mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

feat: add config exclusions in the engine (#7420)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-06-05 13:47:46 +02:00 committed by GitHub
parent 5d5011d5d9
commit ff7cda2694
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -183,11 +183,17 @@ func (e *engine) ContextLoader(
}
// matches checks if either the new or old resource satisfies the filter conditions defined in the rule
func matches(
func (e *engine) matches(
rule kyvernov1.Rule,
policyContext engineapi.PolicyContext,
resource unstructured.Unstructured,
) error {
if policyContext.AdmissionOperation() {
request := policyContext.AdmissionInfo()
if e.configuration.IsExcluded(request.AdmissionUserInfo.Username, request.AdmissionUserInfo.Groups, request.Roles, request.ClusterRoles) {
return fmt.Errorf("excluded by configuration")
}
}
gvk, subresource := policyContext.ResourceKind()
err := engineutils.MatchesResourceDescription(
resource,
@ -236,7 +242,7 @@ func (e *engine) invokeRuleHandler(
fmt.Sprintf("RULE %s", rule.Name),
func(ctx context.Context, span trace.Span) (unstructured.Unstructured, []engineapi.RuleResponse) {
// check if resource and rule match
if err := matches(rule, policyContext, resource); err != nil {
if err := e.matches(rule, policyContext, resource); err != nil {
logger.V(4).Info("rule not matched", "reason", err.Error())
return resource, nil
}
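Review bot: The new exclusion branch in `matches` returns a plain `fmt.Errorf("excluded by configuration")`, which `invokeRuleHandler` treats like any other non-match: it is logged only at `V(4)` as "rule not matched" and no rule response is produced. Because this skips policy evaluation based on the requester's username, groups and roles, it should be distinguishable for auditing, for example a package-level sentinel `var errExcludedByConfig = errors.New("excluded by configuration")` that the caller tests with `errors.Is` and logs at a lower verbosity. The check depends only on the admission request and not on `rule`, so it is repeated for every rule; whether it can be hoisted to a per-request caller is not visible from these hunks. The doc comment above `matches` should also cover the new behaviour, e.g. `// It also returns an error when the admission requester is excluded by the engine configuration.` Both function bodies continue outside the hunks shown.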