2019-07-15 16:07:56 -07:00
|
|
|
package webhooks
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"github.com/golang/glog"
|
|
|
|
|
engine "github.com/nirmata/kyverno/pkg/engine"
|
2019-08-20 12:51:25 -07:00
|
|
|
policyctr "github.com/nirmata/kyverno/pkg/policy"
|
2019-08-13 13:15:04 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/policyviolation"
|
2019-08-17 09:45:57 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/utils"
|
2019-07-15 16:07:56 -07:00
|
|
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
|
|
|
|
"k8s.io/apimachinery/pkg/labels"
|
2019-08-09 13:41:56 -07:00
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
2019-07-15 16:07:56 -07:00
|
|
|
)
|
|
|
|
|
|
2019-10-30 13:39:19 -07:00
|
|
|
// handleValidation handles validating webhook admission request
|
2019-07-15 16:07:56 -07:00
|
|
|
// If there are no errors in validating rule we apply generation rules
|
2019-08-23 18:34:23 -07:00
|
|
|
// patchedResource is the (resource + patches) after applying mutation rules
|
2019-10-30 13:39:19 -07:00
|
|
|
func (ws *WebhookServer) handleValidation(request *v1beta1.AdmissionRequest, patchedResource []byte) (bool, string) {
|
2019-08-23 18:34:23 -07:00
|
|
|
glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
|
|
|
|
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
|
|
|
|
|
2019-08-20 12:51:25 -07:00
|
|
|
var policyStats []policyctr.PolicyStat
|
2019-08-23 18:34:23 -07:00
|
|
|
|
2019-08-20 12:51:25 -07:00
|
|
|
// gather stats from the engine response
|
2019-08-23 18:34:23 -07:00
|
|
|
gatherStat := func(policyName string, policyResponse engine.PolicyResponse) {
|
2019-08-20 12:51:25 -07:00
|
|
|
ps := policyctr.PolicyStat{}
|
|
|
|
|
ps.PolicyName = policyName
|
2019-08-23 18:34:23 -07:00
|
|
|
ps.Stats.ValidationExecutionTime = policyResponse.ProcessingTime
|
|
|
|
|
ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
|
2019-09-03 17:43:36 -07:00
|
|
|
// capture rule level stats
|
|
|
|
|
for _, rule := range policyResponse.Rules {
|
|
|
|
|
rs := policyctr.RuleStatinfo{}
|
|
|
|
|
rs.RuleName = rule.Name
|
|
|
|
|
rs.ExecutionTime = rule.RuleStats.ProcessingTime
|
|
|
|
|
if rule.Success {
|
|
|
|
|
rs.RuleAppliedCount++
|
|
|
|
|
} else {
|
|
|
|
|
rs.RulesFailedCount++
|
|
|
|
|
}
|
|
|
|
|
ps.Stats.Rules = append(ps.Stats.Rules, rs)
|
|
|
|
|
}
|
2019-08-20 12:51:25 -07:00
|
|
|
policyStats = append(policyStats, ps)
|
|
|
|
|
}
|
|
|
|
|
// send stats for aggregation
|
|
|
|
|
sendStat := func(blocked bool) {
|
|
|
|
|
for _, stat := range policyStats {
|
2019-08-20 16:40:20 -07:00
|
|
|
stat.Stats.ResourceBlocked = utils.Btoi(blocked)
|
2019-08-20 12:51:25 -07:00
|
|
|
//SEND
|
|
|
|
|
ws.policyStatus.SendStat(stat)
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-07-23 17:54:31 -07:00
|
|
|
|
2019-08-23 18:34:23 -07:00
|
|
|
resourceRaw := request.Object.Raw
|
|
|
|
|
if patchedResource != nil {
|
|
|
|
|
glog.V(4).Info("using patched resource from mutation to process validation rules")
|
|
|
|
|
resourceRaw = patchedResource
|
|
|
|
|
}
|
|
|
|
|
// convert RAW to unstructured
|
|
|
|
|
resource, err := engine.ConvertToUnstructured(resourceRaw)
|
|
|
|
|
if err != nil {
|
|
|
|
|
//TODO: skip applying the amiddions control ?
|
|
|
|
|
glog.Errorf("unable to convert raw resource to unstructured: %v", err)
|
|
|
|
|
return true, ""
|
|
|
|
|
}
|
|
|
|
|
//TODO: check if resource gvk is available in raw resource,
|
|
|
|
|
// if not then set it from the api request
|
|
|
|
|
resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})
|
2019-10-15 20:56:41 -07:00
|
|
|
|
|
|
|
|
//TODO: check if the name is also passed right in the resource?
|
2019-08-23 18:34:23 -07:00
|
|
|
// all the patches to be applied on the resource
|
2019-10-15 20:56:41 -07:00
|
|
|
// explictly set resource namespace with request namespace
|
|
|
|
|
// resource namespace is empty for the first CREATE operation
|
|
|
|
|
resource.SetNamespace(request.Namespace)
|
2019-07-21 14:13:00 -07:00
|
|
|
|
2019-08-09 16:55:43 -07:00
|
|
|
policies, err := ws.pLister.List(labels.NewSelector())
|
2019-07-15 16:07:56 -07:00
|
|
|
if err != nil {
|
2019-08-09 13:41:56 -07:00
|
|
|
//TODO check if the CRD is created ?
|
2019-07-15 16:07:56 -07:00
|
|
|
// Unable to connect to policy Lister to access policies
|
|
|
|
|
glog.Error("Unable to connect to policy controller to access policies. Validation Rules are NOT being applied")
|
|
|
|
|
glog.Warning(err)
|
2019-08-23 18:34:23 -07:00
|
|
|
return true, ""
|
2019-07-15 16:07:56 -07:00
|
|
|
}
|
2019-07-17 23:13:28 -07:00
|
|
|
|
2019-10-08 10:57:24 -07:00
|
|
|
var engineResponses []engine.EngineResponse
|
2019-07-15 16:07:56 -07:00
|
|
|
for _, policy := range policies {
|
|
|
|
|
|
2019-09-12 17:11:55 -07:00
|
|
|
if !utils.ContainsString(getApplicableKindsForPolicy(policy), request.Kind.Kind) {
|
2019-07-15 16:07:56 -07:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-23 23:18:58 -07:00
|
|
|
glog.V(2).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
2019-08-09 13:41:56 -07:00
|
|
|
resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation)
|
|
|
|
|
|
2019-09-03 15:48:13 -07:00
|
|
|
engineResponse := engine.Validate(*policy, *resource)
|
2019-08-23 18:34:23 -07:00
|
|
|
engineResponses = append(engineResponses, engineResponse)
|
|
|
|
|
// Gather policy application statistics
|
|
|
|
|
gatherStat(policy.Name, engineResponse.PolicyResponse)
|
|
|
|
|
if !engineResponse.IsSuccesful() {
|
|
|
|
|
glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName())
|
2019-07-15 16:07:56 -07:00
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-08-09 13:41:56 -07:00
|
|
|
// ADD EVENTS
|
2019-08-26 13:34:42 -07:00
|
|
|
events := generateEvents(engineResponses, (request.Operation == v1beta1.Update))
|
|
|
|
|
ws.eventGen.Add(events...)
|
2019-08-09 16:55:43 -07:00
|
|
|
|
2019-07-15 16:07:56 -07:00
|
|
|
// If Validation fails then reject the request
|
2019-10-15 20:56:41 -07:00
|
|
|
// violations are created with resource owner(if exist) on "enforce"
|
2019-08-02 11:18:02 -07:00
|
|
|
// and if there are any then we dont block the resource creation
|
2019-07-15 19:14:42 -07:00
|
|
|
// Even if one the policy being applied
|
2019-08-23 18:34:23 -07:00
|
|
|
if !isResponseSuccesful(engineResponses) && toBlockResource(engineResponses) {
|
2019-10-24 15:50:11 -07:00
|
|
|
policyviolation.CreatePVWhenBlocked(ws.pvLister, ws.kyvernoClient, ws.client, engineResponses)
|
2019-08-20 12:51:25 -07:00
|
|
|
sendStat(true)
|
2019-08-23 18:34:23 -07:00
|
|
|
return false, getErrorMsg(engineResponses)
|
2019-07-15 16:07:56 -07:00
|
|
|
}
|
|
|
|
|
|
2019-08-09 19:12:50 -07:00
|
|
|
// ADD POLICY VIOLATIONS
|
2019-10-15 20:56:41 -07:00
|
|
|
// violations are created with resource on "audit"
|
2019-10-24 15:50:11 -07:00
|
|
|
policyviolation.CreatePV(ws.pvLister, ws.kyvernoClient, engineResponses)
|
2019-08-20 12:51:25 -07:00
|
|
|
sendStat(false)
|
2019-08-23 18:34:23 -07:00
|
|
|
return true, ""
|
2019-07-15 16:07:56 -07:00
|
|
|
}
|
