mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
Finished Generate() logic to actual generating the resource
This commit is contained in:
shuting
parent
b58e4f5026
commit
e8de9a111a
7 changed files with 78 additions and 53 deletions
|
|
@ -3,29 +3,32 @@
|
|||
# To apply this policy you need to create secret and configMap in "default" namespace
|
||||
# and then create a namespace
|
||||
|
||||
apiVersion : policy.nirmata.io/v1alpha1
|
||||
apiVersion : kubepolicy.nirmata.io/v1alpha1
|
||||
kind : Policy
|
||||
metadata :
|
||||
name : "policy-ns-patch-cmg-sg"
|
||||
spec :
|
||||
failurePolicy: stopOnError
|
||||
rules:
|
||||
- resource :
|
||||
- name: "patchNamespace2"
|
||||
resource :
|
||||
kind : Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
LabelForSelector : "namespace2"
|
||||
patch:
|
||||
mutate:
|
||||
patches:
|
||||
- path: "/metadata/labels/isMutatedByPolicy"
|
||||
op: add
|
||||
value: "true"
|
||||
|
||||
- resource :
|
||||
- name: "copyCM"
|
||||
resource :
|
||||
kind : Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
LabelForSelector : "namespace2"
|
||||
configMapGenerator :
|
||||
generate :
|
||||
kind: ConfigMap
|
||||
name : copied-cm
|
||||
copyFrom :
|
||||
namespace : default
|
||||
|
|
@ -33,12 +36,14 @@ spec :
|
|||
data :
|
||||
secretData: "data from cmg"
|
||||
|
||||
- resource :
|
||||
- name: "generateCM"
|
||||
resource :
|
||||
kind : Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
LabelForSelector : "namespace2"
|
||||
configMapGenerator :
|
||||
generate :
|
||||
kind: ConfigMap
|
||||
name : generated-cm
|
||||
data :
|
||||
secretData: "very sensitive data from cmg"
|
||||
|
|
@ -49,13 +54,12 @@ spec :
|
|||
image.public.key=771
|
||||
rsa.public.key=42
|
||||
|
||||
- resource :
|
||||
- name: "generateSecret"
|
||||
resource :
|
||||
kind : Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
LabelForSelector : "namespace2"
|
||||
|
||||
secretGenerator :
|
||||
name: ns2
|
||||
generate :
|
||||
kind: Secret
|
||||
name : generated-secrets
|
||||
data :
|
||||
foo : bar
|
||||
|
|
@ -66,13 +70,12 @@ spec :
|
|||
foo1=bar1
|
||||
foo2=bar2
|
||||
|
||||
- resource :
|
||||
- name: "copySecret"
|
||||
resource :
|
||||
kind : Namespace
|
||||
selector:
|
||||
matchLabels:
|
||||
LabelForSelector : "namespace2"
|
||||
|
||||
secretGenerator :
|
||||
name: ns2
|
||||
generate :
|
||||
kind: Secret
|
||||
name : copied-secrets
|
||||
copyFrom :
|
||||
namespace : default
|
||||
|
|
|
|||
|
|
@ -67,11 +67,13 @@ func (kc *KubeClient) GenerateConfigMap(generator types.Generation, namespace st
|
|||
|
||||
var err error
|
||||
|
||||
if generator.CopyFrom != nil {
|
||||
kc.logger.Printf("Copying data from configmap %s/%s", generator.CopyFrom.Namespace, generator.CopyFrom.Name)
|
||||
configMap, err = kc.client.CoreV1().ConfigMaps(generator.CopyFrom.Namespace).Get(generator.CopyFrom.Name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
configMap.ObjectMeta = metav1.ObjectMeta{
|
||||
Name: generator.Name,
|
||||
|
|
@ -101,11 +103,13 @@ func (kc *KubeClient) GenerateSecret(generator types.Generation, namespace strin
|
|||
|
||||
var err error
|
||||
|
||||
if generator.CopyFrom != nil {
|
||||
kc.logger.Printf("Copying data from secret %s/%s", generator.CopyFrom.Namespace, generator.CopyFrom.Name)
|
||||
secret, err = kc.client.CoreV1().Secrets(generator.CopyFrom.Namespace).Get(generator.CopyFrom.Name, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
secret.ObjectMeta = metav1.ObjectMeta{
|
||||
Name: generator.Name,
|
||||
|
|
|
|||
2
main.go
2
main.go
|
|
@ -59,7 +59,7 @@ func main() {
|
|||
log.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
|
||||
}
|
||||
|
||||
server, err := webhooks.NewWebhookServer(tlsPair, policyInformer.Lister(), nil)
|
||||
server, err := webhooks.NewWebhookServer(tlsPair, policyInformer.Lister(), kubeclient, nil)
|
||||
if err != nil {
|
||||
log.Fatalf("Unable to create webhook server: %v\n", err)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@ type Validation struct {
|
|||
type Generation struct {
|
||||
Kind string `json:"kind"`
|
||||
Name string `json:"name"`
|
||||
CopyFrom `json:"copyFrom"`
|
||||
CopyFrom *CopyFrom `json:"copyFrom,omitempty"`
|
||||
Data map[string]string `json:"data"`
|
||||
Labels map[string]string `json:"labels"`
|
||||
}
|
||||
|
|
|
|||
|
|
@ -78,8 +78,11 @@ func (pcg *Generation) Validate() error {
|
|||
return errors.New("Name or/and Kind of generator is not specified")
|
||||
}
|
||||
|
||||
if pcg.CopyFrom != nil {
|
||||
return pcg.CopyFrom.Validate()
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is declared because k8s:deepcopy-gen is
|
||||
// not able to generate this method for interface{} member
|
||||
|
|
|
|||
|
|
@ -4,6 +4,7 @@ import (
|
|||
"fmt"
|
||||
"log"
|
||||
|
||||
kubeClient "github.com/nirmata/kube-policy/kubeclient"
|
||||
kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
|
||||
"github.com/nirmata/kube-policy/pkg/engine/mutation"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
|
|
@ -16,14 +17,12 @@ type GenerationResponse struct {
|
|||
|
||||
// Generate should be called to process generate rules on the resource
|
||||
// TODO: extend kubeclient(will change to dynamic client) to create resources
|
||||
func Generate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) []GenerationResponse {
|
||||
func Generate(policy kubepolicy.Policy, rawResource []byte, kubeClient *kubeClient.KubeClient, gvk metav1.GroupVersionKind) {
|
||||
// configMapGenerator and secretGenerator can be applied only to namespaces
|
||||
if gvk.Kind != "Namespace" {
|
||||
return nil
|
||||
return
|
||||
}
|
||||
|
||||
var generateResps []GenerationResponse
|
||||
|
||||
for i, rule := range policy.Spec.Rules {
|
||||
|
||||
// Checks for preconditions
|
||||
|
|
@ -48,31 +47,39 @@ func Generate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVers
|
|||
continue
|
||||
}
|
||||
|
||||
generateResps, err = applyRuleGenerator(rawResource, rule.Generation)
|
||||
err = applyRuleGenerator(rawResource, rule.Generation, kubeClient)
|
||||
if err != nil {
|
||||
log.Printf("Failed to apply rule generator: %v", err)
|
||||
} else {
|
||||
generateResps = append(generateResps, generateResps...)
|
||||
}
|
||||
}
|
||||
|
||||
return generateResps
|
||||
}
|
||||
|
||||
// Applies "configMapGenerator" and "secretGenerator" described in PolicyRule
|
||||
// TODO: plan to support all kinds of generator
|
||||
func applyRuleGenerator(rawResource []byte, generator *kubepolicy.Generation) ([]GenerationResponse, error) {
|
||||
var generateResps []GenerationResponse
|
||||
func applyRuleGenerator(rawResource []byte, generator *kubepolicy.Generation, kubeClient *kubeClient.KubeClient) error {
|
||||
if generator == nil {
|
||||
return nil, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
err := generator.Validate()
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Generator for '%s' is invalid: %s", generator.Kind, err)
|
||||
return fmt.Errorf("Generator for '%s/%s' is invalid: %s", generator.Kind, generator.Name, err)
|
||||
}
|
||||
|
||||
namespaceName := mutation.ParseNameFromObject(rawResource)
|
||||
generateResps = append(generateResps, GenerationResponse{generator, namespaceName})
|
||||
return generateResps, nil
|
||||
namespace := mutation.ParseNameFromObject(rawResource)
|
||||
switch generator.Kind {
|
||||
case "ConfigMap":
|
||||
err = kubeClient.GenerateConfigMap(*generator, namespace)
|
||||
case "Secret":
|
||||
err = kubeClient.GenerateSecret(*generator, namespace)
|
||||
default:
|
||||
err = fmt.Errorf("Unsupported config Kind '%s'", generator.Kind)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("Unable to apply generator for %s '%s/%s' : %v", generator.Kind, namespace, generator.Name, err)
|
||||
}
|
||||
|
||||
log.Printf("Successfully applied generator %s/%s", generator.Kind, generator.Name)
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/nirmata/kube-policy/config"
|
||||
kubeClient "github.com/nirmata/kube-policy/kubeclient"
|
||||
policylister "github.com/nirmata/kube-policy/pkg/client/listers/policy/v1alpha1"
|
||||
engine "github.com/nirmata/kube-policy/pkg/engine"
|
||||
"github.com/nirmata/kube-policy/pkg/engine/mutation"
|
||||
|
|
@ -27,6 +28,7 @@ import (
|
|||
type WebhookServer struct {
|
||||
server http.Server
|
||||
policyLister policylister.PolicyLister
|
||||
kubeClient *kubeClient.KubeClient
|
||||
logger *log.Logger
|
||||
}
|
||||
|
||||
|
|
@ -35,6 +37,7 @@ type WebhookServer struct {
|
|||
func NewWebhookServer(
|
||||
tlsPair *tlsutils.TlsPemPair,
|
||||
policyLister policylister.PolicyLister,
|
||||
kubeClient *kubeClient.KubeClient,
|
||||
logger *log.Logger) (*WebhookServer, error) {
|
||||
if logger == nil {
|
||||
logger = log.New(os.Stdout, "Webhook Server: ", log.LstdFlags)
|
||||
|
|
@ -53,6 +56,7 @@ func NewWebhookServer(
|
|||
|
||||
ws := &WebhookServer{
|
||||
policyLister: policyLister,
|
||||
kubeClient: kubeClient,
|
||||
logger: logger,
|
||||
}
|
||||
|
||||
|
|
@ -174,6 +178,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
|
||||
allowed := true
|
||||
for _, policy := range policies {
|
||||
// validation
|
||||
ws.logger.Printf("Validating resource with policy %s with %d rules", policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
||||
|
||||
if ok := engine.Validate(*policy, request.Object.Raw, request.Kind); !ok {
|
||||
|
|
@ -183,6 +188,9 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
|
|||
} else {
|
||||
ws.logger.Println("Validation is successful")
|
||||
}
|
||||
|
||||
// generation
|
||||
engine.Generate(*policy, request.Object.Raw, ws.kubeClient, request.Kind)
|
||||
}
|
||||
|
||||
return &v1beta1.AdmissionResponse{
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue