package policy
import (
	"bufio"
	"context"
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"strings"

	"github.com/go-git/go-billy/v5"
	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/data"
	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/experimental"
	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/source"
	"github.com/kyverno/kyverno/ext/resource/convert"
	resourceloader "github.com/kyverno/kyverno/ext/resource/loader"
	extyaml "github.com/kyverno/kyverno/ext/yaml"
	"github.com/kyverno/kyverno/pkg/utils/git"
	yamlutils "github.com/kyverno/kyverno/pkg/utils/yaml"
	"k8s.io/api/admissionregistration/v1alpha1"
	"k8s.io/api/admissionregistration/v1beta1"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"sigs.k8s.io/kubectl-validate/pkg/openapiclient"
)
var (
	// factory is the document loader used by kubectlValidateLoader. It is
	// built from the hardcoded Kubernetes 1.28 built-in schemas plus the
	// CRD files shipped with the CLI (data.Crds / data.CrdsFolder).
	// NOTE(review): the error from resourceloader.New is discarded here; if
	// construction ever fails, factory keeps its zero value and the failure
	// surfaces only at the first factory.Load call — confirm this is intended.
	factory, _ = resourceloader.New(openapiclient.NewComposite(
		openapiclient.NewHardcodedBuiltins("1.28"),
		openapiclient.NewLocalCRDFiles(data.Crds(), data.CrdsFolder),
	))

	// GroupVersionKinds accepted by kubectlValidateLoader; every other kind
	// is rejected with a "policy type not supported" error.
	policyV1        = schema.GroupVersion(kyvernov1.GroupVersion).WithKind("Policy")
	policyV2        = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("Policy")
	clusterPolicyV1 = schema.GroupVersion(kyvernov1.GroupVersion).WithKind("ClusterPolicy")
	clusterPolicyV2 = schema.GroupVersion(kyvernov2beta1.GroupVersion).WithKind("ClusterPolicy")
	vapV1Alpha1     = v1alpha1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")
	vapV1Beta1      = v1beta1.SchemeGroupVersion.WithKind("ValidatingAdmissionPolicy")

	// LegacyLoader is the pre-existing YAML policy parser.
	LegacyLoader = yamlutils.GetPolicy

	// KubectlValidateLoader decodes documents through the schema-backed factory.
	KubectlValidateLoader = kubectlValidateLoader

	// defaultLoader is used when a caller passes a nil loader. The experimental
	// flag is consulted on every call rather than once at init, so toggling it
	// at runtime takes effect immediately.
	defaultLoader = func(content []byte) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
		if experimental.UseKubectlValidate() {
			return KubectlValidateLoader(content)
		}
		return LegacyLoader(content)
	}
)
// loader turns raw policy bytes into Kyverno policies and
// ValidatingAdmissionPolicies. Both LegacyLoader and KubectlValidateLoader
// are used through this signature (see defaultLoader).
type loader = func([]byte) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error)
// Load reads policies from every entry of paths using the package default
// loader (see defaultLoader). It is shorthand for LoadWithLoader with a nil
// loader; see LoadWithLoader for how fs, resourcePath and paths interact.
func Load(fs billy.Filesystem, resourcePath string, paths ...string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	// A nil loader makes LoadWithLoader fall back to defaultLoader.
	var l loader
	return LoadWithLoader(l, fs, resourcePath, paths...)
}
// LoadWithLoader reads policies from every entry of paths and concatenates the
// results in path order. A nil loader selects defaultLoader.
//
// Each path is resolved by the first matching rule, in this order:
//  1. a path recognised by source.IsStdin is read from standard input;
//  2. if fs is non-nil, the path is read from fs at filepath.Join(resourcePath, path)
//     (this takes precedence over the HTTP rule, so URLs are not fetched when
//     a filesystem is supplied);
//  3. a path recognised by source.IsHttp is fetched over HTTP;
//  4. anything else is read from the local filesystem (files or directories).
//
// The first error aborts the whole load and nothing partial is returned.
// NOTE(review): several stdin entries each drain os.Stdin, so only the first
// one can yield content — verify callers never pass it twice.
func LoadWithLoader(loader loader, fs billy.Filesystem, resourcePath string, paths ...string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	if loader == nil {
		loader = defaultLoader
	}
	var (
		pols []kyvernov1.PolicyInterface
		vaps []v1alpha1.ValidatingAdmissionPolicy
	)
	for _, path := range paths {
		var (
			p   []kyvernov1.PolicyInterface
			v   []v1alpha1.ValidatingAdmissionPolicy
			err error
		)
		// Order matters: stdin first, then the supplied filesystem, then HTTP,
		// then the local disk as the catch-all.
		switch {
		case source.IsStdin(path):
			p, v, err = stdinLoad(loader)
		case fs != nil:
			p, v, err = gitLoad(loader, fs, filepath.Join(resourcePath, path))
		case source.IsHttp(path):
			p, v, err = httpLoad(loader, path)
		default:
			p, v, err = fsLoad(loader, path)
		}
		if err != nil {
			return nil, nil, err
		}
		pols = append(pols, p...)
		vaps = append(vaps, v...)
	}
	return pols, vaps, nil
}
// kubectlValidateLoader splits content into its YAML documents, decodes each
// one through the schema-backed factory and buckets the result by kind:
// Policy/ClusterPolicy (kyverno v1 and v2beta1) become PolicyInterface values,
// ValidatingAdmissionPolicy (v1alpha1 and v1beta1) is decoded into the
// v1alpha1 Go type. Any other kind aborts the whole load with an error, as
// does the first split, load or conversion failure.
func kubectlValidateLoader(content []byte) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	docs, err := extyaml.SplitDocuments(content)
	if err != nil {
		return nil, nil, err
	}
	var (
		pols []kyvernov1.PolicyInterface
		vaps []v1alpha1.ValidatingAdmissionPolicy
	)
	for _, doc := range docs {
		gvk, untyped, err := factory.Load(doc)
		if err != nil {
			return nil, nil, err
		}
		switch gvk {
		case policyV1, policyV2:
			pol, err := convert.To[kyvernov1.Policy](untyped)
			if err != nil {
				return nil, nil, err
			}
			pols = append(pols, pol)
		case clusterPolicyV1, clusterPolicyV2:
			cpol, err := convert.To[kyvernov1.ClusterPolicy](untyped)
			if err != nil {
				return nil, nil, err
			}
			pols = append(pols, cpol)
		case vapV1Alpha1, vapV1Beta1:
			vap, err := convert.To[v1alpha1.ValidatingAdmissionPolicy](untyped)
			if err != nil {
				return nil, nil, err
			}
			// vaps holds values, not pointers, so dereference the converted object.
			vaps = append(vaps, *vap)
		default:
			// Unknown kinds are an error rather than being skipped, so a typo in
			// a document is not silently ignored.
			return nil, nil, fmt.Errorf("policy type not supported %s", gvk)
		}
	}
	return pols, vaps, nil
}
// fsLoad reads policies from the local filesystem. A directory is walked
// recursively (entries in os.ReadDir order); a regular file is parsed with
// loader only when git.IsYaml accepts it (presumably an extension check), and
// every other file is skipped silently. The first error aborts the load.
//
// NOTE(review): os.Stat follows symlinks, so a symlinked directory is
// descended into and a link cycle would recurse without bound; if untrusted
// trees are ever passed here, consider os.Lstat or tracking visited paths.
func fsLoad(loader loader, path string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	var (
		pols []kyvernov1.PolicyInterface
		vaps []v1alpha1.ValidatingAdmissionPolicy
	)
	clean := filepath.Clean(path)
	info, err := os.Stat(clean)
	if err != nil {
		return nil, nil, err
	}
	switch {
	case info.IsDir():
		entries, err := os.ReadDir(path)
		if err != nil {
			return nil, nil, err
		}
		for _, entry := range entries {
			p, v, err := fsLoad(loader, filepath.Join(path, entry.Name()))
			if err != nil {
				return nil, nil, err
			}
			pols = append(pols, p...)
			vaps = append(vaps, v...)
		}
	case git.IsYaml(info):
		// Reading a user-supplied path is the purpose of this CLI.
		content, err := os.ReadFile(clean) // #nosec G304
		if err != nil {
			return nil, nil, err
		}
		p, v, err := loader(content)
		if err != nil {
			return nil, nil, err
		}
		pols = append(pols, p...)
		vaps = append(vaps, v...)
	}
	return pols, vaps, nil
}
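// httpLoad fetches a policy document from the URL in path with a GET request
// and parses the response body with loader. Any non-200 status is an error.
//
// The URL comes straight from user input and reaching an arbitrary host is
// accepted behaviour for this CLI. NOTE(review): http.DefaultClient carries no
// timeout, context.TODO() never cancels, and the body is read in full with
// io.ReadAll, so a slow or very large response can stall the command; a client
// timeout and an io.LimitReader would bound that if callers need it.
func httpLoad(loader loader, path string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	// We accept here that a random URL might be called based on user provided input.
	req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, path, nil)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to process %v: %w", path, err)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to process %v: %w", path, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		// err is nil on this branch; report the HTTP status rather than "<nil>".
		return nil, nil, fmt.Errorf("failed to process %v: unexpected status %s", path, resp.Status)
	}
	fileBytes, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, nil, fmt.Errorf("failed to process %v: %w", path, err)
	}
	return loader(fileBytes)
}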
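// gitLoad reads the file at path from fs (a billy filesystem, typically a
// cloned git repository) in full and parses it with loader. Errors from Open
// and ReadAll are returned unwrapped.
func gitLoad(loader loader, fs billy.Filesystem, path string) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	file, err := fs.Open(path)
	if err != nil {
		return nil, nil, err
	}
	// The handle was never closed before; it is read-only, so a Close error
	// carries nothing the caller could act on.
	defer file.Close()
	fileBytes, err := io.ReadAll(file)
	if err != nil {
		return nil, nil, err
	}
	return loader(fileBytes)
}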
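// stdinLoad reads standard input line by line until EOF, re-joins the lines
// with "\n" (a trailing "\r" and any missing final newline are normalised by
// bufio.Scanner), and parses the result with loader.
//
// A read failure is now reported instead of silently truncating the input;
// that includes bufio.ErrTooLong, which Scanner returns for a single line
// longer than its default 64 KiB token limit.
func stdinLoad(loader loader) ([]kyvernov1.PolicyInterface, []v1alpha1.ValidatingAdmissionPolicy, error) {
	var sb strings.Builder
	scanner := bufio.NewScanner(os.Stdin)
	for scanner.Scan() {
		sb.WriteString(scanner.Text())
		sb.WriteByte('\n')
	}
	// Scan returns false on both EOF and error; only Err tells them apart.
	if err := scanner.Err(); err != nil {
		return nil, nil, fmt.Errorf("failed to read policy from stdin: %w", err)
	}
	return loader([]byte(sb.String()))
}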