feat: add new filtering handlers (#5472)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-11-25 09:58:13 +01:00 · 2022-11-25 09:58:13 +01:00 · fa88f4a2ff
commit fa88f4a2ff
parent 67bd7b1edc
4 changed files with 69 additions and 65 deletions
--- a/pkg/webhooks/handlers/filter.go
+++ b/pkg/webhooks/handlers/filter.go
@ -8,12 +8,21 @@ import (
 	"github.com/kyverno/kyverno/pkg/config"
 	webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
 	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 )

 func (inner AdmissionHandler) WithFilter(configuration config.Configuration) AdmissionHandler {
 	return inner.withFilter(configuration).WithTrace("FILTER")
 }

+func (inner AdmissionHandler) WithOperationFilter(operations ...admissionv1.Operation) AdmissionHandler {
+	return inner.withOperationFilter(operations...).WithTrace("OPERATION")
+}
+
+func (inner AdmissionHandler) WithSubResourceFilter(subresources ...string) AdmissionHandler {
+	return inner.withSubResourceFilter(subresources...).WithTrace("SUBRESOURCE")
+}
+
 func (inner AdmissionHandler) withFilter(c config.Configuration) AdmissionHandler {
 	return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
 		if c.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
@ -25,3 +34,26 @@ func (inner AdmissionHandler) withFilter(c config.Configuration) AdmissionHandle
 		return inner(ctx, logger, request, startTime)
 	}
 }
+
+func (inner AdmissionHandler) withOperationFilter(operations ...admissionv1.Operation) AdmissionHandler {
+	allowed := sets.NewString()
+	for _, operation := range operations {
+		allowed.Insert(string(operation))
+	}
+	return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+		if allowed.Has(string(request.Operation)) {
+			return inner(ctx, logger, request, startTime)
+		}
+		return nil
+	}
+}
+
+func (inner AdmissionHandler) withSubResourceFilter(subresources ...string) AdmissionHandler {
+	allowed := sets.NewString(subresources...)
+	return func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+		if request.SubResource == "" || allowed.Has(request.SubResource) {
+			return inner(ctx, logger, request, startTime)
+		}
+		return nil
+	}
+}
--- a/pkg/webhooks/policy/handlers.go
+++ b/pkg/webhooks/policy/handlers.go
@ -26,10 +26,6 @@ func NewHandlers(client dclient.Interface, openApiManager openapi.Manager) webho
 }

 func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, _ time.Time) *admissionv1.AdmissionResponse {
-	if request.SubResource != "" {
-		logger.V(4).Info("skip policy validation on status update")
-		return admissionutils.ResponseSuccess()
-	}
 	policy, _, err := admissionutils.GetPolicies(request)
 	if err != nil {
 		logger.Error(err, "failed to unmarshal policies from admission request")
@ -38,7 +34,6 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
 	warnings, err := policyvalidate.Validate(policy, h.client, false, h.openApiManager)
 	if err != nil {
 		logger.Error(err, "policy validation errors")
-		return admissionutils.Response(err, warnings...)
 	}
 	return admissionutils.Response(err, warnings...)
 }
--- a/pkg/webhooks/resource/handlers.go
+++ b/pkg/webhooks/resource/handlers.go
@ -142,9 +142,6 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
 }

 func (h *handlers) Mutate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, failurePolicy string, startTime time.Time) *admissionv1.AdmissionResponse {
-	if request.Operation == admissionv1.Delete {
-		return admissionutils.ResponseSuccess()
-	}
 	kind := request.Kind.Kind
 	logger = logger.WithValues("kind", kind)
 	logger.V(4).Info("received an admission request in mutating webhook")
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -80,24 +80,33 @@ func NewServer(
 	policyLogger := logger.WithName("policy")
 	verifyLogger := logger.WithName("verify")
 	registerWebhookHandlers(
-		resourceLogger.WithName("mutate"),
 		mux,
 		"MUTATE",
 		config.MutatingWebhookServicePath,
-		configuration,
-		metricsConfig,
 		resourceHandlers.Mutate,
-		debugModeOpts,
+		func(handler handlers.AdmissionHandler) handlers.HttpHandler {
+			return handler.
+				WithFilter(configuration).
+				WithProtection(toggle.ProtectManagedResources.Enabled()).
+				WithDump(debugModeOpts.DumpPayload).
+				WithOperationFilter(admissionv1.Create, admissionv1.Update, admissionv1.Connect).
+				WithMetrics(metricsConfig).
+				WithAdmission(resourceLogger.WithName("mutate"))
+		},
 	)
 	registerWebhookHandlers(
-		resourceLogger.WithName("validate"),
 		mux,
 		"VALIDATE",
 		config.ValidatingWebhookServicePath,
-		configuration,
-		metricsConfig,
 		resourceHandlers.Validate,
-		debugModeOpts,
+		func(handler handlers.AdmissionHandler) handlers.HttpHandler {
+			return handler.
+				WithFilter(configuration).
+				WithProtection(toggle.ProtectManagedResources.Enabled()).
+				WithDump(debugModeOpts.DumpPayload).
+				WithMetrics(metricsConfig).
+				WithAdmission(resourceLogger.WithName("validate"))
+		},
 	)
 	mux.HandlerFunc(
 		"POST",
@ -113,6 +122,7 @@ func NewServer(
 		config.PolicyValidatingWebhookServicePath,
 		handlers.FromAdmissionFunc("VALIDATE", policyHandlers.Validate).
 			WithDump(debugModeOpts.DumpPayload).
+			WithSubResourceFilter().
 			WithMetrics(metricsConfig).
 			WithAdmission(policyLogger.WithName("validate")).
 			ToHandlerFunc(),
@ -213,61 +223,31 @@ func (s *server) cleanup(ctx context.Context) {
 }

 func registerWebhookHandlers(
-	logger logr.Logger,
 	mux *httprouter.Router,
 	name string,
 	basePath string,
-	configuration config.Configuration,
-	metricsConfig *metrics.MetricsConfig,
 	handlerFunc func(context.Context, logr.Logger, *admissionv1.AdmissionRequest, string, time.Time) *admissionv1.AdmissionResponse,
-	debugModeOpts DebugModeOptions,
+	builder func(handler handlers.AdmissionHandler) handlers.HttpHandler,
 ) {
-	mux.HandlerFunc(
-		"POST",
-		basePath,
-		handlers.FromAdmissionFunc(
-			name,
-			func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
-				return handlerFunc(ctx, logger, request, "all", startTime)
-			},
-		).
-			WithFilter(configuration).
-			WithProtection(toggle.ProtectManagedResources.Enabled()).
-			WithDump(debugModeOpts.DumpPayload).
-			WithMetrics(metricsConfig).
-			WithAdmission(logger).
-			ToHandlerFunc(),
+	all := handlers.FromAdmissionFunc(
+		name,
+		func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+			return handlerFunc(ctx, logger, request, "all", startTime)
+		},
 	)
-	mux.HandlerFunc(
-		"POST",
-		basePath+"/fail",
-		handlers.FromAdmissionFunc(
-			name,
-			func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
-				return handlerFunc(ctx, logger, request, "fail", startTime)
-			},
-		).
-			WithFilter(configuration).
-			WithProtection(toggle.ProtectManagedResources.Enabled()).
-			WithDump(debugModeOpts.DumpPayload).
-			WithMetrics(metricsConfig).
-			WithAdmission(logger).
-			ToHandlerFunc(),
+	ignore := handlers.FromAdmissionFunc(
+		name,
+		func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+			return handlerFunc(ctx, logger, request, "ignore", startTime)
+		},
 	)
-	mux.HandlerFunc(
-		"POST",
-		basePath+"/ignore",
-		handlers.FromAdmissionFunc(
-			name,
-			func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
-				return handlerFunc(ctx, logger, request, "ignore", startTime)
-			},
-		).
-			WithFilter(configuration).
-			WithProtection(toggle.ProtectManagedResources.Enabled()).
-			WithDump(debugModeOpts.DumpPayload).
-			WithMetrics(metricsConfig).
-			WithAdmission(logger).
-			ToHandlerFunc(),
+	fail := handlers.FromAdmissionFunc(
+		name,
+		func(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, startTime time.Time) *admissionv1.AdmissionResponse {
+			return handlerFunc(ctx, logger, request, "fail", startTime)
+		},
 	)
+	mux.HandlerFunc("POST", basePath, builder(all).ToHandlerFunc())
+	mux.HandlerFunc("POST", basePath+"/ignore", builder(ignore).ToHandlerFunc())
+	mux.HandlerFunc("POST", basePath+"/fail", builder(fail).ToHandlerFunc())
 }