
feat: cleanup enhancements-1 (#5796)

* update fields description

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* update cleanup controller clusterrole name

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* - add variables validations to support "request." and "images."; - update debug log level to 4

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add missing files

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: ShutingZhao <shuting@nirmata.com>
shuting 2023-01-04 17:03:56 +08:00 committed by GitHub
parent 3c0b7856eb
commit 18455b4d21
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 115 additions and 80 deletions


@ -164,7 +164,7 @@ type CleanupPolicySpec struct {
// The schedule in Cron format
Schedule string `json:"schedule"`
// Conditions defines conditions used to select resources which user needs to delete
// Conditions defines the conditions used to select the resources which will be cleaned up.
// +optional
Conditions *kyvernov2beta1.AnyAllConditions `json:"conditions,omitempty"`
}


@ -119,14 +119,14 @@ type AnyAllConditions struct {
// AnyConditions enable variable-based conditional rule execution. This is useful for
// finer control of when an rule is applied. A condition can reference object data
// using JMESPath notation.
// Here, at least one of the conditions need to pass
// Here, at least one of the conditions need to pass.
// +optional
AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
// AllConditions enable variable-based conditional rule execution. This is useful for
// finer control of when an rule is applied. A condition can reference object data
// using JMESPath notation.
// Here, all of the conditions need to pass
// Here, all of the conditions need to pass.
// +optional
AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
}


@ -3,7 +3,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
name: {{ template "kyverno.name" . }}:cleanup-controller
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
rules:


@ -9,7 +9,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.cleanup-controller.name" . }}
name: {{ template "kyverno.name" . }}:cleanup-controller
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}


@ -702,14 +702,14 @@ spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines conditions used to select resources
which user needs to delete
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass
notation. Here, all of the conditions need to pass.
items:
properties:
key:
@ -749,7 +749,7 @@ spec:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
@ -2401,14 +2401,14 @@ spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines conditions used to select resources
which user needs to delete
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass
notation. Here, all of the conditions need to pass.
items:
properties:
key:
@ -2448,7 +2448,7 @@ spec:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
@ -11622,7 +11622,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, all of the conditions need
to pass
to pass.
items:
properties:
key:
@ -11663,7 +11663,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, at least one of the conditions
need to pass
need to pass.
items:
properties:
key:
@ -11723,7 +11723,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, all of the conditions need to pass
Here, all of the conditions need to pass.
items:
properties:
key:
@ -11766,7 +11766,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, at least one of the conditions need to pass
Here, at least one of the conditions need to pass.
items:
properties:
key:
@ -24827,7 +24827,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, all of the conditions need
to pass
to pass.
items:
properties:
key:
@ -24868,7 +24868,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, at least one of the conditions
need to pass
need to pass.
items:
properties:
key:
@ -24928,7 +24928,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, all of the conditions need to pass
Here, all of the conditions need to pass.
items:
properties:
key:
@ -24971,7 +24971,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, at least one of the conditions need to pass
Here, at least one of the conditions need to pass.
items:
properties:
key:


@ -64,7 +64,7 @@ func (h *handlers) lookupPolicy(namespace, name string) (kyvernov2alpha1.Cleanup
func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyInterface, cfg config.Configuration) error {
spec := policy.GetSpec()
kinds := sets.New(spec.MatchResources.GetKinds()...)
debug := logger.V(5)
debug := logger.V(4)
var errs []error
for kind := range kinds {
debug := debug.WithValues("kind", kind)


@ -10,7 +10,7 @@ import (
func shutdown(logger logr.Logger, sdowns ...context.CancelFunc) context.CancelFunc {
return func() {
for i := range sdowns {
logger.Info("shuting down...")
logger.Info("shutting down...")
defer sdowns[i]()
}
}


@ -47,14 +47,14 @@ spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines conditions used to select resources
which user needs to delete
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass
notation. Here, all of the conditions need to pass.
items:
properties:
key:
@ -94,7 +94,7 @@ spec:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:


@ -47,14 +47,14 @@ spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines conditions used to select resources
which user needs to delete
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass
notation. Here, all of the conditions need to pass.
items:
properties:
key:
@ -94,7 +94,7 @@ spec:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:


@ -8220,7 +8220,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, all of the conditions need
to pass
to pass.
items:
properties:
key:
@ -8261,7 +8261,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, at least one of the conditions
need to pass
need to pass.
items:
properties:
key:
@ -8321,7 +8321,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, all of the conditions need to pass
Here, all of the conditions need to pass.
items:
properties:
key:
@ -8364,7 +8364,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, at least one of the conditions need to pass
Here, at least one of the conditions need to pass.
items:
properties:
key:


@ -8223,7 +8223,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, all of the conditions need
to pass
to pass.
items:
properties:
key:
@ -8264,7 +8264,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, at least one of the conditions
need to pass
need to pass.
items:
properties:
key:
@ -8324,7 +8324,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, all of the conditions need to pass
Here, all of the conditions need to pass.
items:
properties:
key:
@ -8367,7 +8367,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, at least one of the conditions need to pass
Here, at least one of the conditions need to pass.
items:
properties:
key:


@ -771,14 +771,14 @@ spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines conditions used to select resources
which user needs to delete
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass
notation. Here, all of the conditions need to pass.
items:
properties:
key:
@ -818,7 +818,7 @@ spec:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
@ -2473,14 +2473,14 @@ spec:
description: Spec declares policy behaviors.
properties:
conditions:
description: Conditions defines conditions used to select resources
which user needs to delete
description: Conditions defines the conditions used to select the
resources which will be cleaned up.
properties:
all:
description: AllConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, all of the conditions need to pass
notation. Here, all of the conditions need to pass.
items:
properties:
key:
@ -2520,7 +2520,7 @@ spec:
description: AnyConditions enable variable-based conditional rule
execution. This is useful for finer control of when an rule
is applied. A condition can reference object data using JMESPath
notation. Here, at least one of the conditions need to pass
notation. Here, at least one of the conditions need to pass.
items:
properties:
key:
@ -11695,7 +11695,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, all of the conditions need
to pass
to pass.
items:
properties:
key:
@ -11736,7 +11736,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, at least one of the conditions
need to pass
need to pass.
items:
properties:
key:
@ -11796,7 +11796,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, all of the conditions need to pass
Here, all of the conditions need to pass.
items:
properties:
key:
@ -11839,7 +11839,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, at least one of the conditions need to pass
Here, at least one of the conditions need to pass.
items:
properties:
key:
@ -24902,7 +24902,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, all of the conditions need
to pass
to pass.
items:
properties:
key:
@ -24943,7 +24943,7 @@ spec:
rule execution. This is useful for finer control of when
an rule is applied. A condition can reference object data
using JMESPath notation. Here, at least one of the conditions
need to pass
need to pass.
items:
properties:
key:
@ -25003,7 +25003,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, all of the conditions need to pass
Here, all of the conditions need to pass.
items:
properties:
key:
@ -25046,7 +25046,7 @@ spec:
conditional rule execution. This is useful for
finer control of when an rule is applied. A condition
can reference object data using JMESPath notation.
Here, at least one of the conditions need to pass
Here, at least one of the conditions need to pass.
items:
properties:
key:
@ -31438,7 +31438,7 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno-cleanup-controller
name: kyverno:cleanup-controller
labels:
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
@ -31709,7 +31709,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kyverno-cleanup-controller
name: kyverno:cleanup-controller
subjects:
- kind: ServiceAccount
name: kyverno-cleanup-controller


@ -5226,7 +5226,7 @@ AnyAllConditions
</td>
<td>
<em>(Optional)</em>
<p>Conditions defines conditions used to select resources which user needs to delete</p>
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
</td>
</tr>
</table>
@ -5361,7 +5361,7 @@ AnyAllConditions
</td>
<td>
<em>(Optional)</em>
<p>Conditions defines conditions used to select resources which user needs to delete</p>
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
</td>
</tr>
</table>
@ -5552,7 +5552,7 @@ AnyAllConditions
</td>
<td>
<em>(Optional)</em>
<p>Conditions defines conditions used to select resources which user needs to delete</p>
<p>Conditions defines the conditions used to select the resources which will be cleaned up.</p>
</td>
</tr>
</tbody>
@ -6168,7 +6168,7 @@ PolicyStatus
<p>AnyConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, at least one of the conditions need to pass</p>
Here, at least one of the conditions need to pass.</p>
</td>
</tr>
<tr>
@ -6185,7 +6185,7 @@ Here, at least one of the conditions need to pass</p>
<p>AllConditions enable variable-based conditional rule execution. This is useful for
finer control of when an rule is applied. A condition can reference object data
using JMESPath notation.
Here, all of the conditions need to pass</p>
Here, all of the conditions need to pass.</p>
</td>
</tr>
</tbody>


@ -0,0 +1,21 @@
package variables
import (
"github.com/jmespath/go-jmespath"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
)
func CheckNotFoundErr(err error) bool {
if err != nil {
switch err.(type) {
case jmespath.NotFoundError:
return true
case enginecontext.InvalidVariableError:
return false
default:
return false
}
}
return true
}
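Review bot: `CheckNotFoundErr` is exported without a doc comment, and its name does not tell the reader that a nil error also yields true; add `// CheckNotFoundErr reports whether err can be tolerated during variable validation: it is true for a nil error or a jmespath.NotFoundError and false for every other error, including enginecontext.InvalidVariableError.` The `switch err.(type)` matches the concrete dynamic type only, so a NotFoundError that an intermediate layer wrapped with `%w` would be reported as a hard failure; if any caller wraps errors, `errors.As` with a `jmespath.NotFoundError` target would be the robust form. The explicit `enginecontext.InvalidVariableError` case returns the same value as `default`; keeping it as documentation of intent is reasonable, but a one-line comment saying so would stop readers from assuming it is special-cased.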


@ -498,7 +498,7 @@ func hasInvalidVariables(policy kyvernov1.PolicyInterface, background bool) erro
}
ctx := buildContext(ruleCopy, background)
if _, err := variables.SubstituteAllInRule(logging.GlobalLogger(), ctx, *ruleCopy); !checkNotFoundErr(err) {
if _, err := variables.SubstituteAllInRule(logging.GlobalLogger(), ctx, *ruleCopy); !variables.CheckNotFoundErr(err) {
return fmt.Errorf("variable substitution failed for rule %s: %s", ruleCopy.Name, err.Error())
}
}
@ -647,21 +647,6 @@ func addContextVariables(entries []kyvernov1.ContextEntry, ctx *enginecontext.Mo
}
}
func checkNotFoundErr(err error) bool {
if err != nil {
switch err.(type) {
case jmespath.NotFoundError:
return true
case enginecontext.InvalidVariableError:
return false
default:
return false
}
}
return true
}
func validateElementInForEach(document apiextensions.JSON) error {
jsonByte, err := json.Marshal(document)
if err != nil {


@ -3,11 +3,14 @@ package cleanuppolicy
import (
"context"
"fmt"
"regexp"
"github.com/go-logr/logr"
kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
"github.com/kyverno/kyverno/pkg/auth"
"github.com/kyverno/kyverno/pkg/clients/dclient"
enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/variables"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/client-go/discovery"
)
@ -48,6 +51,10 @@ func Validate(ctx context.Context, logger logr.Logger, client dclient.Interface,
if err := validateAuth(ctx, client, policy); err != nil {
return err
}
if err := validateVariables(logger, policy); err != nil {
return err
}
return nil
}
@ -64,13 +71,35 @@ func validateAuth(ctx context.Context, client dclient.Interface, policy kyvernov
kinds := sets.New(spec.MatchResources.GetKinds()...)
for kind := range kinds {
checker := auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, "delete", "")
allowed, err := checker.RunAccessCheck(ctx)
allowedDeletion, err := checker.RunAccessCheck(ctx)
if err != nil {
return err
}
if !allowed {
if !allowedDeletion {
return fmt.Errorf("cleanup controller has no permission to delete kind %s", kind)
}
checker = auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, "list", "")
allowedList, err := checker.RunAccessCheck(ctx)
if err != nil {
return err
}
if !allowedList {
return fmt.Errorf("cleanup controller has no permission to list kind %s", kind)
}
}
return nil
}
func validateVariables(logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyInterface) error {
ctx := enginecontext.NewMockContext(allowedVariables)
c := policy.GetSpec().Conditions
conditionCopy := c.DeepCopy()
if _, err := variables.SubstituteAllInType(logger, ctx, conditionCopy); !variables.CheckNotFoundErr(err) {
return fmt.Errorf("variable substitution failed for policy %s: %s", policy.GetName(), err.Error())
}
return nil
}
var allowedVariables = regexp.MustCompile(`request\.|images\.|([a-z_0-9]+\()[^{}]`)
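Review bot: `validateVariables` calls `c.DeepCopy()` on `policy.GetSpec().Conditions` without a nil check, although the API type on this page declares `Conditions` as an optional pointer (`json:"conditions,omitempty"`); unless both `DeepCopy` and `SubstituteAllInType` are nil-tolerant, a cleanup policy with no conditions would be rejected by the new check, so an early `if c == nil { return nil }` before the copy keeps validation confined to policies that can actually reference variables. The error on the next line is built with `%s` and `err.Error()`, which discards the error chain; `return fmt.Errorf("variable substitution failed for policy %s: %w", policy.GetName(), err)` keeps it inspectable with `errors.Is`/`errors.As`. `allowedVariables` is unanchored, so `request\.` also matches inside a longer path such as `foo.request.bar`; if the mock context matches whole variable names, anchoring each alternative with `^` would make the allow-list strict rather than substring-based. In `validateAuth`, the added list check repeats the delete check line for line; iterating over the two verbs keeps a single copy of the access-review logic and produces byte-identical error messages.
```go
for kind := range kinds {
	for _, verb := range []string{"delete", "list"} {
		checker := auth.NewCanI(client.Discovery(), client.GetKubeClient().AuthorizationV1().SelfSubjectAccessReviews(), kind, namespace, verb, "")
		allowed, err := checker.RunAccessCheck(ctx)
		if err != nil {
			return err
		}
		if !allowed {
			return fmt.Errorf("cleanup controller has no permission to %s kind %s", verb, kind)
		}
	}
}
// … unchanged: return nil …
```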