2019-05-14 01:17:28 +00:00
|
|
|
package engine
|
2019-05-10 05:26:22 +00:00
|
|
|
|
|
|
|
|
import (
|
2021-04-13 18:44:43 +00:00
|
|
|
"fmt"
|
2019-08-19 23:40:10 +00:00
|
|
|
"time"
|
2020-11-18 22:31:43 +00:00
|
|
|
|
2020-03-17 18:05:20 +00:00
|
|
|
"github.com/go-logr/logr"
|
2021-07-14 21:50:28 +00:00
|
|
|
gojmespath "github.com/jmespath/go-jmespath"
|
2020-10-07 18:12:31 +00:00
|
|
|
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/mutate"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
2021-04-13 18:44:43 +00:00
|
|
|
"github.com/kyverno/kyverno/pkg/engine/utils"
|
2020-10-07 18:12:31 +00:00
|
|
|
"github.com/kyverno/kyverno/pkg/engine/variables"
|
2020-01-16 19:57:28 +00:00
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
2020-03-17 23:25:34 +00:00
|
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
2019-05-10 05:26:22 +00:00
|
|
|
)
|
|
|
|
|
|
2019-12-26 23:34:19 +00:00
|
|
|
const (
|
2020-09-01 16:11:20 +00:00
|
|
|
// PodControllerCronJob represent CronJob string
|
|
|
|
|
PodControllerCronJob = "CronJob"
|
2020-01-24 20:05:53 +00:00
|
|
|
//PodControllers stores the list of Pod-controllers in csv string
|
2020-09-01 16:11:20 +00:00
|
|
|
PodControllers = "DaemonSet,Deployment,Job,StatefulSet,CronJob"
|
2020-01-24 20:05:53 +00:00
|
|
|
//PodControllersAnnotation defines the annotation key for Pod-Controllers
|
2019-12-26 23:34:19 +00:00
|
|
|
PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
|
|
|
|
|
)
|
|
|
|
|
|
2019-05-13 18:27:47 +00:00
|
|
|
// Mutate performs mutation. Overlay first and then mutation patches
|
2020-12-23 23:10:07 +00:00
|
|
|
func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
|
|
|
|
|
resp = &response.EngineResponse{}
|
2019-08-24 01:34:23 +00:00
|
|
|
startTime := time.Now()
|
2019-11-09 02:57:27 +00:00
|
|
|
policy := policyContext.Policy
|
2020-07-09 18:48:34 +00:00
|
|
|
patchedResource := policyContext.NewResource
|
2020-12-23 23:10:07 +00:00
|
|
|
ctx := policyContext.JSONContext
|
2020-09-22 21:11:49 +00:00
|
|
|
|
|
|
|
|
resCache := policyContext.ResourceCache
|
2020-07-09 18:48:34 +00:00
|
|
|
logger := log.Log.WithName("EngineMutate").WithValues("policy", policy.Name, "kind", patchedResource.GetKind(),
|
|
|
|
|
"namespace", patchedResource.GetNamespace(), "name", patchedResource.GetName())
|
|
|
|
|
|
2020-05-26 17:36:56 +00:00
|
|
|
logger.V(4).Info("start policy processing", "startTime", startTime)
|
2020-01-16 19:57:28 +00:00
|
|
|
|
2020-12-23 23:10:07 +00:00
|
|
|
startMutateResultResponse(resp, policy, patchedResource)
|
|
|
|
|
defer endMutateResultResponse(logger, resp, startTime)
|
2020-06-24 17:26:04 +00:00
|
|
|
|
2020-12-23 23:10:07 +00:00
|
|
|
if ManagedPodResource(policy, patchedResource) {
|
2021-07-10 01:01:46 +00:00
|
|
|
logger.V(5).Info("changes to pods managed by workload controllers are not permitted", "policy", policy.GetName())
|
2020-06-24 17:26:04 +00:00
|
|
|
resp.PatchedResource = patchedResource
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-02 07:22:19 +00:00
|
|
|
policyContext.JSONContext.Checkpoint()
|
|
|
|
|
defer policyContext.JSONContext.Restore()
|
|
|
|
|
|
2021-07-28 16:54:50 +00:00
|
|
|
var err error
|
|
|
|
|
|
2019-08-24 01:34:23 +00:00
|
|
|
for _, rule := range policy.Spec.Rules {
|
2020-08-05 16:11:23 +00:00
|
|
|
if !rule.HasMutate() {
|
2019-08-24 01:34:23 +00:00
|
|
|
continue
|
|
|
|
|
}
|
2019-11-09 02:57:27 +00:00
|
|
|
|
2021-07-10 01:01:46 +00:00
|
|
|
var ruleResponse response.RuleResponse
|
|
|
|
|
logger := logger.WithValues("rule", rule.Name)
|
|
|
|
|
|
2020-08-14 19:21:06 +00:00
|
|
|
excludeResource := []string{}
|
2020-08-08 00:09:24 +00:00
|
|
|
if len(policyContext.ExcludeGroupRole) > 0 {
|
|
|
|
|
excludeResource = policyContext.ExcludeGroupRole
|
|
|
|
|
}
|
2020-12-23 23:10:07 +00:00
|
|
|
|
2021-07-28 16:54:50 +00:00
|
|
|
if err = MatchesResourceDescription(patchedResource, rule, policyContext.AdmissionInfo, excludeResource, policyContext.NamespaceLabels); err != nil {
|
2021-01-07 19:24:38 +00:00
|
|
|
logger.V(4).Info("rule not matched", "reason", err.Error())
|
2019-08-24 01:34:23 +00:00
|
|
|
continue
|
|
|
|
|
}
|
2020-10-15 00:39:45 +00:00
|
|
|
|
2021-01-07 19:24:38 +00:00
|
|
|
logger.V(3).Info("matched mutate rule")
|
|
|
|
|
|
2021-07-22 21:23:03 +00:00
|
|
|
// Restore() is meant for restoring context loaded from external lookup (APIServer & ConfigMap)
|
|
|
|
|
// while we need to keep updated resource in the JSON context as rules can be chained
|
|
|
|
|
resource, err := policyContext.JSONContext.Query("request.object")
|
2021-02-02 07:22:19 +00:00
|
|
|
policyContext.JSONContext.Restore()
|
2021-07-22 21:23:03 +00:00
|
|
|
if err == nil && resource != nil {
|
|
|
|
|
if err := ctx.AddResourceAsObject(resource.(map[string]interface{})); err != nil {
|
|
|
|
|
logger.WithName("RestoreContext").Error(err, "unable to update resource object")
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
logger.WithName("RestoreContext").Error(err, "failed to quey resource object")
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-29 17:09:44 +00:00
|
|
|
if err := LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil {
|
2021-07-14 21:50:28 +00:00
|
|
|
if _, ok := err.(gojmespath.NotFoundError); ok {
|
|
|
|
|
logger.V(3).Info("failed to load context", "reason", err.Error())
|
|
|
|
|
} else {
|
|
|
|
|
logger.Error(err, "failed to load context")
|
|
|
|
|
}
|
2020-09-22 21:11:49 +00:00
|
|
|
continue
|
|
|
|
|
}
|
2020-01-07 23:13:57 +00:00
|
|
|
|
2021-07-28 16:54:50 +00:00
|
|
|
rule.AnyAllConditions, err = variables.SubstituteAllInPreconditions(logger, ctx, rule.AnyAllConditions)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.V(3).Info("failed to substitute vars in preconditions, skip current rule", "rule name", rule.Name)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-04 20:13:41 +00:00
|
|
|
// operate on the copy of the conditions, as we perform variable substitution
|
2021-03-02 04:31:06 +00:00
|
|
|
copyConditions, err := copyConditions(rule.AnyAllConditions)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.V(2).Info("failed to load context", "reason", err.Error())
|
|
|
|
|
continue
|
|
|
|
|
}
|
2020-01-07 23:13:57 +00:00
|
|
|
// evaluate pre-conditions
|
2020-06-30 18:53:27 +00:00
|
|
|
// - handle variable substitutions
|
2021-07-28 16:54:50 +00:00
|
|
|
if !variables.EvaluateConditions(logger, ctx, copyConditions) {
|
2020-05-26 17:36:56 +00:00
|
|
|
logger.V(3).Info("resource fails the preconditions")
|
2020-01-07 23:13:57 +00:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-22 21:23:03 +00:00
|
|
|
if rule, err = variables.SubstituteAllInRule(logger, ctx, rule); err != nil {
|
2021-04-13 18:44:43 +00:00
|
|
|
ruleResp := response.RuleResponse{
|
|
|
|
|
Name: rule.Name,
|
|
|
|
|
Type: utils.Validation.String(),
|
|
|
|
|
Message: fmt.Sprintf("variable substitution failed for rule %s: %s", rule.Name, err.Error()),
|
2021-04-16 00:33:34 +00:00
|
|
|
Success: true,
|
2021-04-13 18:44:43 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
incrementAppliedCount(resp)
|
|
|
|
|
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
|
2021-04-16 00:33:34 +00:00
|
|
|
|
|
|
|
|
logger.Error(err, "failed to substitute variables, skip current rule", "rule name", rule.Name)
|
2021-04-13 18:44:43 +00:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-14 19:59:28 +00:00
|
|
|
mutation := rule.Mutation.DeepCopy()
|
2020-08-05 16:11:23 +00:00
|
|
|
mutateHandler := mutate.CreateMutateHandler(rule.Name, mutation, patchedResource, ctx, logger)
|
|
|
|
|
ruleResponse, patchedResource = mutateHandler.Handle()
|
|
|
|
|
if ruleResponse.Success {
|
|
|
|
|
// - overlay pattern does not match the resource conditions
|
|
|
|
|
if ruleResponse.Patches == nil {
|
|
|
|
|
continue
|
2019-08-24 01:34:23 +00:00
|
|
|
}
|
2020-12-23 23:10:07 +00:00
|
|
|
|
2020-08-05 16:11:23 +00:00
|
|
|
logger.V(4).Info("mutate rule applied successfully", "ruleName", rule.Name)
|
2019-08-24 01:34:23 +00:00
|
|
|
}
|
|
|
|
|
|
2021-07-22 21:37:09 +00:00
|
|
|
if err := ctx.AddResourceAsObject(patchedResource.Object); err != nil {
|
|
|
|
|
logger.Error(err, "failed to update resource in the JSON context")
|
|
|
|
|
}
|
|
|
|
|
|
2020-08-05 16:11:23 +00:00
|
|
|
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
|
2020-12-23 23:10:07 +00:00
|
|
|
incrementAppliedRuleCount(resp)
|
2020-06-26 00:24:10 +00:00
|
|
|
}
|
|
|
|
|
|
2019-12-12 23:02:59 +00:00
|
|
|
resp.PatchedResource = patchedResource
|
|
|
|
|
return resp
|
2019-08-24 01:34:23 +00:00
|
|
|
}
|
2020-04-04 17:09:21 +00:00
|
|
|
|
2020-02-14 19:59:28 +00:00
|
|
|
func incrementAppliedRuleCount(resp *response.EngineResponse) {
|
|
|
|
|
resp.PolicyResponse.RulesAppliedCount++
|
|
|
|
|
}
|
2019-12-26 23:34:19 +00:00
|
|
|
|
2020-01-16 19:57:28 +00:00
|
|
|
func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPolicy, resource unstructured.Unstructured) {
|
2020-12-23 23:10:07 +00:00
|
|
|
if resp == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-29 21:43:11 +00:00
|
|
|
resp.PolicyResponse.Policy.Name = policy.GetName()
|
|
|
|
|
resp.PolicyResponse.Policy.Namespace = policy.GetNamespace()
|
2020-01-16 19:57:28 +00:00
|
|
|
resp.PolicyResponse.Resource.Name = resource.GetName()
|
|
|
|
|
resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
|
|
|
|
|
resp.PolicyResponse.Resource.Kind = resource.GetKind()
|
|
|
|
|
resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-17 18:05:20 +00:00
|
|
|
func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {
|
2020-12-23 23:10:07 +00:00
|
|
|
if resp == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-16 19:57:28 +00:00
|
|
|
resp.PolicyResponse.ProcessingTime = time.Since(startTime)
|
2021-05-15 13:45:04 +00:00
|
|
|
resp.PolicyResponse.PolicyExecutionTimestamp = startTime.Unix()
|
2021-01-07 19:24:38 +00:00
|
|
|
logger.V(5).Info("finished processing policy", "processingTime", resp.PolicyResponse.ProcessingTime.String(), "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
|
2019-12-26 23:34:19 +00:00
|
|
|
}
|
