kyverno/pkg/cel/engine/engine.go

package engine

import (
	"context"
	"fmt"

	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
	"github.com/kyverno/kyverno/pkg/cel/policy"
	"github.com/kyverno/kyverno/pkg/cel/utils"
	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
	"github.com/kyverno/kyverno/pkg/engine/handlers"
	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

type EngineRequest struct {
	Resource *unstructured.Unstructured
}

type EngineResponse struct {
	Resource *unstructured.Unstructured
	Policies []PolicyResponse
}

type PolicyResponse struct {
	Policy kyvernov2alpha1.ValidatingPolicy
	Rules  []engineapi.RuleResponse
}

type Engine interface {
	Handle(context.Context, EngineRequest, ...policy.CompiledPolicy) (EngineResponse, error)
}

type NamespaceResolver = func(string) *corev1.Namespace

type engine struct {
	nsResolver NamespaceResolver
	provider   Provider
}

func NewEngine(provider Provider, nsResolver NamespaceResolver) *engine {
	return &engine{
		nsResolver: nsResolver,
		provider:   provider,
	}
}

func (e *engine) Handle(ctx context.Context, request EngineRequest) (EngineResponse, error) {
	response := EngineResponse{
		Resource: request.Resource,
	}
	policies, err := e.provider.CompiledPolicies(ctx)
	if err != nil {
		return response, err
	}
	// resolve namespace
	var namespace *unstructured.Unstructured
	if ns := request.Resource.GetNamespace(); ns != "" {
		coreNs := e.nsResolver(ns)
		if coreNs != nil {
			ns, err := kubeutils.ObjToUnstructured(coreNs)
			if err != nil {
				return response, err
			}
			namespace = ns
		}
	}
	for _, policy := range policies {
		response.Policies = append(response.Policies, e.handlePolicy(ctx, policy, request.Resource, namespace))
	}
	return response, nil
}

func (e *engine) handlePolicy(ctx context.Context, policy CompiledPolicy, resource *unstructured.Unstructured, namespace *unstructured.Unstructured) PolicyResponse {
	var rules []engineapi.RuleResponse
	results, err := policy.CompiledPolicy.Evaluate(ctx, resource, namespace, nil)
	// TODO: error is about match conditions here ?
	if err != nil {
		rules = handlers.WithResponses(engineapi.RuleError("evaluation", engineapi.Validation, "failed to load context", err, nil))
	} else {
		for index, result := range results {
			ruleName := fmt.Sprintf("rule-%d", index)
			if result.Error != nil {
				rules = append(rules, *engineapi.RuleError(ruleName, engineapi.Validation, "error", err, nil))
			} else if result, err := utils.ConvertToNative[bool](result.Result); err != nil {
				rules = append(rules, *engineapi.RuleError(ruleName, engineapi.Validation, "conversion error", err, nil))
			} else if result {
				rules = append(rules, *engineapi.RulePass(ruleName, engineapi.Validation, "success", nil))
			} else {
				rules = append(rules, *engineapi.RuleFail(ruleName, engineapi.Validation, "failure", nil))
			}
		}
	}
	return PolicyResponse{
		Policy: policy.Policy,
		Rules:  rules,
	}
}
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`package engine`

			`import (`
			`"context"`
feat: introduce evaluation results in cel engine (#11971) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-21 17:41:45 +01:00			`"fmt"`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`"github.com/kyverno/kyverno/pkg/cel/policy"`
feat: introduce evaluation results in cel engine (#11971) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-21 17:41:45 +01:00			`"github.com/kyverno/kyverno/pkg/cel/utils"`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`engineapi "github.com/kyverno/kyverno/pkg/engine/api"`
			`"github.com/kyverno/kyverno/pkg/engine/handlers"`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"`
			`corev1 "k8s.io/api/core/v1"`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
			`)`

			`type EngineRequest struct {`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`Resource *unstructured.Unstructured`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`}`

feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`type EngineResponse struct {`
			`Resource *unstructured.Unstructured`
			`Policies []PolicyResponse`
			`}`

			`type PolicyResponse struct {`
			`Policy kyvernov2alpha1.ValidatingPolicy`
			`Rules []engineapi.RuleResponse`
			`}`

feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`type Engine interface {`
			`Handle(context.Context, EngineRequest, ...policy.CompiledPolicy) (EngineResponse, error)`
			`}`

feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`type NamespaceResolver = func(string) *corev1.Namespace`

feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`type engine struct {`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`nsResolver NamespaceResolver`
			`provider Provider`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`}`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`func NewEngine(provider Provider, nsResolver NamespaceResolver) *engine {`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`return &engine{`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`nsResolver: nsResolver,`
			`provider: provider,`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`}`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`}`

feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`func (e *engine) Handle(ctx context.Context, request EngineRequest) (EngineResponse, error) {`
			`response := EngineResponse{`
			`Resource: request.Resource,`
			`}`
			`policies, err := e.provider.CompiledPolicies(ctx)`
			`if err != nil {`
			`return response, err`
			`}`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`// resolve namespace`
			`var namespace *unstructured.Unstructured`
			`if ns := request.Resource.GetNamespace(); ns != "" {`
			`coreNs := e.nsResolver(ns)`
			`if coreNs != nil {`
			`ns, err := kubeutils.ObjToUnstructured(coreNs)`
			`if err != nil {`
			`return response, err`
			`}`
			`namespace = ns`
			`}`
			`}`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`for _, policy := range policies {`
feat: add namespace support in CLI values (#11958) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 12:43:13 +01:00			`response.Policies = append(response.Policies, e.handlePolicy(ctx, policy, request.Resource, namespace))`
feat(cli,apply): load validating policies (#11933) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-17 10:53:17 +01:00			`}`
			`return response, nil`
			`}`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00
refactor: reduce generic policy interface (#11977) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-22 17:32:30 +01:00			`func (e engine) handlePolicy(ctx context.Context, policy CompiledPolicy, resource unstructured.Unstructured, namespace *unstructured.Unstructured) PolicyResponse {`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`var rules []engineapi.RuleResponse`
fix: implement cel context lib correctly (#11983) * fix: implement cel context lib correctly Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more changes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-23 12:02:33 +01:00			`results, err := policy.CompiledPolicy.Evaluate(ctx, resource, namespace, nil)`
feat: introduce evaluation results in cel engine (#11971) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-21 17:41:45 +01:00			`// TODO: error is about match conditions here ?`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`if err != nil {`
feat: introduce evaluation results in cel engine (#11971) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-21 17:41:45 +01:00			`rules = handlers.WithResponses(engineapi.RuleError("evaluation", engineapi.Validation, "failed to load context", err, nil))`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`} else {`
feat: introduce evaluation results in cel engine (#11971) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-21 17:41:45 +01:00			`for index, result := range results {`
			`ruleName := fmt.Sprintf("rule-%d", index)`
			`if result.Error != nil {`
			`rules = append(rules, *engineapi.RuleError(ruleName, engineapi.Validation, "error", err, nil))`
			`} else if result, err := utils.ConvertToNative[bool](result.Result); err != nil {`
			`rules = append(rules, *engineapi.RuleError(ruleName, engineapi.Validation, "conversion error", err, nil))`
			`} else if result {`
			`rules = append(rules, *engineapi.RulePass(ruleName, engineapi.Validation, "success", nil))`
			`} else {`
			`rules = append(rules, *engineapi.RuleFail(ruleName, engineapi.Validation, "failure", nil))`
			`}`
			`}`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`}`
			`return PolicyResponse{`
refactor: reduce generic policy interface (#11977) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-22 17:32:30 +01:00			`Policy: policy.Policy,`
feat: use policy provider (#11947) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-01-20 10:43:05 +01:00			`Rules: rules,`
			`}`
			`}`