2023-02-02 11:58:34 +01:00
package engine
import (
"context"
2023-03-27 13:22:54 +02:00
"fmt"
2023-03-30 13:59:32 +02:00
"time"
2023-02-02 11:58:34 +01:00
2023-03-27 13:22:54 +02:00
"github.com/go-logr/logr"
2023-07-07 12:22:26 +02:00
gojmespath "github.com/kyverno/go-jmespath"
2023-02-08 06:55:03 +01:00
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
2023-02-02 11:58:34 +01:00
"github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
2023-02-08 06:55:03 +01:00
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
2023-03-24 17:24:00 +01:00
"github.com/kyverno/kyverno/pkg/engine/handlers"
2023-02-09 16:15:51 +01:00
"github.com/kyverno/kyverno/pkg/engine/internal"
2023-04-13 13:29:40 +02:00
"github.com/kyverno/kyverno/pkg/engine/jmespath"
2023-03-27 13:22:54 +02:00
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
2023-08-07 01:24:52 +05:30
"github.com/kyverno/kyverno/pkg/imageverifycache"
2023-02-09 16:15:51 +01:00
"github.com/kyverno/kyverno/pkg/logging"
2023-04-04 17:07:43 +02:00
"github.com/kyverno/kyverno/pkg/metrics"
2023-03-27 13:22:54 +02:00
"github.com/kyverno/kyverno/pkg/tracing"
2023-05-08 00:34:23 -07:00
stringutils "github.com/kyverno/kyverno/pkg/utils/strings"
2023-06-19 11:09:08 +02:00
"go.opentelemetry.io/otel"
2023-05-11 12:16:48 +02:00
"go.opentelemetry.io/otel/metric"
2023-03-27 13:22:54 +02:00
"go.opentelemetry.io/otel/trace"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
2023-02-02 11:58:34 +01:00
)
2023-02-03 06:01:11 +01:00
type engine struct {
2024-02-08 13:10:29 +01:00
configuration config . Configuration
metricsConfiguration config . MetricsConfiguration
jp jmespath . Interface
client engineapi . Client
rclientFactory engineapi . RegistryClientFactory
ivCache imageverifycache . Client
contextLoader engineapi . ContextLoaderFactory
exceptionSelector engineapi . PolicyExceptionSelector
2023-04-04 17:07:43 +02:00
// metrics
2023-05-11 12:16:48 +02:00
resultCounter metric . Int64Counter
durationHistogram metric . Float64Histogram
2023-02-03 06:01:11 +01:00
}
2023-02-02 11:58:34 +01:00
2023-04-03 21:58:58 +02:00
type handlerFactory = func ( ) ( handlers . Handler , error )
2023-02-03 06:01:11 +01:00
func NewEngine (
configuration config . Configuration ,
2023-04-04 17:07:43 +02:00
metricsConfiguration config . MetricsConfiguration ,
2023-04-13 13:29:40 +02:00
jp jmespath . Interface ,
2023-06-10 11:20:34 +02:00
client engineapi . Client ,
2023-06-16 19:07:08 +05:30
rclientFactory engineapi . RegistryClientFactory ,
2023-08-07 01:24:52 +05:30
ivCache imageverifycache . Client ,
2023-02-03 06:01:11 +01:00
contextLoader engineapi . ContextLoaderFactory ,
2023-02-06 06:49:47 +01:00
exceptionSelector engineapi . PolicyExceptionSelector ,
2023-02-03 06:01:11 +01:00
) engineapi . Engine {
2023-06-19 11:09:08 +02:00
meter := otel . GetMeterProvider ( ) . Meter ( metrics . MeterName )
2023-04-04 17:07:43 +02:00
resultCounter , err := meter . Int64Counter (
"kyverno_policy_results" ,
2023-05-11 12:16:48 +02:00
metric . WithDescription ( "can be used to track the results associated with the policies applied in the user's cluster, at the level from rule to policy to admission requests" ) ,
2023-04-04 17:07:43 +02:00
)
if err != nil {
logging . Error ( err , "failed to register metric kyverno_policy_results" )
}
2023-04-04 18:34:58 +02:00
durationHistogram , err := meter . Float64Histogram (
"kyverno_policy_execution_duration_seconds" ,
2023-05-11 12:16:48 +02:00
metric . WithDescription ( "can be used to track the latencies (in seconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests" ) ,
2023-04-04 18:34:58 +02:00
)
if err != nil {
logging . Error ( err , "failed to register metric kyverno_policy_execution_duration_seconds" )
}
2023-03-28 07:47:53 +02:00
return & engine {
2024-02-08 13:10:29 +01:00
configuration : configuration ,
metricsConfiguration : metricsConfiguration ,
jp : jp ,
client : client ,
rclientFactory : rclientFactory ,
ivCache : ivCache ,
contextLoader : contextLoader ,
exceptionSelector : exceptionSelector ,
resultCounter : resultCounter ,
durationHistogram : durationHistogram ,
2023-02-03 06:01:11 +01:00
}
2023-02-02 11:58:34 +01:00
}
func ( e * engine ) Validate (
ctx context . Context ,
policyContext engineapi . PolicyContext ,
2023-03-22 15:55:00 +01:00
) engineapi . EngineResponse {
2023-04-05 19:07:04 +02:00
startTime := time . Now ( )
response := engineapi . NewEngineResponseFromPolicyContext ( policyContext )
2023-02-09 16:15:51 +01:00
logger := internal . LoggerWithPolicyContext ( logging . WithName ( "engine.validate" ) , policyContext )
2024-02-02 16:32:28 +08:00
if internal . MatchPolicyContext ( logger , e . client , policyContext , e . configuration ) {
2023-03-30 13:59:32 +02:00
policyResponse := e . validate ( ctx , logger , policyContext )
response = response . WithPolicyResponse ( policyResponse )
2023-03-23 17:03:40 +01:00
}
2023-04-05 19:07:04 +02:00
response = response . WithStats ( engineapi . NewExecutionStats ( startTime , time . Now ( ) ) )
2023-04-04 17:07:43 +02:00
e . reportMetrics ( ctx , logger , policyContext . Operation ( ) , policyContext . AdmissionOperation ( ) , response )
return response
2023-02-02 11:58:34 +01:00
}
func ( e * engine ) Mutate (
ctx context . Context ,
policyContext engineapi . PolicyContext ,
2023-03-22 15:55:00 +01:00
) engineapi . EngineResponse {
2023-04-05 19:07:04 +02:00
startTime := time . Now ( )
response := engineapi . NewEngineResponseFromPolicyContext ( policyContext )
2023-02-09 16:15:51 +01:00
logger := internal . LoggerWithPolicyContext ( logging . WithName ( "engine.mutate" ) , policyContext )
2024-02-02 16:32:28 +08:00
if internal . MatchPolicyContext ( logger , e . client , policyContext , e . configuration ) {
2023-03-30 13:59:32 +02:00
policyResponse , patchedResource := e . mutate ( ctx , logger , policyContext )
response = response .
WithPolicyResponse ( policyResponse ) .
WithPatchedResource ( patchedResource )
2023-03-23 17:03:40 +01:00
}
2023-04-05 19:07:04 +02:00
response = response . WithStats ( engineapi . NewExecutionStats ( startTime , time . Now ( ) ) )
2023-04-04 17:07:43 +02:00
e . reportMetrics ( ctx , logger , policyContext . Operation ( ) , policyContext . AdmissionOperation ( ) , response )
return response
2023-02-02 11:58:34 +01:00
}
2023-04-03 06:57:48 +02:00
func ( e * engine ) Generate (
ctx context . Context ,
policyContext engineapi . PolicyContext ,
) engineapi . EngineResponse {
2023-04-05 19:07:04 +02:00
startTime := time . Now ( )
response := engineapi . NewEngineResponseFromPolicyContext ( policyContext )
2023-04-03 06:57:48 +02:00
logger := internal . LoggerWithPolicyContext ( logging . WithName ( "engine.generate" ) , policyContext )
2024-02-02 16:32:28 +08:00
if internal . MatchPolicyContext ( logger , e . client , policyContext , e . configuration ) {
2024-05-30 07:29:24 +08:00
policyResponse := e . generateResponse ( logger , policyContext )
2023-04-03 06:57:48 +02:00
response = response . WithPolicyResponse ( policyResponse )
}
2023-04-05 19:07:04 +02:00
response = response . WithStats ( engineapi . NewExecutionStats ( startTime , time . Now ( ) ) )
2023-04-04 17:07:43 +02:00
e . reportMetrics ( ctx , logger , policyContext . Operation ( ) , policyContext . AdmissionOperation ( ) , response )
return response
2023-04-03 06:57:48 +02:00
}
2023-02-02 11:58:34 +01:00
func ( e * engine ) VerifyAndPatchImages (
ctx context . Context ,
policyContext engineapi . PolicyContext ,
2023-03-23 13:58:52 +01:00
) ( engineapi . EngineResponse , engineapi . ImageVerificationMetadata ) {
2023-04-05 19:07:04 +02:00
startTime := time . Now ( )
response := engineapi . NewEngineResponseFromPolicyContext ( policyContext )
2023-03-30 13:59:32 +02:00
ivm := engineapi . ImageVerificationMetadata { }
2023-02-09 16:15:51 +01:00
logger := internal . LoggerWithPolicyContext ( logging . WithName ( "engine.verify" ) , policyContext )
2024-02-02 16:32:28 +08:00
if internal . MatchPolicyContext ( logger , e . client , policyContext , e . configuration ) {
2023-06-05 14:33:23 +02:00
policyResponse , patchedResource , innerIvm := e . verifyAndPatchImages ( ctx , logger , policyContext )
response , ivm = response .
WithPolicyResponse ( policyResponse ) .
WithPatchedResource ( patchedResource ) , innerIvm
2023-03-23 17:03:40 +01:00
}
2023-04-05 19:07:04 +02:00
response = response . WithStats ( engineapi . NewExecutionStats ( startTime , time . Now ( ) ) )
2023-04-04 17:07:43 +02:00
e . reportMetrics ( ctx , logger , policyContext . Operation ( ) , policyContext . AdmissionOperation ( ) , response )
return response , ivm
2023-02-03 06:01:11 +01:00
}
func ( e * engine ) ApplyBackgroundChecks (
2023-02-08 06:55:03 +01:00
ctx context . Context ,
2023-02-03 06:01:11 +01:00
policyContext engineapi . PolicyContext ,
2023-03-22 15:55:00 +01:00
) engineapi . EngineResponse {
2023-04-05 19:07:04 +02:00
startTime := time . Now ( )
response := engineapi . NewEngineResponseFromPolicyContext ( policyContext )
2023-02-09 16:15:51 +01:00
logger := internal . LoggerWithPolicyContext ( logging . WithName ( "engine.background" ) , policyContext )
2024-02-02 16:32:28 +08:00
if internal . MatchPolicyContext ( logger , e . client , policyContext , e . configuration ) {
2024-05-30 07:29:24 +08:00
policyResponse := e . applyBackgroundChecks ( logger , policyContext )
2023-03-30 13:59:32 +02:00
response = response . WithPolicyResponse ( policyResponse )
2023-03-23 17:03:40 +01:00
}
2023-04-05 19:07:04 +02:00
response = response . WithStats ( engineapi . NewExecutionStats ( startTime , time . Now ( ) ) )
2023-04-04 17:07:43 +02:00
e . reportMetrics ( ctx , logger , policyContext . Operation ( ) , policyContext . AdmissionOperation ( ) , response )
return response
2023-02-03 06:01:11 +01:00
}
func ( e * engine ) ContextLoader (
2023-02-08 06:55:03 +01:00
policy kyvernov1 . PolicyInterface ,
rule kyvernov1 . Rule ,
) engineapi . EngineContextLoader {
2023-04-03 21:58:58 +02:00
loader := e . contextLoader ( policy , rule )
return func ( ctx context . Context , contextEntries [ ] kyvernov1 . ContextEntry , jsonContext enginecontext . Interface ) error {
return loader . Load (
ctx ,
2023-04-13 13:29:40 +02:00
e . jp ,
2023-04-03 21:58:58 +02:00
e . client ,
2023-06-16 19:07:08 +05:30
e . rclientFactory ,
2023-04-03 21:58:58 +02:00
contextEntries ,
jsonContext ,
)
}
2023-03-28 07:47:53 +02:00
}
// matches checks if either the new or old resource satisfies the filter conditions defined in the rule
2023-06-05 13:47:46 +02:00
func ( e * engine ) matches (
2023-03-28 07:47:53 +02:00
rule kyvernov1 . Rule ,
policyContext engineapi . PolicyContext ,
resource unstructured . Unstructured ,
) error {
2023-06-05 13:47:46 +02:00
if policyContext . AdmissionOperation ( ) {
request := policyContext . AdmissionInfo ( )
if e . configuration . IsExcluded ( request . AdmissionUserInfo . Username , request . AdmissionUserInfo . Groups , request . Roles , request . ClusterRoles ) {
return fmt . Errorf ( "excluded by configuration" )
}
}
2023-03-28 07:47:53 +02:00
gvk , subresource := policyContext . ResourceKind ( )
err := engineutils . MatchesResourceDescription (
resource ,
rule ,
policyContext . AdmissionInfo ( ) ,
policyContext . NamespaceLabels ( ) ,
policyContext . Policy ( ) . GetNamespace ( ) ,
gvk ,
subresource ,
2023-03-29 06:22:21 +02:00
policyContext . Operation ( ) ,
2023-03-28 07:47:53 +02:00
)
if err == nil {
return nil
}
oldResource := policyContext . OldResource ( )
2023-05-19 05:57:57 +08:00
if resource . Object == nil && oldResource . Object != nil {
2023-03-28 07:47:53 +02:00
err := engineutils . MatchesResourceDescription (
policyContext . OldResource ( ) ,
rule ,
policyContext . AdmissionInfo ( ) ,
policyContext . NamespaceLabels ( ) ,
policyContext . Policy ( ) . GetNamespace ( ) ,
gvk ,
subresource ,
2023-03-29 06:22:21 +02:00
policyContext . Operation ( ) ,
2023-02-08 06:55:03 +01:00
)
2023-03-28 07:47:53 +02:00
if err == nil {
return nil
}
2023-02-08 06:55:03 +01:00
}
2023-03-28 07:47:53 +02:00
return err
2023-02-02 11:58:34 +01:00
}
2023-03-27 13:22:54 +02:00
func ( e * engine ) invokeRuleHandler (
ctx context . Context ,
logger logr . Logger ,
2023-04-03 21:58:58 +02:00
handlerFactory handlerFactory ,
2023-03-27 13:22:54 +02:00
policyContext engineapi . PolicyContext ,
resource unstructured . Unstructured ,
rule kyvernov1 . Rule ,
2023-03-28 07:47:53 +02:00
ruleType engineapi . RuleType ,
2023-03-27 13:22:54 +02:00
) ( unstructured . Unstructured , [ ] engineapi . RuleResponse ) {
return tracing . ChildSpan2 (
ctx ,
"pkg/engine" ,
fmt . Sprintf ( "RULE %s" , rule . Name ) ,
2023-06-27 09:58:50 -07:00
func ( ctx context . Context , span trace . Span ) ( patchedResource unstructured . Unstructured , results [ ] engineapi . RuleResponse ) {
2023-03-27 13:22:54 +02:00
// check if resource and rule match
2023-06-05 13:47:46 +02:00
if err := e . matches ( rule , policyContext , resource ) ; err != nil {
2023-03-27 13:22:54 +02:00
logger . V ( 4 ) . Info ( "rule not matched" , "reason" , err . Error ( ) )
return resource , nil
}
2023-04-03 21:58:58 +02:00
if handlerFactory == nil {
2023-04-05 12:35:38 +02:00
return resource , handlers . WithError ( rule , ruleType , "failed to instantiate handler" , nil )
2023-04-03 21:58:58 +02:00
} else if handler , err := handlerFactory ( ) ; err != nil {
2023-04-05 12:35:38 +02:00
return resource , handlers . WithError ( rule , ruleType , "failed to instantiate handler" , err )
2023-04-03 21:58:58 +02:00
} else if handler != nil {
2023-06-27 09:58:50 -07:00
policyContext . JSONContext ( ) . Checkpoint ( )
defer func ( ) {
policyContext . JSONContext ( ) . Restore ( )
if patchedResource . Object != nil {
if err := policyContext . JSONContext ( ) . AddResource ( patchedResource . Object ) ; err != nil {
logger . Error ( err , "failed to add resource in the json context" )
}
}
} ( )
2023-04-03 21:58:58 +02:00
// load rule context
contextLoader := e . ContextLoader ( policyContext . Policy ( ) , rule )
if err := contextLoader ( ctx , rule . Context , policyContext . JSONContext ( ) ) ; err != nil {
if _ , ok := err . ( gojmespath . NotFoundError ) ; ok {
logger . V ( 3 ) . Info ( "failed to load context" , "reason" , err . Error ( ) )
} else {
logger . Error ( err , "failed to load context" )
}
2023-04-05 12:35:38 +02:00
return resource , handlers . WithError ( rule , ruleType , "failed to load context" , err )
2023-04-03 21:58:58 +02:00
}
// check preconditions
2023-05-08 00:34:23 -07:00
preconditionsPassed , msg , err := internal . CheckPreconditions ( logger , policyContext . JSONContext ( ) , rule . GetAnyAllConditions ( ) )
2023-04-03 21:58:58 +02:00
if err != nil {
2023-04-05 12:35:38 +02:00
return resource , handlers . WithError ( rule , ruleType , "failed to evaluate preconditions" , err )
2023-04-03 21:58:58 +02:00
}
if ! preconditionsPassed {
2023-05-08 00:34:23 -07:00
s := stringutils . JoinNonEmpty ( [ ] string { "preconditions not met" , msg } , "; " )
return resource , handlers . WithSkip ( rule , ruleType , s )
2023-04-03 21:58:58 +02:00
}
2024-09-03 23:06:07 +05:30
// substitute properties
if err := internal . SubstitutePropertiesInRule ( logger , & rule , policyContext . JSONContext ( ) ) ; err != nil {
logger . Error ( err , "failed to substitute variables in rule properties" )
}
2023-11-13 17:43:25 +02:00
// get policy exceptions that matches both policy and rule name
exceptions , err := e . GetPolicyExceptions ( policyContext . Policy ( ) , rule . Name )
if err != nil {
logger . Error ( err , "failed to get exceptions" )
return resource , nil
2023-09-27 17:52:39 +03:00
}
2023-11-13 17:43:25 +02:00
// process handler
resource , ruleResponses := handler . Process ( ctx , logger , policyContext , resource , rule , contextLoader , exceptions )
2023-09-27 17:52:39 +03:00
return resource , ruleResponses
2023-03-27 13:22:54 +02:00
}
2023-04-03 21:58:58 +02:00
return resource , nil
2023-03-27 13:22:54 +02:00
} ,
)
}