mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
initial process existing
This commit is contained in:
shivkumar dudhani
parent
ca3e5da02c
commit
e74ae16f5b
4 changed files with 125 additions and 12 deletions
|
|
@ -50,7 +50,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
csrList, err := c.ListResource(CSRs, "")
|
||||
csrList, err := c.ListResource(CSRs, "", nil)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Unable to list existing certificate requests: %v", err)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import (
|
|||
apps "k8s.io/api/apps/v1"
|
||||
certificates "k8s.io/api/certificates/v1beta1"
|
||||
v1 "k8s.io/api/core/v1"
|
||||
helperv1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
|
|
@ -112,8 +113,12 @@ func (c *Client) GetResource(resource string, namespace string, name string) (*u
|
|||
|
||||
// ListResource returns the list of resources in unstructured/json format
|
||||
// Access items using []Items
|
||||
func (c *Client) ListResource(resource string, namespace string) (*unstructured.UnstructuredList, error) {
|
||||
return c.getResourceInterface(resource, namespace).List(meta.ListOptions{})
|
||||
func (c *Client) ListResource(resource string, namespace string, lselector *meta.LabelSelector) (*unstructured.UnstructuredList, error) {
|
||||
options := meta.ListOptions{}
|
||||
if lselector != nil {
|
||||
options = meta.ListOptions{LabelSelector: helperv1.FormatLabelSelector(lselector)}
|
||||
}
|
||||
return c.getResourceInterface(resource, namespace).List(options)
|
||||
}
|
||||
|
||||
// DeleteResouce deletes the specified resource
|
||||
|
|
|
|||
|
|
@ -1,9 +1,13 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
jsonpatch "github.com/evanphx/json-patch"
|
||||
"github.com/golang/glog"
|
||||
"github.com/minio/minio/pkg/wildcard"
|
||||
types "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
|
||||
"github.com/nirmata/kyverno/pkg/event"
|
||||
"github.com/nirmata/kyverno/pkg/violation"
|
||||
client "github.com/nirmata/kyverno/pkg/dclient"
|
||||
"github.com/nirmata/kyverno/pkg/info"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
// As the logic to process the policies in stateless, we do not need to define struct and implement behaviors for it
|
||||
|
|
@ -12,12 +16,110 @@ import (
|
|||
// the caller is responsible to apply the changes to the resource
|
||||
|
||||
// ProcessExisting checks for mutation and validation violations of existing resources
|
||||
func ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error) {
|
||||
var violations []violation.Info
|
||||
var events []event.Info
|
||||
func ProcessExisting(client *client.Client, policy *types.Policy) []*info.PolicyInfo {
|
||||
glog.Info("Applying policy %s on existing resources", policy.Name)
|
||||
// policyInfo := info.NewPolicyInfo(policy.Name,
|
||||
// rname,
|
||||
// rns)
|
||||
resources := []*resourceInfo{}
|
||||
|
||||
// TODO:
|
||||
// Mutate()
|
||||
// Validate()
|
||||
return violations, events, nil
|
||||
for _, rule := range policy.Spec.Rules {
|
||||
for _, k := range rule.Kinds {
|
||||
// kind -> resource
|
||||
gvr := client.DiscoveryClient.GetGVRFromKind(k)
|
||||
// label selectors
|
||||
// namespace ? should it be default or allow policy to specify it
|
||||
list, err := client.ListResource(gvr.Resource, "", rule.ResourceDescription.Selector)
|
||||
if err != nil {
|
||||
glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String())
|
||||
glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err)
|
||||
continue
|
||||
}
|
||||
for _, res := range list.Items {
|
||||
name := rule.ResourceDescription.Name
|
||||
gvk := res.GroupVersionKind()
|
||||
if name != nil {
|
||||
// wild card matching
|
||||
if !wildcard.Match(*name, res.GetName()) {
|
||||
continue
|
||||
}
|
||||
}
|
||||
ri := &resourceInfo{resource: &res, gvk: &metav1.GroupVersionKind{Group: gvk.Group,
|
||||
Version: gvk.Version,
|
||||
Kind: gvk.Kind}}
|
||||
resources = append(resources, ri)
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
policyInfos := []*info.PolicyInfo{}
|
||||
// for the filtered resource apply policy
|
||||
for _, r := range resources {
|
||||
|
||||
policyInfo, err := applyPolicy(client, policy, r)
|
||||
if err != nil {
|
||||
glog.Error("unable to apply policy %s on resource %s/%s", policy.Name, r.resource.GetName(), r.resource.GetNamespace())
|
||||
glog.Error(err)
|
||||
continue
|
||||
}
|
||||
// Create events from the policyInfo
|
||||
policyInfos = append(policyInfos, policyInfo)
|
||||
}
|
||||
|
||||
return policyInfos
|
||||
}
|
||||
|
||||
func applyPolicy(client *client.Client, policy *types.Policy, res *resourceInfo) (*info.PolicyInfo, error) {
|
||||
policyInfo := info.NewPolicyInfo(policy.Name, res.resource.GetName(), res.resource.GetNamespace())
|
||||
glog.Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||
rawResource, err := res.resource.MarshalJSON()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Mutate
|
||||
mruleInfos, err := mutation(policy, rawResource, res.gvk)
|
||||
policyInfo.AddRuleInfos(mruleInfos)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Validation
|
||||
vruleInfos, err := Validate(*policy, rawResource, *res.gvk)
|
||||
policyInfo.AddRuleInfos(vruleInfos)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Generate
|
||||
gruleInfos := Generate(client, *policy, rawResource, *res.gvk)
|
||||
policyInfo.AddRuleInfos(gruleInfos)
|
||||
|
||||
return policyInfo, nil
|
||||
}
|
||||
|
||||
func mutation(p *types.Policy, rawResource []byte, gvk *metav1.GroupVersionKind) ([]*info.RuleInfo, error) {
|
||||
patches, ruleInfos := Mutate(*p, rawResource, *gvk)
|
||||
// option 2: (original Resource + patch) compare with (original resource)
|
||||
mergePatches := JoinPatches(patches)
|
||||
// merge the patches
|
||||
patch, err := jsonpatch.DecodePatch(mergePatches)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// apply the patches returned by mutate to the original resource
|
||||
patchedResource, err := patch.Apply(rawResource)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// compare (original Resource + patch) vs (original resource)
|
||||
// to verify if they are equal
|
||||
ruleInfo := info.NewRuleInfo("mutation rules")
|
||||
if !jsonpatch.Equal(patchedResource, rawResource) {
|
||||
//resource does not match so there was a mutation rule violated
|
||||
// TODO : check the rule name "mutation rules"
|
||||
ruleInfo.Fail()
|
||||
ruleInfo.Add("resource does not satisfy mutation rules")
|
||||
} else {
|
||||
ruleInfo.Add("resource satisfys the mutation rule")
|
||||
}
|
||||
ruleInfos = append(ruleInfos, ruleInfo)
|
||||
return ruleInfos, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ import (
|
|||
|
||||
"github.com/minio/minio/pkg/wildcard"
|
||||
kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
|
|
@ -244,3 +245,8 @@ func convertToFloat(value interface{}) (float64, error) {
|
|||
return 0, fmt.Errorf("Could not convert %T to float64", value)
|
||||
}
|
||||
}
|
||||
|
||||
type resourceInfo struct {
|
||||
resource *unstructured.Unstructured
|
||||
gvk *metav1.GroupVersionKind
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue