kyverno/pkg/webhooks/validation.go

package webhooks

import (
	jsonpatch "github.com/evanphx/json-patch"
	"github.com/golang/glog"
	engine "github.com/nirmata/kyverno/pkg/engine"
	"github.com/nirmata/kyverno/pkg/info"
	v1beta1 "k8s.io/api/admission/v1beta1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
)

// HandleValidation handles validating webhook admission request
// If there are no errors in validating rule we apply generation rules
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {

	glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)

	policyInfos := []*info.PolicyInfo{}
	policies, err := ws.policyLister.List(labels.NewSelector())
	if err != nil {
		// Unable to connect to policy Lister to access policies
		glog.Error("Unable to connect to policy controller to access policies. Validation Rules are NOT being applied")
		glog.Warning(err)
		return &v1beta1.AdmissionResponse{
			Allowed: true,
		}
	}

	rname := engine.ParseNameFromObject(request.Object.Raw)
	rns := engine.ParseNamespaceFromObject(request.Object.Raw)
	rkind := request.Kind.Kind
	if rkind == "" {
		glog.Errorf("failed to parse KIND from request: Namespace=%s Name=%s UID=%s patchOperation=%s\n", request.Namespace, request.Name, request.UID, request.Operation)
	}

	var annPatches []byte
	for _, policy := range policies {

		if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {
			continue
		}
		//TODO: HACK Check if an update of annotations
		if checkIfOnlyAnnotationsUpdate(request) {
			// allow the update of resource to add annotations
			return &v1beta1.AdmissionResponse{
				Allowed: true,
			}
		}

		policyInfo := info.NewPolicyInfo(policy.Name,
			rkind,
			rname,
			rns,
			policy.Spec.ValidationFailureAction)

		glog.V(3).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
			request.Kind.Kind, rns, rname, request.UID, request.Operation)

		glog.Infof("Validating resource %s/%s/%s with policy %s with %d rules", rkind, rns, rname, policy.ObjectMeta.Name, len(policy.Spec.Rules))
		ruleInfos, err := engine.Validate(*policy, request.Object.Raw, request.Kind)
		if err != nil {
			// This is not policy error
			// but if unable to parse request raw resource
			// TODO : create event ? dont think so
			glog.Error(err)
			continue
		}
		policyInfo.AddRuleInfos(ruleInfos)

		if !policyInfo.IsSuccessful() {
			glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
			for _, r := range ruleInfos {
				glog.Warningf("%s: %s\n", r.Name, r.Msgs)
			}
		} else {
			// CleanUp Violations if exists
			err := ws.violationBuilder.RemoveInactiveViolation(policy.Name, request.Kind.Kind, rns, rname, info.Validation)
			if err != nil {
				glog.Info(err)
			}

			if len(ruleInfos) > 0 {
				glog.Infof("Validation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, rname, rns)
			}
		}
		policyInfos = append(policyInfos, policyInfo)
		// annotations
		annPatch := addAnnotationsToResource(request.Object.Raw, policyInfo, info.Validation)
		if annPatch != nil {
			if annPatches == nil {
				annPatches = annPatch
			} else {
				annPatches, err = jsonpatch.MergePatch(annPatches, annPatch)
				if err != nil {
					glog.Error(err)
				}
			}
		}
	}

	if len(policyInfos) > 0 && len(policyInfos[0].Rules) != 0 {
		eventsInfo, violations := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), info.Validation)
		// If the validationFailureAction flag is set "report",
		// then we dont block the request and report the violations
		ws.violationBuilder.Add(violations...)
		ws.eventController.Add(eventsInfo...)
	}
	//	add annotations
	if annPatches != nil {
		ws.annotationsController.Add(rkind, rns, rname, annPatches)
	}
	// If Validation fails then reject the request
	ok, msg := isAdmSuccesful(policyInfos)
	// violations are created if "report" flag is set
	// and if there are any then we dont bock the resource creation
	// Even if one the policy being applied

	if !ok && toBlock(policyInfos) {
		return &v1beta1.AdmissionResponse{
			Allowed: false,
			Result: &metav1.Status{
				Message: msg,
			},
		}
	}

	return &v1beta1.AdmissionResponse{
		Allowed: true,
	}
	// Generation rules applied via generation controller
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
annotation generation from policy controller 2019-07-17 17:53:13 -07:00			`jsonpatch "github.com/evanphx/json-patch"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"github.com/golang/glog"`
			`engine "github.com/nirmata/kyverno/pkg/engine"`
			`"github.com/nirmata/kyverno/pkg/info"`
			`v1beta1 "k8s.io/api/admission/v1beta1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/labels"`
			`)`

			`// HandleValidation handles validating webhook admission request`
			`// If there are no errors in validating rule we apply generation rules`
			`func (ws WebhookServer) HandleValidation(request v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {`
- update install_debug.yaml - add debug log 2019-07-23 17:54:31 -07:00
			`glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
- add debug log - tested fix 2019-07-21 14:13:00 -07:00			`request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)`

restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`policyInfos := []*info.PolicyInfo{}`
			`policies, err := ws.policyLister.List(labels.NewSelector())`
			`if err != nil {`
			`// Unable to connect to policy Lister to access policies`
			`glog.Error("Unable to connect to policy controller to access policies. Validation Rules are NOT being applied")`
			`glog.Warning(err)`
			`return &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
			`}`
annotations creation,update & removal 2019-07-17 23:13:28 -07:00
annotation generation from policy controller 2019-07-17 17:53:13 -07:00			`rname := engine.ParseNameFromObject(request.Object.Raw)`
			`rns := engine.ParseNamespaceFromObject(request.Object.Raw)`
testing 2019-07-20 23:58:46 -07:00			`rkind := request.Kind.Kind`
			`if rkind == "" {`
- add debug log - tested fix 2019-07-21 14:13:00 -07:00			`glog.Errorf("failed to parse KIND from request: Namespace=%s Name=%s UID=%s patchOperation=%s\n", request.Namespace, request.Name, request.UID, request.Operation)`
testing 2019-07-20 23:58:46 -07:00			`}`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
annotation generation from policy controller 2019-07-17 17:53:13 -07:00			`var annPatches []byte`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`for _, policy := range policies {`

			`if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {`
			`continue`
			`}`
bypass annotation additions 2019-07-19 12:47:20 -07:00			`//TODO: HACK Check if an update of annotations`
			`if checkIfOnlyAnnotationsUpdate(request) {`
			`// allow the update of resource to add annotations`
			`return &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
			`}`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`policyInfo := info.NewPolicyInfo(policy.Name,`
			`rkind,`
			`rname,`
update flag & support ValidationFailureAction flag 2019-07-15 19:14:42 -07:00			`rns,`
			`policy.Spec.ValidationFailureAction)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`glog.V(3).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
			`request.Kind.Kind, rns, rname, request.UID, request.Operation)`

			`glog.Infof("Validating resource %s/%s/%s with policy %s with %d rules", rkind, rns, rname, policy.ObjectMeta.Name, len(policy.Spec.Rules))`
			`ruleInfos, err := engine.Validate(*policy, request.Object.Raw, request.Kind)`
			`if err != nil {`
			`// This is not policy error`
			`// but if unable to parse request raw resource`
			`// TODO : create event ? dont think so`
			`glog.Error(err)`
			`continue`
			`}`
			`policyInfo.AddRuleInfos(ruleInfos)`

			`if !policyInfo.IsSuccessful() {`
			`glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)`
			`for _, r := range ruleInfos {`
remove rule name in failure even info 2019-07-19 17:52:24 -07:00			`glog.Warningf("%s: %s\n", r.Name, r.Msgs)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
			`} else {`
flag, violations 2019-07-18 10:22:20 -07:00			`// CleanUp Violations if exists`
			`err := ws.violationBuilder.RemoveInactiveViolation(policy.Name, request.Kind.Kind, rns, rname, info.Validation)`
			`if err != nil {`
			`glog.Info(err)`
			`}`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`if len(ruleInfos) > 0 {`
			`glog.Infof("Validation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, rname, rns)`
			`}`
			`}`
			`policyInfos = append(policyInfos, policyInfo)`
cleanUp 2019-07-19 15:10:40 -07:00			`// annotations`
annotations creation,update & removal 2019-07-17 23:13:28 -07:00			`annPatch := addAnnotationsToResource(request.Object.Raw, policyInfo, info.Validation)`
annotation generation from policy controller 2019-07-17 17:53:13 -07:00			`if annPatch != nil {`
			`if annPatches == nil {`
			`annPatches = annPatch`
			`} else {`
			`annPatches, err = jsonpatch.MergePatch(annPatches, annPatch)`
			`if err != nil {`
			`glog.Error(err)`
			`}`
			`}`
			`}`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`

			`if len(policyInfos) > 0 && len(policyInfos[0].Rules) != 0 {`
flag, violations 2019-07-18 10:22:20 -07:00			`eventsInfo, violations := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), info.Validation)`
update flag & support ValidationFailureAction flag 2019-07-15 19:14:42 -07:00			`// If the validationFailureAction flag is set "report",`
			`// then we dont block the request and report the violations`
flag, violations 2019-07-18 10:22:20 -07:00			`ws.violationBuilder.Add(violations...)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`ws.eventController.Add(eventsInfo...)`
			`}`
annotations creation,update & removal 2019-07-17 23:13:28 -07:00			`// add annotations`
annotation generation from policy controller 2019-07-17 17:53:13 -07:00			`if annPatches != nil {`
			`ws.annotationsController.Add(rkind, rns, rname, annPatches)`
			`}`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// If Validation fails then reject the request`
			`ok, msg := isAdmSuccesful(policyInfos)`
update flag & support ValidationFailureAction flag 2019-07-15 19:14:42 -07:00			`// violations are created if "report" flag is set`
			`// and if there are any then we dont bock the resource creation`
			`// Even if one the policy being applied`
change flag & corrections 2019-07-16 15:53:14 -07:00
			`if !ok && toBlock(policyInfos) {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`return &v1beta1.AdmissionResponse{`
			`Allowed: false,`
			`Result: &metav1.Status{`
			`Message: msg,`
			`},`
			`}`
			`}`

			`return &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
			`// Generation rules applied via generation controller`
			`}`