kyverno/pkg/webhooks/policyvalidation.go

package webhooks

import (
	"encoding/json"
	"fmt"
	"reflect"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
	"github.com/nirmata/kyverno/pkg/utils"
	v1beta1 "k8s.io/api/admission/v1beta1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

//HandlePolicyValidation performs the validation check on policy resource
func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
	var policy *kyverno.Policy
	admissionResp := &v1beta1.AdmissionResponse{
		Allowed: true,
	}

	//TODO: can this happen? wont this be picked by OpenAPI spec schema ?
	raw := request.Object.Raw
	if err := json.Unmarshal(raw, &policy); err != nil {
		glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
		return &v1beta1.AdmissionResponse{Allowed: false,
			Result: &metav1.Status{
				Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),
			}}
	}
	// check for uniqueness of rule names while CREATE/DELET
	admissionResp = ws.validateUniqueRuleName(policy)

	if admissionResp.Allowed {
		ws.manageWebhookConfigurations(*policy, request.Operation)
	}

	return admissionResp
}

func (ws *WebhookServer) validatePolicy(policy *kyverno.Policy) *v1beta1.AdmissionResponse {
	admissionResp := ws.validateUniqueRuleName(policy)
	if !admissionResp.Allowed {
		return admissionResp
	}

	return ws.validateOverlayPattern(policy)
}

func (ws *WebhookServer) validateOverlayPattern(policy *kyverno.Policy) *v1beta1.AdmissionResponse {
	for _, rule := range policy.Spec.Rules {
		if reflect.DeepEqual(rule.Validation, kyverno.Validation{}) {
			continue
		}

		if rule.Validation.Pattern == nil && len(rule.Validation.AnyPattern) == 0 {
			return &v1beta1.AdmissionResponse{
				Allowed: false,
				Result: &metav1.Status{
					Message: fmt.Sprintf("Invalid policy, neither pattern nor anyPattern found in validate rule %s", rule.Name),
				},
			}
		}

		if rule.Validation.Pattern != nil && len(rule.Validation.AnyPattern) != 0 {
			return &v1beta1.AdmissionResponse{
				Allowed: false,
				Result: &metav1.Status{
					Message: fmt.Sprintf("Invalid policy, either pattern or anyPattern is allowed in validate rule %s", rule.Name),
				},
			}
		}
	}

	return &v1beta1.AdmissionResponse{Allowed: true}
}

// Verify if the Rule names are unique within a policy
func (ws *WebhookServer) validateUniqueRuleName(policy *kyverno.Policy) *v1beta1.AdmissionResponse {
	var ruleNames []string

	for _, rule := range policy.Spec.Rules {
		if utils.Contains(ruleNames, rule.Name) {
			msg := fmt.Sprintf(`The policy "%s" is invalid: duplicate rule name: "%s"`, policy.Name, rule.Name)
			glog.Errorln(msg)

			return &v1beta1.AdmissionResponse{
				Allowed: false,
				Result: &metav1.Status{
					Message: msg,
				},
			}
		}
		ruleNames = append(ruleNames, rule.Name)
	}

	glog.V(4).Infof("Policy validation passed")
	return &v1beta1.AdmissionResponse{
		Allowed: true,
	}
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
			`"encoding/json"`
			`"fmt"`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`"reflect"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`"github.com/golang/glog"`
clean up 2019-08-14 10:01:47 -07:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"github.com/nirmata/kyverno/pkg/utils"`
			`v1beta1 "k8s.io/api/admission/v1beta1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`)`

			`//HandlePolicyValidation performs the validation check on policy resource`
endpoint for policy mutation + refactor + graceful shutdown 2019-08-27 16:44:10 -07:00			`func (ws WebhookServer) handlePolicyValidation(request v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`var policy *kyverno.Policy`
implement deletion logic 2019-08-08 13:09:40 -07:00			`admissionResp := &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
return on delete request 2019-08-21 16:42:42 -07:00
endpoint for policy mutation + refactor + graceful shutdown 2019-08-27 16:44:10 -07:00			`//TODO: can this happen? wont this be picked by OpenAPI spec schema ?`
return on delete request 2019-08-21 16:42:42 -07:00			`raw := request.Object.Raw`
implement deletion logic 2019-08-08 13:09:40 -07:00			`if err := json.Unmarshal(raw, &policy); err != nil {`
			`glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)`
add anyPattern in validate rule 2019-08-21 12:38:15 -07:00			`return &v1beta1.AdmissionResponse{Allowed: false,`
			`Result: &metav1.Status{`
			`Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),`
			`}}`
implement deletion logic 2019-08-08 13:09:40 -07:00			`}`
return on delete request 2019-08-21 16:42:42 -07:00			`// check for uniqueness of rule names while CREATE/DELET`
			`admissionResp = ws.validateUniqueRuleName(policy)`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00
			`if admissionResp.Allowed {`
implement deletion logic 2019-08-08 13:09:40 -07:00			`ws.manageWebhookConfigurations(*policy, request.Operation)`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`}`
implement deletion logic 2019-08-08 13:09:40 -07:00
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`return admissionResp`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`

add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`func (ws WebhookServer) validatePolicy(policy kyverno.Policy) *v1beta1.AdmissionResponse {`
			`admissionResp := ws.validateUniqueRuleName(policy)`
			`if !admissionResp.Allowed {`
			`return admissionResp`
			`}`

			`return ws.validateOverlayPattern(policy)`
			`}`

			`func (ws WebhookServer) validateOverlayPattern(policy kyverno.Policy) *v1beta1.AdmissionResponse {`
			`for _, rule := range policy.Spec.Rules {`
add anyPattern in validate rule 2019-08-21 12:38:15 -07:00			`if reflect.DeepEqual(rule.Validation, kyverno.Validation{}) {`
			`continue`
			`}`

			`if rule.Validation.Pattern == nil && len(rule.Validation.AnyPattern) == 0 {`
			`return &v1beta1.AdmissionResponse{`
			`Allowed: false,`
			`Result: &metav1.Status{`
			`Message: fmt.Sprintf("Invalid policy, neither pattern nor anyPattern found in validate rule %s", rule.Name),`
			`},`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`}`
			`}`
add check for validate rule 2019-08-21 14:06:06 -07:00
			`if rule.Validation.Pattern != nil && len(rule.Validation.AnyPattern) != 0 {`
			`return &v1beta1.AdmissionResponse{`
			`Allowed: false,`
			`Result: &metav1.Status{`
			`Message: fmt.Sprintf("Invalid policy, either pattern or anyPattern is allowed in validate rule %s", rule.Name),`
			`},`
			`}`
			`}`
add anyPattern in crd definition 2019-08-20 17:56:02 -07:00			`}`

			`return &v1beta1.AdmissionResponse{Allowed: true}`
			`}`

restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// Verify if the Rule names are unique within a policy`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`func (ws WebhookServer) validateUniqueRuleName(policy kyverno.Policy) *v1beta1.AdmissionResponse {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`var ruleNames []string`

			`for _, rule := range policy.Spec.Rules {`
			`if utils.Contains(ruleNames, rule.Name) {`
			msg := fmt.Sprintf(`The policy "%s" is invalid: duplicate rule name: "%s"`, policy.Name, rule.Name)
			`glog.Errorln(msg)`

			`return &v1beta1.AdmissionResponse{`
			`Allowed: false,`
			`Result: &metav1.Status{`
			`Message: msg,`
			`},`
			`}`
			`}`
			`ruleNames = append(ruleNames, rule.Name)`
			`}`

update document 2019-08-21 18:47:49 -07:00			`glog.V(4).Infof("Policy validation passed")`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`return &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
			`}`