mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 17:37:12 +00:00
4e3f297da2
* fix: update match logic for old object validation Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: failing test due to user info Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: debug logs Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
34 lines
1.1 KiB
Go
34 lines
1.1 KiB
Go
package validation
|
|
|
|
import (
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
|
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
|
authenticationv1 "k8s.io/api/authentication/v1"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
)
|
|
|
|
func matchResource(resource unstructured.Unstructured, rule kyvernov1.Rule, namespaceLabels map[string]string, policyNamespace string, operation kyvernov1.AdmissionOperation) bool {
|
|
// cannot use admission info from the current request as the user can be different, if the rule matches on old request user info, it should skip
|
|
admissionInfo := kyvernov2.RequestInfo{
|
|
Roles: []string{"kyverno:invalidrole"},
|
|
ClusterRoles: []string{"kyverno:invalidrole"},
|
|
AdmissionUserInfo: authenticationv1.UserInfo{
|
|
Username: "kyverno:kyverno-invalid-controller",
|
|
UID: "kyverno:invaliduid",
|
|
Groups: []string{"kyverno:invalidgroup"},
|
|
},
|
|
}
|
|
|
|
err := engineutils.MatchesResourceDescription(
|
|
resource,
|
|
rule,
|
|
admissionInfo,
|
|
namespaceLabels,
|
|
policyNamespace,
|
|
resource.GroupVersionKind(),
|
|
"",
|
|
operation,
|
|
)
|
|
return err == nil
|
|
}
|