kyverno/pkg/controller/processPolicy.go

package controller

import (
	"encoding/json"
	"fmt"

	types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
	"github.com/nirmata/kube-policy/pkg/engine/mutation"
	event "github.com/nirmata/kube-policy/pkg/event"
	violation "github.com/nirmata/kube-policy/pkg/violation"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/runtime"
	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
)

func (pc *PolicyController) runForPolicy(key string) {

	policy, err := pc.getPolicyByKey(key)
	if err != nil {
		utilruntime.HandleError(fmt.Errorf("invalid resource key: %s, err: %v", key, err))
		return
	}

	if policy == nil {
		pc.logger.Printf("Counld not find policy by key %s", key)
		return
	}

	violations, events, err := pc.processPolicy(*policy)
	if err != nil {
		// add Error processing policy event
	}

	pc.logger.Printf("%v, %v", violations, events)
	// TODO:
	// create violations
	//	pc.violationBuilder.Add()
	// create events
	//	pc.eventBuilder.Add()

}

// processPolicy process the policy to all the matched resources
func (pc *PolicyController) processPolicy(policy types.Policy) (
	violations []violation.Info, events []event.Info, err error) {

	for _, rule := range policy.Spec.Rules {
		resources, err := pc.filterResourceByRule(rule)
		if err != nil {
			pc.logger.Printf("Failed to filter resources by rule %s, err: %v\n", rule.Name, err)
		}

		for _, resource := range resources {
			rawResource, err := json.Marshal(resource)
			if err != nil {
				pc.logger.Printf("Failed to marshal resources map to rule %s, err: %v\n", rule.Name, err)
				continue
			}

			violation, eventInfos, err := pc.policyEngine.ProcessExisting(policy, rawResource)
			if err != nil {
				pc.logger.Printf("Failed to process rule %s, err: %v\n", rule.Name, err)
				continue
			}

			violations = append(violations, violation...)
			events = append(events, eventInfos...)
		}
	}
	return violations, events, nil
}

func (pc *PolicyController) filterResourceByRule(rule types.Rule) ([]runtime.Object, error) {
	var targetResources []runtime.Object
	// TODO: make this namespace all
	var namespace = "default"
	if err := rule.Validate(); err != nil {
		return nil, fmt.Errorf("invalid rule detected: %s, err: %v", rule.Name, err)
	}

	// Get the resource list from kind
	resources, err := pc.kubeClient.ListResource(rule.ResourceDescription.Kind, namespace)
	if err != nil {
		return nil, err
	}

	for _, resource := range resources {
		// TODO:
		rawResource, err := json.Marshal(resource)
		// objKind := resource.GetObjectKind()
		// codecFactory := serializer.NewCodecFactory(runtime.NewScheme())
		// codecFactory.EncoderForVersion()

		if err != nil {
			pc.logger.Printf("failed to marshal object %v", resource)
			continue
		}

		// filter the resource by name and label
		if ok, _ := mutation.IsRuleApplicableToResource(rawResource, rule.ResourceDescription); ok {
			targetResources = append(targetResources, resource)
		}
	}
	return targetResources, nil
}

func (pc *PolicyController) getPolicyByKey(key string) (*types.Policy, error) {
	// Create nil Selector to grab all the policies
	selector := labels.NewSelector()
	cachedPolicies, err := pc.policyLister.List(selector)
	if err != nil {
		return nil, err
	}

	for _, elem := range cachedPolicies {
		if elem.Name == key {
			return elem, nil
		}
	}

	return nil, nil
}
Resolve PR 27 2019-05-13 18:17:28 -07:00			`package controller`
Add PolicyEngine 2019-05-09 22:26:22 -07:00
			`import (`
			`"encoding/json"`
			`"fmt"`

			`types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"`
Resolve PR 27 2019-05-13 18:17:28 -07:00			`"github.com/nirmata/kube-policy/pkg/engine/mutation"`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`event "github.com/nirmata/kube-policy/pkg/event"`
Resolve PR 27 2019-05-13 18:17:28 -07:00			`violation "github.com/nirmata/kube-policy/pkg/violation"`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`"k8s.io/apimachinery/pkg/labels"`
			`"k8s.io/apimachinery/pkg/runtime"`
			`utilruntime "k8s.io/apimachinery/pkg/util/runtime"`
			`)`

merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`func (pc *PolicyController) runForPolicy(key string) {`

			`policy, err := pc.getPolicyByKey(key)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`if err != nil {`
			`utilruntime.HandleError(fmt.Errorf("invalid resource key: %s, err: %v", key, err))`
			`return`
			`}`

			`if policy == nil {`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`pc.logger.Printf("Counld not find policy by key %s", key)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`return`
			`}`

merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`violations, events, err := pc.processPolicy(*policy)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`if err != nil {`
			`// add Error processing policy event`
			`}`

merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`pc.logger.Printf("%v, %v", violations, events)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`// TODO:`
			`// create violations`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`// pc.violationBuilder.Add()`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`// create events`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`// pc.eventBuilder.Add()`
Add PolicyEngine 2019-05-09 22:26:22 -07:00
			`}`

			`// processPolicy process the policy to all the matched resources`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`func (pc *PolicyController) processPolicy(policy types.Policy) (`
Resolve PR 27 2019-05-13 18:17:28 -07:00			`violations []violation.Info, events []event.Info, err error) {`
Add PolicyEngine 2019-05-09 22:26:22 -07:00
			`for _, rule := range policy.Spec.Rules {`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`resources, err := pc.filterResourceByRule(rule)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`if err != nil {`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`pc.logger.Printf("Failed to filter resources by rule %s, err: %v\n", rule.Name, err)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`}`

			`for _, resource := range resources {`
			`rawResource, err := json.Marshal(resource)`
			`if err != nil {`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`pc.logger.Printf("Failed to marshal resources map to rule %s, err: %v\n", rule.Name, err)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`continue`
			`}`

merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`violation, eventInfos, err := pc.policyEngine.ProcessExisting(policy, rawResource)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`if err != nil {`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`pc.logger.Printf("Failed to process rule %s, err: %v\n", rule.Name, err)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`continue`
			`}`

			`violations = append(violations, violation...)`
			`events = append(events, eventInfos...)`
			`}`
			`}`
			`return violations, events, nil`
			`}`

Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`func (pc *PolicyController) filterResourceByRule(rule types.Rule) ([]runtime.Object, error) {`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`var targetResources []runtime.Object`
			`// TODO: make this namespace all`
			`var namespace = "default"`
			`if err := rule.Validate(); err != nil {`
			`return nil, fmt.Errorf("invalid rule detected: %s, err: %v", rule.Name, err)`
			`}`

			`// Get the resource list from kind`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`resources, err := pc.kubeClient.ListResource(rule.ResourceDescription.Kind, namespace)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`if err != nil {`
			`return nil, err`
			`}`

			`for _, resource := range resources {`
			`// TODO:`
			`rawResource, err := json.Marshal(resource)`
			`// objKind := resource.GetObjectKind()`
			`// codecFactory := serializer.NewCodecFactory(runtime.NewScheme())`
			`// codecFactory.EncoderForVersion()`

			`if err != nil {`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`pc.logger.Printf("failed to marshal object %v", resource)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`continue`
			`}`

			`// filter the resource by name and label`
Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 21:27:47 +03:00			`if ok, _ := mutation.IsRuleApplicableToResource(rawResource, rule.ResourceDescription); ok {`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`targetResources = append(targetResources, resource)`
			`}`
			`}`
			`return targetResources, nil`
			`}`

merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`func (pc PolicyController) getPolicyByKey(key string) (types.Policy, error) {`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`// Create nil Selector to grab all the policies`
			`selector := labels.NewSelector()`
merge the changes with policy-engine 2019-05-10 12:36:55 -07:00			`cachedPolicies, err := pc.policyLister.List(selector)`
Add PolicyEngine 2019-05-09 22:26:22 -07:00			`if err != nil {`
			`return nil, err`
			`}`

			`for _, elem := range cachedPolicies {`
			`if elem.Name == key {`
			`return elem, nil`
			`}`
			`}`

			`return nil, nil`
			`}`