mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 02:18:15 +00:00
refactor: remove PolicySpec from engine api (#6159)
* refactor: introduce engine api package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * status Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: clean engine api package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: remove PolicySpec from engine api Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rm Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * constructor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
parent
3a48c1fcaa
commit
ed5cf2cdde
22 changed files with 114 additions and 94 deletions
|
@ -94,6 +94,7 @@ func Test_buildPolicyReports(t *testing.T) {
|
|||
|
||||
var er engineapi.EngineResponse
|
||||
err = json.Unmarshal(rawEngRes, &er)
|
||||
er.Policy = &policy
|
||||
assert.NilError(t, err)
|
||||
|
||||
info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true, false)
|
||||
|
@ -130,6 +131,7 @@ func Test_buildPolicyResults(t *testing.T) {
|
|||
|
||||
var er engineapi.EngineResponse
|
||||
err = json.Unmarshal(rawEngRes, &er)
|
||||
er.Policy = &policy
|
||||
assert.NilError(t, err)
|
||||
|
||||
info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true, false)
|
||||
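Review bot: In Test_buildPolicyReports the added `er.Policy = &policy` sits between `json.Unmarshal` and `assert.NilError(t, err)`, so the response is modified before the decode error is checked. Test_buildPolicyResults repeats the same ordering. Moving the assignment below the assertion keeps the error check next to the call it guards. If the fixture needs patching because the decoded response carries no policy, a short comment such as `// the serialized response has no policy; attach it explicitly` would record that.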
|
|
|
@ -432,11 +432,11 @@ func buildPolicyResults(engineResponses []*engineapi.EngineResponse, testResults
|
|||
now := metav1.Timestamp{Seconds: time.Now().Unix()}
|
||||
|
||||
for _, resp := range engineResponses {
|
||||
policyName := resp.PolicyResponse.Policy.Name
|
||||
policyName := resp.Policy.GetName()
|
||||
resourceName := resp.PolicyResponse.Resource.Name
|
||||
resourceKind := resp.PolicyResponse.Resource.Kind
|
||||
resourceNamespace := resp.PolicyResponse.Resource.Namespace
|
||||
policyNamespace := resp.PolicyResponse.Policy.Namespace
|
||||
policyNamespace := resp.Policy.GetNamespace()
|
||||
|
||||
var rules []string
|
||||
for _, rule := range resp.PolicyResponse.Rules {
|
||||
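Review bot: `resp.Policy.GetName()` and `resp.Policy.GetNamespace()` in buildPolicyResults will panic if `resp.Policy` is a nil interface, whereas the removed `resp.PolicyResponse.Policy.Name` was a plain struct field and could not. The test hunks in this commit set `er.Policy` by hand after `json.Unmarshal`, which suggests that a decoded or literal EngineResponse does not carry a policy. A guard at the top of the loop, for example `if resp.Policy == nil { continue }` (ideally with a log line), would keep such a response from crashing the caller. The same unguarded access appears in buildPVInfo, handleGeneratePolicy, the event builders, both transform functions, and the webhook's BlockRequest, GetBlockedMessages and GetErrorMsg, where a panic on the admission path is the costliest. The loop body continues outside this hunk.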
|
|
|
@ -789,7 +789,7 @@ func ProcessValidateEngineResponse(policy kyvernov1.PolicyInterface, validateRes
|
|||
|
||||
func buildPVInfo(er *engineapi.EngineResponse, violatedRules []kyvernov1.ViolatedRule) Info {
|
||||
info := Info{
|
||||
PolicyName: er.PolicyResponse.Policy.Name,
|
||||
PolicyName: er.Policy.GetName(),
|
||||
Namespace: er.PatchedResource.GetNamespace(),
|
||||
Results: []EngineResponseResult{
|
||||
{
|
||||
|
@ -1115,7 +1115,7 @@ func handleGeneratePolicy(generateResponse *engineapi.EngineResponse, policyCont
|
|||
gr := kyvernov1beta1.UpdateRequest{
|
||||
Spec: kyvernov1beta1.UpdateRequestSpec{
|
||||
Type: kyvernov1beta1.Generate,
|
||||
Policy: generateResponse.PolicyResponse.Policy.Name,
|
||||
Policy: generateResponse.Policy.GetName(),
|
||||
Resource: kyvernov1.ResourceSpec{
|
||||
Kind: generateResponse.PolicyResponse.Resource.Kind,
|
||||
Namespace: generateResponse.PolicyResponse.Resource.Namespace,
|
||||
|
|
|
@ -209,7 +209,7 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u
|
|||
if r.Status != engineapi.RuleStatusPass {
|
||||
logger.V(4).Info("querying all update requests")
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
kyvernov1beta1.URGeneratePolicyLabel: engineResponse.PolicyResponse.Policy.Name,
|
||||
kyvernov1beta1.URGeneratePolicyLabel: engineResponse.Policy.GetName(),
|
||||
kyvernov1beta1.URGenerateResourceNameLabel: engineResponse.PolicyResponse.Resource.Name,
|
||||
kyvernov1beta1.URGenerateResourceKindLabel: engineResponse.PolicyResponse.Resource.Kind,
|
||||
kyvernov1beta1.URGenerateResourceNSLabel: engineResponse.PolicyResponse.Resource.Namespace,
|
||||
|
|
|
@ -23,7 +23,7 @@ func GenerateEvents(logger logr.Logger, eventGen event.Interface, config config.
|
|||
|
||||
func generateSuccessEvents(log logr.Logger, ers ...*engineapi.EngineResponse) (eventInfos []event.Info) {
|
||||
for _, er := range ers {
|
||||
logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
|
||||
logger := log.WithValues("policy", er.Policy.GetName(), "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
|
||||
if !er.IsFailed() {
|
||||
logger.V(4).Info("generating event on policy for success rules")
|
||||
e := event.NewPolicyAppliedEvent(event.PolicyController, er)
|
||||
|
@ -55,7 +55,7 @@ func generateFailEvents(log logr.Logger, ers ...*engineapi.EngineResponse) (even
|
|||
func generateFailEventsPerEr(log logr.Logger, er *engineapi.EngineResponse) []event.Info {
|
||||
var eventInfos []event.Info
|
||||
logger := log.WithValues(
|
||||
"policy", er.PolicyResponse.Policy.Name,
|
||||
"policy", er.Policy.GetName(),
|
||||
"kind", er.PolicyResponse.Resource.Kind,
|
||||
"namespace", er.PolicyResponse.Resource.Namespace,
|
||||
"name", er.PolicyResponse.Resource.Name,
|
||||
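Review bot: In generateSuccessEvents the `"policy"` log value changes from the `er.PolicyResponse.Policy` struct, which carried both Name and Namespace, to `er.Policy.GetName()` alone, so log lines for namespaced policies lose their namespace. Two policies with the same name in different namespaces can then no longer be told apart when reading these logs. Adding `"policy.namespace", er.Policy.GetNamespace()` to the `WithValues` call would restore that. generateFailEventsPerEr logged only the name before and after, so the same addition would make the two functions consistent.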
|
|
|
@ -21,6 +21,14 @@ type EngineResponse struct {
|
|||
NamespaceLabels map[string]string
|
||||
}
|
||||
|
||||
func NewEngineResponse(
|
||||
policy kyvernov1.PolicyInterface,
|
||||
) *EngineResponse {
|
||||
return &EngineResponse{
|
||||
Policy: policy,
|
||||
}
|
||||
}
|
||||
|
||||
// IsOneOf checks if any rule has status in a given list
|
||||
func (er EngineResponse) IsOneOf(status ...RuleStatus) bool {
|
||||
for _, r := range er.PolicyResponse.Rules {
|
||||
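Review bot: The new exported constructor NewEngineResponse has no doc comment and does not state whether `policy` may be nil. This commit makes callers read `er.Policy.GetName()` and `er.Policy.GetNamespace()` directly, so the expectation is worth stating, for example `// NewEngineResponse returns an EngineResponse for policy; policy must not be nil because callers read its name and namespace through er.Policy.` The EngineResponse struct begins before this hunk and IsOneOf continues past it.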
|
|
|
@ -13,8 +13,6 @@ type ValidationFailureActionOverride struct {
|
|||
|
||||
// PolicyResponse policy application response
|
||||
type PolicyResponse struct {
|
||||
// Policy contains policy details
|
||||
Policy PolicySpec
|
||||
// Resource contains resource details
|
||||
Resource ResourceSpec
|
||||
// PolicyStats contains policy statistics
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
package api
|
||||
|
||||
// PolicySpec policy
|
||||
type PolicySpec struct {
|
||||
Name string
|
||||
Namespace string
|
||||
}
|
|
@ -37,24 +37,19 @@ func (e *engine) filterRules(
|
|||
name := newResource.GetName()
|
||||
namespace := newResource.GetNamespace()
|
||||
apiVersion := newResource.GetAPIVersion()
|
||||
resp := &engineapi.EngineResponse{
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
Policy: engineapi.PolicySpec{
|
||||
Name: policy.GetName(),
|
||||
Namespace: policy.GetNamespace(),
|
||||
},
|
||||
PolicyStats: engineapi.PolicyStats{
|
||||
ExecutionStats: engineapi.ExecutionStats{
|
||||
Timestamp: startTime.Unix(),
|
||||
},
|
||||
},
|
||||
Resource: engineapi.ResourceSpec{
|
||||
Kind: kind,
|
||||
Name: name,
|
||||
Namespace: namespace,
|
||||
APIVersion: apiVersion,
|
||||
resp := engineapi.NewEngineResponse(policy)
|
||||
resp.PolicyResponse = engineapi.PolicyResponse{
|
||||
PolicyStats: engineapi.PolicyStats{
|
||||
ExecutionStats: engineapi.ExecutionStats{
|
||||
Timestamp: startTime.Unix(),
|
||||
},
|
||||
},
|
||||
Resource: engineapi.ResourceSpec{
|
||||
Kind: kind,
|
||||
Name: name,
|
||||
Namespace: namespace,
|
||||
APIVersion: apiVersion,
|
||||
},
|
||||
}
|
||||
|
||||
if e.configuration.ToFilter(kind, namespace, name) {
|
||||
|
|
|
@ -9,7 +9,6 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/engine/internal"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
)
|
||||
|
||||
// GenerateResponse checks for validity of generate rule on the resource
|
||||
|
@ -33,28 +32,19 @@ func (e *engine) filterGenerateRules(
|
|||
name := newResource.GetName()
|
||||
namespace := newResource.GetNamespace()
|
||||
apiVersion := newResource.GetAPIVersion()
|
||||
pNamespace, pName, err := cache.SplitMetaNamespaceKey(policyNameKey)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to spilt name and namespace", "policy.key", policyNameKey)
|
||||
}
|
||||
resp := &engineapi.EngineResponse{
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
Policy: engineapi.PolicySpec{
|
||||
Name: pName,
|
||||
Namespace: pNamespace,
|
||||
},
|
||||
PolicyStats: engineapi.PolicyStats{
|
||||
ExecutionStats: engineapi.ExecutionStats{
|
||||
Timestamp: startTime.Unix(),
|
||||
},
|
||||
},
|
||||
Resource: engineapi.ResourceSpec{
|
||||
Kind: kind,
|
||||
Name: name,
|
||||
Namespace: namespace,
|
||||
APIVersion: apiVersion,
|
||||
resp := engineapi.NewEngineResponse(policyContext.Policy())
|
||||
resp.PolicyResponse = engineapi.PolicyResponse{
|
||||
PolicyStats: engineapi.PolicyStats{
|
||||
ExecutionStats: engineapi.ExecutionStats{
|
||||
Timestamp: startTime.Unix(),
|
||||
},
|
||||
},
|
||||
Resource: engineapi.ResourceSpec{
|
||||
Kind: kind,
|
||||
Name: name,
|
||||
Namespace: namespace,
|
||||
APIVersion: apiVersion,
|
||||
},
|
||||
}
|
||||
if e.configuration.ToFilter(kind, namespace, name) {
|
||||
logger.Info("resource excluded")
|
||||
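Review bot: filterGenerateRules now takes the response's policy from `policyContext.Policy()` instead of splitting `policyNameKey`, so the response is attributed to whatever policy the context holds rather than to the key the caller passed. As far as this hunk shows, `policyNameKey` no longer contributes to the response at all. The signature starts outside the hunk, so it is not visible whether the parameter remains. If it does, either drop it or add a comment such as `// policyNameKey is kept for <remaining use>; the response identity comes from policyContext.Policy()`, so a later reader does not assume the two are tied together.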
|
|
|
@ -24,9 +24,8 @@ func (e *engine) verifyAndPatchImages(
|
|||
logger logr.Logger,
|
||||
policyContext engineapi.PolicyContext,
|
||||
) (*engineapi.EngineResponse, *engineapi.ImageVerificationMetadata) {
|
||||
resp := &engineapi.EngineResponse{}
|
||||
|
||||
policy := policyContext.Policy()
|
||||
resp := engineapi.NewEngineResponse(policy)
|
||||
startTime := time.Now()
|
||||
defer func() {
|
||||
internal.BuildResponse(policyContext, resp, startTime)
|
||||
|
|
|
@ -58,8 +58,6 @@ func BuildResponse(ctx engineapi.PolicyContext, resp *engineapi.EngineResponse,
|
|||
}
|
||||
policy := ctx.Policy()
|
||||
resp.Policy = policy
|
||||
resp.PolicyResponse.Policy.Name = policy.GetName()
|
||||
resp.PolicyResponse.Policy.Namespace = policy.GetNamespace()
|
||||
resp.PolicyResponse.Resource.Name = resp.PatchedResource.GetName()
|
||||
resp.PolicyResponse.Resource.Namespace = resp.PatchedResource.GetNamespace()
|
||||
resp.PolicyResponse.Resource.Kind = resp.PatchedResource.GetKind()
|
||||
|
|
|
@ -28,9 +28,7 @@ func (e *engine) mutate(
|
|||
) (resp *engineapi.EngineResponse) {
|
||||
startTime := time.Now()
|
||||
policy := policyContext.Policy()
|
||||
resp = &engineapi.EngineResponse{
|
||||
Policy: policy,
|
||||
}
|
||||
resp = engineapi.NewEngineResponse(policy)
|
||||
matchedResource := policyContext.NewResource()
|
||||
enginectx := policyContext.JSONContext()
|
||||
var skippedRules []string
|
||||
|
@ -350,9 +348,6 @@ func startMutateResultResponse(resp *engineapi.EngineResponse, policy kyvernov1.
|
|||
if resp == nil {
|
||||
return
|
||||
}
|
||||
|
||||
resp.PolicyResponse.Policy.Name = policy.GetName()
|
||||
resp.PolicyResponse.Policy.Namespace = policy.GetNamespace()
|
||||
resp.PolicyResponse.Resource.Name = resource.GetName()
|
||||
resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
|
||||
resp.PolicyResponse.Resource.Kind = resource.GetKind()
|
||||
|
@ -363,7 +358,6 @@ func endMutateResultResponse(logger logr.Logger, resp *engineapi.EngineResponse,
|
|||
if resp == nil {
|
||||
return
|
||||
}
|
||||
|
||||
resp.PolicyResponse.ProcessingTime = time.Since(startTime)
|
||||
resp.PolicyResponse.Timestamp = startTime.Unix()
|
||||
logger.V(5).Info("finished processing policy", "processingTime", resp.PolicyResponse.ProcessingTime.String(), "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
|
||||
|
|
|
@ -12,8 +12,8 @@ import (
|
|||
func NewPolicyFailEvent(source Source, reason Reason, engineResponse *engineapi.EngineResponse, ruleResp *engineapi.RuleResponse, blocked bool) Info {
|
||||
return Info{
|
||||
Kind: getPolicyKind(engineResponse.Policy),
|
||||
Name: engineResponse.PolicyResponse.Policy.Name,
|
||||
Namespace: engineResponse.PolicyResponse.Policy.Namespace,
|
||||
Name: engineResponse.Policy.GetName(),
|
||||
Namespace: engineResponse.Policy.GetNamespace(),
|
||||
Reason: reason,
|
||||
Source: source,
|
||||
Message: buildPolicyEventMessage(ruleResp, engineResponse.GetResourceSpec(), blocked),
|
||||
|
@ -60,8 +60,8 @@ func NewPolicyAppliedEvent(source Source, engineResponse *engineapi.EngineRespon
|
|||
|
||||
return Info{
|
||||
Kind: getPolicyKind(engineResponse.Policy),
|
||||
Name: engineResponse.PolicyResponse.Policy.Name,
|
||||
Namespace: engineResponse.PolicyResponse.Policy.Namespace,
|
||||
Name: engineResponse.Policy.GetName(),
|
||||
Namespace: engineResponse.Policy.GetNamespace(),
|
||||
Reason: PolicyApplied,
|
||||
Source: source,
|
||||
Message: bldr.String(),
|
||||
|
@ -127,15 +127,15 @@ func NewPolicyExceptionEvents(engineResponse *engineapi.EngineResponse, ruleResp
|
|||
exceptionName, exceptionNamespace := getExceptionEventInfoFromRuleResponseMsg(ruleResp.Message)
|
||||
policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", engineResponse.PatchedResource.GetName(), ruleResp.Name, exceptionNamespace, exceptionName)
|
||||
var exceptionMessage string
|
||||
if engineResponse.PolicyResponse.Policy.Namespace == "" {
|
||||
exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", engineResponse.PatchedResource.GetName(), engineResponse.PolicyResponse.Policy.Name, ruleResp.Name)
|
||||
if engineResponse.Policy.GetNamespace() == "" {
|
||||
exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", engineResponse.PatchedResource.GetName(), engineResponse.Policy.GetName(), ruleResp.Name)
|
||||
} else {
|
||||
exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s/%s", engineResponse.PatchedResource.GetName(), engineResponse.PolicyResponse.Policy.Namespace, engineResponse.PolicyResponse.Policy.Name, ruleResp.Name)
|
||||
exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s/%s", engineResponse.PatchedResource.GetName(), engineResponse.Policy.GetNamespace(), engineResponse.Policy.GetName(), ruleResp.Name)
|
||||
}
|
||||
policyEvent := Info{
|
||||
Kind: getPolicyKind(engineResponse.Policy),
|
||||
Name: engineResponse.PolicyResponse.Policy.Name,
|
||||
Namespace: engineResponse.PolicyResponse.Policy.Namespace,
|
||||
Name: engineResponse.Policy.GetName(),
|
||||
Namespace: engineResponse.Policy.GetNamespace(),
|
||||
Reason: PolicySkipped,
|
||||
Message: policyMessage,
|
||||
}
|
||||
|
|
|
@ -95,14 +95,14 @@ func annotationFromEngineResponses(engineResponses []*engineapi.EngineResponse,
|
|||
annotationContent := make(map[string]string)
|
||||
for _, engineResponse := range engineResponses {
|
||||
if !engineResponse.IsSuccessful() {
|
||||
log.V(3).Info("skip building annotation; policy failed to apply", "policy", engineResponse.PolicyResponse.Policy.Name)
|
||||
log.V(3).Info("skip building annotation; policy failed to apply", "policy", engineResponse.Policy.GetName())
|
||||
continue
|
||||
}
|
||||
rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse, log)
|
||||
if rulePatches == nil {
|
||||
continue
|
||||
}
|
||||
policyName := engineResponse.PolicyResponse.Policy.Name
|
||||
policyName := engineResponse.Policy.GetName()
|
||||
for _, rulePatch := range rulePatches {
|
||||
annotationContent[rulePatch.RuleName+"."+policyName+".kyverno.io"] = OperationToPastTense[rulePatch.Op] + " " + rulePatch.Path
|
||||
}
|
||||
|
|
|
@ -3,20 +3,21 @@ package utils
|
|||
import (
|
||||
"testing"
|
||||
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/kyverno/kyverno/pkg/logging"
|
||||
"gotest.tools/assert"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
func newPolicyResponse(policy, rule string, patchesStr []string, status engineapi.RuleStatus) engineapi.PolicyResponse {
|
||||
func newPolicyResponse(rule string, patchesStr []string, status engineapi.RuleStatus) engineapi.PolicyResponse {
|
||||
var patches [][]byte
|
||||
for _, p := range patchesStr {
|
||||
patches = append(patches, []byte(p))
|
||||
}
|
||||
|
||||
return engineapi.PolicyResponse{
|
||||
Policy: engineapi.PolicySpec{Name: policy},
|
||||
Rules: []engineapi.RuleResponse{
|
||||
{
|
||||
Name: rule,
|
||||
|
@ -29,6 +30,11 @@ func newPolicyResponse(policy, rule string, patchesStr []string, status engineap
|
|||
|
||||
func newEngineResponse(policy, rule string, patchesStr []string, status engineapi.RuleStatus, annotation map[string]interface{}) *engineapi.EngineResponse {
|
||||
return &engineapi.EngineResponse{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: policy,
|
||||
},
|
||||
},
|
||||
PatchedResource: unstructured.Unstructured{
|
||||
Object: map[string]interface{}{
|
||||
"metadata": map[string]interface{}{
|
||||
|
@ -36,7 +42,7 @@ func newEngineResponse(policy, rule string, patchesStr []string, status engineap
|
|||
},
|
||||
},
|
||||
},
|
||||
PolicyResponse: newPolicyResponse(policy, rule, patchesStr, status),
|
||||
PolicyResponse: newPolicyResponse(rule, patchesStr, status),
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -245,7 +245,7 @@ func (h *generationHandler) handleUpdateGenerateTargetResource(ctx context.Conte
|
|||
func (h *generationHandler) deleteGR(ctx context.Context, engineResponse *engineapi.EngineResponse) {
|
||||
h.log.V(4).Info("querying all update requests")
|
||||
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
||||
kyvernov1beta1.URGeneratePolicyLabel: engineResponse.PolicyResponse.Policy.Name,
|
||||
kyvernov1beta1.URGeneratePolicyLabel: engineResponse.Policy.GetName(),
|
||||
kyvernov1beta1.URGenerateResourceNameLabel: engineResponse.PolicyResponse.Resource.Name,
|
||||
kyvernov1beta1.URGenerateResourceKindLabel: engineResponse.PolicyResponse.Resource.Kind,
|
||||
kyvernov1beta1.URGenerateResourceNSLabel: engineResponse.PolicyResponse.Resource.Namespace,
|
||||
|
|
|
@ -141,10 +141,10 @@ func applyUpdateRequest(
|
|||
|
||||
func transform(admissionRequestInfo kyvernov1beta1.AdmissionRequestInfoObject, userRequestInfo kyvernov1beta1.RequestInfo, er *engineapi.EngineResponse, ruleType kyvernov1beta1.RequestType) kyvernov1beta1.UpdateRequestSpec {
|
||||
var PolicyNameNamespaceKey string
|
||||
if er.PolicyResponse.Policy.Namespace != "" {
|
||||
PolicyNameNamespaceKey = er.PolicyResponse.Policy.Namespace + "/" + er.PolicyResponse.Policy.Name
|
||||
if er.Policy.GetNamespace() != "" {
|
||||
PolicyNameNamespaceKey = er.Policy.GetNamespace() + "/" + er.Policy.GetName()
|
||||
} else {
|
||||
PolicyNameNamespaceKey = er.PolicyResponse.Policy.Name
|
||||
PolicyNameNamespaceKey = er.Policy.GetName()
|
||||
}
|
||||
|
||||
ur := kyvernov1beta1.UpdateRequestSpec{
|
||||
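Review bot: The namespace/name key in transform is built by hand with up to three accessor calls on `er.Policy`, and an identical copy of the function appears in the next file section. Reading the values once, as in `name, ns := er.Policy.GetName(), er.Policy.GetNamespace()`, makes the branch easier to follow. Moving the key construction into one shared helper would stop the two copies from drifting apart. The rest of transform, including the `UpdateRequestSpec` literal, continues outside the hunk.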
|
|
|
@ -71,10 +71,10 @@ func applyUpdateRequest(
|
|||
|
||||
func transform(admissionRequestInfo kyvernov1beta1.AdmissionRequestInfoObject, userRequestInfo kyvernov1beta1.RequestInfo, er *engineapi.EngineResponse, ruleType kyvernov1beta1.RequestType) kyvernov1beta1.UpdateRequestSpec {
|
||||
var PolicyNameNamespaceKey string
|
||||
if er.PolicyResponse.Policy.Namespace != "" {
|
||||
PolicyNameNamespaceKey = er.PolicyResponse.Policy.Namespace + "/" + er.PolicyResponse.Policy.Name
|
||||
if er.Policy.GetNamespace() != "" {
|
||||
PolicyNameNamespaceKey = er.Policy.GetNamespace() + "/" + er.Policy.GetName()
|
||||
} else {
|
||||
PolicyNameNamespaceKey = er.PolicyResponse.Policy.Name
|
||||
PolicyNameNamespaceKey = er.Policy.GetName()
|
||||
}
|
||||
|
||||
ur := kyvernov1beta1.UpdateRequestSpec{
|
||||
|
|
|
@ -26,7 +26,7 @@ func getAction(hasViolations bool, i int) string {
|
|||
func BlockRequest(engineResponses []*engineapi.EngineResponse, failurePolicy kyvernov1.FailurePolicyType, log logr.Logger) bool {
|
||||
for _, er := range engineResponses {
|
||||
if engineutils.BlockRequest(er, failurePolicy) {
|
||||
log.V(2).Info("blocking admission request", "policy", er.PolicyResponse.Policy.Name)
|
||||
log.V(2).Info("blocking admission request", "policy", er.Policy.GetName())
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
@ -52,7 +52,7 @@ func GetBlockedMessages(engineResponses []*engineapi.EngineResponse) string {
|
|||
}
|
||||
}
|
||||
if len(ruleToReason) != 0 {
|
||||
failures[er.PolicyResponse.Policy.Name] = ruleToReason
|
||||
failures[er.Policy.GetName()] = ruleToReason
|
||||
}
|
||||
}
|
||||
if len(failures) == 0 {
|
||||
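Review bot: In GetBlockedMessages, `failures[er.Policy.GetName()] = ruleToReason` keys the map by policy name only, so two namespaced policies that share a name in different namespaces would overwrite each other, leaving one policy's failed rules out of the message returned to the user. Now that the full policy object is available on the response, the key can include the namespace when present, e.g. `key := er.Policy.GetName()` followed by `if ns := er.Policy.GetNamespace(); ns != "" { key = ns + "/" + key }`. This changes the text of the blocked message, so any test that pins the exact output needs updating. The `"policy"` log value in BlockRequest has the same name-only ambiguity.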
|
|
|
@ -7,6 +7,7 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
"github.com/stretchr/testify/assert"
|
||||
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
)
|
||||
|
||||
func Test_getAction(t *testing.T) {
|
||||
|
@ -58,6 +59,11 @@ func TestBlockRequest(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Enforce",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
|
@ -79,6 +85,11 @@ func TestBlockRequest(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Audit",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
|
@ -100,6 +111,11 @@ func TestBlockRequest(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Audit",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
|
@ -121,6 +137,11 @@ func TestBlockRequest(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Audit",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
|
@ -142,6 +163,11 @@ func TestBlockRequest(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Audit",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
|
@ -163,6 +189,11 @@ func TestBlockRequest(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Audit",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
|
@ -201,10 +232,12 @@ func TestGetBlockedMessages(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
Policy: engineapi.PolicySpec{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Enforce",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
{
|
||||
|
@ -228,10 +261,12 @@ func TestGetBlockedMessages(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
Policy: engineapi.PolicySpec{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Enforce",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
{
|
||||
|
@ -255,10 +290,12 @@ func TestGetBlockedMessages(t *testing.T) {
|
|||
args: args{
|
||||
engineResponses: []*engineapi.EngineResponse{
|
||||
{
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
Policy: engineapi.PolicySpec{
|
||||
Policy: &kyvernov1.ClusterPolicy{
|
||||
ObjectMeta: v1.ObjectMeta{
|
||||
Name: "test",
|
||||
},
|
||||
},
|
||||
PolicyResponse: engineapi.PolicyResponse{
|
||||
ValidationFailureAction: "Enforce",
|
||||
Rules: []engineapi.RuleResponse{
|
||||
{
|
||||
|
|
|
@ -14,7 +14,7 @@ func GetErrorMsg(engineReponses []*engineapi.EngineResponse) string {
|
|||
if !er.IsSuccessful() {
|
||||
// resource in engineReponses is identical as this was called per admission request
|
||||
resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
|
||||
str = append(str, fmt.Sprintf("failed policy %s:", er.PolicyResponse.Policy.Name))
|
||||
str = append(str, fmt.Sprintf("failed policy %s:", er.Policy.GetName()))
|
||||
for _, rule := range er.PolicyResponse.Rules {
|
||||
if rule.Status != engineapi.RuleStatusPass {
|
||||
str = append(str, rule.String())
|
||||
|
|