kyverno/pkg/webhooks/common.go

package webhooks

import (
	"fmt"
	"strings"

	"github.com/go-logr/logr"
	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
	"github.com/kyverno/kyverno/pkg/common"
	"github.com/kyverno/kyverno/pkg/engine/response"
	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
	yamlv2 "gopkg.in/yaml.v2"
	"k8s.io/api/admission/v1beta1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

// isResponseSuccessful return true if all responses are successful
func isResponseSuccessful(engineReponses []*response.EngineResponse) bool {
	for _, er := range engineReponses {
		if !er.IsSuccessful() {
			return false
		}
	}
	return true
}

// returns true -> if there is even one policy that blocks resource request
// returns false -> if all the policies are meant to report only, we dont block resource request
func toBlockResource(engineReponses []*response.EngineResponse, log logr.Logger) bool {
	for _, er := range engineReponses {
		if !er.IsSuccessful() && er.PolicyResponse.ValidationFailureAction == common.Enforce {
			log.Info("spec.ValidationFailureAction set to enforce blocking resource request", "policy", er.PolicyResponse.Policy)
			return true
		}
	}
	log.V(4).Info("spec.ValidationFailureAction set to audit for all applicable policies, won't block resource operation")
	return false
}

// getEnforceFailureErrorMsg gets the error messages for failed enforce policy
func getEnforceFailureErrorMsg(engineResponses []*response.EngineResponse) string {
	policyToRule := make(map[string]interface{})
	var resourceName string
	for _, er := range engineResponses {
		if !er.IsSuccessful() && er.PolicyResponse.ValidationFailureAction == common.Enforce {
			ruleToReason := make(map[string]string)
			for _, rule := range er.PolicyResponse.Rules {
				if !rule.Success {
					ruleToReason[rule.Name] = rule.Message
				}
			}
			resourceName = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)

			policyToRule[er.PolicyResponse.Policy] = ruleToReason
		}
	}

	result, _ := yamlv2.Marshal(policyToRule)
	return "\n\nresource " + resourceName + " was blocked due to the following policies\n\n" + string(result)
}

// getErrorMsg gets all failed engine response message
func getErrorMsg(engineReponses []*response.EngineResponse) string {
	var str []string
	var resourceInfo string

	for _, er := range engineReponses {
		if !er.IsSuccessful() {
			// resource in engineReponses is identical as this was called per admission request
			resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
			str = append(str, fmt.Sprintf("failed policy %s:", er.PolicyResponse.Policy))
			for _, rule := range er.PolicyResponse.Rules {
				if !rule.Success {
					str = append(str, rule.ToString())
				}
			}
		}
	}
	return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";"))
}

//ArrayFlags to store filterkinds
type ArrayFlags []string

func (i *ArrayFlags) String() string {
	var sb strings.Builder
	for _, str := range *i {
		sb.WriteString(str)
	}
	return sb.String()
}

//Set setter for array flags
func (i *ArrayFlags) Set(value string) error {
	*i = append(*i, value)
	return nil
}

func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {
	if patch == nil {
		return resource
	}

	resource, err := engineutils.ApplyPatchNew(resource, patch)
	if err != nil {
		log.Error(err, "failed to patch resource:", "patch", string(patch), "resource", string(resource))
		return nil
	}
	return resource
}

func containRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {
	for _, policySlice := range policies {
		for _, policy := range policySlice {
			for _, rule := range policy.Spec.Rules {
				if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 || len(rule.ExcludeResources.Roles) > 0 || len(rule.ExcludeResources.ClusterRoles) > 0 {
					return true
				}
			}
		}
	}
	return false
}

// extracts the new and old resource as unstructured
func extractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {
	var emptyResource unstructured.Unstructured

	// New Resource
	if newRaw == nil {
		newRaw = request.Object.Raw
	}
	if newRaw == nil {
		return emptyResource, emptyResource, fmt.Errorf("new resource is not defined")
	}

	new, err := convertResource(newRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
	if err != nil {
		return emptyResource, emptyResource, fmt.Errorf("failed to convert new raw to unstructured: %v", err)
	}

	// Old Resource - Optional
	oldRaw := request.OldObject.Raw
	if oldRaw == nil {
		return new, emptyResource, nil
	}

	old, err := convertResource(oldRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
	if err != nil {
		return emptyResource, emptyResource, fmt.Errorf("failed to convert old raw to unstructured: %v", err)
	}
	return new, old, err
}

// convertResource converts raw bytes to an unstructured object
func convertResource(raw []byte, group, version, kind, namespace string) (unstructured.Unstructured, error) {
	obj, err := engineutils.ConvertToUnstructured(raw)
	if err != nil {
		return unstructured.Unstructured{}, fmt.Errorf("failed to convert raw to unstructured: %v", err)
	}

	obj.SetGroupVersionKind(schema.GroupVersionKind{Group: group, Version: version, Kind: kind})
	obj.SetNamespace(namespace)
	return *obj, nil
}

func excludeKyvernoResources(kind string) bool {
	switch kind {
	case "ClusterPolicy":
		return true
	case "Policy":
		return true
	case "ClusterPolicyReport":
		return true
	case "PolicyReport":
		return true
	case "ReportChangeRequest":
		return true
	case "GenerateRequest":
		return true
	case "ClusterReportChangeRequest":
		return true
	default:
		return false
	}
}
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`package webhooks`

			`import (`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"fmt"`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`"strings"`
code review corrections 2019-06-19 14:05:23 -07:00
logs & access 2020-03-17 11:05:20 -07:00			`"github.com/go-logr/logr"`
update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00			`kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"`
			`"github.com/kyverno/kyverno/pkg/common"`
			`"github.com/kyverno/kyverno/pkg/engine/response"`
			`engineutils "github.com/kyverno/kyverno/pkg/engine/utils"`
744 fixing broken delete 2020-04-22 20:45:15 +05:30			`yamlv2 "gopkg.in/yaml.v2"`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`"k8s.io/api/admission/v1beta1"`
			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
			`"k8s.io/apimachinery/pkg/runtime/schema"`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`)`

fix typos and improve readability 2020-12-01 22:50:40 -08:00			`// isResponseSuccessful return true if all responses are successful`
update validation logic 2020-12-23 15:10:07 -08:00			`func isResponseSuccessful(engineReponses []*response.EngineResponse) bool {`
initial redesign 2019-08-23 18:34:23 -07:00			`for _, er := range engineReponses {`
update logging, naming, and event retry (#959) * update logging and naming * check per policy patch count 2020-06-30 11:53:27 -07:00			`if !er.IsSuccessful() {`
initial redesign 2019-08-23 18:34:23 -07:00			`return false`
			`}`
			`}`
			`return true`
			`}`

set default ValidationFailureAction to 'audit' 2019-09-06 10:18:45 -07:00			`// returns true -> if there is even one policy that blocks resource request`
initial redesign 2019-08-23 18:34:23 -07:00			`// returns false -> if all the policies are meant to report only, we dont block resource request`
update validation logic 2020-12-23 15:10:07 -08:00			`func toBlockResource(engineReponses []*response.EngineResponse, log logr.Logger) bool {`
initial redesign 2019-08-23 18:34:23 -07:00			`for _, er := range engineReponses {`
added auto-gen policy rule for cli 2020-07-10 18:12:19 +05:30			`if !er.IsSuccessful() && er.PolicyResponse.ValidationFailureAction == common.Enforce {`
Bug fix: perform OR across types in UserInfo (#992) * remove policy name cache entry on policy DELETE * buugfix: perform OR in userInfo match * add function description 2020-07-14 20:23:30 -07:00			`log.Info("spec.ValidationFailureAction set to enforce blocking resource request", "policy", er.PolicyResponse.Policy)`
initial redesign 2019-08-23 18:34:23 -07:00			`return true`
			`}`
			`}`
fix variable substitution 2020-11-25 00:21:51 -08:00			`log.V(4).Info("spec.ValidationFailureAction set to audit for all applicable policies, won't block resource operation")`
initial redesign 2019-08-23 18:34:23 -07:00			`return false`
			`}`

change to use validationFailureAction for the mutation failure action 2020-01-16 11:57:28 -08:00			`// getEnforceFailureErrorMsg gets the error messages for failed enforce policy`
update validation logic 2020-12-23 15:10:07 -08:00			`func getEnforceFailureErrorMsg(engineResponses []*response.EngineResponse) string {`
725 changed returned error 2020-03-06 17:11:33 +05:30			`policyToRule := make(map[string]interface{})`
			`var resourceName string`
725 error response now returns rule message if it exists 2020-03-16 14:08:13 +05:30			`for _, er := range engineResponses {`
added auto-gen policy rule for cli 2020-07-10 18:12:19 +05:30			`if !er.IsSuccessful() && er.PolicyResponse.ValidationFailureAction == common.Enforce {`
725 changed returned error 2020-03-06 17:11:33 +05:30			`ruleToReason := make(map[string]string)`
change to use validationFailureAction for the mutation failure action 2020-01-16 11:57:28 -08:00			`for _, rule := range er.PolicyResponse.Rules {`
			`if !rule.Success {`
725 changed returned error 2020-03-06 17:11:33 +05:30			`ruleToReason[rule.Name] = rule.Message`
change to use validationFailureAction for the mutation failure action 2020-01-16 11:57:28 -08:00			`}`
			`}`
725 changed returned error 2020-03-06 17:11:33 +05:30			`resourceName = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)`
725 validationfailureaction enforce now returns a more concise error 2020-03-06 03:47:49 +05:30
725 changed returned error 2020-03-06 17:11:33 +05:30			`policyToRule[er.PolicyResponse.Policy] = ruleToReason`
change to use validationFailureAction for the mutation failure action 2020-01-16 11:57:28 -08:00			`}`
			`}`
725 validationfailureaction enforce now returns a more concise error 2020-03-06 03:47:49 +05:30
725 changed returned error 2020-03-06 17:11:33 +05:30			`result, _ := yamlv2.Marshal(policyToRule)`
			`return "\n\nresource " + resourceName + " was blocked due to the following policies\n\n" + string(result)`
change to use validationFailureAction for the mutation failure action 2020-01-16 11:57:28 -08:00			`}`

			`// getErrorMsg gets all failed engine response message`
update validation logic 2020-12-23 15:10:07 -08:00			`func getErrorMsg(engineReponses []*response.EngineResponse) string {`
initial redesign 2019-08-23 18:34:23 -07:00			`var str []string`
- remove resource info per rule; - add resource info in each failed admission request 2019-11-06 17:14:32 -08:00			`var resourceInfo string`

initial redesign 2019-08-23 18:34:23 -07:00			`for _, er := range engineReponses {`
update logging, naming, and event retry (#959) * update logging and naming * check per policy patch count 2020-06-30 11:53:27 -07:00			`if !er.IsSuccessful() {`
- remove resource info per rule; - add resource info in each failed admission request 2019-11-06 17:14:32 -08:00			`// resource in engineReponses is identical as this was called per admission request`
			`resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)`
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`str = append(str, fmt.Sprintf("failed policy %s:", er.PolicyResponse.Policy))`
initial redesign 2019-08-23 18:34:23 -07:00			`for _, rule := range er.PolicyResponse.Rules {`
			`if !rule.Success {`
			`str = append(str, rule.ToString())`
			`}`
			`}`
			`}`
			`}`
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";"))`
initial redesign 2019-08-23 18:34:23 -07:00			`}`

comments 2019-07-23 00:55:45 -04:00			`//ArrayFlags to store filterkinds`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`type ArrayFlags []string`

			`func (i *ArrayFlags) String() string {`
			`var sb strings.Builder`
			`for _, str := range *i {`
			`sb.WriteString(str)`
			`}`
			`return sb.String()`
			`}`

comments 2019-07-23 00:55:45 -04:00			`//Set setter for array flags`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`func (i *ArrayFlags) Set(value string) error {`
			`i = append(i, value)`
			`return nil`
			`}`
code review corrections 2019-06-19 14:05:23 -07:00
logs & access 2020-03-17 11:05:20 -07:00			`func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {`
initial redesign 2019-08-23 18:34:23 -07:00			`if patch == nil {`
pass in original resource to validation if patches from mutation is nil 2020-01-13 10:15:52 -08:00			`return resource`
initial redesign 2019-08-23 18:34:23 -07:00			`}`
fix 365 annotation_bug 2019-10-07 18:31:14 -07:00
move mutation to subpackage pkg/engine/mutate 2020-01-07 17:06:17 -08:00			`resource, err := engineutils.ApplyPatchNew(resource, patch)`
initial redesign 2019-08-23 18:34:23 -07:00			`if err != nil {`
Remove unnecessary JSON patches; fixes strategicMergePatch for tolerations (#1478) * ignore certain paths when generates JSON patches Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove extra comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix https://github.com/kyverno/kyverno/issues/1339 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * resolve PR comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> 2021-01-19 11:08:06 -08:00			`log.Error(err, "failed to patch resource:", "patch", string(patch), "resource", string(resource))`
initial redesign 2019-08-23 18:34:23 -07:00			`return nil`
			`}`
			`return resource`
			`}`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00
fix typos and improve readability 2020-12-01 22:50:40 -08:00			`func containRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {`
Add policy cache based on policyType (#960) * add policy cache based on policyType * fetch policy from cache in webhook * add unit test for policy cache * update log for exclude resources filter * skip webhook mutation on DELETE operation * remove duplicate k8s version check * add description 2020-07-02 12:49:10 -07:00			`for _, policySlice := range policies {`
			`for _, policy := range policySlice {`
			`for _, rule := range policy.Spec.Rules {`
			`if len(rule.MatchResources.Roles) > 0 \|\| len(rule.MatchResources.ClusterRoles) > 0 \|\| len(rule.ExcludeResources.Roles) > 0 \|\| len(rule.ExcludeResources.ClusterRoles) > 0 {`
			`return true`
			`}`
make getRoleRef a separate package 2019-11-11 14:52:09 -08:00			`}`
			`}`
			`}`
			`return false`
			`}`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00
			`// extracts the new and old resource as unstructured`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00			`func extractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) {`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`var emptyResource unstructured.Unstructured`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`// New Resource`
resolving merge conflicts 2020-01-11 18:33:11 +05:30			`if newRaw == nil {`
			`newRaw = request.Object.Raw`
			`}`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`if newRaw == nil {`
			`return emptyResource, emptyResource, fmt.Errorf("new resource is not defined")`
			`}`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00
			`new, err := convertResource(newRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`if err != nil {`
			`return emptyResource, emptyResource, fmt.Errorf("failed to convert new raw to unstructured: %v", err)`
			`}`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`// Old Resource - Optional`
			`oldRaw := request.OldObject.Raw`
			`if oldRaw == nil {`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00			`return new, emptyResource, nil`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`}`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00
			`old, err := convertResource(oldRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`if err != nil {`
			`return emptyResource, emptyResource, fmt.Errorf("failed to convert old raw to unstructured: %v", err)`
			`}`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00			`return new, old, err`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`}`

- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00			`// convertResource converts raw bytes to an unstructured object`
			`func convertResource(raw []byte, group, version, kind, namespace string) (unstructured.Unstructured, error) {`
move mutation to subpackage pkg/engine/mutate 2020-01-07 17:06:17 -08:00			`obj, err := engineutils.ConvertToUnstructured(raw)`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`if err != nil {`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00			`return unstructured.Unstructured{}, fmt.Errorf("failed to convert raw to unstructured: %v", err)`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`}`
- fix validation to process on patched resource; - format code 2020-01-07 11:32:52 -08:00
			`obj.SetGroupVersionKind(schema.GroupVersionKind{Group: group, Version: version, Kind: kind})`
			`obj.SetNamespace(namespace)`
			`return *obj, nil`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 13:13:07 -08:00			`}`
fix DENY pending for DELETE request 2020-05-18 20:01:20 -07:00
			`func excludeKyvernoResources(kind string) bool {`
			`switch kind {`
fix typos and improve readability 2020-12-01 22:50:40 -08:00			`case "ClusterPolicy":`
			`return true`
			`case "Policy":`
			`return true`
			`case "ClusterPolicyReport":`
			`return true`
			`case "PolicyReport":`
			`return true`
			`case "ReportChangeRequest":`
			`return true`
			`case "GenerateRequest":`
			`return true`
			`case "ClusterReportChangeRequest":`
fix DENY pending for DELETE request 2020-05-18 20:01:20 -07:00			`return true`
			`default:`
			`return false`
			`}`
			`}`