2020-07-02 12:49:10 -07:00
|
|
|
package policycache
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"sync"
|
|
|
|
|
|
|
|
|
|
"github.com/go-logr/logr"
|
2020-10-07 11:12:31 -07:00
|
|
|
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
|
2021-05-07 00:32:06 +05:30
|
|
|
kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
|
|
|
|
policy2 "github.com/kyverno/kyverno/pkg/policy"
|
2020-07-02 12:49:10 -07:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type pMap struct {
|
|
|
|
|
sync.RWMutex
|
2021-05-07 00:32:06 +05:30
|
|
|
|
|
|
|
|
// kindDataMap field stores names of ClusterPolicies and Namespaced Policies.
|
|
|
|
|
// Since both the policy name use same type (i.e. string), Both policies can be differentiated based on
|
|
|
|
|
// "namespace". namespace policy get stored with policy namespace with policy name"
|
|
|
|
|
// kindDataMap {"kind": {{"policytype" : {"policyName","nsname/policyName}}},"kind2": {{"policytype" : {"nsname/policyName" }}}}
|
|
|
|
|
kindDataMap map[string]map[PolicyType][]string
|
2020-07-09 11:48:34 -07:00
|
|
|
|
|
|
|
|
// nameCacheMap stores the names of all existing policies in dataMap
|
2020-08-19 21:37:23 +05:30
|
|
|
// Policy names are stored as <namespace>/<name>
|
2020-07-09 11:48:34 -07:00
|
|
|
nameCacheMap map[PolicyType]map[string]bool
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// policyCache ...
|
|
|
|
|
type policyCache struct {
|
|
|
|
|
pMap
|
|
|
|
|
logr.Logger
|
2021-05-07 00:32:06 +05:30
|
|
|
// list/get cluster policy resource
|
|
|
|
|
pLister kyvernolister.ClusterPolicyLister
|
|
|
|
|
|
|
|
|
|
// npLister can list/get namespace policy from the shared informer's store
|
|
|
|
|
npLister kyvernolister.PolicyLister
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Interface ...
|
2021-05-07 00:32:06 +05:30
|
|
|
// Interface get method use for to get policy names and mostly use to test cache testcases
|
2020-07-02 12:49:10 -07:00
|
|
|
type Interface interface {
|
|
|
|
|
Add(policy *kyverno.ClusterPolicy)
|
|
|
|
|
Remove(policy *kyverno.ClusterPolicy)
|
2021-05-07 00:32:06 +05:30
|
|
|
GetPolicyObject(pkey PolicyType, kind *string, nspace *string) []*kyverno.ClusterPolicy
|
|
|
|
|
get(pkey PolicyType, kind *string, nspace *string) []string
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// newPolicyCache ...
|
2021-05-07 00:32:06 +05:30
|
|
|
func newPolicyCache(log logr.Logger, pLister kyvernolister.ClusterPolicyLister, npLister kyvernolister.PolicyLister) Interface {
|
2020-07-09 11:48:34 -07:00
|
|
|
namesCache := map[PolicyType]map[string]bool{
|
|
|
|
|
Mutate: make(map[string]bool),
|
|
|
|
|
ValidateEnforce: make(map[string]bool),
|
|
|
|
|
ValidateAudit: make(map[string]bool),
|
|
|
|
|
Generate: make(map[string]bool),
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-02 12:49:10 -07:00
|
|
|
return &policyCache{
|
|
|
|
|
pMap{
|
2020-07-09 11:48:34 -07:00
|
|
|
nameCacheMap: namesCache,
|
2021-05-07 00:32:06 +05:30
|
|
|
kindDataMap: make(map[string]map[PolicyType][]string),
|
2020-07-02 12:49:10 -07:00
|
|
|
},
|
|
|
|
|
log,
|
2021-05-07 00:32:06 +05:30
|
|
|
pLister,
|
|
|
|
|
npLister,
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add a policy to cache
|
|
|
|
|
func (pc *policyCache) Add(policy *kyverno.ClusterPolicy) {
|
|
|
|
|
pc.pMap.add(policy)
|
|
|
|
|
pc.Logger.V(4).Info("policy is added to cache", "name", policy.GetName())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the list of matched policies
|
2021-05-07 00:32:06 +05:30
|
|
|
func (pc *policyCache) get(pkey PolicyType, kind, nspace *string) []string {
|
|
|
|
|
return pc.pMap.get(pkey, kind, nspace)
|
|
|
|
|
}
|
|
|
|
|
func (pc *policyCache) GetPolicyObject(pkey PolicyType, kind, nspace *string) []*kyverno.ClusterPolicy {
|
|
|
|
|
return pc.getPolicyObject(pkey, kind, nspace)
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Remove a policy from cache
|
|
|
|
|
func (pc *policyCache) Remove(policy *kyverno.ClusterPolicy) {
|
|
|
|
|
pc.pMap.remove(policy)
|
|
|
|
|
pc.Logger.V(4).Info("policy is removed from cache", "name", policy.GetName())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *pMap) add(policy *kyverno.ClusterPolicy) {
|
|
|
|
|
m.Lock()
|
|
|
|
|
defer m.Unlock()
|
|
|
|
|
|
|
|
|
|
enforcePolicy := policy.Spec.ValidationFailureAction == "enforce"
|
2020-07-09 11:48:34 -07:00
|
|
|
mutateMap := m.nameCacheMap[Mutate]
|
|
|
|
|
validateEnforceMap := m.nameCacheMap[ValidateEnforce]
|
|
|
|
|
validateAuditMap := m.nameCacheMap[ValidateAudit]
|
|
|
|
|
generateMap := m.nameCacheMap[Generate]
|
2020-08-19 21:37:23 +05:30
|
|
|
var pName = policy.GetName()
|
|
|
|
|
pSpace := policy.GetNamespace()
|
|
|
|
|
if pSpace != "" {
|
|
|
|
|
pName = pSpace + "/" + pName
|
|
|
|
|
}
|
2020-07-02 12:49:10 -07:00
|
|
|
for _, rule := range policy.Spec.Rules {
|
2021-05-07 00:32:06 +05:30
|
|
|
|
|
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
|
|
|
|
_, ok := m.kindDataMap[kind]
|
|
|
|
|
if !ok {
|
|
|
|
|
m.kindDataMap[kind] = make(map[PolicyType][]string)
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
2021-05-07 00:32:06 +05:30
|
|
|
if rule.HasMutate() {
|
|
|
|
|
if !mutateMap[kind+"/"+pName] {
|
|
|
|
|
mutateMap[kind+"/"+pName] = true
|
|
|
|
|
mutatePolicy := m.kindDataMap[kind][Mutate]
|
|
|
|
|
m.kindDataMap[kind][Mutate] = append(mutatePolicy, pName)
|
2020-07-09 11:48:34 -07:00
|
|
|
}
|
|
|
|
|
continue
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
if rule.HasValidate() {
|
|
|
|
|
if enforcePolicy {
|
|
|
|
|
if !validateEnforceMap[kind+"/"+pName] {
|
|
|
|
|
validateEnforceMap[kind+"/"+pName] = true
|
|
|
|
|
validatePolicy := m.kindDataMap[kind][ValidateEnforce]
|
|
|
|
|
m.kindDataMap[kind][ValidateEnforce] = append(validatePolicy, pName)
|
|
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
continue
|
|
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
|
|
|
|
|
// ValidateAudit
|
|
|
|
|
if !validateAuditMap[kind+"/"+pName] {
|
|
|
|
|
validateAuditMap[kind+"/"+pName] = true
|
|
|
|
|
validatePolicy := m.kindDataMap[kind][ValidateAudit]
|
|
|
|
|
m.kindDataMap[kind][ValidateAudit] = append(validatePolicy, pName)
|
|
|
|
|
}
|
|
|
|
|
continue
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
2021-05-07 00:32:06 +05:30
|
|
|
if rule.HasGenerate() {
|
|
|
|
|
if !generateMap[kind+"/"+pName] {
|
|
|
|
|
generateMap[kind+"/"+pName] = true
|
|
|
|
|
generatePolicy := m.kindDataMap[kind][Generate]
|
|
|
|
|
m.kindDataMap[kind][Generate] = append(generatePolicy, pName)
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
continue
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-07-09 11:48:34 -07:00
|
|
|
m.nameCacheMap[Mutate] = mutateMap
|
|
|
|
|
m.nameCacheMap[ValidateEnforce] = validateEnforceMap
|
|
|
|
|
m.nameCacheMap[ValidateAudit] = validateAuditMap
|
|
|
|
|
m.nameCacheMap[Generate] = generateMap
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
2021-05-07 00:32:06 +05:30
|
|
|
func (pc *pMap) get(key PolicyType, kind, namespace *string) (names []string) {
|
|
|
|
|
pc.RLock()
|
|
|
|
|
defer pc.RUnlock()
|
|
|
|
|
for _, policyName := range pc.kindDataMap[*kind][key] {
|
|
|
|
|
ns, key, isNamespacedPolicy := policy2.ParseNamespacedPolicy(policyName)
|
|
|
|
|
if !isNamespacedPolicy {
|
|
|
|
|
names = append(names, key)
|
|
|
|
|
} else {
|
|
|
|
|
if ns == *namespace {
|
|
|
|
|
names = append(names, policyName)
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
return names
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (m *pMap) remove(policy *kyverno.ClusterPolicy) {
|
|
|
|
|
m.Lock()
|
|
|
|
|
defer m.Unlock()
|
2020-08-19 21:37:23 +05:30
|
|
|
var pName = policy.GetName()
|
|
|
|
|
pSpace := policy.GetNamespace()
|
|
|
|
|
if pSpace != "" {
|
|
|
|
|
pName = pSpace + "/" + pName
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, rule := range policy.Spec.Rules {
|
|
|
|
|
for _, kind := range rule.MatchResources.Kinds {
|
|
|
|
|
dataMap := m.kindDataMap[kind]
|
|
|
|
|
for policyType, policies := range dataMap {
|
|
|
|
|
var newPolicies []string
|
|
|
|
|
for _, p := range policies {
|
|
|
|
|
if p == pName {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
newPolicies = append(newPolicies, p)
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
m.kindDataMap[kind][policyType] = newPolicies
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
for _, nameCache := range m.nameCacheMap {
|
|
|
|
|
if ok := nameCache[kind+"/"+pName]; ok {
|
|
|
|
|
delete(nameCache, kind+"/"+pName)
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
|
|
|
|
}
|
2020-07-02 12:49:10 -07:00
|
|
|
|
2020-08-19 21:37:23 +05:30
|
|
|
}
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
}
|
|
|
|
|
func (m *policyCache) getPolicyObject(key PolicyType, kind *string, nspace *string) (policyObject []*kyverno.ClusterPolicy) {
|
|
|
|
|
policyNames := m.pMap.get(key, kind, nspace)
|
|
|
|
|
for _, policyName := range policyNames {
|
|
|
|
|
var policy *kyverno.ClusterPolicy
|
|
|
|
|
ns, key, isNamespacedPolicy := policy2.ParseNamespacedPolicy(policyName)
|
|
|
|
|
if !isNamespacedPolicy {
|
|
|
|
|
policy, _ = m.pLister.Get(key)
|
|
|
|
|
} else {
|
|
|
|
|
if ns == *nspace {
|
|
|
|
|
nspolicy, _ := m.npLister.Policies(ns).Get(key)
|
|
|
|
|
policy = policy2.ConvertPolicyToClusterPolicy(nspolicy)
|
|
|
|
|
}
|
2020-07-13 20:29:39 -07:00
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
policyObject = append(policyObject, policy)
|
2020-07-13 20:29:39 -07:00
|
|
|
}
|
2021-05-07 00:32:06 +05:30
|
|
|
return policyObject
|
2020-07-02 12:49:10 -07:00
|
|
|
}
|
