kyverno/pkg/imageverification/evaluator/eval.go

package eval

import (
	"context"
	"fmt"

	"github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"
	"github.com/kyverno/kyverno/pkg/imageverification/imagedataloader"
	admissionv1 "k8s.io/api/admission/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/apiserver/pkg/admission"
	k8scorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
)

func Evaluate(ctx context.Context, ivpols []*v1alpha1.ImageVerificationPolicy, request interface{}, admissionAttr admission.Attributes, namespace runtime.Object, lister k8scorev1.SecretInterface, registryOpts ...imagedataloader.Option) (map[string]*EvaluationResult, error) {
	ictx, err := imagedataloader.NewImageContext(lister, registryOpts...)
	if err != nil {
		return nil, err
	}

	isAdmissionRequest := false
	var gvr *metav1.GroupVersionResource
	if r, ok := request.(*admissionv1.AdmissionRequest); ok {
		isAdmissionRequest = true
		gvr = requestGVR(r)
	}

	policies := filterPolicies(ivpols, isAdmissionRequest)

	c := NewCompiler(ictx, lister, gvr)
	results := make(map[string]*EvaluationResult, len(policies))
	for _, ivpol := range policies {
		p, errList := c.Compile(ivpol)
		if errList != nil {
			return nil, fmt.Errorf("failed to compile policy %v", errList)
		}

		result, err := p.Evaluate(ctx, ictx, admissionAttr, request, namespace, isAdmissionRequest)
		if err != nil {
			return nil, err
		}
		results[ivpol.Name] = result
	}
	return results, nil
}

func isK8s(request interface{}) bool {
	_, ok := request.(*admissionv1.AdmissionRequest)
	return ok
}

func requestGVR(request *admissionv1.AdmissionRequest) *metav1.GroupVersionResource {
	if request == nil {
		return nil
	}

	return request.RequestResource
}

func filterPolicies(ivpols []*v1alpha1.ImageVerificationPolicy, isK8s bool) []*v1alpha1.ImageVerificationPolicy {
	filteredPolicies := make([]*v1alpha1.ImageVerificationPolicy, 0)

	for _, v := range ivpols {
		if v == nil {
			continue
		}

		if isK8s && v.Spec.EvaluationMode() == v1alpha1.EvaluationModeKubernetes {
			filteredPolicies = append(filteredPolicies, v)
		} else if !isK8s && v.Spec.EvaluationMode() == v1alpha1.EvaluationModeJSON {
			filteredPolicies = append(filteredPolicies, v)
		}
	}
	return filteredPolicies
}
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`package eval`

			`import (`
			`"context"`
			`"fmt"`

			`"github.com/kyverno/kyverno/api/policies.kyverno.io/v1alpha1"`
			`"github.com/kyverno/kyverno/pkg/imageverification/imagedataloader"`
			`admissionv1 "k8s.io/api/admission/v1"`
feat: autogenerate image verification policies for pod controllers (#12290) * feat: autogen for image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-03-05 03:00:23 +05:30			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`"k8s.io/apimachinery/pkg/runtime"`
			`"k8s.io/apiserver/pkg/admission"`
			`k8scorev1 "k8s.io/client-go/kubernetes/typed/core/v1"`
			`)`

feat: reconcile `ivpol.status` (#12392) * feat: update ivpol.status api Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update codegen Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update codegen Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: reconcile ivpol.status Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: linter issues Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: autogen fields replacement Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: update ivpol autogen rules Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: invoke ivpol webhook handler Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com> 2025-03-15 07:59:19 +08:00			`func Evaluate(ctx context.Context, ivpols []v1alpha1.ImageVerificationPolicy, request interface{}, admissionAttr admission.Attributes, namespace runtime.Object, lister k8scorev1.SecretInterface, registryOpts ...imagedataloader.Option) (map[string]EvaluationResult, error) {`
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`ictx, err := imagedataloader.NewImageContext(lister, registryOpts...)`
			`if err != nil {`
			`return nil, err`
			`}`

feat: autogenerate image verification policies for pod controllers (#12290) * feat: autogen for image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-03-05 03:00:23 +05:30			`isAdmissionRequest := false`
			`var gvr *metav1.GroupVersionResource`
			`if r, ok := request.(*admissionv1.AdmissionRequest); ok {`
			`isAdmissionRequest = true`
			`gvr = requestGVR(r)`
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`}`

feat: add evaluation config to image verification policies (#12279) * feat: add evaluation config to image verification policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-03-03 21:27:07 +05:30			`policies := filterPolicies(ivpols, isAdmissionRequest)`

feat: autogenerate image verification policies for pod controllers (#12290) * feat: autogen for image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-03-05 03:00:23 +05:30			`c := NewCompiler(ictx, lister, gvr)`
feat: webhook handlers for image verification (#12318) * feat: webhook support for image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add validation Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: codegen Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: trim prefix Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only use matched policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: conflicts Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: remove commented code Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-03-11 13:08:11 +05:30			`results := make(map[string]*EvaluationResult, len(policies))`
feat: add evaluation config to image verification policies (#12279) * feat: add evaluation config to image verification policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-03-03 21:27:07 +05:30			`for _, ivpol := range policies {`
feat: reconcile `ivpol.status` (#12392) * feat: update ivpol.status api Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update codegen Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: update codegen Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: reconcile ivpol.status Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: linter issues Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: autogen fields replacement Signed-off-by: ShutingZhao <shuting@nirmata.com> * chore: add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: update ivpol autogen rules Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: invoke ivpol webhook handler Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com> Signed-off-by: shuting <shuting@nirmata.com> 2025-03-15 07:59:19 +08:00			`p, errList := c.Compile(ivpol)`
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`if errList != nil {`
feat(test): image verification on any payload (#12266) 2025-02-28 14:39:25 +05:30			`return nil, fmt.Errorf("failed to compile policy %v", errList)`
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`}`

feat: add evaluation config to image verification policies (#12279) * feat: add evaluation config to image verification policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-03-03 21:27:07 +05:30			`result, err := p.Evaluate(ctx, ictx, admissionAttr, request, namespace, isAdmissionRequest)`
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`if err != nil {`
			`return nil, err`
			`}`
feat: webhook handlers for image verification (#12318) * feat: webhook support for image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add validation Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: add tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: codegen Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: trim prefix Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: only use matched policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: conflicts Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: remove commented code Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-03-11 13:08:11 +05:30			`results[ivpol.Name] = result`
feat: add evaluator for image verification policies (#12251) * feat: add variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: implement evaluator Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: build Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-02-27 12:49:11 +05:30			`}`
			`return results, nil`
			`}`
feat: add evaluation config to image verification policies (#12279) * feat: add evaluation config to image verification policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-03-03 21:27:07 +05:30
			`func isK8s(request interface{}) bool {`
			`_, ok := request.(*admissionv1.AdmissionRequest)`
			`return ok`
			`}`

feat: autogenerate image verification policies for pod controllers (#12290) * feat: autogen for image verification Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> 2025-03-05 03:00:23 +05:30			`func requestGVR(request admissionv1.AdmissionRequest) metav1.GroupVersionResource {`
			`if request == nil {`
			`return nil`
			`}`

			`return request.RequestResource`
			`}`

feat: add evaluation config to image verification policies (#12279) * feat: add evaluation config to image verification policies Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: unit tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> 2025-03-03 21:27:07 +05:30			`func filterPolicies(ivpols []v1alpha1.ImageVerificationPolicy, isK8s bool) []v1alpha1.ImageVerificationPolicy {`
			`filteredPolicies := make([]*v1alpha1.ImageVerificationPolicy, 0)`

			`for _, v := range ivpols {`
			`if v == nil {`
			`continue`
			`}`

			`if isK8s && v.Spec.EvaluationMode() == v1alpha1.EvaluationModeKubernetes {`
			`filteredPolicies = append(filteredPolicies, v)`
			`} else if !isK8s && v.Spec.EvaluationMode() == v1alpha1.EvaluationModeJSON {`
			`filteredPolicies = append(filteredPolicies, v)`
			`}`
			`}`
			`return filteredPolicies`
			`}`