kyverno/pkg/webhooks/utils.go

package webhooks

import (
	"fmt"
	"strings"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
	"github.com/nirmata/kyverno/pkg/engine"
)

func isResponseSuccesful(engineReponses []engine.EngineResponse) bool {
	for _, er := range engineReponses {
		if !er.IsSuccesful() {
			return false
		}
	}
	return true
}

// returns true -> if there is even one policy that blocks resource request
// returns false -> if all the policies are meant to report only, we dont block resource request
func toBlockResource(engineReponses []engine.EngineResponse) bool {
	for _, er := range engineReponses {
		if er.PolicyResponse.ValidationFailureAction == Enforce {
			glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)
			return true
		}
	}
	glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation")
	return false
}

func getErrorMsg(engineReponses []engine.EngineResponse) string {
	var str []string
	var resourceInfo string

	for _, er := range engineReponses {
		if !er.IsSuccesful() {
			// resource in engineReponses is identical as this was called per admission request
			resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
			str = append(str, fmt.Sprintf("failed policy %s", er.PolicyResponse.Policy))
			for _, rule := range er.PolicyResponse.Rules {
				if !rule.Success {
					str = append(str, rule.ToString())
				}
			}
		}
	}
	return fmt.Sprintf("Resource %s: %s", resourceInfo, strings.Join(str, "\n"))
}

//ArrayFlags to store filterkinds
type ArrayFlags []string

func (i *ArrayFlags) String() string {
	var sb strings.Builder
	for _, str := range *i {
		sb.WriteString(str)
	}
	return sb.String()
}

//Set setter for array flags
func (i *ArrayFlags) Set(value string) error {
	*i = append(*i, value)
	return nil
}

// extract the kinds that the policy rules apply to
func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string {
	kinds := []string{}
	// iterate over the rules an identify all kinds
	// Matching
	for _, rule := range p.Spec.Rules {
		for _, k := range rule.MatchResources.Kinds {
			kinds = append(kinds, k)
		}
	}
	return kinds
}

// Policy Reporting Modes
const (
	Enforce = "enforce" // blocks the request on failure
	Audit   = "audit"   // dont block the request on failure, but report failiures as policy violations
)

func processResourceWithPatches(patch []byte, resource []byte) []byte {
	if patch == nil {
		return nil
	}

	resource, err := engine.ApplyPatchNew(resource, patch)
	if err != nil {
		glog.Errorf("failed to patch resource: %v", err)
		return nil
	}
	return resource
}
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`package webhooks`

			`import (`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"fmt"`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`"strings"`
code review corrections 2019-06-19 14:05:23 -07:00
bypass annotation additions 2019-07-19 12:47:20 -07:00			`"github.com/golang/glog"`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"`
initial redesign 2019-08-23 18:34:23 -07:00			`"github.com/nirmata/kyverno/pkg/engine"`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`)`

update engineResponse Name 2019-10-08 10:57:24 -07:00			`func isResponseSuccesful(engineReponses []engine.EngineResponse) bool {`
initial redesign 2019-08-23 18:34:23 -07:00			`for _, er := range engineReponses {`
			`if !er.IsSuccesful() {`
			`return false`
			`}`
			`}`
			`return true`
			`}`

set default ValidationFailureAction to 'audit' 2019-09-06 10:18:45 -07:00			`// returns true -> if there is even one policy that blocks resource request`
initial redesign 2019-08-23 18:34:23 -07:00			`// returns false -> if all the policies are meant to report only, we dont block resource request`
update engineResponse Name 2019-10-08 10:57:24 -07:00			`func toBlockResource(engineReponses []engine.EngineResponse) bool {`
initial redesign 2019-08-23 18:34:23 -07:00			`for _, er := range engineReponses {`
set default ValidationFailureAction to 'audit' 2019-09-06 10:18:45 -07:00			`if er.PolicyResponse.ValidationFailureAction == Enforce {`
			`glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)`
initial redesign 2019-08-23 18:34:23 -07:00			`return true`
			`}`
			`}`
set default ValidationFailureAction to 'audit' 2019-09-06 10:18:45 -07:00			`glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation")`
initial redesign 2019-08-23 18:34:23 -07:00			`return false`
			`}`

update engineResponse Name 2019-10-08 10:57:24 -07:00			`func getErrorMsg(engineReponses []engine.EngineResponse) string {`
initial redesign 2019-08-23 18:34:23 -07:00			`var str []string`
- remove resource info per rule; - add resource info in each failed admission request 2019-11-06 17:14:32 -08:00			`var resourceInfo string`

initial redesign 2019-08-23 18:34:23 -07:00			`for _, er := range engineReponses {`
			`if !er.IsSuccesful() {`
- remove resource info per rule; - add resource info in each failed admission request 2019-11-06 17:14:32 -08:00			`// resource in engineReponses is identical as this was called per admission request`
			`resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)`
rebase with master 2019-08-30 01:08:54 -07:00			`str = append(str, fmt.Sprintf("failed policy %s", er.PolicyResponse.Policy))`
initial redesign 2019-08-23 18:34:23 -07:00			`for _, rule := range er.PolicyResponse.Rules {`
			`if !rule.Success {`
			`str = append(str, rule.ToString())`
			`}`
			`}`
			`}`
			`}`
- remove resource info per rule; - add resource info in each failed admission request 2019-11-06 17:14:32 -08:00			`return fmt.Sprintf("Resource %s: %s", resourceInfo, strings.Join(str, "\n"))`
initial redesign 2019-08-23 18:34:23 -07:00			`}`

comments 2019-07-23 00:55:45 -04:00			`//ArrayFlags to store filterkinds`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`type ArrayFlags []string`

			`func (i *ArrayFlags) String() string {`
			`var sb strings.Builder`
			`for _, str := range *i {`
			`sb.WriteString(str)`
			`}`
			`return sb.String()`
			`}`

comments 2019-07-23 00:55:45 -04:00			`//Set setter for array flags`
support comma seperated kinds 2019-06-18 11:47:45 -07:00			`func (i *ArrayFlags) Set(value string) error {`
			`i = append(i, value)`
			`return nil`
			`}`
code review corrections 2019-06-19 14:05:23 -07:00
			`// extract the kinds that the policy rules apply to`
change CRD Name to ClusterPolicy & ClusterPolicyViolations 2019-09-03 14:51:51 -07:00			`func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string {`
code review corrections 2019-06-19 14:05:23 -07:00			`kinds := []string{}`
			`// iterate over the rules an identify all kinds`
match % exclude resources 2019-07-23 23:34:03 -04:00			`// Matching`
code review corrections 2019-06-19 14:05:23 -07:00			`for _, rule := range p.Spec.Rules {`
match % exclude resources 2019-07-23 23:34:03 -04:00			`for _, k := range rule.MatchResources.Kinds {`
remove exlude kind checks 2019-09-04 10:40:49 -07:00			`kinds = append(kinds, k)`
match % exclude resources 2019-07-23 23:34:03 -04:00			`}`
code review corrections 2019-06-19 14:05:23 -07:00			`}`
			`return kinds`
			`}`
update flag & support ValidationFailureAction flag 2019-07-15 19:14:42 -07:00
			`// Policy Reporting Modes`
			`const (`
set default ValidationFailureAction to 'audit' 2019-09-06 10:18:45 -07:00			`Enforce = "enforce" // blocks the request on failure`
			`Audit = "audit" // dont block the request on failure, but report failiures as policy violations`
update flag & support ValidationFailureAction flag 2019-07-15 19:14:42 -07:00			`)`
change flag & corrections 2019-07-16 15:53:14 -07:00
initial redesign 2019-08-23 18:34:23 -07:00			`func processResourceWithPatches(patch []byte, resource []byte) []byte {`
			`if patch == nil {`
			`return nil`
			`}`
fix 365 annotation_bug 2019-10-07 18:31:14 -07:00
initial redesign 2019-08-23 18:34:23 -07:00			`resource, err := engine.ApplyPatchNew(resource, patch)`
			`if err != nil {`
fix patches 2019-08-26 16:10:19 -07:00			`glog.Errorf("failed to patch resource: %v", err)`
initial redesign 2019-08-23 18:34:23 -07:00			`return nil`
			`}`
			`return resource`
			`}`