From f5748b1e704cd50c75541d00170b31de69f0d6df Mon Sep 17 00:00:00 2001
From: Vyankatesh Kudtarkar
Date: Mon, 17 Oct 2022 20:17:06 +0530
Subject: [PATCH] remove RBACInfo check (#5015)
---
 pkg/webhooks/utils/policy_context_builder.go | 68 ++------------------
 1 file changed, 4 insertions(+), 64 deletions(-)
diff --git a/pkg/webhooks/utils/policy_context_builder.go b/pkg/webhooks/utils/policy_context_builder.go
index f4e8a1c3ca..d2cb2bc855 100644
--- a/pkg/webhooks/utils/policy_context_builder.go
+++ b/pkg/webhooks/utils/policy_context_builder.go
@@ -1,12 +1,8 @@
 package utils
 
 import (
- "encoding/json"
- "strings"
-
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
- "github.com/kyverno/kyverno/pkg/autogen"
 "github.com/kyverno/kyverno/pkg/clients/dclient"
 "github.com/kyverno/kyverno/pkg/config"
 "github.com/kyverno/kyverno/pkg/engine"
@@ -22,60 +18,6 @@ type PolicyContextBuilder interface {
 Build(*admissionv1.AdmissionRequest, ...kyvernov1.PolicyInterface) (*engine.PolicyContext, error)
 }
 
-func checkForRBACInfo(rule kyvernov1.Rule) bool {
- if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 || len(rule.ExcludeResources.Roles) > 0 || len(rule.ExcludeResources.ClusterRoles) > 0 {
- return true
- }
- if len(rule.MatchResources.All) > 0 {
- for _, rf := range rule.MatchResources.All {
- if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
- return true
- }
- }
- }
- if len(rule.MatchResources.Any) > 0 {
- for _, rf := range rule.MatchResources.Any {
- if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
- return true
- }
- }
- }
- if len(rule.ExcludeResources.All) > 0 {
- for _, rf := range rule.ExcludeResources.All {
- if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
- return true
- }
- }
- }
- if len(rule.ExcludeResources.Any) > 0 {
- for _, rf := range rule.ExcludeResources.Any {
- if len(rf.UserInfo.Roles) > 0 || len(rf.UserInfo.ClusterRoles) > 0 {
- return true
- }
- }
- }
-
- if bytes, err := json.Marshal(rule); err != nil {
- return false
- } else {
- if strings.Contains(string(bytes), "request.roles") || strings.Contains(string(bytes), "request.clusterRoles") {
- return true
- }
- }
- return false
-}
-
-func containsRBACInfo(policies ...kyvernov1.PolicyInterface) bool {
- for _, policy := range policies {
- for _, rule := range autogen.ComputeRules(policy) {
- if checkForRBACInfo(rule) {
- return true
- }
- }
- }
- return false
-}
-
 func newVariablesContext(request *admissionv1.AdmissionRequest, userRequestInfo *kyvernov1beta1.RequestInfo) (enginectx.Interface, error) {
 ctx := enginectx.NewContext()
 if err := ctx.AddRequest(request); err != nil {
@@ -112,15 +54,13 @@ func NewPolicyContextBuilder(
 }
 
 func (b *policyContextBuilder) Build(request *admissionv1.AdmissionRequest, policies ...kyvernov1.PolicyInterface) (*engine.PolicyContext, error) {
+ var err error
 userRequestInfo := kyvernov1beta1.RequestInfo{
 AdmissionUserInfo: *request.UserInfo.DeepCopy(),
 }
- if containsRBACInfo(policies...) {
- var err error
- userRequestInfo.Roles, userRequestInfo.ClusterRoles, err = userinfo.GetRoleRef(b.rbLister, b.crbLister, request, b.configuration)
- if err != nil {
- return nil, errors.Wrap(err, "failed to fetch RBAC information for request")
- }
+ userRequestInfo.Roles, userRequestInfo.ClusterRoles, err = userinfo.GetRoleRef(b.rbLister, b.crbLister, request, b.configuration)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to fetch RBAC information for request")
 }
 ctx, err := newVariablesContext(request, &userRequestInfo)
 if err != nil {
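Review bot: Because the `userinfo.GetRoleRef` call in `Build` is now unconditional, a lookup error makes `Build` return `failed to fetch RBAC information for request` for every admission request, including requests evaluated only against policies that never reference roles. Whether that ends up rejecting the request or admitting it without policy evaluation depends on how the caller and the webhook's failure policy treat a `Build` error, neither of which is visible in this hunk, so that path should be confirmed and covered by a test. A comment above the call, for example `// RBAC roles are resolved for every request, not only when a policy references them; a lookup error fails the whole build.`, would record the new contract. The hoisted `var err error` can also go by writing `roles, clusterRoles, err := userinfo.GetRoleRef(b.rbLister, b.crbLister, request, b.configuration)` before the struct literal and setting `Roles: roles, ClusterRoles: clusterRoles` inside it. Build's body continues past the end of the hunk.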