2020-07-09 11:48:34 -07:00
|
|
|
package webhooks
|
|
|
|
|
|
|
|
|
|
import (
|
2021-01-07 16:26:59 -08:00
|
|
|
"strings"
|
2020-12-23 17:48:00 -08:00
|
|
|
"time"
|
|
|
|
|
|
2021-02-04 02:39:42 +05:30
|
|
|
"github.com/kyverno/kyverno/pkg/common"
|
|
|
|
|
client "github.com/kyverno/kyverno/pkg/dclient"
|
|
|
|
|
|
2020-07-09 11:48:34 -07:00
|
|
|
"github.com/go-logr/logr"
|
2020-10-07 11:12:31 -07:00
|
|
|
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/config"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/event"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/policycache"
|
2020-11-09 11:26:12 -08:00
|
|
|
"github.com/kyverno/kyverno/pkg/policyreport"
|
2020-10-07 11:12:31 -07:00
|
|
|
"github.com/kyverno/kyverno/pkg/policystatus"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/resourcecache"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/userinfo"
|
2020-07-09 11:48:34 -07:00
|
|
|
"github.com/minio/minio/cmd/logger"
|
|
|
|
|
"k8s.io/api/admission/v1beta1"
|
|
|
|
|
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
|
|
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
2021-02-04 02:39:42 +05:30
|
|
|
informers "k8s.io/client-go/informers/core/v1"
|
2020-07-09 11:48:34 -07:00
|
|
|
rbacinformer "k8s.io/client-go/informers/rbac/v1"
|
2021-02-04 02:39:42 +05:30
|
|
|
listerv1 "k8s.io/client-go/listers/core/v1"
|
2020-07-09 11:48:34 -07:00
|
|
|
rbaclister "k8s.io/client-go/listers/rbac/v1"
|
|
|
|
|
"k8s.io/client-go/tools/cache"
|
|
|
|
|
"k8s.io/client-go/util/workqueue"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
workQueueName = "validate-audit-handler"
|
|
|
|
|
workQueueRetryLimit = 3
|
|
|
|
|
)
|
|
|
|
|
|
2020-11-17 13:07:30 -08:00
|
|
|
// AuditHandler applies validate audit policies to the admission request
|
2020-07-09 11:48:34 -07:00
|
|
|
// the handler adds the request to the work queue and returns immediately
|
|
|
|
|
// the request is processed in background, with the exact same logic
|
|
|
|
|
// when process the admission request in the webhook
|
|
|
|
|
type AuditHandler interface {
|
|
|
|
|
Add(request *v1beta1.AdmissionRequest)
|
|
|
|
|
Run(workers int, stopCh <-chan struct{})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type auditHandler struct {
|
2021-02-01 12:59:13 -08:00
|
|
|
client *client.Client
|
2020-07-09 11:48:34 -07:00
|
|
|
queue workqueue.RateLimitingInterface
|
|
|
|
|
pCache policycache.Interface
|
|
|
|
|
eventGen event.Interface
|
|
|
|
|
statusListener policystatus.Listener
|
2020-11-09 11:26:12 -08:00
|
|
|
prGenerator policyreport.GeneratorInterface
|
2020-07-09 11:48:34 -07:00
|
|
|
|
2021-02-04 02:39:42 +05:30
|
|
|
rbLister rbaclister.RoleBindingLister
|
|
|
|
|
rbSynced cache.InformerSynced
|
|
|
|
|
crbLister rbaclister.ClusterRoleBindingLister
|
|
|
|
|
crbSynced cache.InformerSynced
|
|
|
|
|
nsLister listerv1.NamespaceLister
|
|
|
|
|
nsListerSynced cache.InformerSynced
|
2020-07-09 11:48:34 -07:00
|
|
|
|
2020-08-14 12:21:06 -07:00
|
|
|
log logr.Logger
|
2020-08-07 17:09:24 -07:00
|
|
|
configHandler config.Interface
|
2021-01-29 17:38:23 -08:00
|
|
|
resCache resourcecache.ResourceCache
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewValidateAuditHandler returns a new instance of audit policy handler
|
|
|
|
|
func NewValidateAuditHandler(pCache policycache.Interface,
|
|
|
|
|
eventGen event.Interface,
|
|
|
|
|
statusListener policystatus.Listener,
|
2020-11-09 11:26:12 -08:00
|
|
|
prGenerator policyreport.GeneratorInterface,
|
2020-07-09 11:48:34 -07:00
|
|
|
rbInformer rbacinformer.RoleBindingInformer,
|
|
|
|
|
crbInformer rbacinformer.ClusterRoleBindingInformer,
|
2021-02-04 02:39:42 +05:30
|
|
|
namespaces informers.NamespaceInformer,
|
2020-08-07 17:09:24 -07:00
|
|
|
log logr.Logger,
|
2020-09-23 02:41:49 +05:30
|
|
|
dynamicConfig config.Interface,
|
2021-02-01 12:59:13 -08:00
|
|
|
resCache resourcecache.ResourceCache,
|
|
|
|
|
client *client.Client) AuditHandler {
|
2020-07-09 11:48:34 -07:00
|
|
|
|
|
|
|
|
return &auditHandler{
|
|
|
|
|
pCache: pCache,
|
|
|
|
|
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName),
|
|
|
|
|
eventGen: eventGen,
|
|
|
|
|
statusListener: statusListener,
|
|
|
|
|
rbLister: rbInformer.Lister(),
|
|
|
|
|
rbSynced: rbInformer.Informer().HasSynced,
|
|
|
|
|
crbLister: crbInformer.Lister(),
|
|
|
|
|
crbSynced: crbInformer.Informer().HasSynced,
|
2021-02-04 02:39:42 +05:30
|
|
|
nsLister: namespaces.Lister(),
|
|
|
|
|
nsListerSynced: namespaces.Informer().HasSynced,
|
2020-07-09 11:48:34 -07:00
|
|
|
log: log,
|
2020-11-09 11:26:12 -08:00
|
|
|
prGenerator: prGenerator,
|
2020-08-14 12:21:06 -07:00
|
|
|
configHandler: dynamicConfig,
|
2020-09-23 02:41:49 +05:30
|
|
|
resCache: resCache,
|
2021-02-01 12:59:13 -08:00
|
|
|
client: client,
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (h *auditHandler) Add(request *v1beta1.AdmissionRequest) {
|
|
|
|
|
h.log.V(4).Info("admission request added", "uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
|
|
|
|
|
h.queue.Add(request)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (h *auditHandler) Run(workers int, stopCh <-chan struct{}) {
|
|
|
|
|
h.log.V(4).Info("starting")
|
|
|
|
|
|
|
|
|
|
defer func() {
|
|
|
|
|
utilruntime.HandleCrash()
|
|
|
|
|
h.log.V(4).Info("shutting down")
|
|
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
if !cache.WaitForCacheSync(stopCh, h.rbSynced, h.crbSynced) {
|
|
|
|
|
logger.Info("failed to sync informer cache")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for i := 0; i < workers; i++ {
|
2020-12-23 17:48:00 -08:00
|
|
|
go wait.Until(h.runWorker, time.Second, stopCh)
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<-stopCh
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (h *auditHandler) runWorker() {
|
|
|
|
|
for h.processNextWorkItem() {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (h *auditHandler) processNextWorkItem() bool {
|
|
|
|
|
obj, shutdown := h.queue.Get()
|
|
|
|
|
if shutdown {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defer h.queue.Done(obj)
|
|
|
|
|
|
|
|
|
|
request, ok := obj.(*v1beta1.AdmissionRequest)
|
|
|
|
|
if !ok {
|
|
|
|
|
h.queue.Forget(obj)
|
|
|
|
|
logger.Info("incorrect type: expecting type 'AdmissionRequest'", "object", obj)
|
2020-12-23 17:48:00 -08:00
|
|
|
return true
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err := h.process(request)
|
2021-01-07 16:26:59 -08:00
|
|
|
h.handleErr(err, obj, request)
|
2020-07-09 11:48:34 -07:00
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
|
|
|
|
|
var roles, clusterRoles []string
|
|
|
|
|
var err error
|
|
|
|
|
|
|
|
|
|
logger := h.log.WithName("process")
|
2021-05-07 18:07:41 -07:00
|
|
|
policies := h.pCache.GetPolicyObject(policycache.ValidateAudit, request.Kind.Kind, "")
|
2020-08-19 21:37:23 +05:30
|
|
|
// Get namespace policies from the cache for the requested resource namespace
|
2021-05-07 18:07:41 -07:00
|
|
|
nsPolicies := h.pCache.GetPolicyObject(policycache.ValidateAudit, request.Kind.Kind, request.Namespace)
|
2020-08-19 21:37:23 +05:30
|
|
|
policies = append(policies, nsPolicies...)
|
2020-07-09 11:48:34 -07:00
|
|
|
// getRoleRef only if policy has roles/clusterroles defined
|
2020-12-01 22:50:40 -08:00
|
|
|
if containRBACInfo(policies) {
|
2020-08-14 12:21:06 -07:00
|
|
|
roles, clusterRoles, err = userinfo.GetRoleRef(h.rbLister, h.crbLister, request, h.configHandler)
|
2020-07-09 11:48:34 -07:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to get RBAC information for request")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userRequestInfo := v1.RequestInfo{
|
|
|
|
|
Roles: roles,
|
|
|
|
|
ClusterRoles: clusterRoles,
|
|
|
|
|
AdmissionUserInfo: request.UserInfo}
|
|
|
|
|
|
2021-03-23 10:34:03 -07:00
|
|
|
ctx, err := newVariablesContext(request, &userRequestInfo)
|
2020-07-09 11:48:34 -07:00
|
|
|
if err != nil {
|
2021-03-23 10:34:03 -07:00
|
|
|
logger.Error(err, "unable to build variable context")
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
|
|
|
|
|
2021-02-04 02:39:42 +05:30
|
|
|
namespaceLabels := make(map[string]string)
|
|
|
|
|
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
|
|
|
|
namespaceLabels = common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
HandleValidation(request, policies, nil, ctx, userRequestInfo, h.statusListener, h.eventGen, h.prGenerator, logger, h.configHandler, h.resCache, h.client, namespaceLabels)
|
2020-07-09 11:48:34 -07:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-01-07 16:26:59 -08:00
|
|
|
func (h *auditHandler) handleErr(err error, key interface{}, request *v1beta1.AdmissionRequest) {
|
|
|
|
|
logger := h.log.WithName("handleErr")
|
|
|
|
|
if err == nil {
|
|
|
|
|
h.queue.Forget(key)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
k := strings.Join([]string{request.Kind.Kind, request.Namespace, request.Name}, "/")
|
|
|
|
|
if h.queue.NumRequeues(key) < workQueueRetryLimit {
|
|
|
|
|
logger.V(3).Info("retrying processing admission request", "key", k, "error", err.Error())
|
|
|
|
|
h.queue.AddRateLimited(key)
|
|
|
|
|
return
|
|
|
|
|
}
|
2020-07-09 11:48:34 -07:00
|
|
|
|
2021-01-07 16:26:59 -08:00
|
|
|
logger.Error(err, "failed to process admission request", "key", k)
|
|
|
|
|
h.queue.Forget(key)
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
