Merge branch 'release-1.12' into release-1.12
realshuting authored Jul 9, 2024
2 parents 235b2fc + 587d916 commit d5a1f12
Showing 9 changed files with 26 additions and 35 deletions.
5 changes: 1 addition & 4 deletions pkg/engine/background.go
Expand Up @@ -2,7 +2,6 @@ package engine

import (
"context"
"time"

"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
Expand All @@ -20,17 +19,15 @@ import (
//
// 2. returns the list of rules that are applicable on this policy and resource, if 1 succeed
func (e *engine) applyBackgroundChecks(
ctx context.Context,
logger logr.Logger,
policyContext engineapi.PolicyContext,
) engineapi.PolicyResponse {
return e.filterRules(policyContext, logger, time.Now())
return e.filterRules(policyContext, logger)
}

func (e *engine) filterRules(
policyContext engineapi.PolicyContext,
logger logr.Logger,
startTime time.Time,
) engineapi.PolicyResponse {
policy := policyContext.Policy()
resp := engineapi.NewPolicyResponse()
4 changes: 2 additions & 2 deletions pkg/engine/engine.go
Expand Up @@ -123,7 +123,7 @@ func (e *engine) Generate(
response := engineapi.NewEngineResponseFromPolicyContext(policyContext)
logger := internal.LoggerWithPolicyContext(logging.WithName("engine.generate"), policyContext)
if internal.MatchPolicyContext(logger, e.client, policyContext, e.configuration) {
policyResponse := e.generateResponse(ctx, logger, policyContext)
policyResponse := e.generateResponse(logger, policyContext)
response = response.WithPolicyResponse(policyResponse)
}
response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
Expand Down Expand Up @@ -158,7 +158,7 @@ func (e *engine) ApplyBackgroundChecks(
response := engineapi.NewEngineResponseFromPolicyContext(policyContext)
logger := internal.LoggerWithPolicyContext(logging.WithName("engine.background"), policyContext)
if internal.MatchPolicyContext(logger, e.client, policyContext, e.configuration) {
policyResponse := e.applyBackgroundChecks(ctx, logger, policyContext)
policyResponse := e.applyBackgroundChecks(logger, policyContext)
response = response.WithPolicyResponse(policyResponse)
}
response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
6 changes: 3 additions & 3 deletions pkg/engine/forceMutate.go
Expand Up @@ -51,7 +51,7 @@ func ForceMutate(
}
} else {
m := r.Mutation
patchedResource, err = applyPatches(r.Name, m.GetPatchStrategicMerge(), m.PatchesJSON6902, patchedResource, logger)
patchedResource, err = applyPatches(m.GetPatchStrategicMerge(), m.PatchesJSON6902, patchedResource, logger)
if err != nil {
return patchedResource, err
}
Expand All @@ -73,7 +73,7 @@ func applyForEachMutate(name string, foreach []kyvernov1.ForEachMutation, resour
return applyForEachMutate(name, nestedForEach, patchedResource, logger)
}

patchedResource, err = applyPatches(name, fe.GetPatchStrategicMerge(), fe.PatchesJSON6902, patchedResource, logger)
patchedResource, err = applyPatches(fe.GetPatchStrategicMerge(), fe.PatchesJSON6902, patchedResource, logger)
if err != nil {
return resource, err
}
Expand All @@ -82,7 +82,7 @@ func applyForEachMutate(name string, foreach []kyvernov1.ForEachMutation, resour
return patchedResource, nil
}

func applyPatches(name string, mergePatch apiextensions.JSON, jsonPatch string, resource unstructured.Unstructured, logger logr.Logger) (unstructured.Unstructured, error) {
func applyPatches(mergePatch apiextensions.JSON, jsonPatch string, resource unstructured.Unstructured, logger logr.Logger) (unstructured.Unstructured, error) {
patcher := mutate.NewPatcher(mergePatch, jsonPatch)
resourceBytes, err := resource.MarshalJSON()
if err != nil {
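Review bot: The two error paths in this section hand back different things for the same applyPatches failure: the ForceMutate branch at the top returns `patchedResource, err`, i.e. an object with earlier patches already applied, while applyForEachMutate returns `resource, err`, the untouched input. A caller that reads the value on a non-nil error therefore sees a half-mutated object from one path and the original from the other; the usual Go convention is that the value is meaningless on error, so the first site should return the untouched input as the second does, e.g. `return resource, err` (or whatever the original input is named in ForceMutate, whose body starts outside this hunk). Both enclosing functions, ForceMutate and applyForEachMutate, begin and end outside the hunks shown.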
5 changes: 2 additions & 3 deletions pkg/engine/fuzz_test.go
Expand Up @@ -213,15 +213,14 @@ func FuzzPodBypass(f *testing.F) {
validateContext,
pc.WithPolicy(testPolicy.ClusterPolicy),
)
failurePolicy := kyverno.Fail
blocked := blockRequest([]engineapi.EngineResponse{er}, failurePolicy)
blocked := blockRequest([]engineapi.EngineResponse{er})
if blocked != shouldBlock {
panic(fmt.Sprintf("\nDid not block a resource that should be blocked:\n%s\n should have been blocked by \n%+v\n\nshouldBlock was %t\nblocked was %t\n", string(resource), testPolicy.ClusterPolicy, shouldBlock, blocked))
}
})
}

func blockRequest(engineResponses []engineapi.EngineResponse, failurePolicy kyverno.FailurePolicyType) bool {
func blockRequest(engineResponses []engineapi.EngineResponse) bool {
for _, er := range engineResponses {
if er.IsFailed() {
return true
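Review bot: The panic message in the first hunk claims "Did not block a resource that should be blocked", but the guard `blocked != shouldBlock` also fires when the engine blocked a resource that should have been allowed, so half of the failures are reported with the wrong headline. State both values neutrally instead, e.g. `panic(fmt.Sprintf("\nblocked=%t but shouldBlock=%t for resource:\n%s\npolicy:\n%+v\n", blocked, shouldBlock, string(resource), testPolicy.ClusterPolicy))`; if the fuzz closure receives a `*testing.T`, `t.Fatalf` with the same format is the idiomatic reporter. The fuzz closure and blockRequest both continue outside the hunks shown.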
3 changes: 0 additions & 3 deletions pkg/engine/generation.go
@@ -1,8 +1,6 @@
package engine

import (
"context"

"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/autogen"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
Expand All @@ -11,7 +9,6 @@ import (

// GenerateResponse checks for validity of generate rule on the resource
func (e *engine) generateResponse(
ctx context.Context,
logger logr.Logger,
policyContext engineapi.PolicyContext,
) engineapi.PolicyResponse {
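Review bot: The doc comment in the second hunk starts with `GenerateResponse`, but the function it documents is the unexported `generateResponse`; Go doc comments are expected to begin with the exact identifier, and this mismatch is what revive/golint report. Change it to `// generateResponse checks the validity of the generate rule on the resource`. The function body continues outside the hunk.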
4 changes: 2 additions & 2 deletions pkg/engine/image_verify_test.go
Expand Up @@ -711,7 +711,7 @@ func Test_SignaturesMultiKeyZeroGoodKey(t *testing.T) {
func Test_RuleSelectorImageVerify(t *testing.T) {

policyContext := buildContext(t, testSampleSingleKeyPolicy, testSampleResource, "")
rule := newStaticKeyRule("match-all", "*", testOtherKey)
rule := newStaticKeyRule("match-all", testOtherKey)
spec := policyContext.Policy().GetSpec()
spec.Rules = append(spec.Rules, *rule)

Expand All @@ -730,7 +730,7 @@ func Test_RuleSelectorImageVerify(t *testing.T) {
assert.Equal(t, resp.PolicyResponse.Rules[0].Status(), engineapi.RuleStatusPass, resp.PolicyResponse.Rules[0].Message())
}

func newStaticKeyRule(name, imageReference, key string) *kyvernov1.Rule {
func newStaticKeyRule(name, key string) *kyvernov1.Rule {
return &kyvernov1.Rule{
Name: name,
MatchResources: kyvernov1.MatchResources{
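Review bot: Test_RuleSelectorImageVerify in the first hunk opens its body with an empty line directly after the signature; gofmt leaves that in place and the whitespace linter flags it as an unnecessary leading newline. Drop the blank line so the body starts with `policyContext := buildContext(t, testSampleSingleKeyPolicy, testSampleResource, "")`. The rest of the test and newStaticKeyRule continue outside the hunks shown.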
6 changes: 2 additions & 4 deletions pkg/engine/internal/imageverifier.go
Expand Up @@ -347,7 +347,7 @@ func (iv *ImageVerifier) verifyImage(
iv.ivm.Add(image, engineapi.ImageVerificationSkip)
return engineapi.RuleSkip(iv.rule.Name, engineapi.ImageVerify, fmt.Sprintf("skipping image reference image %s, policy %s ruleName %s", image, iv.policyContext.Policy().GetName(), iv.rule.Name)).WithEmitWarning(true), ""
}
ruleResp, cosignResp := iv.verifyAttestors(ctx, imageVerify.Attestors, imageVerify, imageInfo, "")
ruleResp, cosignResp := iv.verifyAttestors(ctx, imageVerify.Attestors, imageVerify, imageInfo)
if ruleResp.Status() != engineapi.RuleStatusPass {
return ruleResp, ""
}
Expand All @@ -367,7 +367,6 @@ func (iv *ImageVerifier) verifyAttestors(
attestors []kyvernov1.AttestorSet,
imageVerify kyvernov1.ImageVerification,
imageInfo apiutils.ImageInfo,
predicateType string,
) (*engineapi.RuleResponse, *images.Response) {
var cosignResponse *images.Response
image := imageInfo.String()
Expand Down Expand Up @@ -536,7 +535,7 @@ func (iv *ImageVerifier) buildVerifier(
) (images.ImageVerifier, *images.Options, string) {
switch imageVerify.Type {
case kyvernov1.Notary:
return iv.buildNotaryVerifier(attestor, imageVerify, image, attestation)
return iv.buildNotaryVerifier(attestor, image, attestation)
default:
return iv.buildCosignVerifier(attestor, imageVerify, image, attestation)
}
Expand Down Expand Up @@ -654,7 +653,6 @@ func (iv *ImageVerifier) buildCosignVerifier(

func (iv *ImageVerifier) buildNotaryVerifier(
attestor kyvernov1.Attestor,
imageVerify kyvernov1.ImageVerification,
image string,
attestation *kyvernov1.Attestation,
) (images.ImageVerifier, *images.Options, string) {
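Review bot: verifyAttestors still receives the attestor list twice: the call in the first hunk passes `imageVerify.Attestors` as `attestors` and `imageVerify` as the next argument, and the signature in the second hunk keeps both parameters. With the trust decision living in this function, letting the two inputs diverge is a consistency risk; if no other caller supplies a different set, drop the `attestors` parameter and read `imageVerify.Attestors` inside, so the verified set is always the one from the policy. This is inferred from the single call site visible here, and other callers may exist outside the section; verifyImage and verifyAttestors both continue outside the hunks.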
4 changes: 2 additions & 2 deletions pkg/engine/internal/match.go
Expand Up @@ -31,7 +31,7 @@ func MatchPolicyContext(logger logr.Logger, client engineapi.Client, policyConte
}

if policy.GetSpec().GetMatchConditions() != nil {
if !checkMatchConditions(logger, client, policyContext, gvk, subresource) {
if !checkMatchConditions(logger, policyContext, gvk, subresource) {
logger.V(4).Info("webhookConfiguration.matchConditions doesn't match request")
return false
}
Expand Down Expand Up @@ -66,7 +66,7 @@ func checkNamespacedPolicy(policy kyvernov1.PolicyInterface, resources ...unstru
return true
}

func checkMatchConditions(logger logr.Logger, client engineapi.Client, policyContext engineapi.PolicyContext, gvk schema.GroupVersionKind, subresource string) bool {
func checkMatchConditions(logger logr.Logger, policyContext engineapi.PolicyContext, gvk schema.GroupVersionKind, subresource string) bool {
policy := policyContext.Policy()
old := policyContext.OldResource()
new := policyContext.NewResource()
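Review bot: checkMatchConditions in the second hunk declares a local named `new`, which shadows the builtin `new` for the rest of the function and is what the predeclared/gocritic linters report. Rename the pair to `oldRes := policyContext.OldResource()` and `newRes := policyContext.NewResource()`; the function body continues outside the hunk, so its later uses of `old`/`new` need the same rename.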
24 changes: 12 additions & 12 deletions pkg/engine/mutation_test.go
Expand Up @@ -61,7 +61,7 @@ func loadUnstructured(t *testing.T, bytes []byte) unstructured.Unstructured {
return resource
}

func createContext(t *testing.T, policy kyverno.PolicyInterface, resource unstructured.Unstructured, operation kyverno.AdmissionOperation) *PolicyContext {
func createContext(t *testing.T, policy kyverno.PolicyInterface, resource unstructured.Unstructured) *PolicyContext {
ctx, err := NewPolicyContext(
jp,
resource,
Expand Down Expand Up @@ -125,7 +125,7 @@ func Test_VariableSubstitutionPatchStrategicMerge(t *testing.T) {
}`)
policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)
require.Equal(t, 1, len(er.PolicyResponse.Rules))
Expand Down Expand Up @@ -186,7 +186,7 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {

policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)
assert.Equal(t, len(er.PolicyResponse.Rules), 1)
Expand Down Expand Up @@ -252,7 +252,7 @@ func Test_variableSubstitutionCLI(t *testing.T) {

policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)
ctxLoaderFactory := factories.DefaultContextLoaderFactory(
nil,
factories.WithInitializer(func(jsonContext enginecontext.Interface) error {
Expand Down Expand Up @@ -357,7 +357,7 @@ func Test_chained_rules(t *testing.T) {
}`)
policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)
require.Equal(t, 2, len(er.PolicyResponse.Rules))
Expand Down Expand Up @@ -432,7 +432,7 @@ func Test_precondition(t *testing.T) {
}`)
policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)
require.Equal(t, 1, len(er.PolicyResponse.Rules))
Expand Down Expand Up @@ -515,7 +515,7 @@ func Test_nonZeroIndexNumberPatchesJson6902(t *testing.T) {

policy := loadResource[kyverno.ClusterPolicy](t, []byte(policyRaw))
resource := loadUnstructured(t, []byte(resourceRaw))
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)
require.Equal(t, 2, len(er.PolicyResponse.Rules))
Expand Down Expand Up @@ -954,7 +954,7 @@ func Test_foreach_order_mutation_(t *testing.T) {
}`)
policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)

Expand Down Expand Up @@ -1054,7 +1054,7 @@ func Test_patchStrategicMerge_descending(t *testing.T) {
}`)
policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)

Expand Down Expand Up @@ -1154,7 +1154,7 @@ func Test_patchStrategicMerge_ascending(t *testing.T) {
}`)
policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)

Expand Down Expand Up @@ -1348,7 +1348,7 @@ func Test_mutate_nested_foreach(t *testing.T) {
policy := loadResource[kyverno.ClusterPolicy](t, policyRaw)
resource := loadUnstructured(t, resourceRaw)
expected := loadUnstructured(t, expectedRaw)
policyContext := createContext(t, &policy, resource, kyverno.Create)
policyContext := createContext(t, &policy, resource)

er := testMutate(context.TODO(), nil, nil, policyContext, nil)
require.Equal(t, 1, len(er.PolicyResponse.Rules))
Expand Down Expand Up @@ -1848,7 +1848,7 @@ func Test_mutate_existing_resources(t *testing.T) {
targets = append(targets, &target)
patchedTargets = append(patchedTargets, loadUnstructured(t, test.patchedTargets[i]))
}
policyContext := createContext(t, &policy, trigger, kyverno.Create)
policyContext := createContext(t, &policy, trigger)

gvrToListKind := map[schema.GroupVersionResource]string{
{Group: patchedTargets[0].GroupVersionKind().Group, Version: patchedTargets[0].GroupVersionKind().Version, Resource: patchedTargets[0].GroupVersionKind().Kind}: test.targetList,
