feat: process cel engine response in webhook handler (#12047)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-06 07:57:07 +00:00 · 2025-01-31 12:07:22 +01:00 · 2025-01-31 12:07:22 +01:00 · f59b78aef0
commit f59b78aef0
parent b8f7a83942
3 changed files with 28 additions and 4 deletions
--- a/pkg/cel/engine/criteria.go
+++ b/pkg/cel/engine/criteria.go
@ -12,11 +12,17 @@ type matchCriteria struct {

 // GetParsedNamespaceSelector returns the converted LabelSelector which implements labels.Selector
 func (m *matchCriteria) GetParsedNamespaceSelector() (labels.Selector, error) {
+	if m.constraints.NamespaceSelector == nil {
+		return labels.Everything(), nil
+	}
 	return metav1.LabelSelectorAsSelector(m.constraints.NamespaceSelector)
 }

 // GetParsedObjectSelector returns the converted LabelSelector which implements labels.Selector
 func (m *matchCriteria) GetParsedObjectSelector() (labels.Selector, error) {
+	if m.constraints.ObjectSelector == nil {
+		return labels.Everything(), nil
+	}
 	return metav1.LabelSelectorAsSelector(m.constraints.ObjectSelector)
 }

--- a/pkg/cel/engine/engine.go
+++ b/pkg/cel/engine/engine.go
@ -122,8 +122,10 @@ func (e *engine) handlePolicy(ctx context.Context, policy CompiledPolicy, attr a
 	}
 	if e.matcher != nil {
 		criteria := matchCriteria{constraints: policy.Policy.Spec.MatchConstraints}
-		// TODO: err handling
-		if matches, err := e.matcher.Match(&criteria, attr, namespace); err != nil || !matches {
+		if matches, err := e.matcher.Match(&criteria, attr, namespace); err != nil {
+			response.Rules = handlers.WithResponses(engineapi.RuleError("match", engineapi.Validation, "failed to execute matching", err, nil))
+			return response
+		} else if !matches {
 			return response
 		}
 	}
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -13,6 +13,7 @@ import (
 	celengine "github.com/kyverno/kyverno/pkg/cel/engine"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
+	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"github.com/kyverno/kyverno/pkg/toggle"
@ -20,6 +21,7 @@ import (
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
 	"github.com/kyverno/kyverno/pkg/webhooks/handlers"
+	"go.uber.org/multierr"
 	admissionv1 "k8s.io/api/admission/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -139,10 +141,24 @@ func NewServer(
 		"VPOL",
 		config.ValidatingPolicyServicePath,
 		func(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, failurePolicy string, startTime time.Time) admissionv1.AdmissionResponse {
-			_, err := celEngine.Handle(ctx, celengine.EngineRequest{
+			response, err := celEngine.Handle(ctx, celengine.EngineRequest{
 				Request: &request.AdmissionRequest,
 			})
-			return admissionutils.Response(request.UID, err)
+			if err != nil {
+				return admissionutils.Response(request.UID, err)
+			}
+			var errs []error
+			for _, policy := range response.Policies {
+				for _, rule := range policy.Rules {
+					switch rule.Status() {
+					case engineapi.RuleStatusFail:
+						errs = append(errs, fmt.Errorf("Policy %s rule %s failed: %s", policy.Policy.GetName(), rule.Name(), rule.Message()))
+					case engineapi.RuleStatusError:
+						errs = append(errs, fmt.Errorf("Policy %s rule %s error: %s", policy.Policy.GetName(), rule.Name(), rule.Message()))
+					}
+				}
+			}
+			return admissionutils.Response(request.UID, multierr.Combine(errs...))
 		},
 		func(handler handlers.AdmissionHandler) handlers.HttpHandler {
 			return handler.