mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-27 18:13:17 +00:00
d812982b2e
* feat: webhook support for image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add validation Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: codegen Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: trim prefix Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only use matched policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: conflicts Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: remove commented code Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
58 lines
2.1 KiB
Go
58 lines
2.1 KiB
Go
package ivpol
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
celengine "github.com/kyverno/kyverno/pkg/cel/engine"
|
|
celpolicy "github.com/kyverno/kyverno/pkg/cel/policy"
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
|
"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
|
|
eval "github.com/kyverno/kyverno/pkg/imageverification/evaluator"
|
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
|
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
|
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
|
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
|
|
)
|
|
|
|
type handler struct {
|
|
context celpolicy.Context
|
|
engine celengine.ImageVerifyEngine
|
|
}
|
|
|
|
func New(
|
|
engine celengine.ImageVerifyEngine,
|
|
context celpolicy.Context,
|
|
) *handler {
|
|
return &handler{
|
|
context: context,
|
|
engine: engine,
|
|
}
|
|
}
|
|
|
|
func (h *handler) Mutate(ctx context.Context, logger logr.Logger, admissionRequest handlers.AdmissionRequest, failurePolicy string, startTime time.Time) handlers.AdmissionResponse {
|
|
request := celengine.RequestFromAdmission(h.context, admissionRequest.AdmissionRequest)
|
|
response, patches, err := h.engine.HandleMutating(ctx, request)
|
|
if err != nil {
|
|
return admissionutils.Response(admissionRequest.UID, err)
|
|
}
|
|
rawPatches := jsonutils.JoinPatches(patch.ConvertPatches(patches...)...)
|
|
return h.mutationResponse(request, response, rawPatches)
|
|
}
|
|
|
|
func (h *handler) mutationResponse(request celengine.EngineRequest, response eval.ImageVerifyEngineResponse, rawPatches []byte) handlers.AdmissionResponse {
|
|
var warnings []string
|
|
for _, policy := range response.Policies {
|
|
if policy.Actions.Has(admissionregistrationv1.Warn) {
|
|
switch policy.Result.Status() {
|
|
case engineapi.RuleStatusFail:
|
|
warnings = append(warnings, fmt.Sprintf("Policy %s failed: %s", policy.Policy.GetName(), policy.Result.Message()))
|
|
case engineapi.RuleStatusError:
|
|
warnings = append(warnings, fmt.Sprintf("Policy %s error: %s", policy.Policy.GetName(), policy.Result.Message()))
|
|
}
|
|
}
|
|
}
|
|
return admissionutils.MutationResponse(request.AdmissionRequest().UID, rawPatches, warnings...)
|
|
}
|