mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
a9fef256c7
* updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
101 lines
3.3 KiB
Go
101 lines
3.3 KiB
Go
package patch
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
|
|
jsonpatch "github.com/evanphx/json-patch/v5"
|
|
"github.com/go-logr/logr"
|
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
|
"github.com/kyverno/kyverno/pkg/engine/utils"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
"sigs.k8s.io/yaml"
|
|
)
|
|
|
|
// ProcessPatchJSON6902 ...
|
|
func ProcessPatchJSON6902(ruleName string, patchesJSON6902 []byte, resource unstructured.Unstructured, log logr.Logger) (resp response.RuleResponse, patchedResource unstructured.Unstructured) {
|
|
logger := log.WithValues("rule", ruleName)
|
|
startTime := time.Now()
|
|
logger.V(4).Info("started JSON6902 patch", "startTime", startTime)
|
|
resp.Name = ruleName
|
|
resp.Type = utils.Mutation.String()
|
|
defer func() {
|
|
resp.RuleStats.ProcessingTime = time.Since(startTime)
|
|
resp.RuleStats.RuleExecutionTimestamp = startTime.Unix()
|
|
logger.V(4).Info("applied JSON6902 patch", "processingTime", resp.RuleStats.ProcessingTime.String())
|
|
}()
|
|
|
|
resourceRaw, err := resource.MarshalJSON()
|
|
if err != nil {
|
|
resp.Status = response.RuleStatusFail
|
|
logger.Error(err, "failed to marshal resource")
|
|
resp.Message = fmt.Sprintf("failed to marshal resource: %v", err)
|
|
return resp, resource
|
|
}
|
|
|
|
patchedResourceRaw, err := applyPatchesWithOptions(resourceRaw, patchesJSON6902)
|
|
if err != nil {
|
|
resp.Status = response.RuleStatusFail
|
|
logger.Error(err, "failed to apply JSON Patch")
|
|
resp.Message = fmt.Sprintf("failed to apply JSON Patch: %v", err)
|
|
return resp, resource
|
|
}
|
|
|
|
patchesBytes, err := generatePatches(resourceRaw, patchedResourceRaw)
|
|
if err != nil {
|
|
resp.Status = response.RuleStatusFail
|
|
logger.Error(err, "unable generate patch bytes from base and patched document, apply patchesJSON6902 directly")
|
|
resp.Message = fmt.Sprintf("unable generate patch bytes from base and patched document, apply patchesJSON6902 directly: %v", err)
|
|
return resp, resource
|
|
}
|
|
|
|
for _, p := range patchesBytes {
|
|
log.V(4).Info("generated JSON Patch (RFC 6902)", "patch", string(p))
|
|
}
|
|
|
|
err = patchedResource.UnmarshalJSON(patchedResourceRaw)
|
|
if err != nil {
|
|
logger.Error(err, "failed to unmarshal resource")
|
|
resp.Status = response.RuleStatusFail
|
|
resp.Message = fmt.Sprintf("failed to unmarshal resource: %v", err)
|
|
return resp, resource
|
|
}
|
|
|
|
resp.Status = response.RuleStatusPass
|
|
resp.Message = string("applied JSON Patch")
|
|
resp.Patches = patchesBytes
|
|
return resp, patchedResource
|
|
}
|
|
|
|
func applyPatchesWithOptions(resource, patch []byte) ([]byte, error) {
|
|
patches, err := jsonpatch.DecodePatch(patch)
|
|
if err != nil {
|
|
return resource, fmt.Errorf("failed to decode patches: %v", err)
|
|
}
|
|
|
|
options := &jsonpatch.ApplyOptions{SupportNegativeIndices: true, AllowMissingPathOnRemove: true, EnsurePathExistsOnAdd: true}
|
|
patchedResource, err := patches.ApplyWithOptions(resource, options)
|
|
if err != nil {
|
|
return resource, err
|
|
}
|
|
|
|
return patchedResource, nil
|
|
}
|
|
|
|
func ConvertPatchesToJSON(patchesJSON6902 string) ([]byte, error) {
|
|
if len(patchesJSON6902) == 0 {
|
|
return []byte(patchesJSON6902), nil
|
|
}
|
|
|
|
if patchesJSON6902[0] != '[' {
|
|
// If the patch doesn't look like a JSON6902 patch, we
|
|
// try to parse it to json.
|
|
op, err := yaml.YAMLToJSON([]byte(patchesJSON6902))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to convert patchesJSON6902 to JSON: %v", err)
|
|
}
|
|
return op, nil
|
|
}
|
|
|
|
return []byte(patchesJSON6902), nil
|
|
}
|