mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
f06399200c
* remove wildcard permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * codegen Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix background controller perms Signed-off-by: Jim Bugwadia <jim@nirmata.com> * remove secrets perm Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix reports-controller role Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add wildcard check and limit generate policy checks based on `synchronize` Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update manifest Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix wildcard check Signed-off-by: Jim Bugwadia <jim@nirmata.com> * update default QPS and burst for better performance and to prevent test failure Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix perms Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix perms Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix test permissions Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix merge issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix merge issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
118 lines
4.6 KiB
Go
118 lines
4.6 KiB
Go
package resource
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
|
"github.com/kyverno/kyverno/pkg/autogen"
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
|
"github.com/kyverno/kyverno/pkg/event"
|
|
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
|
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
|
"github.com/kyverno/kyverno/pkg/webhooks/resource/generation"
|
|
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
|
admissionv1 "k8s.io/api/admission/v1"
|
|
)
|
|
|
|
// handleBackgroundApplies applies generate and mutateExisting policies, and creates update requests for background reconcile
|
|
func (h *resourceHandlers) handleBackgroundApplies(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, generatePolicies, mutatePolicies []kyvernov1.PolicyInterface, ts time.Time, wg *sync.WaitGroup) {
|
|
go h.handleMutateExisting(ctx, logger, request, mutatePolicies, ts, wg)
|
|
go h.handleGenerate(ctx, logger, request, generatePolicies, ts, wg)
|
|
}
|
|
|
|
func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, policies []kyvernov1.PolicyInterface, admissionRequestTimestamp time.Time, wg *sync.WaitGroup) {
|
|
if wg != nil { // for unit testing purposes
|
|
defer wg.Done()
|
|
}
|
|
|
|
policyContext, err := h.buildPolicyContextFromAdmissionRequest(logger, request)
|
|
if err != nil {
|
|
logger.Error(err, "failed to create policy context")
|
|
return
|
|
}
|
|
|
|
if request.AdmissionRequest.Operation == admissionv1.Delete {
|
|
policyContext = policyContext.WithNewResource(policyContext.OldResource())
|
|
}
|
|
|
|
var engineResponses []*engineapi.EngineResponse
|
|
for _, policy := range policies {
|
|
if !policy.GetSpec().HasMutateExisting() {
|
|
continue
|
|
}
|
|
|
|
policyNew := skipBackgroundRequests(policy, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
|
|
if policyNew == nil {
|
|
continue
|
|
}
|
|
logger.V(4).Info("update request for mutateExisting policy")
|
|
|
|
// skip rules that don't specify the DELETE operation in case the admission request is of type DELETE
|
|
var skipped []string
|
|
for _, rule := range autogen.ComputeRules(policy, "") {
|
|
if request.AdmissionRequest.Operation == admissionv1.Delete && !webhookutils.MatchDeleteOperation(rule) {
|
|
skipped = append(skipped, rule.Name)
|
|
}
|
|
}
|
|
|
|
var rules []engineapi.RuleResponse
|
|
policyContext := policyContext.WithPolicy(policyNew)
|
|
engineResponse := h.engine.ApplyBackgroundChecks(ctx, policyContext)
|
|
|
|
for _, rule := range engineResponse.PolicyResponse.Rules {
|
|
if rule.Status() == engineapi.RuleStatusPass && !datautils.SliceContains(skipped, rule.Name()) {
|
|
rules = append(rules, rule)
|
|
}
|
|
}
|
|
|
|
if len(rules) > 0 {
|
|
engineResponse.PolicyResponse.Rules = rules
|
|
engineResponses = append(engineResponses, &engineResponse)
|
|
}
|
|
}
|
|
|
|
if failedResponse := applyUpdateRequest(ctx, request.AdmissionRequest, kyvernov2.Mutate, h.urGenerator, policyContext.AdmissionInfo(), request.Operation, engineResponses...); failedResponse != nil {
|
|
for _, failedUR := range failedResponse {
|
|
err := fmt.Errorf("failed to create update request: %v", failedUR.err)
|
|
|
|
var policy kyvernov1.PolicyInterface
|
|
for _, pol := range policies {
|
|
if pol.GetName() != failedUR.ur.Policy {
|
|
continue
|
|
}
|
|
policy = pol
|
|
}
|
|
resource := policyContext.NewResource()
|
|
events := event.NewBackgroundFailedEvent(err, policy, "", event.GeneratePolicyController,
|
|
kyvernov1.ResourceSpec{Kind: resource.GetKind(), Namespace: resource.GetNamespace(), Name: resource.GetName()})
|
|
h.eventGen.Add(events...)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (h *resourceHandlers) handleGenerate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, ts time.Time, wg *sync.WaitGroup) {
|
|
if wg != nil { // for unit testing purposes
|
|
defer wg.Done()
|
|
}
|
|
|
|
policyContext, err := h.buildPolicyContextFromAdmissionRequest(logger, request)
|
|
if err != nil {
|
|
logger.Error(err, "failed to create policy context")
|
|
return
|
|
}
|
|
|
|
gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig, h.backgroundServiceAccountName, h.reportsServiceAccountName)
|
|
var policies []kyvernov1.PolicyInterface
|
|
for _, p := range generatePolicies {
|
|
new := skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
|
|
if new != nil {
|
|
policies = append(policies, new)
|
|
}
|
|
}
|
|
gh.Handle(ctx, request.AdmissionRequest, policies, policyContext)
|
|
}
|