hub / github.com/open-policy-agent/gatekeeper / Handle

Method Handle

pkg/webhook/policy.go:139–235  ·  view source on GitHub ↗

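Handle processes the validation admission request. (The `nolint: gocritic` directive is present because the method must accept admission.Request as a struct to satisfy the Handler interface.) In the listing below, requests from the Gatekeeper service account and requests in namespaces excluded by the Gatekeeper config are allowed before reviewRequest is called.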

(ctx context.Context, req admission.Request)

Source from the content-addressed store, hash-verified

137// Handle the validation request
138// nolint: gocritic // Must accept admission.Request as a struct to satisfy Handler interface.
139func (h *validationHandler) Handle(ctx context.Context, req admission.Request) admission.Response {
140 timeStart := time.Now()
141
142 if isGkServiceAccount(req.UserInfo) {
143 return admission.Allowed("Gatekeeper does not self-manage")
144 }
145
146 if userErr, err := h.validateGatekeeperResources(ctx, &req); err != nil {
147 var code int32
148 if userErr {
149 code = http.StatusUnprocessableEntity
150 } else {
151 code = http.StatusInternalServerError
152 }
153 return admission.Errored(code, err)
154 }
155
156 requestResponse := unknownResponse
157 defer func() {
158 if h.reporter != nil {
159 isDryRun := "false"
160 if req.DryRun != nil && *req.DryRun {
161 isDryRun = "true"
162 }
163 if err := h.reporter.ReportValidationRequest(ctx, requestResponse, isDryRun, time.Since(timeStart)); err != nil {
164 h.log.Error(err, "failed to report request")
165 }
166 }
167 }()
168
169 // namespace is excluded from webhook using config
170 isExcludedNamespace, err := h.skipExcludedNamespace(&req.AdmissionRequest, process.Webhook)
171 if err != nil {
172 h.log.Error(err, "error while excluding namespace")
173 }
174
175 if isExcludedNamespace {
176 requestResponse = allowResponse
177 return admission.Allowed("Namespace is set to be ignored by Gatekeeper config")
178 }
179
180 resp, err := h.reviewRequest(ctx, &req)
181 if err != nil {
182 h.log.Error(err, "error executing query")
183 requestResponse = errorResponse
184 return admission.Errored(http.StatusInternalServerError, err)
185 }
186
187 if *logStatsAdmission {
188 logging.LogStatsEntries(
189 h.opa,
190 h.log.WithValues(
191 logging.Process, "admission",
192 logging.EventType, "review_response_stats",
193 logging.ResourceGroup, req.Kind.Group,
194 logging.ResourceAPIVersion, req.Kind.Version,
195 logging.ResourceKind, req.Kind.Kind,
196 logging.ResourceNamespace, req.Namespace,

Callers 4

TestReviewDefaultNSFunction · 0.95
TestExcludedNamespacesFunction · 0.95
newPromSrvFunction · 0.45

Calls 9

reviewRequestMethod · 0.95
getValidationMessagesMethod · 0.95
LogStatsEntriesFunction · 0.92
isGkServiceAccountFunction · 0.85
ResultsMethod · 0.80
ErrorMethod · 0.45
skipExcludedNamespaceMethod · 0.45

Tested by 3

TestReviewDefaultNSFunction · 0.76
TestExcludedNamespacesFunction · 0.76