mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-13 19:28:55 +00:00
refactor: move image verification handler out of webhooks package (#4569)
* refactor: move mutation handler out of webhooks package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: move image verification handler out of webhooks package Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
Charles-Edouard Brétéché
GitHub
parent
20b8697ad8
commit
10638362dc
3 changed files with 121 additions and 80 deletions
|
|
@ -2,7 +2,6 @@ package resource
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"reflect"
|
||||
"time"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
|
|
@ -13,9 +12,7 @@ import (
|
|||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/common"
|
||||
"github.com/kyverno/kyverno/pkg/config"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
engineutils2 "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
|
|
@ -27,14 +24,12 @@ import (
|
|||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/audit"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/imageverification"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/mutation"
|
||||
"github.com/kyverno/kyverno/pkg/webhooks/resource/validation"
|
||||
webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest"
|
||||
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
||||
"github.com/pkg/errors"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
rbacv1listers "k8s.io/client-go/listers/rbac/v1"
|
||||
)
|
||||
|
|
@ -197,7 +192,8 @@ func (h *handlers) Mutate(logger logr.Logger, request *admissionv1.AdmissionRequ
|
|||
return admissionutils.ResponseFailure(err.Error())
|
||||
}
|
||||
newRequest := patchRequest(mutatePatches, request, logger)
|
||||
imagePatches, imageVerifyWarnings, err := h.applyImageVerifyPolicies(logger, newRequest, policyContext, verifyImagesPolicies)
|
||||
ivh := imageverification.NewImageVerificationHandler(logger, h.eventGen, h.prGenerator)
|
||||
imagePatches, imageVerifyWarnings, err := ivh.Handle(h.metricsConfig, newRequest, verifyImagesPolicies, policyContext)
|
||||
if err != nil {
|
||||
logger.Error(err, "image verification failed")
|
||||
return admissionutils.ResponseFailure(err.Error())
|
||||
|
|
@ -213,73 +209,6 @@ func (h *handlers) Mutate(logger logr.Logger, request *admissionv1.AdmissionRequ
|
|||
return admissionResponse
|
||||
}
|
||||
|
||||
func (h *handlers) applyImageVerifyPolicies(logger logr.Logger, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyvernov1.PolicyInterface) ([]byte, []string, error) {
|
||||
ok, message, imagePatches, warnings := h.handleVerifyImages(logger, request, policyContext, policies)
|
||||
if !ok {
|
||||
return nil, nil, errors.New(message)
|
||||
}
|
||||
|
||||
logger.V(6).Info("images verified", "patches", string(imagePatches), "warnings", warnings)
|
||||
return imagePatches, warnings, nil
|
||||
}
|
||||
|
||||
func (h *handlers) handleVerifyImages(logger logr.Logger, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyvernov1.PolicyInterface) (bool, string, []byte, []string) {
|
||||
if len(policies) == 0 {
|
||||
return true, "", nil, nil
|
||||
}
|
||||
|
||||
var engineResponses []*response.EngineResponse
|
||||
var patches [][]byte
|
||||
verifiedImageData := &engine.ImageVerificationMetadata{}
|
||||
for _, p := range policies {
|
||||
policyContext.Policy = p
|
||||
resp, ivm := engine.VerifyAndPatchImages(policyContext)
|
||||
|
||||
engineResponses = append(engineResponses, resp)
|
||||
patches = append(patches, resp.GetPatches()...)
|
||||
verifiedImageData.Merge(ivm)
|
||||
}
|
||||
|
||||
failurePolicy := policyContext.Policy.GetSpec().GetFailurePolicy()
|
||||
blocked := webhookutils.BlockRequest(engineResponses, failurePolicy, logger)
|
||||
if !isResourceDeleted(policyContext) {
|
||||
events := webhookutils.GenerateEvents(engineResponses, blocked)
|
||||
h.eventGen.Add(events...)
|
||||
}
|
||||
|
||||
if blocked {
|
||||
logger.V(4).Info("admission request blocked")
|
||||
return false, webhookutils.GetBlockedMessages(engineResponses), nil, nil
|
||||
}
|
||||
|
||||
prInfos := policyreport.GeneratePRsFromEngineResponse(engineResponses, logger)
|
||||
h.prGenerator.Add(prInfos...)
|
||||
|
||||
if !verifiedImageData.IsEmpty() {
|
||||
hasAnnotations := hasAnnotations(policyContext)
|
||||
annotationPatches, err := verifiedImageData.Patches(hasAnnotations, logger)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to create image verification annotation patches")
|
||||
} else {
|
||||
// add annotation patches first
|
||||
patches = append(annotationPatches, patches...)
|
||||
}
|
||||
}
|
||||
|
||||
warnings := webhookutils.GetWarningMessages(engineResponses)
|
||||
return true, "", jsonutils.JoinPatches(patches...), warnings
|
||||
}
|
||||
|
||||
func isResourceDeleted(policyContext *engine.PolicyContext) bool {
|
||||
var deletionTimeStamp *metav1.Time
|
||||
if reflect.DeepEqual(policyContext.NewResource, unstructured.Unstructured{}) {
|
||||
deletionTimeStamp = policyContext.NewResource.GetDeletionTimestamp()
|
||||
} else {
|
||||
deletionTimeStamp = policyContext.OldResource.GetDeletionTimestamp()
|
||||
}
|
||||
return deletionTimeStamp != nil
|
||||
}
|
||||
|
||||
func (h *handlers) handleDelete(logger logr.Logger, request *admissionv1.AdmissionRequest) {
|
||||
if request.Operation == admissionv1.Delete {
|
||||
resource, err := engineutils2.ConvertToUnstructured(request.OldObject.Raw)
|
||||
|
|
|
|||
118
pkg/webhooks/resource/imageverification/handler.go
Normal file
118
pkg/webhooks/resource/imageverification/handler.go
Normal file
|
|
@ -0,0 +1,118 @@
|
|||
package imageverification
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"reflect"
|
||||
|
||||
"github.com/go-logr/logr"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
"github.com/kyverno/kyverno/pkg/event"
|
||||
"github.com/kyverno/kyverno/pkg/metrics"
|
||||
"github.com/kyverno/kyverno/pkg/policyreport"
|
||||
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
||||
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
||||
)
|
||||
|
||||
type ImageVerificationHandler interface {
|
||||
Handle(
|
||||
*metrics.MetricsConfig,
|
||||
*admissionv1.AdmissionRequest,
|
||||
[]kyvernov1.PolicyInterface,
|
||||
*engine.PolicyContext,
|
||||
) ([]byte, []string, error)
|
||||
}
|
||||
|
||||
func NewImageVerificationHandler(log logr.Logger, eventGen event.Interface, prGenerator policyreport.GeneratorInterface) ImageVerificationHandler {
|
||||
return &imageVerificationHandler{
|
||||
log: log,
|
||||
eventGen: eventGen,
|
||||
prGenerator: prGenerator,
|
||||
}
|
||||
}
|
||||
|
||||
type imageVerificationHandler struct {
|
||||
log logr.Logger
|
||||
eventGen event.Interface
|
||||
prGenerator policyreport.GeneratorInterface
|
||||
}
|
||||
|
||||
func (h *imageVerificationHandler) Handle(
|
||||
metricsConfig *metrics.MetricsConfig,
|
||||
request *admissionv1.AdmissionRequest,
|
||||
policies []kyvernov1.PolicyInterface,
|
||||
policyContext *engine.PolicyContext,
|
||||
) ([]byte, []string, error) {
|
||||
ok, message, imagePatches, warnings := h.handleVerifyImages(h.log, request, policyContext, policies)
|
||||
if !ok {
|
||||
return nil, nil, errors.New(message)
|
||||
}
|
||||
h.log.V(6).Info("images verified", "patches", string(imagePatches), "warnings", warnings)
|
||||
return imagePatches, warnings, nil
|
||||
}
|
||||
|
||||
func (h *imageVerificationHandler) handleVerifyImages(logger logr.Logger, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyvernov1.PolicyInterface) (bool, string, []byte, []string) {
|
||||
if len(policies) == 0 {
|
||||
return true, "", nil, nil
|
||||
}
|
||||
|
||||
var engineResponses []*response.EngineResponse
|
||||
var patches [][]byte
|
||||
verifiedImageData := &engine.ImageVerificationMetadata{}
|
||||
for _, p := range policies {
|
||||
policyContext.Policy = p
|
||||
resp, ivm := engine.VerifyAndPatchImages(policyContext)
|
||||
|
||||
engineResponses = append(engineResponses, resp)
|
||||
patches = append(patches, resp.GetPatches()...)
|
||||
verifiedImageData.Merge(ivm)
|
||||
}
|
||||
|
||||
failurePolicy := policyContext.Policy.GetSpec().GetFailurePolicy()
|
||||
blocked := webhookutils.BlockRequest(engineResponses, failurePolicy, logger)
|
||||
if !isResourceDeleted(policyContext) {
|
||||
events := webhookutils.GenerateEvents(engineResponses, blocked)
|
||||
h.eventGen.Add(events...)
|
||||
}
|
||||
|
||||
if blocked {
|
||||
logger.V(4).Info("admission request blocked")
|
||||
return false, webhookutils.GetBlockedMessages(engineResponses), nil, nil
|
||||
}
|
||||
|
||||
prInfos := policyreport.GeneratePRsFromEngineResponse(engineResponses, logger)
|
||||
h.prGenerator.Add(prInfos...)
|
||||
|
||||
if !verifiedImageData.IsEmpty() {
|
||||
hasAnnotations := hasAnnotations(policyContext)
|
||||
annotationPatches, err := verifiedImageData.Patches(hasAnnotations, logger)
|
||||
if err != nil {
|
||||
logger.Error(err, "failed to create image verification annotation patches")
|
||||
} else {
|
||||
// add annotation patches first
|
||||
patches = append(annotationPatches, patches...)
|
||||
}
|
||||
}
|
||||
|
||||
warnings := webhookutils.GetWarningMessages(engineResponses)
|
||||
return true, "", jsonutils.JoinPatches(patches...), warnings
|
||||
}
|
||||
|
||||
func hasAnnotations(context *engine.PolicyContext) bool {
|
||||
annotations := context.NewResource.GetAnnotations()
|
||||
return len(annotations) != 0
|
||||
}
|
||||
|
||||
func isResourceDeleted(policyContext *engine.PolicyContext) bool {
|
||||
var deletionTimeStamp *metav1.Time
|
||||
if reflect.DeepEqual(policyContext.NewResource, unstructured.Unstructured{}) {
|
||||
deletionTimeStamp = policyContext.NewResource.GetDeletionTimestamp()
|
||||
} else {
|
||||
deletionTimeStamp = policyContext.OldResource.GetDeletionTimestamp()
|
||||
}
|
||||
return deletionTimeStamp != nil
|
||||
}
|
||||
|
|
@ -8,7 +8,6 @@ import (
|
|||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/pkg/clients/dclient"
|
||||
"github.com/kyverno/kyverno/pkg/engine"
|
||||
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
||||
"github.com/kyverno/kyverno/pkg/engine/response"
|
||||
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
|
||||
|
|
@ -49,11 +48,6 @@ func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger)
|
|||
return resource
|
||||
}
|
||||
|
||||
func hasAnnotations(context *engine.PolicyContext) bool {
|
||||
annotations := context.NewResource.GetAnnotations()
|
||||
return len(annotations) != 0
|
||||
}
|
||||
|
||||
func getGeneratedByResource(newRes *unstructured.Unstructured, resLabels map[string]string, client dclient.Interface, rule kyvernov1.Rule, logger logr.Logger) (kyvernov1.Rule, error) {
|
||||
var apiVersion, kind, name, namespace string
|
||||
sourceRequest := &admissionv1.AdmissionRequest{}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue