kyverno/pkg/webhooks/policyvalidation.go

package webhooks

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
	"github.com/nirmata/kyverno/pkg/utils"
	v1beta1 "k8s.io/api/admission/v1beta1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

//HandlePolicyValidation performs the validation check on policy resource
func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
	var policy *kyverno.ClusterPolicy
	admissionResp := &v1beta1.AdmissionResponse{
		Allowed: true,
	}

	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
	raw := request.Object.Raw
	if err := json.Unmarshal(raw, &policy); err != nil {
		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
		return &v1beta1.AdmissionResponse{Allowed: false,
			Result: &metav1.Status{
				Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),
			}}
	}

	if err := ws.validatePolicy(policy); err != nil {
		admissionResp = &v1beta1.AdmissionResponse{
			Allowed: false,
			Result: &metav1.Status{
				Message: err.Error(),
			},
		}
	}

	// helper function to evaluate if policy has validtion or mutation rules defined
	hasMutateOrValidate := func() bool {
		for _, rule := range policy.Spec.Rules {
			if rule.HasMutate() || rule.HasValidate() {
				return true
			}
		}
		return false
	}

	if admissionResp.Allowed {
		if hasMutateOrValidate() {
			// create mutating resource mutatingwebhookconfiguration if not present
			if err := ws.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration(); err != nil {
				glog.Error("failed to created resource mutating webhook configuration, policies wont be applied on the resource")
			}
		}
	}
	return admissionResp
}

func (ws *WebhookServer) validatePolicy(policy *kyverno.ClusterPolicy) error {
	// validate only one type of rule defined per rule
	if err := validateRuleType(policy); err != nil {
		return err
	}

	// validate resource description block

	// validate ^() can only be used on array

	// check for uniqueness of rule names while CREATE/DELET
	if err := validateUniqueRuleName(policy); err != nil {
		return err
	}

	if err := validateOverlayPattern(policy); err != nil {
		return err
	}

	return nil
}

// validateRuleType checks only one type of rule is defined per rule
func validateRuleType(policy *kyverno.ClusterPolicy) error {
	for _, rule := range policy.Spec.Rules {
		mutate := rule.HasMutate()
		validate := rule.HasValidate()
		generate := rule.HasGenerate()

		if !mutate && !validate && !generate {
			return fmt.Errorf("No rule defined in '%s'", rule.Name)
		}

		if (mutate && !validate && !generate) ||
			(!mutate && validate && !generate) ||
			(!mutate && !validate && generate) {
			return nil
		}

		return fmt.Errorf("Multiple types of rule defined in rule '%s', only one type of rule is allowed per rule", rule.Name)
	}

	return nil
}

// Verify if the Rule names are unique within a policy
func validateUniqueRuleName(policy *kyverno.ClusterPolicy) error {
	var ruleNames []string

	for _, rule := range policy.Spec.Rules {
		if utils.ContainsString(ruleNames, rule.Name) {
			msg := fmt.Sprintf(`The policy "%s" is invalid: duplicate rule name: "%s"`, policy.Name, rule.Name)
			glog.Errorln(msg)
			return errors.New(msg)
		}
		ruleNames = append(ruleNames, rule.Name)
	}

	glog.V(4).Infof("Policy validation passed")
	return nil
}

// validateOverlayPattern checks one of pattern/anyPattern must exist
func validateOverlayPattern(policy *kyverno.ClusterPolicy) error {
	for _, rule := range policy.Spec.Rules {
		if reflect.DeepEqual(rule.Validation, kyverno.Validation{}) {
			continue
		}

		if rule.Validation.Pattern == nil && len(rule.Validation.AnyPattern) == 0 {
			return errors.New(fmt.Sprintf("Invalid policy, neither pattern nor anyPattern found in validate rule %s", rule.Name))
		}

		if rule.Validation.Pattern != nil && len(rule.Validation.AnyPattern) != 0 {
			return errors.New(fmt.Sprintf("Invalid policy, either pattern or anyPattern is allowed in validate rule %s", rule.Name))
		}
	}

	return nil
}

func failResponseWithMsg(msg string) *v1beta1.AdmissionResponse {
	return &v1beta1.AdmissionResponse{
		Allowed: false,
		Result: &metav1.Status{
			Message: msg,
		},
	}
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
			`"encoding/json"`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`"errors"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"fmt"`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`"reflect"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`"github.com/golang/glog"`
clean up 2019-08-14 10:01:47 -07:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"github.com/nirmata/kyverno/pkg/utils"`
			`v1beta1 "k8s.io/api/admission/v1beta1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`)`

			`//HandlePolicyValidation performs the validation check on policy resource`
endpoint for policy mutation + refactor + graceful shutdown 2019-08-27 16:44:10 -07:00			`func (ws WebhookServer) handlePolicyValidation(request v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {`
change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00			`var policy *kyverno.ClusterPolicy`
implement deletion logic 2019-08-08 13:09:40 -07:00			`admissionResp := &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
return on delete request 2019-08-21 16:42:42 -07:00
endpoint for policy mutation + refactor + graceful shutdown 2019-08-27 16:44:10 -07:00			`//TODO: can this happen? wont this be picked by OpenAPI spec schema ?`
return on delete request 2019-08-21 16:42:42 -07:00			`raw := request.Object.Raw`
implement deletion logic 2019-08-08 13:09:40 -07:00			`if err := json.Unmarshal(raw, &policy); err != nil {`
			`glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)`
add anyPattern in validate rule 2019-08-21 12:38:15 -07:00			`return &v1beta1.AdmissionResponse{Allowed: false,`
			`Result: &metav1.Status{`
			`Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),`
			`}}`
implement deletion logic 2019-08-08 13:09:40 -07:00			`}`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00
			`if err := ws.validatePolicy(policy); err != nil {`
			`admissionResp = &v1beta1.AdmissionResponse{`
			`Allowed: false,`
			`Result: &metav1.Status{`
			`Message: err.Error(),`
			`},`
			`}`
			`}`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00
refactor webhook configuration 2019-09-04 13:43:12 -07:00			`// helper function to evaluate if policy has validtion or mutation rules defined`
			`hasMutateOrValidate := func() bool {`
			`for _, rule := range policy.Spec.Rules {`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`if rule.HasMutate() \|\| rule.HasValidate() {`
refactor webhook configuration 2019-09-04 13:43:12 -07:00			`return true`
			`}`
			`}`
			`return false`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`}`
implement deletion logic 2019-08-08 13:09:40 -07:00
refactor webhook configuration 2019-09-04 13:43:12 -07:00			`if admissionResp.Allowed {`
			`if hasMutateOrValidate() {`
			`// create mutating resource mutatingwebhookconfiguration if not present`
			`if err := ws.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration(); err != nil {`
			`glog.Error("failed to created resource mutating webhook configuration, policies wont be applied on the resource")`
			`}`
			`}`
			`}`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`return admissionResp`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`

only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`func (ws WebhookServer) validatePolicy(policy kyverno.ClusterPolicy) error {`
			`// validate only one type of rule defined per rule`
			`if err := validateRuleType(policy); err != nil {`
			`return err`
			`}`

			`// validate resource description block`

			`// validate ^() can only be used on array`

			`// check for uniqueness of rule names while CREATE/DELET`
			`if err := validateUniqueRuleName(policy); err != nil {`
			`return err`
			`}`

			`if err := validateOverlayPattern(policy); err != nil {`
			`return err`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`}`

only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`return nil`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`}`

only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`// validateRuleType checks only one type of rule is defined per rule`
			`func validateRuleType(policy *kyverno.ClusterPolicy) error {`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`for _, rule := range policy.Spec.Rules {`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`mutate := rule.HasMutate()`
			`validate := rule.HasValidate()`
			`generate := rule.HasGenerate()`
add anyPattern in validate rule 2019-08-21 12:38:15 -07:00
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`if !mutate && !validate && !generate {`
			`return fmt.Errorf("No rule defined in '%s'", rule.Name)`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`}`
add check for validate rule 2019-08-21 14:06:06 -07:00
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`if (mutate && !validate && !generate) \|\|`
			`(!mutate && validate && !generate) \|\|`
			`(!mutate && !validate && generate) {`
			`return nil`
add check for validate rule 2019-08-21 14:06:06 -07:00			`}`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00
			`return fmt.Errorf("Multiple types of rule defined in rule '%s', only one type of rule is allowed per rule", rule.Name)`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`}`

only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`return nil`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`}`

restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// Verify if the Rule names are unique within a policy`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`func validateUniqueRuleName(policy *kyverno.ClusterPolicy) error {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`var ruleNames []string`

			`for _, rule := range policy.Spec.Rules {`
support wild cards for namespaces in rule resource description 2019-09-12 17:11:55 -07:00			`if utils.ContainsString(ruleNames, rule.Name) {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			msg := fmt.Sprintf(`The policy "%s" is invalid: duplicate rule name: "%s"`, policy.Name, rule.Name)
			`glog.Errorln(msg)`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`return errors.New(msg)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
			`ruleNames = append(ruleNames, rule.Name)`
			`}`

update document 2019-08-21 18:47:49 -07:00			`glog.V(4).Infof("Policy validation passed")`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`return nil`
			`}`

			`// validateOverlayPattern checks one of pattern/anyPattern must exist`
			`func validateOverlayPattern(policy *kyverno.ClusterPolicy) error {`
			`for _, rule := range policy.Spec.Rules {`
			`if reflect.DeepEqual(rule.Validation, kyverno.Validation{}) {`
			`continue`
			`}`

			`if rule.Validation.Pattern == nil && len(rule.Validation.AnyPattern) == 0 {`
			`return errors.New(fmt.Sprintf("Invalid policy, neither pattern nor anyPattern found in validate rule %s", rule.Name))`
			`}`

			`if rule.Validation.Pattern != nil && len(rule.Validation.AnyPattern) != 0 {`
			`return errors.New(fmt.Sprintf("Invalid policy, either pattern or anyPattern is allowed in validate rule %s", rule.Name))`
			`}`
			`}`

			`return nil`
			`}`

			`func failResponseWithMsg(msg string) *v1beta1.AdmissionResponse {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`return &v1beta1.AdmissionResponse{`
only allow one type of rule defined in a single rule 2019-09-26 18:02:24 -07:00			`Allowed: false,`
			`Result: &metav1.Status{`
			`Message: msg,`
			`},`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
			`}`