shuting 5c5a5fc0b0
feat: reconcile ivpol.status (#12392)
* feat: update ivpol.status api

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: fix unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: update codegen

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: update codegen

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: reconcile ivpol.status

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: linter issues

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: autogen fields replacement

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: add unit tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: update ivpol autogen rules

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* feat: invoke ivpol webhook handler

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
2025-03-15 05:29:19 +05:30


package eval
import (
"encoding/json"
"strings"
"github.com/kyverno/kyverno/api/kyverno"
policiesv1alpha1 "github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"gomodules.xyz/jsonpatch/v2"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/util/sets"
)
// ImageVerificationOutcome is the serialisable, per-policy result of image
// verification. A map of these (keyed by policy name) is what
// MakeImageVerifyOutcomePatch marshals into the outcomes annotation, so the
// JSON tags below define the annotation's wire format.
type ImageVerificationOutcome struct {
	// Name is the rule name specified in policy.
	Name string `json:"name,omitempty"`
	// RuleType is the rule type (Mutation, Generation, Validation) for a Kyverno policy.
	RuleType engineapi.RuleType `json:"ruleType,omitempty"`
	// Message is the message response from the rule application.
	Message string `json:"message,omitempty"`
	// Status is the rule status.
	Status engineapi.RuleStatus `json:"status,omitempty"`
	// EmitWarning enables passing the rule message as a warning to the API
	// server warning header.
	EmitWarning bool `json:"emitWarning,omitempty"`
	// Properties are the additional properties from the rule that will be
	// added to the policy report result.
	Properties map[string]string `json:"properties,omitempty"`
}
// ImageVerifyEngineResponse groups the per-policy image verification
// responses produced for one resource.
type ImageVerifyEngineResponse struct {
	// Resource is the resource the responses refer to.
	// NOTE(review): presumably the admission object under evaluation; it is
	// not read anywhere in this file, so confirm with the caller.
	Resource *unstructured.Unstructured
	// Policies holds one response per evaluated policy.
	Policies []ImageVerifyPolicyResponse
}
// ImageVerifyPolicyResponse is the result of evaluating a single
// ImageVerificationPolicy against a resource.
type ImageVerifyPolicyResponse struct {
	// Policy is the policy that produced this response.
	Policy *policiesv1alpha1.ImageVerificationPolicy
	// Actions is the set of validation actions associated with the policy.
	// NOTE(review): not consumed in this file; presumably decides whether a
	// failure denies or only audits — confirm against the caller.
	Actions sets.Set[admissionregistrationv1.ValidationAction]
	// Result is the rule response; its accessors (Name, RuleType, Message,
	// Status, EmitWarning, Properties) feed ImageVerificationOutcome.
	Result engineapi.RuleResponse
}
// outcomeFromPolicyResponse projects every ImageVerifyPolicyResponse onto its
// serialisable ImageVerificationOutcome, keyed by the same policy name.
//
// Only the Result accessors are consulted; Policy and Actions are not copied
// into the outcome. A nil or empty input yields an empty, non-nil map.
func outcomeFromPolicyResponse(responses map[string]ImageVerifyPolicyResponse) map[string]ImageVerificationOutcome {
	out := make(map[string]ImageVerificationOutcome, len(responses))
	for policyName, policyResp := range responses {
		out[policyName] = outcomeOf(policyResp)
	}
	return out
}

// outcomeOf copies the rule-level fields of a single policy response into an
// ImageVerificationOutcome.
func outcomeOf(policyResp ImageVerifyPolicyResponse) ImageVerificationOutcome {
	return ImageVerificationOutcome{
		Name:        policyResp.Result.Name(),
		RuleType:    policyResp.Result.RuleType(),
		Message:     policyResp.Result.Message(),
		Status:      policyResp.Result.Status(),
		EmitWarning: policyResp.Result.EmitWarning(),
		Properties:  policyResp.Result.Properties(),
	}
}
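// MakeImageVerifyOutcomePatch builds the JSON patch operations that record the
// image verification outcomes of responses on the target resource.
//
// The outcomes are marshaled to a JSON string and written as the value of the
// kyverno.AnnotationImageVerifyOutcomes annotation. When hasAnnotations is
// false, an "add" of an empty /metadata/annotations object is emitted first so
// that the annotation path resolves. Callers must pass the resource's real
// state: per RFC 6902 an "add" on an existing member replaces it, so passing
// false for a resource that already has annotations would drop them.
//
// The annotation key is escaped as a JSON Pointer reference token (RFC 6901):
// "~" becomes "~0" and "/" becomes "~1", in that order. The original escaped
// only "/", which is equivalent for keys that contain no tilde.
//
// It returns the patches in application order, or the json.Marshal error when
// the outcomes cannot be encoded (no patches are returned in that case).
func MakeImageVerifyOutcomePatch(hasAnnotations bool, responses map[string]ImageVerifyPolicyResponse) ([]jsonpatch.JsonPatchOperation, error) {
	// Encode first so a marshal failure produces no partial patch list and
	// no misleading "adding ... patch" log line.
	outcomes := outcomeFromPolicyResponse(responses)
	data, err := json.Marshal(outcomes)
	if err != nil {
		return nil, err
	}

	// RFC 6901 token escaping; NewReplacer performs a single pass, so the
	// "~" inserted by the "/" rule is never re-escaped.
	pointerEscaper := strings.NewReplacer("~", "~0", "/", "~1")
	annotationKey := "/metadata/annotations/" + pointerEscaper.Replace(kyverno.AnnotationImageVerifyOutcomes)

	// At most two operations: the optional annotations container plus the key.
	patches := make([]jsonpatch.JsonPatchOperation, 0, 2)
	if !hasAnnotations {
		patch := jsonpatch.JsonPatchOperation{
			Operation: "add",
			Path:      "/metadata/annotations",
			Value:     map[string]string{},
		}
		logger.V(4).Info("adding annotation patch", "patch", patch)
		patches = append(patches, patch)
	}

	patch := jsonpatch.JsonPatchOperation{
		Operation: "add",
		Path:      annotationKey,
		Value:     string(data),
	}
	logger.V(4).Info("adding image verification patch", "patch", patch)
	patches = append(patches, patch)
	return patches, nil
}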