2020-07-10 18:12:19 +05:30
|
|
|
package common
|
|
|
|
|
|
2021-02-04 02:39:42 +05:30
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
2021-04-29 22:39:44 +05:30
|
|
|
"fmt"
|
2021-03-05 06:15:52 +05:30
|
|
|
"strings"
|
2021-06-08 12:37:19 -07:00
|
|
|
"time"
|
2021-02-04 02:39:42 +05:30
|
|
|
|
2021-10-29 18:13:20 +02:00
|
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
2021-09-02 12:40:40 +05:30
|
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
|
|
2021-02-04 02:39:42 +05:30
|
|
|
"github.com/go-logr/logr"
|
2021-07-01 00:30:02 +05:30
|
|
|
dclient "github.com/kyverno/kyverno/pkg/dclient"
|
2021-02-04 02:39:42 +05:30
|
|
|
enginutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
2021-06-08 12:37:19 -07:00
|
|
|
"github.com/pkg/errors"
|
2021-02-04 02:39:42 +05:30
|
|
|
v1 "k8s.io/api/core/v1"
|
2021-02-16 00:57:09 +05:30
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
2021-02-04 02:39:42 +05:30
|
|
|
"k8s.io/client-go/informers"
|
|
|
|
|
listerv1 "k8s.io/client-go/listers/core/v1"
|
|
|
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
|
|
|
|
)
|
|
|
|
|
|
2020-07-10 18:12:19 +05:30
|
|
|
// Policy Reporting Modes
|
|
|
|
|
const (
|
2021-10-29 16:06:03 +01:00
|
|
|
// Enforce blocks the request on failure
|
|
|
|
|
Enforce = "enforce"
|
|
|
|
|
// Audit indicates not to block the request on failure, but report failiures as policy violations
|
|
|
|
|
Audit = "audit"
|
2020-07-10 18:12:19 +05:30
|
|
|
)
|
2020-11-09 11:26:12 -08:00
|
|
|
|
|
|
|
|
// Policy Reporting Types
|
|
|
|
|
const (
|
|
|
|
|
PolicyViolation = "POLICYVIOLATION"
|
|
|
|
|
PolicyReport = "POLICYREPORT"
|
|
|
|
|
)
|
2021-02-04 02:39:42 +05:30
|
|
|
|
|
|
|
|
// GetNamespaceSelectorsFromGenericInformer - extracting the namespacelabels when generic informer is passed
|
|
|
|
|
func GetNamespaceSelectorsFromGenericInformer(kind, namespaceOfResource string, nsInformer informers.GenericInformer, logger logr.Logger) map[string]string {
|
|
|
|
|
namespaceLabels := make(map[string]string)
|
|
|
|
|
if kind != "Namespace" {
|
|
|
|
|
runtimeNamespaceObj, err := nsInformer.Lister().Get(namespaceOfResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Log.Error(err, "failed to get the namespace", "name", namespaceOfResource)
|
2021-02-16 00:57:09 +05:30
|
|
|
return namespaceLabels
|
2021-02-04 02:39:42 +05:30
|
|
|
}
|
|
|
|
|
|
2021-02-16 00:57:09 +05:30
|
|
|
unstructuredObj := runtimeNamespaceObj.(*unstructured.Unstructured)
|
|
|
|
|
return unstructuredObj.GetLabels()
|
|
|
|
|
}
|
2021-02-04 02:39:42 +05:30
|
|
|
return namespaceLabels
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetNamespaceSelectorsFromNamespaceLister - extract the namespacelabels when namespace lister is passed
|
|
|
|
|
func GetNamespaceSelectorsFromNamespaceLister(kind, namespaceOfResource string, nsLister listerv1.NamespaceLister, logger logr.Logger) map[string]string {
|
|
|
|
|
namespaceLabels := make(map[string]string)
|
2021-11-17 15:09:00 +01:00
|
|
|
if kind != "Namespace" && namespaceOfResource != "" {
|
2021-02-04 02:39:42 +05:30
|
|
|
namespaceObj, err := nsLister.Get(namespaceOfResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Log.Error(err, "failed to get the namespace", "name", namespaceOfResource)
|
2021-02-16 00:57:09 +05:30
|
|
|
return namespaceLabels
|
2021-02-04 02:39:42 +05:30
|
|
|
}
|
|
|
|
|
return GetNamespaceLabels(namespaceObj, logger)
|
|
|
|
|
}
|
|
|
|
|
return namespaceLabels
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetNamespaceLabels - from namespace obj
|
|
|
|
|
func GetNamespaceLabels(namespaceObj *v1.Namespace, logger logr.Logger) map[string]string {
|
|
|
|
|
namespaceObj.Kind = "Namespace"
|
|
|
|
|
namespaceRaw, err := json.Marshal(namespaceObj)
|
2021-10-13 22:45:23 +02:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to marshal namespace")
|
|
|
|
|
}
|
2021-02-04 02:39:42 +05:30
|
|
|
namespaceUnstructured, err := enginutils.ConvertToUnstructured(namespaceRaw)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to convert object resource to unstructured format")
|
|
|
|
|
}
|
|
|
|
|
return namespaceUnstructured.GetLabels()
|
|
|
|
|
}
|
2021-03-05 06:15:52 +05:30
|
|
|
|
|
|
|
|
// GetKindFromGVK - get kind and APIVersion from GVK
|
|
|
|
|
func GetKindFromGVK(str string) (apiVersion string, kind string) {
|
|
|
|
|
if strings.Count(str, "/") == 0 {
|
|
|
|
|
return "", str
|
|
|
|
|
}
|
|
|
|
|
splitString := strings.Split(str, "/")
|
|
|
|
|
if strings.Count(str, "/") == 1 {
|
|
|
|
|
return splitString[0], splitString[1]
|
|
|
|
|
}
|
|
|
|
|
return splitString[0] + "/" + splitString[1], splitString[2]
|
|
|
|
|
}
|
2021-04-29 22:39:44 +05:30
|
|
|
|
|
|
|
|
func VariableToJSON(key, value string) []byte {
|
|
|
|
|
var subString string
|
|
|
|
|
splitBySlash := strings.Split(key, "\"")
|
|
|
|
|
if len(splitBySlash) > 1 {
|
|
|
|
|
subString = splitBySlash[1]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
startString := ""
|
|
|
|
|
endString := ""
|
|
|
|
|
lenOfVariableString := 0
|
|
|
|
|
addedSlashString := false
|
|
|
|
|
for _, k := range strings.Split(splitBySlash[0], ".") {
|
|
|
|
|
if k != "" {
|
|
|
|
|
startString += fmt.Sprintf(`{"%s":`, k)
|
|
|
|
|
endString += `}`
|
|
|
|
|
lenOfVariableString = lenOfVariableString + len(k) + 1
|
|
|
|
|
if lenOfVariableString >= len(splitBySlash[0]) && len(splitBySlash) > 1 && !addedSlashString {
|
|
|
|
|
startString += fmt.Sprintf(`{"%s":`, subString)
|
|
|
|
|
endString += `}`
|
|
|
|
|
addedSlashString = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-04 09:39:31 -04:00
|
|
|
midString := fmt.Sprintf(`"%s"`, strings.Replace(value, `"`, `\"`, -1))
|
2021-04-29 22:39:44 +05:30
|
|
|
finalString := startString + midString + endString
|
|
|
|
|
var jsonData = []byte(finalString)
|
|
|
|
|
return jsonData
|
|
|
|
|
}
|
2021-06-08 12:37:19 -07:00
|
|
|
|
2021-10-29 16:06:03 +01:00
|
|
|
// RetryFunc allows retrying a function on error within a given timeout
|
2021-06-08 12:37:19 -07:00
|
|
|
func RetryFunc(retryInterval, timeout time.Duration, run func() error, logger logr.Logger) func() error {
|
|
|
|
|
return func() error {
|
|
|
|
|
registerTimeout := time.After(timeout)
|
|
|
|
|
registerTicker := time.NewTicker(retryInterval)
|
|
|
|
|
defer registerTicker.Stop()
|
|
|
|
|
var err error
|
|
|
|
|
|
|
|
|
|
loop:
|
|
|
|
|
for {
|
|
|
|
|
select {
|
|
|
|
|
case <-registerTicker.C:
|
|
|
|
|
err = run()
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.V(3).Info("Failed to register admission control webhooks", "reason", err.Error())
|
|
|
|
|
} else {
|
|
|
|
|
break loop
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case <-registerTimeout:
|
|
|
|
|
return errors.Wrap(err, "Timeout registering admission control webhooks")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-07-01 00:30:02 +05:30
|
|
|
|
|
|
|
|
func ProcessDeletePolicyForCloneGenerateRule(rules []kyverno.Rule, client *dclient.Client, pName string, logger logr.Logger) bool {
|
|
|
|
|
generatePolicyWithClone := false
|
|
|
|
|
for _, rule := range rules {
|
2021-07-09 18:01:46 -07:00
|
|
|
if rule.Generation.Clone.Name == "" {
|
|
|
|
|
continue
|
|
|
|
|
}
|
2021-07-01 00:30:02 +05:30
|
|
|
|
2021-07-09 18:01:46 -07:00
|
|
|
logger.V(4).Info("generate policy with clone, remove policy name from label of source resource")
|
|
|
|
|
generatePolicyWithClone = true
|
2021-07-01 00:30:02 +05:30
|
|
|
|
2021-07-09 18:01:46 -07:00
|
|
|
retryCount := 0
|
|
|
|
|
for retryCount < 5 {
|
|
|
|
|
err := updateSourceResource(pName, rule, client, logger)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to update generate source resource labels")
|
|
|
|
|
if apierrors.IsConflict(err) {
|
|
|
|
|
retryCount++
|
|
|
|
|
} else {
|
|
|
|
|
break
|
2021-07-01 00:30:02 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return generatePolicyWithClone
|
|
|
|
|
}
|
2021-07-09 18:01:46 -07:00
|
|
|
|
|
|
|
|
func updateSourceResource(pName string, rule kyverno.Rule, client *dclient.Client, log logr.Logger) error {
|
|
|
|
|
obj, err := client.GetResource("", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
update := false
|
|
|
|
|
labels := obj.GetLabels()
|
|
|
|
|
update, labels = removePolicyFromLabels(pName, labels)
|
|
|
|
|
if update {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
obj.SetLabels(labels)
|
|
|
|
|
_, err = client.UpdateResource(obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false)
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[string]string) {
|
|
|
|
|
if len(labels) == 0 {
|
|
|
|
|
return false, labels
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if labels["generate.kyverno.io/clone-policy-name"] != "" {
|
|
|
|
|
policyNames := labels["generate.kyverno.io/clone-policy-name"]
|
|
|
|
|
if strings.Contains(policyNames, pName) {
|
|
|
|
|
updatedPolicyNames := strings.Replace(policyNames, pName, "", -1)
|
|
|
|
|
labels["generate.kyverno.io/clone-policy-name"] = updatedPolicyNames
|
|
|
|
|
return true, labels
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false, labels
|
|
|
|
|
}
|
2021-09-02 12:40:40 +05:30
|
|
|
|
|
|
|
|
func GetFormatedKind(str string) (kind string) {
|
|
|
|
|
if strings.Count(str, "/") == 0 {
|
|
|
|
|
return strings.Title(str)
|
|
|
|
|
}
|
|
|
|
|
splitString := strings.Split(str, "/")
|
|
|
|
|
if strings.Count(str, "/") == 1 {
|
|
|
|
|
return splitString[0] + "/" + strings.Title(splitString[1])
|
|
|
|
|
}
|
|
|
|
|
return splitString[0] + "/" + splitString[1] + "/" + strings.Title(splitString[2])
|
|
|
|
|
}
|
