mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-24 08:36:46 +00:00
Code Activity

feat: webhook integration image verification policies (#12403)

Browse source 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Vishal Choudhary 2025-03-14 14:07:42 +05:30 committed by GitHub
parent 400b0b82dd
commit e190f84845
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 34 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
pkg/webhooks/resource/ivpol/handler.go
View file

@ -14,6 +14,7 @@ import (
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
"go.uber.org/multierr"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
)
@ -42,6 +43,15 @@ func (h *handler) Mutate(ctx context.Context, logger logr.Logger, admissionReque
return h.mutationResponse(request, response, rawPatches)
}
func (h *handler) Validate(ctx context.Context, logger logr.Logger, admissionRequest handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
request := celengine.RequestFromAdmission(h.context, admissionRequest.AdmissionRequest)
response, err := h.engine.HandleValidating(ctx, request)
if err != nil {
return admissionutils.Response(admissionRequest.UID, err)
}
return h.validationResponse(request, response)
}
func (h *handler) mutationResponse(request celengine.EngineRequest, response eval.ImageVerifyEngineResponse, rawPatches []byte) handlers.AdmissionResponse {
var warnings []string
for _, policy := range response.Policies {
@ -56,3 +66,27 @@ func (h *handler) mutationResponse(request celengine.EngineRequest, response eva
}
return admissionutils.MutationResponse(request.AdmissionRequest().UID, rawPatches, warnings...)
}
func (h *handler) validationResponse(request celengine.EngineRequest, response eval.ImageVerifyEngineResponse) handlers.AdmissionResponse {
var errs []error
var warnings []string
for _, policy := range response.Policies {
if policy.Actions.Has(admissionregistrationv1.Deny) {
switch policy.Result.Status() {
case engineapi.RuleStatusFail:
errs = append(errs, fmt.Errorf("Policy %s failed: %s", policy.Policy.GetName(), policy.Result.Message()))
case engineapi.RuleStatusError:
errs = append(errs, fmt.Errorf("Policy %s error: %s", policy.Policy.GetName(), policy.Result.Message()))
}
}
if policy.Actions.Has(admissionregistrationv1.Warn) {
switch policy.Result.Status() {
case engineapi.RuleStatusFail:
warnings = append(warnings, fmt.Sprintf("Policy %s failed: %s", policy.Policy.GetName(), policy.Result.Message()))
case engineapi.RuleStatusError:
warnings = append(warnings, fmt.Sprintf("Policy %s error: %s", policy.Policy.GetName(), policy.Result.Message()))
}
}
}
return admissionutils.Response(request.AdmissionRequest().UID, multierr.Combine(errs...), warnings...)
}