kyverno/pkg/webhooks/mutation.go

package webhooks

import (
	"github.com/golang/glog"
	engine "github.com/nirmata/kyverno/pkg/engine"
	"github.com/nirmata/kyverno/pkg/info"
	policyctr "github.com/nirmata/kyverno/pkg/policy"
	"github.com/nirmata/kyverno/pkg/utils"
	v1beta1 "k8s.io/api/admission/v1beta1"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

// HandleMutation handles mutating webhook admission request
func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) (bool, engine.EngineResponse) {
	var patches [][]byte
	var policyInfos []info.PolicyInfo
	var policyStats []policyctr.PolicyStat
	// gather stats from the engine response
	gatherStat := func(policyName string, er engine.EngineResponse) {
		ps := policyctr.PolicyStat{}
		ps.PolicyName = policyName
		ps.MutationExecutionTime = er.ExecutionTime
		ps.RulesAppliedCount = er.RulesAppliedCount
		policyStats = append(policyStats, ps)
	}
	// send stats for aggregation
	sendStat := func(blocked bool) {
		for _, stat := range policyStats {
			stat.ResourceBlocked = blocked
			//SEND
			ws.policyStatus.SendStat(stat)
		}
	}

	glog.V(5).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)

	resource, err := engine.ConvertToUnstructured(request.Object.Raw)
	if err != nil {
		glog.Errorf("unable to convert raw resource to unstructured: %v", err)
	}

	//TODO: check if resource gvk is available in raw resource,
	// if not then set it from the api request
	resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})
	//TODO: check if the name and namespace is also passed right in the resource?

	engineResponse := engine.EngineResponse{PatchedResource: *resource}

	policies, err := ws.pLister.List(labels.NewSelector())
	if err != nil {
		//TODO check if the CRD is created ?
		// Unable to connect to policy Lister to access policies
		glog.Errorln("Unable to connect to policy controller to access policies. Mutation Rules are NOT being applied")
		glog.Warning(err)
		return true, engineResponse
	}

	for _, policy := range policies {

		// check if policy has a rule for the admission request kind
		if !utils.Contains(getApplicableKindsForPolicy(policy), request.Kind.Kind) {
			continue
		}

		policyInfo := info.NewPolicyInfo(policy.Name, resource.GetKind(), resource.GetName(), resource.GetNamespace(), policy.Spec.ValidationFailureAction)

		glog.V(4).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
			resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
		glog.V(4).Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))

		engineResponse = engine.Mutate(*policy, *resource)
		policyInfo.AddRuleInfos(engineResponse.RuleInfos)
		// Gather policy application statistics
		gatherStat(policy.Name, engineResponse)

		// ps := policyctr.NewPolicyStat(policy.Name, engineResponse.ExecutionTime, nil, engineResponse.RulesAppliedCount)

		if !policyInfo.IsSuccessful() {
			glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
			glog.V(4).Info("Failed rule details")
			for _, r := range engineResponse.RuleInfos {
				glog.V(4).Infof("%s: %s\n", r.Name, r.Msgs)
			}
			continue
		}

		patches = append(patches, engineResponse.Patches...)
		policyInfos = append(policyInfos, policyInfo)
		glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())

	}

	// ADD ANNOTATIONS
	// ADD EVENTS
	if len(patches) > 0 {
		eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), info.Mutation)
		ws.eventGen.Add(eventsInfo...)

		annotation := prepareAnnotationPatches(resource, policyInfos)
		patches = append(patches, annotation)
	}

	ok, msg := isAdmSuccesful(policyInfos)
	// Send policy engine Stats
	if ok {
		sendStat(false)
		engineResponse.Patches = patches
		return true, engineResponse
	}

	sendStat(true)
	glog.Errorf("Failed to mutate the resource: %s\n", msg)
	return false, engineResponse
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
			`"github.com/golang/glog"`
			`engine "github.com/nirmata/kyverno/pkg/engine"`
			`"github.com/nirmata/kyverno/pkg/info"`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`policyctr "github.com/nirmata/kyverno/pkg/policy"`
resource description: support list of namespaces 2019-08-17 09:45:57 -07:00			`"github.com/nirmata/kyverno/pkg/utils"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`v1beta1 "k8s.io/api/admission/v1beta1"`
			`"k8s.io/apimachinery/pkg/labels"`
clean up mutation 2019-08-09 12:59:37 -07:00			`"k8s.io/apimachinery/pkg/runtime/schema"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`)`

			`// HandleMutation handles mutating webhook admission request`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`func (ws WebhookServer) HandleMutation(request v1beta1.AdmissionRequest) (bool, engine.EngineResponse) {`
clean up mutation 2019-08-09 12:59:37 -07:00			`var patches [][]byte`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`var policyInfos []info.PolicyInfo`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`var policyStats []policyctr.PolicyStat`
			`// gather stats from the engine response`
			`gatherStat := func(policyName string, er engine.EngineResponse) {`
			`ps := policyctr.PolicyStat{}`
			`ps.PolicyName = policyName`
			`ps.MutationExecutionTime = er.ExecutionTime`
			`ps.RulesAppliedCount = er.RulesAppliedCount`
			`policyStats = append(policyStats, ps)`
			`}`
			`// send stats for aggregation`
			`sendStat := func(blocked bool) {`
			`for _, stat := range policyStats {`
			`stat.ResourceBlocked = blocked`
			`//SEND`
			`ws.policyStatus.SendStat(stat)`
			`}`
			`}`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`glog.V(5).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
			`request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)`
clean up mutation 2019-08-09 12:59:37 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`resource, err := engine.ConvertToUnstructured(request.Object.Raw)`
clean up mutation 2019-08-09 12:59:37 -07:00			`if err != nil {`
			`glog.Errorf("unable to convert raw resource to unstructured: %v", err)`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`}`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
clean up mutation 2019-08-09 12:59:37 -07:00			`//TODO: check if resource gvk is available in raw resource,`
			`// if not then set it from the api request`
			`resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})`
			`//TODO: check if the name and namespace is also passed right in the resource?`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00
			`engineResponse := engine.EngineResponse{PatchedResource: *resource}`
- add debug log - tested fix 2019-07-21 14:13:00 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`policies, err := ws.pLister.List(labels.NewSelector())`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`if err != nil {`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`//TODO check if the CRD is created ?`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// Unable to connect to policy Lister to access policies`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`glog.Errorln("Unable to connect to policy controller to access policies. Mutation Rules are NOT being applied")`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`glog.Warning(err)`
combine policy engine returns into single struct 2019-08-14 15:18:46 -07:00			`return true, engineResponse`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`for _, policy := range policies {`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// check if policy has a rule for the admission request kind`
resource description: support list of namespaces 2019-08-17 09:45:57 -07:00			`if !utils.Contains(getApplicableKindsForPolicy(policy), request.Kind.Kind) {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`continue`
			`}`

event generator cleanup 2019-08-09 13:41:56 -07:00			`policyInfo := info.NewPolicyInfo(policy.Name, resource.GetKind(), resource.GetName(), resource.GetNamespace(), policy.Spec.ValidationFailureAction)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
			`resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)`
			`glog.V(4).Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`engineResponse = engine.Mutate(policy, resource)`
combine policy engine returns into single struct 2019-08-14 15:18:46 -07:00			`policyInfo.AddRuleInfos(engineResponse.RuleInfos)`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`// Gather policy application statistics`
			`gatherStat(policy.Name, engineResponse)`

			`// ps := policyctr.NewPolicyStat(policy.Name, engineResponse.ExecutionTime, nil, engineResponse.RulesAppliedCount)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`if !policyInfo.IsSuccessful() {`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())`
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Info("Failed rule details")`
combine policy engine returns into single struct 2019-08-14 15:18:46 -07:00			`for _, r := range engineResponse.RuleInfos {`
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Infof("%s: %s\n", r.Name, r.Msgs)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
clean up mutation 2019-08-09 12:59:37 -07:00			`continue`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
Change of annotation purpose #262 2019-08-19 16:10:10 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`patches = append(patches, engineResponse.Patches...)`
Change of annotation purpose #262 2019-08-19 16:10:10 -07:00			`policyInfos = append(policyInfos, policyInfo)`
clean up mutation 2019-08-09 12:59:37 -07:00			`glog.V(4).Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`

clean up mutation 2019-08-09 12:59:37 -07:00			`// ADD ANNOTATIONS`
			`// ADD EVENTS`
generate events for resource & policy 2019-08-09 17:28:49 -07:00			`if len(patches) > 0 {`
clean up 2019-08-14 10:01:47 -07:00			`eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), info.Mutation)`
generate events for resource & policy 2019-08-09 17:28:49 -07:00			`ws.eventGen.Add(eventsInfo...)`
Change of annotation purpose #262 2019-08-19 16:10:10 -07:00
			`annotation := prepareAnnotationPatches(resource, policyInfos)`
			`patches = append(patches, annotation)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`ok, msg := isAdmSuccesful(policyInfos)`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`// Send policy engine Stats`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`if ok {`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`sendStat(false)`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`engineResponse.Patches = patches`
combine policy engine returns into single struct 2019-08-14 15:18:46 -07:00			`return true, engineResponse`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`sendStat(true)`
- Patch resource between every rule application - move mutation & validation to mutate webhook 2019-08-14 11:51:01 -07:00			`glog.Errorf("Failed to mutate the resource: %s\n", msg)`
combine policy engine returns into single struct 2019-08-14 15:18:46 -07:00			`return false, engineResponse`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`