kyverno/webhooks/admission.go

package webhooks

import (
	"encoding/json"

	types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
	"k8s.io/api/admission/v1beta1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
)

var supportedKinds = [...]string{
	"ConfigMap",
	"CronJob",
	"DaemonSet",
	"Deployment",
	"Endpoint",
	"HorizontalPodAutoscaler",
	"Ingress",
	"Job",
	"LimitRange",
	"Namespace",
	"NetworkPolicy",
	"PersistentVolumeClaim",
	"PodDisruptionBudget",
	"PodTemplate",
	"ResourceQuota",
	"Secret",
	"Service",
	"StatefulSet",
}

func kindIsSupported(kind string) bool {
	for _, k := range supportedKinds {
		if k == kind {
			return true
		}
	}
	return false
}

// AdmissionIsRequired checks for admission if kind is supported
func AdmissionIsRequired(request *v1beta1.AdmissionRequest) bool {
	// Here you can make additional hardcoded checks
	return kindIsSupported(request.Kind.Kind)
}

// IsRuleApplicableToRequest checks requests kind, name and labels to fit the policy
func IsRuleApplicableToRequest(policyResource types.PolicyResource, request *v1beta1.AdmissionRequest) bool {
	if policyResource.Selector == nil && policyResource.Name == nil {
		// TBD: selector or name MUST be specified
		return false
	}

	if policyResource.Kind != request.Kind.Kind {
		return false
	}

	if request.Object.Raw != nil {
		meta := parseMetadataFromObject(request.Object.Raw)
		name := parseNameFromMetadata(meta)

		if policyResource.Name != nil && *policyResource.Name != name {
			return false
		}

		if policyResource.Selector != nil {
			selector, err := metav1.LabelSelectorAsSelector(policyResource.Selector)

			if err != nil {
				// TODO: log that selector is invalid
				return false
			}

			labelMap := parseLabelsFromMetadata(meta)

			if !selector.Matches(labelMap) {
				return false
			}
		}
	}

	return true
}

func parseMetadataFromObject(bytes []byte) map[string]interface{} {
	var objectJSON map[string]interface{}
	json.Unmarshal(bytes, &objectJSON)

	return objectJSON["metadata"].(map[string]interface{})
}

func parseLabelsFromMetadata(meta map[string]interface{}) labels.Set {
	if interfaceMap, ok := meta["labels"].(map[string]interface{}); ok {
		labelMap := make(labels.Set, len(interfaceMap))

		for key, value := range interfaceMap {
			labelMap[key] = value.(string)
		}
		return labelMap
	}
	return nil
}

func parseNameFromMetadata(meta map[string]interface{}) string {
	if name, ok := meta["name"].(string); ok {
		return name
	}
	return ""
}
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00			`package webhooks`

NK-10: Refactored policy types, used patch operation struct from there instead of internal struct. Implemented checking of incoming request to correspond the policy rule, added tests. Implemented generation of JSON patches according to patches in policy object, added tests. Implemented base version of Mutate function as a wrapper for all mutation functions. 2019-02-22 18:12:14 +02:00			`import (`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`"encoding/json"`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"`
			`"k8s.io/api/admission/v1beta1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/labels"`
NK-10: Refactored policy types, used patch operation struct from there instead of internal struct. Implemented checking of incoming request to correspond the policy rule, added tests. Implemented generation of JSON patches according to patches in policy object, added tests. Implemented base version of Mutate function as a wrapper for all mutation functions. 2019-02-22 18:12:14 +02:00			`)`
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00
			`var supportedKinds = [...]string{`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`"ConfigMap",`
			`"CronJob",`
			`"DaemonSet",`
			`"Deployment",`
			`"Endpoint",`
			`"HorizontalPodAutoscaler",`
			`"Ingress",`
			`"Job",`
			`"LimitRange",`
			`"Namespace",`
			`"NetworkPolicy",`
			`"PersistentVolumeClaim",`
			`"PodDisruptionBudget",`
			`"PodTemplate",`
			`"ResourceQuota",`
			`"Secret",`
			`"Service",`
			`"StatefulSet",`
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00			`}`

			`func kindIsSupported(kind string) bool {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`for _, k := range supportedKinds {`
			`if k == kind {`
			`return true`
			`}`
			`}`
			`return false`
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00			`}`

NK-21: Added checking request by selector. Added tests for this logic. Added test policy file for selectors. 2019-02-26 20:05:07 +02:00			`// AdmissionIsRequired checks for admission if kind is supported`
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00			`func AdmissionIsRequired(request *v1beta1.AdmissionRequest) bool {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`// Here you can make additional hardcoded checks`
			`return kindIsSupported(request.Kind.Kind)`
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00			`}`
NK-10: Refactored policy types, used patch operation struct from there instead of internal struct. Implemented checking of incoming request to correspond the policy rule, added tests. Implemented generation of JSON patches according to patches in policy object, added tests. Implemented base version of Mutate function as a wrapper for all mutation functions. 2019-02-22 18:12:14 +02:00
NK-21: Added checking request by selector. Added tests for this logic. Added test policy file for selectors. 2019-02-26 20:05:07 +02:00			`// IsRuleApplicableToRequest checks requests kind, name and labels to fit the policy`
			`func IsRuleApplicableToRequest(policyResource types.PolicyResource, request *v1beta1.AdmissionRequest) bool {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if policyResource.Selector == nil && policyResource.Name == nil {`
			`// TBD: selector or name MUST be specified`
			`return false`
			`}`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if policyResource.Kind != request.Kind.Kind {`
			`return false`
			`}`
NK-21: Added checking request by selector. Added tests for this logic. Added test policy file for selectors. 2019-02-26 20:05:07 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if request.Object.Raw != nil {`
			`meta := parseMetadataFromObject(request.Object.Raw)`
			`name := parseNameFromMetadata(meta)`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if policyResource.Name != nil && *policyResource.Name != name {`
			`return false`
			`}`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if policyResource.Selector != nil {`
			`selector, err := metav1.LabelSelectorAsSelector(policyResource.Selector)`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if err != nil {`
			`// TODO: log that selector is invalid`
			`return false`
			`}`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`labelMap := parseLabelsFromMetadata(meta)`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if !selector.Matches(labelMap) {`
			`return false`
			`}`
			`}`
			`}`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`return true`
NK-10: Refactored policy types, used patch operation struct from there instead of internal struct. Implemented checking of incoming request to correspond the policy rule, added tests. Implemented generation of JSON patches according to patches in policy object, added tests. Implemented base version of Mutate function as a wrapper for all mutation functions. 2019-02-22 18:12:14 +02:00			`}`
NK-21: Added checking request by selector. Added tests for this logic. Added test policy file for selectors. 2019-02-26 20:05:07 +02:00
			`func parseMetadataFromObject(bytes []byte) map[string]interface{} {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`var objectJSON map[string]interface{}`
			`json.Unmarshal(bytes, &objectJSON)`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`return objectJSON["metadata"].(map[string]interface{})`
NK-21: Added checking request by selector. Added tests for this logic. Added test policy file for selectors. 2019-02-26 20:05:07 +02:00			`}`

			`func parseLabelsFromMetadata(meta map[string]interface{}) labels.Set {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if interfaceMap, ok := meta["labels"].(map[string]interface{}); ok {`
			`labelMap := make(labels.Set, len(interfaceMap))`

			`for key, value := range interfaceMap {`
			`labelMap[key] = value.(string)`
			`}`
			`return labelMap`
			`}`
			`return nil`
NK-21: Added checking request by selector. Added tests for this logic. Added test policy file for selectors. 2019-02-26 20:05:07 +02:00			`}`

			`func parseNameFromMetadata(meta map[string]interface{}) string {`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if name, ok := meta["name"].(string); ok {`
			`return name`
			`}`
			`return ""`
NK-22: Fixed build error with Selector pointer. Added comments. Changed tab to 4 spaces identation. Added unit tests for LabelSelector. 2019-03-01 14:16:20 +02:00			`}`