execute the ResourceEnumerator

dwertent
2021-12-09 13:41:19 +02:00
parent e7917277e7
commit 3ca61b218e
2 changed files with 11 additions and 13 deletions


@@ -168,10 +168,6 @@ func (opap *OPAProcessor) processRule(rule *reporthandling.PolicyRule) (*reporth
inputRawResources := workloadinterface.ListMetaToMap(inputResources)
if inputRawResources, err = opap.executePreRun(rule, inputRawResources); err != nil {
return nil, err
}
ruleReport, err := opap.runOPAOnSingleRule(rule, inputRawResources, ruleData)
if err != nil {
// ruleReport.RuleStatus.Status = reporthandling.StatusFailed
@@ -182,7 +178,12 @@ func (opap *OPAProcessor) processRule(rule *reporthandling.PolicyRule) (*reporth
ruleReport.RuleStatus.Status = reporthandling.StatusPassed
}
inputResources = workloadinterface.ListMapToMeta(inputRawResources)
// the failed resources are a subgroup of the enumeratedData, so we store the enumeratedData like it was the input data
enumeratedData, err := opap.enumerateData(rule, inputRawResources)
if err != nil {
return nil, err
}
inputResources = workloadinterface.ListMapToMeta(enumeratedData)
ruleReport.ListInputKinds = workloadinterface.ListMetaIDs(inputResources)
// remove all data from responses, leave only the metadata
@@ -261,12 +262,12 @@ func (opap *OPAProcessor) regoEval(inputObj []map[string]interface{}, compiledRe
return results, nil
}
func (opap *OPAProcessor) executePreRun(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}) ([]map[string]interface{}, error) {
func (opap *OPAProcessor) enumerateData(rule *reporthandling.PolicyRule, k8sObjects []map[string]interface{}) ([]map[string]interface{}, error) {
if preRuleData(rule) == "" {
if ruleEnumeratorData(rule) == "" {
return k8sObjects, nil
}
ruleReport, err := opap.runOPAOnSingleRule(rule, k8sObjects, preRuleData)
ruleReport, err := opap.runOPAOnSingleRule(rule, k8sObjects, ruleEnumeratorData)
if err != nil {
return nil, err
}
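Review bot: The new comment in processRule says the failed resources are a subgroup of enumeratedData, but nothing in the visible lines checks that before `inputResources` is overwritten with the enumerator's output and `ListInputKinds` is derived from it. If a rule's `ResourceEnumerator` returns a set that omits a resource the rule failed, the report would list inputs that do not cover its own failures, which for a scanner understates what was evaluated. An enumerator error also returns `nil, err` and drops the `ruleReport` that `runOPAOnSingleRule` already produced; how the caller reports that is not visible here. I would state the contract on enumerateData, for example `// enumerateData must return a superset of the resources the rule can fail; the result replaces the rule's input list in the report`, and decide explicitly whether an enumerator failure should discard the rule result. Both processRule and enumerateData continue outside the hunks.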


@@ -144,9 +144,6 @@ func ruleData(rule *reporthandling.PolicyRule) string {
return rule.Rule
}
func preRuleData(rule *reporthandling.PolicyRule) string {
if len(rule.PreRun) > 0 {
return rule.PreRun[0]
}
return ""
func ruleEnumeratorData(rule *reporthandling.PolicyRule) string {
return rule.ResourceEnumerator
}
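Review bot: ruleEnumeratorData has no doc comment, and the empty-string return is now the only signal enumerateData uses to skip enumeration and pass the input through unchanged. I would document that on the getter, e.g. `// ruleEnumeratorData returns rule.ResourceEnumerator; an empty string means the rule defines no enumerator and callers keep the original input.` The function also dereferences `rule` without a nil check, as `ruleData` above it appears to do, so the comment could note that callers must pass a non-nil rule.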