1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/pkg/webhooks/server.go

611 lines
21 KiB
Go
Raw Normal View History

2019-05-13 18:33:01 +00:00
package webhooks
import (
"context"
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"net/http"
"time"
2020-03-17 18:05:20 +00:00
"github.com/go-logr/logr"
2020-04-27 13:08:03 +00:00
"github.com/julienschmidt/httprouter"
2020-04-10 17:54:54 +00:00
v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
"github.com/nirmata/kyverno/pkg/checker"
2020-07-10 23:59:17 +00:00
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
2019-08-17 16:58:14 +00:00
kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
2019-11-13 21:41:08 +00:00
kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
"github.com/nirmata/kyverno/pkg/config"
client "github.com/nirmata/kyverno/pkg/dclient"
context2 "github.com/nirmata/kyverno/pkg/engine/context"
2020-07-10 22:25:05 +00:00
enginutils "github.com/nirmata/kyverno/pkg/engine/utils"
2019-06-27 01:04:50 +00:00
"github.com/nirmata/kyverno/pkg/event"
"github.com/nirmata/kyverno/pkg/openapi"
"github.com/nirmata/kyverno/pkg/policycache"
"github.com/nirmata/kyverno/pkg/policystatus"
2019-11-12 22:41:29 +00:00
"github.com/nirmata/kyverno/pkg/policyviolation"
tlsutils "github.com/nirmata/kyverno/pkg/tls"
2019-11-11 22:52:09 +00:00
userinfo "github.com/nirmata/kyverno/pkg/userinfo"
"github.com/nirmata/kyverno/pkg/utils"
"github.com/nirmata/kyverno/pkg/webhookconfig"
"github.com/nirmata/kyverno/pkg/webhooks/generate"
v1beta1 "k8s.io/api/admission/v1beta1"
2019-08-24 01:34:23 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
rbacinformer "k8s.io/client-go/informers/rbac/v1"
rbaclister "k8s.io/client-go/listers/rbac/v1"
2019-08-12 17:02:07 +00:00
"k8s.io/client-go/tools/cache"
"github.com/nirmata/kyverno/pkg/resourcecache"
)
// WebhookServer contains configured TLS server with MutationWebhook.
type WebhookServer struct {
2019-11-15 23:59:37 +00:00
server http.Server
client *client.Client
kyvernoClient *kyvernoclient.Clientset
2019-11-15 23:59:37 +00:00
// list/get cluster policy resource
pLister kyvernolister.ClusterPolicyLister
2019-11-15 23:59:37 +00:00
// returns true if the cluster policy store has synced atleast
pSynced cache.InformerSynced
2019-11-15 23:59:37 +00:00
// list/get role binding resource
rbLister rbaclister.RoleBindingLister
// list/get role binding resource
rLister rbaclister.RoleLister
// list/get role binding resource
crLister rbaclister.ClusterRoleLister
2019-11-15 23:59:37 +00:00
// return true if role bining store has synced atleast once
rbSynced cache.InformerSynced
2020-07-10 23:59:17 +00:00
// return true if role store has synced atleast once
rSynced cache.InformerSynced
2019-11-15 23:59:37 +00:00
// list/get cluster role binding resource
crbLister rbaclister.ClusterRoleBindingLister
2019-11-15 23:59:37 +00:00
// return true if cluster role binding store has synced atleast once
crbSynced cache.InformerSynced
2020-07-10 23:59:17 +00:00
// return true if cluster role store has synced atleast once
crSynced cache.InformerSynced
2019-11-15 23:59:37 +00:00
// generate events
eventGen event.Interface
// policy cache
pCache policycache.Interface
2019-11-15 23:59:37 +00:00
// webhook registration client
webhookRegistrationClient *webhookconfig.WebhookRegistrationClient
// API to send policy stats for aggregation
statusListener policystatus.Listener
2019-10-19 00:38:46 +00:00
// helpers to validate against current loaded configuration
configHandler config.Interface
2019-10-19 00:38:46 +00:00
// channel for cleanup notification
cleanUp chan<- struct{}
// last request time
lastReqTime *checker.LastReqTime
2019-11-12 22:41:29 +00:00
// policy violation generator
pvGenerator policyviolation.GeneratorInterface
// generate request generator
grGenerator *generate.Generator
resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister
auditHandler AuditHandler
log logr.Logger
openAPIController *openapi.Controller
2020-08-05 18:23:27 +00:00
supportMutateValidate bool
// resCache - controls creation and fetching of resource informer cache
resCache resourcecache.ResourceCacheIface
}
// NewWebhookServer creates new instance of WebhookServer accordingly to given configuration
// Policy Controller and Kubernetes Client should be initialized in configuration
func NewWebhookServer(
kyvernoClient *kyvernoclient.Clientset,
client *client.Client,
tlsPair *tlsutils.TlsPemPair,
pInformer kyvernoinformer.ClusterPolicyInformer,
rbInformer rbacinformer.RoleBindingInformer,
crbInformer rbacinformer.ClusterRoleBindingInformer,
rInformer rbacinformer.RoleInformer,
crInformer rbacinformer.ClusterRoleInformer,
eventGen event.Interface,
pCache policycache.Interface,
webhookRegistrationClient *webhookconfig.WebhookRegistrationClient,
statusSync policystatus.Listener,
configHandler config.Interface,
pvGenerator policyviolation.GeneratorInterface,
grGenerator *generate.Generator,
resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister,
auditHandler AuditHandler,
2020-08-05 18:23:27 +00:00
supportMutateValidate bool,
2020-03-17 18:05:20 +00:00
cleanUp chan<- struct{},
log logr.Logger,
2020-03-27 13:36:06 +00:00
openAPIController *openapi.Controller,
resCache resourcecache.ResourceCacheIface,
2020-03-17 18:05:20 +00:00
) (*WebhookServer, error) {
if tlsPair == nil {
return nil, errors.New("NewWebhookServer is not initialized properly")
}
var tlsConfig tls.Config
pair, err := tls.X509KeyPair(tlsPair.Certificate, tlsPair.PrivateKey)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{pair}
ws := &WebhookServer{
2020-07-10 23:59:17 +00:00
client: client,
kyvernoClient: kyvernoClient,
pLister: pInformer.Lister(),
pSynced: pInformer.Informer().HasSynced,
rbLister: rbInformer.Lister(),
rbSynced: rbInformer.Informer().HasSynced,
rLister: rInformer.Lister(),
rSynced: rInformer.Informer().HasSynced,
crbLister: crbInformer.Lister(),
crLister: crInformer.Lister(),
crbSynced: crbInformer.Informer().HasSynced,
2020-07-10 23:59:17 +00:00
crSynced: crInformer.Informer().HasSynced,
eventGen: eventGen,
pCache: pCache,
webhookRegistrationClient: webhookRegistrationClient,
statusListener: statusSync,
configHandler: configHandler,
cleanUp: cleanUp,
lastReqTime: resourceWebhookWatcher.LastReqTime,
pvGenerator: pvGenerator,
grGenerator: grGenerator,
resourceWebhookWatcher: resourceWebhookWatcher,
auditHandler: auditHandler,
2020-03-17 18:05:20 +00:00
log: log,
2020-03-27 13:36:06 +00:00
openAPIController: openAPIController,
2020-08-05 18:23:27 +00:00
supportMutateValidate: supportMutateValidate,
resCache: resCache,
}
2020-04-27 13:08:03 +00:00
mux := httprouter.New()
2020-08-05 18:23:27 +00:00
mux.HandlerFunc("POST", config.MutatingWebhookServicePath, ws.handlerFunc(ws.ResourceMutation, true))
mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, ws.handlerFunc(ws.resourceValidation, true))
mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.policyMutation, true))
mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.policyValidation, true))
mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.verifyHandler, false))
// Handle Liveness responds to a Kubernetes Liveness probe
// Fail this request if Kubernetes should restart this instance
mux.HandlerFunc("GET", config.LivenessServicePath, func(w http.ResponseWriter, r *http.Request) {
defer r.Body.Close()
w.WriteHeader(http.StatusOK)
})
// Handle Readiness responds to a Kubernetes Readiness probe
// Fail this request if this instance can't accept traffic, but Kubernetes shouldn't restart it
mux.HandlerFunc("GET", config.ReadinessServicePath, func(w http.ResponseWriter, r *http.Request) {
defer r.Body.Close()
w.WriteHeader(http.StatusOK)
})
ws.server = http.Server{
Addr: ":443", // Listen on port for HTTPS requests
TLSConfig: &tlsConfig,
Handler: mux,
ReadTimeout: 15 * time.Second,
WriteTimeout: 15 * time.Second,
}
return ws, nil
}
2020-03-29 02:06:18 +00:00
func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse, filter bool) http.HandlerFunc {
return func(rw http.ResponseWriter, r *http.Request) {
2020-03-29 02:06:18 +00:00
startTime := time.Now()
ws.lastReqTime.SetTime(startTime)
admissionReview := ws.bodyToAdmissionReview(r, rw)
2020-03-29 02:06:18 +00:00
if admissionReview == nil {
ws.log.Info("failed to parse admission review request", "request", r)
2020-03-29 02:06:18 +00:00
return
2020-03-25 05:23:03 +00:00
}
logger := ws.log.WithName("handlerFunc").WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace,
"name", admissionReview.Request.Name, "operation", admissionReview.Request.Operation, "uid", admissionReview.Request.UID)
2020-03-29 02:06:18 +00:00
admissionReview.Response = &v1beta1.AdmissionResponse{
Allowed: true,
UID: admissionReview.Request.UID,
2020-03-25 05:23:03 +00:00
}
2020-03-29 02:06:18 +00:00
// Do not process the admission requests for kinds that are in filterKinds for filtering
request := admissionReview.Request
if filter && ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
writeResponse(rw, admissionReview)
2020-03-29 02:06:18 +00:00
return
}
2020-04-22 14:45:16 +00:00
admissionReview.Response = handler(request)
writeResponse(rw, admissionReview)
logger.V(4).Info("request processed", "processingTime", time.Since(startTime).String())
2020-05-19 01:30:39 +00:00
return
}
}
func writeResponse(rw http.ResponseWriter, admissionReview *v1beta1.AdmissionReview) {
responseJSON, err := json.Marshal(admissionReview)
if err != nil {
http.Error(rw, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError)
return
}
rw.Header().Set("Content-Type", "application/json; charset=utf-8")
if _, err := rw.Write(responseJSON); err != nil {
http.Error(rw, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError)
}
}
2020-08-05 18:23:27 +00:00
func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
2020-08-05 18:23:27 +00:00
logger := ws.log.WithName("ResourceMutation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
2020-07-08 21:22:32 +00:00
2020-05-19 03:01:20 +00:00
if excludeKyvernoResources(request.Kind.Kind) {
return &v1beta1.AdmissionResponse{
Allowed: true,
Result: &metav1.Status{
Status: "Success",
},
}
}
logger.V(6).Info("received an admission request in mutating webhook")
mutatePolicies := ws.pCache.Get(policycache.Mutate, nil)
validatePolicies := ws.pCache.Get(policycache.ValidateEnforce, nil)
generatePolicies := ws.pCache.Get(policycache.Generate, nil)
// Get namespace policies from the cache for the requested resource namespace
nsMutatePolicies := ws.pCache.Get(policycache.Mutate, &request.Namespace)
mutatePolicies = append(mutatePolicies, nsMutatePolicies...)
2019-11-11 22:52:09 +00:00
// getRoleRef only if policy has roles/clusterroles defined
2020-04-10 17:54:54 +00:00
var roles, clusterRoles []string
var err error
if containRBACinfo(mutatePolicies, validatePolicies, generatePolicies) {
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
2019-11-11 22:52:09 +00:00
if err != nil {
// TODO(shuting): continue apply policy if error getting roleRef?
logger.Error(err, "failed to get RBAC information for request")
2019-11-11 22:52:09 +00:00
}
2019-11-09 02:56:24 +00:00
}
// convert RAW to unstructured
resource, err := utils.ConvertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
if err != nil {
2020-03-17 18:05:20 +00:00
logger.Error(err, "failed to convert RAW resource to unstructured format")
return &v1beta1.AdmissionResponse{
Allowed: false,
Result: &metav1.Status{
Status: "Failure",
Message: err.Error(),
},
}
}
2020-04-10 17:54:54 +00:00
userRequestInfo := v1.RequestInfo{
Roles: roles,
ClusterRoles: clusterRoles,
AdmissionUserInfo: *request.UserInfo.DeepCopy()}
2020-04-10 17:54:54 +00:00
// build context
ctx := context2.NewContext()
err = ctx.AddRequest(request)
if err != nil {
logger.Error(err, "failed to load incoming request in context")
}
2020-04-10 17:54:54 +00:00
err = ctx.AddUserInfo(userRequestInfo)
if err != nil {
logger.Error(err, "failed to load userInfo in context")
}
err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
if err != nil {
logger.Error(err, "failed to load service account in context")
}
var patches []byte
patchedResource := request.Object.Raw
2020-08-05 18:23:27 +00:00
if ws.supportMutateValidate {
// MUTATION
// mutation failure should not block the resource creation
// any mutation failure is reported as the violation
if resource.GetDeletionTimestamp() == nil {
patches = ws.HandleMutation(request, resource, mutatePolicies, ctx, userRequestInfo)
logger.V(6).Info("", "generated patches", string(patches))
// patch the resource with patches before handling validation rules
patchedResource = processResourceWithPatches(patches, request.Object.Raw, logger)
logger.V(6).Info("", "patchedResource", string(patchedResource))
}
if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" {
// push admission request to audit handler, this won't block the admission request
ws.auditHandler.Add(request.DeepCopy())
// VALIDATION
ok, msg := HandleValidation(request, validatePolicies, nil, ctx, userRequestInfo, ws.statusListener, ws.eventGen, ws.pvGenerator, ws.log, ws.configHandler, ws.resCache)
if !ok {
logger.Info("admission request denied")
return &v1beta1.AdmissionResponse{
Allowed: false,
Result: &metav1.Status{
Status: "Failure",
Message: msg,
},
}
2020-01-11 13:03:11 +00:00
}
2019-08-24 01:34:23 +00:00
}
2020-05-21 00:08:30 +00:00
} else {
2020-05-21 15:29:35 +00:00
logger.Info("mutate and validate rules are not supported prior to Kubernetes 1.14.0")
}
// GENERATE
// Only applied during resource creation and update
// Success -> Generate Request CR created successfully
// Failed -> Failed to create Generate Request CR
2020-07-08 21:22:32 +00:00
if request.Operation == v1beta1.Create || request.Operation == v1beta1.Update {
go ws.HandleGenerate(request.DeepCopy(), generatePolicies, ctx, userRequestInfo, ws.configHandler)
}
// Succesful processing of mutation & validation rules in policy
2019-08-24 01:34:23 +00:00
patchType := v1beta1.PatchTypeJSONPatch
return &v1beta1.AdmissionResponse{
Allowed: true,
Result: &metav1.Status{
Status: "Success",
},
Patch: patches,
PatchType: &patchType,
}
}
2020-04-10 17:54:54 +00:00
func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
2020-05-21 00:08:30 +00:00
logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
2020-07-10 23:59:17 +00:00
if request.Operation == v1beta1.Delete || request.Operation == v1beta1.Update {
if err := ws.excludeKyvernoResources(request); err != nil {
return &v1beta1.AdmissionResponse{
Allowed: false,
Result: &metav1.Status{
Status: "Failure",
Message: err.Error(),
},
2020-07-09 12:48:35 +00:00
}
}
2020-07-09 12:48:35 +00:00
}
2020-07-10 23:59:17 +00:00
2020-08-05 18:23:27 +00:00
if !ws.supportMutateValidate {
2020-05-21 15:29:35 +00:00
logger.Info("mutate and validate rules are not supported prior to Kubernetes 1.14.0")
2020-05-21 00:08:30 +00:00
return &v1beta1.AdmissionResponse{
Allowed: true,
Result: &metav1.Status{
Status: "Success",
},
}
}
2020-05-19 03:01:20 +00:00
if excludeKyvernoResources(request.Kind.Kind) {
return &v1beta1.AdmissionResponse{
Allowed: true,
Result: &metav1.Status{
Status: "Success",
},
}
}
logger.V(6).Info("received an admission request in validating webhook")
// push admission request to audit handler, this won't block the admission request
ws.auditHandler.Add(request.DeepCopy())
policies := ws.pCache.Get(policycache.ValidateEnforce, nil)
// Get namespace policies from the cache for the requested resource namespace
nsPolicies := ws.pCache.Get(policycache.ValidateEnforce, &request.Namespace)
policies = append(policies, nsPolicies...)
if len(policies) == 0 {
logger.V(4).Info("No enforce Validation policy found, returning")
2020-01-11 13:03:11 +00:00
return &v1beta1.AdmissionResponse{Allowed: true}
}
var roles, clusterRoles []string
2020-07-10 23:59:17 +00:00
var err error
2020-01-11 13:03:11 +00:00
// getRoleRef only if policy has roles/clusterroles defined
if containRBACinfo(policies) {
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
2020-01-11 13:03:11 +00:00
if err != nil {
logger.Error(err, "failed to get RBAC information for request")
return &v1beta1.AdmissionResponse{
Allowed: false,
Result: &metav1.Status{
Status: "Failure",
Message: err.Error(),
},
}
2020-01-11 13:03:11 +00:00
}
logger = logger.WithValues("username", request.UserInfo.Username,
"groups", request.UserInfo.Groups, "roles", roles, "clusterRoles", clusterRoles)
2020-01-11 13:03:11 +00:00
}
2020-04-10 17:54:54 +00:00
userRequestInfo := v1.RequestInfo{
Roles: roles,
ClusterRoles: clusterRoles,
AdmissionUserInfo: request.UserInfo}
// build context
ctx := context2.NewContext()
err = ctx.AddRequest(request)
if err != nil {
logger.Error(err, "failed to load incoming request in context")
}
2020-04-10 17:54:54 +00:00
err = ctx.AddUserInfo(userRequestInfo)
if err != nil {
logger.Error(err, "failed to load userInfo in context")
}
err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
if err != nil {
logger.Error(err, "failed to load service account in context")
}
ok, msg := HandleValidation(request, policies, nil, ctx, userRequestInfo, ws.statusListener, ws.eventGen, ws.pvGenerator, ws.log, ws.configHandler, ws.resCache)
2020-05-21 00:08:30 +00:00
if !ok {
logger.Info("admission request denied")
return &v1beta1.AdmissionResponse{
Allowed: false,
Result: &metav1.Status{
Status: "Failure",
Message: msg,
},
2020-01-11 13:03:11 +00:00
}
}
return &v1beta1.AdmissionResponse{
Allowed: true,
Result: &metav1.Status{
Status: "Success",
},
}
}
// RunAsync TLS server in separate thread and returns control immediately
2019-10-25 21:55:48 +00:00
func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) {
2020-03-17 18:05:20 +00:00
logger := ws.log
2020-07-10 23:59:17 +00:00
if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced, ws.rSynced, ws.crSynced) {
2020-03-17 18:05:20 +00:00
logger.Info("failed to sync informer cache")
2019-11-15 23:59:37 +00:00
}
go func(ws *WebhookServer) {
2020-03-17 18:05:20 +00:00
logger.V(3).Info("started serving requests", "addr", ws.server.Addr)
2019-08-28 00:00:16 +00:00
if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
2020-03-17 18:05:20 +00:00
logger.Error(err, "failed to listen to requests")
}
}(ws)
2020-03-17 18:05:20 +00:00
logger.Info("starting")
// verifies if the admission control is enabled and active
// resync: 60 seconds
// deadline: 60 seconds (send request)
// max deadline: deadline*3 (set the deployment annotation as false)
go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh)
}
// Stop TLS server and returns control after the server is shut down
func (ws *WebhookServer) Stop(ctx context.Context) {
2020-03-17 18:05:20 +00:00
logger := ws.log
// cleanUp
// remove the static webhookconfigurations
go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp)
// shutdown http.Server with context timeout
err := ws.server.Shutdown(ctx)
if err != nil {
// Error from closing listeners, or context timeout:
2020-03-17 18:05:20 +00:00
logger.Error(err, "shutting down server")
ws.server.Close()
}
}
// bodyToAdmissionReview creates AdmissionReview object from request body
// Answers to the http.ResponseWriter if request is not valid
func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview {
2020-03-17 18:05:20 +00:00
logger := ws.log
if request.Body == nil {
logger.Info("empty body", "req", request.URL.String())
http.Error(writer, "empty body", http.StatusBadRequest)
return nil
}
defer request.Body.Close()
body, err := ioutil.ReadAll(request.Body)
if err != nil {
logger.Info("failed to read HTTP body", "req", request.URL.String())
http.Error(writer, "failed to read HTTP body", http.StatusBadRequest)
}
contentType := request.Header.Get("Content-Type")
if contentType != "application/json" {
2020-03-17 18:05:20 +00:00
logger.Info("invalid Content-Type", "contextType", contentType)
http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType)
return nil
}
admissionReview := &v1beta1.AdmissionReview{}
if err := json.Unmarshal(body, &admissionReview); err != nil {
2020-03-17 18:05:20 +00:00
logger.Error(err, "failed to decode request body to type 'AdmissionReview")
http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed)
return nil
}
2019-06-06 00:43:59 +00:00
return admissionReview
}
2020-07-10 23:59:17 +00:00
// excludeKyvernoResources will check resource can have acces or not
func (ws *WebhookServer) excludeKyvernoResources(request *v1beta1.AdmissionRequest) error {
logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
var resource *unstructured.Unstructured
var err error
var isManagedResourceCheck bool
if request.Operation == v1beta1.Delete {
resource, err = enginutils.ConvertToUnstructured(request.OldObject.Raw)
isManagedResourceCheck = true
} else if request.Operation == v1beta1.Update {
resource, err = enginutils.ConvertToUnstructured(request.Object.Raw)
isManagedResourceCheck = true
}
2020-07-10 23:59:17 +00:00
if err != nil {
logger.Error(err, "failed to convert object resource to unstructured format")
return err
2020-07-10 23:59:17 +00:00
}
if isManagedResourceCheck {
2020-07-11 00:01:48 +00:00
labels := resource.GetLabels()
2020-07-10 23:59:17 +00:00
if labels != nil {
2020-07-16 00:19:20 +00:00
if labels["app.kubernetes.io/managed-by"] == "kyverno" && labels["policy.kyverno.io/synchronize"] == "enable" {
isAuthorized, err := userinfo.IsRoleAuthorize(ws.rbLister, ws.crbLister, ws.rLister, ws.crLister, request, ws.configHandler)
if err != nil {
return fmt.Errorf("failed to get RBAC infromation for request %v", err)
}
if !isAuthorized {
// convert RAW to unstructured
return fmt.Errorf("resource is managed by a Kyverno policy and cannot be update manually. You can edit the policy %s to update this resource.", labels["policy.kyverno.io/policy-name"])
}
2020-07-10 23:59:17 +00:00
}
}
}
2020-07-10 23:59:17 +00:00
return nil
}