2019-12-30 17:08:50 -08:00
|
|
|
package context
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
2020-01-07 15:13:57 -08:00
|
|
|
"strings"
|
2019-12-30 17:08:50 -08:00
|
|
|
"sync"
|
|
|
|
|
|
2022-01-04 17:36:33 -08:00
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
|
2021-02-25 15:21:55 -08:00
|
|
|
jsonpatch "github.com/evanphx/json-patch/v5"
|
2020-03-17 11:05:20 -07:00
|
|
|
"github.com/go-logr/logr"
|
2021-10-29 18:13:20 +02:00
|
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
2021-02-22 12:08:26 -08:00
|
|
|
"k8s.io/api/admission/v1beta1"
|
2021-03-23 10:34:03 -07:00
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
2020-03-17 16:25:34 -07:00
|
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
2019-12-30 17:08:50 -08:00
|
|
|
)
|
|
|
|
|
|
2020-01-24 12:05:53 -08:00
|
|
|
//Interface to manage context operations
|
2019-12-30 17:08:50 -08:00
|
|
|
type Interface interface {
|
2020-12-23 15:10:07 -08:00
|
|
|
|
2021-07-20 09:36:12 -07:00
|
|
|
// AddRequest marshals and adds the admission request to the context
|
|
|
|
|
AddRequest(request *v1beta1.AdmissionRequest) error
|
|
|
|
|
|
2020-12-23 15:10:07 -08:00
|
|
|
// AddJSON merges the json with context
|
2019-12-30 17:08:50 -08:00
|
|
|
AddJSON(dataRaw []byte) error
|
2020-12-23 15:10:07 -08:00
|
|
|
|
|
|
|
|
// AddResource merges resource json under request.object
|
2019-12-30 17:08:50 -08:00
|
|
|
AddResource(dataRaw []byte) error
|
2020-12-23 15:10:07 -08:00
|
|
|
|
|
|
|
|
// AddUserInfo merges userInfo json under kyverno.userInfo
|
2020-01-07 10:33:28 -08:00
|
|
|
AddUserInfo(userInfo kyverno.UserInfo) error
|
2020-12-23 15:10:07 -08:00
|
|
|
|
|
|
|
|
// AddServiceAccount merges ServiceAccount types
|
|
|
|
|
AddServiceAccount(userName string) error
|
|
|
|
|
|
2021-02-22 17:22:23 -08:00
|
|
|
// AddNamespace merges resource json under request.namespace
|
|
|
|
|
AddNamespace(namespace string) error
|
|
|
|
|
|
2019-12-30 17:08:50 -08:00
|
|
|
EvalInterface
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-20 09:36:12 -07:00
|
|
|
//EvalInterface is used to query and inspect context data
|
2019-12-30 17:08:50 -08:00
|
|
|
type EvalInterface interface {
|
2021-07-20 09:36:12 -07:00
|
|
|
|
|
|
|
|
// Query accepts a JMESPath expression and returns matching data
|
2019-12-30 17:08:50 -08:00
|
|
|
Query(query string) (interface{}, error)
|
2021-07-20 09:36:12 -07:00
|
|
|
|
|
|
|
|
// HasChanged accepts a JMESPath expression and compares matching data in the
|
|
|
|
|
// request.object and request.oldObject context fields. If the data has changed
|
|
|
|
|
// it return `true`. If the data has not changed it returns false. If either
|
|
|
|
|
// request.object or request.oldObject are not found, an error is returned.
|
|
|
|
|
HasChanged(jmespath string) (bool, error)
|
2019-12-30 17:08:50 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//Context stores the data resources as JSON
|
|
|
|
|
type Context struct {
|
2021-09-27 23:40:05 -07:00
|
|
|
mutex sync.RWMutex
|
|
|
|
|
jsonRaw []byte
|
2021-09-26 02:12:31 -07:00
|
|
|
jsonRawCheckpoints [][]byte
|
2021-09-27 23:40:05 -07:00
|
|
|
images *Images
|
|
|
|
|
log logr.Logger
|
2019-12-30 17:08:50 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//NewContext returns a new context
|
2021-11-03 11:16:55 -07:00
|
|
|
func NewContext() *Context {
|
2019-12-30 17:08:50 -08:00
|
|
|
ctx := Context{
|
2021-09-27 23:40:05 -07:00
|
|
|
jsonRaw: []byte(`{}`), // empty json struct
|
|
|
|
|
log: log.Log.WithName("context"),
|
2021-09-26 02:12:31 -07:00
|
|
|
jsonRawCheckpoints: make([][]byte, 0),
|
2019-12-30 17:08:50 -08:00
|
|
|
}
|
2020-11-24 17:48:54 -08:00
|
|
|
|
2019-12-30 17:08:50 -08:00
|
|
|
return &ctx
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// AddJSON merges json data
|
|
|
|
|
func (ctx *Context) AddJSON(dataRaw []byte) error {
|
|
|
|
|
var err error
|
2021-02-01 23:22:19 -08:00
|
|
|
ctx.mutex.Lock()
|
|
|
|
|
defer ctx.mutex.Unlock()
|
2021-07-02 08:56:50 +03:00
|
|
|
|
2022-01-04 17:36:33 -08:00
|
|
|
ctx.jsonRaw, err = jsonpatch.MergeMergePatches(ctx.jsonRaw, dataRaw)
|
2019-12-30 17:08:50 -08:00
|
|
|
if err != nil {
|
2022-01-04 17:36:33 -08:00
|
|
|
return errors.Wrap(err, "failed to merge JSON data")
|
2019-12-30 17:08:50 -08:00
|
|
|
}
|
2022-01-04 17:36:33 -08:00
|
|
|
|
2019-12-30 17:08:50 -08:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-29 16:06:03 +01:00
|
|
|
// AddJSONObject merges json data
|
2021-10-02 16:53:02 -07:00
|
|
|
func (ctx *Context) AddJSONObject(jsonData interface{}) error {
|
|
|
|
|
jsonBytes, err := json.Marshal(jsonData)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ctx.AddJSON(jsonBytes)
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-22 12:08:26 -08:00
|
|
|
// AddRequest adds an admission request to context
|
2020-04-15 21:17:14 +05:30
|
|
|
func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error {
|
|
|
|
|
modifiedResource := struct {
|
|
|
|
|
Request interface{} `json:"request"`
|
|
|
|
|
}{
|
|
|
|
|
Request: request,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
objRaw, err := json.Marshal(modifiedResource)
|
|
|
|
|
if err != nil {
|
2020-05-06 01:02:39 +05:30
|
|
|
ctx.log.Error(err, "failed to marshal the request")
|
2020-04-15 21:17:14 +05:30
|
|
|
return err
|
|
|
|
|
}
|
2021-07-20 09:36:12 -07:00
|
|
|
|
2020-04-15 21:17:14 +05:30
|
|
|
return ctx.AddJSON(objRaw)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//AddResource data at path: request.object
|
2019-12-30 17:08:50 -08:00
|
|
|
func (ctx *Context) AddResource(dataRaw []byte) error {
|
|
|
|
|
|
2021-02-22 12:08:26 -08:00
|
|
|
// unmarshal the resource struct
|
2019-12-30 17:08:50 -08:00
|
|
|
var data interface{}
|
|
|
|
|
if err := json.Unmarshal(dataRaw, &data); err != nil {
|
2021-02-22 12:08:26 -08:00
|
|
|
ctx.log.Error(err, "failed to unmarshal the resource")
|
2019-12-30 17:08:50 -08:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
modifiedResource := struct {
|
|
|
|
|
Request interface{} `json:"request"`
|
|
|
|
|
}{
|
|
|
|
|
Request: struct {
|
|
|
|
|
Object interface{} `json:"object"`
|
|
|
|
|
}{
|
|
|
|
|
Object: data,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
objRaw, err := json.Marshal(modifiedResource)
|
|
|
|
|
if err != nil {
|
2021-07-24 00:02:48 +05:30
|
|
|
ctx.log.Error(err, "failed to marshal the resource")
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return ctx.AddJSON(objRaw)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//AddResourceInOldObject data at path: request.oldObject
|
|
|
|
|
func (ctx *Context) AddResourceInOldObject(dataRaw []byte) error {
|
|
|
|
|
|
|
|
|
|
// unmarshal the resource struct
|
|
|
|
|
var data interface{}
|
|
|
|
|
if err := json.Unmarshal(dataRaw, &data); err != nil {
|
|
|
|
|
ctx.log.Error(err, "failed to unmarshal the resource")
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
modifiedResource := struct {
|
|
|
|
|
Request interface{} `json:"request"`
|
|
|
|
|
}{
|
|
|
|
|
Request: struct {
|
|
|
|
|
OldObject interface{} `json:"oldObject"`
|
|
|
|
|
}{
|
|
|
|
|
OldObject: data,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
objRaw, err := json.Marshal(modifiedResource)
|
|
|
|
|
if err != nil {
|
2020-03-17 11:05:20 -07:00
|
|
|
ctx.log.Error(err, "failed to marshal the resource")
|
2019-12-30 17:08:50 -08:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return ctx.AddJSON(objRaw)
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-22 14:23:03 -07:00
|
|
|
func (ctx *Context) AddResourceAsObject(data interface{}) error {
|
|
|
|
|
modifiedResource := struct {
|
|
|
|
|
Request interface{} `json:"request"`
|
|
|
|
|
}{
|
|
|
|
|
Request: struct {
|
|
|
|
|
Object interface{} `json:"object"`
|
|
|
|
|
}{
|
|
|
|
|
Object: data,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
objRaw, err := json.Marshal(modifiedResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
ctx.log.Error(err, "failed to marshal the resource")
|
|
|
|
|
return err
|
|
|
|
|
}
|
2021-09-27 14:28:55 -07:00
|
|
|
|
2021-07-22 14:23:03 -07:00
|
|
|
return ctx.AddJSON(objRaw)
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-24 12:05:53 -08:00
|
|
|
//AddUserInfo adds userInfo at path request.userInfo
|
2020-01-07 10:33:28 -08:00
|
|
|
func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error {
|
2020-05-05 19:19:47 +05:30
|
|
|
modifiedResource := struct {
|
|
|
|
|
Request interface{} `json:"request"`
|
|
|
|
|
}{
|
|
|
|
|
Request: userRequestInfo,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
objRaw, err := json.Marshal(modifiedResource)
|
2019-12-30 17:08:50 -08:00
|
|
|
if err != nil {
|
2020-03-17 11:05:20 -07:00
|
|
|
ctx.log.Error(err, "failed to marshal the UserInfo")
|
2019-12-30 17:08:50 -08:00
|
|
|
return err
|
|
|
|
|
}
|
2021-10-06 22:59:28 +05:30
|
|
|
ctx.log.V(4).Info("Adding user info logs", "userRequestInfo", userRequestInfo)
|
2019-12-30 17:08:50 -08:00
|
|
|
return ctx.AddJSON(objRaw)
|
|
|
|
|
}
|
2020-01-07 15:13:57 -08:00
|
|
|
|
2020-12-23 15:10:07 -08:00
|
|
|
//AddServiceAccount removes prefix 'system:serviceaccount:' and namespace, then loads only SA name and SA namespace
|
|
|
|
|
func (ctx *Context) AddServiceAccount(userName string) error {
|
2020-01-07 15:13:57 -08:00
|
|
|
saPrefix := "system:serviceaccount:"
|
|
|
|
|
var sa string
|
|
|
|
|
saName := ""
|
|
|
|
|
saNamespace := ""
|
|
|
|
|
if len(userName) <= len(saPrefix) {
|
|
|
|
|
sa = ""
|
|
|
|
|
} else {
|
|
|
|
|
sa = userName[len(saPrefix):]
|
|
|
|
|
}
|
|
|
|
|
// filter namespace
|
|
|
|
|
groups := strings.Split(sa, ":")
|
|
|
|
|
if len(groups) >= 2 {
|
|
|
|
|
saName = groups[1]
|
|
|
|
|
saNamespace = groups[0]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
saNameObj := struct {
|
|
|
|
|
SA string `json:"serviceAccountName"`
|
|
|
|
|
}{
|
|
|
|
|
SA: saName,
|
|
|
|
|
}
|
|
|
|
|
saNameRaw, err := json.Marshal(saNameObj)
|
|
|
|
|
if err != nil {
|
2020-03-17 11:05:20 -07:00
|
|
|
ctx.log.Error(err, "failed to marshal the SA")
|
2020-01-07 15:13:57 -08:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := ctx.AddJSON(saNameRaw); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
saNsObj := struct {
|
|
|
|
|
SA string `json:"serviceAccountNamespace"`
|
|
|
|
|
}{
|
|
|
|
|
SA: saNamespace,
|
|
|
|
|
}
|
|
|
|
|
saNsRaw, err := json.Marshal(saNsObj)
|
|
|
|
|
if err != nil {
|
2020-03-17 11:05:20 -07:00
|
|
|
ctx.log.Error(err, "failed to marshal the SA namespace")
|
2020-01-07 15:13:57 -08:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := ctx.AddJSON(saNsRaw); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2021-10-06 22:59:28 +05:30
|
|
|
ctx.log.V(4).Info("Adding service account", "service account name", saName, "service account namespace", saNamespace)
|
2020-01-07 15:13:57 -08:00
|
|
|
return nil
|
|
|
|
|
}
|
2021-02-01 23:22:19 -08:00
|
|
|
|
2021-02-22 17:22:23 -08:00
|
|
|
// AddNamespace merges resource json under request.namespace
|
|
|
|
|
func (ctx *Context) AddNamespace(namespace string) error {
|
|
|
|
|
modifiedResource := struct {
|
|
|
|
|
Request interface{} `json:"request"`
|
|
|
|
|
}{
|
|
|
|
|
Request: struct {
|
|
|
|
|
Namespace string `json:"namespace"`
|
|
|
|
|
}{
|
|
|
|
|
Namespace: namespace,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
objRaw, err := json.Marshal(modifiedResource)
|
|
|
|
|
if err != nil {
|
|
|
|
|
ctx.log.Error(err, "failed to marshal the resource")
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ctx.AddJSON(objRaw)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-23 10:34:03 -07:00
|
|
|
func (ctx *Context) AddImageInfo(resource *unstructured.Unstructured) error {
|
|
|
|
|
initContainersImgs, containersImgs := extractImageInfo(resource, ctx.log)
|
|
|
|
|
if len(initContainersImgs) == 0 && len(containersImgs) == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-09 18:01:46 -07:00
|
|
|
images := newImages(initContainersImgs, containersImgs)
|
|
|
|
|
if images == nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2021-03-23 10:34:03 -07:00
|
|
|
|
2021-07-09 18:01:46 -07:00
|
|
|
ctx.images = images
|
|
|
|
|
imagesTag := struct {
|
2021-03-23 10:34:03 -07:00
|
|
|
Images interface{} `json:"images"`
|
|
|
|
|
}{
|
2021-07-09 18:01:46 -07:00
|
|
|
Images: images,
|
2021-03-23 10:34:03 -07:00
|
|
|
}
|
|
|
|
|
|
2021-07-09 18:01:46 -07:00
|
|
|
objRaw, err := json.Marshal(imagesTag)
|
2021-03-23 10:34:03 -07:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ctx.AddJSON(objRaw)
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-09 18:01:46 -07:00
|
|
|
func (ctx *Context) ImageInfo() *Images {
|
|
|
|
|
return ctx.images
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
// Checkpoint creates a copy of the current internal state and
|
|
|
|
|
// pushes it into a stack of stored states.
|
2021-02-01 23:22:19 -08:00
|
|
|
func (ctx *Context) Checkpoint() {
|
|
|
|
|
ctx.mutex.Lock()
|
|
|
|
|
defer ctx.mutex.Unlock()
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
jsonRawCheckpoint := make([]byte, len(ctx.jsonRaw))
|
|
|
|
|
copy(jsonRawCheckpoint, ctx.jsonRaw)
|
|
|
|
|
|
|
|
|
|
ctx.jsonRawCheckpoints = append(ctx.jsonRawCheckpoints, jsonRawCheckpoint)
|
2021-02-01 23:22:19 -08:00
|
|
|
}
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
// Restore sets the internal state to the last checkpoint, and removes the checkpoint.
|
2021-02-01 23:22:19 -08:00
|
|
|
func (ctx *Context) Restore() {
|
2021-09-26 02:12:31 -07:00
|
|
|
ctx.reset(true)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Reset sets the internal state to the last checkpoint, but does not remove the checkpoint.
|
|
|
|
|
func (ctx *Context) Reset() {
|
|
|
|
|
ctx.reset(false)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (ctx *Context) reset(remove bool) {
|
2021-02-01 23:22:19 -08:00
|
|
|
ctx.mutex.Lock()
|
|
|
|
|
defer ctx.mutex.Unlock()
|
|
|
|
|
|
2021-09-27 23:40:05 -07:00
|
|
|
if len(ctx.jsonRawCheckpoints) == 0 {
|
2021-02-01 23:22:19 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-26 02:12:31 -07:00
|
|
|
n := len(ctx.jsonRawCheckpoints) - 1
|
|
|
|
|
jsonRawCheckpoint := ctx.jsonRawCheckpoints[n]
|
|
|
|
|
|
|
|
|
|
ctx.jsonRaw = make([]byte, len(jsonRawCheckpoint))
|
|
|
|
|
copy(ctx.jsonRaw, jsonRawCheckpoint)
|
|
|
|
|
|
|
|
|
|
if remove {
|
|
|
|
|
ctx.jsonRawCheckpoints = ctx.jsonRawCheckpoints[:n]
|
|
|
|
|
}
|
2021-02-07 20:26:56 -08:00
|
|
|
}
|
