mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
aa6400269e
* refactor: do not allow matching with subresource kind Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: implement matching based on GVK/subresource Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
51 lines
1.6 KiB
Go
51 lines
1.6 KiB
Go
package utils
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
|
"github.com/kyverno/kyverno/pkg/config"
|
|
"github.com/kyverno/kyverno/pkg/engine"
|
|
"github.com/kyverno/kyverno/pkg/userinfo"
|
|
admissionv1 "k8s.io/api/admission/v1"
|
|
rbacv1listers "k8s.io/client-go/listers/rbac/v1"
|
|
)
|
|
|
|
type PolicyContextBuilder interface {
|
|
Build(*admissionv1.AdmissionRequest) (*engine.PolicyContext, error)
|
|
}
|
|
|
|
type policyContextBuilder struct {
|
|
configuration config.Configuration
|
|
client dclient.Interface
|
|
rbLister rbacv1listers.RoleBindingLister
|
|
crbLister rbacv1listers.ClusterRoleBindingLister
|
|
}
|
|
|
|
func NewPolicyContextBuilder(
|
|
configuration config.Configuration,
|
|
client dclient.Interface,
|
|
rbLister rbacv1listers.RoleBindingLister,
|
|
crbLister rbacv1listers.ClusterRoleBindingLister,
|
|
) PolicyContextBuilder {
|
|
return &policyContextBuilder{
|
|
configuration: configuration,
|
|
client: client,
|
|
rbLister: rbLister,
|
|
crbLister: crbLister,
|
|
}
|
|
}
|
|
|
|
func (b *policyContextBuilder) Build(request *admissionv1.AdmissionRequest) (*engine.PolicyContext, error) {
|
|
userRequestInfo := kyvernov1beta1.RequestInfo{
|
|
AdmissionUserInfo: *request.UserInfo.DeepCopy(),
|
|
}
|
|
if roles, clusterRoles, err := userinfo.GetRoleRef(b.rbLister, b.crbLister, request.UserInfo); err != nil {
|
|
return nil, fmt.Errorf("failed to fetch RBAC information for request: %w", err)
|
|
} else {
|
|
userRequestInfo.Roles = roles
|
|
userRequestInfo.ClusterRoles = clusterRoles
|
|
}
|
|
return engine.NewPolicyContextFromAdmissionRequest(b.client.Discovery(), request, userRequestInfo, b.configuration)
|
|
}
|