kyverno/pkg/policystore/policystore.go

package policystore

import (
	"sync"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
	"k8s.io/client-go/tools/cache"
)

type policyMap map[string]interface{}
type namespaceMap map[string]policyMap
type kindMap map[string]namespaceMap

//PolicyStore Store the meta-data information to faster lookup policies
type PolicyStore struct {
	data map[string]namespaceMap
	mu   sync.RWMutex
	// list/get cluster policy
	pLister kyvernolister.ClusterPolicyLister
	// returns true if the cluster policy store has been synced at least once
	pSynched cache.InformerSynced
}

//UpdateInterface provides api to update policies
type UpdateInterface interface {
	// Register a new policy
	Register(policy kyverno.ClusterPolicy)
	// Remove policy information
	UnRegister(policy kyverno.ClusterPolicy) error
}

//LookupInterface provides api to lookup policies
type LookupInterface interface {
	// Lookup based on kind and namespaces
	LookUp(kind, namespace string) ([]kyverno.ClusterPolicy, error)
}

// NewPolicyStore returns a new policy store
func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer) *PolicyStore {
	ps := PolicyStore{
		data:     make(kindMap),
		pLister:  pInformer.Lister(),
		pSynched: pInformer.Informer().HasSynced,
	}
	return &ps
}

//Run checks syncing
func (ps *PolicyStore) Run(stopCh <-chan struct{}) {
	if !cache.WaitForCacheSync(stopCh, ps.pSynched) {
		glog.Error("policy meta store: failed to sync informer cache")
	}
}

//Register a new policy
func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {
	glog.V(4).Infof("adding resources %s", policy.Name)
	ps.mu.Lock()
	defer ps.mu.Unlock()
	var pmap policyMap
	// add an entry for each rule in policy
	for _, rule := range policy.Spec.Rules {
		//		rule.MatchResources.Kinds - List - mandatory - atleast on entry
		for _, kind := range rule.MatchResources.Kinds {
			kindMap := ps.addKind(kind)
			// namespaces
			if len(rule.MatchResources.Namespaces) == 0 {
				// all namespaces - *
				pmap = addNamespace(kindMap, "*")
			} else {
				for _, ns := range rule.MatchResources.Namespaces {
					pmap = addNamespace(kindMap, ns)
				}
			}
			// add policy to the pmap
			addPolicyElement(pmap, policy.Name)
		}
	}
}

//LookUp look up the resources
func (ps *PolicyStore) LookUp(kind, namespace string) ([]kyverno.ClusterPolicy, error) {
	ret := []kyverno.ClusterPolicy{}
	// lookup meta-store
	policyNames := ps.lookUp(kind, namespace)
	for _, policyName := range policyNames {
		policy, err := ps.pLister.Get(policyName)
		if err != nil {
			return nil, err
		}
		ret = append(ret, *policy)
	}
	return ret, nil
}

//UnRegister Remove policy information
func (ps *PolicyStore) UnRegister(policy kyverno.ClusterPolicy) error {
	ps.mu.Lock()
	defer ps.mu.Unlock()
	for _, rule := range policy.Spec.Rules {
		for _, kind := range rule.MatchResources.Kinds {
			// get kind Map
			kindMap := ps.getKind(kind)
			if kindMap == nil {
				// kind does not exist
				return nil
			}
			if len(rule.MatchResources.Namespaces) == 0 {
				namespace := "*"
				pmap := getNamespace(kindMap, namespace)
				// remove element
				delete(pmap, policy.Name)
			} else {
				for _, ns := range rule.MatchResources.Namespaces {
					pmap := getNamespace(kindMap, ns)
					// remove element
					delete(pmap, policy.Name)
				}
			}
		}
	}
	return nil
}

//LookUp lookups up the policies for kind and namespace
// returns a list of <policy, rule> that statisfy the filters
func (ps *PolicyStore) lookUp(kind, namespace string) []string {
	ps.mu.RLock()
	defer ps.mu.RUnlock()
	var policyMap policyMap
	var ret []string
	// kind
	kindMap := ps.getKind(kind)
	if kindMap == nil {
		return []string{}
	}
	// get namespace specific policies
	policyMap = kindMap[namespace]
	ret = append(ret, transform(policyMap)...)
	// get policies on all namespaces
	policyMap = kindMap["*"]
	ret = append(ret, transform(policyMap)...)
	return unique(ret)
}

func unique(intSlice []string) []string {
	keys := make(map[string]bool)
	list := []string{}
	for _, entry := range intSlice {
		if _, value := keys[entry]; !value {
			keys[entry] = true
			list = append(list, entry)
		}
	}
	return list
}

// generates a copy
func transform(pmap policyMap) []string {
	ret := []string{}
	for k := range pmap {
		ret = append(ret, k)
	}
	return ret
}

func (ps *PolicyStore) addKind(kind string) namespaceMap {
	val, ok := ps.data[kind]
	if ok {
		return val
	}
	ps.data[kind] = make(namespaceMap)
	return ps.data[kind]
}

func (ps *PolicyStore) getKind(kind string) namespaceMap {
	return ps.data[kind]
}

func addNamespace(kindMap map[string]policyMap, namespace string) policyMap {
	val, ok := kindMap[namespace]
	if ok {
		return val
	}
	kindMap[namespace] = make(policyMap)
	return kindMap[namespace]
}

func getNamespace(kindMap map[string]policyMap, namespace string) policyMap {
	return kindMap[namespace]
}

func addPolicyElement(pmap policyMap, name string) {
	var emptyInterface interface{}

	if _, ok := pmap[name]; !ok {
		pmap[name] = emptyInterface
	}
}
policy store test 2019-08-13 13:15:32 -07:00			`package policystore`

			`import (`
			`"sync"`

wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`"github.com/golang/glog"`
update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"`
update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`"k8s.io/client-go/tools/cache"`
policy store test 2019-08-13 13:15:32 -07:00			`)`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`type policyMap map[string]interface{}`
			`type namespaceMap map[string]policyMap`
			`type kindMap map[string]namespaceMap`
introduce policy store 2019-11-11 11:10:25 -08:00
			`//PolicyStore Store the meta-data information to faster lookup policies`
			`type PolicyStore struct {`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`data map[string]namespaceMap`
			`mu sync.RWMutex`
			`// list/get cluster policy`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`pLister kyvernolister.ClusterPolicyLister`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`// returns true if the cluster policy store has been synced at least once`
			`pSynched cache.InformerSynced`
policy store test 2019-08-13 13:15:32 -07:00			`}`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`//UpdateInterface provides api to update policies`
			`type UpdateInterface interface {`
introduce policy store 2019-11-11 11:10:25 -08:00			`// Register a new policy`
			`Register(policy kyverno.ClusterPolicy)`
			`// Remove policy information`
			`UnRegister(policy kyverno.ClusterPolicy) error`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`}`

			`//LookupInterface provides api to lookup policies`
			`type LookupInterface interface {`
introduce policy store 2019-11-11 11:10:25 -08:00			`// Lookup based on kind and namespaces`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`LookUp(kind, namespace string) ([]kyverno.ClusterPolicy, error)`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`

			`// NewPolicyStore returns a new policy store`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer) *PolicyStore {`
introduce policy store 2019-11-11 11:10:25 -08:00			`ps := PolicyStore{`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`data: make(kindMap),`
			`pLister: pInformer.Lister(),`
			`pSynched: pInformer.Informer().HasSynced,`
policy store test 2019-08-13 13:15:32 -07:00			`}`
introduce policy store 2019-11-11 11:10:25 -08:00			`return &ps`
			`}`
policy store test 2019-08-13 13:15:32 -07:00
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`//Run checks syncing`
			`func (ps *PolicyStore) Run(stopCh <-chan struct{}) {`
			`if !cache.WaitForCacheSync(stopCh, ps.pSynched) {`
			`glog.Error("policy meta store: failed to sync informer cache")`
			`}`
			`}`

introduce policy store 2019-11-11 11:10:25 -08:00			`//Register a new policy`
			`func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {`
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 10:33:28 -08:00			`glog.V(4).Infof("adding resources %s", policy.Name)`
introduce policy store 2019-11-11 11:10:25 -08:00			`ps.mu.Lock()`
			`defer ps.mu.Unlock()`
			`var pmap policyMap`
			`// add an entry for each rule in policy`
			`for _, rule := range policy.Spec.Rules {`
			`// rule.MatchResources.Kinds - List - mandatory - atleast on entry`
			`for _, kind := range rule.MatchResources.Kinds {`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`kindMap := ps.addKind(kind)`
introduce policy store 2019-11-11 11:10:25 -08:00			`// namespaces`
			`if len(rule.MatchResources.Namespaces) == 0 {`
			`// all namespaces - *`
			`pmap = addNamespace(kindMap, "*")`
			`} else {`
			`for _, ns := range rule.MatchResources.Namespaces {`
			`pmap = addNamespace(kindMap, ns)`
			`}`
			`}`
			`// add policy to the pmap`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`addPolicyElement(pmap, policy.Name)`
			`}`
			`}`
			`}`

			`//LookUp look up the resources`
			`func (ps *PolicyStore) LookUp(kind, namespace string) ([]kyverno.ClusterPolicy, error) {`
			`ret := []kyverno.ClusterPolicy{}`
			`// lookup meta-store`
			`policyNames := ps.lookUp(kind, namespace)`
			`for _, policyName := range policyNames {`
			`policy, err := ps.pLister.Get(policyName)`
			`if err != nil {`
			`return nil, err`
policy store test 2019-08-13 13:15:32 -07:00			`}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`ret = append(ret, *policy)`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`return ret, nil`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`

			`//UnRegister Remove policy information`
			`func (ps *PolicyStore) UnRegister(policy kyverno.ClusterPolicy) error {`
			`ps.mu.Lock()`
			`defer ps.mu.Unlock()`
			`for _, rule := range policy.Spec.Rules {`
			`for _, kind := range rule.MatchResources.Kinds {`
			`// get kind Map`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`kindMap := ps.getKind(kind)`
introduce policy store 2019-11-11 11:10:25 -08:00			`if kindMap == nil {`
			`// kind does not exist`
			`return nil`
			`}`
			`if len(rule.MatchResources.Namespaces) == 0 {`
			`namespace := "*"`
			`pmap := getNamespace(kindMap, namespace)`
			`// remove element`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`delete(pmap, policy.Name)`
introduce policy store 2019-11-11 11:10:25 -08:00			`} else {`
			`for _, ns := range rule.MatchResources.Namespaces {`
			`pmap := getNamespace(kindMap, ns)`
			`// remove element`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`delete(pmap, policy.Name)`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`
			`}`
policy store test 2019-08-13 13:15:32 -07:00			`}`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`
			`return nil`
			`}`
policy store test 2019-08-13 13:15:32 -07:00
introduce policy store 2019-11-11 11:10:25 -08:00			`//LookUp lookups up the policies for kind and namespace`
			`// returns a list of <policy, rule> that statisfy the filters`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func (ps *PolicyStore) lookUp(kind, namespace string) []string {`
introduce policy store 2019-11-11 11:10:25 -08:00			`ps.mu.RLock()`
			`defer ps.mu.RUnlock()`
			`var policyMap policyMap`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`var ret []string`
introduce policy store 2019-11-11 11:10:25 -08:00			`// kind`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`kindMap := ps.getKind(kind)`
introduce policy store 2019-11-11 11:10:25 -08:00			`if kindMap == nil {`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`return []string{}`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`
			`// get namespace specific policies`
			`policyMap = kindMap[namespace]`
			`ret = append(ret, transform(policyMap)...)`
			`// get policies on all namespaces`
			`policyMap = kindMap["*"]`
			`ret = append(ret, transform(policyMap)...)`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`return unique(ret)`
			`}`

			`func unique(intSlice []string) []string {`
			`keys := make(map[string]bool)`
			`list := []string{}`
			`for _, entry := range intSlice {`
			`if _, value := keys[entry]; !value {`
			`keys[entry] = true`
			`list = append(list, entry)`
			`}`
			`}`
			`return list`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`
policy store test 2019-08-13 13:15:32 -07:00
introduce policy store 2019-11-11 11:10:25 -08:00			`// generates a copy`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func transform(pmap policyMap) []string {`
			`ret := []string{}`
introduce policy store 2019-11-11 11:10:25 -08:00			`for k := range pmap {`
			`ret = append(ret, k)`
			`}`
			`return ret`
			`}`
policy store test 2019-08-13 13:15:32 -07:00
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func (ps *PolicyStore) addKind(kind string) namespaceMap {`
			`val, ok := ps.data[kind]`
introduce policy store 2019-11-11 11:10:25 -08:00			`if ok {`
			`return val`
			`}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`ps.data[kind] = make(namespaceMap)`
			`return ps.data[kind]`
policy store test 2019-08-13 13:15:32 -07:00			`}`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func (ps *PolicyStore) getKind(kind string) namespaceMap {`
			`return ps.data[kind]`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`

			`func addNamespace(kindMap map[string]policyMap, namespace string) policyMap {`
			`val, ok := kindMap[namespace]`
			`if ok {`
			`return val`
			`}`
			`kindMap[namespace] = make(policyMap)`
			`return kindMap[namespace]`
			`}`

			`func getNamespace(kindMap map[string]policyMap, namespace string) policyMap {`
			`return kindMap[namespace]`
			`}`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func addPolicyElement(pmap policyMap, name string) {`
introduce policy store 2019-11-11 11:10:25 -08:00			`var emptyInterface interface{}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00
			`if _, ok := pmap[name]; !ok {`
			`pmap[name] = emptyInterface`
policy store test 2019-08-13 13:15:32 -07:00			`}`
			`}`