mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/pkg/background/common/context.go
shuting 845a83d3e2
Cherry-pick #4022 (#4033) 
* Cherry-pick #4022

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Remove unused file
2022-05-30 09:26:03 +05:30

111 lines
3.2 KiB
Go
Raw Blame History

package common
import (
"fmt"
"reflect"
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"
"github.com/kyverno/kyverno/pkg/config"
dclient "github.com/kyverno/kyverno/pkg/dclient"
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/context"
utils "github.com/kyverno/kyverno/pkg/utils"
"github.com/pkg/errors"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
func NewBackgroundContext(dclient dclient.Interface, ur *urkyverno.UpdateRequest,
policy kyverno.PolicyInterface, trigger *unstructured.Unstructured,
cfg config.Configuration, namespaceLabels map[string]string, logger logr.Logger) (*engine.PolicyContext, bool, error) {
ctx := context.NewContext()
var new, old unstructured.Unstructured
var err error
if ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest != nil {
if err := ctx.AddRequest(ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest); err != nil {
return nil, false, errors.Wrap(err, "failed to load request in context")
}
new, old, err = utils.ExtractResources(nil, ur.Spec.Context.AdmissionRequestInfo.AdmissionRequest)
if err != nil {
return nil, false, errors.Wrap(err, "failed to load request in context")
}
if !reflect.DeepEqual(new, unstructured.Unstructured{}) {
if !check(&new, trigger) {
err := fmt.Errorf("resources don't match")
return nil, false, errors.Wrapf(err, "resource %v", ur.Spec.Resource)
}
}
}
if trigger == nil {
trigger = &old
}
if trigger == nil {
return nil, false, errors.New("trigger resource does not exist")
}
err = ctx.AddResource(trigger.Object)
if err != nil {
return nil, false, errors.Wrap(err, "failed to load resource in context")
}
err = ctx.AddOldResource(old.Object)
if err != nil {
return nil, false, errors.Wrap(err, "failed to load resource in context")
}
err = ctx.AddUserInfo(ur.Spec.Context.UserRequestInfo)
if err != nil {
return nil, false, errors.Wrapf(err, "failed to load SA in context")
}
err = ctx.AddServiceAccount(ur.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username)
if err != nil {
return nil, false, errors.Wrapf(err, "failed to load UserInfo in context")
}
if err := ctx.AddImageInfos(trigger); err != nil {
logger.Error(err, "unable to add image info to variables context")
}
policyContext := &engine.PolicyContext{
NewResource: *trigger,
OldResource: old,
Policy: policy,
AdmissionInfo: ur.Spec.Context.UserRequestInfo,
ExcludeGroupRole: cfg.GetExcludeGroupRole(),
ExcludeResourceFunc: cfg.ToFilter,
JSONContext: ctx,
NamespaceLabels: namespaceLabels,
Client: dclient,
AdmissionOperation: false,
}
return policyContext, false, nil
}
func check(admissionRsc, existingRsc *unstructured.Unstructured) bool {
if existingRsc == nil {
return admissionRsc == nil
}
if admissionRsc.GetName() != existingRsc.GetName() {
return false
}
if admissionRsc.GetNamespace() != existingRsc.GetNamespace() {
return false
}
if admissionRsc.GetKind() != existingRsc.GetKind() {
return false
}
if admissionRsc.GetAPIVersion() != existingRsc.GetAPIVersion() {
return false
}
return true
}
View git blame Copy permalink