mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
481798c836
* chore: remove v1beta1 updaterequest definitions Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: update UR to map a policy instead a rule; adapt UR mapping changes for admission review Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: update code-gen Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: linter Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: remove unused function Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: add missing files Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: add missing files Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update ur in policy controller Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: update crds Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: adapt ur changes in the background controller Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: linter Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: more linter Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: modify mapping relationship for deletion events Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: remedy missing target for policy application Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: fetching logic for triggers Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: clean up targets upon policy deletion Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update crds Signed-off-by: ShutingZhao <shuting@nirmata.com> * merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> * merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: adds delay before assertion Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: wrong yaml format Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: update error handling logic Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix(attempt): enable more debug info Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix(attempt): enable debug log Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix(attempt): enable debug log Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix(attempt): enable debug log Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: makefile to update ur crds Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: generate existing Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: skip empty ur generation Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: update install.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
102 lines
2.9 KiB
Go
102 lines
2.9 KiB
Go
package common
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/go-logr/logr"
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
|
"github.com/kyverno/kyverno/pkg/config"
|
|
"github.com/kyverno/kyverno/pkg/engine"
|
|
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
)
|
|
|
|
func NewBackgroundContext(
|
|
logger logr.Logger,
|
|
dclient dclient.Interface,
|
|
urContext kyvernov2.UpdateRequestSpecContext,
|
|
policy kyvernov1.PolicyInterface,
|
|
trigger *unstructured.Unstructured,
|
|
cfg config.Configuration,
|
|
jp jmespath.Interface,
|
|
namespaceLabels map[string]string,
|
|
) (*engine.PolicyContext, error) {
|
|
var new, old unstructured.Unstructured
|
|
var err error
|
|
|
|
if urContext.AdmissionRequestInfo.AdmissionRequest != nil {
|
|
new, old, err = admissionutils.ExtractResources(nil, *urContext.AdmissionRequestInfo.AdmissionRequest)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to load request in context: %w", err)
|
|
}
|
|
if new.Object != nil {
|
|
if !check(&new, trigger) {
|
|
return nil, fmt.Errorf("resources don't match, want: %v/%v, got: %v/%v",
|
|
trigger.GetNamespace(), trigger.GetName(), new.GetNamespace(), new.GetName())
|
|
}
|
|
}
|
|
}
|
|
if trigger == nil {
|
|
trigger = &old
|
|
}
|
|
if trigger == nil {
|
|
return nil, fmt.Errorf("trigger resource does not exist")
|
|
}
|
|
|
|
var policyContext *engine.PolicyContext
|
|
if urContext.AdmissionRequestInfo.AdmissionRequest == nil {
|
|
policyContext, err = engine.NewPolicyContext(
|
|
jp,
|
|
*trigger,
|
|
kyvernov1.AdmissionOperation(urContext.AdmissionRequestInfo.Operation),
|
|
&urContext.UserRequestInfo,
|
|
cfg,
|
|
)
|
|
} else {
|
|
policyContext, err = engine.NewPolicyContextFromAdmissionRequest(
|
|
jp,
|
|
*urContext.AdmissionRequestInfo.AdmissionRequest,
|
|
urContext.UserRequestInfo,
|
|
trigger.GroupVersionKind(),
|
|
cfg,
|
|
)
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
policyContext = policyContext.
|
|
WithPolicy(policy).
|
|
WithNewResource(*trigger).
|
|
WithOldResource(old).
|
|
WithNamespaceLabels(namespaceLabels).
|
|
WithAdmissionOperation(false)
|
|
if err = policyContext.JSONContext().AddResource(trigger.Object); err != nil {
|
|
return nil, fmt.Errorf("failed to load resource in context: %w", err)
|
|
}
|
|
if err = policyContext.JSONContext().AddOldResource(old.Object); err != nil {
|
|
return nil, fmt.Errorf("failed to load resource in context: %w", err)
|
|
}
|
|
return policyContext, nil
|
|
}
|
|
|
|
func check(admissionRsc, existingRsc *unstructured.Unstructured) bool {
|
|
if existingRsc == nil {
|
|
return admissionRsc == nil
|
|
}
|
|
if admissionRsc.GetName() != existingRsc.GetName() {
|
|
return false
|
|
}
|
|
if admissionRsc.GetNamespace() != existingRsc.GetNamespace() {
|
|
return false
|
|
}
|
|
if admissionRsc.GetKind() != existingRsc.GetKind() {
|
|
return false
|
|
}
|
|
if admissionRsc.GetAPIVersion() != existingRsc.GetAPIVersion() {
|
|
return false
|
|
}
|
|
return true
|
|
}
|