2019-05-13 18:17:28 -07:00
|
|
|
package engine
|
|
|
|
|
|
2019-05-14 18:10:25 +03:00
|
|
|
import (
|
2022-12-09 14:45:11 +01:00
|
|
|
"context"
|
2021-09-26 02:12:31 -07:00
|
|
|
"encoding/json"
|
2019-06-20 18:21:55 +03:00
|
|
|
"fmt"
|
|
|
|
|
"reflect"
|
2020-12-07 11:26:04 -08:00
|
|
|
"strings"
|
2019-08-19 16:40:10 -07:00
|
|
|
"time"
|
2019-05-16 19:31:02 +03:00
|
|
|
|
2022-05-17 07:56:48 +02:00
|
|
|
"github.com/go-logr/logr"
|
|
|
|
|
gojmespath "github.com/jmespath/go-jmespath"
|
2022-05-17 13:12:43 +02:00
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
2022-03-28 16:01:27 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/autogen"
|
2023-01-02 18:14:40 +01:00
|
|
|
"github.com/kyverno/kyverno/pkg/config"
|
2023-01-30 12:41:09 +01:00
|
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
2023-02-07 05:30:15 +01:00
|
|
|
"github.com/kyverno/kyverno/pkg/engine/internal"
|
2020-10-07 11:12:31 -07:00
|
|
|
"github.com/kyverno/kyverno/pkg/engine/validate"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/variables"
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/pss"
|
2022-12-12 21:32:11 +01:00
|
|
|
"github.com/kyverno/kyverno/pkg/tracing"
|
2022-12-12 07:20:20 -08:00
|
|
|
"github.com/kyverno/kyverno/pkg/utils/api"
|
2022-12-22 07:39:54 +01:00
|
|
|
datautils "github.com/kyverno/kyverno/pkg/utils/data"
|
2022-12-12 21:32:11 +01:00
|
|
|
"go.opentelemetry.io/otel/trace"
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
appsv1 "k8s.io/api/apps/v1"
|
|
|
|
|
batchv1 "k8s.io/api/batch/v1"
|
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
2022-05-17 07:56:48 +02:00
|
|
|
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2019-08-13 11:32:12 -07:00
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
2019-05-14 18:10:25 +03:00
|
|
|
)
|
|
|
|
|
|
2023-02-06 13:49:04 +01:00
|
|
|
func (e *engine) validate(
|
2023-01-31 15:30:40 +01:00
|
|
|
ctx context.Context,
|
2023-01-31 16:28:48 +01:00
|
|
|
policyContext engineapi.PolicyContext,
|
2023-02-07 05:30:15 +01:00
|
|
|
) *engineapi.EngineResponse {
|
2019-09-03 15:48:13 -07:00
|
|
|
startTime := time.Now()
|
2023-02-07 05:30:15 +01:00
|
|
|
logger := internal.BuildLogger(policyContext)
|
2022-04-19 08:35:12 -07:00
|
|
|
logger.V(4).Info("start validate policy processing", "startTime", startTime)
|
2023-02-07 17:51:25 +01:00
|
|
|
policyResponse := e.validateResource(ctx, logger, policyContext)
|
|
|
|
|
defer logger.V(4).Info("finished policy processing", "processingTime", policyResponse.ProcessingTime.String(), "validationRulesApplied", policyResponse.RulesAppliedCount)
|
|
|
|
|
engineResponse := &engineapi.EngineResponse{PolicyResponse: *policyResponse}
|
|
|
|
|
return internal.BuildResponse(policyContext, engineResponse, startTime)
|
2020-01-09 17:44:11 -08:00
|
|
|
}
|
|
|
|
|
|
2023-02-06 13:49:04 +01:00
|
|
|
func (e *engine) validateResource(
|
2023-01-31 15:30:40 +01:00
|
|
|
ctx context.Context,
|
|
|
|
|
log logr.Logger,
|
2023-01-31 16:28:48 +01:00
|
|
|
enginectx engineapi.PolicyContext,
|
2023-02-07 17:51:25 +01:00
|
|
|
) *engineapi.PolicyResponse {
|
|
|
|
|
resp := &engineapi.PolicyResponse{}
|
2020-12-23 15:10:07 -08:00
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
enginectx.JSONContext().Checkpoint()
|
|
|
|
|
defer enginectx.JSONContext().Restore()
|
2021-02-01 23:22:19 -08:00
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
rules := autogen.ComputeRules(enginectx.Policy())
|
2022-07-29 00:02:26 -07:00
|
|
|
matchCount := 0
|
2023-01-31 16:28:48 +01:00
|
|
|
applyRules := enginectx.Policy().GetSpec().GetApplyRules()
|
|
|
|
|
newResource := enginectx.NewResource()
|
|
|
|
|
oldResource := enginectx.OldResource()
|
2022-07-29 00:02:26 -07:00
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
if enginectx.Policy().IsNamespaced() {
|
|
|
|
|
polNs := enginectx.Policy().GetNamespace()
|
|
|
|
|
if enginectx.NewResource().Object != nil && (newResource.GetNamespace() != polNs || newResource.GetNamespace() == "") {
|
2022-09-26 06:47:37 +02:00
|
|
|
return resp
|
|
|
|
|
}
|
2023-01-31 16:28:48 +01:00
|
|
|
if enginectx.OldResource().Object != nil && (oldResource.GetNamespace() != polNs || oldResource.GetNamespace() == "") {
|
2022-09-26 06:47:37 +02:00
|
|
|
return resp
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-09 16:28:31 +01:00
|
|
|
for i := range rules {
|
|
|
|
|
rule := &rules[i]
|
2022-07-29 00:02:26 -07:00
|
|
|
log.V(3).Info("processing validation rule", "matchCount", matchCount, "applyRules", applyRules)
|
2023-01-31 16:28:48 +01:00
|
|
|
enginectx.JSONContext().Reset()
|
2021-09-26 02:12:31 -07:00
|
|
|
startTime := time.Now()
|
2022-12-12 21:32:11 +01:00
|
|
|
ruleResp := tracing.ChildSpan1(
|
|
|
|
|
ctx,
|
|
|
|
|
"pkg/engine",
|
|
|
|
|
fmt.Sprintf("RULE %s", rule.Name),
|
2023-01-30 12:41:09 +01:00
|
|
|
func(ctx context.Context, span trace.Span) *engineapi.RuleResponse {
|
2022-12-12 21:32:11 +01:00
|
|
|
hasValidate := rule.HasValidate()
|
|
|
|
|
hasValidateImage := rule.HasImagesValidationChecks()
|
|
|
|
|
hasYAMLSignatureVerify := rule.HasYAMLSignatureVerify()
|
|
|
|
|
if !hasValidate && !hasValidateImage {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
log = log.WithValues("rule", rule.Name)
|
2023-01-05 11:53:44 +05:30
|
|
|
kindsInPolicy := append(rule.MatchResources.GetKinds(), rule.ExcludeResources.GetKinds()...)
|
2023-02-07 16:09:15 +01:00
|
|
|
subresourceGVKToAPIResource := GetSubresourceGVKToAPIResourceMap(e.client, kindsInPolicy, enginectx)
|
2023-01-05 11:53:44 +05:30
|
|
|
|
2023-02-06 13:49:04 +01:00
|
|
|
if !matches(log, rule, enginectx, subresourceGVKToAPIResource, e.configuration) {
|
2022-12-12 21:32:11 +01:00
|
|
|
return nil
|
|
|
|
|
}
|
2022-12-20 23:35:26 -05:00
|
|
|
// check if there is a corresponding policy exception
|
2023-02-07 17:51:25 +01:00
|
|
|
ruleResp := hasPolicyExceptions(log, engineapi.Validation, e.exceptionSelector, enginectx, rule, subresourceGVKToAPIResource, e.configuration)
|
2022-12-20 23:35:26 -05:00
|
|
|
if ruleResp != nil {
|
|
|
|
|
return ruleResp
|
2022-12-16 04:13:14 -05:00
|
|
|
}
|
2022-12-12 21:32:11 +01:00
|
|
|
log.V(3).Info("processing validation rule", "matchCount", matchCount, "applyRules", applyRules)
|
2023-01-31 16:28:48 +01:00
|
|
|
enginectx.JSONContext().Reset()
|
2022-12-12 21:32:11 +01:00
|
|
|
if hasValidate && !hasYAMLSignatureVerify {
|
2023-02-06 13:49:04 +01:00
|
|
|
return e.processValidationRule(ctx, log, enginectx, rule)
|
2022-12-12 21:32:11 +01:00
|
|
|
} else if hasValidateImage {
|
2023-02-06 13:49:04 +01:00
|
|
|
return e.processImageValidationRule(ctx, log, enginectx, rule)
|
2022-12-12 21:32:11 +01:00
|
|
|
} else if hasYAMLSignatureVerify {
|
2023-02-07 16:09:15 +01:00
|
|
|
return processYAMLValidationRule(e.client, log, enginectx, rule)
|
2022-12-12 21:32:11 +01:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
)
|
2021-09-26 02:12:31 -07:00
|
|
|
if ruleResp != nil {
|
2023-02-07 17:51:25 +01:00
|
|
|
internal.AddRuleResponse(resp, ruleResp, startTime)
|
|
|
|
|
log.V(4).Info("finished processing rule", "processingTime", ruleResp.ExecutionStats.ProcessingTime.String())
|
|
|
|
|
}
|
|
|
|
|
if applyRules == kyvernov1.ApplyOne && resp.RulesAppliedCount > 0 {
|
|
|
|
|
break
|
2019-09-03 15:48:13 -07:00
|
|
|
}
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
2020-01-07 15:13:57 -08:00
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
return resp
|
|
|
|
|
}
|
2021-01-07 11:24:38 -08:00
|
|
|
|
2023-02-06 13:49:04 +01:00
|
|
|
func (e *engine) processValidationRule(
|
2023-01-31 15:30:40 +01:00
|
|
|
ctx context.Context,
|
|
|
|
|
log logr.Logger,
|
2023-01-31 16:28:48 +01:00
|
|
|
policyContext engineapi.PolicyContext,
|
2023-01-31 15:30:40 +01:00
|
|
|
rule *kyvernov1.Rule,
|
|
|
|
|
) *engineapi.RuleResponse {
|
2023-02-06 13:49:04 +01:00
|
|
|
v := newValidator(log, e.contextLoader, policyContext, rule)
|
2022-12-09 14:45:11 +01:00
|
|
|
return v.validate(ctx)
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type validator struct {
|
2021-09-27 23:40:05 -07:00
|
|
|
log logr.Logger
|
2023-01-31 16:28:48 +01:00
|
|
|
policyContext engineapi.PolicyContext
|
2022-05-17 13:12:43 +02:00
|
|
|
rule *kyvernov1.Rule
|
|
|
|
|
contextEntries []kyvernov1.ContextEntry
|
2021-09-26 02:12:31 -07:00
|
|
|
anyAllConditions apiextensions.JSON
|
2021-09-27 23:40:05 -07:00
|
|
|
pattern apiextensions.JSON
|
|
|
|
|
anyPattern apiextensions.JSON
|
2022-05-17 13:12:43 +02:00
|
|
|
deny *kyvernov1.Deny
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
podSecurity *kyvernov1.PodSecurity
|
2022-12-12 11:24:13 -08:00
|
|
|
forEach []kyvernov1.ForEachValidation
|
2023-02-02 11:58:34 +01:00
|
|
|
contextLoader engineapi.ContextLoaderFactory
|
2022-12-12 07:20:20 -08:00
|
|
|
nesting int
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
|
2023-02-02 11:58:34 +01:00
|
|
|
func newValidator(log logr.Logger, contextLoader engineapi.ContextLoaderFactory, ctx engineapi.PolicyContext, rule *kyvernov1.Rule) *validator {
|
2021-09-26 02:12:31 -07:00
|
|
|
ruleCopy := rule.DeepCopy()
|
|
|
|
|
return &validator{
|
2021-09-27 23:40:05 -07:00
|
|
|
log: log,
|
|
|
|
|
rule: ruleCopy,
|
2022-12-12 07:20:20 -08:00
|
|
|
policyContext: ctx,
|
2023-01-31 15:30:40 +01:00
|
|
|
contextLoader: contextLoader,
|
2021-09-27 23:40:05 -07:00
|
|
|
contextEntries: ruleCopy.Context,
|
2022-03-06 20:07:51 +01:00
|
|
|
anyAllConditions: ruleCopy.GetAnyAllConditions(),
|
|
|
|
|
pattern: ruleCopy.Validation.GetPattern(),
|
|
|
|
|
anyPattern: ruleCopy.Validation.GetAnyPattern(),
|
2021-09-27 23:40:05 -07:00
|
|
|
deny: ruleCopy.Validation.Deny,
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
podSecurity: ruleCopy.Validation.PodSecurity,
|
2022-12-12 11:24:13 -08:00
|
|
|
forEach: ruleCopy.Validation.ForEachValidation,
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-31 15:30:40 +01:00
|
|
|
func newForEachValidator(
|
|
|
|
|
foreach kyvernov1.ForEachValidation,
|
2023-02-02 11:58:34 +01:00
|
|
|
contextLoader engineapi.ContextLoaderFactory,
|
2023-01-31 15:30:40 +01:00
|
|
|
nesting int,
|
|
|
|
|
rule *kyvernov1.Rule,
|
2023-01-31 16:28:48 +01:00
|
|
|
ctx engineapi.PolicyContext,
|
2023-01-31 15:30:40 +01:00
|
|
|
log logr.Logger,
|
|
|
|
|
) (*validator, error) {
|
2021-09-26 02:12:31 -07:00
|
|
|
ruleCopy := rule.DeepCopy()
|
2022-12-22 07:39:54 +01:00
|
|
|
anyAllConditions, err := datautils.ToMap(foreach.AnyAllConditions)
|
2021-10-19 15:34:53 +05:30
|
|
|
if err != nil {
|
2023-02-01 14:38:04 +08:00
|
|
|
return nil, fmt.Errorf("failed to convert ruleCopy.Validation.ForEachValidation.AnyAllConditions: %w", err)
|
2022-12-12 07:20:20 -08:00
|
|
|
}
|
|
|
|
|
|
2022-12-12 11:24:13 -08:00
|
|
|
nestedForEach, err := api.DeserializeJSONArray[kyvernov1.ForEachValidation](foreach.ForEachValidation)
|
2022-12-12 07:20:20 -08:00
|
|
|
if err != nil {
|
2023-02-01 14:38:04 +08:00
|
|
|
return nil, fmt.Errorf("failed to convert ruleCopy.Validation.ForEachValidation.AnyAllConditions: %w", err)
|
2021-10-19 15:34:53 +05:30
|
|
|
}
|
2022-01-04 17:36:33 -08:00
|
|
|
|
2021-10-19 15:34:53 +05:30
|
|
|
return &validator{
|
|
|
|
|
log: log,
|
2022-12-12 07:20:20 -08:00
|
|
|
policyContext: ctx,
|
2021-10-19 15:34:53 +05:30
|
|
|
rule: ruleCopy,
|
2023-01-31 15:30:40 +01:00
|
|
|
contextLoader: contextLoader,
|
2022-01-04 17:36:33 -08:00
|
|
|
contextEntries: foreach.Context,
|
2021-10-19 15:34:53 +05:30
|
|
|
anyAllConditions: anyAllConditions,
|
2022-03-06 20:07:51 +01:00
|
|
|
pattern: foreach.GetPattern(),
|
|
|
|
|
anyPattern: foreach.GetAnyPattern(),
|
2022-01-04 17:36:33 -08:00
|
|
|
deny: foreach.Deny,
|
2022-12-12 11:24:13 -08:00
|
|
|
forEach: nestedForEach,
|
2022-12-12 07:20:20 -08:00
|
|
|
nesting: nesting,
|
|
|
|
|
}, nil
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
|
2023-01-30 12:41:09 +01:00
|
|
|
func (v *validator) validate(ctx context.Context) *engineapi.RuleResponse {
|
2022-12-09 14:45:11 +01:00
|
|
|
if err := v.loadContext(ctx); err != nil {
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "failed to load context", err)
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
|
2023-02-07 17:51:25 +01:00
|
|
|
preconditionsPassed, err := internal.CheckPreconditions(v.log, v.policyContext, v.anyAllConditions)
|
2021-09-26 02:12:31 -07:00
|
|
|
if err != nil {
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "failed to evaluate preconditions", err)
|
2022-01-04 17:36:33 -08:00
|
|
|
}
|
2022-04-27 08:09:52 -07:00
|
|
|
|
2022-07-14 09:35:27 +05:30
|
|
|
if !preconditionsPassed {
|
2023-02-07 17:51:25 +01:00
|
|
|
return internal.RuleSkip(v.rule, engineapi.Validation, "preconditions not met")
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
|
2022-02-17 09:18:49 -08:00
|
|
|
if v.deny != nil {
|
|
|
|
|
return v.validateDeny()
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-27 14:28:55 -07:00
|
|
|
if v.pattern != nil || v.anyPattern != nil {
|
2021-09-26 02:12:31 -07:00
|
|
|
if err = v.substitutePatterns(); err != nil {
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "variable substitution failed", err)
|
2021-07-28 19:54:50 +03:00
|
|
|
}
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
ruleResponse := v.validateResourceWithRule()
|
|
|
|
|
return ruleResponse
|
|
|
|
|
}
|
2022-09-10 09:58:10 -07:00
|
|
|
|
|
|
|
|
if v.podSecurity != nil {
|
2022-12-12 07:20:20 -08:00
|
|
|
if !isDeleteRequest(v.policyContext) {
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
ruleResponse := v.validatePodSecurity()
|
|
|
|
|
return ruleResponse
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-09-26 02:12:31 -07:00
|
|
|
|
2022-12-12 11:24:13 -08:00
|
|
|
if v.forEach != nil {
|
2022-12-12 07:20:20 -08:00
|
|
|
ruleResponse := v.validateForEach(ctx)
|
|
|
|
|
return ruleResponse
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-10 09:58:10 -07:00
|
|
|
v.log.V(2).Info("invalid validation rule: podSecurity, patterns, or deny expected")
|
2021-09-26 02:12:31 -07:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-30 12:41:09 +01:00
|
|
|
func (v *validator) validateForEach(ctx context.Context) *engineapi.RuleResponse {
|
2021-10-14 12:50:52 +05:30
|
|
|
applyCount := 0
|
2022-12-12 11:24:13 -08:00
|
|
|
for _, foreach := range v.forEach {
|
2023-02-07 05:30:15 +01:00
|
|
|
elements, err := evaluateList(foreach.List, v.policyContext.JSONContext())
|
2021-10-14 12:50:52 +05:30
|
|
|
if err != nil {
|
2022-08-18 18:54:59 +05:30
|
|
|
v.log.V(2).Info("failed to evaluate list", "list", foreach.List, "error", err.Error())
|
2021-10-19 15:34:53 +05:30
|
|
|
continue
|
2021-03-02 10:01:06 +05:30
|
|
|
}
|
2023-01-31 15:30:40 +01:00
|
|
|
resp, count := v.validateElements(ctx, foreach, elements, foreach.ElementScope)
|
2023-01-30 12:41:09 +01:00
|
|
|
if resp.Status != engineapi.RuleStatusPass {
|
2022-01-04 17:36:33 -08:00
|
|
|
return resp
|
2021-10-14 12:50:52 +05:30
|
|
|
}
|
2022-01-04 17:36:33 -08:00
|
|
|
applyCount += count
|
2021-09-27 23:40:05 -07:00
|
|
|
}
|
|
|
|
|
if applyCount == 0 {
|
2022-12-12 11:24:13 -08:00
|
|
|
if v.forEach == nil {
|
2022-12-12 07:20:20 -08:00
|
|
|
return nil
|
|
|
|
|
}
|
2023-02-07 17:51:25 +01:00
|
|
|
return internal.RuleSkip(v.rule, engineapi.Validation, "rule skipped")
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, "rule passed", engineapi.RuleStatusPass)
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
2021-07-28 19:54:50 +03:00
|
|
|
|
2023-01-31 15:30:40 +01:00
|
|
|
func (v *validator) validateElements(ctx context.Context, foreach kyvernov1.ForEachValidation, elements []interface{}, elementScope *bool) (*engineapi.RuleResponse, int) {
|
2023-01-31 16:28:48 +01:00
|
|
|
v.policyContext.JSONContext().Checkpoint()
|
|
|
|
|
defer v.policyContext.JSONContext().Restore()
|
2022-01-04 17:36:33 -08:00
|
|
|
applyCount := 0
|
|
|
|
|
|
2023-01-30 16:30:47 +01:00
|
|
|
for index, element := range elements {
|
|
|
|
|
if element == nil {
|
2022-11-04 15:05:25 +05:30
|
|
|
continue
|
|
|
|
|
}
|
2022-12-12 07:20:20 -08:00
|
|
|
|
|
|
|
|
v.policyContext.JSONContext().Reset()
|
|
|
|
|
policyContext := v.policyContext.Copy()
|
2023-01-30 16:30:47 +01:00
|
|
|
if err := addElementToContext(policyContext, element, index, v.nesting, elementScope); err != nil {
|
2022-01-04 17:36:33 -08:00
|
|
|
v.log.Error(err, "failed to add element to context")
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "failed to process foreach", err), applyCount
|
2022-01-04 17:36:33 -08:00
|
|
|
}
|
|
|
|
|
|
2023-01-31 15:30:40 +01:00
|
|
|
foreachValidator, err := newForEachValidator(foreach, v.contextLoader, v.nesting+1, v.rule, policyContext, v.log)
|
2022-12-12 07:20:20 -08:00
|
|
|
if err != nil {
|
|
|
|
|
v.log.Error(err, "failed to create foreach validator")
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "failed to create foreach validator", err), applyCount
|
2022-12-12 07:20:20 -08:00
|
|
|
}
|
|
|
|
|
|
2022-12-09 14:45:11 +01:00
|
|
|
r := foreachValidator.validate(ctx)
|
2022-01-04 17:36:33 -08:00
|
|
|
if r == nil {
|
2022-08-18 18:54:59 +05:30
|
|
|
v.log.V(2).Info("skip rule due to empty result")
|
2022-01-04 17:36:33 -08:00
|
|
|
continue
|
2023-01-30 12:41:09 +01:00
|
|
|
} else if r.Status == engineapi.RuleStatusSkip {
|
2022-08-18 18:54:59 +05:30
|
|
|
v.log.V(2).Info("skip rule", "reason", r.Message)
|
2022-01-04 17:36:33 -08:00
|
|
|
continue
|
2023-01-30 12:41:09 +01:00
|
|
|
} else if r.Status != engineapi.RuleStatusPass {
|
|
|
|
|
if r.Status == engineapi.RuleStatusError {
|
2023-01-30 16:30:47 +01:00
|
|
|
if index < len(elements)-1 {
|
2022-08-18 10:04:36 +05:30
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
msg := fmt.Sprintf("validation failure: %v", r.Message)
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, msg, r.Status), applyCount
|
2022-08-18 10:04:36 +05:30
|
|
|
}
|
2022-01-23 05:54:22 -08:00
|
|
|
msg := fmt.Sprintf("validation failure: %v", r.Message)
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, msg, r.Status), applyCount
|
2022-01-04 17:36:33 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
applyCount++
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, "", engineapi.RuleStatusPass), applyCount
|
2022-01-04 17:36:33 -08:00
|
|
|
}
|
|
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
func addElementToContext(ctx engineapi.PolicyContext, element interface{}, index, nesting int, elementScope *bool) error {
|
2023-01-30 16:30:47 +01:00
|
|
|
data, err := variables.DocumentToUntyped(element)
|
2021-09-27 14:28:55 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2023-01-30 16:30:47 +01:00
|
|
|
if err := ctx.JSONContext().AddElement(data, index, nesting); err != nil {
|
2023-02-01 14:38:04 +08:00
|
|
|
return fmt.Errorf("failed to add element (%v) to JSON context: %w", element, err)
|
2021-09-27 14:28:55 -07:00
|
|
|
}
|
2022-05-02 17:39:37 +01:00
|
|
|
dataMap, ok := data.(map[string]interface{})
|
|
|
|
|
// We set scoped to true by default if the data is a map
|
|
|
|
|
// otherwise we do not do element scoped foreach unless the user
|
|
|
|
|
// has explicitly set it to true
|
|
|
|
|
scoped := ok
|
|
|
|
|
|
|
|
|
|
// If the user has explicitly provided an element scope
|
|
|
|
|
// we check if data is a map or not. In case it is not a map and the user
|
|
|
|
|
// has set elementscoped to true, we throw an error.
|
|
|
|
|
// Otherwise we set the value to what is specified by the user.
|
|
|
|
|
if elementScope != nil {
|
|
|
|
|
if *elementScope && !ok {
|
|
|
|
|
return fmt.Errorf("cannot use elementScope=true foreach rules for elements that are not maps, expected type=map got type=%T", data)
|
|
|
|
|
}
|
|
|
|
|
scoped = *elementScope
|
|
|
|
|
}
|
|
|
|
|
if scoped {
|
2022-01-04 17:36:33 -08:00
|
|
|
u := unstructured.Unstructured{}
|
2022-05-02 17:39:37 +01:00
|
|
|
u.SetUnstructuredContent(dataMap)
|
2023-01-31 16:28:48 +01:00
|
|
|
ctx.SetElement(u)
|
2022-01-04 17:36:33 -08:00
|
|
|
}
|
2021-09-27 14:28:55 -07:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-09 14:45:11 +01:00
|
|
|
func (v *validator) loadContext(ctx context.Context) error {
|
2023-02-07 05:30:15 +01:00
|
|
|
if err := internal.LoadContext(ctx, v.contextLoader, v.contextEntries, v.policyContext, v.rule.Name); err != nil {
|
2021-09-26 02:12:31 -07:00
|
|
|
if _, ok := err.(gojmespath.NotFoundError); ok {
|
|
|
|
|
v.log.V(3).Info("failed to load context", "reason", err.Error())
|
|
|
|
|
} else {
|
|
|
|
|
v.log.Error(err, "failed to load context")
|
2020-12-23 15:10:07 -08:00
|
|
|
}
|
2021-09-26 02:12:31 -07:00
|
|
|
|
|
|
|
|
return err
|
2020-05-05 19:19:47 +05:30
|
|
|
}
|
2020-12-23 15:10:07 -08:00
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
return nil
|
2020-05-05 19:19:47 +05:30
|
|
|
}
|
|
|
|
|
|
2023-01-30 12:41:09 +01:00
|
|
|
func (v *validator) validateDeny() *engineapi.RuleResponse {
|
2023-02-07 17:51:25 +01:00
|
|
|
if deny, err := internal.CheckDenyPreconditions(v.log, v.policyContext, v.deny.GetAnyAllConditions()); err != nil {
|
|
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "failed to check deny preconditions", err)
|
|
|
|
|
} else {
|
|
|
|
|
if deny {
|
|
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, v.getDenyMessage(deny), engineapi.RuleStatusFail)
|
|
|
|
|
}
|
|
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, v.getDenyMessage(deny), engineapi.RuleStatusPass)
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (v *validator) getDenyMessage(deny bool) string {
|
|
|
|
|
if !deny {
|
|
|
|
|
return fmt.Sprintf("validation rule '%s' passed.", v.rule.Name)
|
|
|
|
|
}
|
|
|
|
|
msg := v.rule.Validation.Message
|
|
|
|
|
if msg == "" {
|
|
|
|
|
return fmt.Sprintf("validation error: rule %s failed", v.rule.Name)
|
|
|
|
|
}
|
2023-01-31 16:28:48 +01:00
|
|
|
raw, err := variables.SubstituteAll(v.log, v.policyContext.JSONContext(), msg)
|
2021-09-26 02:12:31 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return msg
|
|
|
|
|
}
|
2022-12-13 21:30:36 +01:00
|
|
|
switch typed := raw.(type) {
|
|
|
|
|
case string:
|
|
|
|
|
return typed
|
|
|
|
|
default:
|
|
|
|
|
return "the produced message didn't resolve to a string, check your policy definition."
|
|
|
|
|
}
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
|
|
|
|
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
func getSpec(v *validator) (podSpec *corev1.PodSpec, metadata *metav1.ObjectMeta, err error) {
|
2023-01-31 16:28:48 +01:00
|
|
|
newResource := v.policyContext.NewResource()
|
|
|
|
|
kind := newResource.GetKind()
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
|
2022-11-15 01:35:05 +05:30
|
|
|
if kind == "DaemonSet" || kind == "Deployment" || kind == "Job" || kind == "StatefulSet" || kind == "ReplicaSet" || kind == "ReplicationController" {
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
var deployment appsv1.Deployment
|
|
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
resourceBytes, err := newResource.MarshalJSON()
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
err = json.Unmarshal(resourceBytes, &deployment)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
podSpec = &deployment.Spec.Template.Spec
|
|
|
|
|
metadata = &deployment.Spec.Template.ObjectMeta
|
|
|
|
|
return podSpec, metadata, nil
|
|
|
|
|
} else if kind == "CronJob" {
|
|
|
|
|
var cronJob batchv1.CronJob
|
|
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
resourceBytes, err := newResource.MarshalJSON()
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
err = json.Unmarshal(resourceBytes, &cronJob)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
podSpec = &cronJob.Spec.JobTemplate.Spec.Template.Spec
|
|
|
|
|
metadata = &cronJob.Spec.JobTemplate.ObjectMeta
|
|
|
|
|
} else if kind == "Pod" {
|
|
|
|
|
var pod corev1.Pod
|
|
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
resourceBytes, err := newResource.MarshalJSON()
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
err = json.Unmarshal(resourceBytes, &pod)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
podSpec = &pod.Spec
|
|
|
|
|
metadata = &pod.ObjectMeta
|
|
|
|
|
return podSpec, metadata, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
return podSpec, metadata, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Unstructured
|
2023-01-30 12:41:09 +01:00
|
|
|
func (v *validator) validatePodSecurity() *engineapi.RuleResponse {
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
// Marshal pod metadata and spec
|
|
|
|
|
podSpec, metadata, err := getSpec(v)
|
|
|
|
|
if err != nil {
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "Error while getting new resource", err)
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pod := &corev1.Pod{
|
|
|
|
|
Spec: *podSpec,
|
|
|
|
|
ObjectMeta: *metadata,
|
|
|
|
|
}
|
2022-09-28 18:03:53 +08:00
|
|
|
allowed, pssChecks, err := pss.EvaluatePod(v.podSecurity, pod)
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
if err != nil {
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleError(v.rule, engineapi.Validation, "failed to parse pod security api version", err)
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
}
|
2023-01-30 12:41:09 +01:00
|
|
|
podSecurityChecks := &engineapi.PodSecurityChecks{
|
2022-12-20 06:57:23 +01:00
|
|
|
Level: v.podSecurity.Level,
|
|
|
|
|
Version: v.podSecurity.Version,
|
|
|
|
|
Checks: pssChecks,
|
|
|
|
|
}
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
if allowed {
|
|
|
|
|
msg := fmt.Sprintf("Validation rule '%s' passed.", v.rule.Name)
|
2023-02-07 05:30:15 +01:00
|
|
|
rspn := internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusPass)
|
2022-12-20 06:57:23 +01:00
|
|
|
rspn.PodSecurityChecks = podSecurityChecks
|
|
|
|
|
return rspn
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
} else {
|
2022-09-28 18:03:53 +08:00
|
|
|
msg := fmt.Sprintf(`Validation rule '%s' failed. It violates PodSecurity "%s:%s": %s`, v.rule.Name, v.podSecurity.Level, v.podSecurity.Version, pss.FormatChecksPrint(pssChecks))
|
2023-02-07 05:30:15 +01:00
|
|
|
rspn := internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusFail)
|
2022-12-20 06:57:23 +01:00
|
|
|
rspn.PodSecurityChecks = podSecurityChecks
|
|
|
|
|
return rspn
|
Extend Pod Security Admission (#4364)
* init commit for pss
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add test for Volume Type control
* add test for App Armor control except ExemptProfile. Fix PSS profile check in EvaluatePSS()
* remove unused code, still a JMESPATH problem with app armor ExemptProfile()
* test for Host Process / Host Namespaces controls
* test for Privileged containers controls
* test for HostPathVolume control
* test for HostPorts control
* test for HostPorts control
* test for SELinux control
* test for Proc mount type control
* Set to baseline
* test for Seccomp control
* test for Sysctl control
* test for Privilege escalation control
* test for Run as non root control
* test for Restricted Seccomp control
* Add problems to address
* add solutions to problems
* Add validate rule for PSA
* api.Version --> string. latest by default
* Exclude all values for a restrictedField
* add tests for kyverno engine
* code to be used to match kyverno rule's namespace
* Refacto pkg/pss
* fix multiple problems: not matching containers, add contains methods, select the right container when we have the same exclude.RestrictedField for multiple containers:
* EvaluatePod
* Use EvaluatePod in kyverno engine
* Set pod instead of container in context to use full Jmespath. e.g.: securityContext.capabilities.add --> spec.containers[*].securityContext.capabilities.add
* Check if PSSCheckResult matched at least one exclude value
* add tests for engine
* fix engine validation test
* config
* update go.mod and go.sum
* crds
* Check validate value: add PodSecurity
* exclude all restrictedFields when we only specify the controlName
* ExemptProfile(): check if exclud.RestrictedField matches at least one restrictedField.path
* handle containers, initContainers, ephemeralContainers when we only specify the controlName (all restrictedFields are excluded)
* refacto pks/pss/evaluate.go and add pkg/engine/validation_test.go
* add all controls with containers in restrictedFields as comments
* add tests for capabilities and privileged containers and fix some errors
* add tests for host ports control
* add tests for proc mount control
* add tests for privilege escalation control
* add tests for capabilities control
* remove comments
* new algo
* refacto algo, working. Add test for hostProcess control
* remove unused code
* fix getPodWithNotMatchingContainers(), add tests for host namespaces control
* refacto ExemptProfile()
* get values for a specific container. add test for SELinuxOptions control
* fix allowedValues for SELinuxOptions
* add tests for seccompProfile_baseline control
* refacto checkContainers(), add test for seccomp control
* add test for running as non root control
* add some tests for runAsUser control, have to update current PSA version
* add sysctls control
* add allowed values for restrictedVolumes control
* add some tests for appArmor, volume types controls
* add tests for volume types control
* add tests for hostPath volume control
* finish merge conflicts and add tests for runAsUser
* update charts and crds
* exclude.images optional
* change volume types control exclude values
* add appAmor control
* fix: did not match any exclude value for pod-level restrictedFields
* create autogen for validate.PodSecurity
* clean code, remove logs
* fix sonatype lift errors
* fix sonatype lift errors: duplication
* fix crash in pkg/policy/validate/ tests and unmarshall errors for pkg/engine tests
* beginning of autogen implement for validate.exclude
* Autogen for validation.PodSecurity
* working autogen with simple tests
* change validate.PodSecurity failure response format
* make codegen
* fix lint errors, remove debug prints
* fix tags
* fix tags
* fix crash when deleting pods matching validate.podSecurity rule. Only check validatePodSecurity() when it's not a delete request
* Changes requested
* Changes requested 2
* Changes requested 3
* Changes requested 4
* Changes requested and make codegen
* fix host namespaces control
* fix lint
* fix codegen error
* update docs/crd/v1/index.html
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* fix path
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update crd schema
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update charts/kyverno/templates/crds.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
2022-08-31 11:16:31 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-30 12:41:09 +01:00
|
|
|
func (v *validator) validateResourceWithRule() *engineapi.RuleResponse {
|
2023-01-31 16:28:48 +01:00
|
|
|
element := v.policyContext.Element()
|
|
|
|
|
if !isEmptyUnstructured(&element) {
|
|
|
|
|
return v.validatePatterns(element)
|
2021-10-02 16:53:02 -07:00
|
|
|
}
|
2022-12-12 07:20:20 -08:00
|
|
|
if isDeleteRequest(v.policyContext) {
|
2021-09-26 02:12:31 -07:00
|
|
|
v.log.V(3).Info("skipping validation on deleted resource")
|
2021-01-02 01:10:14 -08:00
|
|
|
return nil
|
2020-06-24 10:26:04 -07:00
|
|
|
}
|
2023-01-31 16:28:48 +01:00
|
|
|
resp := v.validatePatterns(v.policyContext.NewResource())
|
2022-02-17 09:18:49 -08:00
|
|
|
return resp
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
func isDeleteRequest(ctx engineapi.PolicyContext) bool {
|
|
|
|
|
newResource := ctx.NewResource()
|
2022-02-17 09:18:49 -08:00
|
|
|
// if the OldResource is not empty, and the NewResource is empty, the request is a DELETE
|
2023-01-31 16:28:48 +01:00
|
|
|
return isEmptyUnstructured(&newResource)
|
2022-02-17 09:18:49 -08:00
|
|
|
}
|
2020-08-07 17:09:24 -07:00
|
|
|
|
2021-10-02 16:53:02 -07:00
|
|
|
func isEmptyUnstructured(u *unstructured.Unstructured) bool {
|
|
|
|
|
if u == nil {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if reflect.DeepEqual(*u, unstructured.Unstructured{}) {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
2020-12-23 15:10:07 -08:00
|
|
|
}
|
2020-05-05 19:19:47 +05:30
|
|
|
|
2020-12-23 15:10:07 -08:00
|
|
|
// matches checks if either the new or old resource satisfies the filter conditions defined in the rule
|
2023-02-06 06:49:47 +01:00
|
|
|
func matches(
|
|
|
|
|
logger logr.Logger,
|
|
|
|
|
rule *kyvernov1.Rule,
|
|
|
|
|
ctx engineapi.PolicyContext,
|
|
|
|
|
subresourceGVKToAPIResource map[string]*metav1.APIResource,
|
|
|
|
|
cfg config.Configuration,
|
|
|
|
|
) bool {
|
|
|
|
|
err := MatchesResourceDescription(subresourceGVKToAPIResource, ctx.NewResource(), *rule, ctx.AdmissionInfo(), cfg.GetExcludeGroupRole(), ctx.NamespaceLabels(), "", ctx.SubResource())
|
2020-12-23 15:10:07 -08:00
|
|
|
if err == nil {
|
|
|
|
|
return true
|
|
|
|
|
}
|
2020-12-08 22:52:37 -08:00
|
|
|
|
2022-12-09 22:15:23 +05:30
|
|
|
if !reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) {
|
2023-02-06 06:49:47 +01:00
|
|
|
err := MatchesResourceDescription(subresourceGVKToAPIResource, ctx.OldResource(), *rule, ctx.AdmissionInfo(), cfg.GetExcludeGroupRole(), ctx.NamespaceLabels(), "", ctx.SubResource())
|
2020-12-23 15:10:07 -08:00
|
|
|
if err == nil {
|
|
|
|
|
return true
|
2019-09-03 15:48:13 -07:00
|
|
|
}
|
|
|
|
|
}
|
2019-10-15 20:56:41 -07:00
|
|
|
|
2022-05-05 14:06:18 -07:00
|
|
|
logger.V(5).Info("resource does not match rule", "reason", err.Error())
|
2020-12-23 15:10:07 -08:00
|
|
|
return false
|
2019-11-13 13:13:07 -08:00
|
|
|
}
|
|
|
|
|
|
2019-08-21 12:38:15 -07:00
|
|
|
// validatePatterns validate pattern and anyPattern
|
2023-01-30 12:41:09 +01:00
|
|
|
func (v *validator) validatePatterns(resource unstructured.Unstructured) *engineapi.RuleResponse {
|
2021-09-26 02:12:31 -07:00
|
|
|
if v.pattern != nil {
|
2021-09-30 23:34:04 -07:00
|
|
|
if err := validate.MatchPattern(v.log, resource.Object, v.pattern); err != nil {
|
2021-10-29 16:06:03 +01:00
|
|
|
pe, ok := err.(*validate.PatternError)
|
|
|
|
|
if ok {
|
2021-09-30 23:34:04 -07:00
|
|
|
v.log.V(3).Info("validation error", "path", pe.Path, "error", err.Error())
|
2021-10-03 03:15:22 -07:00
|
|
|
|
|
|
|
|
if pe.Skip {
|
2023-02-07 17:51:25 +01:00
|
|
|
return internal.RuleSkip(v.rule, engineapi.Validation, pe.Error())
|
2021-10-03 03:15:22 -07:00
|
|
|
}
|
2020-05-26 10:36:56 -07:00
|
|
|
|
2021-09-30 23:34:04 -07:00
|
|
|
if pe.Path == "" {
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, v.buildErrorMessage(err, ""), engineapi.RuleStatusError)
|
2021-09-30 23:34:04 -07:00
|
|
|
}
|
2020-01-09 17:44:11 -08:00
|
|
|
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, v.buildErrorMessage(err, pe.Path), engineapi.RuleStatusFail)
|
2021-09-30 23:34:04 -07:00
|
|
|
}
|
2021-10-29 16:06:03 +01:00
|
|
|
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, v.buildErrorMessage(err, pe.Path), engineapi.RuleStatusError)
|
2020-02-14 11:59:28 -08:00
|
|
|
}
|
2020-12-04 12:05:24 -08:00
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
v.log.V(4).Info("successfully processed rule")
|
|
|
|
|
msg := fmt.Sprintf("validation rule '%s' passed.", v.rule.Name)
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusPass)
|
2019-05-14 18:10:25 +03:00
|
|
|
}
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
if v.anyPattern != nil {
|
2020-02-14 11:59:28 -08:00
|
|
|
var failedAnyPatternsErrors []error
|
2022-11-28 18:31:51 +05:30
|
|
|
var skippedAnyPatternErrors []error
|
2020-02-14 11:59:28 -08:00
|
|
|
var err error
|
2020-11-13 16:25:51 -08:00
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
anyPatterns, err := deserializeAnyPattern(v.anyPattern)
|
2020-11-13 16:25:51 -08:00
|
|
|
if err != nil {
|
2021-09-26 02:12:31 -07:00
|
|
|
msg := fmt.Sprintf("failed to deserialize anyPattern, expected type array: %v", err)
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusError)
|
2020-11-13 16:25:51 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for idx, pattern := range anyPatterns {
|
2021-09-30 23:34:04 -07:00
|
|
|
err := validate.MatchPattern(v.log, resource.Object, pattern)
|
2020-02-14 11:59:28 -08:00
|
|
|
if err == nil {
|
2021-09-26 02:12:31 -07:00
|
|
|
msg := fmt.Sprintf("validation rule '%s' anyPattern[%d] passed.", v.rule.Name, idx)
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusPass)
|
2019-09-05 12:44:38 -07:00
|
|
|
}
|
2020-12-07 11:26:04 -08:00
|
|
|
|
2021-09-30 23:34:04 -07:00
|
|
|
if pe, ok := err.(*validate.PatternError); ok {
|
2022-11-28 18:31:51 +05:30
|
|
|
var patternErr error
|
2021-09-30 23:34:04 -07:00
|
|
|
v.log.V(3).Info("validation rule failed", "anyPattern[%d]", idx, "path", pe.Path)
|
2022-11-28 18:31:51 +05:30
|
|
|
|
|
|
|
|
if pe.Skip {
|
|
|
|
|
patternErr = fmt.Errorf("rule %s[%d] skipped: %s", v.rule.Name, idx, err.Error())
|
|
|
|
|
skippedAnyPatternErrors = append(skippedAnyPatternErrors, patternErr)
|
2021-09-30 23:34:04 -07:00
|
|
|
} else {
|
2022-11-28 18:31:51 +05:30
|
|
|
if pe.Path == "" {
|
|
|
|
|
patternErr = fmt.Errorf("rule %s[%d] failed: %s", v.rule.Name, idx, err.Error())
|
|
|
|
|
} else {
|
|
|
|
|
patternErr = fmt.Errorf("rule %s[%d] failed at path %s", v.rule.Name, idx, pe.Path)
|
|
|
|
|
}
|
2021-09-30 23:34:04 -07:00
|
|
|
failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr)
|
|
|
|
|
}
|
2021-09-26 02:12:31 -07:00
|
|
|
}
|
2019-09-05 12:44:38 -07:00
|
|
|
}
|
2019-11-04 17:54:06 -08:00
|
|
|
|
2020-02-14 11:59:28 -08:00
|
|
|
// Any Pattern validation errors
|
2022-11-28 18:31:51 +05:30
|
|
|
if len(skippedAnyPatternErrors) > 0 && len(failedAnyPatternsErrors) == 0 {
|
|
|
|
|
var errorStr []string
|
|
|
|
|
for _, err := range skippedAnyPatternErrors {
|
|
|
|
|
errorStr = append(errorStr, err.Error())
|
|
|
|
|
}
|
|
|
|
|
v.log.V(4).Info(fmt.Sprintf("Validation rule '%s' skipped. %s", v.rule.Name, errorStr))
|
2023-02-07 17:51:25 +01:00
|
|
|
return internal.RuleSkip(v.rule, engineapi.Validation, strings.Join(errorStr, " "))
|
2022-11-28 18:31:51 +05:30
|
|
|
} else if len(failedAnyPatternsErrors) > 0 {
|
2020-02-14 11:59:28 -08:00
|
|
|
var errorStr []string
|
|
|
|
|
for _, err := range failedAnyPatternsErrors {
|
|
|
|
|
errorStr = append(errorStr, err.Error())
|
|
|
|
|
}
|
2020-12-07 11:26:04 -08:00
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
v.log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", v.rule.Name, errorStr))
|
|
|
|
|
msg := buildAnyPatternErrorMessage(v.rule, errorStr)
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, msg, engineapi.RuleStatusFail)
|
2020-01-09 17:44:11 -08:00
|
|
|
}
|
2019-08-21 12:38:15 -07:00
|
|
|
}
|
2021-01-02 01:10:14 -08:00
|
|
|
|
2023-02-07 05:30:15 +01:00
|
|
|
return internal.RuleResponse(*v.rule, engineapi.Validation, v.rule.Validation.Message, engineapi.RuleStatusPass)
|
2019-05-15 19:25:49 +03:00
|
|
|
}
|
2020-12-07 11:26:04 -08:00
|
|
|
|
2021-09-27 23:40:05 -07:00
|
|
|
func deserializeAnyPattern(anyPattern apiextensions.JSON) ([]interface{}, error) {
|
2021-09-26 02:12:31 -07:00
|
|
|
if anyPattern == nil {
|
|
|
|
|
return nil, nil
|
2020-12-07 11:26:04 -08:00
|
|
|
}
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
ap, err := json.Marshal(anyPattern)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var res []interface{}
|
|
|
|
|
if err := json.Unmarshal(ap, &res); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return res, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (v *validator) buildErrorMessage(err error, path string) string {
|
|
|
|
|
if v.rule.Validation.Message == "" {
|
|
|
|
|
if path != "" {
|
|
|
|
|
return fmt.Sprintf("validation error: rule %s failed at path %s", v.rule.Name, path)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return fmt.Sprintf("validation error: rule %s execution error: %s", v.rule.Name, err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-31 16:28:48 +01:00
|
|
|
msgRaw, sErr := variables.SubstituteAll(v.log, v.policyContext.JSONContext(), v.rule.Validation.Message)
|
2021-10-02 16:53:02 -07:00
|
|
|
if sErr != nil {
|
2022-10-13 12:16:47 +02:00
|
|
|
v.log.V(2).Info("failed to substitute variables in message", "error", sErr)
|
|
|
|
|
return fmt.Sprintf("validation error: variables substitution error in rule %s execution error: %s", v.rule.Name, err.Error())
|
|
|
|
|
} else {
|
|
|
|
|
msg := msgRaw.(string)
|
|
|
|
|
if !strings.HasSuffix(msg, ".") {
|
|
|
|
|
msg = msg + "."
|
|
|
|
|
}
|
|
|
|
|
if path != "" {
|
|
|
|
|
return fmt.Sprintf("validation error: %s rule %s failed at path %s", msg, v.rule.Name, path)
|
|
|
|
|
}
|
|
|
|
|
return fmt.Sprintf("validation error: %s rule %s execution error: %s", msg, v.rule.Name, err.Error())
|
2020-12-07 11:26:04 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
func buildAnyPatternErrorMessage(rule *kyvernov1.Rule, errors []string) string {
|
2020-12-07 11:26:04 -08:00
|
|
|
errStr := strings.Join(errors, " ")
|
|
|
|
|
if rule.Validation.Message == "" {
|
|
|
|
|
return fmt.Sprintf("validation error: %s", errStr)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if strings.HasSuffix(rule.Validation.Message, ".") {
|
|
|
|
|
return fmt.Sprintf("validation error: %s %s", rule.Validation.Message, errStr)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return fmt.Sprintf("validation error: %s. %s", rule.Validation.Message, errStr)
|
|
|
|
|
}
|
2021-07-28 19:54:50 +03:00
|
|
|
|
2021-09-27 23:40:05 -07:00
|
|
|
func (v *validator) substitutePatterns() error {
|
2021-09-26 02:12:31 -07:00
|
|
|
if v.pattern != nil {
|
2023-01-31 16:28:48 +01:00
|
|
|
i, err := variables.SubstituteAll(v.log, v.policyContext.JSONContext(), v.pattern)
|
2021-09-26 02:12:31 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2021-07-28 19:54:50 +03:00
|
|
|
}
|
2021-09-26 02:12:31 -07:00
|
|
|
v.pattern = i.(apiextensions.JSON)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2021-07-28 19:54:50 +03:00
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
if v.anyPattern != nil {
|
2023-01-31 16:28:48 +01:00
|
|
|
i, err := variables.SubstituteAll(v.log, v.policyContext.JSONContext(), v.anyPattern)
|
2021-09-26 02:12:31 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2021-07-28 19:54:50 +03:00
|
|
|
}
|
2021-09-26 02:12:31 -07:00
|
|
|
v.anyPattern = i.(apiextensions.JSON)
|
|
|
|
|
return nil
|
2021-07-28 19:54:50 +03:00
|
|
|
}
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
return nil
|
2021-07-28 19:54:50 +03:00
|
|
|
}
|
