kyverno/pkg/engine/forceMutate.go

package engine

import (
	"encoding/json"
	"fmt"
	"regexp"

	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	"github.com/nirmata/kyverno/pkg/engine/context"
	"github.com/nirmata/kyverno/pkg/engine/mutate"
	"github.com/nirmata/kyverno/pkg/engine/response"
	"github.com/nirmata/kyverno/pkg/engine/utils"
	"github.com/nirmata/kyverno/pkg/engine/variables"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"sigs.k8s.io/controller-runtime/pkg/log"
)

func mutateResourceWithOverlay(resource unstructured.Unstructured, overlay interface{}) (unstructured.Unstructured, error) {
	logger := log.Log.WithValues("resource", resource.GetKind(), "overlay", overlay)
	patches, err := mutate.MutateResourceWithOverlay(resource.UnstructuredContent(), overlay)
	if err != nil {
		logger.V(4).Info("failed to mutate resource with overlay")
		return resource, err
	}

	if len(patches) == 0 {
		return resource, nil
	}

	// convert to RAW
	resourceRaw, err := resource.MarshalJSON()
	if err != nil {
		logger.V(4).Info("failed to marshall resource JSON")
		return resource, err
	}

	var patchResource []byte
	patchResource, err = utils.ApplyPatches(resourceRaw, patches)
	if err != nil {
		logger.V(4).Info("failed to apply patches")
		return resource, err
	}

	resource = unstructured.Unstructured{}
	err = resource.UnmarshalJSON(patchResource)
	if err != nil {
		logger.V(4).Info("failed to unmarshal patched resource JSON")
		return resource, err
	}

	logger.V(4).Info("mutated resource with overlay")
	return resource, nil
}

// ForceMutate does not check any conditions, it simply mutates the given resource
func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (unstructured.Unstructured, error) {
	var err error
	logger := log.Log.WithName("EngineForceMutate").WithValues("policy", policy.Name, "kind", resource.GetKind(),
		"namespace", resource.GetNamespace(), "name", resource.GetName())

	for _, rule := range policy.Spec.Rules {
		if !rule.HasMutate() {
			continue
		}

		mutation := rule.Mutation.DeepCopy()

		if mutation.Overlay != nil {
			overlay := mutation.Overlay
			if ctx != nil {
				if overlay, err = variables.SubstituteVars(log.Log, ctx, overlay); err != nil {
					return unstructured.Unstructured{}, err
				}
			} else {
				overlay = replaceSubstituteVariables(overlay)
			}

			resource, err = mutateResourceWithOverlay(resource, overlay)
			if err != nil {
				detailedErr := fmt.Errorf("failed to mutate resource %s with overlay rule %v:%v", resource.GetKind(), rule.Name, err)
				return unstructured.Unstructured{}, detailedErr
			}
		}

		if rule.Mutation.Patches != nil {
			var resp response.RuleResponse
			resp, resource = mutate.ProcessPatches(logger.WithValues("rule", rule.Name), rule, resource)
			if !resp.Success {
				return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
			}
		}
	}

	return resource, nil
}

func replaceSubstituteVariables(overlay interface{}) interface{} {
	overlayRaw, err := json.Marshal(overlay)
	if err != nil {
		return overlay
	}

	regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
	for {
		if len(regex.FindAllStringSubmatch(string(overlayRaw), -1)) > 0 {
			overlayRaw = regex.ReplaceAll(overlayRaw, []byte(`placeholderValue`))
		} else {
			break
		}
	}

	var output interface{}
	err = json.Unmarshal(overlayRaw, &output)
	if err != nil {
		return overlay
	}

	return output
}
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`package engine`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"regexp"`

			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
			`"github.com/nirmata/kyverno/pkg/engine/context"`
			`"github.com/nirmata/kyverno/pkg/engine/mutate"`
			`"github.com/nirmata/kyverno/pkg/engine/response"`
			`"github.com/nirmata/kyverno/pkg/engine/utils"`
			`"github.com/nirmata/kyverno/pkg/engine/variables"`
			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
Merge branch 'master' into access_check 2020-03-18 00:23:18 +00:00			`"sigs.k8s.io/controller-runtime/pkg/log"`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`)`

			`func mutateResourceWithOverlay(resource unstructured.Unstructured, overlay interface{}) (unstructured.Unstructured, error) {`
Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00			`logger := log.Log.WithValues("resource", resource.GetKind(), "overlay", overlay)`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`patches, err := mutate.MutateResourceWithOverlay(resource.UnstructuredContent(), overlay)`
			`if err != nil {`
Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00			`logger.V(4).Info("failed to mutate resource with overlay")`
			`return resource, err`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`}`
Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`if len(patches) == 0 {`
			`return resource, nil`
			`}`

			`// convert to RAW`
			`resourceRaw, err := resource.MarshalJSON()`
			`if err != nil {`
Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00			`logger.V(4).Info("failed to marshall resource JSON")`
			`return resource, err`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`}`

			`var patchResource []byte`
			`patchResource, err = utils.ApplyPatches(resourceRaw, patches)`
			`if err != nil {`
Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00			`logger.V(4).Info("failed to apply patches")`
			`return resource, err`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`}`

			`resource = unstructured.Unstructured{}`
			`err = resource.UnmarshalJSON(patchResource)`
			`if err != nil {`
Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00			`logger.V(4).Info("failed to unmarshal patched resource JSON")`
			`return resource, err`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`}`

Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00			`logger.V(4).Info("mutated resource with overlay")`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`return resource, nil`
			`}`

			`// ForceMutate does not check any conditions, it simply mutates the given resource`
			`func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (unstructured.Unstructured, error) {`
			`var err error`
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments 2020-07-09 18:48:34 +00:00			`logger := log.Log.WithName("EngineForceMutate").WithValues("policy", policy.Name, "kind", resource.GetKind(),`
			`"namespace", resource.GetNamespace(), "name", resource.GetName())`

522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`for _, rule := range policy.Spec.Rules {`
			`if !rule.HasMutate() {`
			`continue`
			`}`

			`mutation := rule.Mutation.DeepCopy()`

			`if mutation.Overlay != nil {`
			`overlay := mutation.Overlay`
			`if ctx != nil {`
Merge branch 'master' into access_check 2020-03-18 00:23:18 +00:00			`if overlay, err = variables.SubstituteVars(log.Log, ctx, overlay); err != nil {`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`return unstructured.Unstructured{}, err`
			`}`
			`} else {`
			`overlay = replaceSubstituteVariables(overlay)`
			`}`

			`resource, err = mutateResourceWithOverlay(resource, overlay)`
			`if err != nil {`
Update mutate overlay to handle keys with slashes for labels (like annotations). Added debug V4 logs for mutate flows. (#972) 2020-07-05 02:32:11 +00:00			`detailedErr := fmt.Errorf("failed to mutate resource %s with overlay rule %v:%v", resource.GetKind(), rule.Name, err)`
			`return unstructured.Unstructured{}, detailedErr`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`}`
			`}`

			`if rule.Mutation.Patches != nil {`
			`var resp response.RuleResponse`
965 add validate audit handler (#967) * store policy names cache to reduce lookup time * add validate audit handler * fix #958, remove auto-gen annotation on Pod * formatting code * update processTime to readable format * #586, add back unit test * update logging info * remove unused interface * handle generate policy in a single thread in weboook * resolve pr comments 2020-07-09 18:48:34 +00:00			`resp, resource = mutate.ProcessPatches(logger.WithValues("rule", rule.Name), rule, resource)`
522 moving force mutate to a seperate file 2020-03-05 20:24:36 +00:00			`if !resp.Success {`
			`return unstructured.Unstructured{}, fmt.Errorf(resp.Message)`
			`}`
			`}`
			`}`

			`return resource, nil`
			`}`

			`func replaceSubstituteVariables(overlay interface{}) interface{} {`
			`overlayRaw, err := json.Marshal(overlay)`
			`if err != nil {`
			`return overlay`
			`}`

			regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`)
			`for {`
			`if len(regex.FindAllStringSubmatch(string(overlayRaw), -1)) > 0 {`
			overlayRaw = regex.ReplaceAll(overlayRaw, []byte(`placeholderValue`))
			`} else {`
			`break`
			`}`
			`}`

			`var output interface{}`
			`err = json.Unmarshal(overlayRaw, &output)`
			`if err != nil {`
			`return overlay`
			`}`

			`return output`
			`}`