mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
a9fef256c7
* updates for foreach and mutate Signed-off-by: Jim Bugwadia <jim@nirmata.com> * allow tests to pass on Windows Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add elementIndex variable Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix jsonResult usage Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add mutate validation and fix error in validate.foreach Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * do not skip validation for all array entries when one is skipped Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add foreach tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix format errors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove unused declarations Signed-off-by: Jim Bugwadia <jim@nirmata.com> * revert namespaceWithLabelYaml Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix mutate of element list Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update CRDs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Update api/kyverno/v1/policy_types.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/forceMutate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/mutation.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update pkg/engine/validate/validate.go Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/custom-functions/policy.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * Update test/cli/test/foreach/policies.yaml Co-authored-by: Steven E. Harris <seh@panix.com> * accept review comments and format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add comments to strategicMergePatch buffer Signed-off-by: Jim Bugwadia <jim@nirmata.com> * load context and evaluate preconditions foreach element Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test for foreach mutate context and precondition * precondition testcase * address review comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update message Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Steven E. Harris <seh@panix.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
71 lines
2 KiB
Go
71 lines
2 KiB
Go
package policy
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/kyverno/kyverno/pkg/policy/mutate"
|
|
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
dclient "github.com/kyverno/kyverno/pkg/dclient"
|
|
"github.com/kyverno/kyverno/pkg/policy/generate"
|
|
"github.com/kyverno/kyverno/pkg/policy/validate"
|
|
"github.com/kyverno/kyverno/pkg/utils"
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
|
)
|
|
|
|
//Validation provides methods to validate a rule
|
|
type Validation interface {
|
|
Validate() (string, error)
|
|
}
|
|
|
|
//validateAction performs validation on the rule actions
|
|
// - Mutate
|
|
// - Validation
|
|
// - Generate
|
|
func validateActions(idx int, rule *kyverno.Rule, client *dclient.Client, mock bool) error {
|
|
if rule == nil {
|
|
return nil
|
|
}
|
|
|
|
var checker Validation
|
|
|
|
// Mutate
|
|
if rule.HasMutate() {
|
|
checker = mutate.NewMutateFactory(rule.Mutation)
|
|
if path, err := checker.Validate(); err != nil {
|
|
return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err)
|
|
}
|
|
}
|
|
|
|
// Validate
|
|
if rule.HasValidate() {
|
|
checker = validate.NewValidateFactory(&rule.Validation)
|
|
if path, err := checker.Validate(); err != nil {
|
|
return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err)
|
|
}
|
|
}
|
|
|
|
// Generate
|
|
if rule.HasGenerate() {
|
|
//TODO: this check is there to support offline validations
|
|
// generate uses selfSubjectReviews to verify actions
|
|
// this need to modified to use different implementation for online and offline mode
|
|
if mock {
|
|
checker = generate.NewFakeGenerate(rule.Generation)
|
|
if path, err := checker.Validate(); err != nil {
|
|
return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
|
|
}
|
|
} else {
|
|
checker = generate.NewGenerateFactory(client, rule.Generation, log.Log)
|
|
if path, err := checker.Validate(); err != nil {
|
|
return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
|
|
}
|
|
}
|
|
|
|
if utils.ContainsString(rule.MatchResources.Kinds, rule.Generation.Kind) {
|
|
return fmt.Errorf("generation kind and match resource kind should not be the same.")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|