package webhooks
import (
"fmt"
"regexp"
types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
"k8s.io/api/admission/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// supportedKinds is the fixed list of resource kinds the webhook evaluates
// policies for. kindIsSupported consults it with an exact, case-sensitive
// string comparison, so an entry must match request.Kind.Kind verbatim.
//
// NOTE(review): "Pod" is not listed, so Pod admission requests are not
// evaluated at all (only PodTemplate is) — confirm this is intended.
var supportedKinds = [...]string{
	"ConfigMap",
	"CronJob",
	"DaemonSet",
	"Deployment",
	"Endpoints",
	"HorizontalPodAutoscaler",
	"Ingress",
	"Job",
	"LimitRange",
	"Namespace",
	"NetworkPolicy",
	"PersistentVolumeClaim",
	"PodDisruptionBudget",
	"PodTemplate",
	"ResourceQuota",
	"Secret",
	"Service",
	"StatefulSet",
}
// kindIsSupported reports whether kind appears in supportedKinds. The
// comparison is exact and case-sensitive; no aliasing or normalisation of
// the kind string is performed.
func kindIsSupported(kind string) bool {
	found := false
	for i := 0; i < len(supportedKinds) && !found; i++ {
		found = supportedKinds[i] == kind
	}
	return found
}
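// AdmissionIsRequired reports whether the webhook should evaluate policies
// for request. That is the case only when the requested object's kind is one
// of supportedKinds. A nil request never requires admission handling and
// no longer dereferences a nil pointer.
func AdmissionIsRequired(request *v1beta1.AdmissionRequest) bool {
	if request == nil {
		return false
	}
	// Further hard-coded gating checks can be placed here, before the
	// kind lookup.
	return kindIsSupported(request.Kind.Kind)
}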
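// IsRuleApplicableToRequest reports whether policyResource scopes the object
// carried by request, delegating to IsRuleApplicableToResource with the
// request's kind and raw object body. A nil request yields an error instead
// of a nil-pointer panic.
//
// NOTE(review): request.Object.Raw is passed, which is empty for DELETE
// operations (the object is then in request.OldObject); since a nil body
// skips the name and label checks in IsRuleApplicableToResource, confirm
// that is the intended behaviour for deletes.
func IsRuleApplicableToRequest(policyResource types.PolicyResource, request *v1beta1.AdmissionRequest) (bool, error) {
	if request == nil {
		return false, fmt.Errorf("nil admission request")
	}
	return IsRuleApplicableToResource(request.Kind.Kind, request.Object.Raw, policyResource)
}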
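// IsRuleApplicableToResource reports whether policyResource scopes the object
// described by kind (the type of object being manipulated) and resourceRaw
// (the object's raw body as carried in the admission request).
//
// The checks are applied in order and each one that fails returns
// (false, nil):
//   - kind must equal policyResource.Kind;
//   - if policyResource.Name is set, it must equal the object's name or,
//     failing that, match it as a regular expression;
//   - if policyResource.Selector is set, it must match the object's labels.
//
// The name and selector checks are independent: a rule scoped only by labels,
// or by both name and labels, is honoured, and an exact name match does not
// skip the selector. When resourceRaw is nil there is no object to inspect
// and only the kind comparison applies.
//
// A non-nil error is returned when policyResource.Name is not a valid
// regular expression or policyResource.Selector cannot be converted to a
// label selector.
func IsRuleApplicableToResource(kind string, resourceRaw []byte, policyResource types.PolicyResource) (bool, error) {
	if policyResource.Kind != kind {
		return false, nil
	}
	// No object body: nothing to match a name or labels against.
	if resourceRaw == nil {
		return true, nil
	}

	meta := parseMetadataFromObject(resourceRaw)

	if policyResource.Name != nil {
		pattern := *policyResource.Name
		name := parseNameFromMetadata(meta)
		// A literal match short-circuits the regexp; the selector check
		// below still runs afterwards.
		if pattern != name {
			// Regex syntax is validated when the policy itself is validated
			// (policyResource.Validate()); the error is still surfaced here
			// rather than silently treated as "no match".
			// NOTE(review): the result of parseRegexPolicyResourceName is
			// discarded, as in the original — confirm whether the pattern it
			// yields should be the one matched below.
			parseRegexPolicyResourceName(pattern)
			// NOTE(review): MatchString is unanchored, so pattern matches
			// anywhere in name unless it carries its own ^ and $.
			match, err := regexp.MatchString(pattern, name)
			if err != nil {
				return false, fmt.Errorf("invalid resource name pattern %q: %v", pattern, err)
			}
			if !match {
				return false, nil
			}
		}
	}

	if policyResource.Selector != nil {
		selector, err := metav1.LabelSelectorAsSelector(policyResource.Selector)
		if err != nil {
			return false, err
		}
		if !selector.Matches(parseLabelsFromMetadata(meta)) {
			return false, nil
		}
	}

	return true, nil
}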