2022-09-28 13:45:16 +02:00
|
|
|
package utils
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"github.com/go-logr/logr"
|
|
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/context"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
2022-10-18 17:23:02 +02:00
|
|
|
"go.uber.org/multierr"
|
2022-09-28 13:45:16 +02:00
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type scanner struct {
|
|
|
|
|
logger logr.Logger
|
|
|
|
|
client dclient.Interface
|
|
|
|
|
excludeGroupRole []string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type ScanResult struct {
|
|
|
|
|
EngineResponse *response.EngineResponse
|
|
|
|
|
Error error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type Scanner interface {
|
|
|
|
|
ScanResource(unstructured.Unstructured, map[string]string, ...kyvernov1.PolicyInterface) map[kyvernov1.PolicyInterface]ScanResult
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewScanner(logger logr.Logger, client dclient.Interface, excludeGroupRole ...string) Scanner {
|
|
|
|
|
return &scanner{
|
|
|
|
|
logger: logger,
|
|
|
|
|
client: client,
|
|
|
|
|
excludeGroupRole: excludeGroupRole,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *scanner) ScanResource(resource unstructured.Unstructured, nsLabels map[string]string, policies ...kyvernov1.PolicyInterface) map[kyvernov1.PolicyInterface]ScanResult {
|
|
|
|
|
results := map[kyvernov1.PolicyInterface]ScanResult{}
|
|
|
|
|
for _, policy := range policies {
|
2022-10-18 17:23:02 +02:00
|
|
|
var errors []error
|
|
|
|
|
response, err := s.validateResource(resource, nsLabels, policy)
|
2022-09-28 13:45:16 +02:00
|
|
|
if err != nil {
|
|
|
|
|
s.logger.Error(err, "failed to scan resource")
|
2022-10-18 17:23:02 +02:00
|
|
|
errors = append(errors, err)
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
2022-10-18 17:23:02 +02:00
|
|
|
spec := policy.GetSpec()
|
|
|
|
|
if spec.HasVerifyImages() {
|
|
|
|
|
ivResponse, err := s.validateImages(resource, nsLabels, policy)
|
|
|
|
|
if err != nil {
|
|
|
|
|
s.logger.Error(err, "failed to scan images")
|
|
|
|
|
errors = append(errors, err)
|
|
|
|
|
}
|
|
|
|
|
if response == nil {
|
|
|
|
|
response = ivResponse
|
|
|
|
|
} else {
|
|
|
|
|
response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ivResponse.PolicyResponse.Rules...)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
results[policy] = ScanResult{response, multierr.Combine(errors...)}
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
|
|
|
|
return results
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-18 17:23:02 +02:00
|
|
|
func (s *scanner) validateResource(resource unstructured.Unstructured, nsLabels map[string]string, policy kyvernov1.PolicyInterface) (*response.EngineResponse, error) {
|
2022-09-28 13:45:16 +02:00
|
|
|
ctx := context.NewContext()
|
2022-10-13 16:03:49 +02:00
|
|
|
if err := ctx.AddResource(resource.Object); err != nil {
|
2022-09-28 13:45:16 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-10-13 16:03:49 +02:00
|
|
|
if err := ctx.AddNamespace(resource.GetNamespace()); err != nil {
|
2022-09-28 13:45:16 +02:00
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := ctx.AddImageInfos(&resource); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-10-13 16:03:49 +02:00
|
|
|
if err := ctx.AddOperation("CREATE"); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-12-02 09:14:23 +01:00
|
|
|
policyCtx := engine.NewPolicyContextWithJsonContext(ctx).
|
|
|
|
|
WithNewResource(resource).
|
|
|
|
|
WithPolicy(policy).
|
|
|
|
|
WithClient(s.client).
|
|
|
|
|
WithNamespaceLabels(nsLabels).
|
|
|
|
|
WithExcludeGroupRole(s.excludeGroupRole...)
|
2022-09-28 13:45:16 +02:00
|
|
|
return engine.Validate(policyCtx), nil
|
|
|
|
|
}
|
2022-10-18 17:23:02 +02:00
|
|
|
|
|
|
|
|
func (s *scanner) validateImages(resource unstructured.Unstructured, nsLabels map[string]string, policy kyvernov1.PolicyInterface) (*response.EngineResponse, error) {
|
|
|
|
|
ctx := context.NewContext()
|
|
|
|
|
if err := ctx.AddResource(resource.Object); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := ctx.AddNamespace(resource.GetNamespace()); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := ctx.AddImageInfos(&resource); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := ctx.AddOperation("CREATE"); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-12-02 09:14:23 +01:00
|
|
|
policyCtx := engine.NewPolicyContextWithJsonContext(ctx).
|
|
|
|
|
WithNewResource(resource).
|
|
|
|
|
WithPolicy(policy).
|
|
|
|
|
WithClient(s.client).
|
|
|
|
|
WithNamespaceLabels(nsLabels).
|
|
|
|
|
WithExcludeGroupRole(s.excludeGroupRole...)
|
2022-10-18 17:23:02 +02:00
|
|
|
response, _ := engine.VerifyAndPatchImages(policyCtx)
|
|
|
|
|
if len(response.PolicyResponse.Rules) > 0 {
|
|
|
|
|
s.logger.Info("validateImages", "policy", policy, "response", response)
|
|
|
|
|
}
|
|
|
|
|
return response, nil
|
|
|
|
|
}
|
