mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-16 12:40:43 +00:00
52d091c5a3
* Remove lock embedded in CRD controller, use concurrent map to store shcemas * delete rcr info from data store * skip policy validation on status update * - remove status check in policy mutation; - fix test * Remove fqdncn flag * add flag profiling port * skip policy mutation & validation on status update * sync policy status every minute * update log messages
54 lines
1.7 KiB
Go
54 lines
1.7 KiB
Go
package webhooks
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"time"
|
|
|
|
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
|
|
policyvalidate "github.com/kyverno/kyverno/pkg/policy"
|
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
)
|
|
|
|
//HandlePolicyValidation performs the validation check on policy resource
|
|
func (ws *WebhookServer) policyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
|
|
logger := ws.log.WithValues("action", "policy validation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
|
|
var policy *kyverno.ClusterPolicy
|
|
|
|
if err := json.Unmarshal(request.Object.Raw, &policy); err != nil {
|
|
logger.Error(err, "failed to unmarshal policy admission request")
|
|
return &v1beta1.AdmissionResponse{
|
|
Allowed: true,
|
|
Result: &metav1.Status{
|
|
Message: fmt.Sprintf("failed to validate policy, check kyverno controller logs for details: %v", err),
|
|
},
|
|
}
|
|
}
|
|
|
|
if request.Operation == v1beta1.Update {
|
|
admissionResponse := hasPolicyChanged(policy, request.OldObject.Raw, logger)
|
|
if admissionResponse != nil {
|
|
logger.V(4).Info("skip policy validation on status update")
|
|
return admissionResponse
|
|
}
|
|
}
|
|
|
|
startTime := time.Now()
|
|
logger.V(3).Info("start policy change validation")
|
|
defer logger.V(3).Info("finished policy change validation", "time", time.Since(startTime).String())
|
|
|
|
if err := policyvalidate.Validate(policy, ws.client, false, ws.openAPIController); err != nil {
|
|
logger.Error(err, "policy validation errors")
|
|
return &v1beta1.AdmissionResponse{
|
|
Allowed: false,
|
|
Result: &metav1.Status{
|
|
Message: err.Error(),
|
|
},
|
|
}
|
|
}
|
|
|
|
return &v1beta1.AdmissionResponse{
|
|
Allowed: true,
|
|
}
|
|
}
|