8000 fix: use the generic policy in the CLI (cherry-pick #13035) by MariamFahmy98 · Pull Request #13059 · kyverno/kyverno · GitHub

fix: use the generic policy in the CLI (cherry-pick #13035) #13059


Merged
merged 2 commits into from
May 7, 2025
Merged
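--- a/cmd/cli/kubectl-kyverno/commands/apply/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go
@@ -583,8 +583,15 @@ func (c *ApplyCommandConfig) applyImageValidatingPolicies(
 return responses, nil
 }
 
-func (c *ApplyCommandConfig) loadResources(out io.Writer, paths []string, policies []kyvernov1.PolicyInterface, vap []admissionregistrationv1.ValidatingAdmissionPolicy, dClient dclient.Interface) ([]*unstructured.Unstructured, []*unstructured.Unstructured, error) {
-resources, err := common.GetResourceAccordingToResourcePath(out, nil, paths, c.Cluster, policies, vap, dClient, c.Namespace, c.PolicyReport, "")
+func (c *ApplyCommandConfig) loadResources(out io.Writer, paths []string, policies []kyvernov1.PolicyInterface, vaps []admissionregistrationv1.ValidatingAdmissionPolicy, dClient dclient.Interface) ([]*unstructured.Unstructured, []*unstructured.Unstructured, error) {
+genericPolicies := make([]engineapi.GenericPolicy, 0, len(policies)+len(vaps))
+for _, pol := range policies {
+genericPolicies = append(genericPolicies, engineapi.NewKyvernoPolicy(pol))
+}
+for _, pol := range vaps {
+genericPolicies = append(genericPolicies, engineapi.NewValidatingAdmissionPolicy(&pol))
+}
+resources, err := common.GetResourceAccordingToResourcePath(out, nil, paths, c.Cluster, genericPolicies, dClient, c.Namespace, c.PolicyReport, "")
 if err != nil {
 return resources, nil, fmt.Errorf("failed to load resources (%w)", err)
 }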
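Review bot: `engineapi.NewValidatingAdmissionPolicy(&pol)` in the second loop takes the address of the range variable rather than of the slice element. With per-iteration loop variables (Go 1.22+, selected by the `go` directive in go.mod, which is not visible here) each wrapper points at its own copy, but under the older semantics every wrapper would alias the last VAP and the earlier policies would silently drop out of whatever is computed from the list. Indexing removes both the dependence and the copy: `for i := range vaps {` with `engineapi.NewValidatingAdmissionPolicy(&vaps[i])`. The same pattern is added in commands/test/test.go for `results.VAPs`. `loadResources` continues past the end of the hunk.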
11 changes: 9 additions & 2 deletions cmd/cli/kubectl-kyverno/commands/test/test.go
Expand Up @@ -85,10 +85,17 @@
if err != nil {
return nil, fmt.Errorf("error: failed to load policies (%s)", err)
}
genericPolicies := make([]engineapi.GenericPolicy, 0, len(results.Policies)+len(results.VAPs))
for _, pol := range results.Policies {
genericPolicies = append(genericPolicies, engineapi.NewKyvernoPolicy(pol))
}

Check warning on line 91 in cmd/cli/kubectl-kyverno/commands/test/test.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/commands/test/test.go#L90-L91

Added lines #L90 - L91 were not covered by tests
for _, pol := range results.VAPs {
genericPolicies = append(genericPolicies, engineapi.NewValidatingAdmissionPolicy(&pol))
}

Check warning on line 94 in cmd/cli/kubectl-kyverno/commands/test/test.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/commands/test/test.go#L93-L94

Added lines #L93 - L94 were not covered by tests
// resources
fmt.Fprintln(out, " Loading resources", "...")
resourceFullPath := path.GetFullPaths(testCase.Test.Resources, testDir, isGit)
resources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, resourceFullPath, false, results.Policies, results.VAPs, dClient, "", false, testDir)
resources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, resourceFullPath, false, genericPolicies, dClient, "", false, testDir)
if err != nil {
return nil, fmt.Errorf("error: failed to load resources (%s)", err)
}
Expand All @@ -110,7 +117,7 @@
}
}
targetResourcesPath := path.GetFullPaths(testCase.Test.TargetResources, testDir, isGit)
targetResources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, targetResourcesPath, false, results.Policies, results.VAPs, dClient, "", false, testDir)
targetResources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, targetResourcesPath, false, genericPolicies, dClient, "", false, testDir)
if err != nil {
return nil, fmt.Errorf("error: failed to load target resources (%s)", err)
}
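Review bot: The loops that build `genericPolicies` from `results.Policies` and `results.VAPs` at the top of the first hunk are a second copy of the conversion added to `loadResources` in commands/apply/command.go. A small shared helper, for example `func toGenericPolicies(policies []kyvernov1.PolicyInterface, vaps []admissionregistrationv1.ValidatingAdmissionPolicy) []engineapi.GenericPolicy` kept next to `GetResourceAccordingToResourcePath`, would make both commands wrap policies the same way and leave one place to exercise the wrapping directly. The parameter types are inferred from the previous call signature, and the enclosing function starts and ends outside the hunks shown.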
7 changes: 3 additions & 4 deletions cmd/cli/kubectl-kyverno/utils/common/common.go
Expand Up @@ -15,8 +15,8 @@
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/source"
"github.com/kyverno/kyverno/pkg/autogen"
"github.com/kyverno/kyverno/pkg/clients/dclient"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
Expand All @@ -29,8 +29,7 @@
fs billy.Filesystem,
resourcePaths []string,
cluster bool,
policies []kyvernov1.PolicyInterface,
validatingAdmissionPolicies []admissionregistrationv1.ValidatingAdmissionPolicy,
policies []engineapi.GenericPolicy,
dClient dclient.Interface,
namespace string,
policyReport bool,
Expand Down Expand Up @@ -77,7 +76,7 @@
resourcePaths = listOfFiles
}
}
resources, err = GetResources(out, policies, validatingAdmissionPolicies, resourcePaths, dClient, cluster, namespace, policyReport)
resources, err = GetResources(out, policies, resourcePaths, dClient, cluster, namespace, policyReport)

Check warning on line 79 in cmd/cli/kubectl-kyverno/utils/common/common.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/common.go#L79

Added line #L79 was not covered by tests
if err != nil {
return resources, err
}
72 changes: 51 additions & 21 deletions cmd/cli/kubectl-kyverno/utils/common/fetch.go
Expand Up @@ -13,7 +13,9 @@
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/log"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/resource"
"github.com/kyverno/kyverno/pkg/admissionpolicy"
"github.com/kyverno/kyverno/pkg/autogen"
"github.com/kyverno/kyverno/pkg/clients/dclient"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
utils "github.com/kyverno/kyverno/pkg/utils/restmapper"
admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
Expand All @@ -28,8 +30,7 @@
// - the k8s cluster, if given
func GetResources(
out io.Writer,
policies []kyvernov1.PolicyInterface,
validatingAdmissionPolicies []admissionregistrationv1.ValidatingAdmissionPolicy,
policies []engineapi.GenericPolicy,
resourcePaths []string,
dClient dclient.Interface,
cluster bool,
Expand All @@ -40,33 +41,62 @@
var err error

if cluster && dClient != nil {
if len(policies) > 0 {
matchedResources := &KyvernoResources{
policies: policies,
}

resources, err = matchedResources.FetchResourcesFromPolicy(out, resourcePaths, dClient, namespace, policyReport)
if err != nil {
return resources, err
}
resources, err = fetchResourcesFromPolicy(out, policies, resourcePaths, 8000 dClient, namespace, policyReport)
if err != nil {
return resources, err

Check warning on line 46 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L44-L46

Added lines #L44 - L46 were not covered by tests
}
} else if len(resourcePaths) > 0 {
resources, err = whenClusterIsFalse(out, resourcePaths, policyReport)
if err != nil {
return resources, err
}

Check warning on line 52 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L48-L52

Added lines #L48 - L52 were not covered by tests
}
return resources, err

Check warning on line 54 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L54

Added line #L54 was not covered by tests
}

if len(validatingAdmissionPolicies) > 0 {
matchedResources := &ValidatingAdmissionResources{
policies: validatingAdmissionPolicies,
}
func fetchResourcesFromPolicy(
out io.Writer,
policies []engineapi.GenericPolicy,
resourcePaths []string,
dClient dclient.Interface,
namespace string,
policyReport bool,
) ([]*unstructured.Unstructured, error) {
var resources []*unstructured.Unstructured
var err error

Check warning on line 66 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L64-L66

Added lines #L64 - L66 were not covered by tests

resources, err = matchedResources.FetchResourcesFromPolicy(out, resourcePaths, dClient, namespace, policyReport)
resourceTypesMap := make(map[schema.GroupVersionKind]bool)
var subresourceMap map[schema.GroupVersionKind]v1alpha1.Subresource

for _, policy := range policies {
if kpol := policy.AsKyvernoPolicy(); kpol != nil {
for _, rule := range autogen.Default.ComputeRules(kpol, "") {
var resourceTypesInRule map[schema.GroupVersionKind]bool
resourceTypesInRule, subresourceMap = GetKindsFromRule(rule, dClient)
6D47 for resourceKind := range resourceTypesInRule {
resourceTypesMap[resourceKind] = true
}

Check warning on line 78 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L68-L78

Added lines #L68 - L78 were not covered by tests
}
} else if vap := policy.AsValidatingAdmissionPolicy(); vap != nil {
definition := vap.GetDefinition()
var resourceTypesInRule map[schema.GroupVersionKind]bool
resourceTypesInRule, subresourceMap = getKindsFromValidatingAdmissionPolicy(*definition, dClient)

Check warning on line 83 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L80-L83

Added lines #L80 - L83 were not covered by tests
if err != nil {
return resources, err
}
}
} else if len(resourcePaths) > 0 {
resources, err = whenClusterIsFalse(out, resourcePaths, policyReport)
if err != nil {
return resources, err
for resourceKind := range resourceTypesInRule {
resourceTypesMap[resourceKind] = true
}

Check warning on line 89 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L87-L89

Added lines #L87 - L89 were not covered by tests
}
}

resourceTypes := make([]schema.GroupVersionKind, 0, len(resourceTypesMap))
for kind := range resourceTypesMap {
resourceTypes = append(resourceTypes, kind)
}

Check warning on line 96 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L93-L96

Added lines #L93 - L96 were not covered by tests

resources, err = whenClusterIsTrue(out, resourceTypes, subresourceMap, dClient, namespace, resourcePaths, policyReport)

Check warning on line 99 in cmd/cli/kubectl-kyverno/utils/common/fetch.go


Codecov / codecov/patch

cmd/cli/kubectl-kyverno/utils/common/fetch.go#L98-L99

Added lines #L98 - L99 were not covered by tests
return resources, err
}

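Review bot: `subresourceMap` in `fetchResourcesFromPolicy` is reassigned by every `GetKindsFromRule` and `getKindsFromValidatingAdmissionPolicy` call, while `resourceTypesMap` is accumulated, so only the map returned for the last rule or policy reaches `whenClusterIsTrue`. If that function uses the map to fetch subresources (its body is not shown), kinds contributed by earlier policies would be fetched without their subresource entries and a cluster run would report on fewer objects than the policies cover. Merging each returned map into one, as sketched below, keeps the two collections in step; the `var resourceTypesInRule` declarations become unnecessary with `:=`. Separately, the `if err != nil` check that appears to remain after the `getKindsFromValidatingAdmissionPolicy` call tests an `err` that nothing in this function has assigned yet, so it can be dropped.

```go
subresourceMap := make(map[schema.GroupVersionKind]v1alpha1.Subresource)
// … unchanged: loop over policies, Kyverno branch, autogen rule loop …
resourceTypesInRule, subresources := GetKindsFromRule(rule, dClient)
for gvk, sub := range subresources {
	subresourceMap[gvk] = sub
}
// … unchanged: copy resourceTypesInRule into resourceTypesMap; VAP branch header and definition lookup …
resourceTypesInRule, subresources := getKindsFromValidatingAdmissionPolicy(*definition, dClient)
for gvk, sub := range subresources {
	subresourceMap[gvk] = sub
}
// … unchanged: copy resourceTypesInRule into resourceTypesMap, build resourceTypes, whenClusterIsTrue call …
```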
43 changes: 0 additions & 43 deletions cmd/cli/kubectl-kyverno/utils/common/kyverno_resources_types.go

This file was deleted.

This file was deleted.
