kyverno/pkg/webhooks/mutation.go

package webhooks

import (
	"github.com/golang/glog"
	"github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
	engine "github.com/nirmata/kyverno/pkg/engine"
	policyctr "github.com/nirmata/kyverno/pkg/policy"
	"github.com/nirmata/kyverno/pkg/utils"
	v1beta1 "k8s.io/api/admission/v1beta1"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

// HandleMutation handles mutating webhook admission request
func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest,
	policies []*v1alpha1.ClusterPolicy, roles, clusterRoles []string) (bool, []byte, string) {
	glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)

	var patches [][]byte
	var policyStats []policyctr.PolicyStat

	// gather stats from the engine response
	gatherStat := func(policyName string, policyResponse engine.PolicyResponse) {
		ps := policyctr.PolicyStat{}
		ps.PolicyName = policyName
		ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
		ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
		// capture rule level stats
		for _, rule := range policyResponse.Rules {
			rs := policyctr.RuleStatinfo{}
			rs.RuleName = rule.Name
			rs.ExecutionTime = rule.RuleStats.ProcessingTime
			if rule.Success {
				rs.RuleAppliedCount++
			} else {
				rs.RulesFailedCount++
			}
			if rule.Patches != nil {
				rs.MutationCount++
			}
			ps.Stats.Rules = append(ps.Stats.Rules, rs)
		}
		policyStats = append(policyStats, ps)
	}
	// send stats for aggregation
	sendStat := func(blocked bool) {
		for _, stat := range policyStats {
			stat.Stats.ResourceBlocked = utils.Btoi(blocked)
			//SEND
			ws.policyStatus.SendStat(stat)
		}
	}
	// convert RAW to unstructured
	resource, err := engine.ConvertToUnstructured(request.Object.Raw)
	if err != nil {
		//TODO: skip applying the amiddions control ?
		glog.Errorf("unable to convert raw resource to unstructured: %v", err)
		return true, nil, ""
	}

	//TODO: check if resource gvk is available in raw resource,
	//TODO: check if the name and namespace is also passed right in the resource?
	// if not then set it from the api request
	resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})

	var engineResponses []engine.EngineResponse
	policyContext := engine.PolicyContext{
		Resource: *resource,
		AdmissionInfo: engine.RequestInfo{
			Roles:             roles,
			ClusterRoles:      clusterRoles,
			AdmissionUserInfo: request.UserInfo},
	}

	for _, policy := range policies {
		policyContext.Policy = *policy
		// check if policy has a rule for the admission request kind
		if !utils.ContainsString(getApplicableKindsForPolicy(policy), request.Kind.Kind) {
			continue
		}

		glog.V(2).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
			resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
		// TODO: this can be
		engineResponse := engine.Mutate(policyContext)
		engineResponses = append(engineResponses, engineResponse)
		// Gather policy application statistics
		gatherStat(policy.Name, engineResponse.PolicyResponse)
		if !engineResponse.IsSuccesful() {
			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
			continue
		}
		// gather patches
		patches = append(patches, engineResponse.GetPatches()...)

		glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())
		//TODO: check if there is an order to policy application on resource
		// resource = &engineResponse.PatchedResource
	}

	// generate annotations
	if annPatches := generateAnnotationPatches(engineResponses); annPatches != nil {
		patches = append(patches, annPatches)
	}

	// ADD EVENTS
	events := generateEvents(engineResponses, (request.Operation == v1beta1.Update))
	ws.eventGen.Add(events...)

	if isResponseSuccesful(engineResponses) {
		sendStat(false)
		patch := engine.JoinPatches(patches)
		return true, patch, ""
	}

	sendStat(true)
	glog.Errorf("Failed to mutate the resource\n")
	return false, nil, getErrorMsg(engineResponses)
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
			`"github.com/golang/glog"`
Get policy list once in handleAdmissionRequest 2019-11-07 12:13:16 -08:00			`"github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`engine "github.com/nirmata/kyverno/pkg/engine"`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`policyctr "github.com/nirmata/kyverno/pkg/policy"`
resource description: support list of namespaces 2019-08-17 09:45:57 -07:00			`"github.com/nirmata/kyverno/pkg/utils"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`v1beta1 "k8s.io/api/admission/v1beta1"`
clean up mutation 2019-08-09 12:59:37 -07:00			`"k8s.io/apimachinery/pkg/runtime/schema"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`)`

			`// HandleMutation handles mutating webhook admission request`
change engine interface to take policyContext struct 2019-11-08 18:57:27 -08:00			`func (ws WebhookServer) HandleMutation(request v1beta1.AdmissionRequest,`
			`policies []*v1alpha1.ClusterPolicy, roles, clusterRoles []string) (bool, []byte, string) {`
initial redesign 2019-08-23 18:34:23 -07:00			`glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
			`request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)`

clean up mutation 2019-08-09 12:59:37 -07:00			`var patches [][]byte`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`var policyStats []policyctr.PolicyStat`
initial redesign 2019-08-23 18:34:23 -07:00
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`// gather stats from the engine response`
initial redesign 2019-08-23 18:34:23 -07:00			`gatherStat := func(policyName string, policyResponse engine.PolicyResponse) {`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`ps := policyctr.PolicyStat{}`
			`ps.PolicyName = policyName`
initial redesign 2019-08-23 18:34:23 -07:00			`ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime`
			`ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount`
aggregate rule status 2019-09-03 17:43:36 -07:00			`// capture rule level stats`
			`for _, rule := range policyResponse.Rules {`
			`rs := policyctr.RuleStatinfo{}`
			`rs.RuleName = rule.Name`
			`rs.ExecutionTime = rule.RuleStats.ProcessingTime`
			`if rule.Success {`
			`rs.RuleAppliedCount++`
			`} else {`
			`rs.RulesFailedCount++`
			`}`
rule to show violation count 2019-09-03 18:31:57 -07:00			`if rule.Patches != nil {`
			`rs.MutationCount++`
			`}`
aggregate rule status 2019-09-03 17:43:36 -07:00			`ps.Stats.Rules = append(ps.Stats.Rules, rs)`
			`}`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`policyStats = append(policyStats, ps)`
			`}`
			`// send stats for aggregation`
			`sendStat := func(blocked bool) {`
			`for _, stat := range policyStats {`
update policy status 2019-08-20 16:40:20 -07:00			`stat.Stats.ResourceBlocked = utils.Btoi(blocked)`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`//SEND`
			`ws.policyStatus.SendStat(stat)`
			`}`
			`}`
initial redesign 2019-08-23 18:34:23 -07:00			`// convert RAW to unstructured`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`resource, err := engine.ConvertToUnstructured(request.Object.Raw)`
clean up mutation 2019-08-09 12:59:37 -07:00			`if err != nil {`
initial redesign 2019-08-23 18:34:23 -07:00			`//TODO: skip applying the amiddions control ?`
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.Errorf("unable to convert raw resource to unstructured: %v", err)`
initial redesign 2019-08-23 18:34:23 -07:00			`return true, nil, ""`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`}`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
clean up mutation 2019-08-09 12:59:37 -07:00			`//TODO: check if resource gvk is available in raw resource,`
initial redesign 2019-08-23 18:34:23 -07:00			`//TODO: check if the name and namespace is also passed right in the resource?`
clean up mutation 2019-08-09 12:59:37 -07:00			`// if not then set it from the api request`
			`resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
update engineResponse Name 2019-10-08 10:57:24 -07:00			`var engineResponses []engine.EngineResponse`
change engine interface to take policyContext struct 2019-11-08 18:57:27 -08:00			`policyContext := engine.PolicyContext{`
			`Resource: *resource,`
			`AdmissionInfo: engine.RequestInfo{`
			`Roles: roles,`
			`ClusterRoles: clusterRoles,`
			`AdmissionUserInfo: request.UserInfo},`
			`}`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
change engine interface to take policyContext struct 2019-11-08 18:57:27 -08:00			`for _, policy := range policies {`
			`policyContext.Policy = *policy`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// check if policy has a rule for the admission request kind`
support wild cards for namespaces in rule resource description 2019-09-12 17:11:55 -07:00			`if !utils.ContainsString(getApplicableKindsForPolicy(policy), request.Kind.Kind) {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`continue`
			`}`

cleanup pv with dependant when blocked admission request pass 2019-10-23 23:18:58 -07:00			`glog.V(2).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
clean up mutation 2019-08-09 12:59:37 -07:00			`resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)`
initial redesign 2019-08-23 18:34:23 -07:00			`// TODO: this can be`
change engine interface to take policyContext struct 2019-11-08 18:57:27 -08:00			`engineResponse := engine.Mutate(policyContext)`
initial redesign 2019-08-23 18:34:23 -07:00			`engineResponses = append(engineResponses, engineResponse)`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`// Gather policy application statistics`
initial redesign 2019-08-23 18:34:23 -07:00			`gatherStat(policy.Name, engineResponse.PolicyResponse)`
			`if !engineResponse.IsSuccesful() {`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())`
clean up mutation 2019-08-09 12:59:37 -07:00			`continue`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
initial redesign 2019-08-23 18:34:23 -07:00			`// gather patches`
fix patches 2019-08-26 16:10:19 -07:00			`patches = append(patches, engineResponse.GetPatches()...)`
fix 365 annotation_bug 2019-10-07 18:31:14 -07:00
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())`
initial redesign 2019-08-23 18:34:23 -07:00			`//TODO: check if there is an order to policy application on resource`
			`// resource = &engineResponse.PatchedResource`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`

fix 365 annotation_bug 2019-10-07 18:31:14 -07:00			`// generate annotations`
fix patches annotation 2019-11-11 18:52:26 -08:00			`if annPatches := generateAnnotationPatches(engineResponses); annPatches != nil {`
fix 365 annotation_bug 2019-10-07 18:31:14 -07:00			`patches = append(patches, annPatches)`
			`}`

clean up mutation 2019-08-09 12:59:37 -07:00			`// ADD EVENTS`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`events := generateEvents(engineResponses, (request.Operation == v1beta1.Update))`
			`ws.eventGen.Add(events...)`

initial redesign 2019-08-23 18:34:23 -07:00			`if isResponseSuccesful(engineResponses) {`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`sendStat(false)`
initial redesign 2019-08-23 18:34:23 -07:00			`patch := engine.JoinPatches(patches)`
			`return true, patch, ""`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`sendStat(true)`
initial redesign 2019-08-23 18:34:23 -07:00			`glog.Errorf("Failed to mutate the resource\n")`
			`return false, nil, getErrorMsg(engineResponses)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`