mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

fixing merge issues

shravan 2020-01-17 00:09:39 +05:30
parent 79999c4948
commit f41b7124ac
8 changed files with 15 additions and 6 deletions


@ -12,6 +12,7 @@ REGISTRY=index.docker.io
REPO=$(REGISTRY)/nirmata/kyverno REPO=$(REGISTRY)/nirmata/kyverno
IMAGE_TAG=$(GIT_VERSION) IMAGE_TAG=$(GIT_VERSION)
GOOS ?= $(shell go env GOOS) GOOS ?= $(shell go env GOOS)
PACKAGE ?=github.com/nirmata/kyverno
LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)" LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
################################## ##################################


@ -520,10 +520,10 @@ spec:
serviceAccountName: kyverno-service-account serviceAccountName: kyverno-service-account
initContainers: initContainers:
- name: kyverno-pre - name: kyverno-pre
image: nirmata/kyvernopre:v1.1.0 image: nirmata/kyvernopre:v1.1.1
containers: containers:
- name: kyverno - name: kyverno
image: nirmata/kyverno:v1.1.0 image: nirmata/kyverno:v1.1.1
args: args:
- "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
# customize webhook timout # customize webhook timout


@ -387,11 +387,11 @@ func preparePath(path string) string {
} }
annPath := "/metadata/annotations/" annPath := "/metadata/annotations/"
idx := strings.Index(path, annPath)
// escape slash in annotation patch // escape slash in annotation patch
if strings.Contains(path, annPath) { if strings.Contains(path, annPath) {
idx := strings.Index(path, annPath)
p := path[idx+len(annPath):] p := path[idx+len(annPath):]
path = annPath + strings.ReplaceAll(p, "/", "~1") path = path[:idx+len(annPath)] + strings.ReplaceAll(p, "/", "~1")
} }
return path return path
} }
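Review bot: The annotation branch scans `path` twice, once with `strings.Contains` and again with `strings.Index`; `if idx := strings.Index(path, annPath); idx >= 0 {` does both in one pass and keeps `idx` scoped to the branch. The escaping also covers only `/`, while RFC 6901 additionally maps `~` to `~0`, which has to happen before the `/` replacement. Kubernetes annotation keys should not contain `~`, so this is probably harmless, but a one-line comment stating that assumption next to `strings.ReplaceAll(p, "/", "~1")` would make it explicit. preparePath starts above the hunk, so the earlier part of the body is not reviewed here.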


@ -156,7 +156,7 @@ var podTemplateRule = kyverno.Rule{
"template": map[string]interface{}{ "template": map[string]interface{}{
"metadata": map[string]interface{}{ "metadata": map[string]interface{}{
"annotations": map[string]interface{}{ "annotations": map[string]interface{}{
"pod-policies.kyverno.io/autogen-applied": "true", "+(pod-policies.kyverno.io/autogen-applied)": "true",
}, },
}, },
}, },


@ -25,11 +25,12 @@ func (ri RuleType) String() string {
} }
// ApplyPatches patches given resource with given patches and returns patched document // ApplyPatches patches given resource with given patches and returns patched document
// return origin resource if any error occurs
func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) { func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) {
joinedPatches := JoinPatches(patches) joinedPatches := JoinPatches(patches)
patch, err := jsonpatch.DecodePatch(joinedPatches) patch, err := jsonpatch.DecodePatch(joinedPatches)
if err != nil { if err != nil {
return nil, err return resource, err
} }
patchedDocument, err := patch.Apply(resource) patchedDocument, err := patch.Apply(resource)
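Review bot: Returning `resource` together with a non-nil error on the `DecodePatch` failure path means a caller that drops or only logs `err` carries on with the unpatched document as if mutation had succeeded; in an admission path that is a silently skipped mutation. The usual Go contract is that the first result is meaningless when `err != nil`, so either keep `return nil, err` and let callers fall back explicitly, or make the fallback a documented part of the contract, e.g. `// On error, ApplyPatches returns the original, unmodified resource together with the error.` The added comment says "any error", but the hunk only changes the decode path; the error return after `patch.Apply(resource)` lies below the hunk and should be checked to match.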


@ -63,6 +63,7 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook { func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
sideEffect := admregapi.SideEffectClassNoneOnDryRun sideEffect := admregapi.SideEffectClassNoneOnDryRun
failurePolicy := admregapi.Ignore
return admregapi.Webhook{ return admregapi.Webhook{
Name: name, Name: name,
ClientConfig: admregapi.WebhookClientConfig{ ClientConfig: admregapi.WebhookClientConfig{
@ -88,11 +89,13 @@ func generateDebugWebhook(name, url string, caData []byte, validate bool, timeou
}, },
AdmissionReviewVersions: []string{"v1beta1"}, AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds, TimeoutSeconds: &timeoutSeconds,
FailurePolicy: &failurePolicy,
} }
} }
func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook { func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
sideEffect := admregapi.SideEffectClassNoneOnDryRun sideEffect := admregapi.SideEffectClassNoneOnDryRun
failurePolicy := admregapi.Ignore
return admregapi.Webhook{ return admregapi.Webhook{
Name: name, Name: name,
ClientConfig: admregapi.WebhookClientConfig{ ClientConfig: admregapi.WebhookClientConfig{
@ -122,5 +125,6 @@ func generateWebhook(name, servicePath string, caData []byte, validation bool, t
}, },
AdmissionReviewVersions: []string{"v1beta1"}, AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds, TimeoutSeconds: &timeoutSeconds,
FailurePolicy: &failurePolicy,
} }
} }
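Review bot: Setting `FailurePolicy: &failurePolicy` with `admregapi.Ignore` in both `generateDebugWebhook` and `generateWebhook` makes admission fail open: when the webhook is unreachable or exceeds `TimeoutSeconds`, the API server admits the request without mutation or validation. Both functions take a `validate`/`validation` flag, so this presumably applies to validating registrations too, which means enforcement rules are not applied during an outage or rollout. Consider passing the failure policy in as a parameter so validating registrations can choose `admregapi.Fail`, and document the trade-off at the assignment, e.g. `// Ignore: fail open so an unavailable webhook does not block the cluster; policies are NOT enforced while it is down`. Whichever default is kept, requests admitted while the webhook was failing should be visible in monitoring. The middle of each function lies between the hunks and is not reviewed here.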


@ -91,6 +91,8 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
// gather patches // gather patches
patches = append(patches, engineResponse.GetPatches()...) patches = append(patches, engineResponse.GetPatches()...)
glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName()) glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())
policyContext.NewResource = engineResponse.PatchedResource
} }
// generate annotations // generate annotations
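Review bot: `policyContext.NewResource = engineResponse.PatchedResource` is assigned on every iteration that reaches this point, so the next policy is evaluated against whatever the engine returned. If `PatchedResource` can be left at its zero value when a policy matched but produced no patches (not visible in this hunk), later policies would run against an empty object; a guard, or a comment stating that the engine always populates the field, would make this safe to rely on. A short why-comment would also help, e.g. `// feed the patched resource to the next policy so its patches are computed against the already-mutated object`. The loop header and the success check are above the hunk.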


@ -3,6 +3,7 @@ kind: ClusterPolicy
metadata: metadata:
name: disallow-default-namespace name: disallow-default-namespace
annotations: annotations:
pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/category: Workload Isolation policies.kyverno.io/category: Workload Isolation
policies.kyverno.io/description: Kubernetes namespaces are an optional feature policies.kyverno.io/description: Kubernetes namespaces are an optional feature
that provide a way to segment and isolate cluster resources across multiple that provide a way to segment and isolate cluster resources across multiple
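Review bot: The added `pod-policies.kyverno.io/autogen-controllers: none` annotation carries no explanation, and by its name it switches off the generated pod-controller rules for this policy. If that reading is right, the policy is evaluated only for the kinds its own rules list (not visible in this hunk), so a controller object could be admitted and only its Pods rejected afterwards. A YAML comment directly above the annotation, along the lines of `# autogen disabled for this policy: <reason>`, would keep the setting from being removed by accident.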