&policy.Spec)
|
||||
|
||||
var expectedControllers []string
|
||||
if test.expectedControllers != "none" {
|
||||
|
@ -305,7 +304,7 @@ func Test_Any(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -343,7 +342,7 @@ func Test_All(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -376,7 +375,7 @@ func Test_Exclude(t *testing.T) {
|
|||
spec := policy.GetSpec()
|
||||
spec.Rules[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -411,7 +410,7 @@ func Test_CronJobOnly(t *testing.T) {
|
|||
kyverno.PodControllersAnnotation: controllers,
|
||||
})
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(policy.GetSpec(), controllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(policy.GetSpec(), controllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -440,7 +439,7 @@ func Test_ForEachPod(t *testing.T) {
|
|||
spec := policy.GetSpec()
|
||||
spec.Rules[0].ExcludeResources.Namespaces = []string{"fake-namespce"}
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -482,7 +481,7 @@ func Test_CronJob_hasExclude(t *testing.T) {
|
|||
rule.ExcludeResources.Namespaces = []string{"test"}
|
||||
spec.Rules[0] = *rule
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(spec, controllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(spec, controllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -513,7 +512,7 @@ func Test_CronJobAndDeployment(t *testing.T) {
|
|||
kyverno.PodControllersAnnotation: controllers,
|
||||
})
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(policy.GetSpec(), controllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(policy.GetSpec(), controllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -541,7 +540,7 @@ func Test_UpdateVariablePath(t *testing.T) {
|
|||
|
||||
policy := policies[0]
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(policy.GetSpec(), PodControllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(policy.GetSpec(), PodControllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
@ -579,7 +578,7 @@ func Test_Deny(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers, log.Log)
|
||||
rulePatches, errs := GenerateRulePatches(spec, PodControllers)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
|
|
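--- a/pkg/autogen/log.go
+++ b/pkg/autogen/log.go
@@ -0,0 +1,5 @@
+package autogen
+
+import "sigs.k8s.io/controller-runtime/pkg/log"
+
+var logger = log.Log.WithName("autogen")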
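Review bot: `logger` has no comment, and it needs one because it changes where autogen messages come from. Every function in the package now logs through `log.Log.WithName("autogen")` instead of the logger the caller passed in (`m.log` in `updateStatus`, the `log` argument of `GeneratePodControllerRule` and `missingAutoGenRules`). Any names or key/values those callers had attached (presumably identifying the policy being processed, though that is not visible here) no longer appear on the `skip generating rule on pod controllers` lines in `CanAutoGen`, which carry only `rule`. I would add `// logger is the package-wide autogen logger; it does not inherit caller context, so log sites must pass identifying key/values themselves.` above the declaration.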
|
|
@ -4,7 +4,6 @@ import (
|
|||
"reflect"
|
||||
"strings"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/engine/variables"
|
||||
"github.com/kyverno/kyverno/pkg/utils"
|
||||
|
@ -70,7 +69,7 @@ func createRule(rule *kyverno.Rule) *kyvernoRule {
|
|||
|
||||
type generateResourceFilters func(kyverno.ResourceFilters, []string) kyverno.ResourceFilters
|
||||
|
||||
func generateRule(logger logr.Logger, name string, rule *kyverno.Rule, tplKey, shift string, kinds []string, grf generateResourceFilters) *kyverno.Rule {
|
||||
func generateRule(name string, rule *kyverno.Rule, tplKey, shift string, kinds []string, grf generateResourceFilters) *kyverno.Rule {
|
||||
if rule == nil {
|
||||
return nil
|
||||
}
|
||||
|
@ -213,8 +212,7 @@ func getAnyAllAutogenRule(v kyverno.ResourceFilters, match string, kinds []strin
|
|||
return anyKind
|
||||
}
|
||||
|
||||
func generateRuleForControllers(rule *kyverno.Rule, controllers string, log logr.Logger) *kyverno.Rule {
|
||||
logger := log.WithName("generateRuleForControllers")
|
||||
func generateRuleForControllers(rule *kyverno.Rule, controllers string) *kyverno.Rule {
|
||||
if isAutogenRuleName(rule.Name) || controllers == "" {
|
||||
logger.V(5).Info("skip generateRuleForControllers")
|
||||
return nil
|
||||
|
@ -249,7 +247,6 @@ func generateRuleForControllers(rule *kyverno.Rule, controllers string, log logr
|
|||
}
|
||||
}
|
||||
return generateRule(
|
||||
logger,
|
||||
getAutogenRuleName("autogen", rule.Name),
|
||||
rule,
|
||||
"template",
|
||||
|
@ -261,17 +258,15 @@ func generateRuleForControllers(rule *kyverno.Rule, controllers string, log logr
|
|||
)
|
||||
}
|
||||
|
||||
func generateCronJobRule(rule *kyverno.Rule, controllers string, log logr.Logger) *kyverno.Rule {
|
||||
logger := log.WithName("generateCronJobRule")
|
||||
func generateCronJobRule(rule *kyverno.Rule, controllers string) *kyverno.Rule {
|
||||
hasCronJob := strings.Contains(controllers, PodControllerCronJob) || strings.Contains(controllers, "all")
|
||||
if !hasCronJob {
|
||||
return nil
|
||||
}
|
||||
logger.V(3).Info("generating rule for cronJob")
|
||||
return generateRule(
|
||||
logger,
|
||||
getAutogenRuleName("autogen-cronjob", rule.Name),
|
||||
generateRuleForControllers(rule, controllers, log),
|
||||
generateRuleForControllers(rule, controllers),
|
||||
"jobTemplate",
|
||||
"spec/jobTemplate/spec/template",
|
||||
[]string{PodControllerCronJob},
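Review bot: With `log.WithName("generateRuleForControllers")` and `log.WithName("generateCronJobRule")` removed, the two messages in this file are emitted under the shared `autogen` name with no key/values, so neither says which rule it refers to. Passing the rule name keeps the lines attributable: `logger.V(3).Info("generating rule for cronJob", "rule", rule.Name)` and `logger.V(5).Info("skip generateRuleForControllers", "rule", rule.Name)`. Both functions already dereference `rule.Name` on the visible lines, so this adds no new nil risk. `generateCronJobRule` continues past the end of the hunk.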
|
||||
|
|
|
@ -641,7 +641,7 @@ func missingAutoGenRules(policy kyverno.PolicyInterface, log logr.Logger) bool {
|
|||
var podRuleName []string
|
||||
ruleCount := 1
|
||||
spec := policy.GetSpec()
|
||||
if canApplyAutoGen, _ := autogen.CanAutoGen(spec, log); canApplyAutoGen {
|
||||
if canApplyAutoGen, _ := autogen.CanAutoGen(spec); canApplyAutoGen {
|
||||
for _, rule := range autogen.ComputeRules(policy) {
|
||||
podRuleName = append(podRuleName, rule.Name)
|
||||
}
|
||||
|
|
|
@ -195,7 +195,7 @@ func defaultFailurePolicy(spec *kyverno.Spec, log logr.Logger) ([]byte, string)
|
|||
// GeneratePodControllerRule returns two patches: rulePatches and annotation patch(if necessary)
|
||||
func GeneratePodControllerRule(policy kyverno.PolicyInterface, log logr.Logger) (patches [][]byte, errs []error) {
|
||||
spec := policy.GetSpec()
|
||||
applyAutoGen, desiredControllers := autogen.CanAutoGen(spec, log)
|
||||
applyAutoGen, desiredControllers := autogen.CanAutoGen(spec)
|
||||
|
||||
if !applyAutoGen {
|
||||
desiredControllers = "none"
|
||||
|
@ -227,7 +227,7 @@ func GeneratePodControllerRule(policy kyverno.PolicyInterface, log logr.Logger)
|
|||
|
||||
log.V(3).Info("auto generating rule for pod controllers", "controllers", actualControllers)
|
||||
|
||||
p, err := autogen.GenerateRulePatches(spec, actualControllers, log)
|
||||
p, err := autogen.GenerateRulePatches(spec, actualControllers)
|
||||
patches = append(patches, p...)
|
||||
errs = append(errs, err...)
|
||||
return
|
||||
|
|
|
@ -705,7 +705,7 @@ func (m *webhookConfigManager) compareAndUpdateWebhook(webhookKind, webhookName
|
|||
func (m *webhookConfigManager) updateStatus(namespace, name string, ready bool) error {
|
||||
update := func(meta *metav1.ObjectMeta, spec *kyverno.Spec, status *kyverno.PolicyStatus) bool {
|
||||
copy := status.DeepCopy()
|
||||
requested, _, activated := autogen.GetControllers(meta, spec, m.log)
|
||||
requested, _, activated := autogen.GetControllers(meta, spec)
|
||||
status.SetReady(ready)
|
||||
status.Autogen.Requested = requested
|
||||
status.Autogen.Activated = activated
|
||||
|
|