kyverno/pkg/policyviolation/namespacedpv.go

package policyviolation

import (
	"fmt"
	"reflect"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"
	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
	client "github.com/nirmata/kyverno/pkg/dclient"
	"github.com/nirmata/kyverno/pkg/policyStatus"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

//NamespacedPV ...
type namespacedPV struct {
	// dynamic client
	dclient *client.Client
	// get/list namespaced policy violation
	nspvLister kyvernolister.PolicyViolationLister
	// policy violation interface
	kyvernoInterface kyvernov1.KyvernoV1Interface
	// update policy status with violationCount
	policyStatus *policyStatus.Sync
}

func newNamespacedPV(dclient *client.Client,
	nspvLister kyvernolister.PolicyViolationLister,
	kyvernoInterface kyvernov1.KyvernoV1Interface,
	policyStatus *policyStatus.Sync,
) *namespacedPV {
	nspv := namespacedPV{
		dclient:          dclient,
		nspvLister:       nspvLister,
		kyvernoInterface: kyvernoInterface,
		policyStatus:     policyStatus,
	}
	return &nspv
}

func (nspv *namespacedPV) create(pv kyverno.PolicyViolationTemplate) error {
	newPv := kyverno.PolicyViolation(pv)
	// PV already exists
	oldPv, err := nspv.getExisting(newPv)
	if err != nil {
		return err
	}
	if oldPv == nil {
		// create a new policy violation
		return nspv.createPV(&newPv)
	}
	// policy violation exists
	// skip if there is not change, else update the violation
	return nspv.updatePV(&newPv, oldPv)
}

func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) {
	var err error
	// use labels
	policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
	ls, err := converLabelToSelector(policyLabelmap)
	if err != nil {
		return nil, err
	}
	pvs, err := nspv.nspvLister.PolicyViolations(newPv.GetNamespace()).List(ls)
	if err != nil {
		glog.Errorf("unable to list namespaced policy violations : %v", err)
		return nil, err
	}

	for _, pv := range pvs {
		// find a policy on same resource and policy combination
		if pv.Spec.Policy == newPv.Spec.Policy &&
			pv.Spec.ResourceSpec.Kind == newPv.Spec.ResourceSpec.Kind &&
			pv.Spec.ResourceSpec.Name == newPv.Spec.ResourceSpec.Name {
			return pv, nil
		}
	}
	return nil, nil
}

func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
	var err error
	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name)
	obj, err := retryGetResource(nspv.dclient, newPv.Spec.ResourceSpec)
	if err != nil {
		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
	}
	// set owner reference to resource
	ownerRef := createOwnerReference(obj)
	newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})

	// create resource
	_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Create(newPv)
	if err != nil {
		glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)
		return err
	}

	go nspv.policyStatus.UpdatePolicyStatusWithViolationCount(newPv.Spec.Policy, newPv.Spec.ViolatedRules)
	glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)
	return nil
}

func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error {
	var err error
	// check if there is any update
	if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {
		glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)
		return nil
	}
	// set name
	newPv.SetName(oldPv.Name)
	newPv.SetResourceVersion(oldPv.ResourceVersion)
	// update resource
	_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Update(newPv)
	if err != nil {
		return fmt.Errorf("failed to update namespaced policy violation: %v", err)
	}

	go nspv.policyStatus.UpdatePolicyStatusWithViolationCount(newPv.Spec.Policy, newPv.Spec.ViolatedRules)
	glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec)
	return nil
}
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`package policyviolation`

			`import (`
			`"fmt"`
			`"reflect"`

			`"github.com/golang/glog"`
update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
update api in tests 2019-11-13 13:56:07 -08:00			`kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1"`
update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`client "github.com/nirmata/kyverno/pkg/dclient"`
527 save commit 2020-02-25 20:55:07 +05:30			`"github.com/nirmata/kyverno/pkg/policyStatus"`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`)`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`//NamespacedPV ...`
			`type namespacedPV struct {`
			`// dynamic client`
			`dclient *client.Client`
			`// get/list namespaced policy violation`
Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`nspvLister kyvernolister.PolicyViolationLister`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// policy violation interface`
			`kyvernoInterface kyvernov1.KyvernoV1Interface`
527 prototype changes to handle generate stats - also changes made to handle stats such as violation count and generated resources count - currently untested 2020-02-24 20:12:39 +05:30			`// update policy status with violationCount`
527 save commit 2020-02-25 20:55:07 +05:30			`policyStatus *policyStatus.Sync`
remove namespace from resource spec 2019-11-15 12:03:58 -08:00			`}`

refactor policy violation resource 2019-11-26 18:07:15 -08:00			`func newNamespacedPV(dclient *client.Client,`
Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`nspvLister kyvernolister.PolicyViolationLister,`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`kyvernoInterface kyvernov1.KyvernoV1Interface,`
527 save commit 2020-02-25 20:55:07 +05:30			`policyStatus *policyStatus.Sync,`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`) *namespacedPV {`
			`nspv := namespacedPV{`
			`dclient: dclient,`
			`nspvLister: nspvLister,`
			`kyvernoInterface: kyvernoInterface,`
527 prototype changes to handle generate stats - also changes made to handle stats such as violation count and generated resources count - currently untested 2020-02-24 20:12:39 +05:30			`policyStatus: policyStatus,`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`}`
			`return &nspv`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`

Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`func (nspv *namespacedPV) create(pv kyverno.PolicyViolationTemplate) error {`
			`newPv := kyverno.PolicyViolation(pv)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// PV already exists`
			`oldPv, err := nspv.getExisting(newPv)`
			`if err != nil {`
			`return err`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`if oldPv == nil {`
			`// create a new policy violation`
			`return nspv.createPV(&newPv)`
claim namespaced policy violations 2019-11-12 23:19:38 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// policy violation exists`
			`// skip if there is not change, else update the violation`
			`return nspv.updatePV(&newPv, oldPv)`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`

Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`func (nspv namespacedPV) getExisting(newPv kyverno.PolicyViolation) (kyverno.PolicyViolation, error) {`
CR fixes 2019-12-11 11:15:13 -08:00			`var err error`
			`// use labels`
			`policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}`
			`ls, err := converLabelToSelector(policyLabelmap)`
			`if err != nil {`
			`return nil, err`
create namespaced pv on resource owner 2019-11-12 14:58:38 -08:00			`}`
Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`pvs, err := nspv.nspvLister.PolicyViolations(newPv.GetNamespace()).List(ls)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`if err != nil {`
			`glog.Errorf("unable to list namespaced policy violations : %v", err)`
			`return nil, err`
create namespaced pv on resource owner 2019-11-12 14:58:38 -08:00			`}`
- add dclient; - add retry getting resource before create pv 2019-11-12 20:19:20 -08:00
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`for _, pv := range pvs {`
			`// find a policy on same resource and policy combination`
			`if pv.Spec.Policy == newPv.Spec.Policy &&`
			`pv.Spec.ResourceSpec.Kind == newPv.Spec.ResourceSpec.Kind &&`
			`pv.Spec.ResourceSpec.Name == newPv.Spec.ResourceSpec.Name {`
			`return pv, nil`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`
			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return nil, nil`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`

Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`func (nspv namespacedPV) createPV(newPv kyverno.PolicyViolation) error {`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`var err error`
cleanup resource & policy 2019-12-02 17:15:47 -08:00			`glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name)`
			`obj, err := retryGetResource(nspv.dclient, newPv.Spec.ResourceSpec)`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`if err != nil {`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// set owner reference to resource`
			`ownerRef := createOwnerReference(obj)`
			`newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef})`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// create resource`
Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Create(newPv)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`if err != nil {`
			`glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err)`
			`return err`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`
527 prototype changes to handle generate stats - also changes made to handle stats such as violation count and generated resources count - currently untested 2020-02-24 20:12:39 +05:30
			`go nspv.policyStatus.UpdatePolicyStatusWithViolationCount(newPv.Spec.Policy, newPv.Spec.ViolatedRules)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec)`
- add dclient; - add retry getting resource before create pv 2019-11-12 20:19:20 -08:00			`return nil`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`

Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`func (nspv namespacedPV) updatePV(newPv, oldPv kyverno.PolicyViolation) error {`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`var err error`
			`// check if there is any update`
			`if reflect.DeepEqual(newPv.Spec, oldPv.Spec) {`
			`glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec)`
			`return nil`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// set name`
			`newPv.SetName(oldPv.Name)`
CR fixes 2019-12-11 11:15:13 -08:00			`newPv.SetResourceVersion(oldPv.ResourceVersion)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`// update resource`
Merge branch '524_bug' into v1.1.0 2019-12-12 16:25:50 -08:00			`_, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Update(newPv)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`if err != nil {`
update examples and log text 2020-02-06 22:51:16 -08:00			`return fmt.Errorf("failed to update namespaced policy violation: %v", err)`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`
update examples and log text 2020-02-06 22:51:16 -08:00
527 prototype changes to handle generate stats - also changes made to handle stats such as violation count and generated resources count - currently untested 2020-02-24 20:12:39 +05:30			`go nspv.policyStatus.UpdatePolicyStatusWithViolationCount(newPv.Spec.Policy, newPv.Spec.ViolatedRules)`
Adding log level 4 to "Loading variable" logs in context.go line no 124 and 139 (#648) Type at pkg/policyviolation/namespacedev.go 2020-01-25 05:59:51 +05:30			`glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec)`
refactor policy violation resource 2019-11-26 18:07:15 -08:00			`return nil`
create namespace pv when validate policy fails 2019-11-12 13:32:30 -08:00			`}`