kyverno/pkg/engine/generation.go

package engine

import (
	"encoding/json"
	"errors"

	"github.com/golang/glog"
	v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
	client "github.com/nirmata/kyverno/pkg/dclient"
	"github.com/nirmata/kyverno/pkg/info"
	"github.com/nirmata/kyverno/pkg/utils"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime"
)

//Generate apply generation rules on a resource
func Generate(client *client.Client, policy *v1alpha1.Policy, ns unstructured.Unstructured) []*info.RuleInfo {
	ris := []*info.RuleInfo{}
	for _, rule := range policy.Spec.Rules {
		if rule.Generation == nil {
			continue
		}
		ri := info.NewRuleInfo(rule.Name, info.Generation)
		err := applyRuleGenerator(client, ns, rule.Generation, policy.Spec.ValidationFailureAction)
		if err != nil {
			ri.Fail()
			ri.Addf("Rule %s: Failed to apply rule generator, err %v.", rule.Name, err)
		} else {
			ri.Addf("Rule %s: Generation succesfully.", rule.Name)
		}
		ris = append(ris, ri)

	}
	return ris
}

func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen *v1alpha1.Generation, validationFailureAction string) error {
	var err error
	resource := &unstructured.Unstructured{}
	var rdata map[string]interface{}

	if gen.Data != nil {
		// 1> Check if resource exists
		obj, err := client.GetResource(gen.Kind, ns.GetName(), gen.Name)
		if err == nil {
			// 2> If already exsists, then verify the content is contained
			// found the resource
			// check if the rule is create, if yes, then verify if the specified configuration is present in the resource
			ok, err := checkResource(gen.Data, obj)
			if err != nil {
				return err
			}
			if !ok {
				return errors.New("rule configuration not present in resource")
			}
			return nil
		}
		rdata, err = runtime.DefaultUnstructuredConverter.ToUnstructured(&gen.Data)
		if err != nil {
			glog.Error(err)
			return err
		}
	}
	if gen.Clone != nil {
		// 1> Check if resource exists
		_, err := client.GetResource(gen.Kind, ns.GetName(), gen.Name)
		if err == nil {
			return nil
		}
		// 2> If already exists return
		resource, err = client.GetResource(gen.Kind, gen.Clone.Namespace, gen.Clone.Name)
		if err != nil {
			return err
		}
		rdata = resource.UnstructuredContent()
	}
	resource.SetUnstructuredContent(rdata)
	resource.SetName(gen.Name)
	resource.SetNamespace(ns.GetName())
	// Reset resource version
	resource.SetResourceVersion("")
	// TODO based on https://github.com/nirmata/kyverno/issues/268
	// if validationFailureAction != "audit" {
	// 	// if not audit, then enforce..
	// 	// with enforce we will block the creation of resource and instead generate an error
	// 	// the error will then create a policyViolation so that the resource owner can add the defaults
	// 	return errors.New("policy flag validationFailureAction:'audit' blocked the creation of default resource for the namespace")
	// }
	// for "audit" mode, the resource will create the resource
	// but wont generate a policy violation as the generate controller doesnt know if the generate request
	// is a new resource via admission controller or via syncing its cache after a controller
	_, err = client.CreateResource(gen.Kind, ns.GetName(), resource, false)
	if err != nil {
		return err
	}
	return nil
}

func checkResource(config interface{}, resource *unstructured.Unstructured) (bool, error) {
	var err error

	objByte, err := resource.MarshalJSON()
	if err != nil {
		// unable to parse the json
		return false, err
	}
	err = resource.UnmarshalJSON(objByte)
	if err != nil {
		// unable to parse the json
		return false, err
	}
	// marshall and unmarshall json to verify if its right format
	configByte, err := json.Marshal(config)
	if err != nil {
		// unable to marshall the config
		return false, err
	}
	var configData interface{}
	err = json.Unmarshal(configByte, &configData)
	if err != nil {
		// unable to unmarshall
		return false, err

	}

	var objData interface{}
	err = json.Unmarshal(objByte, &objData)
	if err != nil {
		// unable to unmarshall
		return false, err
	}

	// Check if the config is a subset of resource
	return utils.JSONsubsetValue(configData, objData), nil
}
Resolve PR 27 2019-05-13 18:17:28 -07:00			`package engine`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00
			`import (`
cleanup 2019-07-26 08:11:20 -04:00			`"encoding/json"`
			`"errors"`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00
support generation of any resource 2019-05-31 17:59:36 -07:00			`"github.com/golang/glog"`
cleanup 2019-07-26 08:11:20 -04:00			`v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"`
move client to pkg, helper script for self-signed certs & update documentation 2019-05-29 14:12:09 -07:00			`client "github.com/nirmata/kyverno/pkg/dclient"`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`"github.com/nirmata/kyverno/pkg/info"`
cleanup 2019-07-26 08:11:20 -04:00			`"github.com/nirmata/kyverno/pkg/utils"`
			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
			`"k8s.io/apimachinery/pkg/runtime"`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`)`

cleanup 2019-07-26 08:11:20 -04:00			`//Generate apply generation rules on a resource`
			`func Generate(client client.Client, policy v1alpha1.Policy, ns unstructured.Unstructured) []*info.RuleInfo {`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`ris := []*info.RuleInfo{}`
Fixed issue with validation error messages 2019-05-20 14:48:38 +03:00			`for _, rule := range policy.Spec.Rules {`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`if rule.Generation == nil {`
			`continue`
			`}`
rule info uses type of rule 2019-06-25 23:58:28 -07:00			`ri := info.NewRuleInfo(rule.Name, info.Generation)`
fixes 268_bug 2019-08-07 18:13:43 -07:00			`err := applyRuleGenerator(client, ns, rule.Generation, policy.Spec.ValidationFailureAction)`
Implement Generate() 2019-05-14 18:20:41 -07:00			`if err != nil {`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`ri.Fail()`
create event from policy info 2019-06-26 18:04:50 -07:00			`ri.Addf("Rule %s: Failed to apply rule generator, err %v.", rule.Name, err)`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`} else {`
create event from policy info 2019-06-26 18:04:50 -07:00			`ri.Addf("Rule %s: Generation succesfully.", rule.Name)`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`ris = append(ris, ri)`
cleanup 2019-07-26 08:11:20 -04:00
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`
introduce info struct for engine responses 2019-06-25 18:16:02 -07:00			`return ris`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`

fixes 268_bug 2019-08-07 18:13:43 -07:00			`func applyRuleGenerator(client client.Client, ns unstructured.Unstructured, gen v1alpha1.Generation, validationFailureAction string) error {`
Merge branch 'develop' into lists-validation 2019-05-20 17:25:57 +03:00			`var err error`
cleanup 2019-07-26 08:11:20 -04:00			`resource := &unstructured.Unstructured{}`
			`var rdata map[string]interface{}`

			`if gen.Data != nil {`
			`// 1> Check if resource exists`
			`obj, err := client.GetResource(gen.Kind, ns.GetName(), gen.Name)`
			`if err == nil {`
			`// 2> If already exsists, then verify the content is contained`
			`// found the resource`
			`// check if the rule is create, if yes, then verify if the specified configuration is present in the resource`
			`ok, err := checkResource(gen.Data, obj)`
			`if err != nil {`
			`return err`
			`}`
			`if !ok {`
			`return errors.New("rule configuration not present in resource")`
			`}`
			`return nil`
			`}`
			`rdata, err = runtime.DefaultUnstructuredConverter.ToUnstructured(&gen.Data)`
			`if err != nil {`
			`glog.Error(err)`
			`return err`
			`}`
			`}`
			`if gen.Clone != nil {`
			`// 1> Check if resource exists`
			`_, err := client.GetResource(gen.Kind, ns.GetName(), gen.Name)`
			`if err == nil {`
			`return nil`
			`}`
			`// 2> If already exists return`
			`resource, err = client.GetResource(gen.Kind, gen.Clone.Namespace, gen.Clone.Name)`
			`if err != nil {`
			`return err`
			`}`
			`rdata = resource.UnstructuredContent()`
			`}`
			`resource.SetUnstructuredContent(rdata)`
			`resource.SetName(gen.Name)`
			`resource.SetNamespace(ns.GetName())`
			`// Reset resource version`
			`resource.SetResourceVersion("")`
update comment for bug_268 2019-08-07 18:24:55 -07:00			`// TODO based on https://github.com/nirmata/kyverno/issues/268`
			`// if validationFailureAction != "audit" {`
			`// // if not audit, then enforce..`
			`// // with enforce we will block the creation of resource and instead generate an error`
			`// // the error will then create a policyViolation so that the resource owner can add the defaults`
			`// return errors.New("policy flag validationFailureAction:'audit' blocked the creation of default resource for the namespace")`
			`// }`
fixes 268_bug 2019-08-07 18:13:43 -07:00			`// for "audit" mode, the resource will create the resource`
			`// but wont generate a policy violation as the generate controller doesnt know if the generate request`
update comment for bug_268 2019-08-07 18:24:55 -07:00			`// is a new resource via admission controller or via syncing its cache after a controller`
cleanup 2019-07-26 08:11:20 -04:00			`_, err = client.CreateResource(gen.Kind, ns.GetName(), resource, false)`
Finished Generate() logic to actual generating the resource 2019-05-16 14:09:02 -07:00			`if err != nil {`
cleanup 2019-07-26 08:11:20 -04:00			`return err`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`
Finished Generate() logic to actual generating the resource 2019-05-16 14:09:02 -07:00			`return nil`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`}`
cleanup 2019-07-26 08:11:20 -04:00
			`func checkResource(config interface{}, resource *unstructured.Unstructured) (bool, error) {`
			`var err error`

			`objByte, err := resource.MarshalJSON()`
			`if err != nil {`
			`// unable to parse the json`
			`return false, err`
			`}`
			`err = resource.UnmarshalJSON(objByte)`
			`if err != nil {`
			`// unable to parse the json`
			`return false, err`
			`}`
			`// marshall and unmarshall json to verify if its right format`
			`configByte, err := json.Marshal(config)`
			`if err != nil {`
			`// unable to marshall the config`
			`return false, err`
			`}`
			`var configData interface{}`
			`err = json.Unmarshal(configByte, &configData)`
			`if err != nil {`
			`// unable to unmarshall`
			`return false, err`

			`}`

			`var objData interface{}`
			`err = json.Unmarshal(objByte, &objData)`
			`if err != nil {`
			`// unable to unmarshall`
			`return false, err`
			`}`

			`// Check if the config is a subset of resource`
			`return utils.JSONsubsetValue(configData, objData), nil`
			`}`