2019-05-14 01:17:28 +00:00
|
|
|
package engine
|
2019-05-13 18:27:47 +00:00
|
|
|
|
|
|
|
|
import (
|
2021-02-03 21:09:42 +00:00
|
|
|
"time"
|
|
|
|
|
|
2022-01-05 01:36:33 +00:00
|
|
|
"github.com/kyverno/kyverno/pkg/engine/common"
|
|
|
|
|
|
2021-10-29 16:13:20 +00:00
|
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
2020-10-07 18:12:31 +00:00
|
|
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/variables"
|
2020-03-17 23:25:34 +00:00
|
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
2019-05-13 18:27:47 +00:00
|
|
|
)
|
|
|
|
|
|
2020-01-24 20:05:53 +00:00
|
|
|
// Generate checks for validity of generate rule on the resource
|
2020-12-09 06:52:37 +00:00
|
|
|
// 1. validate variables to be substitute in the general ruleInfo (match,exclude,condition)
|
2020-01-10 19:59:05 +00:00
|
|
|
// - the caller has to check the ruleResponse to determine whether the path exist
|
|
|
|
|
// 2. returns the list of rules that are applicable on this policy and resource, if 1 succeed
|
2021-02-01 20:59:13 +00:00
|
|
|
func Generate(policyContext *PolicyContext) (resp *response.EngineResponse) {
|
2021-05-15 13:45:04 +00:00
|
|
|
policyStartTime := time.Now()
|
|
|
|
|
return filterRules(policyContext, policyStartTime)
|
2020-12-16 20:29:16 +00:00
|
|
|
}
|
2020-08-08 00:09:24 +00:00
|
|
|
|
2021-05-15 13:45:04 +00:00
|
|
|
func filterRules(policyContext *PolicyContext, startTime time.Time) *response.EngineResponse {
|
2020-12-16 20:29:16 +00:00
|
|
|
kind := policyContext.NewResource.GetKind()
|
|
|
|
|
name := policyContext.NewResource.GetName()
|
|
|
|
|
namespace := policyContext.NewResource.GetNamespace()
|
2021-03-05 00:45:52 +00:00
|
|
|
apiVersion := policyContext.NewResource.GetAPIVersion()
|
2020-12-23 23:10:07 +00:00
|
|
|
resp := &response.EngineResponse{
|
2020-12-16 20:29:16 +00:00
|
|
|
PolicyResponse: response.PolicyResponse{
|
2021-06-29 21:43:11 +00:00
|
|
|
Policy: response.PolicySpec{
|
|
|
|
|
Name: policyContext.Policy.GetName(),
|
|
|
|
|
Namespace: policyContext.Policy.GetNamespace(),
|
|
|
|
|
},
|
2021-05-15 13:45:04 +00:00
|
|
|
PolicyStats: response.PolicyStats{
|
|
|
|
|
PolicyExecutionTimestamp: startTime.Unix(),
|
|
|
|
|
},
|
2020-12-16 20:29:16 +00:00
|
|
|
Resource: response.ResourceSpec{
|
2021-03-05 00:45:52 +00:00
|
|
|
Kind: kind,
|
|
|
|
|
Name: name,
|
|
|
|
|
Namespace: namespace,
|
|
|
|
|
APIVersion: apiVersion,
|
2020-12-16 20:29:16 +00:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if policyContext.ExcludeResourceFunc(kind, namespace, name) {
|
|
|
|
|
log.Log.WithName("Generate").Info("resource excluded", "kind", kind, "namespace", namespace, "name", name)
|
|
|
|
|
return resp
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, rule := range policyContext.Policy.Spec.Rules {
|
|
|
|
|
if ruleResp := filterRule(rule, policyContext); ruleResp != nil {
|
|
|
|
|
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp)
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-08-08 00:09:24 +00:00
|
|
|
|
2020-12-16 20:29:16 +00:00
|
|
|
return resp
|
2020-01-07 18:33:28 +00:00
|
|
|
}
|
2019-11-13 23:46:43 +00:00
|
|
|
|
2021-02-01 20:59:13 +00:00
|
|
|
func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleResponse {
|
2020-01-07 18:33:28 +00:00
|
|
|
if !rule.HasGenerate() {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-02-24 14:42:39 +00:00
|
|
|
|
2021-07-28 16:54:50 +00:00
|
|
|
var err error
|
2020-02-24 14:42:39 +00:00
|
|
|
startTime := time.Now()
|
2020-09-22 21:11:49 +00:00
|
|
|
|
2020-12-16 20:29:16 +00:00
|
|
|
policy := policyContext.Policy
|
|
|
|
|
newResource := policyContext.NewResource
|
|
|
|
|
oldResource := policyContext.OldResource
|
|
|
|
|
admissionInfo := policyContext.AdmissionInfo
|
2020-12-23 23:10:07 +00:00
|
|
|
ctx := policyContext.JSONContext
|
2020-12-16 20:29:16 +00:00
|
|
|
excludeGroupRole := policyContext.ExcludeGroupRole
|
2021-02-03 21:09:42 +00:00
|
|
|
namespaceLabels := policyContext.NamespaceLabels
|
2020-12-16 20:29:16 +00:00
|
|
|
|
|
|
|
|
logger := log.Log.WithName("Generate").WithValues("policy", policy.Name,
|
|
|
|
|
"kind", newResource.GetKind(), "namespace", newResource.GetNamespace(), "name", newResource.GetName())
|
|
|
|
|
|
2021-10-01 08:46:33 +00:00
|
|
|
if err = MatchesResourceDescription(newResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, ""); err != nil {
|
2020-12-16 20:29:16 +00:00
|
|
|
|
|
|
|
|
// if the oldResource matched, return "false" to delete GR for it
|
2021-10-01 08:46:33 +00:00
|
|
|
if err = MatchesResourceDescription(oldResource, rule, admissionInfo, excludeGroupRole, namespaceLabels, ""); err == nil {
|
2020-12-01 20:30:08 +00:00
|
|
|
return &response.RuleResponse{
|
2021-09-28 06:40:05 +00:00
|
|
|
Name: rule.Name,
|
|
|
|
|
Type: "Generation",
|
2021-09-26 09:12:31 +00:00
|
|
|
Status: response.RuleStatusFail,
|
2020-12-01 20:30:08 +00:00
|
|
|
RuleStats: response.RuleStats{
|
2021-05-15 13:45:04 +00:00
|
|
|
ProcessingTime: time.Since(startTime),
|
|
|
|
|
RuleExecutionTimestamp: startTime.Unix(),
|
2020-12-01 20:30:08 +00:00
|
|
|
},
|
|
|
|
|
}
|
2020-08-31 18:25:13 +00:00
|
|
|
}
|
2020-12-16 20:29:16 +00:00
|
|
|
|
2020-12-01 20:30:08 +00:00
|
|
|
return nil
|
2020-01-07 18:33:28 +00:00
|
|
|
}
|
2020-10-15 00:39:45 +00:00
|
|
|
|
2021-02-02 07:22:19 +00:00
|
|
|
policyContext.JSONContext.Checkpoint()
|
|
|
|
|
defer policyContext.JSONContext.Restore()
|
|
|
|
|
|
2022-01-18 12:59:35 +00:00
|
|
|
if err = LoadContext(logger, rule.Context, policyContext, rule.Name); err != nil {
|
2021-02-22 20:08:26 +00:00
|
|
|
logger.V(4).Info("cannot add external data to the context", "reason", err.Error())
|
2020-09-22 21:11:49 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-30 19:07:01 +00:00
|
|
|
ruleCopy := rule.DeepCopy()
|
|
|
|
|
ruleCopy.AnyAllConditions, err = variables.SubstituteAllInPreconditions(logger, ctx, ruleCopy.AnyAllConditions)
|
2021-07-28 16:54:50 +00:00
|
|
|
if err != nil {
|
2021-07-30 19:07:01 +00:00
|
|
|
logger.V(4).Info("failed to substitute vars in preconditions, skip current rule", "rule name", ruleCopy.Name)
|
2021-07-28 16:54:50 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-04 20:13:41 +00:00
|
|
|
// operate on the copy of the conditions, as we perform variable substitution
|
2022-01-05 01:36:33 +00:00
|
|
|
copyConditions, err := common.TransformConditions(ruleCopy.AnyAllConditions)
|
2021-03-02 04:31:06 +00:00
|
|
|
if err != nil {
|
|
|
|
|
logger.V(4).Info("cannot copy AnyAllConditions", "reason", err.Error())
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-01-07 23:13:57 +00:00
|
|
|
|
|
|
|
|
// evaluate pre-conditions
|
2021-07-28 16:54:50 +00:00
|
|
|
if !variables.EvaluateConditions(logger, ctx, copyConditions) {
|
2022-01-05 01:36:33 +00:00
|
|
|
logger.V(4).Info("skip rule as preconditions are not met", "rule", ruleCopy.Name)
|
2020-01-07 23:13:57 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
2020-12-09 06:17:53 +00:00
|
|
|
|
2020-01-07 18:33:28 +00:00
|
|
|
// build rule Response
|
|
|
|
|
return &response.RuleResponse{
|
2021-09-28 06:40:05 +00:00
|
|
|
Name: ruleCopy.Name,
|
|
|
|
|
Type: "Generation",
|
2021-09-26 09:12:31 +00:00
|
|
|
Status: response.RuleStatusPass,
|
2020-02-24 14:42:39 +00:00
|
|
|
RuleStats: response.RuleStats{
|
2021-05-15 13:45:04 +00:00
|
|
|
ProcessingTime: time.Since(startTime),
|
|
|
|
|
RuleExecutionTimestamp: startTime.Unix(),
|
2020-02-24 14:42:39 +00:00
|
|
|
},
|
2019-08-19 23:40:10 +00:00
|
|
|
}
|
2020-01-07 18:33:28 +00:00
|
|
|
}
|
