2020-03-11 18:14:23 -07:00
package generate
import (
"fmt"
"reflect"
2022-01-04 17:36:33 -08:00
commonAnchors "github.com/kyverno/kyverno/pkg/engine/anchor"
2020-03-17 11:05:20 -07:00
"github.com/go-logr/logr"
2021-10-29 18:13:20 +02:00
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
2020-10-07 11:12:31 -07:00
dclient "github.com/kyverno/kyverno/pkg/dclient"
"github.com/kyverno/kyverno/pkg/engine/variables"
"github.com/kyverno/kyverno/pkg/policy/common"
2020-03-11 18:14:23 -07:00
)
// Generate provides implementation to validate 'generate' rule
type Generate struct {
// rule to hold 'generate' rule specifications
rule kyverno . Generation
// authCheck to check access for operations
authCheck Operations
2020-03-17 11:05:20 -07:00
//logger
log logr . Logger
2020-03-11 18:14:23 -07:00
}
//NewGenerateFactory returns a new instance of Generate validation checker
2020-03-17 11:05:20 -07:00
func NewGenerateFactory ( client * dclient . Client , rule kyverno . Generation , log logr . Logger ) * Generate {
2020-03-11 18:14:23 -07:00
g := Generate {
rule : rule ,
2020-03-17 11:05:20 -07:00
authCheck : NewAuth ( client , log ) ,
log : log ,
2020-03-11 18:14:23 -07:00
}
return & g
}
2020-03-11 18:14:42 -07:00
//Validate validates the 'generate' rule
2020-03-11 18:14:23 -07:00
func ( g * Generate ) Validate ( ) ( string , error ) {
rule := g . rule
if rule . Data != nil && rule . Clone != ( kyverno . CloneFrom { } ) {
2020-12-14 02:43:16 -08:00
return "" , fmt . Errorf ( "only one of data or clone can be specified" )
2020-03-11 18:14:23 -07:00
}
2020-12-12 21:19:37 -08:00
2020-03-11 18:14:23 -07:00
kind , name , namespace := rule . Kind , rule . Name , rule . Namespace
if name == "" {
return "name" , fmt . Errorf ( "name cannot be empty" )
}
if kind == "" {
return "kind" , fmt . Errorf ( "kind cannot be empty" )
}
// Can I generate resource
if ! reflect . DeepEqual ( rule . Clone , kyverno . CloneFrom { } ) {
if path , err := g . validateClone ( rule . Clone , kind ) ; err != nil {
return fmt . Sprintf ( "clone.%s" , path ) , err
}
}
if rule . Data != nil {
//TODO: is this required ?? as anchors can only be on pattern and not resource
// we can add this check by not sure if its needed here
2020-08-29 06:52:22 +05:30
if path , err := common . ValidatePattern ( rule . Data , "/" , [ ] commonAnchors . IsAnchor { } ) ; err != nil {
2020-03-11 18:14:23 -07:00
return fmt . Sprintf ( "data.%s" , path ) , fmt . Errorf ( "anchors not supported on generate resources: %v" , err )
}
}
// Kyverno generate-controller create/update/deletes the resources specified in generate rule of policy
// kyverno uses SA 'kyverno-service-account' and has default ClusterRoles and ClusterRoleBindings
2021-02-22 12:08:26 -08:00
// instructions to modify the RBAC for kyverno are mentioned at https://github.com/kyverno/kyverno/blob/master/documentation/installation.md
2020-03-11 18:14:23 -07:00
// - operations required: create/update/delete/get
// If kind and namespace contain variables, then we cannot resolve then so we skip the processing
if err := g . canIGenerate ( kind , namespace ) ; err != nil {
return "" , err
}
return "" , nil
}
func ( g * Generate ) validateClone ( c kyverno . CloneFrom , kind string ) ( string , error ) {
if c . Name == "" {
return "name" , fmt . Errorf ( "name cannot be empty" )
}
2020-11-16 13:02:45 -08:00
2020-03-11 18:14:23 -07:00
namespace := c . Namespace
// Skip if there is variable defined
if ! variables . IsVariable ( kind ) && ! variables . IsVariable ( namespace ) {
// GET
ok , err := g . authCheck . CanIGet ( kind , namespace )
if err != nil {
return "" , err
}
if ! ok {
return "" , fmt . Errorf ( "kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'" , kind , namespace )
}
} else {
2020-03-17 11:05:20 -07:00
g . log . V ( 4 ) . Info ( "name & namespace uses variables, so cannot be resolved. Skipping Auth Checks." )
2020-03-11 18:14:23 -07:00
}
return "" , nil
}
2021-02-22 12:08:26 -08:00
//canIGenerate returns a error if kyverno cannot perform operations
2020-03-11 18:14:23 -07:00
func ( g * Generate ) canIGenerate ( kind , namespace string ) error {
// Skip if there is variable defined
authCheck := g . authCheck
if ! variables . IsVariable ( kind ) && ! variables . IsVariable ( namespace ) {
// CREATE
ok , err := authCheck . CanICreate ( kind , namespace )
if err != nil {
// machinery error
return err
}
if ! ok {
return fmt . Errorf ( "kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'" , kind , namespace )
}
// UPDATE
ok , err = authCheck . CanIUpdate ( kind , namespace )
if err != nil {
// machinery error
return err
}
if ! ok {
return fmt . Errorf ( "kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'" , kind , namespace )
}
// GET
ok , err = authCheck . CanIGet ( kind , namespace )
if err != nil {
// machinery error
return err
}
if ! ok {
return fmt . Errorf ( "kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'" , kind , namespace )
}
// DELETE
ok , err = authCheck . CanIDelete ( kind , namespace )
if err != nil {
// machinery error
return err
}
if ! ok {
return fmt . Errorf ( "kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'" , kind , namespace )
}
} else {
2020-03-17 11:05:20 -07:00
g . log . V ( 4 ) . Info ( "name & namespace uses variables, so cannot be resolved. Skipping Auth Checks." )
2020-03-11 18:14:23 -07:00
}
return nil
}
