kyverno/pkg/policy/existing.go

package policy

import (
	"sync"
	"time"

	"github.com/go-logr/logr"
	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
	"github.com/kyverno/kyverno/pkg/engine"
	"github.com/kyverno/kyverno/pkg/engine/response"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPolicy) []response.EngineResponse {
	logger := pc.log.WithValues("policy", policy.Name)
	// Parse through all the resources
	// drops the cache after configured rebuild time
	pc.rm.Drop()
	var engineResponses []response.EngineResponse
	// get resource that are satisfy the resource description defined in the rules
	resourceMap := pc.listResources(policy)
	for _, resource := range resourceMap {
		// pre-processing, check if the policy and resource version has been processed before
		if !pc.rm.ProcessResource(policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) {
			logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.ResourceVersion, "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())
			continue
		}

		// apply the policy on each
		engineResponse := applyPolicy(*policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.resCache)
		// get engine response for mutation & validation independently
		engineResponses = append(engineResponses, engineResponse...)
		// post-processing, register the resource as processed
		pc.rm.RegisterResource(policy.GetName(), policy.GetResourceVersion(), resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())
	}
	return engineResponses
}

func (pc *PolicyController) listResources(policy *kyverno.ClusterPolicy) map[string]unstructured.Unstructured {
	pc.log.V(4).Info("list resources to be processed")

	// key uid
	resourceMap := map[string]unstructured.Unstructured{}

	for _, rule := range policy.Spec.Rules {
		for _, k := range rule.MatchResources.Kinds {

			resourceSchema, _, err := pc.client.DiscoveryClient.FindResource("", k)
			if err != nil {
				pc.log.Error(err, "failed to find resource", "kind", k)
				continue
			}

			if !resourceSchema.Namespaced {
				rMap := GetResourcesPerNamespace(k, pc.client, "", rule, pc.configHandler, pc.log)
				MergeResources(resourceMap, rMap)
			} else {
				namespaces := GetNamespacesForRule(&rule, pc.nsLister, pc.log)
				for _, ns := range namespaces {
					rMap := GetResourcesPerNamespace(k, pc.client, ns, rule, pc.configHandler, pc.log)
					MergeResources(resourceMap, rMap)
				}
			}
		}
	}

	return excludeAutoGenResources(*policy, resourceMap, pc.log)
}

// excludeAutoGenResources filter out the pods / jobs with ownerReference
func excludeAutoGenResources(policy kyverno.ClusterPolicy, resourceMap map[string]unstructured.Unstructured, log logr.Logger) map[string]unstructured.Unstructured {
	for uid, r := range resourceMap {
		if engine.SkipPolicyApplication(policy, r) {
			log.V(4).Info("exclude resource", "namespace", r.GetNamespace(), "kind", r.GetKind(), "name", r.GetName())
			delete(resourceMap, uid)
		}
	}

	return resourceMap
}

//Condition defines condition type
type Condition int

const (
	//NotEvaluate to not evaluate condition
	NotEvaluate Condition = 0
	// Process to evaluate condition
	Process Condition = 1
	// Skip to ignore/skip the condition
	Skip Condition = 2
)

// merge b into a map
func mergeResources(a, b map[string]unstructured.Unstructured) {
	for k, v := range b {
		a[k] = v
	}
}

//NewResourceManager returns a new ResourceManager
func NewResourceManager(rebuildTime int64) *ResourceManager {
	rm := ResourceManager{
		data:        make(map[string]interface{}),
		time:        time.Now(),
		rebuildTime: rebuildTime,
	}
	// set time it was built
	return &rm
}

// ResourceManager stores the details on already processed resources for caching
type ResourceManager struct {
	// we drop and re-build the cache
	// based on the memory consumer of by the map
	data        map[string]interface{}
	mux         sync.RWMutex
	time        time.Time
	rebuildTime int64 // after how many seconds should we rebuild the cache
}

type resourceManager interface {
	ProcessResource(policy, pv, kind, ns, name, rv string) bool
	//TODO	removeResource(kind, ns, name string) error
	RegisterResource(policy, pv, kind, ns, name, rv string)
	// reload
	Drop()
}

//Drop drop the cache after every rebuild interval mins
//TODO: or drop based on the size
func (rm *ResourceManager) Drop() {
	timeSince := time.Since(rm.time)
	if timeSince > time.Duration(rm.rebuildTime)*time.Second {
		rm.mux.Lock()
		defer rm.mux.Unlock()
		rm.data = map[string]interface{}{}
		rm.time = time.Now()
	}
}

var empty struct{}

//RegisterResource stores if the policy is processed on this resource version
func (rm *ResourceManager) RegisterResource(policy, pv, kind, ns, name, rv string) {
	rm.mux.Lock()
	defer rm.mux.Unlock()
	// add the resource
	key := buildKey(policy, pv, kind, ns, name, rv)
	rm.data[key] = empty
}

//ProcessResource returns true if the policy was not applied on the resource
func (rm *ResourceManager) ProcessResource(policy, pv, kind, ns, name, rv string) bool {
	rm.mux.RLock()
	defer rm.mux.RUnlock()

	key := buildKey(policy, pv, kind, ns, name, rv)
	_, ok := rm.data[key]
	return !ok
}

func buildKey(policy, pv, kind, ns, name, rv string) string {
	return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv
}
existing resource processing v1 2019-08-13 09:37:02 -07:00			`package policy`

			`import (`
			`"sync"`
			`"time"`

logs & access 2020-03-17 11:05:20 -07:00			`"github.com/go-logr/logr"`
update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00			`kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"`
			`"github.com/kyverno/kyverno/pkg/engine"`
			`"github.com/kyverno/kyverno/pkg/engine/response"`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
			`)`

skip generate violation on pre-exist pod (#952) 2020-06-25 09:52:54 -07:00			`func (pc PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []response.EngineResponse {`
logs & access 2020-03-17 11:05:20 -07:00			`logger := pc.log.WithValues("policy", policy.Name)`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`// Parse through all the resources`
			`// drops the cache after configured rebuild time`
			`pc.rm.Drop()`
refactor engine packages for validate & generate 2019-12-12 15:02:59 -08:00			`var engineResponses []response.EngineResponse`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`// get resource that are satisfy the resource description defined in the rules`
Bugfix/659 support wildcards for namespaces (#871) * - support wildcards for namespaces * do not annotate resource, unless policy is an autogen policy * close HTTP body * improve messages * remove policy store Policy store was not fully implemented and simply provided a way to list all polices and get a policy by name, which can be done via standard client-go interfaces. We need to revisit and design a better PolicyStore that provides fast lookups for matching policies based on names, namespaces, etc. * handle wildcard namespaces in background processing * fix unit tests 1) remove platform dependent path usage 2) remove policy store * add test case for mutate with wildcard namespaces 2020-05-26 10:36:56 -07:00			`resourceMap := pc.listResources(policy)`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`for _, resource := range resourceMap {`
			`// pre-processing, check if the policy and resource version has been processed before`
			`if !pc.rm.ProcessResource(policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) {`
logs & access 2020-03-17 11:05:20 -07:00			`logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.ResourceVersion, "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`continue`
			`}`
skip process existing pod if annotation present 2019-12-26 18:41:14 -08:00
existing resource processing v1 2019-08-13 09:37:02 -07:00			`// apply the policy on each`
Feature/configmaps var 724 (#1118) * added configmap data substitution for foreground mutate and validate * added configmap data substitution for foreground mutate and validate fmt * added configmap lookup for background * added comments to resource cache * added configmap data lookup in preConditions * added parse strings in In operator and configmap lookup docs * added configmap lookup docs * modified configmap lookup docs 2020-09-23 02:41:49 +05:30			`engineResponse := applyPolicy(*policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.resCache)`
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`// get engine response for mutation & validation independently`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`engineResponses = append(engineResponses, engineResponse...)`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`// post-processing, register the resource as processed`
			`pc.rm.RegisterResource(policy.GetName(), policy.GetResourceVersion(), resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion())`
			`}`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`return engineResponses`
add process existing for mutation & validation + come cleanup 2019-08-13 11:32:12 -07:00			`}`

skip generate violation on pre-exist pod (#952) 2020-06-25 09:52:54 -07:00			`func (pc PolicyController) listResources(policy kyverno.ClusterPolicy) map[string]unstructured.Unstructured {`
			`pc.log.V(4).Info("list resources to be processed")`

existing resource processing v1 2019-08-13 09:37:02 -07:00			`// key uid`
			`resourceMap := map[string]unstructured.Unstructured{}`

			`for _, rule := range policy.Spec.Rules {`
			`for _, k := range rule.MatchResources.Kinds {`
remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00
Feature/api version 852 (#1028) * apiVersion support for generate * added apiVersion to crds 2020-08-07 09:47:33 +05:30			`resourceSchema, _, err := pc.client.DiscoveryClient.FindResource("", k)`
remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00			`if err != nil {`
Bugfix/659 support wildcards for namespaces (#871) * - support wildcards for namespaces * do not annotate resource, unless policy is an autogen policy * close HTTP body * improve messages * remove policy store Policy store was not fully implemented and simply provided a way to list all polices and get a policy by name, which can be done via standard client-go interfaces. We need to revisit and design a better PolicyStore that provides fast lookups for matching policies based on names, namespaces, etc. * handle wildcard namespaces in background processing * fix unit tests 1) remove platform dependent path usage 2) remove policy store * add test case for mutate with wildcard namespaces 2020-05-26 10:36:56 -07:00			`pc.log.Error(err, "failed to find resource", "kind", k)`
remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00			`continue`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`}`

remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00			`if !resourceSchema.Namespaced {`
common function added 2020-08-28 16:41:16 +05:30			`rMap := GetResourcesPerNamespace(k, pc.client, "", rule, pc.configHandler, pc.log)`
			`MergeResources(resourceMap, rMap)`
remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00			`} else {`
common function added 2020-08-28 16:41:16 +05:30			`namespaces := GetNamespacesForRule(&rule, pc.nsLister, pc.log)`
remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00			`for _, ns := range namespaces {`
common function added 2020-08-28 16:41:16 +05:30			`rMap := GetResourcesPerNamespace(k, pc.client, ns, rule, pc.configHandler, pc.log)`
			`MergeResources(resourceMap, rMap)`
remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00			`}`
			`}`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`}`
			`}`
remove unnecessary comments and reduce cache resync intervals 2020-05-17 09:51:18 -07:00
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`return excludeAutoGenResources(*policy, resourceMap, pc.log)`
skip generate violation on pre-exist pod (#952) 2020-06-25 09:52:54 -07:00			`}`

810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`// excludeAutoGenResources filter out the pods / jobs with ownerReference`
			`func excludeAutoGenResources(policy kyverno.ClusterPolicy, resourceMap map[string]unstructured.Unstructured, log logr.Logger) map[string]unstructured.Unstructured {`
skip generate violation on pre-exist pod (#952) 2020-06-25 09:52:54 -07:00			`for uid, r := range resourceMap {`
810 support cronJob for auto-gen (#1089) * add watch policy to clusterrole kyverno:customresources * - improve auto-gen policy application logic - remove unused code * move method to common util * auto-gen rule for cronJob * update doc * set CronJob as default auto-gen pod controller * - update doc; - fix test * remove unused code 2020-09-01 09:11:20 -07:00			`if engine.SkipPolicyApplication(policy, r) {`
			`log.V(4).Info("exclude resource", "namespace", r.GetNamespace(), "kind", r.GetKind(), "name", r.GetName())`
skip generate violation on pre-exist pod (#952) 2020-06-25 09:52:54 -07:00			`delete(resourceMap, uid)`
			`}`
			`}`

existing resource processing v1 2019-08-13 09:37:02 -07:00			`return resourceMap`
			`}`

linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`//Condition defines condition type`
check the exclude conditions with AND 2019-09-03 19:31:42 -07:00			`type Condition int`

			`const (`
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`//NotEvaluate to not evaluate condition`
check the exclude conditions with AND 2019-09-03 19:31:42 -07:00			`NotEvaluate Condition = 0`
linter suggestions (#655) * cleanup phase 1 * linter fixes phase 2 2020-01-24 12:05:53 -08:00			`// Process to evaluate condition`
			`Process Condition = 1`
			`// Skip to ignore/skip the condition`
			`Skip Condition = 2`
check the exclude conditions with AND 2019-09-03 19:31:42 -07:00			`)`

existing resource processing v1 2019-08-13 09:37:02 -07:00			`// merge b into a map`
Bugfix/659 support wildcards for namespaces (#871) * - support wildcards for namespaces * do not annotate resource, unless policy is an autogen policy * close HTTP body * improve messages * remove policy store Policy store was not fully implemented and simply provided a way to list all polices and get a policy by name, which can be done via standard client-go interfaces. We need to revisit and design a better PolicyStore that provides fast lookups for matching policies based on names, namespaces, etc. * handle wildcard namespaces in background processing * fix unit tests 1) remove platform dependent path usage 2) remove policy store * add test case for mutate with wildcard namespaces 2020-05-26 10:36:56 -07:00			`func mergeResources(a, b map[string]unstructured.Unstructured) {`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`for k, v := range b {`
			`a[k] = v`
			`}`
			`}`

clean up 2019-08-14 10:01:47 -07:00			`//NewResourceManager returns a new ResourceManager`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`func NewResourceManager(rebuildTime int64) *ResourceManager {`
			`rm := ResourceManager{`
			`data: make(map[string]interface{}),`
			`time: time.Now(),`
			`rebuildTime: rebuildTime,`
			`}`
			`// set time it was built`
			`return &rm`
			`}`

clean up 2019-08-14 10:01:47 -07:00			`// ResourceManager stores the details on already processed resources for caching`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`type ResourceManager struct {`
			`// we drop and re-build the cache`
			`// based on the memory consumer of by the map`
			`data map[string]interface{}`
			`mux sync.RWMutex`
			`time time.Time`
			`rebuildTime int64 // after how many seconds should we rebuild the cache`
			`}`

			`type resourceManager interface {`
			`ProcessResource(policy, pv, kind, ns, name, rv string) bool`
			`//TODO removeResource(kind, ns, name string) error`
			`RegisterResource(policy, pv, kind, ns, name, rv string)`
			`// reload`
			`Drop()`
			`}`

			`//Drop drop the cache after every rebuild interval mins`
			`//TODO: or drop based on the size`
			`func (rm *ResourceManager) Drop() {`
check cache drop for process existing 2019-08-13 10:03:00 -07:00			`timeSince := time.Since(rm.time)`
			`if timeSince > time.Duration(rm.rebuildTime)*time.Second {`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`rm.mux.Lock()`
			`defer rm.mux.Unlock()`
			`rm.data = map[string]interface{}{}`
check cache drop for process existing 2019-08-13 10:03:00 -07:00			`rm.time = time.Now()`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`}`
			`}`

			`var empty struct{}`

			`//RegisterResource stores if the policy is processed on this resource version`
			`func (rm *ResourceManager) RegisterResource(policy, pv, kind, ns, name, rv string) {`
			`rm.mux.Lock()`
			`defer rm.mux.Unlock()`
			`// add the resource`
			`key := buildKey(policy, pv, kind, ns, name, rv)`
			`rm.data[key] = empty`
			`}`

			`//ProcessResource returns true if the policy was not applied on the resource`
			`func (rm *ResourceManager) ProcessResource(policy, pv, kind, ns, name, rv string) bool {`
			`rm.mux.RLock()`
			`defer rm.mux.RUnlock()`

			`key := buildKey(policy, pv, kind, ns, name, rv)`
			`_, ok := rm.data[key]`
linter fix (#657) 2020-01-27 08:58:53 -08:00			`return !ok`
existing resource processing v1 2019-08-13 09:37:02 -07:00			`}`

			`func buildKey(policy, pv, kind, ns, name, rv string) string {`
			`return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv`
			`}`