Showing with 19 additions and 22 deletions.
  1. +1 −1 src/callback_handler/mod.rs
  2. +2 −10 src/runtimes/rego/context_aware.rs
  3. +2 −0 src/runtimes/rego/opa_inventory.rs
  4. +13 −8 src/runtimes/rego/runtime.rs
  5. +1 −3 src/runtimes/rego/stack.rs
2 changes: 1 addition & 1 deletion src/callback_handler/mod.rs
@@ -307,7 +307,7 @@ impl CallbackHandler {
handle_callback!(
req,
format!("{api_version}/{kind}"),
"Is Kubernetes resource namespaced",
"Get Kubernetes resource plural name",
{
kubernetes::get_resource_plural_name(
self.kubernetes_client.as_mut(),
12 changes: 2 additions & 10 deletions src/runtimes/rego/context_aware.rs
@@ -10,17 +10,9 @@ use kube::api::ObjectList;
use tokio::sync::{mpsc, oneshot};

#[derive(serde::Serialize)]
pub(crate) struct EmptyContext(serde_json::Value);

impl Default for EmptyContext {
fn default() -> Self {
EmptyContext(serde_json::Value::Null)
}
}

#[derive(serde::Serialize)]
#[serde(untagged)]
pub(crate) enum KubernetesContext {
Empty(EmptyContext),
Empty,
Opa(OpaInventory),
Gatekeeper(GatekeeperInventory),
}
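Review bot: `Empty` is now a unit variant of an `#[serde(untagged)]` enum, which serde serializes through `serialize_unit`, i.e. as JSON `null`; the removed `EmptyContext(serde_json::Value::Null)` produced the same output, but that equivalence is no longer visible at the definition. A doc comment on the variant would keep it explicit, e.g. `/// No Kubernetes data was requested; serializes as JSON null because the enum is untagged.` Any code that still expects the old wrapped form of `Empty` is outside this hunk and should be checked separately.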
2 changes: 2 additions & 0 deletions src/runtimes/rego/opa_inventory.rs
@@ -86,6 +86,8 @@ impl ResourcesByName {
}
}

/// A wrapper around a dictionary that has the name of the namespace as key and the list of
/// ResourcesByName as value
#[derive(Serialize, Default)]
pub(crate) struct ResourcesByNamespace(HashMap<String, ResourcesByName>);
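Review bot: The new doc comment says the value is "the list of ResourcesByName", but the field type on the line below is a single `ResourcesByName` per namespace, not a list. Suggest `/// A wrapper around a dictionary keyed by namespace name, whose value is the ResourcesByName for that namespace`. The surrounding `impl ResourcesByName` block closes at the top of the hunk and is otherwise not visible here.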

21 changes: 13 additions & 8 deletions src/runtimes/rego/runtime.rs
@@ -9,6 +9,8 @@ use crate::policy_evaluator::RegoPolicyExecutionMode;
use crate::policy_evaluator::{PolicySettings, ValidateRequest};
use crate::runtimes::rego::{context_aware, BurregoStack};

use super::context_aware::KubernetesContext;

pub(crate) struct Runtime<'a>(pub(crate) &'a mut BurregoStack);

impl<'a> Runtime<'a> {
@@ -38,15 +40,18 @@ impl<'a> Runtime<'a> {
// We don't know the data that is provided by the users via
// their settings, hence set the context aware data last, to
// ensure we overwrite what a user might have set.
let mut data = settings.clone();
if data
.insert("kubernetes".to_string(), json!(ctx_data))
.is_some()
{
warn!("OPA policy had user provided setting with key `kubernnetes`. This value has been overwritten with the actual kubernetes context data");
}
let data = match ctx_data {
KubernetesContext::Opa(ctx) => {
let mut data = settings.clone();
if data.insert("kubernetes".to_string(), json!(ctx)).is_some() {
warn!("OPA policy had user provided setting with key `kubernetes`. This value has been overwritten with the actual kubernetes context data");
}
json!(data)
}
_ => json!(settings),
};

(input, json!(data))
(input, data)
}
RegoPolicyExecutionMode::Gatekeeper => {
// Gatekeeper policies include a toplevel `review`
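Review bot: The `_ => json!(settings)` arm in the second hunk covers both `KubernetesContext::Empty` and `KubernetesContext::Gatekeeper(_)`, so an OPA policy handed a Gatekeeper inventory would be evaluated without any `kubernetes` data and without a log line saying so. Matching the variants explicitly keeps the compiler involved when a variant is added and lets the mismatch be logged, the way the `Opa` arm already logs an overwritten user setting. Whether the Gatekeeper case can occur here depends on how the stack builds the context, which is outside this hunk; the enclosing function also starts above the hunk.
```rust
let data = match ctx_data {
    // … unchanged: Opa arm …
    KubernetesContext::Empty => json!(settings),
    KubernetesContext::Gatekeeper(_) => {
        warn!("OPA policy received a Gatekeeper context; no kubernetes context data was injected");
        json!(settings)
    }
};
```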
4 changes: 1 addition & 3 deletions src/runtimes/rego/stack.rs
@@ -23,9 +23,7 @@ impl BurregoStack {
ctx_aware_resources_allow_list: &HashSet<ContextAwareResource>,
) -> Result<context_aware::KubernetesContext> {
if ctx_aware_resources_allow_list.is_empty() {
return Ok(context_aware::KubernetesContext::Empty(
context_aware::EmptyContext::default(),
));
return Ok(context_aware::KubernetesContext::Empty);
}

match callback_channel {
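Review bot: The early return on `ctx_aware_resources_allow_list.is_empty()` is the gate that decides whether the policy receives any cluster data at all, and the function carries no doc comment explaining that. A `///` line on the function, whose signature starts above the hunk and whose body continues below it, such as `/// Returns KubernetesContext::Empty when the policy declares no context-aware resources, so no cluster data is built for it` would make the least-privilege intent explicit. Whether the `match callback_channel` path that follows is where the fetch happens is not visible in this hunk.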