From 10cf0f2344c4f6c4bb95cfeb77418ac0540790ed Mon Sep 17 00:00:00 2001 From: Tathagata Paul Date: Tue, 12 Apr 2022 09:30:49 +0530 Subject: [PATCH] add support for roles, cluster roles and subjects (#3188) * add support for roles, cluster roles and subjects in kyverno cli Signed-off-by: Tathagata Paul Co-authored-by: Vyankatesh Kudtarkar Co-authored-by: Sambhav Kothari --- pkg/kyverno/apply/apply_command.go | 20 +++++-- pkg/kyverno/apply/apply_command_test.go | 2 +- pkg/kyverno/common/common.go | 54 ++++++++++++++++++- pkg/kyverno/common/common_test.go | 3 +- pkg/kyverno/test/test_command.go | 18 +++++-- .../disallow_latest_tag.yaml | 37 +++++++++++++ .../admission_user_info/kyverno-test.yaml | 38 +++++++++++++ .../test/admission_user_info/resource.yaml | 34 ++++++++++++ .../test/admission_user_info/user_info.yaml | 4 ++ 9 files changed, 199 insertions(+), 11 deletions(-) create mode 100644 test/cli/test/admission_user_info/disallow_latest_tag.yaml create mode 100644 test/cli/test/admission_user_info/kyverno-test.yaml create mode 100644 test/cli/test/admission_user_info/resource.yaml create mode 100644 test/cli/test/admission_user_info/user_info.yaml diff --git a/pkg/kyverno/apply/apply_command.go b/pkg/kyverno/apply/apply_command.go index 12a3398310..9002a97ddc 100644 --- a/pkg/kyverno/apply/apply_command.go +++ b/pkg/kyverno/apply/apply_command.go @@ -8,6 +8,7 @@ import ( "time" "github.com/go-git/go-billy/v5/memfs" + v1 "github.com/kyverno/kyverno/api/kyverno/v1" client "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/kyverno/common" sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError" @@ -106,7 +107,7 @@ func Command() *cobra.Command { var cmd *cobra.Command var resourcePaths []string var cluster, policyReport, stdin, registryAccess bool - var mutateLogPath, variablesString, valuesFile, namespace string + var mutateLogPath, variablesString, valuesFile, namespace, userInfoPath string cmd = &cobra.Command{ Use: "apply", Short: "applies policies on resources", @@ -121,7 +122,7 @@ func Command() *cobra.Command { } }() - rc, resources, skipInvalidPolicies, pvInfos, err := applyCommandHelper(resourcePaths, cluster, policyReport, mutateLogPath, variablesString, valuesFile, namespace, policyPaths, stdin, registryAccess) + rc, resources, skipInvalidPolicies, pvInfos, err := applyCommandHelper(resourcePaths, userInfoPath, cluster, policyReport, mutateLogPath, variablesString, valuesFile, namespace, policyPaths, stdin, registryAccess) if err != nil { return err } @@ -134,6 +135,7 @@ func Command() *cobra.Command { cmd.Flags().BoolVarP(&cluster, "cluster", "c", false, "Checks if policies should be applied to cluster in the current context") cmd.Flags().StringVarP(&mutateLogPath, "output", "o", "", "Prints the mutated resources in provided file/directory") // currently `set` flag supports variable for single policy applied on single resource + cmd.Flags().StringVarP(&userInfoPath, "userinfo", "u", "", "Admission Info including Roles, Cluster Roles and Subjects") cmd.Flags().StringVarP(&variablesString, "set", "s", "", "Variables that are required") cmd.Flags().StringVarP(&valuesFile, "values-file", "f", "", "File containing values for policy variables") cmd.Flags().BoolVarP(&policyReport, "policy-report", "", false, "Generates policy report when passed (default policyviolation r") @@ -143,7 +145,7 @@ func Command() *cobra.Command { return cmd } -func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, mutateLogPath string, +func applyCommandHelper(resourcePaths []string, userInfoPath string, cluster bool, policyReport bool, mutateLogPath string, variablesString string, valuesFile string, namespace string, policyPaths []string, stdin bool, registryAccess bool) (rc *common.ResultCounts, resources []*unstructured.Unstructured, skipInvalidPolicies SkippedInvalidPolicies, pvInfos []policyreport.Info, err error) { store.SetMock(true) store.SetRegistryAccess(registryAccess) @@ -243,6 +245,16 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, return rc, resources, skipInvalidPolicies, pvInfos, sanitizederror.NewWithError("currently `set` flag supports variable for single policy applied on single resource ", nil) } + // get the user info as request info from a different file + var userInfo v1.RequestInfo + if userInfoPath != "" { + userInfo, err = common.GetUserInfoFromPath(fs, userInfoPath, false, "") + if err != nil { + fmt.Printf("Error: failed to load request info\nCause: %s\n", err) + os.Exit(1) + } + } + if variablesString != "" { variables = common.SetInStoreContext(mutatedPolicies, variables) } @@ -300,7 +312,7 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, return rc, resources, skipInvalidPolicies, pvInfos, sanitizederror.NewWithError(fmt.Sprintf("policy `%s` have variables. pass the values for the variables for resource `%s` using set/values_file flag", policy.GetName(), resource.GetName()), err) } - _, info, err := common.ApplyPolicyOnResource(policy, resource, mutateLogPath, mutateLogPathIsDir, thisPolicyResourceValues, policyReport, namespaceSelectorMap, stdin, rc, true) + _, info, err := common.ApplyPolicyOnResource(policy, resource, mutateLogPath, mutateLogPathIsDir, thisPolicyResourceValues, userInfo, policyReport, namespaceSelectorMap, stdin, rc, true) if err != nil { return rc, resources, skipInvalidPolicies, pvInfos, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.GetName(), resource.GetName()).Error(), err) } diff --git a/pkg/kyverno/apply/apply_command_test.go b/pkg/kyverno/apply/apply_command_test.go index 1c8b97fcd2..4ef9aa139e 100644 --- a/pkg/kyverno/apply/apply_command_test.go +++ b/pkg/kyverno/apply/apply_command_test.go @@ -71,7 +71,7 @@ func Test_Apply(t *testing.T) { } for _, tc := range testcases { - _, _, _, info, _ := applyCommandHelper(tc.ResourcePaths, false, true, "", "", "", "", tc.PolicyPaths, false, false) + _, _, _, info, _ := applyCommandHelper(tc.ResourcePaths, "", false, true, "", "", "", "", tc.PolicyPaths, false, false) resps := buildPolicyReports(info) for i, resp := range resps { compareSummary(tc.expectedPolicyReports[i].Summary, resp.UnstructuredContent()["summary"].(map[string]interface{})) diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index 063f933b48..e318c6bf7b 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -442,7 +442,7 @@ func MutatePolicies(policies []v1.PolicyInterface) ([]v1.PolicyInterface, error) // ApplyPolicyOnResource - function to apply policy on resource func ApplyPolicyOnResource(policy v1.PolicyInterface, resource *unstructured.Unstructured, - mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, policyReport bool, + mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, userInfo v1.RequestInfo, policyReport bool, namespaceSelectorMap map[string]map[string]string, stdin bool, rc *ResultCounts, printPatchResource bool) ([]*response.EngineResponse, policyreport.Info, error) { @@ -568,7 +568,7 @@ OuterLoop: var info policyreport.Info var validateResponse *response.EngineResponse if policyHasValidate { - policyCtx := &engine.PolicyContext{Policy: policy, NewResource: mutateResponse.PatchedResource, JSONContext: ctx, NamespaceLabels: namespaceLabels} + policyCtx := &engine.PolicyContext{Policy: policy, NewResource: mutateResponse.PatchedResource, JSONContext: ctx, NamespaceLabels: namespaceLabels, AdmissionInfo: userInfo} validateResponse = engine.Validate(policyCtx) info = ProcessValidateEngineResponse(policy, validateResponse, resPath, rc, policyReport) } @@ -754,6 +754,7 @@ func GetResourceAccordingToResourcePath(fs billy.Filesystem, resourcePaths []str func ProcessValidateEngineResponse(policy v1.PolicyInterface, validateResponse *response.EngineResponse, resPath string, rc *ResultCounts, policyReport bool) policyreport.Info { var violatedRules []v1.ViolatedRule + printCount := 0 for _, policyRule := range autogen.ComputeRules(policy) { ruleFoundInEngineResponse := false @@ -1047,3 +1048,52 @@ func GetPatchedResourceFromPath(fs billy.Filesystem, path string, isGit bool, po return patchedResource, nil } + +//GetUserInfoFromPath - get the request info as user info from a given path +func GetUserInfoFromPath(fs billy.Filesystem, path string, isGit bool, policyResourcePath string) (v1.RequestInfo, error) { + userInfo := &v1.RequestInfo{} + + if isGit { + filep, err := fs.Open(filepath.Join(policyResourcePath, path)) + if err != nil { + fmt.Printf("Unable to open userInfo file: %s. \nerror: %s", path, err) + } + bytes, err := ioutil.ReadAll(filep) + if err != nil { + fmt.Printf("Error: failed to read file %s: %v", filep.Name(), err.Error()) + } + userInfoBytes, err := yaml.ToJSON(bytes) + if err != nil { + fmt.Printf("failed to convert to JSON: %v", err) + } + + if err := json.Unmarshal(userInfoBytes, userInfo); err != nil { + fmt.Printf("failed to decode yaml: %v", err) + } + } else { + var errors []error + bytes, err := ioutil.ReadFile(filepath.Join(policyResourcePath, path)) + if err != nil { + errors = append(errors, sanitizederror.NewWithError("unable to read yaml", err)) + } + userInfoBytes, err := yaml.ToJSON(bytes) + if err != nil { + errors = append(errors, sanitizederror.NewWithError("failed to convert json", err)) + } + + if err := json.Unmarshal(userInfoBytes, userInfo); err != nil { + errors = append(errors, sanitizederror.NewWithError("failed to decode yaml", err)) + } + if len(errors) > 0 { + return *userInfo, sanitizederror.NewWithErrors("failed to read file", errors) + } + + if len(errors) > 0 && log.Log.V(1).Enabled() { + fmt.Printf("ignoring errors: \n") + for _, e := range errors { + fmt.Printf(" %v \n", e.Error()) + } + } + } + return *userInfo, nil +} diff --git a/pkg/kyverno/common/common_test.go b/pkg/kyverno/common/common_test.go index ca17b8f5ef..b8af56adc2 100644 --- a/pkg/kyverno/common/common_test.go +++ b/pkg/kyverno/common/common_test.go @@ -3,6 +3,7 @@ package common import ( "testing" + v1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/toggle" ut "github.com/kyverno/kyverno/pkg/utils" "gotest.tools/assert" @@ -99,7 +100,7 @@ func Test_NamespaceSelector(t *testing.T) { for _, tc := range testcases { policyArray, _ := ut.GetPolicy(tc.policy) resourceArray, _ := GetResource(tc.resource) - ApplyPolicyOnResource(policyArray[0], resourceArray[0], "", false, nil, false, tc.namespaceSelectorMap, false, rc, false) + ApplyPolicyOnResource(policyArray[0], resourceArray[0], "", false, nil, v1.RequestInfo{}, false, tc.namespaceSelectorMap, false, rc, false) assert.Equal(t, int64(rc.Pass), int64(tc.result.Pass)) assert.Equal(t, int64(rc.Fail), int64(tc.result.Fail)) // TODO: autogen rules seem to not be present when autogen internals is disabled diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index fdaf15bff2..7b884e9ca4 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go @@ -236,6 +236,7 @@ type Test struct { Policies []string `json:"policies"` Resources []string `json:"resources"` Variables string `json:"variables"` + UserInfo string `json:"userinfo"` Results []TestResults `json:"results"` } @@ -410,7 +411,6 @@ func testCommandExecute(dirPath []string, fileName string, gitBranch string, tes errors = append(errors, sanitizederror.NewWithError("failed to convert to JSON", err)) continue } - if err := applyPoliciesFromPath(fs, policyBytes, true, policyresoucePath, rc, openAPIController, tf); err != nil { return rc, sanitizederror.NewWithError("failed to apply test command", err) } @@ -717,8 +717,8 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool, var variablesString string var pvInfos []policyreport.Info var resultCounts common.ResultCounts - store.SetMock(true) + store.SetMock(true) if err := json.Unmarshal(policyBytes, values); err != nil { return sanitizederror.NewWithError("failed to decode yaml", err) } @@ -739,6 +739,8 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool, fmt.Printf("\nExecuting %s...", values.Name) valuesFile := values.Variables + userInfoFile := values.UserInfo + variables, globalValMap, valuesMap, namespaceSelectorMap, err := common.GetVariable(variablesString, values.Variables, fs, isGit, policyResourcePath) if err != nil { if !sanitizederror.IsErrorSanitized(err) { @@ -747,6 +749,16 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool, return err } + // get the user info as request info from a different file + var userInfo v1.RequestInfo + if userInfoFile != "" { + userInfo, err = common.GetUserInfoFromPath(fs, userInfoFile, isGit, policyResourcePath) + if err != nil { + fmt.Printf("Error: failed to load request info\nCause: %s\n", err) + os.Exit(1) + } + } + policyFullPath := getFullPath(values.Policies, policyResourcePath, isGit) resourceFullPath := getFullPath(values.Resources, policyResourcePath, isGit) @@ -857,7 +869,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, isGit bool, return sanitizederror.NewWithError(fmt.Sprintf("policy `%s` have variables. pass the values for the variables for resource `%s` using set/values_file flag", policy.GetName(), resource.GetName()), err) } - ers, info, err := common.ApplyPolicyOnResource(policy, resource, "", false, thisPolicyResourceValues, true, namespaceSelectorMap, false, &resultCounts, false) + ers, info, err := common.ApplyPolicyOnResource(policy, resource, "", false, thisPolicyResourceValues, userInfo, true, namespaceSelectorMap, false, &resultCounts, false) if err != nil { return sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.GetName(), resource.GetName()).Error(), err) } diff --git a/test/cli/test/admission_user_info/disallow_latest_tag.yaml b/test/cli/test/admission_user_info/disallow_latest_tag.yaml new file mode 100644 index 0000000000..db47bfef31 --- /dev/null +++ b/test/cli/test/admission_user_info/disallow_latest_tag.yaml @@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: disallow-latest-tag + annotations: + policies.kyverno.io/category: Best Practices + policies.kyverno.io/description: >- + The ':latest' tag is mutable and can lead to unexpected errors if the + image changes. A best practice is to use an immutable tag that maps to + a specific version of an application pod. +spec: + validationFailureAction: audit + rules: + - name: require-image-tag + match: + resources: + kinds: + - Pod + clusterRoles: + - cluster-admin + validate: + message: "An image tag is required." + pattern: + spec: + containers: + - image: "*:*" + - name: validate-image-tag + match: + resources: + kinds: + - Pod + validate: + message: "Using a mutable image tag e.g. 'latest' is not allowed." + pattern: + spec: + containers: + - image: "!*:latest" \ No newline at end of file diff --git a/test/cli/test/admission_user_info/kyverno-test.yaml b/test/cli/test/admission_user_info/kyverno-test.yaml new file mode 100644 index 0000000000..b3accb44ce --- /dev/null +++ b/test/cli/test/admission_user_info/kyverno-test.yaml @@ -0,0 +1,38 @@ +name: admission-user-info +policies: + - disallow_latest_tag.yaml +resources: + - resource.yaml +userinfo: user_info.yaml + +results: + - policy: disallow-latest-tag + rule: require-image-tag + resource: myapp-pod1 + kind: Pod + result: pass + - policy: disallow-latest-tag + rule: require-image-tag + resource: myapp-pod2 + kind: Pod + result: pass + - policy: disallow-latest-tag + rule: require-image-tag + resource: myapp-pod3 + kind: Pod + result: pass + - policy: disallow-latest-tag + rule: validate-image-tag + resource: myapp-pod1 + kind: Pod + result: pass + - policy: disallow-latest-tag + rule: validate-image-tag + resource: myapp-pod2 + kind: Pod + result: pass + - policy: disallow-latest-tag + rule: validate-image-tag + resource: myapp-pod3 + kind: Pod + result: pass \ No newline at end of file diff --git a/test/cli/test/admission_user_info/resource.yaml b/test/cli/test/admission_user_info/resource.yaml new file mode 100644 index 0000000000..3decae1d6e --- /dev/null +++ b/test/cli/test/admission_user_info/resource.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod1 + labels: + app: myapp1 +spec: + containers: + - name: nginx + image: nginx:1.12 + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod2 + labels: + app: myapp2 +spec: + containers: + - name: nginx + image: nginx:1.12 + +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod3 + labels: + app: myapp3 +spec: + containers: + - name: nginx + image: ngnix:1.12 diff --git a/test/cli/test/admission_user_info/user_info.yaml b/test/cli/test/admission_user_info/user_info.yaml new file mode 100644 index 0000000000..0fd5541e98 --- /dev/null +++ b/test/cli/test/admission_user_info/user_info.yaml @@ -0,0 +1,4 @@ +clusterRoles: +- cluster-admin +userInfo: + username: molybdenum@somecorp.com \ No newline at end of file