2019-06-18 11:47:45 -07:00
|
|
|
package webhooks
|
|
|
|
|
|
|
|
|
|
import (
|
2019-07-15 16:07:56 -07:00
|
|
|
"fmt"
|
2019-06-18 11:47:45 -07:00
|
|
|
"strings"
|
2019-06-19 14:05:23 -07:00
|
|
|
|
2019-07-19 12:47:20 -07:00
|
|
|
"github.com/golang/glog"
|
2019-08-09 16:55:43 -07:00
|
|
|
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
|
2019-07-15 16:07:56 -07:00
|
|
|
"github.com/nirmata/kyverno/pkg/info"
|
2019-06-18 11:47:45 -07:00
|
|
|
)
|
|
|
|
|
|
2019-07-15 16:07:56 -07:00
|
|
|
const policyKind = "Policy"
|
|
|
|
|
|
2019-08-09 16:55:43 -07:00
|
|
|
func isAdmSuccesful(policyInfos []info.PolicyInfo) (bool, string) {
|
2019-07-15 16:07:56 -07:00
|
|
|
var admSuccess = true
|
|
|
|
|
var errMsgs []string
|
|
|
|
|
for _, pi := range policyInfos {
|
|
|
|
|
if !pi.IsSuccessful() {
|
|
|
|
|
admSuccess = false
|
|
|
|
|
errMsgs = append(errMsgs, fmt.Sprintf("\nPolicy %s failed with following rules", pi.Name))
|
|
|
|
|
// Get the error rules
|
|
|
|
|
errorRules := pi.ErrorRules()
|
|
|
|
|
errMsgs = append(errMsgs, errorRules)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return admSuccess, strings.Join(errMsgs, ";")
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-23 00:55:45 -04:00
|
|
|
//ArrayFlags to store filterkinds
|
2019-06-18 11:47:45 -07:00
|
|
|
type ArrayFlags []string
|
|
|
|
|
|
|
|
|
|
func (i *ArrayFlags) String() string {
|
|
|
|
|
var sb strings.Builder
|
|
|
|
|
for _, str := range *i {
|
|
|
|
|
sb.WriteString(str)
|
|
|
|
|
}
|
|
|
|
|
return sb.String()
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-23 00:55:45 -04:00
|
|
|
//Set setter for array flags
|
2019-06-18 11:47:45 -07:00
|
|
|
func (i *ArrayFlags) Set(value string) error {
|
|
|
|
|
*i = append(*i, value)
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2019-06-19 14:05:23 -07:00
|
|
|
|
|
|
|
|
// extract the kinds that the policy rules apply to
|
2019-08-09 16:55:43 -07:00
|
|
|
func getApplicableKindsForPolicy(p *kyverno.Policy) []string {
|
2019-06-19 14:05:23 -07:00
|
|
|
kindsMap := map[string]interface{}{}
|
|
|
|
|
kinds := []string{}
|
|
|
|
|
// iterate over the rules an identify all kinds
|
2019-07-23 23:34:03 -04:00
|
|
|
// Matching
|
2019-06-19 14:05:23 -07:00
|
|
|
for _, rule := range p.Spec.Rules {
|
2019-07-23 23:34:03 -04:00
|
|
|
for _, k := range rule.MatchResources.Kinds {
|
2019-06-19 14:05:23 -07:00
|
|
|
kindsMap[k] = nil
|
|
|
|
|
}
|
2019-07-23 23:34:03 -04:00
|
|
|
// remove excluded ones
|
|
|
|
|
for _, k := range rule.ExcludeResources.Kinds {
|
|
|
|
|
if _, ok := kindsMap[k]; ok {
|
|
|
|
|
// delete kind
|
|
|
|
|
delete(kindsMap, k)
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-06-19 14:05:23 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// get the kinds
|
|
|
|
|
for k := range kindsMap {
|
|
|
|
|
kinds = append(kinds, k)
|
|
|
|
|
}
|
|
|
|
|
return kinds
|
|
|
|
|
}
|
2019-07-15 19:14:42 -07:00
|
|
|
|
|
|
|
|
// Policy Reporting Modes
|
|
|
|
|
const (
|
2019-07-23 18:29:44 -04:00
|
|
|
BlockChanges = "enforce"
|
|
|
|
|
ReportViolation = "audit"
|
2019-07-15 19:14:42 -07:00
|
|
|
)
|
2019-07-16 15:53:14 -07:00
|
|
|
|
2019-07-18 10:22:20 -07:00
|
|
|
// returns true -> if there is even one policy that blocks resource requst
|
|
|
|
|
// returns false -> if all the policies are meant to report only, we dont block resource request
|
2019-08-09 16:55:43 -07:00
|
|
|
func toBlock(pis []info.PolicyInfo) bool {
|
2019-07-16 15:53:14 -07:00
|
|
|
for _, pi := range pis {
|
|
|
|
|
if pi.ValidationFailureAction != ReportViolation {
|
2019-08-14 11:51:01 -07:00
|
|
|
glog.V(3).Infoln("ValidationFailureAction set to enforce, blocking resource ceation")
|
2019-07-16 15:53:14 -07:00
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-08-14 11:51:01 -07:00
|
|
|
glog.V(3).Infoln("ValidationFailureAction set to audit, allowing resource creation, reporting with violation")
|
2019-07-16 15:53:14 -07:00
|
|
|
return false
|
|
|
|
|
}
|
