* refactor: use more engine internals Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * imageverifier Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rule skip and exceptions fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
package internal
import (
|
|
"fmt"
|
|
"reflect"
|
|
"time"
|
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
)
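// RuleError builds a RuleResponse for rule with status RuleStatusError whose
// message is "<msg>: <err>".
//
// err is formatted with %v instead of calling err.Error() directly: a nil err
// then renders as "<nil>" rather than panicking on a nil method receiver, while
// the output for a non-nil err is byte-identical to before. rule must be non-nil
// (it is dereferenced to pass by value).
func RuleError(rule *kyvernov1.Rule, ruleType engineapi.RuleType, msg string, err error) *engineapi.RuleResponse {
	return RuleResponse(*rule, ruleType, fmt.Sprintf("%s: %v", msg, err), engineapi.RuleStatusError)
}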
// RuleSkip builds a RuleResponse for rule with status RuleStatusSkip, carrying
// msg through unchanged. rule must be non-nil (it is dereferenced to pass by value).
func RuleSkip(rule *kyvernov1.Rule, ruleType engineapi.RuleType, msg string) *engineapi.RuleResponse {
	skipped := RuleResponse(*rule, ruleType, msg, engineapi.RuleStatusSkip)
	return skipped
}
// RuleResponse assembles a freshly allocated RuleResponse named after rule with
// the given type, message and status. Only rule.Name is read from rule; the
// ExecutionStats and every other field are left at their zero value.
func RuleResponse(rule kyvernov1.Rule, ruleType engineapi.RuleType, msg string, status engineapi.RuleStatus) *engineapi.RuleResponse {
	var out engineapi.RuleResponse
	out.Name = rule.Name
	out.Type = ruleType
	out.Message = msg
	out.Status = status
	return &out
}
// AddRuleResponse records ruleResp in resp: it stamps ruleResp's ExecutionStats
// (ProcessingTime measured from startTime, Timestamp as startTime's Unix seconds),
// appends a copy of ruleResp to resp.Rules and updates the counters — Pass and
// Fail increment RulesAppliedCount, Error increments RulesErrorCount, and any
// other status (e.g. Skip) leaves both counters untouched.
//
// The stats are written into ruleResp before it is copied, so the caller's
// value is mutated as well.
func AddRuleResponse(resp *engineapi.PolicyResponse, ruleResp *engineapi.RuleResponse, startTime time.Time) {
	stats := &ruleResp.ExecutionStats
	stats.ProcessingTime = time.Since(startTime)
	stats.Timestamp = startTime.Unix()
	resp.Rules = append(resp.Rules, *ruleResp)
	switch ruleResp.Status {
	case engineapi.RuleStatusPass, engineapi.RuleStatusFail:
		resp.RulesAppliedCount++
	case engineapi.RuleStatusError:
		resp.RulesErrorCount++
	}
}
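// BuildResponse finalises resp from ctx once all rules have run: it fills in
// the namespace labels, the patched resource, the policy and resource identity,
// the policy's validation failure action (plus its overrides) and the
// policy-level timing. resp is mutated in place and returned for chaining;
// it must be non-nil.
//
// An all-zero response is returned as soon as its namespace labels are set.
// That check dereferences resp on purpose: reflect.DeepEqual of a
// *EngineResponse against an EngineResponse value compares different types and
// is always false, which previously made the early return unreachable.
// NOTE(review): callers that pass a zero EngineResponse now take the early
// return; confirm none relied on the old fall-through.
func BuildResponse(ctx engineapi.PolicyContext, resp *engineapi.EngineResponse, startTime time.Time) *engineapi.EngineResponse {
	resp.NamespaceLabels = ctx.NamespaceLabels()
	if reflect.DeepEqual(*resp, engineapi.EngineResponse{}) {
		return resp
	}
	if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
		// for delete requests patched resource will be oldResource since newResource is empty
		resource := ctx.NewResource()
		if reflect.DeepEqual(resource, unstructured.Unstructured{}) {
			resource = ctx.OldResource()
		}
		resp.PatchedResource = resource
	}
	policy := ctx.Policy()
	resp.Policy = policy
	resp.PolicyResponse.Policy.Name = policy.GetName()
	resp.PolicyResponse.Policy.Namespace = policy.GetNamespace()
	// Resource identity is taken from the (possibly just resolved) patched resource.
	resp.PolicyResponse.Resource.Name = resp.PatchedResource.GetName()
	resp.PolicyResponse.Resource.Namespace = resp.PatchedResource.GetNamespace()
	resp.PolicyResponse.Resource.Kind = resp.PatchedResource.GetKind()
	resp.PolicyResponse.Resource.APIVersion = resp.PatchedResource.GetAPIVersion()
	spec := policy.GetSpec()
	resp.PolicyResponse.ValidationFailureAction = spec.ValidationFailureAction
	// Overrides are copied field by field into the engine's own type and appended
	// to whatever the response already holds.
	for _, v := range spec.ValidationFailureActionOverrides {
		override := engineapi.ValidationFailureActionOverride{
			Action:            v.Action,
			Namespaces:        v.Namespaces,
			NamespaceSelector: v.NamespaceSelector,
		}
		resp.PolicyResponse.ValidationFailureActionOverrides = append(resp.PolicyResponse.ValidationFailureActionOverrides, override)
	}
	resp.PolicyResponse.ProcessingTime = time.Since(startTime)
	resp.PolicyResponse.Timestamp = startTime.Unix()
	return resp
}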