mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-07 00:17:13 +00:00
40 lines
1.3 KiB
Go
40 lines
1.3 KiB
Go
package webhooks
|
|
|
|
import (
|
|
"errors"
|
|
|
|
engine "github.com/nirmata/kyverno/pkg/engine"
|
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
|
"k8s.io/apimachinery/pkg/labels"
|
|
)
|
|
|
|
func (ws *WebhookServer) removePolicyViolation(request *v1beta1.AdmissionRequest) error {
|
|
// Get the list of policies that apply on the resource
|
|
policies, err := ws.policyLister.List(labels.NewSelector())
|
|
if err != nil {
|
|
// Unable to connect to policy Lister to access policies
|
|
return errors.New("Unable to connect to policy controller to access policies. Clean Up of Policy Violations is not being done")
|
|
}
|
|
for _, policy := range policies {
|
|
// check if policy has a rule for the admission request kind
|
|
if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {
|
|
continue
|
|
}
|
|
// get the details from the request
|
|
rname := request.Name
|
|
rns := request.Namespace
|
|
rkind := request.Kind.Kind
|
|
// check if the resource meets the policy Resource description
|
|
for _, rule := range policy.Spec.Rules {
|
|
ok := engine.ResourceMeetsDescription(request.Object.Raw, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, request.Kind)
|
|
if ok {
|
|
// Check if the policy has a violation for this resource
|
|
err := ws.violationBuilder.ResourceRemoval(policy.Name, rkind, rns, rname)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return nil
|
|
}
|