This repository has been archived by the owner on Jul 18, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 2
/
accept.go
115 lines (97 loc) · 2.94 KB
/
accept.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
package rules
import (
"github.com/golang/glog"
"k8s.io/apimachinery/pkg/runtime/schema"
"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
)
type Accepter interface {
Covers(schema.GroupResource) bool
Accepts(*ImagePolicyAttributes) bool
}
// mappedAccepter implements the Accepter interface for a map of group resources and accepters
type mappedAccepter map[schema.GroupResource]Accepter
func (a mappedAccepter) Covers(gr schema.GroupResource) bool {
_, ok := a[gr]
return ok
}
// Accepts returns true if no Accepter is registered for the group resource in attributes,
// or if the registered Accepter also returns true.
func (a mappedAccepter) Accepts(attr *ImagePolicyAttributes) bool {
accepter, ok := a[attr.Resource]
if !ok {
return true
}
return accepter.Accepts(attr)
}
type executionAccepter struct {
rules []api.ImageExecutionPolicyRule
covers schema.GroupResource
defaultReject bool
integratedRegistryMatcher RegistryMatcher
}
// NewExecutionRuleseAccepter creates an Accepter from the provided rules.
func NewExecutionRulesAccepter(rules []api.ImageExecutionPolicyRule, integratedRegistryMatcher RegistryMatcher) (Accepter, error) {
mapped := make(mappedAccepter)
for _, rule := range rules {
over, selectors, err := imageConditionInfo(&rule.ImageCondition)
if err != nil {
return nil, err
}
rule.ImageCondition.MatchImageLabelSelectors = selectors
for gr := range over {
a, ok := mapped[gr]
if !ok {
a = &executionAccepter{
covers: gr,
integratedRegistryMatcher: integratedRegistryMatcher,
}
mapped[gr] = a
}
byResource := a.(*executionAccepter)
byResource.rules = append(byResource.rules, rule)
}
}
for _, a := range mapped {
byResource := a.(*executionAccepter)
if len(byResource.rules) > 0 {
// if all rules are reject, the default behavior is allow
allReject := true
for _, rule := range byResource.rules {
if !rule.Reject {
allReject = false
break
}
}
byResource.defaultReject = !allReject
}
}
return mapped, nil
}
func (r *executionAccepter) Covers(gr schema.GroupResource) bool {
return r.covers == gr
}
func (r *executionAccepter) Accepts(attrs *ImagePolicyAttributes) bool {
if attrs.Resource != r.covers {
return true
}
anyMatched := false
for _, rule := range r.rules {
if attrs.ExcludedRules.Has(rule.Name) && !rule.IgnoreNamespaceOverride {
continue
}
// if we don't have a resolved image and we're supposed to skip the rule if that happens,
// continue here. Otherwise, the reject option is impossible to reason about.
if attrs.Image == nil && rule.SkipOnResolutionFailure {
continue
}
matches := matchImageCondition(&rule.ImageCondition, r.integratedRegistryMatcher, attrs)
glog.V(5).Infof("Validate image %v against rule %q: %t", attrs.Name, rule.Name, matches)
if matches {
if rule.Reject {
return false
}
anyMatched = true
}
}
return anyMatched || !r.defaultReject
}