kyverno/pkg/engine/mutation.go

package engine

import (
	"fmt"
	"reflect"
	"strings"
	"time"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	"github.com/nirmata/kyverno/pkg/engine/mutate"
	"github.com/nirmata/kyverno/pkg/engine/rbac"
	"github.com/nirmata/kyverno/pkg/engine/response"
	"github.com/nirmata/kyverno/pkg/engine/utils"
	"github.com/nirmata/kyverno/pkg/engine/variables"
)

const (
	PodControllers           = "DaemonSet,Deployment,Job,StatefulSet"
	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
	PodTemplateAnnotation    = "pod-policies.kyverno.io/autogen-applied"
)

// Mutate performs mutation. Overlay first and then mutation patches
func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
	startTime := time.Now()
	policy := policyContext.Policy
	resource := policyContext.NewResource
	ctx := policyContext.Context

	// policy information
	func() {
		// set policy information
		resp.PolicyResponse.Policy = policy.Name
		// resource details
		resp.PolicyResponse.Resource.Name = resource.GetName()
		resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
		resp.PolicyResponse.Resource.Kind = resource.GetKind()
		resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
	}()
	glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)
	defer func() {
		resp.PolicyResponse.ProcessingTime = time.Since(startTime)
		glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, resp.PolicyResponse.ProcessingTime)
		glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, policy.Name)
	}()
	incrementAppliedRuleCount := func() {
		// rules applied succesfully count
		resp.PolicyResponse.RulesAppliedCount++
	}

	patchedResource := policyContext.NewResource

	for _, rule := range policy.Spec.Rules {
		//TODO: to be checked before calling the resources as well
		if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {
			continue
		}

		if paths := validateGeneralRuleInfoVariables(ctx, rule); len(paths) != 0 {
			glog.Infof("referenced path not present in rule %s, resource %s/%s/%s, path: %s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), paths)
			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules,
				newPathNotPresentRuleResponse(rule.Name, utils.Mutation.String(), fmt.Sprintf("path not present in rule info: %s", paths)))
			continue
		}

		startTime := time.Now()
		if !rbac.MatchAdmissionInfo(rule, policyContext.AdmissionInfo) {
			glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
				rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)
			continue
		}
		glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))

		// check if the resource satisfies the filter conditions defined in the rule
		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
		// dont statisfy a policy rule resource description
		ok := MatchesResourceDescription(resource, rule)
		if !ok {
			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())
			continue
		}

		// evaluate pre-conditions
		if !variables.EvaluateConditions(ctx, rule.Conditions) {
			glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())
			continue
		}

		// Process Overlay
		if rule.Mutation.Overlay != nil {
			var ruleResponse response.RuleResponse
			ruleResponse, patchedResource = mutate.ProcessOverlay(ctx, rule, patchedResource)
			if ruleResponse.Success == true {
				// - variable substitution path is not present
				if ruleResponse.PathNotPresent {
					glog.V(4).Infof(ruleResponse.Message)
					resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
					continue
				}

				// - overlay pattern does not match the resource conditions
				if ruleResponse.Patches == nil {
					glog.V(4).Infof(ruleResponse.Message)
					continue
				}

				glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
			}

			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
			incrementAppliedRuleCount()
		}

		// Process Patches
		if rule.Mutation.Patches != nil {
			var ruleResponse response.RuleResponse
			ruleResponse, patchedResource = mutate.ProcessPatches(rule, patchedResource)
			glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
			incrementAppliedRuleCount()
		}

		// insert annotation to podtemplate if resource is pod controller
		// skip inserting on existing resource
		if reflect.DeepEqual(policyContext.AdmissionInfo, kyverno.RequestInfo{}) {
			continue
		}

		if strings.Contains(PodControllers, resource.GetKind()) {
			var ruleResponse response.RuleResponse
			ruleResponse, patchedResource = mutate.ProcessOverlay(ctx, podTemplateRule, patchedResource)
			if !ruleResponse.Success {
				glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
				continue
			}

			if ruleResponse.Success && ruleResponse.Patches != nil {
				glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
			}
		}
	}
	// send the patched resource
	resp.PatchedResource = patchedResource
	return resp
}

// podTemplateRule mutate pod template with annotation
// pod-policies.kyverno.io/autogen-applied=true
var podTemplateRule = kyverno.Rule{
	Name: "autogen-annotate-podtemplate",
	Mutation: kyverno.Mutation{
		Overlay: map[string]interface{}{
			"spec": map[string]interface{}{
				"template": map[string]interface{}{
					"metadata": map[string]interface{}{
						"annotations": map[string]interface{}{
							"pod-policies.kyverno.io/autogen-applied": "true",
						},
					},
				},
			},
		},
	},
}
Resolve PR 27 2019-05-14 01:17:28 +00:00			`package engine`
Add PolicyEngine 2019-05-10 05:26:22 +00:00
			`import (`
report violation in generate when path not present 2020-01-10 19:59:05 +00:00			`"fmt"`
only generate rule on policy creation 2019-12-27 23:57:43 +00:00			`"reflect"`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`"strings"`
initial commit 2019-08-19 23:40:10 +00:00			`"time"`
test policy engine on admission requests 2019-08-09 23:55:43 +00:00
introduce info struct for engine responses 2019-06-26 01:16:02 +00:00			`"github.com/golang/glog"`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
move mutation to subpackage pkg/engine/mutate 2020-01-08 01:06:17 +00:00			`"github.com/nirmata/kyverno/pkg/engine/mutate"`
			`"github.com/nirmata/kyverno/pkg/engine/rbac"`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`"github.com/nirmata/kyverno/pkg/engine/response"`
report violation in generate when path not present 2020-01-10 19:59:05 +00:00			`"github.com/nirmata/kyverno/pkg/engine/utils"`
593 feature (#594) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * initial commit * fix trailing quote in patch * remove comments * initial condition (equal & notequal) * initial support for conditions * initial support fo conditions in generate * support precondition checks * cleanup * re-evaluate GR on namespace update using dynamic informers * add status for generated resources * display loaded variable SA * support delete cleanup of generate request main resources * fix log * remove namespace from SA username * support multiple variables per statement for scalar values * fix fail variables * add check for userInfo * validation checks for conditions * update policy * refactor logs * code review * add openapispec for clusterpolicy preconditions * Update documentation * CR fixes * documentation * CR fixes * update variable * fix logs * update policy * pre-defined variables (serviceAccountName & serviceAccountNamespace) * update test 2020-01-07 23:13:57 +00:00			`"github.com/nirmata/kyverno/pkg/engine/variables"`
Add PolicyEngine 2019-05-10 05:26:22 +00:00			`)`

- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`const (`
			`PodControllers = "DaemonSet,Deployment,Job,StatefulSet"`
			`PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"`
			`PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied"`
			`)`

Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 18:27:47 +00:00			`// Mutate performs mutation. Overlay first and then mutation patches`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {`
initial redesign 2019-08-24 01:34:23 +00:00			`startTime := time.Now()`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00			`policy := policyContext.Policy`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 21:13:07 +00:00			`resource := policyContext.NewResource`
support variable substitution in overlay mutation 2019-12-13 02:25:54 +00:00			`ctx := policyContext.Context`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00
initial redesign 2019-08-24 01:34:23 +00:00			`// policy information`
			`func() {`
			`// set policy information`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Policy = policy.Name`
initial redesign 2019-08-24 01:34:23 +00:00			`// resource details`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Resource.Name = resource.GetName()`
			`resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()`
			`resp.PolicyResponse.Resource.Kind = resource.GetKind()`
			`resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()`
initial redesign 2019-08-24 01:34:23 +00:00			`}()`
			`glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)`
			`defer func() {`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.ProcessingTime = time.Since(startTime)`
			`glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, resp.PolicyResponse.ProcessingTime)`
			`glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, policy.Name)`
initial redesign 2019-08-24 01:34:23 +00:00			`}()`
			`incrementAppliedRuleCount := func() {`
			`// rules applied succesfully count`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.RulesAppliedCount++`
initial redesign 2019-08-24 01:34:23 +00:00			`}`

fix annotation patch in mutate rule 2019-11-14 01:56:56 +00:00			`patchedResource := policyContext.NewResource`
initial redesign 2019-08-24 01:34:23 +00:00
			`for _, rule := range policy.Spec.Rules {`
			`//TODO: to be checked before calling the resources as well`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {`
initial redesign 2019-08-24 01:34:23 +00:00			`continue`
			`}`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00
report violation in generate when path not present 2020-01-10 19:59:05 +00:00			`if paths := validateGeneralRuleInfoVariables(ctx, rule); len(paths) != 0 {`
			`glog.Infof("referenced path not present in rule %s, resource %s/%s/%s, path: %s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), paths)`
			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules,`
add more unit tests 2020-01-11 01:15:44 +00:00			`newPathNotPresentRuleResponse(rule.Name, utils.Mutation.String(), fmt.Sprintf("path not present in rule info: %s", paths)))`
report violation in generate when path not present 2020-01-10 19:59:05 +00:00			`continue`
			`}`

- add profiling; - fix CLI 2019-11-12 05:23:26 +00:00			`startTime := time.Now()`
538 (#587) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * cleanup * CR fixes * fix logs 2020-01-07 18:33:28 +00:00			`if !rbac.MatchAdmissionInfo(rule, policyContext.AdmissionInfo) {`
fix patches annotation 2019-11-12 02:52:26 +00:00			`glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00			`rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)`
			`continue`
			`}`
- add profiling; - fix CLI 2019-11-12 05:23:26 +00:00			`glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00
initial redesign 2019-08-24 01:34:23 +00:00			`// check if the resource satisfies the filter conditions defined in the rule`
			`//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that`
			`// dont statisfy a policy rule resource description`
			`ok := MatchesResourceDescription(resource, rule)`
			`if !ok {`
			`glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())`
			`continue`
			`}`
593 feature (#594) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * initial commit * fix trailing quote in patch * remove comments * initial condition (equal & notequal) * initial support for conditions * initial support fo conditions in generate * support precondition checks * cleanup * re-evaluate GR on namespace update using dynamic informers * add status for generated resources * display loaded variable SA * support delete cleanup of generate request main resources * fix log * remove namespace from SA username * support multiple variables per statement for scalar values * fix fail variables * add check for userInfo * validation checks for conditions * update policy * refactor logs * code review * add openapispec for clusterpolicy preconditions * Update documentation * CR fixes * documentation * CR fixes * update variable * fix logs * update policy * pre-defined variables (serviceAccountName & serviceAccountNamespace) * update test 2020-01-07 23:13:57 +00:00
			`// evaluate pre-conditions`
			`if !variables.EvaluateConditions(ctx, rule.Conditions) {`
			`glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName())`
			`continue`
			`}`

initial redesign 2019-08-24 01:34:23 +00:00			`// Process Overlay`
			`if rule.Mutation.Overlay != nil {`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`var ruleResponse response.RuleResponse`
move mutation to subpackage pkg/engine/mutate 2020-01-08 01:06:17 +00:00			`ruleResponse, patchedResource = mutate.ProcessOverlay(ctx, rule, patchedResource)`
generate violation in mutation when substitute path not present 2020-01-09 20:24:37 +00:00			`if ruleResponse.Success == true {`
			`// - variable substitution path is not present`
			`if ruleResponse.PathNotPresent {`
			`glog.V(4).Infof(ruleResponse.Message)`
			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)`
			`continue`
			`}`

			`// - overlay pattern does not match the resource conditions`
			`if ruleResponse.Patches == nil {`
			`glog.V(4).Infof(ruleResponse.Message)`
			`continue`
			`}`

fix annotation patch in mutate rule 2019-11-14 01:56:56 +00:00			`glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())`
initial redesign 2019-08-24 01:34:23 +00:00			`}`
fix annotation patch in mutate rule 2019-11-14 01:56:56 +00:00
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)`
initial redesign 2019-08-24 01:34:23 +00:00			`incrementAppliedRuleCount()`
			`}`

			`// Process Patches`
			`if rule.Mutation.Patches != nil {`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`var ruleResponse response.RuleResponse`
move mutation to subpackage pkg/engine/mutate 2020-01-08 01:06:17 +00:00			`ruleResponse, patchedResource = mutate.ProcessPatches(rule, patchedResource)`
remove overlay failure conditionNotPresent as it allows the tag not present 2019-11-12 05:03:34 +00:00			`glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)`
initial redesign 2019-08-24 01:34:23 +00:00			`incrementAppliedRuleCount()`
			`}`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00
			`// insert annotation to podtemplate if resource is pod controller`
only generate rule on policy creation 2019-12-27 23:57:43 +00:00			`// skip inserting on existing resource`
remove duplicate structure definition 2020-01-08 18:44:41 +00:00			`if reflect.DeepEqual(policyContext.AdmissionInfo, kyverno.RequestInfo{}) {`
only generate rule on policy creation 2019-12-27 23:57:43 +00:00			`continue`
			`}`

- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`if strings.Contains(PodControllers, resource.GetKind()) {`
			`var ruleResponse response.RuleResponse`
move mutation to subpackage pkg/engine/mutate 2020-01-08 01:06:17 +00:00			`ruleResponse, patchedResource = mutate.ProcessOverlay(ctx, podTemplateRule, patchedResource)`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`if !ruleResponse.Success {`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`continue`
			`}`

only generate rule on policy creation 2019-12-27 23:57:43 +00:00			`if ruleResponse.Success && ruleResponse.Patches != nil {`
- add =() to volumes; - update error msg 2019-12-27 22:59:12 +00:00			`glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)`
			`}`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`}`
initial redesign 2019-08-24 01:34:23 +00:00			`}`
			`// send the patched resource`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PatchedResource = patchedResource`
			`return resp`
initial redesign 2019-08-24 01:34:23 +00:00			`}`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00
			`// podTemplateRule mutate pod template with annotation`
			`// pod-policies.kyverno.io/autogen-applied=true`
			`var podTemplateRule = kyverno.Rule{`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`Name: "autogen-annotate-podtemplate",`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`Mutation: kyverno.Mutation{`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`Overlay: map[string]interface{}{`
			`"spec": map[string]interface{}{`
			`"template": map[string]interface{}{`
			`"metadata": map[string]interface{}{`
			`"annotations": map[string]interface{}{`
			`"pod-policies.kyverno.io/autogen-applied": "true",`
			`},`
			`},`
			`},`
			`},`
			`},`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`},`
			`}`