mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-10 09:56:55 +00:00
* handle nested contexts Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add feature flag Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add kuttl tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix CLI regclient Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix: token permissions on report vulns workflow (#7611) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: token permissions (#7619) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: update the flag descriptions of the reports-controller (#7617) Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> * fix: panic if env var not defined (#7613) * fix: panic if env var not defined Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * use toggles instead of a flag Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update toggle name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update toggle name Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix roles Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix role Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update manifests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove extra unlock Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix loader reset Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * propagate context Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cm resolver Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * level management Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * address review 
comments Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add enableDeferredLoading to other controllers Signed-off-by: Jim Bugwadia <jim@nirmata.com> * re-enable ACR credhelper Signed-off-by: Jim Bugwadia <jim@nirmata.com> * improve tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove image registry client init Signed-off-by: Jim Bugwadia <jim@nirmata.com> * check for invalid reset/restore Signed-off-by: Jim Bugwadia <jim@nirmata.com> * recursive kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add pre/post queries Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add check for a recursive match Signed-off-by: Jim Bugwadia <jim@nirmata.com> * new test suite Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * eval loaders at creation level Signed-off-by: Jim Bugwadia <jim@nirmata.com> * kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add an index for resolving deps in order Signed-off-by: Jim Bugwadia <jim@nirmata.com> * improve comment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * extract remove method Signed-off-by: Jim Bugwadia <jim@nirmata.com> * merge main Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * flags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feature flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * two rules kuttl test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * revert Signed-off-by: ShutingZhao <shuting@nirmata.com> * per rule checkpoint Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix mutate chained rules Signed-off-by: ShutingZhao 
<shuting@nirmata.com> * per rule checpoint/restore Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * log error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: emmanuel-ferdman <emmanuelferdman@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
package factories
import (
"context"
"fmt"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/context/loaders"
"github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/logging"
"github.com/kyverno/kyverno/pkg/toggle"
)
// ContextLoaderFactoryOptions is a functional option that mutates a
// contextLoader while DefaultContextLoaderFactory is building it.
type ContextLoaderFactoryOptions func(*contextLoader)
// DefaultContextLoaderFactory returns a factory that builds a fresh
// contextLoader on every call; the policy and rule arguments are ignored.
// Each loader shares the given cmResolver and has opts applied to it in the
// order they were passed.
//
// A nil cmResolver is accepted: newLoader then skips ConfigMap context
// entries (logging a message) instead of failing, so callers whose policies
// depend on ConfigMap data must supply a resolver.
func DefaultContextLoaderFactory(cmResolver engineapi.ConfigmapResolver, opts ...ContextLoaderFactoryOptions) engineapi.ContextLoaderFactory {
	build := func(_ kyvernov1.PolicyInterface, _ kyvernov1.Rule) engineapi.ContextLoader {
		loader := new(contextLoader)
		loader.logger = logging.WithName("DefaultContextLoaderFactory")
		loader.cmResolver = cmResolver
		// Options run after the defaults are set so they can extend the loader.
		for i := range opts {
			opts[i](loader)
		}
		return loader
	}
	return build
}
// WithInitializer returns an option that appends initializer to the loader's
// initializer list. Load runs the registered initializers, in registration
// order, before it processes any context entry.
func WithInitializer(initializer engineapi.Initializer) ContextLoaderFactoryOptions {
	return func(target *contextLoader) {
		target.initializers = append(target.initializers, initializer)
	}
}
// contextLoader is the engineapi.ContextLoader produced by
// DefaultContextLoaderFactory.
type contextLoader struct {
	// logger is handed to the concrete loaders and receives the
	// "disabled loading" messages emitted by newLoader.
	logger logr.Logger
	// cmResolver backs ConfigMap context entries; when it is nil those
	// entries are skipped rather than loaded.
	cmResolver engineapi.ConfigmapResolver
	// initializers are run against the JSON context at the start of Load.
	initializers []engineapi.Initializer
}
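// Load prepares jsonContext for evaluation of a rule's context entries.
//
// It first runs every registered initializer against jsonContext and stops at
// the first failure. It then builds one loader per entry via newLoader:
//   - if the deferred-loading toggle read from ctx is enabled, the loader is
//     registered on jsonContext with AddDeferredLoader;
//   - otherwise the loader's LoadData is invoked immediately.
//
// newLoader may return a nil loader when the backing client for an entry is
// not configured; such entries are skipped here without an error, so their
// data is simply absent from jsonContext.
//
// Returns the first error from an initializer, from loader creation (wrapped
// so the root cause is preserved), from AddDeferredLoader, or from LoadData.
func (l *contextLoader) Load(
	ctx context.Context,
	jp jmespath.Interface,
	client engineapi.RawClient,
	rclientFactory engineapi.RegistryClientFactory,
	contextEntries []kyvernov1.ContextEntry,
	jsonContext enginecontext.Interface,
) error {
	for _, initialize := range l.initializers {
		if err := initialize(jsonContext); err != nil {
			return err
		}
	}
	for _, entry := range contextEntries {
		loader, err := l.newLoader(ctx, jp, client, rclientFactory, entry, jsonContext)
		if err != nil {
			// Wrap instead of discarding err: the cause (for example a context
			// entry with no source set) is what an operator needs to see when
			// a policy fails to evaluate.
			return fmt.Errorf("failed to create deferred loader for context entry %s: %w", entry.Name, err)
		}
		if loader == nil {
			// Source disabled for this entry (no resolver/client); nothing to load.
			continue
		}
		if toggle.FromContext(ctx).EnableDeferredLoading() {
			if err := jsonContext.AddDeferredLoader(loader); err != nil {
				return err
			}
			continue
		}
		if err := loader.LoadData(); err != nil {
			return err
		}
	}
	return nil
}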
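// newLoader builds the deferred loader for a single context entry, choosing
// the source by the first non-nil field in this order: ConfigMap, APICall,
// ImageRegistry, Variable.
//
// For ConfigMap, APICall and ImageRegistry entries the matching dependency
// (l.cmResolver, client, rclientFactory) must be non-nil; when it is nil the
// entry is skipped: a message is logged and (nil, nil) is returned. Callers
// must therefore treat a nil loader with a nil error as "not loaded".
// NOTE(review): the nil checks are on interface values, so a typed-nil
// pointer stored in the interface would not be detected — confirm callers
// pass a literal nil when a source is disabled.
//
// An entry with none of the four sources set is rejected with an error.
func (l *contextLoader) newLoader(
	ctx context.Context,
	jp jmespath.Interface,
	client engineapi.RawClient,
	rclientFactory engineapi.RegistryClientFactory,
	entry kyvernov1.ContextEntry,
	jsonContext enginecontext.Interface,
) (enginecontext.DeferredLoader, error) {
	// The local loader variable is named src rather than l so it does not
	// shadow the receiver. Log calls use logr key/value pairs: logr does not
	// interpret printf verbs, so the entry name is passed as a field.
	switch {
	case entry.ConfigMap != nil:
		if l.cmResolver == nil {
			l.logger.Info("disabled loading of ConfigMap context entry", "name", entry.Name)
			return nil, nil
		}
		src := loaders.NewConfigMapLoader(ctx, l.logger, entry, l.cmResolver, jsonContext)
		return enginecontext.NewDeferredLoader(entry.Name, src)
	case entry.APICall != nil:
		if client == nil {
			l.logger.Info("disabled loading of APICall context entry", "name", entry.Name)
			return nil, nil
		}
		src := loaders.NewAPILoader(ctx, l.logger, entry, jsonContext, jp, client)
		return enginecontext.NewDeferredLoader(entry.Name, src)
	case entry.ImageRegistry != nil:
		if rclientFactory == nil {
			l.logger.Info("disabled loading of ImageRegistry context entry", "name", entry.Name)
			return nil, nil
		}
		src := loaders.NewImageDataLoader(ctx, l.logger, entry, jsonContext, jp, rclientFactory)
		return enginecontext.NewDeferredLoader(entry.Name, src)
	case entry.Variable != nil:
		src := loaders.NewVariableLoader(l.logger, entry, jsonContext, jp)
		return enginecontext.NewDeferredLoader(entry.Name, src)
	}
	return nil, fmt.Errorf("missing ConfigMap|APICall|ImageRegistry|Variable in context entry %s", entry.Name)
}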