From 54a4080accc522e484d82996908fd3ef73089a1f Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Thu, 20 Feb 2020 11:31:03 -0800 Subject: [PATCH 1/4] update doc --- documentation/installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/installation.md b/documentation/installation.md index b80317ab3e..1e59e13a5c 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -124,7 +124,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: kyvernoRoleGenerate # clusterRole defined above, to manage generated resources + name: kyverno:generatecontroller # clusterRole defined above, to manage generated resources subjects: - kind: ServiceAccount name: kyverno-service-account # default kyverno serviceAccount From 9b38289a845990810112b5fb1e0930375d29cd58 Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Thu, 20 Feb 2020 15:09:20 -0800 Subject: [PATCH 2/4] remove openapi validation(manual revert) --- cmd/kyverno/main.go | 20 --- pkg/openapi/helper.go | 5 - pkg/openapi/validation.go | 270 --------------------------------- pkg/openapi/validation_test.go | 65 -------- pkg/policy/validate.go | 6 - pkg/webhooks/mutation.go | 6 - 6 files changed, 372 deletions(-) delete mode 100644 pkg/openapi/helper.go delete mode 100644 pkg/openapi/validation.go delete mode 100644 pkg/openapi/validation_test.go diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index b8768ba0f1..62cefceeb9 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -5,10 +5,6 @@ import ( "flag" "time" - "github.com/nirmata/kyverno/pkg/openapi" - - "k8s.io/client-go/discovery" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/checker" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" @@ -204,22 +200,6 @@ func main() { glog.Fatalf("Failed registering Admission Webhooks: %v\n", err) } - // OpenAPI document - // Getting openApi document from kubernetes and overriding default openapi document - restClient, err := discovery.NewDiscoveryClientForConfig(clientConfig) - if err != nil { - glog.Fatalf("Could not get rest client to get openApi doc: %v\n", err) - } - - openApiDoc, err := restClient.RESTClient().Get().RequestURI("/openapi/v2").Do().Raw() - if err != nil { - glog.Fatalf("OpenApiDoc request failed: %v\n", err) - } - - if err := openapi.UseCustomOpenApiDocument(openApiDoc); err != nil { - glog.Fatalf("Could not set custom OpenApi document: %v\n", err) - } - // WEBHOOOK // - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration // - reports the results based on the response from the policy engine: diff --git a/pkg/openapi/helper.go b/pkg/openapi/helper.go deleted file mode 100644 index b04978afb5..0000000000 --- a/pkg/openapi/helper.go +++ /dev/null @@ -1,5 +0,0 @@ -package openapi - -func GetDefinitionNameFromKind(kind string) string { - return openApiGlobalState.kindToDefinitionName[kind] -} diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go deleted file mode 100644 index 0b941720ee..0000000000 --- a/pkg/openapi/validation.go +++ /dev/null @@ -1,270 +0,0 @@ -package openapi - -import ( - "fmt" - "strconv" - "strings" - "sync" - - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - "github.com/nirmata/kyverno/data" - - "github.com/golang/glog" - - "github.com/nirmata/kyverno/pkg/engine" - "github.com/nirmata/kyverno/pkg/engine/context" - - v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - - openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2" - "github.com/googleapis/gnostic/compiler" - "k8s.io/kube-openapi/pkg/util/proto" - "k8s.io/kube-openapi/pkg/util/proto/validation" - - "gopkg.in/yaml.v2" -) - -var openApiGlobalState struct { - document *openapi_v2.Document - definitions map[string]*openapi_v2.Schema - kindToDefinitionName map[string]string - models proto.Models - isSet bool -} - -func init() { - err := setValidationGlobalState() - if err != nil { - panic(err) - } -} - -func UseCustomOpenApiDocument(customDoc []byte) error { - var spec yaml.MapSlice - err := yaml.Unmarshal(customDoc, &spec) - if err != nil { - return err - } - - openApiGlobalState.document, err = openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil)) - if err != nil { - return err - } - - openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema) - openApiGlobalState.kindToDefinitionName = make(map[string]string) - for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties { - openApiGlobalState.definitions[definition.GetName()] = definition.GetValue() - path := strings.Split(definition.GetName(), ".") - openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName() - } - - openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document) - if err != nil { - return err - } - - openApiGlobalState.isSet = true - - return nil -} - -func ValidatePolicyMutation(policy v1.ClusterPolicy) error { - if !openApiGlobalState.isSet { - glog.V(4).Info("Cannot Validate policy: Validation global state not set") - return nil - } - - var kindToRules = make(map[string][]v1.Rule) - for _, rule := range policy.Spec.Rules { - if rule.HasMutate() { - rule.MatchResources = v1.MatchResources{ - UserInfo: v1.UserInfo{}, - ResourceDescription: v1.ResourceDescription{ - Kinds: rule.MatchResources.Kinds, - }, - } - rule.ExcludeResources = v1.ExcludeResources{} - for _, kind := range rule.MatchResources.Kinds { - kindToRules[kind] = append(kindToRules[kind], rule) - } - } - } - - for kind, rules := range kindToRules { - newPolicy := policy - newPolicy.Spec.Rules = rules - - resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{}) - newResource := unstructured.Unstructured{Object: resource} - newResource.SetKind(kind) - policyContext := engine.PolicyContext{ - Policy: newPolicy, - NewResource: newResource, - Context: context.NewContext(), - } - resp := engine.Mutate(policyContext) - if len(resp.GetSuccessRules()) != len(rules) { - var errMessages []string - for _, rule := range resp.PolicyResponse.Rules { - if !rule.Success { - errMessages = append(errMessages, fmt.Sprintf("Invalid rule : %v, %v", rule.Name, rule.Message)) - } - } - return fmt.Errorf(strings.Join(errMessages, "\n")) - } - err := ValidateResource(resp.PatchedResource.UnstructuredContent(), kind) - if err != nil { - return err - } - } - - return nil -} - -func ValidateResource(patchedResource interface{}, kind string) error { - if !openApiGlobalState.isSet { - glog.V(4).Info("Cannot Validate resource: Validation global state not set") - return nil - } - - kind = openApiGlobalState.kindToDefinitionName[kind] - - schema := openApiGlobalState.models.LookupModel(kind) - if schema == nil { - return fmt.Errorf("pre-validation: couldn't find model %s", kind) - } - - if errs := validation.ValidateModel(patchedResource, schema, kind); len(errs) > 0 { - var errorMessages []string - for i := range errs { - errorMessages = append(errorMessages, errs[i].Error()) - } - - return fmt.Errorf(strings.Join(errorMessages, "\n\n")) - } - - return nil -} - -func setValidationGlobalState() error { - if !openApiGlobalState.isSet { - var err error - openApiGlobalState.document, err = getSchemaDocument() - if err != nil { - return err - } - - openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema) - openApiGlobalState.kindToDefinitionName = make(map[string]string) - for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties { - openApiGlobalState.definitions[definition.GetName()] = definition.GetValue() - path := strings.Split(definition.GetName(), ".") - openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName() - } - - for _, path := range openApiGlobalState.document.GetPaths().GetPath() { - path.GetName() - } - - openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document) - if err != nil { - return err - } - - openApiGlobalState.isSet = true - } - return nil -} - -func getSchemaDocument() (*openapi_v2.Document, error) { - var spec yaml.MapSlice - err := yaml.Unmarshal([]byte(data.SwaggerDoc), &spec) - if err != nil { - return nil, err - } - - return openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil)) -} - -func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} { - - types := kindSchema.GetType().GetValue() - - if kindSchema.GetXRef() != "" { - return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")]) - } - - if len(types) != 1 { - return nil - } - - switch types[0] { - case "object": - var props = make(map[string]interface{}) - properties := kindSchema.GetProperties().GetAdditionalProperties() - if len(properties) == 0 { - return props - } - - var wg sync.WaitGroup - var mutex sync.Mutex - wg.Add(len(properties)) - for _, property := range properties { - go func(property *openapi_v2.NamedSchema) { - prop := generateEmptyResource(property.GetValue()) - mutex.Lock() - props[property.GetName()] = prop - mutex.Unlock() - wg.Done() - }(property) - } - wg.Wait() - return props - case "array": - var array []interface{} - for _, schema := range kindSchema.GetItems().GetSchema() { - array = append(array, generateEmptyResource(schema)) - } - return array - case "string": - if kindSchema.GetDefault() != nil { - return string(kindSchema.GetDefault().Value.Value) - } - if kindSchema.GetExample() != nil { - return string(kindSchema.GetExample().GetValue().Value) - } - return "" - case "integer": - if kindSchema.GetDefault() != nil { - val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value)) - return int64(val) - } - if kindSchema.GetExample() != nil { - val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value)) - return int64(val) - } - return int64(0) - case "number": - if kindSchema.GetDefault() != nil { - val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value)) - return int64(val) - } - if kindSchema.GetExample() != nil { - val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value)) - return int64(val) - } - return int64(0) - case "boolean": - if kindSchema.GetDefault() != nil { - return string(kindSchema.GetDefault().Value.Value) == "true" - } - if kindSchema.GetExample() != nil { - return string(kindSchema.GetExample().GetValue().Value) == "true" - } - return false - } - - return nil -} diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go deleted file mode 100644 index 4c6c8ac2a6..0000000000 --- a/pkg/openapi/validation_test.go +++ /dev/null @@ -1,65 +0,0 @@ -package openapi - -import ( - "encoding/json" - "testing" - - v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" -) - -func Test_ValidateMutationPolicy(t *testing.T) { - err := setValidationGlobalState() - if err != nil { - t.Fatalf("Could not set global state") - } - - tcs := []struct { - description string - policy []byte - errMessage string - }{ - { - description: "Policy with mutating imagePullPolicy Overlay", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"Always"}]}}}}]}}`), - }, - { - description: "Policy with mutating imagePullPolicy Overlay, field does not exist", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","nonExistantField":"Always"}]}}}}]}}`), - errMessage: `ValidationError(io.k8s.api.core.v1.Pod.spec.containers[0]): unknown field "nonExistantField" in io.k8s.api.core.v1.Container`, - }, - { - description: "Policy with mutating imagePullPolicy Overlay, type of value is different (does not throw error since all numbers are also strings according to swagger)", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":80}]}}}}]}}`), - }, - { - description: "Policy with patches", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"policy-endpoints"},"spec":{"rules":[{"name":"pEP","match":{"resources":{"kinds":["Endpoints"],"selector":{"matchLabels":{"label":"test"}}}},"mutate":{"patches":[{"path":"/subsets/0/ports/0/port","op":"replace","value":9663},{"path":"/metadata/labels/isMutated","op":"add","value":"true"}]}}]}}`), - }, - { - description: "Policy with patches, value converted from number to string", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"policy-endpoints"},"spec":{"rules":[{"name":"pEP","match":{"resources":{"kinds":["Endpoints"],"selector":{"matchLabels":{"label":"test"}}}},"mutate":{"patches":[{"path":"/subsets/0/ports/0/port","op":"replace","value":"9663"},{"path":"/metadata/labels/isMutated","op":"add","value":"true"}]}}]}}`), - errMessage: `ValidationError(io.k8s.api.core.v1.Endpoints.subsets[0].ports[0].port): invalid type for io.k8s.api.core.v1.EndpointPort.port: got "string", expected "integer"`, - }, - { - description: "Policy where boolean is been converted to number", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"mutate-pod-disable-automoutingapicred"},"spec":{"rules":[{"name":"pod-disable-automoutingapicred","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"(serviceAccountName)":"*","automountServiceAccountToken":80}}}}]}}`), - errMessage: `ValidationError(io.k8s.api.core.v1.Pod.spec.automountServiceAccountToken): invalid type for io.k8s.api.core.v1.PodSpec.automountServiceAccountToken: got "integer", expected "boolean"`, - }, - } - - for i, tc := range tcs { - policy := v1.ClusterPolicy{} - _ = json.Unmarshal(tc.policy, &policy) - - var errMessage string - err := ValidatePolicyMutation(policy) - if err != nil { - errMessage = err.Error() - } - - if errMessage != tc.errMessage { - t.Errorf("\nTestcase [%v] failed:\nExpected Error: %v\nGot Error: %v", i+1, tc.errMessage, errMessage) - } - } - -} diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index 627437c9f5..b5071a01a3 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -8,8 +8,6 @@ import ( "strconv" "strings" - "github.com/nirmata/kyverno/pkg/openapi" - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/anchor" rbacv1 "k8s.io/api/rbac/v1" @@ -73,10 +71,6 @@ func Validate(p kyverno.ClusterPolicy) error { } } - if err := openapi.ValidatePolicyMutation(p); err != nil { - return fmt.Errorf("Failed to validate policy: %v", err) - } - return nil } diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index b081f04ef0..c664c8a03f 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go @@ -9,7 +9,6 @@ import ( "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/response" engineutils "github.com/nirmata/kyverno/pkg/engine/utils" - "github.com/nirmata/kyverno/pkg/openapi" policyctr "github.com/nirmata/kyverno/pkg/policy" "github.com/nirmata/kyverno/pkg/policyviolation" "github.com/nirmata/kyverno/pkg/utils" @@ -102,11 +101,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName()) continue } - err := openapi.ValidateResource(engineResponse.PatchedResource.UnstructuredContent(), engineResponse.PatchedResource.GetKind()) - if err != nil { - glog.V(4).Infoln(err) - continue - } // gather patches patches = append(patches, engineResponse.GetPatches()...) glog.V(4).Infof("Mutation from policy %s has applied successfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName()) From 3beac273a5eebd2b3cd5a8b1b04966a08123353d Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Thu, 20 Feb 2020 15:21:07 -0800 Subject: [PATCH 3/4] add missing rbac resoruces --- definitions/install.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/definitions/install.yaml b/definitions/install.yaml index d5f607a63f..78140d7eaf 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -627,6 +627,9 @@ rules: - configmaps - resourcequotas - limitranges + - clusterroles + - rolebindings + - clusterrolebindings verbs: - create - update @@ -639,7 +642,7 @@ rules: resources: - namespaces verbs: - - watch + - watch --- apiVersion: v1 kind: ConfigMap From 14609ae7d9b2e3cc04abe29bc1530fe57ad1449b Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Thu, 20 Feb 2020 15:27:10 -0800 Subject: [PATCH 4/4] remove cli(revert changes) --- cmd/cli/kubectl-kyverno/main.go | 9 - pkg/kyverno/apply/command.go | 375 ---------------------------- pkg/kyverno/apply/helper.go | 37 --- pkg/kyverno/main.go | 50 ---- pkg/kyverno/sanitizedError/error.go | 20 -- pkg/kyverno/validate/command.go | 142 ----------- pkg/kyverno/version/command.go | 21 -- 7 files changed, 654 deletions(-) delete mode 100644 cmd/cli/kubectl-kyverno/main.go delete mode 100644 pkg/kyverno/apply/command.go delete mode 100644 pkg/kyverno/apply/helper.go delete mode 100644 pkg/kyverno/main.go delete mode 100644 pkg/kyverno/sanitizedError/error.go delete mode 100644 pkg/kyverno/validate/command.go delete mode 100644 pkg/kyverno/version/command.go diff --git a/cmd/cli/kubectl-kyverno/main.go b/cmd/cli/kubectl-kyverno/main.go deleted file mode 100644 index a5adfa5a9e..0000000000 --- a/cmd/cli/kubectl-kyverno/main.go +++ /dev/null @@ -1,9 +0,0 @@ -package main - -import ( - "github.com/nirmata/kyverno/pkg/kyverno" -) - -func main() { - kyverno.CLI() -} diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go deleted file mode 100644 index 15132caa50..0000000000 --- a/pkg/kyverno/apply/command.go +++ /dev/null @@ -1,375 +0,0 @@ -package apply - -import ( - "encoding/json" - "fmt" - "io/ioutil" - "os" - "path/filepath" - - "github.com/nirmata/kyverno/pkg/kyverno/sanitizedError" - - policy2 "github.com/nirmata/kyverno/pkg/policy" - - "github.com/golang/glog" - - "k8s.io/apimachinery/pkg/runtime/schema" - - "k8s.io/client-go/discovery" - - "k8s.io/apimachinery/pkg/util/yaml" - - "github.com/nirmata/kyverno/pkg/engine" - - engineutils "github.com/nirmata/kyverno/pkg/engine/utils" - - "k8s.io/apimachinery/pkg/runtime" - - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - "github.com/spf13/cobra" - yamlv2 "gopkg.in/yaml.v2" - "k8s.io/cli-runtime/pkg/genericclioptions" - "k8s.io/client-go/kubernetes/scheme" -) - -func Command() *cobra.Command { - var cmd *cobra.Command - var resourcePaths []string - var cluster bool - - kubernetesConfig := genericclioptions.NewConfigFlags(true) - - cmd = &cobra.Command{ - Use: "apply", - Short: "Applies policies on resources", - Example: fmt.Sprintf("To apply on a resource:\nkyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resource1 --resource=/path/to/resource2\n\nTo apply on a cluster\nkyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --cluster"), - RunE: func(cmd *cobra.Command, policyPaths []string) (err error) { - defer func() { - if err != nil { - if !sanitizedError.IsErrorSanitized(err) { - glog.V(4).Info(err) - err = fmt.Errorf("Internal error") - } - } - }() - - if len(resourcePaths) == 0 && !cluster { - return sanitizedError.New(fmt.Sprintf("Specify path to resource file or cluster name")) - } - - policies, err := getPolicies(policyPaths) - if err != nil { - if !sanitizedError.IsErrorSanitized(err) { - return sanitizedError.New("Could not parse policy paths") - } else { - return err - } - } - - for _, policy := range policies { - err := policy2.Validate(*policy) - if err != nil { - return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name)) - } - } - - var dClient discovery.CachedDiscoveryInterface - if cluster { - dClient, err = kubernetesConfig.ToDiscoveryClient() - if err != nil { - return sanitizedError.New(fmt.Errorf("Issues with kubernetes Config").Error()) - } - } - - resources, err := getResources(policies, resourcePaths, dClient) - if err != nil { - return sanitizedError.New(fmt.Errorf("Issues fetching resources").Error()) - } - - for i, policy := range policies { - for j, resource := range resources { - if !(j == 0 && i == 0) { - fmt.Printf("\n\n=======================================================================\n") - } - - err = applyPolicyOnResource(policy, resource) - if err != nil { - return sanitizedError.New(fmt.Errorf("Issues applying policy %v on resource %v", policy.Name, resource.GetName()).Error()) - } - } - } - - return nil - }, - } - - cmd.Flags().StringArrayVarP(&resourcePaths, "resource", "r", []string{}, "Path to resource files") - cmd.Flags().BoolVarP(&cluster, "cluster", "c", false, "Checks if policies should be applied to cluster in the current context") - - return cmd -} - -func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient discovery.CachedDiscoveryInterface) ([]*unstructured.Unstructured, error) { - var resources []*unstructured.Unstructured - var err error - - if dClient != nil { - var resourceTypesMap = make(map[string]bool) - var resourceTypes []string - for _, policy := range policies { - for _, rule := range policy.Spec.Rules { - for _, kind := range rule.MatchResources.Kinds { - resourceTypesMap[kind] = true - } - } - } - - for kind := range resourceTypesMap { - resourceTypes = append(resourceTypes, kind) - } - - resources, err = getResourcesOfTypeFromCluster(resourceTypes, dClient) - if err != nil { - return nil, err - } - } - - for _, resourcePath := range resourcePaths { - resource, err := getResource(resourcePath) - if err != nil { - return nil, err - } - - resources = append(resources, resource) - } - - return resources, nil -} - -func getResourcesOfTypeFromCluster(resourceTypes []string, dClient discovery.CachedDiscoveryInterface) ([]*unstructured.Unstructured, error) { - var resources []*unstructured.Unstructured - - for _, kind := range resourceTypes { - endpoint, err := getListEndpointForKind(kind) - if err != nil { - return nil, err - } - - listObjectRaw, err := dClient.RESTClient().Get().RequestURI(endpoint).Do().Raw() - if err != nil { - return nil, err - } - - listObject, err := engineutils.ConvertToUnstructured(listObjectRaw) - if err != nil { - return nil, err - } - - resourceList, err := listObject.ToList() - if err != nil { - return nil, err - } - - version := resourceList.GetAPIVersion() - for _, resource := range resourceList.Items { - resource.SetGroupVersionKind(schema.GroupVersionKind{ - Group: "", - Version: version, - Kind: kind, - }) - resources = append(resources, resource.DeepCopy()) - } - } - - return resources, nil -} - -func getPoliciesInDir(path string) ([]*v1.ClusterPolicy, error) { - var policies []*v1.ClusterPolicy - - files, err := ioutil.ReadDir(path) - if err != nil { - return nil, err - } - - for _, file := range files { - if file.IsDir() { - policiesFromDir, err := getPoliciesInDir(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - return policies, nil -} - -func getPolicies(paths []string) ([]*v1.ClusterPolicy, error) { - var policies = make([]*v1.ClusterPolicy, 0, len(paths)) - for _, path := range paths { - path = filepath.Clean(path) - - fileDesc, err := os.Stat(path) - if err != nil { - return nil, err - } - - if fileDesc.IsDir() { - policiesFromDir, err := getPoliciesInDir(path) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(path) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - return policies, nil -} - -func getPolicy(path string) (*v1.ClusterPolicy, error) { - policy := &v1.ClusterPolicy{} - - file, err := ioutil.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("failed to load file: %v", err) - } - - policyBytes, err := yaml.ToJSON(file) - if err != nil { - return nil, err - } - - if err := json.Unmarshal(policyBytes, policy); err != nil { - return nil, sanitizedError.New(fmt.Sprintf("failed to decode policy in %s", path)) - } - - if policy.TypeMeta.Kind != "ClusterPolicy" { - return nil, sanitizedError.New(fmt.Sprintf("resource %v is not a cluster policy", policy.Name)) - } - - return policy, nil -} - -func getResource(path string) (*unstructured.Unstructured, error) { - - resourceYaml, err := ioutil.ReadFile(path) - if err != nil { - return nil, err - } - - decode := scheme.Codecs.UniversalDeserializer().Decode - resourceObject, metaData, err := decode(resourceYaml, nil, nil) - if err != nil { - return nil, err - } - - resourceUnstructured, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&resourceObject) - if err != nil { - return nil, err - } - - resourceJSON, err := json.Marshal(resourceUnstructured) - if err != nil { - return nil, err - } - - resource, err := engineutils.ConvertToUnstructured(resourceJSON) - if err != nil { - return nil, err - } - - resource.SetGroupVersionKind(*metaData) - - if resource.GetNamespace() == "" { - resource.SetNamespace("default") - } - - return resource, nil -} - -func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured) error { - - fmt.Printf("\n\nApplying Policy %s on Resource %s/%s/%s", policy.Name, resource.GetNamespace(), resource.GetKind(), resource.GetName()) - - mutateResponse := engine.Mutate(engine.PolicyContext{Policy: *policy, NewResource: *resource}) - if !mutateResponse.IsSuccesful() { - fmt.Printf("\n\nMutation:") - fmt.Printf("\nFailed to apply mutation") - for i, r := range mutateResponse.PolicyResponse.Rules { - fmt.Printf("\n%d. %s", i+1, r.Message) - } - fmt.Printf("\n\n") - } else { - if len(mutateResponse.PolicyResponse.Rules) > 0 { - fmt.Printf("\n\nMutation:") - fmt.Printf("\nMutation has been applied succesfully") - yamlEncodedResource, err := yamlv2.Marshal(mutateResponse.PatchedResource.Object) - if err != nil { - return err - } - - fmt.Printf("\n\n" + string(yamlEncodedResource)) - fmt.Printf("\n\n") - } - } - - validateResponse := engine.Validate(engine.PolicyContext{Policy: *policy, NewResource: mutateResponse.PatchedResource}) - if !validateResponse.IsSuccesful() { - fmt.Printf("\n\nValidation:") - fmt.Printf("\nResource is invalid") - for i, r := range validateResponse.PolicyResponse.Rules { - fmt.Printf("\n%d. %s", i+1, r.Message) - } - fmt.Printf("\n\n") - } else { - if len(validateResponse.PolicyResponse.Rules) > 0 { - fmt.Printf("\n\nValidation:") - fmt.Printf("\nResource is valid") - fmt.Printf("\n\n") - } - } - - var policyHasGenerate bool - for _, rule := range policy.Spec.Rules { - if rule.HasGenerate() { - policyHasGenerate = true - } - } - - if policyHasGenerate { - generateResponse := engine.Generate(engine.PolicyContext{Policy: *policy, NewResource: *resource}) - if len(generateResponse.PolicyResponse.Rules) > 0 { - fmt.Printf("\n\nGenerate:") - fmt.Printf("\nResource is valid") - fmt.Printf("\n\n") - } else { - fmt.Printf("\n\nGenerate:") - fmt.Printf("\nResource is invalid") - for i, r := range generateResponse.PolicyResponse.Rules { - fmt.Printf("\n%d. %s", i+1, r.Message) - } - fmt.Printf("\n\n") - } - } - - return nil -} diff --git a/pkg/kyverno/apply/helper.go b/pkg/kyverno/apply/helper.go deleted file mode 100644 index 04dc142a9a..0000000000 --- a/pkg/kyverno/apply/helper.go +++ /dev/null @@ -1,37 +0,0 @@ -package apply - -import ( - "fmt" - "strings" - - "github.com/nirmata/kyverno/pkg/openapi" -) - -func getListEndpointForKind(kind string) (string, error) { - - definitionName := openapi.GetDefinitionNameFromKind(kind) - definitionNameWithoutPrefix := strings.Replace(definitionName, "io.k8s.", "", -1) - - parts := strings.Split(definitionNameWithoutPrefix, ".") - definitionPrefix := strings.Join(parts[:len(parts)-1], ".") - - defPrefixToApiPrefix := map[string]string{ - "api.core.v1": "/api/v1", - "api.apps.v1": "/apis/apps/v1", - "api.batch.v1": "/apis/batch/v1", - "api.admissionregistration.v1": "/apis/admissionregistration.k8s.io/v1", - "kube-aggregator.pkg.apis.apiregistration.v1": "/apis/apiregistration.k8s.io/v1", - "apiextensions-apiserver.pkg.apis.apiextensions.v1": "/apis/apiextensions.k8s.io/v1", - "api.autoscaling.v1": "/apis/autoscaling/v1/", - "api.storage.v1": "/apis/storage.k8s.io/v1", - "api.coordination.v1": "/apis/coordination.k8s.io/v1", - "api.scheduling.v1": "/apis/scheduling.k8s.io/v1", - "api.rbac.v1": "/apis/rbac.authorization.k8s.io/v1", - } - - if defPrefixToApiPrefix[definitionPrefix] == "" { - return "", fmt.Errorf("Unsupported resource type %v", kind) - } - - return defPrefixToApiPrefix[definitionPrefix] + "/" + strings.ToLower(kind) + "s", nil -} diff --git a/pkg/kyverno/main.go b/pkg/kyverno/main.go deleted file mode 100644 index d0d1163ef6..0000000000 --- a/pkg/kyverno/main.go +++ /dev/null @@ -1,50 +0,0 @@ -package kyverno - -import ( - "flag" - "os" - - "github.com/nirmata/kyverno/pkg/kyverno/validate" - - "github.com/nirmata/kyverno/pkg/kyverno/apply" - - "github.com/nirmata/kyverno/pkg/kyverno/version" - - "github.com/spf13/cobra" -) - -func CLI() { - cli := &cobra.Command{ - Use: "kyverno", - Short: "kyverno manages native policies of Kubernetes", - } - - configureGlog(cli) - - commands := []*cobra.Command{ - version.Command(), - apply.Command(), - validate.Command(), - } - - cli.AddCommand(commands...) - - cli.SilenceUsage = true - - if err := cli.Execute(); err != nil { - os.Exit(1) - } -} - -func configureGlog(cli *cobra.Command) { - flag.Parse() - _ = flag.Set("logtostderr", "true") - - cli.PersistentFlags().AddGoFlagSet(flag.CommandLine) - _ = cli.PersistentFlags().MarkHidden("alsologtostderr") - _ = cli.PersistentFlags().MarkHidden("logtostderr") - _ = cli.PersistentFlags().MarkHidden("log_dir") - _ = cli.PersistentFlags().MarkHidden("log_backtrace_at") - _ = cli.PersistentFlags().MarkHidden("stderrthreshold") - _ = cli.PersistentFlags().MarkHidden("vmodule") -} diff --git a/pkg/kyverno/sanitizedError/error.go b/pkg/kyverno/sanitizedError/error.go deleted file mode 100644 index 3c8ef003f7..0000000000 --- a/pkg/kyverno/sanitizedError/error.go +++ /dev/null @@ -1,20 +0,0 @@ -package sanitizedError - -type customError struct { - message string -} - -func (c customError) Error() string { - return c.message -} - -func New(message string) error { - return customError{message: message} -} - -func IsErrorSanitized(err error) bool { - if _, ok := err.(customError); !ok { - return false - } - return true -} diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go deleted file mode 100644 index 3845626305..0000000000 --- a/pkg/kyverno/validate/command.go +++ /dev/null @@ -1,142 +0,0 @@ -package validate - -import ( - "encoding/json" - "fmt" - "io/ioutil" - "os" - "path/filepath" - - "github.com/nirmata/kyverno/pkg/kyverno/sanitizedError" - - "github.com/golang/glog" - - policyvalidate "github.com/nirmata/kyverno/pkg/policy" - - v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - "github.com/spf13/cobra" - "k8s.io/apimachinery/pkg/util/yaml" -) - -func Command() *cobra.Command { - cmd := &cobra.Command{ - Use: "validate", - Short: "Validates kyverno policies", - Example: "kyverno validate /path/to/policy.yaml /path/to/folderOfPolicies", - RunE: func(cmd *cobra.Command, policyPaths []string) (err error) { - defer func() { - if err != nil { - if !sanitizedError.IsErrorSanitized(err) { - glog.V(4).Info(err) - err = fmt.Errorf("Internal error") - } - } - }() - - policies, err := getPolicies(policyPaths) - if err != nil { - if !sanitizedError.IsErrorSanitized(err) { - return sanitizedError.New("Could not parse policy paths") - } else { - return err - } - } - - for _, policy := range policies { - err = policyvalidate.Validate(*policy) - if err != nil { - fmt.Println("Policy " + policy.Name + " is invalid") - } else { - fmt.Println("Policy " + policy.Name + " is valid") - } - } - - return nil - }, - } - - return cmd -} - -func getPoliciesInDir(path string) ([]*v1.ClusterPolicy, error) { - var policies []*v1.ClusterPolicy - - files, err := ioutil.ReadDir(path) - if err != nil { - return nil, err - } - - for _, file := range files { - if file.IsDir() { - policiesFromDir, err := getPoliciesInDir(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - return policies, nil -} - -func getPolicies(paths []string) ([]*v1.ClusterPolicy, error) { - var policies = make([]*v1.ClusterPolicy, 0, len(paths)) - for _, path := range paths { - path = filepath.Clean(path) - - fileDesc, err := os.Stat(path) - if err != nil { - return nil, err - } - - if fileDesc.IsDir() { - policiesFromDir, err := getPoliciesInDir(path) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(path) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - return policies, nil -} - -func getPolicy(path string) (*v1.ClusterPolicy, error) { - policy := &v1.ClusterPolicy{} - - file, err := ioutil.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("failed to load file: %v", err) - } - - policyBytes, err := yaml.ToJSON(file) - if err != nil { - return nil, err - } - - if err := json.Unmarshal(policyBytes, policy); err != nil { - return nil, sanitizedError.New(fmt.Sprintf("failed to decode policy in %s", path)) - } - - if policy.TypeMeta.Kind != "ClusterPolicy" { - return nil, sanitizedError.New(fmt.Sprintf("resource %v is not a cluster policy", policy.Name)) - } - - return policy, nil -} diff --git a/pkg/kyverno/version/command.go b/pkg/kyverno/version/command.go deleted file mode 100644 index 25d1324f2a..0000000000 --- a/pkg/kyverno/version/command.go +++ /dev/null @@ -1,21 +0,0 @@ -package version - -import ( - "fmt" - - "github.com/nirmata/kyverno/pkg/version" - "github.com/spf13/cobra" -) - -func Command() *cobra.Command { - return &cobra.Command{ - Use: "version", - Short: "Shows current version of kyverno", - RunE: func(cmd *cobra.Command, args []string) error { - fmt.Printf("Version: %s\n", version.BuildVersion) - fmt.Printf("Time: %s\n", version.BuildTime) - fmt.Printf("Git commit ID: %s\n", version.BuildHash) - return nil - }, - } -}