Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

518 pod controller #573

Merged
merged 36 commits into from
Jan 2, 2020
Merged

518 pod controller #573

merged 36 commits into from
Jan 2, 2020

Conversation

realshuting
Copy link
Member

@realshuting realshuting commented Dec 27, 2019
edited

Fix #518, tested #572.

shivkumar dudhani and others added 27 commits December 11, 2019 09:45
initial commit
12edc56
variable substitution
7c9bc6f
update tests
8b1e084
update test
507c43d
refactor engine packages for validate & generate
b5de11f
update vendor
bee6f90
update toml
80867b7
support variable substitution in overlay mutation
8414681
merge master
5659f2f
missing update
0bd05fd
fix indentation in logs
c4da72a
store context values as single JSON document using merge patches.
38987d5
Merge branch 'master' into 529_query
615f1ae
Merge branch 'master' into 529_query
a86aa06
remove duplicate functions
2a56a8e
fix message string
d04f49b
@realshuting
add omitempty to types
e3a8cab
@realshuting
generate rule for pod controllers
74b85d8
@realshuting
add unit test
cc87ea7
@realshuting
Merge branch '529_query' into 518_pod_controller
8be4db3
@realshuting
Merge commit 'f1330ede8234eb4d449eb9ec72b41c627488350d' into 518_pod_…
1f0187e 
…controller
@realshuting
fix merge error
a8aa835
@realshuting
update autogen annotation for pod controllers
b525589
@realshuting
- insert annotation to podTemplate; - skip apply rule on pod if annot…
54ecb77 
…ation exists
@realshuting
Merge branch 'master' into 518_pod_controller
f0d943e
@realshuting
skip process existing pod if annotation present
0761966
@realshuting
fix rule mis-application
eb6ab9d
@realshuting realshuting changed the base branch from master to 529_query December 27, 2019 03:15
@realshuting realshuting mentioned this pull request Dec 28, 2019
Closed
@realshuting realshuting changed the title [WIP] 518 pod controller 518 pod controller Dec 28, 2019
@shivdudhani shivdudhani changed the base branch from 529_query to master December 31, 2019 01:09
@realshuting
Merge commit '5b8ab3842b43a72cc675b93b8b72e290adfca1d2' into 518_pod_…
d36934f 
…controller

# Conflicts:
#	pkg/api/kyverno/v1/types.go
#	pkg/engine/mutation.go
#	pkg/engine/mutation_test.go
#	pkg/engine/validation.go
#	pkg/policy/existing.go
@realshuting
Merge pull request #584 from nirmata/371_omitempty
2d022d4 
add anchors for omitempty tag
shivdudhani
shivdudhani approved these changes Jan 2, 2020
View reviewed changes
Copy link
Contributor

@shivdudhani shivdudhani left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving this for now due to time, as this is intermediate changes and will be re-worked soon.
In future will be better to decouple the logic from engine. As the engine api should not return different results fro policy-controller and admission control. But the behavior should be handed my the caller of the engine api.
Alos use background flag to identify if the policy is to be processed in background, but this is a user controlled flag.

pkg/api/kyverno/v1/types.go Outdated Show resolved Hide resolved
pkg/api/kyverno/v1/types.go Outdated Show resolved Hide resolved
pkg/engine/mutation.go
@@ -39,7 +48,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {

for _, rule := range policy.Spec.Rules {
//TODO: to be checked before calling the resources as well
if !rule.HasMutate() {
if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use slice of strings instead of comma-separated string of values.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason to change to a slice?

pkg/engine/mutation.go

if strings.Contains(PodControllers, resource.GetKind()) {
var ruleResponse response.RuleResponse
ruleResponse, patchedResource = processOverlay(ctx, podTemplateRule, patchedResource)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would the annotation be also added for existing resources?
When policy-contoller is processing values in the background. For mutation, we don't apply patches to the resource.
With this, we will create a policy violation if the annotation is not present.

Shouldn't we add annotations in admission control only and not the policy-controller ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See: https://github.com/nirmata/kyverno/blob/2d022d457a48363c58ea224a681e92dfa6b83af0/pkg/engine/mutation.go#L97-L98

@realshuting
Copy link
Member Author

@shivdudhani
Please note the initial proposal was to have a built-in policy that handles the case of generating rule on pod controller: https://github.com/nirmata/kyverno/issues/518#issuecomment-564727039. "As the engine api should not return different results fro policy-controller and admission control": the way we generate the annotation patch on pod is by applying podTemplateRule, this rule should be included in the built-in policy as well.

@shivdudhani
Copy link
Contributor

@realshuting
The generation of new rules will be part of policy mutation. But from policy engine API takes resource and policy as input, but to my understanding, we do checks for rules on pod-controllers inside the policy engine. Ideal we would want to process this outside.

Also we skip some rules in background mode which does not depend on background flag, so let's capture those scenarios as its tricky, and can be handled in later fixes.

The intent to have a clear separation of logic in code. As we now have no control if the auto-generate rules as an update, we should capture the cases in an issue so that we can work on them in the future.

@realshuting realshuting mentioned this pull request Jan 2, 2020
Closed
@realshuting
Copy link
Member Author

Yes we should be able to handle the scenario when policy updates, track #586.

And as you mentioned: ".. from policy engine API takes resource and policy as input .., .. we do checks for rules on pod-controllers inside the policy engine", the problem here is engine accepts A policy while annotation patches are generated PER rule, maybe later with the built-in policy, we should be able to express this condition(applies to incoming resource) in the rule definition.

@realshuting realshuting merged commit db4d3d2 into master Jan 2, 2020
@realshuting realshuting deleted the 518_pod_controller branch January 2, 2020 22:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shivdudhani shivdudhani shivdudhani approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Pod policies should automatically be applied to pod controllers
2 participants
@realshuting @shivdudhani