From fa7c522b5c18e4a91a04c846b945947a9551985c Mon Sep 17 00:00:00 2001 From: shravan Date: Fri, 24 Jan 2020 09:51:40 +0530 Subject: [PATCH] 522 minor changes from tests --- go.mod | 4 ++-- pkg/engine/mutate/overlay.go | 10 ---------- pkg/engine/mutate/patches.go | 10 ---------- pkg/engine/policy/validate.go | 8 -------- pkg/policy/validation.go | 1 + pkg/webhooks/mutation.go | 5 +++++ pkg/webhooks/policyvalidation.go | 11 +++++++++++ 7 files changed, 19 insertions(+), 30 deletions(-) diff --git a/go.mod b/go.mod index aedde94e31..2133e83e77 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/gogo/protobuf v1.3.1 // indirect github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 // indirect - github.com/googleapis/gnostic v0.3.1 // indirect + github.com/googleapis/gnostic v0.3.1 github.com/hashicorp/golang-lru v0.5.3 // indirect github.com/imdario/mergo v0.3.8 // indirect github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af @@ -30,7 +30,7 @@ require ( k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d k8s.io/client-go v11.0.1-0.20190516230509-ae8359b20417+incompatible k8s.io/klog v1.0.0 // indirect - k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a // indirect + k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 // indirect ) diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go index 9b672bf622..3c93e33b27 100644 --- a/pkg/engine/mutate/overlay.go +++ b/pkg/engine/mutate/overlay.go @@ -10,8 +10,6 @@ import ( "strings" "time" - "github.com/nirmata/kyverno/pkg/policy" - "github.com/golang/glog" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
@@ -113,14 +111,6 @@ func ProcessOverlay(ctx context.EvalInterface, rule kyverno.Rule, resource unstr return resp, resource } - err = policy.ValidateResource(patchedResource.UnstructuredContent(), patchedResource.GetKind()) - if err != nil { - glog.V(4).Infoln(err) - resp.Success = false - resp.Message = fmt.Sprintf("failed to validate patchedResource: %v", err) - return resp, resource - } - // rule application succesfuly resp.Success = true resp.Message = fmt.Sprintf("successfully processed overlay") diff --git a/pkg/engine/mutate/patches.go b/pkg/engine/mutate/patches.go index 9d3f1dae18..bf22778e60 100644 --- a/pkg/engine/mutate/patches.go +++ b/pkg/engine/mutate/patches.go @@ -6,8 +6,6 @@ import ( "strings" "time" - "github.com/nirmata/kyverno/pkg/policy" - "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" @@ -84,14 +82,6 @@ func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp return resp, resource } - err = policy.ValidateResource(patchedResource.UnstructuredContent(), patchedResource.GetKind()) - if err != nil { - glog.V(4).Infoln(err) - resp.Success = false - resp.Message = fmt.Sprintf("failed to validate patchedResource: %v", err) - return resp, resource - } - // JSON patches processed succesfully resp.Success = true resp.Message = fmt.Sprintf("succesfully process JSON patches") diff --git a/pkg/engine/policy/validate.go b/pkg/engine/policy/validate.go index 90e0a2cf8b..b6e4fd6b28 100644 --- a/pkg/engine/policy/validate.go +++ b/pkg/engine/policy/validate.go @@ -8,8 +8,6 @@ import ( "strconv" "strings" - "github.com/nirmata/kyverno/pkg/policy" - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/anchor" rbacv1 "k8s.io/api/rbac/v1" 
@@ -72,12 +70,6 @@ func Validate(p kyverno.ClusterPolicy) error { } } } - - err := policy.ValidatePolicyMutation(p) - if err != nil { - return fmt.Errorf("Policy has invalid mutations : %v", err) - } - return nil } diff --git a/pkg/policy/validation.go b/pkg/policy/validation.go index 1fb41ed07f..c9ff5c8cd8 100644 --- a/pkg/policy/validation.go +++ b/pkg/policy/validation.go @@ -49,6 +49,7 @@ func ValidatePolicyMutation(policy v1.ClusterPolicy) error { for kind := range allPossibleKinds { resource, _ := generateEmptyResource(validationGlobalState.definitions["io.k8s.api.core.v1."+kind]).(map[string]interface{}) newResource := unstructured.Unstructured{Object: resource} + newResource.SetKind(kind) policyContext := engine.PolicyContext{ Policy: policy, NewResource: newResource, diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index a9eb295a2f..c8c949e606 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go @@ -90,6 +90,11 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName()) continue } + err := policyctr.ValidateResource(engineResponse.PatchedResource.UnstructuredContent(), engineResponse.PatchedResource.GetKind()) + if err != nil { + glog.V(4).Infoln(err) + continue + } // gather patches patches = append(patches, engineResponse.GetPatches()...) glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName()) diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go index 0ccff804e0..222bcd19b5 100644 --- a/pkg/webhooks/policyvalidation.go +++ b/pkg/webhooks/policyvalidation.go 
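Review bot: In the `ValidatePolicyMutation` hunk, `newResource.SetKind(kind)` is applied to an object whose type-assertion result was discarded one line earlier (`resource, _ := generateEmptyResource(...)`), so a kind without a usable definition would presumably yield a resource carrying only `kind` that is still run through the policy. If that case can occur, handle it explicitly, e.g. `resource, ok := ...` followed by `if !ok { continue }`; whether skipping or returning an error is correct depends on code outside the hunk. Only `kind` is set, not `apiVersion`, while the definition key is hard-coded to `io.k8s.api.core.v1.`. A one-line comment such as `// downstream schema lookup is keyed by kind only` would record that assumption if it holds.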
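Review bot: In the `HandleMutation` hunk, a patched resource that fails `policyctr.ValidateResource` is dropped with `glog.V(4).Infoln(err)` and `continue`, so processing goes on without that policy's patches and the only trace is a verbosity-4 line naming neither the policy nor the resource. For a mutate policy that injects security defaults this is a silent fail-open. Before this commit the same failure was recorded on the rule response (`resp.Success = false` in ProcessOverlay and ProcessPatches), and that record is now lost. Log it at error level with context, e.g. `glog.Errorf("policy %s: patched resource %s/%s failed schema validation: %v", policy.Name, resource.GetNamespace(), resource.GetName(), err)`, and decide whether the failure should also be surfaced in the engine response or policy report. The function body starts and ends outside the hunk, so how the final admission response is built from `patches` is not visible here.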
@@ -4,6 +4,8 @@ import ( "encoding/json" "fmt" + policy2 "github.com/nirmata/kyverno/pkg/policy" + "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" policyvalidate "github.com/nirmata/kyverno/pkg/engine/policy" @@ -36,6 +38,15 @@ func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionReques } } + if err := policy2.ValidatePolicyMutation(*policy); err != nil { + admissionResp = &v1beta1.AdmissionResponse{ + Allowed: false, + Result: &metav1.Status{ + Message: err.Error(), + }, + } + } + if admissionResp.Allowed { // if the policy contains mutating & validation rules and it config does not exist we create one // queue the request
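Review bot: The import alias `policy2` says nothing about the package, and it differs from `policyctr`, which the mutation.go hunk of this patch uses for what appears to be the same `pkg/policy` package. Using one descriptive alias across `pkg/webhooks` (for example `policyctr "github.com/nirmata/kyverno/pkg/policy"`) keeps the two call sites greppable together. The import would also fit in the existing kyverno import group rather than in a group of its own above glog.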
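Review bot: The new `policy2.ValidatePolicyMutation(*policy)` check runs even when the block closing at the top of this hunk has already produced a denial, and on failure it replaces `admissionResp`, so the earlier rejection message is overwritten. This assumes the preceding block sets `admissionResp` on a failed structural validation; it starts outside the hunk. The mutation dry-run is also executed against a policy that may already be known to be malformed. Guard it with the flag the next statement already uses, i.e. wrap the new block in `if admissionResp.Allowed {`, so the first failure is the one reported. A short comment stating that this check applies the policy to generated empty resources would tell the reader why it sits in the admission path.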