kyverno/pkg/webhooks/validation.go

package webhooks

import (
	"github.com/golang/glog"
	engine "github.com/nirmata/kyverno/pkg/engine"
	"github.com/nirmata/kyverno/pkg/info"
	policyctr "github.com/nirmata/kyverno/pkg/policy"
	"github.com/nirmata/kyverno/pkg/policyviolation"
	"github.com/nirmata/kyverno/pkg/utils"
	v1beta1 "k8s.io/api/admission/v1beta1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/labels"
	"k8s.io/apimachinery/pkg/runtime/schema"
)

// HandleValidation handles validating webhook admission request
// If there are no errors in validating rule we apply generation rules
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured) *v1beta1.AdmissionResponse {
	var policyInfos []info.PolicyInfo
	var policyStats []policyctr.PolicyStat
	// gather stats from the engine response
	gatherStat := func(policyName string, er engine.EngineResponse) {
		ps := policyctr.PolicyStat{}
		ps.PolicyName = policyName
		ps.ValidationExecutionTime = er.ExecutionTime
		ps.RulesAppliedCount = er.RulesAppliedCount
		policyStats = append(policyStats, ps)
	}
	// send stats for aggregation
	sendStat := func(blocked bool) {
		for _, stat := range policyStats {
			stat.ResourceBlocked = blocked
			//SEND
			ws.policyStatus.SendStat(stat)
		}
	}

	glog.V(5).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)

	policies, err := ws.pLister.List(labels.NewSelector())
	if err != nil {
		//TODO check if the CRD is created ?
		// Unable to connect to policy Lister to access policies
		glog.Error("Unable to connect to policy controller to access policies. Validation Rules are NOT being applied")
		glog.Warning(err)
		return &v1beta1.AdmissionResponse{
			Allowed: true,
		}
	}

	//TODO: check if resource gvk is available in raw resource,
	// if not then set it from the api request
	resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})
	//TODO: check if the name and namespace is also passed right in the resource?
	// all the patches to be applied on the resource

	for _, policy := range policies {

		if !utils.Contains(getApplicableKindsForPolicy(policy), request.Kind.Kind) {
			continue
		}

		policyInfo := info.NewPolicyInfo(policy.Name, resource.GetKind(), resource.GetName(), resource.GetNamespace(), policy.Spec.ValidationFailureAction)

		glog.V(4).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
			resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)

		glog.V(4).Infof("Validating resource %s/%s/%s with policy %s with %d rules\n", resource.GetKind(), resource.GetNamespace(), resource.GetName(), policy.ObjectMeta.Name, len(policy.Spec.Rules))

		engineResponse := engine.Validate(*policy, resource)
		if len(engineResponse.RuleInfos) == 0 {
			continue
		}
		gatherStat(policy.Name, engineResponse)

		if len(engineResponse.RuleInfos) > 0 {
			glog.V(4).Infof("Validation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())
		}

		policyInfo.AddRuleInfos(engineResponse.RuleInfos)

		if !policyInfo.IsSuccessful() {
			glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, resource.GetNamespace(), resource.GetName())
			for _, r := range engineResponse.RuleInfos {
				glog.Warningf("%s: %s\n", r.Name, r.Msgs)
			}
		}

		policyInfos = append(policyInfos, policyInfo)

	}

	// ADD EVENTS
	if len(policyInfos) > 0 && len(policyInfos[0].Rules) != 0 {
		eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), info.Validation)
		// If the validationFailureAction flag is set "audit",
		// then we dont block the request and report the violations
		ws.eventGen.Add(eventsInfo...)
	}

	// If Validation fails then reject the request
	// violations are created if "audit" flag is set
	// and if there are any then we dont block the resource creation
	// Even if one the policy being applied
	ok, msg := isAdmSuccesful(policyInfos)
	if !ok && toBlock(policyInfos) {
		sendStat(true)
		return &v1beta1.AdmissionResponse{
			Allowed: false,
			Result: &metav1.Status{
				Message: msg,
			},
		}
	}

	// ADD POLICY VIOLATIONS
	policyviolation.GeneratePolicyViolations(ws.pvListerSynced, ws.pvLister, ws.kyvernoClient, policyInfos)

	sendStat(false)
	return &v1beta1.AdmissionResponse{
		Allowed: true,
	}
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
			`"github.com/golang/glog"`
			`engine "github.com/nirmata/kyverno/pkg/engine"`
			`"github.com/nirmata/kyverno/pkg/info"`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`policyctr "github.com/nirmata/kyverno/pkg/policy"`
existing resource reporting 2019-08-13 13:15:04 -07:00			`"github.com/nirmata/kyverno/pkg/policyviolation"`
resource description: support list of namespaces 2019-08-17 09:45:57 -07:00			`"github.com/nirmata/kyverno/pkg/utils"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`v1beta1 "k8s.io/api/admission/v1beta1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"k8s.io/apimachinery/pkg/labels"`
event generator cleanup 2019-08-09 13:41:56 -07:00			`"k8s.io/apimachinery/pkg/runtime/schema"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`)`

			`// HandleValidation handles validating webhook admission request`
			`// If there are no errors in validating rule we apply generation rules`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`func (ws WebhookServer) HandleValidation(request v1beta1.AdmissionRequest, resource unstructured.Unstructured) *v1beta1.AdmissionResponse {`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`var policyInfos []info.PolicyInfo`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`var policyStats []policyctr.PolicyStat`
			`// gather stats from the engine response`
			`gatherStat := func(policyName string, er engine.EngineResponse) {`
			`ps := policyctr.PolicyStat{}`
			`ps.PolicyName = policyName`
			`ps.ValidationExecutionTime = er.ExecutionTime`
			`ps.RulesAppliedCount = er.RulesAppliedCount`
			`policyStats = append(policyStats, ps)`
			`}`
			`// send stats for aggregation`
			`sendStat := func(blocked bool) {`
			`for _, stat := range policyStats {`
			`stat.ResourceBlocked = blocked`
			`//SEND`
			`ws.policyStatus.SendStat(stat)`
			`}`
			`}`
- update install_debug.yaml - add debug log 2019-07-23 17:54:31 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`glog.V(5).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
- add debug log - tested fix 2019-07-21 14:13:00 -07:00			`request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)`

test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`policies, err := ws.pLister.List(labels.NewSelector())`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`if err != nil {`
event generator cleanup 2019-08-09 13:41:56 -07:00			`//TODO check if the CRD is created ?`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// Unable to connect to policy Lister to access policies`
			`glog.Error("Unable to connect to policy controller to access policies. Validation Rules are NOT being applied")`
			`glog.Warning(err)`
			`return &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
			`}`
annotations creation,update & removal 2019-07-17 23:13:28 -07:00
event generator cleanup 2019-08-09 13:41:56 -07:00			`//TODO: check if resource gvk is available in raw resource,`
			`// if not then set it from the api request`
			`resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})`
			`//TODO: check if the name and namespace is also passed right in the resource?`
			`// all the patches to be applied on the resource`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`for _, policy := range policies {`

resource description: support list of namespaces 2019-08-17 09:45:57 -07:00			`if !utils.Contains(getApplicableKindsForPolicy(policy), request.Kind.Kind) {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`continue`
			`}`

event generator cleanup 2019-08-09 13:41:56 -07:00			`policyInfo := info.NewPolicyInfo(policy.Name, resource.GetKind(), resource.GetName(), resource.GetNamespace(), policy.Spec.ValidationFailureAction)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
event generator cleanup 2019-08-09 13:41:56 -07:00			`glog.V(4).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",`
			`resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)`

Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`glog.V(4).Infof("Validating resource %s/%s/%s with policy %s with %d rules\n", resource.GetKind(), resource.GetNamespace(), resource.GetName(), policy.ObjectMeta.Name, len(policy.Spec.Rules))`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`engineResponse := engine.Validate(*policy, resource)`
			`if len(engineResponse.RuleInfos) == 0 {`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`continue`
			`}`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`gatherStat(policy.Name, engineResponse)`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00
			`if len(engineResponse.RuleInfos) > 0 {`
			`glog.V(4).Infof("Validation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName())`
			`}`

combine policy engine returns into single struct 2019-08-14 15:18:46 -07:00			`policyInfo.AddRuleInfos(engineResponse.RuleInfos)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`if !policyInfo.IsSuccessful() {`
event generator cleanup 2019-08-09 13:41:56 -07:00			`glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, resource.GetNamespace(), resource.GetName())`
combine policy engine returns into single struct 2019-08-14 15:18:46 -07:00			`for _, r := range engineResponse.RuleInfos {`
remove rule name in failure even info 2019-07-19 17:52:24 -07:00			`glog.Warningf("%s: %s\n", r.Name, r.Msgs)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
			`}`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`policyInfos = append(policyInfos, policyInfo)`
Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`

event generator cleanup 2019-08-09 13:41:56 -07:00			`// ADD EVENTS`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`if len(policyInfos) > 0 && len(policyInfos[0].Rules) != 0 {`
clean up 2019-08-14 10:01:47 -07:00			`eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), info.Validation)`
change flag field 2019-07-23 18:29:44 -04:00			`// If the validationFailureAction flag is set "audit",`
update flag & support ValidationFailureAction flag 2019-07-15 19:14:42 -07:00			`// then we dont block the request and report the violations`
generate events for resource & policy 2019-08-09 17:28:49 -07:00			`ws.eventGen.Add(eventsInfo...)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`// If Validation fails then reject the request`
change flag field 2019-07-23 18:29:44 -04:00			`// violations are created if "audit" flag is set`
add profiling flags 2019-08-02 11:18:02 -07:00			`// and if there are any then we dont block the resource creation`
update flag & support ValidationFailureAction flag 2019-07-15 19:14:42 -07:00			`// Even if one the policy being applied`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`ok, msg := isAdmSuccesful(policyInfos)`
change flag & corrections 2019-07-16 15:53:14 -07:00			`if !ok && toBlock(policyInfos) {`
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`sendStat(true)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`return &v1beta1.AdmissionResponse{`
			`Allowed: false,`
			`Result: &metav1.Status{`
			`Message: msg,`
			`},`
			`}`
			`}`

start creation policy violation 2019-08-09 19:12:50 -07:00			`// ADD POLICY VIOLATIONS`
existing resource reporting 2019-08-13 13:15:04 -07:00			`policyviolation.GeneratePolicyViolations(ws.pvListerSynced, ws.pvLister, ws.kyvernoClient, policyInfos)`
start creation policy violation 2019-08-09 19:12:50 -07:00
recieve stats + update violation status move to aggregator 2019-08-20 12:51:25 -07:00			`sendStat(false)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`return &v1beta1.AdmissionResponse{`
			`Allowed: true,`
			`}`
			`}`