Add auto exemption

giantswarm · Jan 7, 2025 · e482a1d · e482a1d
1 parent 5ba7afa
commit e482a1d
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 2 deletions.
diff --git a/internal/controller/chart_controller.go b/internal/controller/chart_controller.go
@@ -37,6 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/giantswarm/kyverno-policy-operator/internal/utils"
+	edgedbutils "github.com/giantswarm/kyverno-policy-operator/internal/utils/edgedb"
 )
 
 // ChartReconciler reconciles a ClusterPolicy object
@@ -58,6 +59,10 @@ type Metadata struct {
 	Namespace string `yaml:"namespace"`
 }
 
+var (
+	PolicyKindCache = make(map[string][]edgedbutils.KyvernoClusterPolicy)
+)
+
 func (r *ChartReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
 	_ = log.FromContext(ctx)
 	_ = r.Log.WithValues("giantswarm chart", req.NamespacedName)
@@ -84,16 +89,32 @@ func (r *ChartReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl
 			log.Log.Error(err, "unable to fetch helm manifest")
 			return ctrl.Result{}, err
 		} else {
-			fmt.Println("Manifests for release: ", chart.Spec.Name)
 			for _, m := range manifest {
-				fmt.Println(m)
+				// Check if manifest Kind is part of the cache
+				if _, ok := PolicyKindCache[m.Kind]; !ok {
+					// Get the policies that affect this Kind
+					policies, err := edgedbutils.GetPoliciesToExempt(ctx, r.EdgeDBClient, m.Kind)
+					if err != nil {
+						log.Log.Error(err, "unable to fetch policies")
+						return ctrl.Result{}, err
+					}
+					PolicyKindCache[m.Kind] = policies
+				}
+				if len(PolicyKindCache[m.Kind]) == 0 {
+					// No policies for this Kind
+					continue
+				} else {
+					// Create exceptions for the policies
+				}
 			}
 		}
 	}
 
 	return utils.JitterRequeue(DefaultRequeueDuration, r.MaxJitterPercent, r.Log), nil
 }
 
+func cacheKind(kind string) {}
+
 func getReleaseTemplate(releaseName string, namespace string) ([]Manifest, error) {
 
 	args := []string{"get", "manifest", "-n", namespace, releaseName}

diff --git a/internal/utils/edgedb/queries.go b/internal/utils/edgedb/queries.go
@@ -0,0 +1,31 @@
+package edgedbutils
+
+import (
+	"context"
+	_ "embed"
+
+	"github.com/edgedb/edgedb-go"
+)
+
+type KyvernoClusterPolicy struct {
+	ID        edgedb.UUID `edgedb:"id"`
+	Name      string      `edgedb:"name"`
+	RuleNames []string    `edgedb:"ruleNames"`
+}
+
+//go:embed queries/selectPolicies.edgeql
+var selectKyvernoClusterPoliciesQuery string
+
+// GetPoliciesToExempt returns a list of policies that affect a certain resource Kind
+func GetPoliciesToExempt(ctx context.Context, client *edgedb.Client, kind string) ([]KyvernoClusterPolicy, error) {
+	var kyvernoClusterPolicies []KyvernoClusterPolicy
+
+	err := client.QuerySingle(
+		ctx,
+		selectKyvernoClusterPoliciesQuery,
+		&kyvernoClusterPolicies,
+		kind,
+	)
+
+	return kyvernoClusterPolicies, err
+}
diff --git a/internal/utils/edgedb/queries/selectPolicies.edgeql b/internal/utils/edgedb/queries/selectPolicies.edgeql
@@ -0,0 +1,8 @@
+WITH
+    workload_kind := <str>$0,
+SELECT KyvernoClusterPolicy {
+    id,
+    name,
+    ruleNames,
+}
+FILTER contains(.targetKinds, workload_kind) AND .gsExempt = true;