kyverno/pkg/policyviolation/clusterpv.go

package policyviolation

import (
	"fmt"

	"github.com/go-logr/logr"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
	client "github.com/nirmata/kyverno/pkg/dclient"
	"github.com/nirmata/kyverno/pkg/policystatus"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

//ClusterPV ...
type clusterPV struct {
	// dynamic client
	dclient *client.Client
	// get/list cluster policy violation
	cpvLister kyvernolister.ClusterPolicyViolationLister
	// policy violation interface
	kyvernoInterface kyvernov1.KyvernoV1Interface
	// logger
	log logr.Logger
	// update policy stats with violationCount
	policyStatusListener policystatus.Listener
}

func newClusterPV(log logr.Logger, dclient *client.Client,
	cpvLister kyvernolister.ClusterPolicyViolationLister,
	kyvernoInterface kyvernov1.KyvernoV1Interface,
	policyStatus policystatus.Listener,
) *clusterPV {
	cpv := clusterPV{
		dclient:              dclient,
		cpvLister:            cpvLister,
		kyvernoInterface:     kyvernoInterface,
		log:                  log,
		policyStatusListener: policyStatus,
	}
	return &cpv
}

func (cpv *clusterPV) create(pv kyverno.PolicyViolationTemplate) error {
	newPv := kyverno.ClusterPolicyViolation(pv)
	// PV already exists
	oldPv, err := cpv.getExisting(newPv)
	if err != nil {
		return err
	}
	if oldPv == nil {
		// create a new policy violation
		return cpv.createPV(&newPv)
	}
	// policy violation exists
	// skip if there is not change, else update the violation
	return cpv.updatePV(&newPv, oldPv)
}

func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyverno.ClusterPolicyViolation, error) {
	logger := cpv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)
	var err error
	// use labels
	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
	ls, err := converLabelToSelector(policyLabelmap)
	if err != nil {
		return nil, err
	}

	pvs, err := cpv.cpvLister.List(ls)
	if err != nil {
		logger.Error(err, "failed to list cluster policy violations")
		return nil, err
	}

	for _, pv := range pvs {
		// find a policy on same resource and policy combination
		if pv.Spec.Policy == newPv.Spec.Policy &&
			pv.Spec.ResourceSpec.Kind == newPv.Spec.ResourceSpec.Kind &&
			pv.Spec.ResourceSpec.Name == newPv.Spec.ResourceSpec.Name {
			return pv, nil
		}
	}
	return nil, nil
}

func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
	var err error
	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
	logger.V(4).Info("creating new policy violation")
	obj, err := retryGetResource(cpv.dclient, newPv.Spec.ResourceSpec)
	if err != nil {
		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
	}

	if obj.GetDeletionTimestamp() != nil {
		return nil
	}

	// set owner reference to resource
	ownerRef, ok := createOwnerReference(obj)
	if !ok {
		return nil
	}

	newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})

	// create resource
	_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Create(newPv)
	if err != nil {
		logger.Error(err, "failed to create cluster policy violation")
		return err
	}

	if newPv.Annotations["fromSync"] != "true" {
		cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
	}

	logger.Info("cluster policy violation created")
	return nil
}

func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) error {
	logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)
	var err error
	// check if there is any update
	if !hasViolationSpecChanged(newPv.Spec.DeepCopy(), oldPv.Spec.DeepCopy()) {
		logger.V(4).Info("policy violation spec did not change, not upadating the resource")
		return nil
	}
	// set name
	newPv.SetName(oldPv.Name)
	newPv.SetResourceVersion(oldPv.ResourceVersion)
	newPv.SetOwnerReferences(oldPv.GetOwnerReferences())

	// update resource
	_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Update(newPv)
	if err != nil {
		return fmt.Errorf("failed to update cluster policy violation: %v", err)
	}
	logger.Info("cluster policy violation updated")

	if newPv.Annotations["fromSync"] != "true" {
		cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})
	}
	return nil
}
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`package policyviolation`

			`import (`
			`"fmt"`

refactor logging 2020-03-17 16:25:34 -07:00			`"github.com/go-logr/logr"`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
			`kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"`
			`kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"`
			`client "github.com/nirmata/kyverno/pkg/dclient"`
527 renamed package and send listner instead of entire sync object 2020-03-07 12:53:37 +05:30			`"github.com/nirmata/kyverno/pkg/policystatus"`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`)`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`//ClusterPV ...`
			`type clusterPV struct {`
			`// dynamic client`
			`dclient *client.Client`
			`// get/list cluster policy violation`
			`cpvLister kyvernolister.ClusterPolicyViolationLister`
			`// policy violation interface`
			`kyvernoInterface kyvernov1.KyvernoV1Interface`
refactor logging 2020-03-17 16:25:34 -07:00			`// logger`
			`log logr.Logger`
527 prototype changes to handle generate stats - also changes made to handle stats such as violation count and generated resources count - currently untested 2020-02-24 20:12:39 +05:30			`// update policy stats with violationCount`
527 renamed package and send listner instead of entire sync object 2020-03-07 12:53:37 +05:30			`policyStatusListener policystatus.Listener`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`

refactor logging 2020-03-17 16:25:34 -07:00			`func newClusterPV(log logr.Logger, dclient *client.Client,`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`cpvLister kyvernolister.ClusterPolicyViolationLister,`
			`kyvernoInterface kyvernov1.KyvernoV1Interface,`
527 renamed package and send listner instead of entire sync object 2020-03-07 12:53:37 +05:30			`policyStatus policystatus.Listener,`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`) *clusterPV {`
			`cpv := clusterPV{`
527 renamed package and send listner instead of entire sync object 2020-03-07 12:53:37 +05:30			`dclient: dclient,`
			`cpvLister: cpvLister,`
			`kyvernoInterface: kyvernoInterface,`
Merge branch 'master' into access_check 2020-03-17 17:23:18 -07:00			`log: log,`
527 renamed package and send listner instead of entire sync object 2020-03-07 12:53:37 +05:30			`policyStatusListener: policyStatus,`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return &cpv`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00
add missing files 2019-12-12 16:35:37 -08:00			`func (cpv *clusterPV) create(pv kyverno.PolicyViolationTemplate) error {`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`newPv := kyverno.ClusterPolicyViolation(pv)`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`// PV already exists`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`oldPv, err := cpv.getExisting(newPv)`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`if err != nil {`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return err`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`if oldPv == nil {`
			`// create a new policy violation`
			`return cpv.createPV(&newPv)`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// policy violation exists`
			`// skip if there is not change, else update the violation`
			`return cpv.updatePV(&newPv, oldPv)`
			`}`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`func (cpv clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (kyverno.ClusterPolicyViolation, error) {`
refactor logging 2020-03-17 16:25:34 -07:00			`logger := cpv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name)`
CR fixes 2019-12-11 11:15:13 -08:00			`var err error`
			`// use labels`
			`policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}`
			`ls, err := converLabelToSelector(policyLabelmap)`
			`if err != nil {`
			`return nil, err`
			`}`

			`pvs, err := cpv.cpvLister.List(ls)`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`if err != nil {`
refactor logging 2020-03-17 16:25:34 -07:00			`logger.Error(err, "failed to list cluster policy violations")`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return nil, err`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`for _, pv := range pvs {`
			`// find a policy on same resource and policy combination`
			`if pv.Spec.Policy == newPv.Spec.Policy &&`
			`pv.Spec.ResourceSpec.Kind == newPv.Spec.ResourceSpec.Kind &&`
			`pv.Spec.ResourceSpec.Name == newPv.Spec.ResourceSpec.Name {`
			`return pv, nil`
			`}`
			`}`
			`return nil, nil`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`func (cpv clusterPV) createPV(newPv kyverno.ClusterPolicyViolation) error {`
			`var err error`
refactor logging 2020-03-17 16:25:34 -07:00			`logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)`
			`logger.V(4).Info("creating new policy violation")`
cleanup resource & policy 2019-12-02 17:15:47 -08:00			`obj, err := retryGetResource(cpv.dclient, newPv.Spec.ResourceSpec)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`if err != nil {`
			`return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
- fix violations re-create on the same resource - skip background processing if a resource is to be deleted 2020-05-26 13:56:07 -07:00
			`if obj.GetDeletionTimestamp() != nil {`
			`return nil`
			`}`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// set owner reference to resource`
- fix violations re-create on the same resource - skip background processing if a resource is to be deleted 2020-05-26 13:56:07 -07:00			`ownerRef, ok := createOwnerReference(obj)`
			`if !ok {`
			`return nil`
			`}`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// create resource`
			`_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Create(newPv)`
			`if err != nil {`
refactor logging 2020-03-17 16:25:34 -07:00			`logger.Error(err, "failed to create cluster policy violation")`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return err`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
527 prototype changes to handle generate stats - also changes made to handle stats such as violation count and generated resources count - currently untested 2020-02-24 20:12:39 +05:30
527 skippings stats for sync pv 2020-02-26 00:26:09 +05:30			`if newPv.Annotations["fromSync"] != "true" {`
527 renamed package and send listner instead of entire sync object 2020-03-07 12:53:37 +05:30			`cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})`
527 skippings stats for sync pv 2020-02-26 00:26:09 +05:30			`}`

refactor logging 2020-03-17 16:25:34 -07:00			`logger.Info("cluster policy violation created")`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return nil`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`func (cpv clusterPV) updatePV(newPv, oldPv kyverno.ClusterPolicyViolation) error {`
refactor logging 2020-03-17 16:25:34 -07:00			`logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`var err error`
			`// check if there is any update`
fix violation updates when there's no change 2020-06-01 19:37:48 -07:00			`if !hasViolationSpecChanged(newPv.Spec.DeepCopy(), oldPv.Spec.DeepCopy()) {`
refactor logging 2020-03-17 16:25:34 -07:00			`logger.V(4).Info("policy violation spec did not change, not upadating the resource")`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return nil`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// set name`
			`newPv.SetName(oldPv.Name)`
CR fixes 2019-12-11 11:15:13 -08:00			`newPv.SetResourceVersion(oldPv.ResourceVersion)`
set ownerReference in pv update 2020-05-26 17:18:42 -07:00			`newPv.SetOwnerReferences(oldPv.GetOwnerReferences())`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// update resource`
			`_, err = cpv.kyvernoInterface.ClusterPolicyViolations().Update(newPv)`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`if err != nil {`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return fmt.Errorf("failed to update cluster policy violation: %v", err)`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`
set ownerReference in pv update 2020-05-26 17:18:42 -07:00			`logger.Info("cluster policy violation updated")`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00
527 skippings stats for sync pv 2020-02-26 00:26:09 +05:30			`if newPv.Annotations["fromSync"] != "true" {`
527 renamed package and send listner instead of entire sync object 2020-03-07 12:53:37 +05:30			`cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules})`
527 skippings stats for sync pv 2020-02-26 00:26:09 +05:30			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return nil`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`