feat: add user info in cel engine (#12410)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-23 00:01:55 +00:00 · 2025-03-14 10:35:44 +01:00 · 2025-03-14 10:35:44 +01:00 · ff7f57713e
commit ff7f57713e
parent e190f84845
4 changed files with 23 additions and 7 deletions
--- a/cmd/cli/kubectl-kyverno/commands/apply/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go
@ -43,6 +43,7 @@ import (
 	"github.com/spf13/cobra"
 	admissionv1 "k8s.io/api/admission/v1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -285,7 +286,7 @@ func (c *ApplyCommandConfig) applyCommandHelper(out io.Writer) (*processor.Resul
 	if err != nil {
 		return rc, resources1, skippedInvalidPolicies, responses1, err
 	}
-	responses3, err := c.applyValidatingPolicies(vps, jsonPayloads, celexceptions, resources1, variables.Namespace, rc, dClient)
+	responses3, err := c.applyValidatingPolicies(vps, jsonPayloads, celexceptions, resources1, variables.Namespace, userInfo, rc, dClient)
 	if err != nil {
 		return rc, resources1, skippedInvalidPolicies, responses1, err
 	}
@ -416,6 +417,7 @@ func (c *ApplyCommandConfig) applyValidatingPolicies(
 	exceptions []*policiesv1alpha1.CELPolicyException,
 	resources []*unstructured.Unstructured,
 	namespaceProvider func(string) *corev1.Namespace,
+	userInfo *kyvernov2.RequestInfo,
 	rc *processor.ResultCounts,
 	dclient dclient.Interface,
 ) ([]engineapi.EngineResponse, error) {
@ -484,6 +486,10 @@ func (c *ApplyCommandConfig) applyValidatingPolicies(
 			return responses, fmt.Errorf("failed to map gvk to gvr %s (%v)\n", gvk, err)
 		}
 		gvr := mapping.Resource
+		var user authenticationv1.UserInfo
+		if userInfo != nil {
+			user = userInfo.AdmissionUserInfo
+		}
 		// create engine request
 		request := engine.Request(
 			contextProvider,
@ -495,6 +501,7 @@ func (c *ApplyCommandConfig) applyValidatingPolicies(
 			resource.GetNamespace(),
 			// TODO: how to manage other operations ?
 			admissionv1.Create,
+			user,
 			resource,
 			nil,
 			false,
--- a/cmd/cli/kubectl-kyverno/commands/test/test.go
+++ b/cmd/cli/kubectl-kyverno/commands/test/test.go
@ -32,6 +32,7 @@ import (
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
 	admissionv1 "k8s.io/api/admission/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@ -298,6 +299,10 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool) (*TestR
 				return nil, fmt.Errorf("failed to map gvk to gvr %s (%v)\n", gvk, err)
 			}
 			gvr := mapping.Resource
+			var user authenticationv1.UserInfo
+			if userInfo != nil {
+				user = userInfo.AdmissionUserInfo
+			}
 			// create engine request
 			request := engine.Request(
 				contextProvider,
@ -309,6 +314,7 @@ func runTest(out io.Writer, testCase test.TestCase, registryAccess bool) (*TestR
 				resource.GetNamespace(),
 				// TODO: how to manage other operations ?
 				admissionv1.Create,
+				user,
 				resource,
 				nil,
 				false,
--- a/pkg/cel/engine/vpolengine.go
+++ b/pkg/cel/engine/vpolengine.go
@ -14,6 +14,7 @@ import (
 	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	admissionv1 "k8s.io/api/admission/v1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@ -53,7 +54,7 @@ func Request(
 	name string,
 	namespace string,
 	operation admissionv1.Operation,
-	// userInfo authenticationv1.UserInfo,
+	userInfo authenticationv1.UserInfo,
 	object runtime.Object,
 	oldObject runtime.Object,
 	dryRun bool,
@ -69,11 +70,11 @@ func Request(
 		Name:               name,
 		Namespace:          namespace,
 		Operation:          operation,
-		// UserInfo: userInfo,
-		Object:    runtime.RawExtension{Object: object},
-		OldObject: runtime.RawExtension{Object: oldObject},
-		DryRun:    &dryRun,
-		Options:   runtime.RawExtension{Object: options},
+		UserInfo:           userInfo,
+		Object:             runtime.RawExtension{Object: object},
+		OldObject:          runtime.RawExtension{Object: oldObject},
+		DryRun:             &dryRun,
+		Options:            runtime.RawExtension{Object: options},
 	}
 	return RequestFromAdmission(context, request)
 }
--- a/pkg/controllers/report/utils/scanner.go
+++ b/pkg/controllers/report/utils/scanner.go
@ -21,6 +21,7 @@ import (
 	"go.uber.org/multierr"
 	admissionv1 "k8s.io/api/admission/v1"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@ -177,6 +178,7 @@ func (s *scanner) ScanResource(
 				resource.GetName(),
 				resource.GetNamespace(),
 				admissionv1.Create,
+				authenticationv1.UserInfo{},
 				&resource,
 				nil,
 				false,