mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
b385693509
* feat: add interface for image verify cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add basic client for cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add ttl to client Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add flags and flag setup Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: added a default image verify cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add propogation of cache to image verifier Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add useCache to image verification types Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * bug: add ivcache to image verifier Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add logger to cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * typo: DisabledImageVerfiyCache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * typo: DisabledImageVerfiyCache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * Update cmd/internal/flag.go Signed-off-by: shuting <shutting06@gmail.com> * feat: add use cache to v2beta1 crd Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * bug: change public attribute TTL to private Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: replace nil in test with disabled cache Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: convert ttl time to time.Duration Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: update opts to use time.Duration Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat:add policy version and remove delete functions by adding policy version, old entries will automatically become outdated and we will not have to remove them manually Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: remove clear and update get and set to take interface as input Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * style: fix lint issue Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
65 lines
1.8 KiB
Go
65 lines
1.8 KiB
Go
package engine
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
"github.com/kyverno/kyverno/pkg/autogen"
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
|
"github.com/kyverno/kyverno/pkg/engine/handlers"
|
|
"github.com/kyverno/kyverno/pkg/engine/handlers/mutation"
|
|
"github.com/kyverno/kyverno/pkg/engine/internal"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
)
|
|
|
|
func (e *engine) verifyAndPatchImages(
|
|
ctx context.Context,
|
|
logger logr.Logger,
|
|
policyContext engineapi.PolicyContext,
|
|
) (engineapi.PolicyResponse, unstructured.Unstructured, engineapi.ImageVerificationMetadata) {
|
|
resp := engineapi.NewPolicyResponse()
|
|
policy := policyContext.Policy()
|
|
matchedResource := policyContext.NewResource()
|
|
applyRules := policy.GetSpec().GetApplyRules()
|
|
ivm := engineapi.ImageVerificationMetadata{}
|
|
|
|
policyContext.JSONContext().Checkpoint()
|
|
defer policyContext.JSONContext().Restore()
|
|
|
|
for _, rule := range autogen.ComputeRules(policy) {
|
|
startTime := time.Now()
|
|
logger := internal.LoggerWithRule(logger, rule)
|
|
handlerFactory := func() (handlers.Handler, error) {
|
|
if !rule.HasVerifyImages() {
|
|
return nil, nil
|
|
}
|
|
return mutation.NewMutateImageHandler(
|
|
policyContext,
|
|
matchedResource,
|
|
rule,
|
|
e.configuration,
|
|
e.rclientFactory,
|
|
e.ivCache,
|
|
&ivm,
|
|
e.imageSignatureRepository,
|
|
)
|
|
}
|
|
resource, ruleResp := e.invokeRuleHandler(
|
|
ctx,
|
|
logger,
|
|
handlerFactory,
|
|
policyContext,
|
|
matchedResource,
|
|
rule,
|
|
engineapi.ImageVerify,
|
|
)
|
|
matchedResource = resource
|
|
resp.Add(engineapi.NewExecutionStats(startTime, time.Now()), ruleResp...)
|
|
if applyRules == kyvernov1.ApplyOne && resp.RulesAppliedCount() > 0 {
|
|
break
|
|
}
|
|
}
|
|
return resp, matchedResource, ivm
|
|
}
|