mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 07:57:07 +00:00
Code Activity
kyverno/pkg/policy/validate/validate.go

205 lines
4.4 KiB
Go
Raw Normal View History

refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
package validate
import (
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2023-03-22 21:14:57 +08:00
"context"
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
"fmt"
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
Replaces manually written logic with regex for matching anchor elements (#6133) * uses regular expressions Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * adds regex capture Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * creates anchor instance Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove IsAnchor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * added interface Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove static funcs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * adapt Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * value receiver Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * simplify Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * renames Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * ficx Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2023-01-30 17:47:19 +05:30
"github.com/kyverno/kyverno/pkg/engine/anchor"
update nirmata/kyverno to kyverno/kyverno
2020-10-07 11:12:31 -07:00
"github.com/kyverno/kyverno/pkg/policy/common"
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
)
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
// Validate validates a 'validate' rule
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
type Validate struct {
// rule to hold 'validate' rule specifications
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
rule *kyvernov1.Validation
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
}
chore: enable gofmt and gofumpt linters (#3931) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 08:19:03 +02:00
// NewValidateFactory returns a new instance of Mutate validation checker
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
func NewValidateFactory(rule *kyvernov1.Validation) *Validate {
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
m := Validate{
rule: rule,
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
return &m
}
chore: enable gofmt and gofumpt linters (#3931) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 08:19:03 +02:00
// Validate validates the 'validate' rule
fix: block generate policies when lack of permission to operate downstream resources (#6610) * debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * return on errors only Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * update clusterrolebinding Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove debug Signed-off-by: ShutingZhao <shuting@nirmata.com> * add kuttl tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix ns Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2023-03-22 21:14:57 +08:00
func (v *Validate) Validate(ctx context.Context) (string, error) {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
if err := v.validateElements(); err != nil {
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
return "", err
}
fix: CRD generation (#3334) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-06 20:07:51 +01:00
if target := v.rule.GetPattern(); target != nil {
Replaces manually written logic with regex for matching anchor elements (#6133) * uses regular expressions Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * adds regex capture Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * creates anchor instance Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove IsAnchor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * added interface Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove static funcs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * adapt Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * value receiver Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * simplify Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * renames Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * ficx Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2023-01-30 17:47:19 +05:30
if path, err := common.ValidatePattern(target, "/", func(a anchor.Anchor) bool {
return anchor.IsCondition(a) ||
anchor.IsExistence(a) ||
anchor.IsEquality(a) ||
anchor.IsNegation(a) ||
anchor.IsGlobal(a)
}); err != nil {
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
return fmt.Sprintf("pattern.%s", path), err
}
}
fix: CRD generation (#3334) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-06 20:07:51 +01:00
if target := v.rule.GetAnyPattern(); target != nil {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
anyPattern, err := v.rule.DeserializeAnyPattern()
properly deserialize anyPattern
2020-11-13 16:25:51 -08:00
if err != nil {
Switch to use annotations to store resource info in cluster/reportChangeRequest (#1625) * skip sending API request for filtered resource * fix PR comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes https://github.com/kyverno/kyverno/issues/1490 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix bug - namespace is not returned properly Signed-off-by: Shuting Zhao <shutting06@gmail.com> * reduce throttling - list resource using lister * refactor resource cache * fix test Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix label selector Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix build failure Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes #1480 * store resource name and kind in (c)rcr's annotation
2021-02-19 09:09:41 -08:00
return "anyPattern", fmt.Errorf("failed to deserialize anyPattern, expect array: %v", err)
properly deserialize anyPattern
2020-11-13 16:25:51 -08:00
}
for i, pattern := range anyPattern {
Replaces manually written logic with regex for matching anchor elements (#6133) * uses regular expressions Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * adds regex capture Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * creates anchor instance Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove IsAnchor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * added interface Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * remove static funcs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * adapt Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * value receiver Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * simplify Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * renames Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * private Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * ficx Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * error Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2023-01-30 17:47:19 +05:30
if path, err := common.ValidatePattern(pattern, "/", func(a anchor.Anchor) bool {
return anchor.IsCondition(a) ||
anchor.IsExistence(a) ||
anchor.IsEquality(a) ||
anchor.IsNegation(a) ||
anchor.IsGlobal(a)
}); err != nil {
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
return fmt.Sprintf("anyPattern[%d].%s", i, path), err
}
}
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
if v.rule.ForEachValidation != nil {
support list foreach (#2522) * support list foreach * fix testcase for each * fix mutate issue * Fix mutate patch issue * fix yaml * fix e2e test foreach validate list * code indentation * fix comments * delete unwanted files
2021-10-14 12:50:52 +05:30
for _, foreach := range v.rule.ForEachValidation {
if err := v.validateForEach(foreach); err != nil {
return "", err
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
}
}
feat: support cel expression in validate rules (#7070) * feat: support cel expression in validate rules Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support parameter resources in validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl tests for validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix disallow-host-path kuttl test Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl test for cel preconditions Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix kuttl tests for validate.cel Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API Validation and AuditAnnotation Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API ParamKind and ParamRef Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> --------- Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2023-06-01 00:30:55 +03:00
if v.rule.CEL != nil {
for _, expression := range v.rule.CEL.Expressions {
if expression.Expression == "" {
return "", fmt.Errorf("cel.expressions.expression is required")
}
}
if v.rule.CEL.ParamKind != nil {
if v.rule.CEL.ParamKind.APIVersion == "" {
return "", fmt.Errorf("cel.paramKind.apiVersion is required")
}
if v.rule.CEL.ParamKind.Kind == "" {
return "", fmt.Errorf("cel.paramKind.kind is required")
}
if v.rule.CEL.ParamRef == nil {
return "", fmt.Errorf("cel.paramRef is required")
}
}
if v.rule.CEL.ParamRef != nil {
if v.rule.CEL.ParamRef.Name == "" {
return "", fmt.Errorf("cel.paramRef.name is required")
}
if v.rule.CEL.ParamKind == nil {
return "", fmt.Errorf("cel.paramKind is required")
}
}
if v.rule.CEL.AuditAnnotations != nil {
for _, auditAnnotation := range v.rule.CEL.AuditAnnotations {
if auditAnnotation.Key == "" {
return "", fmt.Errorf("cel.auditAnnotation.key is required")
}
if auditAnnotation.ValueExpression == "" {
return "", fmt.Errorf("cel.auditAnnotation.valueExpression is required")
}
}
}
}
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
return "", nil
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
func (v *Validate) validateElements() error {
count := validationElemCount(v.rule)
format Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:57:40 -07:00
if count == 0 {
feat: support cel expression in validate rules (#7070) * feat: support cel expression in validate rules Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support parameter resources in validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl tests for validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix disallow-host-path kuttl test Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl test for cel preconditions Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix kuttl tests for validate.cel Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API Validation and AuditAnnotation Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API ParamKind and ParamRef Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> --------- Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2023-06-01 00:30:55 +03:00
return fmt.Errorf("one of pattern, anyPattern, deny, foreach, cel must be specified")
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
}
if count > 1 {
feat: support cel expression in validate rules (#7070) * feat: support cel expression in validate rules Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support parameter resources in validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl tests for validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix disallow-host-path kuttl test Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl test for cel preconditions Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix kuttl tests for validate.cel Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API Validation and AuditAnnotation Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API ParamKind and ParamRef Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> --------- Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2023-06-01 00:30:55 +03:00
return fmt.Errorf("only one of pattern, anyPattern, deny, foreach, cel can be specified")
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
}
return nil
}
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
func validationElemCount(v *kyvernov1.Validation) int {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
if v == nil {
return 0
}
count := 0
fix: CRD generation (#3334) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-06 20:07:51 +01:00
if v.GetPattern() != nil {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
count++
}
fix: CRD generation (#3334) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-06 20:07:51 +01:00
if v.GetAnyPattern() != nil {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
count++
}
if v.Deny != nil {
count++
}
if v.ForEachValidation != nil {
Extend Pod Security Admission (#4364) * init commit for pss Signed-off-by: ShutingZhao <shuting@nirmata.com> * add test for Volume Type control * add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS() * remove unused code, still a JMESPATH problem with app armor ExemptProfile() * test for Host Process / Host Namespaces controls * test for Privileged containers controls * test for HostPathVolume control * test for HostPorts control * test for HostPorts control * test for SELinux control * test for Proc mount type control * Set to baseline * test for Seccomp control * test for Sysctl control * test for Privilege escalation control * test for Run as non root control * test for Restricted Seccomp control * Add problems to address * add solutions to problems * Add validate rule for PSA * api.Version --> string. latest by default * Exclude all values for a restrictedField * add tests for kyverno engine * code to be used to match kyverno rule's namespace * Refacto pkg/pss * fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers: * EvaluatePod * Use EvaluatePod in kyverno engine * Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add * Check if PSSCheckResult matched at least one exclude value * add tests for engine * fix engine validation test * config * update go.mod and go.sum * crds * Check validate value: add PodSecurity * exclude all restrictedFields when we only specify the controlName * ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path * handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded) * refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go * add all controls with containers in restrictedFields as comments * add tests for capabilities and privileged containers and fix some errors * add tests for host ports control * add tests for proc mount control * add tests for privilege escalation control * add tests for capabilities control * remove comments * new algo * refacto algo, working. Add test for hostProcess control * remove unused code * fix getPodWithNotMatchingContainers(), add tests for host namespaces control * refacto ExemptProfile() * get values for a specific container. add test for SELinuxOptions control * fix allowedValues for SELinuxOptions * add tests for seccompProfile_baseline control * refacto checkContainers(), add test for seccomp control * add test for running as non root control * add some tests for runAsUser control, have to update current PSA version * add sysctls control * add allowed values for restrictedVolumes control * add some tests for appArmor, volume types controls * add tests for volume types control * add tests for hostPath volume control * finish merge conflicts and add tests for runAsUser * update charts and crds * exclude.images optional * change volume types control exclude values * add appAmor control * fix: did not match any exclude value for pod-level restrictedFields * create autogen for validate.PodSecurity * clean code, remove logs * fix sonatype lift errors * fix sonatype lift errors: duplication * fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests * beginning of autogen implement for validate.exclude * Autogen for validation.PodSecurity * working autogen with simple tests * change validate.PodSecurity failure response format * make codegen * fix lint errors, remove debug prints * fix tags * fix tags * fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request * Changes requested * Changes requested 2 * Changes requested 3 * Changes requested 4 * Changes requested and make codegen * fix host namespaces control * fix lint * fix codegen error * update docs/crd/v1/index.html Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix path Signed-off-by: ShutingZhao <shuting@nirmata.com> * update crd schema Signed-off-by: ShutingZhao <shuting@nirmata.com> * update charts/kyverno/templates/crds.yaml Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
count++
}
if v.PodSecurity != nil {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
count++
}
feat: support cel expression in validate rules (#7070) * feat: support cel expression in validate rules Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Support parameter resources in validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Adding CEL preconditions in kyverno policies Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl tests for validate.cel subrule Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * fix Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix disallow-host-path kuttl test Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Add kuttl test for cel preconditions Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Fix kuttl tests for validate.cel Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API Validation and AuditAnnotation Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> * Use K8S API ParamKind and ParamRef Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> --------- Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2023-06-01 00:30:55 +03:00
if v.CEL != nil {
count++
}
Yaml signing and verification (#4235) * enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix log message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> change default value of dryrun option Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> support gpg signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> set cosign experimental env when keyless verification Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * improve default ignoreFields Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * add unit-test for k8smanifest Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update install yaml Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add unit-test for k8smanifest multi-signature Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and resolve conflict Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> enable YAML verification using k8s-manifest-sigstore Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> comment out role and rolebinding for dryrun Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix pubkey setting Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> upgrade manifest sigstore version and support multi sigs Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix validate.manifest rule Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update crd and add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> update k8s-manifest-sigstore version and support one or more signatures Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix verifyManifest result message Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> fix manifest verify policy and move dryrun rbac to dryrun dir Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> add small fix Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * remove generic name Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix sonatype-lift issue and unit-test error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> * update manifest rule to use attestor Signed-off-by: Riko Kudo <rurikudo@ibm.com> * remove unused value Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve conflict Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix install.yaml Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix to set COSIGN_EXPERIMENTAL env variable when keyless verification Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix misspell Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable kyverno cli in validate.manifests rule (#3) * enable kyverno cli in validate.manifests rule Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version and improve error handling for better result output Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update crds and deepcopy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update unit test Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * change to use spec.rules.exclude.subjects instead of skipUsers (#4) Signed-off-by: Riko Kudo <rurikudo@ibm.com> * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore (#5) * update k8s-manifest-sigstore version Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a comment for dryrun option field Signed-off-by: Riko Kudo <rurikudo@ibm.com> * enable to include ClusterPolicy/Policy in match resource Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style and env variable settings Signed-off-by: Riko Kudo <rurikudo@ibm.com> * simplify manifest verify func Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix func name Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix sonatype warning Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix default ignoreFields Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix yaml signing sigstore rbac (#6) * fix dryrun rbac to have minimal permissions Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix lint error Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix unit-test error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix gofumpt error Signed-off-by: Riko Kudo <rurikudo@ibm.com> * fix log style Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated CRD documentation Signed-off-by: Riko Kudo <rurikudo@ibm.com> * resolve go.mod conflicts Signed-off-by: Riko Kudo <rurikudo@ibm.com> * updated helm stuff Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Ruriko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2022-08-31 02:14:54 +09:00
if v.Manifests != nil && len(v.Manifests.Attestors) != 0 {
count++
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
return count
}
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
func (v *Validate) validateForEach(foreach kyvernov1.ForEachValidation) error {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
if foreach.List == "" {
return fmt.Errorf("foreach.list is required")
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
count := foreachElemCount(foreach)
format Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:57:40 -07:00
if count == 0 {
fix validation checks for foreach and nested foreach (#5875) Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2023-01-04 21:22:43 -08:00
return fmt.Errorf("one of pattern, anyPattern, deny, or a nested foreach must be specified")
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
}
if count > 1 {
fix validation checks for foreach and nested foreach (#5875) Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2023-01-04 21:22:43 -08:00
return fmt.Errorf("only one of pattern, anyPattern, deny, or a nested foreach can be specified")
refactor & validate operations for generate rules in PolicyValidation
2020-03-11 18:14:23 -07:00
}
return nil
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-17 13:12:43 +02:00
func foreachElemCount(foreach kyvernov1.ForEachValidation) int {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
count := 0
fix: CRD generation (#3334) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-06 20:07:51 +01:00
if foreach.GetPattern() != nil {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
count++
}
fix: CRD generation (#3334) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-03-06 20:07:51 +01:00
if foreach.GetAnyPattern() != nil {
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
count++
}
if foreach.Deny != nil {
count++
}
fix validation checks for foreach and nested foreach (#5875) Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2023-01-04 21:22:43 -08:00
if foreach.ForEachValidation != nil {
count++
}
add validation; add 'element' to context Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2021-10-02 16:53:02 -07:00
return count
}
Copy permalink