mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
47 lines
1.3 KiB
Go
47 lines
1.3 KiB
Go
package utils
|
|
|
|
import (
|
|
"github.com/go-logr/logr"
|
|
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
|
"github.com/kyverno/kyverno/pkg/utils/conditions"
|
|
matched "github.com/kyverno/kyverno/pkg/utils/match"
|
|
)
|
|
|
|
// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource.
|
|
// It returns the matched policy exception.
|
|
func MatchesException(
|
|
polexs []kyvernov2.PolicyException,
|
|
policyContext engineapi.PolicyContext,
|
|
logger logr.Logger,
|
|
) *kyvernov2.PolicyException {
|
|
gvk, subresource := policyContext.ResourceKind()
|
|
resource := policyContext.NewResource()
|
|
if resource.Object == nil {
|
|
resource = policyContext.OldResource()
|
|
}
|
|
for _, polex := range polexs {
|
|
err := matched.CheckMatchesResources(
|
|
resource,
|
|
polex.Spec.Match,
|
|
policyContext.NamespaceLabels(),
|
|
policyContext.AdmissionInfo(),
|
|
gvk,
|
|
subresource,
|
|
)
|
|
// if there's no error it means a match
|
|
if err == nil {
|
|
if polex.Spec.Conditions != nil {
|
|
passed, err := conditions.CheckAnyAllConditions(logger, policyContext.JSONContext(), *polex.Spec.Conditions)
|
|
if err != nil {
|
|
return nil
|
|
}
|
|
if !passed {
|
|
return nil
|
|
}
|
|
}
|
|
return &polex
|
|
}
|
|
}
|
|
return nil
|
|
}
|