mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
Code Activity
kyverno/pkg/engine/validation.go
Mariam Fahmy 7f6fb24057
feat: support cel expression in validate rules (#7070) 
* feat: support cel expression in validate rules

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Adding CEL preconditions in kyverno policies

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Support parameter resources in validate.cel subrule

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Adding CEL preconditions in kyverno policies

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Add kuttl tests for validate.cel subrule

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Fix disallow-host-path kuttl test

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Add kuttl test for cel preconditions

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Fix kuttl tests for validate.cel

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Use K8S API Validation and AuditAnnotation

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Use K8S API ParamKind and ParamRef

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

---------

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2023-05-31 14:30:55 -07:00

80 lines
2.2 KiB
Go
Raw Blame History

package engine
import (
"context"
"time"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/autogen"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/engine/handlers"
"github.com/kyverno/kyverno/pkg/engine/handlers/validation"
"github.com/kyverno/kyverno/pkg/engine/internal"
)
func (e *engine) validate(
ctx context.Context,
logger logr.Logger,
policyContext engineapi.PolicyContext,
) engineapi.PolicyResponse {
resp := engineapi.NewPolicyResponse()
policy := policyContext.Policy()
matchedResource := policyContext.NewResource()
applyRules := policy.GetSpec().GetApplyRules()
policyContext.JSONContext().Checkpoint()
defer policyContext.JSONContext().Restore()
for _, rule := range autogen.ComputeRules(policy) {
startTime := time.Now()
logger := internal.LoggerWithRule(logger, rule)
handlerFactory := func() (handlers.Handler, error) {
hasValidate := rule.HasValidate()
hasVerifyImageChecks := rule.HasVerifyImageChecks()
if !hasValidate && !hasVerifyImageChecks {
return nil, nil
}
if hasValidate {
hasVerifyManifest := rule.HasVerifyManifests()
hasValidatePss := rule.HasValidatePodSecurity()
hasValidateCEL := rule.HasValidateCEL()
if hasVerifyManifest {
return validation.NewValidateManifestHandler(
policyContext,
e.client,
)
} else if hasValidatePss {
return validation.NewValidatePssHandler()
} else if hasValidateCEL {
return validation.NewValidateCELHandler(e.client)
} else {
return validation.NewValidateResourceHandler()
}
} else if hasVerifyImageChecks {
return validation.NewValidateImageHandler(
policyContext,
policyContext.NewResource(),
rule,
e.configuration,
)
}
return nil, nil
}
resource, ruleResp := e.invokeRuleHandler(
ctx,
logger,
handlerFactory,
policyContext,
matchedResource,
rule,
engineapi.Validation,
)
matchedResource = resource
resp.Add(engineapi.NewExecutionStats(startTime, time.Now()), ruleResp...)
if applyRules == kyvernov1.ApplyOne && resp.RulesAppliedCount() > 0 {
break
}
}
return resp
}
View git blame Copy permalink