feat: add exception logic #5712
Codecov Report
@@ Coverage Diff @@
## main #5712 +/- ##
==========================================
- Coverage 34.62% 34.62% -0.01%
==========================================
Files 190 190
Lines 21080 21106 +26
==========================================
+ Hits 7300 7307 +7
- Misses 12970 12986 +16
- Partials 810 813 +3
Looks good to me.
looks good! a few minor comments for improvements.
pkg/engine/background.go
Outdated
if err == nil && exception != nil { | ||
key, err := cache.MetaNamespaceKeyFunc(exception) | ||
logger := logging.WithName("exception") | ||
// TODO: increase metrics |
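Review bot: `key, err := cache.MetaNamespaceKeyFunc(exception)` on the second line declares a new `err` inside the `if` block, shadowing the `err` tested in the condition above it. Any check of `err` after the block sees the outer variable, not the key error. Use a distinct name such as `keyErr`, or handle the key error before leaving the block.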
What do those comments mean? Do we need to increment the rule metrics or something else?
This is recommended by @eddycharly.
I assume this is to instrument the triggered exception count.
cc: @eddycharly Pls fix me if I'm understanding wrong, or anything you'd like to point out.
pkg/engine/background.go
Outdated
// check if there is a corresponding policy exception | ||
exception, err := matchesException(policyContext, &rule) | ||
// if we found an exception | ||
if err == nil && exception != nil { |
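Review bot: the condition `err == nil && exception != nil` on the last line treats a failed `matchesException` call the same as "no exception found": in the lines shown, a non-nil `err` is neither logged nor returned. If the rule is then evaluated as usual, that is the safe direction, but the lookup failure should still be visible. Log it or return a rule error before falling through to normal rule processing.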
can we make the handling of the exception reusable for all the rule types? Currently we are duplicating the same 15-20 lines of code in each.
Yeah, that sounds good. So I extracted the logic to a separate function `shouldRespondException`. Will that be good?
pkg/engine/background.go
Outdated
logger := logging.WithName("exception") | ||
// TODO: increase metrics | ||
if err != nil { | ||
logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) |
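Review bot: the `logger.Error` call on the last line identifies the exception by namespace and name but not the rule being evaluated, and `logging.WithName("exception")` on the first line creates a fresh logger that carries no such context. Add the rule name as a key/value pair, or derive the logger from one already scoped to the policy and rule, so the failure can be tied back to the rule it affected.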
We need to report a rule error in this case.
Sounds good! Updated with a RuleResponse returned (assume: `Status: response.RuleStatusError`). Will that be good?
pkg/engine/background.go
Outdated
logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) | ||
return &response.RuleResponse{ | ||
Name: rule.Name, | ||
Message: "Rule skipped because of PolicyException" + key, |
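Review bot: the skip is logged with `logger.V(3).Info` on the first line, so at lower verbosity levels nothing in the log records that a policy exception suppressed this rule. A rule bypass is something an auditor will want to see. Either log it at a lower verbosity level or make sure the returned `RuleResponse` is surfaced wherever rule results are reported.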
Can we make the text lower case? `"rule skipped due to policy exception " + key`
Yeah, sounds good!
d760469 to 60c244a
pkg/engine/validation.go
Outdated
log.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) | ||
return &response.RuleResponse{ | ||
Name: rule.Name, | ||
Message: "failed to find matched exception" + key, |
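Review bot: the `Message` on the last line says "failed to find matched exception" while the log call on the first line says the failure was computing the exception key, and it appends `key`, the value whose computation just failed. Use the same wording in both places and include `err.Error()` or the exception's namespace and name instead of `key`.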
needs a space after "...exception" before we + key
Thx for letting me know 👍
pkg/engine/validation.go
Outdated
// if we found an exception | ||
if err == nil && exception != nil { | ||
key, err := cache.MetaNamespaceKeyFunc(exception) | ||
// TODO: increase metrics |
remove as we are returning an error which counts in the metrics
pkg/engine/validation.go
Outdated
@@ -800,3 +788,29 @@ func matchesException(policyContext *PolicyContext, rule *kyvernov1.Rule) (*kyve | |||
} | |||
return nil, nil | |||
} | |||
|
|||
func shouldRespondException(ctx *PolicyContext, rule *kyvernov1.Rule, log logr.Logger) *response.RuleResponse { |
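Review bot: the first parameter of `shouldRespondException` is named `ctx`, while `matchesException` in the hunk header names the same `*PolicyContext` type `policyContext`. In Go, `ctx` conventionally denotes a `context.Context`, so keeping `policyContext` here would avoid confusion. The `log` parameter name would also shadow the standard library `log` package if that is ever imported in this file.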
rename to hasPolicyExceptions
pkg/engine/validation.go
Outdated
log.V(3).Info("policy rule skipped due to policy exception", "exception", key) | ||
return &response.RuleResponse{ | ||
Name: rule.Name, | ||
Message: "rule skipped due to policy exception" + key, |
missing space after "....exception"
pkg/engine/validation.go
Outdated
@@ -800,3 +788,29 @@ func matchesException(policyContext *PolicyContext, rule *kyvernov1.Rule) (*kyve | |||
} | |||
return nil, nil | |||
} | |||
|
|||
func shouldRespondException(ctx *PolicyContext, rule *kyvernov1.Rule, log logr.Logger) *response.RuleResponse { |
change return to (bool, *response.RuleResponse)
If it returns `true` then we process the response. Otherwise, we expect a nil response.
As discussed in channel, comment has been added to make it clear.
minor comments, please check!
Signed-off-by: Eileen Yu <eileenylj@gmail.com>
60c244a to c90823b
Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Md Sahil <Mohdssahil1@gmail.com>
Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>
Signed-off-by: Eileen Yu eileenylj@gmail.com
Explanation
Add policy exception logic to:
Related issue
#2627
Milestone of this PR
What type of PR is this
Proposed Changes
Proof Manifests
Checklist
Further Comments