mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 00:17:13 +00:00
77 lines
2.2 KiB
Go
77 lines
2.2 KiB
Go
package controller
|
|
|
|
import (
|
|
"github.com/golang/glog"
|
|
"github.com/minio/minio/pkg/wildcard"
|
|
"github.com/nirmata/kyverno/pkg/annotations"
|
|
v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
|
|
client "github.com/nirmata/kyverno/pkg/dclient"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
)
|
|
|
|
func cleanAnnotations(client *client.Client, obj interface{}) {
|
|
// get the policy struct from interface
|
|
unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
|
|
if err != nil {
|
|
glog.Error(err)
|
|
return
|
|
}
|
|
policy := v1alpha1.Policy{}
|
|
if err := runtime.DefaultUnstructuredConverter.FromUnstructured(unstr, &policy); err != nil {
|
|
glog.Error(err)
|
|
return
|
|
}
|
|
// Get the resources that apply to the policy
|
|
// key uid
|
|
resourceMap := map[string]unstructured.Unstructured{}
|
|
for _, rule := range policy.Spec.Rules {
|
|
for _, k := range rule.Kinds {
|
|
if k == "Namespace" {
|
|
continue
|
|
}
|
|
// kind -> resource
|
|
gvr := client.DiscoveryClient.GetGVRFromKind(k)
|
|
// label selectors
|
|
// namespace ? should it be default or allow policy to specify it
|
|
namespace := "default"
|
|
if rule.ResourceDescription.Namespace != nil {
|
|
namespace = *rule.ResourceDescription.Namespace
|
|
}
|
|
list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector)
|
|
if err != nil {
|
|
glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String())
|
|
glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err)
|
|
continue
|
|
}
|
|
for _, res := range list.Items {
|
|
name := rule.ResourceDescription.Name
|
|
if name != nil {
|
|
// wild card matching
|
|
if !wildcard.Match(*name, res.GetName()) {
|
|
continue
|
|
}
|
|
}
|
|
resourceMap[string(res.GetUID())] = res
|
|
}
|
|
}
|
|
}
|
|
|
|
// remove annotations for the resources
|
|
for _, obj := range resourceMap {
|
|
// get annotations
|
|
ann := obj.GetAnnotations()
|
|
|
|
_, patch, err := annotations.RemovePolicyJSONPatch(ann, annotations.BuildKey(policy.Name))
|
|
if err != nil {
|
|
glog.Error(err)
|
|
continue
|
|
}
|
|
// patch the resource
|
|
_, err = client.PatchResource(obj.GetKind(), obj.GetNamespace(), obj.GetName(), patch)
|
|
if err != nil {
|
|
glog.Error(err)
|
|
continue
|
|
}
|
|
}
|
|
}
|