2023-04-18 14:08:17 +02:00
|
|
|
package test
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2023-09-14 01:55:19 +02:00
|
|
|
"io"
|
2023-04-18 14:08:17 +02:00
|
|
|
|
2023-09-11 15:41:36 +02:00
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
2024-06-20 11:44:43 +02:00
|
|
|
kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
|
2023-12-20 13:45:26 +01:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/deprecations"
|
2024-02-01 03:58:14 +05:30
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/exception"
|
2023-09-06 02:06:44 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/log"
|
2023-09-13 17:10:12 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/path"
|
2023-09-06 01:01:31 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy"
|
2023-09-06 06:48:55 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/processor"
|
2023-09-05 15:19:05 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/resource"
|
2023-09-06 17:17:12 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/store"
|
2023-09-05 13:09:45 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test"
|
2023-09-05 19:10:27 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/userinfo"
|
2023-04-18 14:08:17 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
|
2023-09-06 16:03:51 +02:00
|
|
|
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/variables"
|
2023-10-27 11:50:36 +02:00
|
|
|
"github.com/kyverno/kyverno/ext/output/pluralize"
|
2024-10-16 15:24:37 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/autogen"
|
2023-04-18 14:08:17 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/background/generate"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
2023-04-24 18:31:42 +08:00
|
|
|
"github.com/kyverno/kyverno/pkg/config"
|
2023-04-18 14:08:17 +02:00
|
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
2023-04-28 21:54:17 +08:00
|
|
|
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
|
2023-04-18 14:08:17 +02:00
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
2024-12-19 09:42:54 +02:00
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
2023-04-18 14:08:17 +02:00
|
|
|
)
|
|
|
|
|
|
2024-12-19 09:42:54 +02:00
|
|
|
type TestResponse struct {
|
|
|
|
|
Trigger map[string][]engineapi.EngineResponse
|
|
|
|
|
Target map[string][]engineapi.EngineResponse
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func runTest(out io.Writer, testCase test.TestCase, registryAccess bool) (*TestResponse, error) {
|
2023-09-05 15:19:05 +02:00
|
|
|
// don't process test case with errors
|
|
|
|
|
if testCase.Err != nil {
|
|
|
|
|
return nil, testCase.Err
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2023-09-14 01:55:19 +02:00
|
|
|
fmt.Fprintln(out, "Loading test", testCase.Test.Name, "(", testCase.Path, ")", "...")
|
2023-09-05 15:19:05 +02:00
|
|
|
isGit := testCase.Fs != nil
|
|
|
|
|
testDir := testCase.Dir()
|
|
|
|
|
var dClient dclient.Interface
|
|
|
|
|
// values/variables
|
2023-09-14 01:55:19 +02:00
|
|
|
fmt.Fprintln(out, " Loading values/variables", "...")
|
2023-12-20 13:45:26 +01:00
|
|
|
vars, err := variables.New(out, testCase.Fs, testDir, testCase.Test.Variables, testCase.Test.Values)
|
2023-04-18 14:08:17 +02:00
|
|
|
if err != nil {
|
2023-09-12 18:07:06 +02:00
|
|
|
err = fmt.Errorf("failed to decode yaml (%w)", err)
|
2023-09-05 15:19:05 +02:00
|
|
|
return nil, err
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2023-09-05 15:19:05 +02:00
|
|
|
// user info
|
2024-06-20 11:44:43 +02:00
|
|
|
var userInfo *kyvernov2.RequestInfo
|
2023-09-05 15:19:05 +02:00
|
|
|
if testCase.Test.UserInfo != "" {
|
2023-09-14 01:55:19 +02:00
|
|
|
fmt.Fprintln(out, " Loading user infos", "...")
|
2023-09-18 12:51:35 +02:00
|
|
|
info, err := userinfo.Load(testCase.Fs, testCase.Test.UserInfo, testDir)
|
2023-04-18 14:08:17 +02:00
|
|
|
if err != nil {
|
2024-05-21 00:17:49 -07:00
|
|
|
return nil, fmt.Errorf("error: failed to load request info (%s)", err)
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2023-12-20 13:45:26 +01:00
|
|
|
deprecations.CheckUserInfo(out, testCase.Test.UserInfo, info)
|
2023-09-18 12:51:35 +02:00
|
|
|
userInfo = &info.RequestInfo
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2023-09-05 15:19:05 +02:00
|
|
|
// policies
|
2023-09-14 01:55:19 +02:00
|
|
|
fmt.Fprintln(out, " Loading policies", "...")
|
2023-09-13 17:10:12 +02:00
|
|
|
policyFullPath := path.GetFullPaths(testCase.Test.Policies, testDir, isGit)
|
2024-05-21 00:17:49 -07:00
|
|
|
results, err := policy.Load(testCase.Fs, testDir, policyFullPath...)
|
2023-04-18 14:08:17 +02:00
|
|
|
if err != nil {
|
2024-05-21 00:17:49 -07:00
|
|
|
return nil, fmt.Errorf("error: failed to load policies (%s)", err)
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2023-09-05 15:19:05 +02:00
|
|
|
// resources
|
2023-09-14 01:55:19 +02:00
|
|
|
fmt.Fprintln(out, " Loading resources", "...")
|
2023-09-13 17:10:12 +02:00
|
|
|
resourceFullPath := path.GetFullPaths(testCase.Test.Resources, testDir, isGit)
|
2024-05-21 00:17:49 -07:00
|
|
|
resources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, resourceFullPath, false, results.Policies, results.VAPs, dClient, "", false, testDir)
|
2023-09-05 15:19:05 +02:00
|
|
|
if err != nil {
|
2024-05-21 00:17:49 -07:00
|
|
|
return nil, fmt.Errorf("error: failed to load resources (%s)", err)
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2023-09-05 15:19:05 +02:00
|
|
|
uniques, duplicates := resource.RemoveDuplicates(resources)
|
|
|
|
|
if len(duplicates) > 0 {
|
|
|
|
|
for dup := range duplicates {
|
2024-05-21 00:17:49 -07:00
|
|
|
fmt.Fprintln(out, " warning: found duplicated resource", dup.Kind, dup.Name, dup.Namespace)
|
2023-05-10 11:12:53 +03:00
|
|
|
}
|
|
|
|
|
}
|
2024-12-19 09:42:54 +02:00
|
|
|
|
|
|
|
|
targetResourcesPath := path.GetFullPaths(testCase.Test.TargetResources, testDir, isGit)
|
|
|
|
|
targetResources, err := common.GetResourceAccordingToResourcePath(out, testCase.Fs, targetResourcesPath, false, results.Policies, results.VAPs, dClient, "", false, testDir)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error: failed to load target resources (%s)", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
targets := []runtime.Object{}
|
|
|
|
|
for _, t := range targetResources {
|
|
|
|
|
targets = append(targets, t)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// this will be a dclient containing all target resources. a policy may not do anything with any targets in these
|
|
|
|
|
dClient, err = dclient.NewFakeClient(runtime.NewScheme(), map[schema.GroupVersionResource]string{}, targets...)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
dClient.SetDiscovery(dclient.NewFakeDiscoveryClient(nil))
|
|
|
|
|
|
2024-02-01 03:58:14 +05:30
|
|
|
// exceptions
|
|
|
|
|
fmt.Fprintln(out, " Loading exceptions", "...")
|
|
|
|
|
exceptionFullPath := path.GetFullPaths(testCase.Test.PolicyExceptions, testDir, isGit)
|
|
|
|
|
exceptions, err := exception.Load(exceptionFullPath...)
|
|
|
|
|
if err != nil {
|
2024-05-21 00:17:49 -07:00
|
|
|
return nil, fmt.Errorf("error: failed to load exceptions (%s)", err)
|
2024-02-01 03:58:14 +05:30
|
|
|
}
|
|
|
|
|
// Validates that exceptions cannot be used with ValidatingAdmissionPolicies.
|
2024-05-21 00:17:49 -07:00
|
|
|
if len(results.VAPs) > 0 && len(exceptions) > 0 {
|
|
|
|
|
return nil, fmt.Errorf("error: use of exceptions with ValidatingAdmissionPolicies is not supported")
|
2024-02-01 03:58:14 +05:30
|
|
|
}
|
2023-09-06 16:03:51 +02:00
|
|
|
// init store
|
2023-12-19 15:45:53 +01:00
|
|
|
var store store.Store
|
2023-09-06 16:03:51 +02:00
|
|
|
store.SetLocal(true)
|
2023-12-19 15:45:53 +01:00
|
|
|
store.SetRegistryAccess(registryAccess)
|
2023-09-06 16:03:51 +02:00
|
|
|
if vars != nil {
|
2023-12-19 15:45:53 +01:00
|
|
|
vars.SetInStore(&store)
|
2023-09-06 16:03:51 +02:00
|
|
|
}
|
2024-05-21 00:17:49 -07:00
|
|
|
|
|
|
|
|
policyCount := len(results.Policies) + len(results.VAPs)
|
|
|
|
|
policyPlural := pluralize.Pluralize(len(results.Policies)+len(results.VAPs), "policy", "policies")
|
|
|
|
|
resourceCount := len(uniques)
|
|
|
|
|
resourcePlural := pluralize.Pluralize(len(uniques), "resource", "resources")
|
2024-02-01 03:58:14 +05:30
|
|
|
if len(exceptions) > 0 {
|
2024-05-21 00:17:49 -07:00
|
|
|
exceptionCount := len(exceptions)
|
|
|
|
|
exceptionsPlural := pluralize.Pluralize(len(exceptions), "exception", "exceptions")
|
|
|
|
|
fmt.Fprintln(out, " Applying", policyCount, policyPlural, "to", resourceCount, resourcePlural, "with", exceptionCount, exceptionsPlural, "...")
|
2024-02-01 03:58:14 +05:30
|
|
|
} else {
|
2024-05-21 00:17:49 -07:00
|
|
|
fmt.Fprintln(out, " Applying", policyCount, policyPlural, "to", resourceCount, resourcePlural, "...")
|
2024-02-01 03:58:14 +05:30
|
|
|
}
|
2024-05-21 00:17:49 -07:00
|
|
|
|
2023-09-05 15:19:05 +02:00
|
|
|
// TODO document the code below
|
2023-04-18 14:08:17 +02:00
|
|
|
ruleToCloneSourceResource := map[string]string{}
|
2024-05-21 00:17:49 -07:00
|
|
|
for _, policy := range results.Policies {
|
2024-10-16 15:24:37 +02:00
|
|
|
for _, rule := range autogen.Default.ComputeRules(policy, "") {
|
2023-09-05 15:19:05 +02:00
|
|
|
for _, res := range testCase.Test.Results {
|
2023-07-28 03:32:30 +03:00
|
|
|
if res.IsValidatingAdmissionPolicy {
|
2023-05-10 11:12:53 +03:00
|
|
|
continue
|
|
|
|
|
}
|
2024-01-31 02:39:47 +01:00
|
|
|
// TODO: what if two policies have a rule with the same name ?
|
2023-04-18 14:08:17 +02:00
|
|
|
if rule.Name == res.Rule {
|
|
|
|
|
if rule.HasGenerate() {
|
2023-12-07 06:03:27 +00:00
|
|
|
if len(rule.Generation.CloneList.Kinds) != 0 { // cloneList
|
|
|
|
|
// We cannot cast this to an unstructured object because it doesn't have a kind.
|
2023-09-04 11:34:27 +02:00
|
|
|
if isGit {
|
|
|
|
|
ruleToCloneSourceResource[rule.Name] = res.CloneSourceResource
|
|
|
|
|
} else {
|
2023-09-13 17:10:12 +02:00
|
|
|
ruleToCloneSourceResource[rule.Name] = path.GetFullPath(res.CloneSourceResource, testDir)
|
2023-09-04 11:34:27 +02:00
|
|
|
}
|
2023-12-07 06:03:27 +00:00
|
|
|
} else { // clone or data
|
|
|
|
|
ruleUnstr, err := generate.GetUnstrRule(rule.Generation.DeepCopy())
|
|
|
|
|
if err != nil {
|
|
|
|
|
fmt.Fprintf(out, " Error: failed to get unstructured rule (%s)\n", err)
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
genClone, _, err := unstructured.NestedMap(ruleUnstr.Object, "clone")
|
|
|
|
|
if err != nil {
|
|
|
|
|
fmt.Fprintf(out, " Error: failed to read data (%s)\n", err)
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
if len(genClone) != 0 {
|
|
|
|
|
if isGit {
|
|
|
|
|
ruleToCloneSourceResource[rule.Name] = res.CloneSourceResource
|
|
|
|
|
} else {
|
|
|
|
|
ruleToCloneSourceResource[rule.Name] = path.GetFullPath(res.CloneSourceResource, testDir)
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-09-11 15:41:36 +02:00
|
|
|
// validate policies
|
2024-05-21 00:17:49 -07:00
|
|
|
validPolicies := make([]kyvernov1.PolicyInterface, 0, len(results.Policies))
|
|
|
|
|
for _, pol := range results.Policies {
|
2023-09-05 15:19:05 +02:00
|
|
|
// TODO we should return this info to the caller
|
2024-08-20 01:55:32 -07:00
|
|
|
sa := config.KyvernoUserName(config.KyvernoServiceAccountName())
|
|
|
|
|
_, err := policyvalidation.Validate(pol, nil, nil, nil, true, sa, sa)
|
2023-04-18 14:08:17 +02:00
|
|
|
if err != nil {
|
2023-09-06 16:03:51 +02:00
|
|
|
log.Log.Error(err, "skipping invalid policy", "name", pol.GetName())
|
2023-04-18 14:08:17 +02:00
|
|
|
continue
|
|
|
|
|
}
|
2023-09-11 15:41:36 +02:00
|
|
|
validPolicies = append(validPolicies, pol)
|
|
|
|
|
}
|
|
|
|
|
// execute engine
|
|
|
|
|
var engineResponses []engineapi.EngineResponse
|
|
|
|
|
var resultCounts processor.ResultCounts
|
2024-12-19 09:42:54 +02:00
|
|
|
testResponse := TestResponse{
|
|
|
|
|
Trigger: map[string][]engineapi.EngineResponse{},
|
|
|
|
|
Target: map[string][]engineapi.EngineResponse{},
|
|
|
|
|
}
|
2023-09-11 15:41:36 +02:00
|
|
|
for _, resource := range uniques {
|
2024-12-19 09:42:54 +02:00
|
|
|
// the policy processor is for multiple policies at once
|
2023-09-11 15:41:36 +02:00
|
|
|
processor := processor.PolicyProcessor{
|
2023-12-19 15:45:53 +01:00
|
|
|
Store: &store,
|
2023-09-11 15:41:36 +02:00
|
|
|
Policies: validPolicies,
|
|
|
|
|
Resource: *resource,
|
2024-02-01 03:58:14 +05:30
|
|
|
PolicyExceptions: exceptions,
|
2023-09-11 15:41:36 +02:00
|
|
|
MutateLogPath: "",
|
|
|
|
|
Variables: vars,
|
|
|
|
|
UserInfo: userInfo,
|
|
|
|
|
PolicyReport: true,
|
|
|
|
|
NamespaceSelectorMap: vars.NamespaceSelectors(),
|
|
|
|
|
Rc: &resultCounts,
|
|
|
|
|
RuleToCloneSourceResource: ruleToCloneSourceResource,
|
2024-12-19 09:42:54 +02:00
|
|
|
Cluster: false,
|
2023-09-11 15:41:36 +02:00
|
|
|
Client: dClient,
|
|
|
|
|
Subresources: vars.Subresources(),
|
2024-12-19 09:42:54 +02:00
|
|
|
Out: io.Discard,
|
2023-05-10 11:12:53 +03:00
|
|
|
}
|
2023-09-11 15:41:36 +02:00
|
|
|
ers, err := processor.ApplyPoliciesOnResource()
|
|
|
|
|
if err != nil {
|
2023-09-12 18:07:06 +02:00
|
|
|
return nil, fmt.Errorf("failed to apply policies on resource %v (%w)", resource.GetName(), err)
|
2023-09-11 15:41:36 +02:00
|
|
|
}
|
2024-12-19 09:42:54 +02:00
|
|
|
resourceKey := generateResourceKey(resource)
|
2023-09-11 15:41:36 +02:00
|
|
|
engineResponses = append(engineResponses, ers...)
|
2024-12-19 09:42:54 +02:00
|
|
|
testResponse.Trigger[resourceKey] = ers
|
|
|
|
|
}
|
|
|
|
|
for _, targetResource := range targetResources {
|
|
|
|
|
for _, engineResponse := range engineResponses {
|
|
|
|
|
if r, _ := extractPatchedTargetFromEngineResponse(targetResource.GetAPIVersion(), targetResource.GetKind(), targetResource.GetName(), targetResource.GetNamespace(), engineResponse); r != nil {
|
|
|
|
|
resourceKey := generateResourceKey(targetResource)
|
|
|
|
|
testResponse.Target[resourceKey] = append(testResponse.Target[resourceKey], engineResponse)
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-05-10 11:12:53 +03:00
|
|
|
}
|
2024-12-19 09:42:54 +02:00
|
|
|
|
2023-09-11 12:49:02 +02:00
|
|
|
for _, resource := range uniques {
|
|
|
|
|
processor := processor.ValidatingAdmissionPolicyProcessor{
|
2024-05-21 00:17:49 -07:00
|
|
|
Policies: results.VAPs,
|
|
|
|
|
Bindings: results.VAPBindings,
|
2024-02-21 16:00:42 +02:00
|
|
|
Resource: resource,
|
|
|
|
|
NamespaceSelectorMap: vars.NamespaceSelectors(),
|
|
|
|
|
PolicyReport: true,
|
|
|
|
|
Rc: &resultCounts,
|
2023-09-11 12:49:02 +02:00
|
|
|
}
|
|
|
|
|
ers, err := processor.ApplyPolicyOnResource()
|
|
|
|
|
if err != nil {
|
2023-09-12 18:07:06 +02:00
|
|
|
return nil, fmt.Errorf("failed to apply policies on resource %s (%w)", resource.GetName(), err)
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2024-12-19 09:42:54 +02:00
|
|
|
resourceKey := generateResourceKey(resource)
|
|
|
|
|
testResponse.Trigger[resourceKey] = append(testResponse.Trigger[resourceKey], ers...)
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
2024-12-19 09:42:54 +02:00
|
|
|
// this is an array of responses of all policies, generated by all of their rules
|
|
|
|
|
return &testResponse, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func generateResourceKey(resource *unstructured.Unstructured) string {
|
|
|
|
|
return resource.GetAPIVersion() + "," + resource.GetKind() + "," + resource.GetNamespace() + "," + resource.GetName()
|
2023-04-18 14:08:17 +02:00
|
|
|
}
|
