kyverno/pkg/policymutation/cronjob.go

package policymutation

import (
	"fmt"
	"reflect"
	"strings"

	"github.com/go-logr/logr"
	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
	"github.com/kyverno/kyverno/pkg/engine"
	"github.com/kyverno/kyverno/pkg/engine/variables"
	"github.com/kyverno/kyverno/pkg/utils"
)

func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger) kyvernoRule {
	logger := log.WithName("handleCronJob")

	hasCronJob := strings.Contains(controllers, engine.PodControllerCronJob) || strings.Contains(controllers, "all")
	if !hasCronJob {
		return kyvernoRule{}
	}

	logger.V(3).Info("generating rule for cronJob")
	jobRule := generateRuleForControllers(rule, "Job", logger)

	if reflect.DeepEqual(jobRule, kyvernoRule{}) {
		return kyvernoRule{}
	}

	cronJobRule := &jobRule

	name := fmt.Sprintf("autogen-cronjob-%s", rule.Name)
	if len(name) > 63 {
		name = name[:63]
	}
	cronJobRule.Name = name

	if len(jobRule.MatchResources.Any) > 0 {
		rule := cronJobAnyAllAutogenRule(cronJobRule.MatchResources.Any)
		cronJobRule.MatchResources.Any = rule
	} else if len(jobRule.MatchResources.All) > 0 {
		rule := cronJobAnyAllAutogenRule(cronJobRule.MatchResources.All)
		cronJobRule.MatchResources.All = rule
	} else {
		cronJobRule.MatchResources.Kinds = []string{engine.PodControllerCronJob}
	}

	if (jobRule.ExcludeResources) != nil && len(jobRule.ExcludeResources.Any) > 0 {
		rule := cronJobAnyAllAutogenRule(cronJobRule.ExcludeResources.Any)
		cronJobRule.ExcludeResources.Any = rule
	} else if (jobRule.ExcludeResources) != nil && len(jobRule.ExcludeResources.All) > 0 {
		rule := cronJobAnyAllAutogenRule(cronJobRule.ExcludeResources.All)
		cronJobRule.ExcludeResources.All = rule
	} else {
		if (jobRule.ExcludeResources) != nil && (len(jobRule.ExcludeResources.Kinds) > 0) {
			cronJobRule.ExcludeResources.Kinds = []string{engine.PodControllerCronJob}
		}
	}

	if (jobRule.Mutation != nil) && (jobRule.Mutation.Overlay != nil) {
		newMutation := &kyverno.Mutation{
			Overlay: map[string]interface{}{
				"spec": map[string]interface{}{
					"jobTemplate": jobRule.Mutation.Overlay,
				},
			},
		}

		cronJobRule.Mutation = newMutation.DeepCopy()
		return *cronJobRule
	}

	if (jobRule.Mutation != nil) && (jobRule.Mutation.PatchStrategicMerge != nil) {
		newMutation := &kyverno.Mutation{
			PatchStrategicMerge: map[string]interface{}{
				"spec": map[string]interface{}{
					"jobTemplate": jobRule.Mutation.PatchStrategicMerge,
				},
			},
		}
		cronJobRule.Mutation = newMutation.DeepCopy()
		return *cronJobRule
	}

	if (jobRule.Validation != nil) && (jobRule.Validation.Pattern != nil) {
		newValidate := &kyverno.Validation{
			Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "pattern"),
			Pattern: map[string]interface{}{
				"spec": map[string]interface{}{
					"jobTemplate": jobRule.Validation.Pattern,
				},
			},
		}
		cronJobRule.Validation = newValidate.DeepCopy()
		return *cronJobRule
	}

	if (jobRule.Validation != nil) && (jobRule.Validation.ForEachValidation != nil) && (jobRule.Validation.ForEachValidation.Pattern != nil) {
		newValidate := &kyverno.Validation{
			Message:           variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "pattern"),
			ForEachValidation: jobRule.Validation.ForEachValidation,
		}
		cronJobRule.Validation = newValidate.DeepCopy()
		return *cronJobRule
	}

	if (jobRule.Validation != nil) && (jobRule.Validation.AnyPattern != nil) {
		var patterns []interface{}
		anyPatterns, err := jobRule.Validation.DeserializeAnyPattern()
		if err != nil {
			logger.Error(err, "failed to deserialize anyPattern, expect type array")
		}

		for _, pattern := range anyPatterns {
			newPattern := map[string]interface{}{
				"spec": map[string]interface{}{
					"jobTemplate": pattern,
				},
			}

			patterns = append(patterns, newPattern)
		}

		cronJobRule.Validation = &kyverno.Validation{
			Message:    variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "anyPattern"),
			AnyPattern: patterns,
		}
		return *cronJobRule
	}

	if (jobRule.Validation != nil) && (jobRule.Validation.ForEachValidation != nil) && (jobRule.Validation.ForEachValidation.AnyPattern != nil) {
		cronJobRule.Validation = &kyverno.Validation{
			Message:           variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "anyPattern"),
			ForEachValidation: jobRule.Validation.ForEachValidation,
		}
		return *cronJobRule
	}

	if (jobRule.Validation != nil) && (jobRule.Validation.ForEachValidation != nil) && (jobRule.Validation.ForEachValidation.Deny != nil) {
		cronJobRule.Validation = &kyverno.Validation{
			Message:           variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "anyPattern"),
			ForEachValidation: jobRule.Validation.ForEachValidation,
		}
		return *cronJobRule
	}

	return kyvernoRule{}
}

// stripCronJob removes CronJob from controllers
func stripCronJob(controllers string) string {
	var newControllers []string

	controllerArr := strings.Split(controllers, ",")
	for _, c := range controllerArr {
		if c == engine.PodControllerCronJob {
			continue
		}

		newControllers = append(newControllers, c)
	}

	if len(newControllers) == 0 {
		return ""
	}

	return strings.Join(newControllers, ",")
}

func cronJobAnyAllAutogenRule(v kyverno.ResourceFilters) kyverno.ResourceFilters {
	anyKind := v.DeepCopy()
	for i, value := range v {
		if utils.ContainsPod(value.Kinds, "Job") {
			anyKind[i].Kinds = []string{engine.PodControllerCronJob}
		}
	}
	return anyKind
}
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`package policymutation`

			`import (`
			`"fmt"`
bug fix - nil pointer (#1093) * add watch policy to clusterrole kyverno:customresources * fix build * fix nil pointer 2020-09-01 17:23:54 -07:00			`"reflect"`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`"strings"`

			`"github.com/go-logr/logr"`
update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00			`kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"`
			`"github.com/kyverno/kyverno/pkg/engine"`
Fix #1506; Resolve path reference in entire rule instead of just pattern/overlay Signed-off-by: Max Goncharenko <kacejot@fex.net> 2021-03-11 22:06:04 +02:00			`"github.com/kyverno/kyverno/pkg/engine/variables"`
Fix Autogen issue for any/all block and new rule foreach (#2471) * Fix Autogen issue for any/all block and Support gvk in match kind block * remove log and fix test * Fix issues * Fix cronjob issue * Fix autogen for Foreach * Fix autogen for For each * Fix for each issue * adding missing assignements * Update autogen for foreach rule 2021-10-07 04:49:55 +05:30			`"github.com/kyverno/kyverno/pkg/utils"`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`)`

			`func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger) kyvernoRule {`
			`logger := log.WithName("handleCronJob")`

			`hasCronJob := strings.Contains(controllers, engine.PodControllerCronJob) \|\| strings.Contains(controllers, "all")`
			`if !hasCronJob {`
			`return kyvernoRule{}`
			`}`

properly deserialize anyPattern 2020-11-13 16:25:51 -08:00			`logger.V(3).Info("generating rule for cronJob")`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`jobRule := generateRuleForControllers(rule, "Job", logger)`

bug fix - nil pointer (#1093) * add watch policy to clusterrole kyverno:customresources * fix build * fix nil pointer 2020-09-01 17:23:54 -07:00			`if reflect.DeepEqual(jobRule, kyvernoRule{}) {`
			`return kyvernoRule{}`
			`}`

810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`cronJobRule := &jobRule`
Switch to use annotations to store resource info in cluster/reportChangeRequest (#1625) * skip sending API request for filtered resource * fix PR comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes https://github.com/kyverno/kyverno/issues/1490 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix bug - namespace is not returned properly Signed-off-by: Shuting Zhao <shutting06@gmail.com> * reduce throttling - list resource using lister * refactor resource cache * fix test Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix label selector Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix build failure Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes #1480 * store resource name and kind in (c)rcr's annotation 2021-02-19 09:09:41 -08:00
			`name := fmt.Sprintf("autogen-cronjob-%s", rule.Name)`
			`if len(name) > 63 {`
			`name = name[:63]`
			`}`
			`cronJobRule.Name = name`

Fix Autogen issue for any/all block and new rule foreach (#2471) * Fix Autogen issue for any/all block and Support gvk in match kind block * remove log and fix test * Fix issues * Fix cronjob issue * Fix autogen for Foreach * Fix autogen for For each * Fix for each issue * adding missing assignements * Update autogen for foreach rule 2021-10-07 04:49:55 +05:30			`if len(jobRule.MatchResources.Any) > 0 {`
			`rule := cronJobAnyAllAutogenRule(cronJobRule.MatchResources.Any)`
			`cronJobRule.MatchResources.Any = rule`
			`} else if len(jobRule.MatchResources.All) > 0 {`
			`rule := cronJobAnyAllAutogenRule(cronJobRule.MatchResources.All)`
			`cronJobRule.MatchResources.All = rule`
			`} else {`
			`cronJobRule.MatchResources.Kinds = []string{engine.PodControllerCronJob}`
			`}`

			`if (jobRule.ExcludeResources) != nil && len(jobRule.ExcludeResources.Any) > 0 {`
			`rule := cronJobAnyAllAutogenRule(cronJobRule.ExcludeResources.Any)`
			`cronJobRule.ExcludeResources.Any = rule`
			`} else if (jobRule.ExcludeResources) != nil && len(jobRule.ExcludeResources.All) > 0 {`
			`rule := cronJobAnyAllAutogenRule(cronJobRule.ExcludeResources.All)`
			`cronJobRule.ExcludeResources.All = rule`
			`} else {`
			`if (jobRule.ExcludeResources) != nil && (len(jobRule.ExcludeResources.Kinds) > 0) {`
			`cronJobRule.ExcludeResources.Kinds = []string{engine.PodControllerCronJob}`
			`}`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`}`

			`if (jobRule.Mutation != nil) && (jobRule.Mutation.Overlay != nil) {`
			`newMutation := &kyverno.Mutation{`
			`Overlay: map[string]interface{}{`
			`"spec": map[string]interface{}{`
			`"jobTemplate": jobRule.Mutation.Overlay,`
			`},`
			`},`
			`}`

			`cronJobRule.Mutation = newMutation.DeepCopy()`
			`return *cronJobRule`
			`}`

added autogen for patch strategic merge (#1104) 2020-09-05 04:50:20 +05:30			`if (jobRule.Mutation != nil) && (jobRule.Mutation.PatchStrategicMerge != nil) {`
			`newMutation := &kyverno.Mutation{`
			`PatchStrategicMerge: map[string]interface{}{`
			`"spec": map[string]interface{}{`
			`"jobTemplate": jobRule.Mutation.PatchStrategicMerge,`
			`},`
			`},`
			`}`
			`cronJobRule.Mutation = newMutation.DeepCopy()`
			`return *cronJobRule`
			`}`

810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`if (jobRule.Validation != nil) && (jobRule.Validation.Pattern != nil) {`
			`newValidate := &kyverno.Validation{`
Fix #1506; Resolve path reference in entire rule instead of just pattern/overlay Signed-off-by: Max Goncharenko <kacejot@fex.net> 2021-03-11 22:06:04 +02:00			`Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "pattern"),`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`Pattern: map[string]interface{}{`
			`"spec": map[string]interface{}{`
			`"jobTemplate": jobRule.Validation.Pattern,`
			`},`
			`},`
			`}`
			`cronJobRule.Validation = newValidate.DeepCopy()`
			`return *cronJobRule`
			`}`

Fix Autogen issue for any/all block and new rule foreach (#2471) * Fix Autogen issue for any/all block and Support gvk in match kind block * remove log and fix test * Fix issues * Fix cronjob issue * Fix autogen for Foreach * Fix autogen for For each * Fix for each issue * adding missing assignements * Update autogen for foreach rule 2021-10-07 04:49:55 +05:30			`if (jobRule.Validation != nil) && (jobRule.Validation.ForEachValidation != nil) && (jobRule.Validation.ForEachValidation.Pattern != nil) {`
			`newValidate := &kyverno.Validation{`
			`Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "pattern"),`
			`ForEachValidation: jobRule.Validation.ForEachValidation,`
			`}`
			`cronJobRule.Validation = newValidate.DeepCopy()`
			`return *cronJobRule`
			`}`

properly deserialize anyPattern 2020-11-13 16:25:51 -08:00			`if (jobRule.Validation != nil) && (jobRule.Validation.AnyPattern != nil) {`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`var patterns []interface{}`
Switch to use annotations to store resource info in cluster/reportChangeRequest (#1625) * skip sending API request for filtered resource * fix PR comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes https://github.com/kyverno/kyverno/issues/1490 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix bug - namespace is not returned properly Signed-off-by: Shuting Zhao <shutting06@gmail.com> * reduce throttling - list resource using lister * refactor resource cache * fix test Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix label selector Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix build failure Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes #1480 * store resource name and kind in (c)rcr's annotation 2021-02-19 09:09:41 -08:00			`anyPatterns, err := jobRule.Validation.DeserializeAnyPattern()`
properly deserialize anyPattern 2020-11-13 16:25:51 -08:00			`if err != nil {`
Switch to use annotations to store resource info in cluster/reportChangeRequest (#1625) * skip sending API request for filtered resource * fix PR comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes https://github.com/kyverno/kyverno/issues/1490 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix bug - namespace is not returned properly Signed-off-by: Shuting Zhao <shutting06@gmail.com> * reduce throttling - list resource using lister * refactor resource cache * fix test Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix label selector Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix build failure Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes #1480 * store resource name and kind in (c)rcr's annotation 2021-02-19 09:09:41 -08:00			`logger.Error(err, "failed to deserialize anyPattern, expect type array")`
properly deserialize anyPattern 2020-11-13 16:25:51 -08:00			`}`

			`for _, pattern := range anyPatterns {`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`newPattern := map[string]interface{}{`
			`"spec": map[string]interface{}{`
			`"jobTemplate": pattern,`
			`},`
			`}`

			`patterns = append(patterns, newPattern)`
			`}`

			`cronJobRule.Validation = &kyverno.Validation{`
Fix #1506; Resolve path reference in entire rule instead of just pattern/overlay Signed-off-by: Max Goncharenko <kacejot@fex.net> 2021-03-11 22:06:04 +02:00			`Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "anyPattern"),`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`AnyPattern: patterns,`
			`}`
			`return *cronJobRule`
			`}`

Fix Autogen issue for any/all block and new rule foreach (#2471) * Fix Autogen issue for any/all block and Support gvk in match kind block * remove log and fix test * Fix issues * Fix cronjob issue * Fix autogen for Foreach * Fix autogen for For each * Fix for each issue * adding missing assignements * Update autogen for foreach rule 2021-10-07 04:49:55 +05:30			`if (jobRule.Validation != nil) && (jobRule.Validation.ForEachValidation != nil) && (jobRule.Validation.ForEachValidation.AnyPattern != nil) {`
			`cronJobRule.Validation = &kyverno.Validation{`
			`Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "anyPattern"),`
			`ForEachValidation: jobRule.Validation.ForEachValidation,`
			`}`
			`return *cronJobRule`
			`}`

			`if (jobRule.Validation != nil) && (jobRule.Validation.ForEachValidation != nil) && (jobRule.Validation.ForEachValidation.Deny != nil) {`
			`cronJobRule.Validation = &kyverno.Validation{`
			`Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "anyPattern"),`
			`ForEachValidation: jobRule.Validation.ForEachValidation,`
			`}`
			`return *cronJobRule`
			`}`

810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`return kyvernoRule{}`
			`}`

			`// stripCronJob removes CronJob from controllers`
			`func stripCronJob(controllers string) string {`
			`var newControllers []string`

			`controllerArr := strings.Split(controllers, ",")`
			`for _, c := range controllerArr {`
			`if c == engine.PodControllerCronJob {`
			`continue`
			`}`

			`newControllers = append(newControllers, c)`
			`}`

			`if len(newControllers) == 0 {`
			`return ""`
			`}`

			`return strings.Join(newControllers, ",")`
			`}`
Fix Autogen issue for any/all block and new rule foreach (#2471) * Fix Autogen issue for any/all block and Support gvk in match kind block * remove log and fix test * Fix issues * Fix cronjob issue * Fix autogen for Foreach * Fix autogen for For each * Fix for each issue * adding missing assignements * Update autogen for foreach rule 2021-10-07 04:49:55 +05:30
			`func cronJobAnyAllAutogenRule(v kyverno.ResourceFilters) kyverno.ResourceFilters {`
			`anyKind := v.DeepCopy()`
			`for i, value := range v {`
			`if utils.ContainsPod(value.Kinds, "Job") {`
			`anyKind[i].Kinds = []string{engine.PodControllerCronJob}`
			`}`
			`}`
			`return anyKind`
			`}`