kyverno/pkg/policystore/policystore.go

package policystore

import (
	"sync"

	"github.com/go-logr/logr"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/client-go/tools/cache"
)

type policyMap map[string]interface{}
type namespaceMap map[string]policyMap
type kindMap map[string]namespaceMap

//PolicyStore Store the meta-data information to faster lookup policies
type PolicyStore struct {
	data map[string]namespaceMap
	mu   sync.RWMutex
	// list/get cluster policy
	pLister kyvernolister.ClusterPolicyLister
	// returns true if the cluster policy store has been synced at least once
	pSynched cache.InformerSynced
	log      logr.Logger
}

//UpdateInterface provides api to update policies
type UpdateInterface interface {
	// Register a new policy
	Register(policy kyverno.ClusterPolicy)
	// Remove policy information
	UnRegister(policy kyverno.ClusterPolicy) error
}

//LookupInterface provides api to lookup policies
type LookupInterface interface {
	ListAll() ([]kyverno.ClusterPolicy, error)
}

// NewPolicyStore returns a new policy store
func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer,
	log logr.Logger) *PolicyStore {
	ps := PolicyStore{
		data:     make(kindMap),
		pLister:  pInformer.Lister(),
		pSynched: pInformer.Informer().HasSynced,
		log:      log,
	}
	return &ps
}

//Run checks syncing
func (ps *PolicyStore) Run(stopCh <-chan struct{}) {
	logger := ps.log
	if !cache.WaitForCacheSync(stopCh, ps.pSynched) {
		logger.Info("failed to sync informer cache")
	}
}

//Register a new policy
func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {
	logger := ps.log
	logger.V(4).Info("adding policy", "name", policy.Name)
	ps.mu.Lock()
	defer ps.mu.Unlock()
	var pmap policyMap
	// add an entry for each rule in policy
	for _, rule := range policy.Spec.Rules {
		//		rule.MatchResources.Kinds - List - mandatory - atleast on entry
		for _, kind := range rule.MatchResources.Kinds {
			kindMap := ps.addKind(kind)
			// namespaces
			if len(rule.MatchResources.Namespaces) == 0 {
				// all namespaces - *
				pmap = addNamespace(kindMap, "*")
			} else {
				for _, ns := range rule.MatchResources.Namespaces {
					pmap = addNamespace(kindMap, ns)
				}
			}
			// add policy to the pmap
			addPolicyElement(pmap, policy.Name)
		}
	}
}

func (ps *PolicyStore) ListAll() ([]kyverno.ClusterPolicy, error) {
	policyPointers, err := ps.pLister.List(labels.NewSelector())
	if err != nil {
		return nil, err
	}

	var policies = make([]kyverno.ClusterPolicy, 0, len(policyPointers))
	for _, policy := range policyPointers {
		policies = append(policies, *policy)
	}

	return policies, nil
}

func (ps *PolicyStore) Get(policyName string) (*kyverno.ClusterPolicy, error) {
	return ps.pLister.Get(policyName)
}

//UnRegister Remove policy information
func (ps *PolicyStore) UnRegister(policy kyverno.ClusterPolicy) error {
	ps.mu.Lock()
	defer ps.mu.Unlock()
	for _, rule := range policy.Spec.Rules {
		for _, kind := range rule.MatchResources.Kinds {
			// get kind Map
			kindMap := ps.getKind(kind)
			if kindMap == nil {
				// kind does not exist
				return nil
			}
			if len(rule.MatchResources.Namespaces) == 0 {
				namespace := "*"
				pmap := getNamespace(kindMap, namespace)
				// remove element
				delete(pmap, policy.Name)
			} else {
				for _, ns := range rule.MatchResources.Namespaces {
					pmap := getNamespace(kindMap, ns)
					// remove element
					delete(pmap, policy.Name)
				}
			}
		}
	}
	return nil
}

func (ps *PolicyStore) addKind(kind string) namespaceMap {
	val, ok := ps.data[kind]
	if ok {
		return val
	}
	ps.data[kind] = make(namespaceMap)
	return ps.data[kind]
}

func (ps *PolicyStore) getKind(kind string) namespaceMap {
	return ps.data[kind]
}

func addNamespace(kindMap map[string]policyMap, namespace string) policyMap {
	val, ok := kindMap[namespace]
	if ok {
		return val
	}
	kindMap[namespace] = make(policyMap)
	return kindMap[namespace]
}

func getNamespace(kindMap map[string]policyMap, namespace string) policyMap {
	return kindMap[namespace]
}

func addPolicyElement(pmap policyMap, name string) {
	var emptyInterface interface{}

	if _, ok := pmap[name]; !ok {
		pmap[name] = emptyInterface
	}
}
policy store test 2019-08-13 13:15:32 -07:00			`package policystore`

			`import (`
			`"sync"`

logs & access 2020-03-17 11:05:20 -07:00			`"github.com/go-logr/logr"`
update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"`
update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"`
logs & access 2020-03-17 11:05:20 -07:00			`"k8s.io/apimachinery/pkg/labels"`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`"k8s.io/client-go/tools/cache"`
policy store test 2019-08-13 13:15:32 -07:00			`)`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`type policyMap map[string]interface{}`
			`type namespaceMap map[string]policyMap`
			`type kindMap map[string]namespaceMap`
introduce policy store 2019-11-11 11:10:25 -08:00
			`//PolicyStore Store the meta-data information to faster lookup policies`
			`type PolicyStore struct {`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`data map[string]namespaceMap`
			`mu sync.RWMutex`
			`// list/get cluster policy`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`pLister kyvernolister.ClusterPolicyLister`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`// returns true if the cluster policy store has been synced at least once`
			`pSynched cache.InformerSynced`
logs & access 2020-03-17 11:05:20 -07:00			`log logr.Logger`
policy store test 2019-08-13 13:15:32 -07:00			`}`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`//UpdateInterface provides api to update policies`
			`type UpdateInterface interface {`
introduce policy store 2019-11-11 11:10:25 -08:00			`// Register a new policy`
			`Register(policy kyverno.ClusterPolicy)`
			`// Remove policy information`
			`UnRegister(policy kyverno.ClusterPolicy) error`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`}`

			`//LookupInterface provides api to lookup policies`
			`type LookupInterface interface {`
658 refactoring getall lookup name 2020-02-05 16:29:37 +05:30			`ListAll() ([]kyverno.ClusterPolicy, error)`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`

			`// NewPolicyStore returns a new policy store`
logs & access 2020-03-17 11:05:20 -07:00			`func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer,`
			`log logr.Logger) *PolicyStore {`
introduce policy store 2019-11-11 11:10:25 -08:00			`ps := PolicyStore{`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`data: make(kindMap),`
			`pLister: pInformer.Lister(),`
			`pSynched: pInformer.Informer().HasSynced,`
logs & access 2020-03-17 11:05:20 -07:00			`log: log,`
policy store test 2019-08-13 13:15:32 -07:00			`}`
introduce policy store 2019-11-11 11:10:25 -08:00			`return &ps`
			`}`
policy store test 2019-08-13 13:15:32 -07:00
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`//Run checks syncing`
			`func (ps *PolicyStore) Run(stopCh <-chan struct{}) {`
logs & access 2020-03-17 11:05:20 -07:00			`logger := ps.log`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`if !cache.WaitForCacheSync(stopCh, ps.pSynched) {`
logs & access 2020-03-17 11:05:20 -07:00			`logger.Info("failed to sync informer cache")`
wat for cache sync and cleanup 2019-11-15 15:59:37 -08:00			`}`
			`}`

introduce policy store 2019-11-11 11:10:25 -08:00			`//Register a new policy`
			`func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) {`
logs & access 2020-03-17 11:05:20 -07:00			`logger := ps.log`
			`logger.V(4).Info("adding policy", "name", policy.Name)`
introduce policy store 2019-11-11 11:10:25 -08:00			`ps.mu.Lock()`
			`defer ps.mu.Unlock()`
			`var pmap policyMap`
			`// add an entry for each rule in policy`
			`for _, rule := range policy.Spec.Rules {`
			`// rule.MatchResources.Kinds - List - mandatory - atleast on entry`
			`for _, kind := range rule.MatchResources.Kinds {`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`kindMap := ps.addKind(kind)`
introduce policy store 2019-11-11 11:10:25 -08:00			`// namespaces`
			`if len(rule.MatchResources.Namespaces) == 0 {`
			`// all namespaces - *`
			`pmap = addNamespace(kindMap, "*")`
			`} else {`
			`for _, ns := range rule.MatchResources.Namespaces {`
			`pmap = addNamespace(kindMap, ns)`
			`}`
			`}`
			`// add policy to the pmap`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`addPolicyElement(pmap, policy.Name)`
			`}`
			`}`
			`}`

658 refactoring getall lookup name 2020-02-05 16:29:37 +05:30			`func (ps *PolicyStore) ListAll() ([]kyverno.ClusterPolicy, error) {`
658 prototype changes without policy lookup update 2020-02-05 15:55:37 +05:30			`policyPointers, err := ps.pLister.List(labels.NewSelector())`
			`if err != nil {`
			`return nil, err`
			`}`

			`var policies = make([]kyverno.ClusterPolicy, 0, len(policyPointers))`
			`for _, policy := range policyPointers {`
			`policies = append(policies, *policy)`
			`}`

			`return policies, nil`
			`}`

527 untested prototype 2020-02-22 19:05:54 +05:30			`func (ps PolicyStore) Get(policyName string) (kyverno.ClusterPolicy, error) {`
			`return ps.pLister.Get(policyName)`
			`}`

introduce policy store 2019-11-11 11:10:25 -08:00			`//UnRegister Remove policy information`
			`func (ps *PolicyStore) UnRegister(policy kyverno.ClusterPolicy) error {`
			`ps.mu.Lock()`
			`defer ps.mu.Unlock()`
			`for _, rule := range policy.Spec.Rules {`
			`for _, kind := range rule.MatchResources.Kinds {`
			`// get kind Map`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`kindMap := ps.getKind(kind)`
introduce policy store 2019-11-11 11:10:25 -08:00			`if kindMap == nil {`
			`// kind does not exist`
			`return nil`
			`}`
			`if len(rule.MatchResources.Namespaces) == 0 {`
			`namespace := "*"`
			`pmap := getNamespace(kindMap, namespace)`
			`// remove element`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`delete(pmap, policy.Name)`
introduce policy store 2019-11-11 11:10:25 -08:00			`} else {`
			`for _, ns := range rule.MatchResources.Namespaces {`
			`pmap := getNamespace(kindMap, ns)`
			`// remove element`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`delete(pmap, policy.Name)`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`
			`}`
policy store test 2019-08-13 13:15:32 -07:00			`}`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`
			`return nil`
			`}`
policy store test 2019-08-13 13:15:32 -07:00
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func (ps *PolicyStore) addKind(kind string) namespaceMap {`
			`val, ok := ps.data[kind]`
introduce policy store 2019-11-11 11:10:25 -08:00			`if ok {`
			`return val`
			`}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`ps.data[kind] = make(namespaceMap)`
			`return ps.data[kind]`
policy store test 2019-08-13 13:15:32 -07:00			`}`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func (ps *PolicyStore) getKind(kind string) namespaceMap {`
			`return ps.data[kind]`
introduce policy store 2019-11-11 11:10:25 -08:00			`}`

			`func addNamespace(kindMap map[string]policyMap, namespace string) policyMap {`
			`val, ok := kindMap[namespace]`
			`if ok {`
			`return val`
			`}`
			`kindMap[namespace] = make(policyMap)`
			`return kindMap[namespace]`
			`}`

			`func getNamespace(kindMap map[string]policyMap, namespace string) policyMap {`
			`return kindMap[namespace]`
			`}`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`func addPolicyElement(pmap policyMap, name string) {`
introduce policy store 2019-11-11 11:10:25 -08:00			`var emptyInterface interface{}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00
			`if _, ok := pmap[name]; !ok {`
			`pmap[name] = emptyInterface`
policy store test 2019-08-13 13:15:32 -07:00			`}`
			`}`