diff --git a/README.md b/README.md
index 0796068..cbb5be8 100644
--- a/README.md
+++ b/README.md
@@ -301,10 +301,10 @@ The `/v1/policies/exception` API provides a way to create an Exception for a giv
 "name": "local-path-provisioner",
 "namespace": "local-path-storage"
 },
- "policy": {
+ "policies": [{
 "name": "disallow-capabilities-strict",
 "rules": ["autogen-require-drop-all"]
- }
+ }]
 }
 ```
diff --git a/plugins/kyverno/pkg/server/v1/handler.go b/plugins/kyverno/pkg/server/v1/handler.go
index 6ed78cc..079b941 100644
--- a/plugins/kyverno/pkg/server/v1/handler.go
+++ b/plugins/kyverno/pkg/server/v1/handler.go
@@ -72,46 +72,50 @@ func (h *APIHandler) Exception(ctx *gin.Context) {
 return
 }
- if len(request.Policy.Rules) == 0 {
- name, namespace := utils.SplitPolicyName(request.Policy.Name)
-
- policy, err := h.client.GetCRD(ctx, name, namespace)
- if err != nil {
- ctx.AbortWithError(http.StatusNotFound, err)
- }
-
- var rules []string
-
- if policy.GetSpec() != nil {
- rules = utils.Map(policy.GetSpec().Rules, func(rule v1.Rule) string {
- return rule.Name
- })
- }
-
- if policy.GetStatus() != nil {
- rules = append(rules, utils.Map(policy.GetStatus().Autogen.Rules, func(rule v1.Rule) string {
- return rule.Name
- })...)
+ for i, policy := range request.Policies {
+ if len(policy.Rules) == 0 {
+ name, namespace := utils.SplitPolicyName(policy.Name)
+
+ policy, err := h.client.GetCRD(ctx, name, namespace)
+ if err != nil {
+ ctx.AbortWithError(http.StatusNotFound, err)
+ }
+
+ var rules []string
+
+ if policy.GetSpec() != nil {
+ rules = utils.Map(policy.GetSpec().Rules, func(rule v1.Rule) string {
+ return rule.Name
+ })
+ }
+
+ if policy.GetStatus() != nil {
+ rules = append(rules, utils.Map(policy.GetStatus().Autogen.Rules, func(rule v1.Rule) string {
+ return rule.Name
+ })...)
+ }
+
+ request.Policies[i].Rules = rules
 }
-
- request.Policy.Rules = rules
 }
 kinds := []string{request.Resource.Kind}
 if utils.Contains(ControllerKinds, request.Resource.Kind) {
 kinds = append(kinds, "Pod")
- if len(request.Policy.Rules) == 1 && strings.HasPrefix(request.Policy.Rules[0], "autogen-cronjob-") {
- request.Policy.Rules = append(
- request.Policy.Rules,
- strings.Replace(request.Policy.Rules[0], "autogen-cronjob-", "autogen-", 1),
- strings.TrimPrefix(request.Policy.Rules[0], "autogen-cronjob-"),
- )
- } else if len(request.Policy.Rules) == 1 && strings.HasPrefix(request.Policy.Rules[0], "autogen-") {
- request.Policy.Rules = append(
- request.Policy.Rules,
- strings.TrimPrefix(request.Policy.Rules[0], "autogen-"),
- )
+ for i, policy := range request.Policies {
+ if len(policy.Rules) == 1 && strings.HasPrefix(policy.Rules[0], "autogen-cronjob-") {
+ request.Policies[i].Rules = append(
+ policy.Rules,
+ strings.Replace(policy.Rules[0], "autogen-cronjob-", "autogen-", 1),
+ strings.TrimPrefix(policy.Rules[0], "autogen-cronjob-"),
+ )
+ } else if len(policy.Rules) == 1 && strings.HasPrefix(policy.Rules[0], "autogen-") {
+ request.Policies[i].Rules = append(
+ policy.Rules,
+ strings.TrimPrefix(policy.Rules[0], "autogen-"),
+ )
+ }
 }
 }
@@ -123,6 +127,14 @@ func (h *APIHandler) Exception(ctx *gin.Context) {
 kinds = append(kinds, "Job")
 }
+ exPolicies := make([]v2beta1.Exception, 0, len(request.Policies))
+ for _, p := range request.Policies {
+ exPolicies = append(exPolicies, v2beta1.Exception{
+ PolicyName: p.Name,
+ RuleNames: p.Rules,
+ })
+ }
+
 exception := v2beta1.PolicyException{
 TypeMeta: metav1.TypeMeta{
 Kind: "PolicyException",
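Review bot: The lookup failure path at `ctx.AbortWithError(http.StatusNotFound, err)` still has no `return`, so after a failed GetCRD the loop goes on to call `policy.GetSpec()` on whatever the failed call returned and keeps iterating, possibly aborting the same context more than once; add `return` directly after the abort. Because `request.Policies` is now a slice of pointers, a `null` element in the request body decodes to a nil pointer and `policy.Rules` on the first loop line dereferences it before any of this runs; the hunk at @@ -123 does the same through `p.Name`, so a guard at the top of the first loop, `if policy == nil { ctx.AbortWithStatus(http.StatusBadRequest); return }`, covers both. The inner `policy, err := h.client.GetCRD(...)` shadows the loop variable `policy` with a value of a different type, which makes the later `request.Policies[i].Rules = rules` harder to follow; naming the looked-up object `crd` would avoid that. Exception starts before and ends after this hunk.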
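Review bot: Nothing rejects an empty `policies` array, so a body with `"policies": []` passes both earlier loops untouched and the `exPolicies` built here is empty, producing a PolicyException whose exceptions list carries no entries; the old single `policy` field could not express that case. Guard before this loop (or where the request is bound, above the hunk) with `if len(request.Policies) == 0 { ctx.AbortWithStatus(http.StatusBadRequest); return }`. A one-line comment on the loop, `// one Exception per requested policy, rules already expanded above`, would also tell a reader why the expansion is not repeated here. Exception starts before and ends after this hunk.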
@@ -133,12 +145,7 @@ func (h *APIHandler) Exception(ctx *gin.Context) {
 Namespace: request.Resource.Namespace,
 },
 Spec: v2beta1.PolicyExceptionSpec{
- Exceptions: []v2beta1.Exception{
- {
- PolicyName: request.Policy.Name,
- RuleNames: request.Policy.Rules,
- },
- },
+ Exceptions: exPolicies,
 Match: v2beta1.MatchResources{
 Any: []v1.ResourceFilter{
 {
diff --git a/sdk/api/model.go b/sdk/api/model.go
index b459e26..cbc2815 100644
--- a/sdk/api/model.go
+++ b/sdk/api/model.go
@@ -69,8 +69,8 @@ type ExceptionPolicy struct {
 }
 type ExceptionRequest struct {
- Resource Resource `json:"resource"`
- Policy ExceptionPolicy `json:"policy"`
+ Resource Resource `json:"resource"`
+ Policies []*ExceptionPolicy `json:"policies"`
 }
 type ExceptionResponse struct {
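Review bot: `Policies []*ExceptionPolicy` admits nil elements, since a JSON `null` inside the array decodes to a nil pointer that every consumer must then check; the handler already writes through `request.Policies[i]`, so a value slice, `Policies []ExceptionPolicy` with the same `json:"policies"` tag, gives the same wire shape without that failure mode. The rename also changes the accepted body from `policy` to `policies`, which deserves a doc comment on the struct, e.g. `// ExceptionRequest asks for one PolicyException covering Resource, with one entry per element of Policies.` ExceptionRequest lies fully inside this hunk; ExceptionPolicy above it is cut.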