kyverno/pkg/webhooks/resource/utils.go

package resource

import (
	"context"
	"errors"

	"github.com/go-logr/logr"
	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
	"github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
	admissionv1 "k8s.io/api/admission/v1"
	"k8s.io/apimachinery/pkg/types"
)

type updateRequestResponse struct {
	ur  kyvernov1beta1.UpdateRequestSpec
	err error
}

func errorResponse(logger logr.Logger, uid types.UID, err error, message string) *admissionv1.AdmissionResponse {
	logger.Error(err, message)
	return admissionutils.Response(uid, errors.New(message+": "+err.Error()))
}

func patchRequest(patches []byte, request *admissionv1.AdmissionRequest, logger logr.Logger) *admissionv1.AdmissionRequest {
	patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)
	newRequest := request.DeepCopy()
	newRequest.Object.Raw = patchedResource
	return newRequest
}

func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {
	if patch == nil {
		return resource
	}
	resource, err := engineutils.ApplyPatchNew(resource, patch)
	if err != nil {
		log.Error(err, "failed to patch resource:", "patch", string(patch), "resource", string(resource))
		return nil
	}
	log.V(6).Info("", "patchedResource", string(resource))
	return resource
}

func applyUpdateRequest(
	ctx context.Context,
	request *admissionv1.AdmissionRequest,
	ruleType kyvernov1beta1.RequestType,
	grGenerator updaterequest.Generator,
	userRequestInfo kyvernov1beta1.RequestInfo,
	action admissionv1.Operation,
	engineResponses ...*engineapi.EngineResponse,
) (failedUpdateRequest []updateRequestResponse) {
	admissionRequestInfo := kyvernov1beta1.AdmissionRequestInfoObject{
		AdmissionRequest: request,
		Operation:        action,
	}

	for _, er := range engineResponses {
		ur := transform(admissionRequestInfo, userRequestInfo, er, ruleType)
		if err := grGenerator.Apply(ctx, ur, action); err != nil {
			failedUpdateRequest = append(failedUpdateRequest, updateRequestResponse{ur: ur, err: err})
		}
	}

	return
}

func transform(admissionRequestInfo kyvernov1beta1.AdmissionRequestInfoObject, userRequestInfo kyvernov1beta1.RequestInfo, er *engineapi.EngineResponse, ruleType kyvernov1beta1.RequestType) kyvernov1beta1.UpdateRequestSpec {
	var PolicyNameNamespaceKey string
	if er.PolicyResponse.Policy.Namespace != "" {
		PolicyNameNamespaceKey = er.PolicyResponse.Policy.Namespace + "/" + er.PolicyResponse.Policy.Name
	} else {
		PolicyNameNamespaceKey = er.PolicyResponse.Policy.Name
	}

	ur := kyvernov1beta1.UpdateRequestSpec{
		Type:   ruleType,
		Policy: PolicyNameNamespaceKey,
		Resource: kyvernov1.ResourceSpec{
			Kind:       er.PolicyResponse.Resource.Kind,
			Namespace:  er.PolicyResponse.Resource.Namespace,
			Name:       er.PolicyResponse.Resource.Name,
			APIVersion: er.PolicyResponse.Resource.APIVersion,
		},
		Context: kyvernov1beta1.UpdateRequestSpecContext{
			UserRequestInfo:      userRequestInfo,
			AdmissionRequestInfo: admissionRequestInfo,
		},
	}

	return ur
}
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`package resource`

			`import (`
feat: propagate context through engine (#5639) * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-12-09 14:45:11 +01:00			`"context"`
refactor: admission response utils (#5234) - refactor: admission response utils - unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-08 10:35:08 +01:00			`"errors"`

refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`"github.com/go-logr/logr"`
			`kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"`
			`kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"`
refactor: introduce engine api package (#6154) * refactor: introduce engine api package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * status Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-30 12:41:09 +01:00			`engineapi "github.com/kyverno/kyverno/pkg/engine/api"`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`engineutils "github.com/kyverno/kyverno/pkg/engine/utils"`
			`admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"`
			`"github.com/kyverno/kyverno/pkg/webhooks/updaterequest"`
			`admissionv1 "k8s.io/api/admission/v1"`
feat: use admission review v1 (#5464) * feat: use admission review v1 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * patch type Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> 2022-11-30 16:37:42 +01:00			`"k8s.io/apimachinery/pkg/types"`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`)`

			`type updateRequestResponse struct {`
			`ur kyvernov1beta1.UpdateRequestSpec`
			`err error`
			`}`

feat: use admission review v1 (#5464) * feat: use admission review v1 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * patch type Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> 2022-11-30 16:37:42 +01:00			`func errorResponse(logger logr.Logger, uid types.UID, err error, message string) *admissionv1.AdmissionResponse {`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`logger.Error(err, message)`
feat: use admission review v1 (#5464) * feat: use admission review v1 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * logs Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * patch type Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> 2022-11-30 16:37:42 +01:00			`return admissionutils.Response(uid, errors.New(message+": "+err.Error()))`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`}`

			`func patchRequest(patches []byte, request admissionv1.AdmissionRequest, logger logr.Logger) admissionv1.AdmissionRequest {`
			`patchedResource := processResourceWithPatches(patches, request.Object.Raw, logger)`
			`newRequest := request.DeepCopy()`
			`newRequest.Object.Raw = patchedResource`
			`return newRequest`
			`}`

			`func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte {`
			`if patch == nil {`
			`return resource`
			`}`
			`resource, err := engineutils.ApplyPatchNew(resource, patch)`
			`if err != nil {`
			`log.Error(err, "failed to patch resource:", "patch", string(patch), "resource", string(resource))`
			`return nil`
			`}`
			`log.V(6).Info("", "patchedResource", string(resource))`
			`return resource`
			`}`

feat: propagate context through engine (#5639) * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-12-09 14:45:11 +01:00			`func applyUpdateRequest(`
			`ctx context.Context,`
			`request *admissionv1.AdmissionRequest,`
			`ruleType kyvernov1beta1.RequestType,`
			`grGenerator updaterequest.Generator,`
			`userRequestInfo kyvernov1beta1.RequestInfo,`
			`action admissionv1.Operation,`
refactor: introduce engine api package (#6154) * refactor: introduce engine api package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * status Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-30 12:41:09 +01:00			`engineResponses ...*engineapi.EngineResponse,`
chore: enable gofmt and gofumpt linters (#3931) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 08:19:03 +02:00			`) (failedUpdateRequest []updateRequestResponse) {`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`admissionRequestInfo := kyvernov1beta1.AdmissionRequestInfoObject{`
refactor: used typed admission request in ur (#4022) * refactor: add policy event listener in ur controller (#4012) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> (cherry picked from commit cd1fa030eefb33e45c10700c9d581a94d7c99db3) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: used typed admission request in ur Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: used typed admission request in ur Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * Handle the error properly Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: ShutingZhao <shuting@nirmata.com> 2022-05-29 09:27:14 +02:00			`AdmissionRequest: request,`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`Operation: action,`
			`}`

			`for _, er := range engineResponses {`
			`ur := transform(admissionRequestInfo, userRequestInfo, er, ruleType)`
feat: propagate context through engine (#5639) * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: propagate context through engine Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-12-09 14:45:11 +01:00			`if err := grGenerator.Apply(ctx, ur, action); err != nil {`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`failedUpdateRequest = append(failedUpdateRequest, updateRequestResponse{ur: ur, err: err})`
			`}`
			`}`

			`return`
			`}`

refactor: introduce engine api package (#6154) * refactor: introduce engine api package Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * status Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-30 12:41:09 +01:00			`func transform(admissionRequestInfo kyvernov1beta1.AdmissionRequestInfoObject, userRequestInfo kyvernov1beta1.RequestInfo, er *engineapi.EngineResponse, ruleType kyvernov1beta1.RequestType) kyvernov1beta1.UpdateRequestSpec {`
refactor: separate resource mutation/validation handlers from server (#3908) * refactor: webhooks server logger Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: separate policy mutation/validation handlers from server Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * separate resource mutation from server code Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-16 16:36:21 +02:00			`var PolicyNameNamespaceKey string`
			`if er.PolicyResponse.Policy.Namespace != "" {`
			`PolicyNameNamespaceKey = er.PolicyResponse.Policy.Namespace + "/" + er.PolicyResponse.Policy.Name`
			`} else {`
			`PolicyNameNamespaceKey = er.PolicyResponse.Policy.Name`
			`}`

			`ur := kyvernov1beta1.UpdateRequestSpec{`
			`Type: ruleType,`
			`Policy: PolicyNameNamespaceKey,`
			`Resource: kyvernov1.ResourceSpec{`
			`Kind: er.PolicyResponse.Resource.Kind,`
			`Namespace: er.PolicyResponse.Resource.Namespace,`
			`Name: er.PolicyResponse.Resource.Name,`
			`APIVersion: er.PolicyResponse.Resource.APIVersion,`
			`},`
			`Context: kyvernov1beta1.UpdateRequestSpecContext{`
			`UserRequestInfo: userRequestInfo,`
			`AdmissionRequestInfo: admissionRequestInfo,`
			`},`
			`}`

			`return ur`
			`}`