kyverno/pkg/webhooks/handlers/protect.go

package handlers

import (
	"context"
	"errors"
	"fmt"
	"time"

	"github.com/go-logr/logr"
	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
	"github.com/kyverno/kyverno/pkg/config"
	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
	admissionv1 "k8s.io/api/admission/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)

const namespaceControllerUsername = "system:serviceaccount:kube-system:namespace-controller"

var kyvernoUsername = fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName())

func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {
	if !enabled {
		return inner
	}
	return inner.withProtection().WithTrace("PROTECT")
}

func (inner AdmissionHandler) withProtection() AdmissionHandler {
	return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {
		// Allows deletion of namespace containing managed resources
		if request.Operation == admissionv1.Delete && request.UserInfo.Username == namespaceControllerUsername {
			return inner(ctx, logger, request, startTime)
		}
		newResource, oldResource, err := admissionutils.ExtractResources(nil, request.AdmissionRequest)
		if err != nil {
			logger.Error(err, "failed to extract resources")
			return admissionutils.Response(request.UID, err)
		}
		for _, resource := range []unstructured.Unstructured{newResource, oldResource} {
			resLabels := resource.GetLabels()
			if resLabels[kyvernov1.LabelAppManagedBy] == kyvernov1.ValueKyvernoApp {
				if request.UserInfo.Username != kyvernoUsername {
					logger.V(2).Info("access to the resource not authorized, this is a kyverno managed resource and should be altered only by kyverno")
					return admissionutils.Response(request.UID, errors.New("A kyverno managed resource can only be modified by kyverno"))
				}
			}
		}
		return inner(ctx, logger, request, startTime)
	}
}
refactor: move all middlewares in handlers sub package (#5244) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-07 15:53:40 +01:00			`package handlers`

			`import (`
refactor: propagate context through admission handlers (#5392) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-17 16:17:52 +01:00			`"context"`
refactor: admission response utils (#5234) - refactor: admission response utils - unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-08 10:35:08 +01:00			`"errors"`
refactor: move all middlewares in handlers sub package (#5244) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-07 15:53:40 +01:00			`"fmt"`
			`"time"`

			`"github.com/go-logr/logr"`
			`kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"`
			`"github.com/kyverno/kyverno/pkg/config"`
			`admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"`
			`admissionv1 "k8s.io/api/admission/v1"`
			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
			`)`

fix: allow deletion of namespace containing managed resources (#6098) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-24 18:07:27 +01:00			`const namespaceControllerUsername = "system:serviceaccount:kube-system:namespace-controller"`

refactor: resolve roles/cluster roles/top level GVK earlier in the admission chain (#6775) * refactor: remove more admission request pointers Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: resolve roles/cluster roles earlier in the admission chain Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * enrich Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * enrich Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-04-04 12:23:20 +02:00			`var kyvernoUsername = fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName())`

feat: improve handlers tracing code (#5442) * feat: improve handlers tracing code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-23 07:50:55 +01:00			`func (inner AdmissionHandler) WithProtection(enabled bool) AdmissionHandler {`
refactor: admission metrics (counter and latency) (#5245) * refactor: move all middlewares in handlers sub package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: admission metrics (counter and latency) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * builder Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-09 11:52:20 +01:00			`if !enabled {`
feat: improve handlers tracing code (#5442) * feat: improve handlers tracing code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-23 07:50:55 +01:00			`return inner`
refactor: admission metrics (counter and latency) (#5245) * refactor: move all middlewares in handlers sub package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: admission metrics (counter and latency) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * builder Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-09 11:52:20 +01:00			`}`
feat: improve handlers tracing code (#5442) * feat: improve handlers tracing code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-23 07:50:55 +01:00			`return inner.withProtection().WithTrace("PROTECT")`
refactor: admission metrics (counter and latency) (#5245) * refactor: move all middlewares in handlers sub package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: admission metrics (counter and latency) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * builder Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-09 11:52:20 +01:00			`}`

feat: improve handlers tracing code (#5442) * feat: improve handlers tracing code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-23 07:50:55 +01:00			`func (inner AdmissionHandler) withProtection() AdmissionHandler {`
refactor: remove more admission request pointers (#6774) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-04-04 07:11:18 +02:00			`return func(ctx context.Context, logger logr.Logger, request AdmissionRequest, startTime time.Time) AdmissionResponse {`
fix: allow deletion of namespace containing managed resources (#6098) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-24 18:07:27 +01:00			`// Allows deletion of namespace containing managed resources`
			`if request.Operation == admissionv1.Delete && request.UserInfo.Username == namespaceControllerUsername {`
			`return inner(ctx, logger, request, startTime)`
			`}`
refactor: remove more admission request pointers (#6774) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-04-04 07:11:18 +02:00			`newResource, oldResource, err := admissionutils.ExtractResources(nil, request.AdmissionRequest)`
feat: improve handlers tracing code (#5442) * feat: improve handlers tracing code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-23 07:50:55 +01:00			`if err != nil {`
fix: add logs in webhook middlewares (#6797) 2023-04-06 16:28:13 +02:00			`logger.Error(err, "failed to extract resources")`
feat: use admission review v1 (#5464) * feat: use admission review v1 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * patch type Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> 2022-11-30 16:37:42 +01:00			`return admissionutils.Response(request.UID, err)`
feat: improve handlers tracing code (#5442) * feat: improve handlers tracing code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-23 07:50:55 +01:00			`}`
			`for _, resource := range []unstructured.Unstructured{newResource, oldResource} {`
			`resLabels := resource.GetLabels()`
			`if resLabels[kyvernov1.LabelAppManagedBy] == kyvernov1.ValueKyvernoApp {`
refactor: resolve roles/cluster roles/top level GVK earlier in the admission chain (#6775) * refactor: remove more admission request pointers Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * refactor: resolve roles/cluster roles earlier in the admission chain Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * enrich Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * enrich Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-04-04 12:23:20 +02:00			`if request.UserInfo.Username != kyvernoUsername {`
fix: add logs in webhook middlewares (#6797) 2023-04-06 16:28:13 +02:00			`logger.V(2).Info("access to the resource not authorized, this is a kyverno managed resource and should be altered only by kyverno")`
feat: use admission review v1 (#5464) * feat: use admission review v1 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * patch type Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> 2022-11-30 16:37:42 +01:00			`return admissionutils.Response(request.UID, errors.New("A kyverno managed resource can only be modified by kyverno"))`
refactor: move all middlewares in handlers sub package (#5244) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-07 15:53:40 +01:00			`}`
feat: improve handlers tracing code (#5442) * feat: improve handlers tracing code Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-23 07:50:55 +01:00			`}`
			`}`
			`return inner(ctx, logger, request, startTime)`
refactor: move all middlewares in handlers sub package (#5244) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-07 15:53:40 +01:00			`}`
			`}`