From f41b7124ac04736fd51ffdaffe15512429f4e721 Mon Sep 17 00:00:00 2001
From: shravan
Date: Fri, 17 Jan 2020 00:09:39 +0530
Subject: [PATCH] fixing merge issues
---
 Makefile | 1 +
 definitions/install.yaml | 4 ++--
 pkg/engine/mutate/overlay.go | 4 ++--
 pkg/engine/mutation.go | 2 +-
 pkg/engine/utils/utils.go | 3 ++-
 pkg/webhookconfig/common.go | 4 ++++
 pkg/webhooks/mutation.go | 2 ++
 samples/best_practices/disallow_default_namespace.yaml | 1 +
 8 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/Makefile b/Makefile
index 732a1facce..506f4fb2a1 100644
--- a/Makefile
+++ b/Makefile
@@ -12,6 +12,7 @@ REGISTRY=index.docker.io REPO=$(REGISTRY)/nirmata/kyverno IMAGE_TAG=$(GIT_VERSION) GOOS ?= $(shell go env GOOS) +PACKAGE ?=github.com/nirmata/kyverno LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)" ##################################
diff --git a/definitions/install.yaml b/definitions/install.yaml
index fd7fc1a58b..8e5b660096 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -520,10 +520,10 @@ spec: serviceAccountName: kyverno-service-account initContainers: - name: kyverno-pre - image: nirmata/kyvernopre:v1.1.0 + image: nirmata/kyvernopre:v1.1.1 containers: - name: kyverno - image: nirmata/kyverno:v1.1.0 + image: nirmata/kyverno:v1.1.1 args: - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" # customize webhook timout
diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go
index 51b0640b25..59d1f50865 100644
--- a/pkg/engine/mutate/overlay.go
+++ b/pkg/engine/mutate/overlay.go
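Review bot: `PACKAGE ?=github.com/nirmata/kyverno` is spaced unlike the `GOOS ?= $(shell go env GOOS)` assignment just above it; `PACKAGE ?= github.com/nirmata/kyverno` keeps the style uniform. Because `?=` lets an environment variable override the value, the three `-X $(PACKAGE)/pkg/version.*` entries in LD_FLAGS silently stop matching the real import path if PACKAGE is set to anything else, and BuildVersion, BuildHash and BuildTime then stay empty in the binary. If the override is not needed, `PACKAGE := github.com/nirmata/kyverno` removes that failure mode; otherwise a short comment on the line noting that it must equal the module path would help.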
@@ -387,11 +387,11 @@ func preparePath(path string) string {
} annPath := "/metadata/annotations/" - idx := strings.Index(path, annPath) // escape slash in annotation patch if strings.Contains(path, annPath) { + idx := strings.Index(path, annPath) p := path[idx+len(annPath):] - path = annPath + strings.ReplaceAll(p, "/", "~1") + path = path[:idx+len(annPath)] + strings.ReplaceAll(p, "/", "~1") } return path }
diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index ee0cc32295..e7500c4c97 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -156,7 +156,7 @@ var podTemplateRule = kyverno.Rule{
"template": map[string]interface{}{ "metadata": map[string]interface{}{ "annotations": map[string]interface{}{ - "pod-policies.kyverno.io/autogen-applied": "true", + "+(pod-policies.kyverno.io/autogen-applied)": "true", }, }, },
diff --git a/pkg/engine/utils/utils.go b/pkg/engine/utils/utils.go
index de103fe930..8dbb1bec26 100644
--- a/pkg/engine/utils/utils.go
+++ b/pkg/engine/utils/utils.go
@@ -25,11 +25,12 @@ func (ri RuleType) String() string {
} // ApplyPatches patches given resource with given patches and returns patched document +// return origin resource if any error occurs func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) { joinedPatches := JoinPatches(patches) patch, err := jsonpatch.DecodePatch(joinedPatches) if err != nil { - return nil, err + return resource, err } patchedDocument, err := patch.Apply(resource)
diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go
index 00cfa79ef3..d73fcafb13 100644
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
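Review bot: The escaping on the rewritten `path = path[:idx+len(annPath)] + strings.ReplaceAll(p, "/", "~1")` line only handles `/`; RFC 6901 also requires a `~` inside a key to become `~0`, and that replacement has to run first, otherwise an annotation key containing `~` produces a pointer that addresses a different field or fails to apply: `path = path[:idx+len(annPath)] + strings.ReplaceAll(strings.ReplaceAll(p, "~", "~0"), "/", "~1")`. The `strings.Contains` guard followed by the added `strings.Index` scans the path twice; `idx := strings.Index(path, annPath)` followed by `if idx >= 0 {` does it once and makes the guard unnecessary. preparePath begins before this hunk; only its tail is visible here.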
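Review bot: The new key `"+(pod-policies.kyverno.io/autogen-applied)"` relies on the overlay anchor syntax with no comment saying so, and a reader who does not know the `+()` form will read it as a typo in an annotation name. If I read the engine right, `+()` marks the annotation as add-if-absent so an existing value is left untouched; a comment above the line such as `// +() anchor: add the annotation only when it is not already present, so a user-set value is not overwritten` would record that intent. The podTemplateRule literal begins and ends outside this hunk.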
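Review bot: Returning `resource, err` from the DecodePatch failure means a caller that drops the error now receives a byte-for-byte copy of the unpatched input, which in a mutating admission path is easy to mistake for a successfully patched document; the doc comment should state this explicitly, and call sites are worth checking for a `patched, _ := ApplyPatches(...)` pattern. Suggested wording for the added line: `// On any error the original, unmodified resource is returned together with the error; callers must still check err.` (also "origin" → "original"). The `patch.Apply` error branch lies past the end of this hunk; it has to return `resource, err` as well for the comment to hold for both failure points.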
@@ -63,6 +63,7 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook { sideEffect := admregapi.SideEffectClassNoneOnDryRun + failurePolicy := admregapi.Ignore return admregapi.Webhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{
@@ -88,11 +89,13 @@ func generateDebugWebhook(name, url string, caData []byte, validate bool, timeou
}, AdmissionReviewVersions: []string{"v1beta1"}, TimeoutSeconds: &timeoutSeconds, + FailurePolicy: &failurePolicy, } } func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook { sideEffect := admregapi.SideEffectClassNoneOnDryRun + failurePolicy := admregapi.Ignore return admregapi.Webhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{
@@ -122,5 +125,6 @@ func generateWebhook(name, servicePath string, caData []byte, validation bool, t
}, AdmissionReviewVersions: []string{"v1beta1"}, TimeoutSeconds: &timeoutSeconds, + FailurePolicy: &failurePolicy, } }
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 7193661630..f10289eced 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@@ -91,6 +91,8 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
// gather patches patches = append(patches, engineResponse.GetPatches()...) glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName()) + + policyContext.NewResource = engineResponse.PatchedResource } // generate annotations
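Review bot: Both `FailurePolicy: &failurePolicy` additions hard-code `admregapi.Ignore`, so the API server admits any request for which the kyverno webhook times out or cannot be reached; for the validating webhook built by generateWebhook with `validation` true that is fail-open, and every policy is skipped for as long as the service is down or slower than TimeoutSeconds (the same applies to generateDebugWebhook in the first hunk and to the third hunk of this file). The `validate`/`validation` parameter is already in scope in both functions, so the policy can follow it, e.g. `failurePolicy := admregapi.Ignore` followed by `if validation { failurePolicy = admregapi.Fail }`, or the value can be passed in so operators choose per webhook. Whichever is chosen, a comment on the assignment stating the trade-off, `// Ignore = fail open: requests are admitted unchecked when the webhook is unreachable or exceeds TimeoutSeconds`, makes the decision visible to the next reader. Both functions are split across the three hunks, so their full bodies are not visible here.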
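Review bot: `policyContext.NewResource = engineResponse.PatchedResource` carries one policy's result into the evaluation of the next, but nothing at the site says so, and the `resource` variable used on the glog line above still refers to the pre-mutation object, so later code in this loop and the annotation generation that follows may keep reading the original; worth confirming which object they are meant to see. A one-line comment such as `// feed the mutated resource into the next policy so its patches apply on top of earlier ones` would record the intent. It is also assumed here that PatchedResource is populated whenever patches were gathered; if an engine response can succeed with an empty PatchedResource, the next iteration would evaluate an empty object, so that is worth checking against the engine. HandleMutation begins and ends outside this hunk.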
diff --git a/samples/best_practices/disallow_default_namespace.yaml b/samples/best_practices/disallow_default_namespace.yaml
index 64b1fe8844..0f579f4d49 100644
--- a/samples/best_practices/disallow_default_namespace.yaml
+++ b/samples/best_practices/disallow_default_namespace.yaml
@@ -3,6 +3,7 @@ kind: ClusterPolicy
metadata: name: disallow-default-namespace annotations: + pod-policies.kyverno.io/autogen-controllers: none policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: Kubernetes namespaces are an optional feature that provide a way to segment and isolate cluster resources across multiple