* feat: allow changes to preexisting resources that violate a validate foreach, cel or pss policy Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: do old object verification as create operation this fixes the case where we are checking request.operation in a deny condition Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update the json context in set operation Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: typo Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update error message Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add match and exclude check Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: match exclude in if Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add option to disable validation of old object Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: chainsaw tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: update readme Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: conflicts Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: chainsaw tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: nil ptr error Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: old obj verification in assert Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: codegen Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 
* feat: chainsaw tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: chainsaw test for assert Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: cleanup Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: chainsaw tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: pss Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: common functions for allow existing violations Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: types Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: typos Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: pss old resource Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: chainsaw test for PSS Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: use old objects Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: more merge changes Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: e2e matrxix Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: refactor and dont return error when old obj validation fails Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: return resp when not matched Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add logs and return skip when old object validation fails Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * Update validate_resource.go Co-authored-by: shuting <shutting06@gmail.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * Update validate_pss.go Co-authored-by: shuting <shutting06@gmail.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * Update validate_assert.go Co-authored-by: shuting <shutting06@gmail.com> Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Jim Bugwadia 
<jim@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com>
package utils
import (
"fmt"
jsonpatch "github.com/evanphx/json-patch/v5"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"github.com/kyverno/kyverno/pkg/logging"
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
// IsDeleteRequest reports whether the admission request described by ctx is a
// DELETE. A nil context is never treated as a delete.
//
// When the context carries an explicit operation, that operation is
// authoritative. Otherwise the decision falls back to the shape of the
// request: an empty new resource is treated as a DELETE.
func IsDeleteRequest(ctx engineapi.PolicyContext) bool {
	if ctx == nil {
		return false
	}

	// An explicit operation wins over any inference from the resources.
	op := ctx.Operation()
	if string(op) != "" {
		return op == kyvernov1.Delete
	}

	// No operation recorded: infer from the new resource. Only a DELETE is
	// expected to arrive without a new object.
	res := ctx.NewResource()
	return IsEmptyUnstructured(&res)
}
// IsEmptyUnstructured reports whether u carries no object data: either the
// pointer itself is nil or its Object map was never populated.
//
// Note that a non-nil but empty Object map is NOT considered empty here; only
// a nil map counts, matching how an unset unstructured value looks.
func IsEmptyUnstructured(u *unstructured.Unstructured) bool {
	return u == nil || u.Object == nil
}
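// ApplyPatches applies the given JSON patches to resource and returns the
// patched document. The patches are joined into a single JSON patch document
// before being decoded and applied.
//
// On any error the original resource is returned alongside the error, so
// callers can safely continue with the unmodified document. An empty patch
// list is a no-op that returns resource unchanged.
func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) {
	if len(patches) == 0 {
		return resource, nil
	}

	joinedPatches := jsonutils.JoinPatches(patches...)
	patch, err := jsonpatch.DecodePatch(joinedPatches)
	if err != nil {
		// patch is nil when decoding fails, so log the raw joined input
		// instead; otherwise the log line carries nothing useful.
		logging.V(4).Info("failed to decode JSON patch", "patch", string(joinedPatches))
		return resource, err
	}

	patchedDocument, err := patch.Apply(resource)
	if err != nil {
		logging.V(4).Info("failed to apply JSON patch", "patch", patch)
		return resource, err
	}

	logging.V(4).Info("applied JSON patch", "patch", patch)
	return patchedDocument, nil
}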
// ApplyPatchNew applies a single, already-joined JSON patch to resource and
// returns the patched document.
//
// If the patch cannot be decoded or applied, the original resource is
// returned together with the error.
func ApplyPatchNew(resource, patch []byte) ([]byte, error) {
	// Named so as not to shadow the imported jsonpatch package.
	decoded, err := jsonpatch.DecodePatch(patch)
	if err != nil {
		return resource, err
	}

	patched, err := decoded.Apply(resource)
	if err != nil {
		return resource, err
	}
	return patched, nil
}
// TransformConditions normalises the preconditions of a rule into a value the
// engine can evaluate. It accepts the any/all form (by value or by pointer) as
// well as the legacy flat list of conditions, and returns a deep copy so the
// caller cannot mutate the policy it came from.
//
// A nil input (or a nil *AnyAllConditions) yields an empty AnyAllConditions.
// Any other type is rejected with an error.
func TransformConditions(original apiextensions.JSON) (interface{}, error) {
	switch conditions := original.(type) {
	case nil:
		return kyvernov1.AnyAllConditions{}, nil
	case *kyvernov1.AnyAllConditions:
		if conditions == nil {
			return kyvernov1.AnyAllConditions{}, nil
		}
		return *conditions.DeepCopy(), nil
	case kyvernov1.AnyAllConditions:
		return *conditions.DeepCopy(), nil
	case []kyvernov1.Condition:
		// Legacy form: a plain list of conditions. A nil/empty input stays a
		// nil slice so the result serialises exactly as the input did.
		var copied []kyvernov1.Condition
		for i := range conditions {
			copied = append(copied, *conditions[i].DeepCopy())
		}
		return copied, nil
	default:
		return nil, fmt.Errorf("invalid preconditions")
	}
}
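// IsSameRuleResponse reports whether two rule responses are equivalent for
// comparison purposes: same rule name, rule type, message and status. No
// other part of the response is compared.
//
// Nil responses are handled: two nil responses are considered the same, while
// a nil and a non-nil response are not.
func IsSameRuleResponse(r1 *engineapi.RuleResponse, r2 *engineapi.RuleResponse) bool {
	// Avoid a nil dereference when either side is missing.
	if r1 == nil || r2 == nil {
		return r1 == r2
	}
	return r1.Name() == r2.Name() &&
		r1.RuleType() == r2.RuleType() &&
		r1.Message() == r2.Message() &&
		r1.Status() == r2.Status()
}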
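// IsUpdateRequest reports whether the admission request described by ctx is an
// UPDATE. A nil context is never treated as an update, consistent with
// IsDeleteRequest.
//
// A request counts as an update either when both the old and the new resource
// are present, or when the operation is explicitly UPDATE; the first form
// covers contexts that were built without an operation.
func IsUpdateRequest(ctx engineapi.PolicyContext) bool {
	if ctx == nil {
		return false
	}

	// Both objects present implies an existing resource is being replaced.
	oldResource, newResource := ctx.OldResource(), ctx.NewResource()
	if oldResource.Object != nil && newResource.Object != nil {
		return true
	}
	return ctx.Operation() == kyvernov1.Update
}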