Merge branch 'master' into access_check

2024-12-14 11:57:48 +00:00 · 2020-03-20 10:07:47 -07:00 · 2020-03-20 10:07:47 -07:00 · 2638e1002a
commit 2638e1002a
parent 90a80db748 e8397c01c5
7 changed files with 126 additions and 65 deletions
--- a/README.md
+++ b/README.md
@ -120,6 +120,7 @@ Refer to a list of curated of ***[sample policies](/samples/README.md)*** that c

 * [Getting Started](documentation/installation.md)
 * [Writing Policies](documentation/writing-policies.md)
+  * [Selecting Resources](/documentation/writing-policies-match-exclude.md)
  * [Validate Resources](documentation/writing-policies-validate.md)
  * [Mutate Resources](documentation/writing-policies-mutate.md)
  * [Generate Resources](documentation/writing-policies-generate.md)
--- a/documentation/kyverno-cli.md
+++ b/documentation/kyverno-cli.md
@ -16,6 +16,14 @@ make cli
 mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno
 ```

+## Install via AUR (archlinux)
+
+You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay))
+
+```
+yay -S kyverno-git
+```
+
 ## Commands

 #### Version
--- a/documentation/writing-policies-match-exclude.md
+++ b/documentation/writing-policies-match-exclude.md
@ -0,0 +1,93 @@
+<small>*[documentation](/README.md#documentation) / Writing Policies / Match & Exclude *</small>
+
+# Match & Exclude
+
+The `match` and `exclude` filters control which resources policies are applied to. 
+
+The match / exclude clauses have the same structure, and can each contain the following elements:
+* resources: select resources by name, namespaces, kinds, and label selectors.
+* subjects: select users, user groups, and service accounts
+* roles: select namespaced roles
+* clusterroles: select cluster wide roles
+
+At least one element must be specified in a `match` block. The `kind` attribute is optional, but if it's not specified the policy rule will only be applicable to metatdata that is common across all resources kinds.
+
+When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied.
+
+The following YAML provides an example for a match clause.
+
+````yaml
+apiVersion : kyverno.io/v1
+kind : ClusterPolicy
+metadata :
+  name : policy
+spec :
+  # 'enforce' to block resource request if any rules fail
+  # 'audit' to allow resource request on failure of rules, but create policy violations to report them
+  validationFailureAction: enforce
+  # Each policy has a list of rules applied in declaration order
+  rules:
+    # Rules must have a unique name
+    - name: "check-pod-controller-labels"      
+      # Each rule matches specific resource described by "match" field.
+      match:
+        resources:
+          kinds: # Required, list of kinds
+          - Deployment
+          - StatefulSet
+          name: "mongo*" # Optional, a resource name is optional. Name supports wildcards (* and ?)
+          namespaces: # Optional, list of namespaces. Supports wildcards (* and ?)
+          - "dev*"
+          - test
+          selector: # Optional, a resource selector is optional. Values support wildcards (* and ?)
+              matchLabels:
+                  app: mongodb
+              matchExpressions:
+                  - {key: tier, operator: In, values: [database]}
+        # Optional, subjects to be matched
+        subjects:
+        - kind: User
+          name: mary@somecorp.com
+        # Optional, roles to be matched
+        roles:
+        # Optional, clusterroles to be matched
+        clusterroles: cluster-admin
+
+        ...
+
+````
+
+All`match` and `exclude` element must be satisfied for the resource to be selected as a candidate for the policy rule. In other words, the match and exclude conditions are evaluated using a logical AND operation.
+
+Here is an example of a rule that matches all pods, excluding pods created by using the `cluster-admin` cluster role.
+
+````yaml
+spec:
+  rules:
+    name: "match-pods-except-admin"
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      clusterroles: cluster-admin
+````
+
+This rule that matches all pods, excluding pods in the `kube-system` namespace.
+
+````yaml
+spec:
+  rules:
+    name: "match-pods-except-admin"
+    match:
+      resources:
+        kinds:
+        - Pod
+    exclude:
+      namespaces:
+      - "kube-system"
+````
+
+
+---
+<small>*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)*</small>
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@ -8,59 +8,9 @@ The following picture shows the structure of a Kyverno Policy:

 Each Kyverno policy contains one or more rules. Each rule has a `match` clause, an optional `exclude` clause, and one of a `mutate`, `validate`, or `generate` clause.

-The match / exclude clauses have the same structure, and can contain the following elements:
-* resources: select resources by name, namespaces, kinds, and label selectors.
-* subjects: select users, user groups, and service accounts
-* roles: select namespaced roles
-* clusterroles: select cluster wide roles
-
-When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied.
-
-The following YAML provides an example for a match clause.
-
-````yaml
-apiVersion : kyverno.io/v1
-kind : ClusterPolicy
-metadata :
-  name : policy
-spec :
-  # 'enforce' to block resource request if any rules fail
-  # 'audit' to allow resource request on failure of rules, but create policy violations to report them
-  validationFailureAction: enforce
-  # Each policy has a list of rules applied in declaration order
-  rules:
-    # Rules must have a unique name
-    - name: "check-pod-controller-labels"      
-      # Each rule matches specific resource described by "match" field.
-      match:
-        resources:
-          kinds: # Required, list of kinds
-          - Deployment
-          - StatefulSet
-          name: "mongo*" # Optional, a resource name is optional. Name supports wildcards (* and ?)
-          namespaces: # Optional, list of namespaces. Supports wildcards (* and ?)
-          - "dev*"
-          - test
-          selector: # Optional, a resource selector is optional. Values support wildcards (* and ?)
-              matchLabels:
-                  app: mongodb
-              matchExpressions:
-                  - {key: tier, operator: In, values: [database]}
-        # Optional, subjects to be matched
-        subjects:
-        - kind: User
-          name: mary@somecorp.com
-        # Optional, roles to be matched
-        roles:
-        # Optional, clusterroles to be matched
-        clusterroles: cluster-admin
-
-        ...
-
-````
-
-Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation.
+Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. 

+These actions are applied to the resource in described order: mutation, validation and then generation.

 ---
-<small>*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)*</small>
+<small>*Read Next >> [Selecting Resources](/documentation/writing-policies-match-exclude.md)*</small>
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -233,7 +233,12 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 				errorStr = append(errorStr, err.Error())
 			}
 			resp.Success = false
-			resp.Message = fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr)
+			glog.V(4).Infof("Validation rule '%s' failed. %s", rule.Name, errorStr)
+			if rule.Validation.Message == "" {
+				resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name)
+			} else {
+				resp.Message = rule.Validation.Message
+			}
 			return resp
 		}
 	}
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@ -294,7 +294,7 @@ func TestValidate_Fail_anyPattern(t *testing.T) {
 	resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
 	assert.NilError(t, err)
 	er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured})
-	msgs := []string{"Validation rule 'check-default-namespace' failed. [anyPattern[0] failed; Validation rule failed at '/metadata/namespace/' to validate value '<nil>' with pattern '?*' anyPattern[1] failed; Validation rule failed at '/metadata/namespace/' to validate value '<nil>' with pattern '!default']"}
+	msgs := []string{"A namespace is required"}
 	for index, r := range er.PolicyResponse.Rules {
 		assert.Equal(t, r.Message, msgs[index])
 	}
@ -1582,5 +1582,5 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter

 	// expectedMsg := "Validation error: ; Validation rule test-path-not-exist anyPattern[0] failed at path /spec/template/spec/containers/0/name/. Validation rule test-path-not-exist anyPattern[1] failed at path /spec/template/spec/containers/0/name/."
 	assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
-	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation rule 'test-path-not-exist' failed. [anyPattern[0] failed; Validation rule failed at '/spec/template/spec/containers/0/name/' to validate value 'pod-test-pod' with pattern 'test*' anyPattern[1] failed; Validation rule failed at '/spec/template/spec/containers/0/name/' to validate value 'pod-test-pod' with pattern 'test*']")
+	assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation rule 'test-path-not-exist' has failed")
 }
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@ -5,6 +5,7 @@ import (
 	"strings"

 	"github.com/go-logr/logr"
+	yamlv2 "gopkg.in/yaml.v2"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 	engineutils "github.com/nirmata/kyverno/pkg/engine/utils"
@ -37,22 +38,25 @@ func toBlockResource(engineReponses []response.EngineResponse, log logr.Logger)
 }

 // getEnforceFailureErrorMsg gets the error messages for failed enforce policy
-func getEnforceFailureErrorMsg(engineReponses []response.EngineResponse) string {
-	var str []string
-	var resourceInfo string
-
-	for _, er := range engineReponses {
+func getEnforceFailureErrorMsg(engineResponses []response.EngineResponse) string {
+	policyToRule := make(map[string]interface{})
+	var resourceName string
+	for _, er := range engineResponses {
 		if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce {
-			resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
-			str = append(str, fmt.Sprintf("failed policy %s:", er.PolicyResponse.Policy))
+			ruleToReason := make(map[string]string)
 			for _, rule := range er.PolicyResponse.Rules {
 				if !rule.Success {
-					str = append(str, rule.ToString())
+					ruleToReason[rule.Name] = rule.Message
 				}
 			}
+			resourceName = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
+
+			policyToRule[er.PolicyResponse.Policy] = ruleToReason
 		}
 	}
-	return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";"))
+
+	result, _ := yamlv2.Marshal(policyToRule)
+	return "\n\nresource " + resourceName + " was blocked due to the following policies\n\n" + string(result)
 }

 // getErrorMsg gets all failed engine response message