
removed logic - policy in cluster

This commit is contained in:
NoSkillGirl 2020-11-03 01:25:32 +05:30
parent 94babfe4bd
commit 2b979fec4d
6 changed files with 55 additions and 174 deletions


@ -3,17 +3,17 @@ package apply
import ( import (
"bufio" "bufio"
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"github.com/kyverno/kyverno/pkg/engine/response"
"io/ioutil" "io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"reflect" "reflect"
yaml1 "sigs.k8s.io/yaml"
"strings" "strings"
"time" "time"
"github.com/kyverno/kyverno/pkg/engine/response"
yaml1 "sigs.k8s.io/yaml"
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1" v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
client "github.com/kyverno/kyverno/pkg/dclient" client "github.com/kyverno/kyverno/pkg/dclient"
"github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine"
@ -75,12 +75,10 @@ func Command() *cobra.Command {
} }
}() }()
// base validations
if valuesFile != "" && variablesString != "" { if valuesFile != "" && variablesString != "" {
return sanitizedError.NewWithError("pass the values either using set flag or values_file flag", err) return sanitizedError.NewWithError("pass the values either using set flag or values_file flag", err)
} }
// get the variable values from from (-s) param / valuesFile (-f)
variables, valuesMap, err := getVariable(variablesString, valuesFile) variables, valuesMap, err := getVariable(variablesString, valuesFile)
if err != nil { if err != nil {
if !sanitizedError.IsErrorSanitized(err) { if !sanitizedError.IsErrorSanitized(err) {
@ -110,7 +108,7 @@ func Command() *cobra.Command {
return sanitizedError.NewWithError(fmt.Sprintf("policy file(s) or cluster required"), err) return sanitizedError.NewWithError(fmt.Sprintf("policy file(s) or cluster required"), err)
} }
policies, policiesFromCluster, err := common.ValidateAndGetPolicies(policyPaths, cluster, dClient, namespace) policies, err := common.ValidateAndGetPolicies(policyPaths)
if err != nil { if err != nil {
if !sanitizedError.IsErrorSanitized(err) { if !sanitizedError.IsErrorSanitized(err) {
return sanitizedError.NewWithError("failed to mutate policies.", err) return sanitizedError.NewWithError("failed to mutate policies.", err)
@ -130,7 +128,7 @@ func Command() *cobra.Command {
return err return err
} }
resources, resourceFromCluster, err := getResourceAccordingToResourcePath(resourcePaths, cluster, policies, dClient, namespace) resources, err := getResourceAccordingToResourcePath(resourcePaths, cluster, policies, dClient, namespace)
if err != nil { if err != nil {
if !sanitizedError.IsErrorSanitized(err) { if !sanitizedError.IsErrorSanitized(err) {
return sanitizedError.NewWithError("failed to load resources", err) return sanitizedError.NewWithError("failed to load resources", err)
@ -138,10 +136,6 @@ func Command() *cobra.Command {
return err return err
} }
if policiesFromCluster == true && resourceFromCluster == false {
return sanitizedError.NewWithError("resource should be inside cluster", errors.New("policy is inside cluster and resource is outside cluster"))
}
mutatedPolicies, err := mutatePolices(policies) mutatedPolicies, err := mutatePolices(policies)
msgPolicies := "1 policy" msgPolicies := "1 policy"
@ -201,7 +195,7 @@ func Command() *cobra.Command {
} }
} }
printReportOrViolation(policyReport , engineResponses , rc , resourcePaths) printReportOrViolation(policyReport, engineResponses, rc, resourcePaths)
return nil return nil
}, },
@ -256,7 +250,7 @@ func getVariable(variablesString, valuesFile string) (variables map[string]strin
} }
// checkMutateLogPath - checking path for printing mutated resource (-o flag) // checkMutateLogPath - checking path for printing mutated resource (-o flag)
func checkMutateLogPath(mutateLogPath string) (mutateLogPathIsDir bool, err error){ func checkMutateLogPath(mutateLogPath string) (mutateLogPathIsDir bool, err error) {
if mutateLogPath != "" { if mutateLogPath != "" {
spath := strings.Split(mutateLogPath, "/") spath := strings.Split(mutateLogPath, "/")
sfileName := strings.Split(spath[len(spath)-1], ".") sfileName := strings.Split(spath[len(spath)-1], ".")
@ -278,7 +272,7 @@ func checkMutateLogPath(mutateLogPath string) (mutateLogPathIsDir bool, err erro
} }
// getResourceAccordingToResourcePath - get resources according to the resource path // getResourceAccordingToResourcePath - get resources according to the resource path
func getResourceAccordingToResourcePath(resourcePaths []string, cluster bool, policies []*v1.ClusterPolicy, dClient *client.Client, namespace string)(resources []*unstructured.Unstructured, resourceFromCluster bool, err error){ func getResourceAccordingToResourcePath(resourcePaths []string, cluster bool, policies []*v1.ClusterPolicy, dClient *client.Client, namespace string) (resources []*unstructured.Unstructured, err error) {
if len(resourcePaths) > 0 && resourcePaths[0] == "-" { if len(resourcePaths) > 0 && resourcePaths[0] == "-" {
if common.IsInputFromPipe() { if common.IsInputFromPipe() {
resourceStr := "" resourceStr := ""
@ -290,30 +284,24 @@ func getResourceAccordingToResourcePath(resourcePaths []string, cluster bool, po
yamlBytes := []byte(resourceStr) yamlBytes := []byte(resourceStr)
resources, err = common.GetResource(yamlBytes) resources, err = common.GetResource(yamlBytes)
if err != nil { if err != nil {
return resources, resourceFromCluster, sanitizedError.NewWithError("failed to extract the resources", err) return resources, sanitizedError.NewWithError("failed to extract the resources", err)
} }
} }
} else if (len(resourcePaths) > 0 && resourcePaths[0] != "-") || len(resourcePaths) < 0 || cluster { } else if (len(resourcePaths) > 0 && resourcePaths[0] != "-") || len(resourcePaths) < 0 || cluster {
resources, resourceFromCluster, err = common.GetResources(policies, resourcePaths, dClient, cluster, namespace) resources, err = common.GetResources(policies, resourcePaths, dClient, cluster, namespace)
if err != nil { if err != nil {
return resources, resourceFromCluster, sanitizedError.NewWithError("failed to load resources", err) return resources, sanitizedError.NewWithError("failed to load resources", err)
} }
} }
return resources, resourceFromCluster, err return resources, err
} }
// printReportOrViolation - printing policy report/violations // printReportOrViolation - printing policy report/violations
func printReportOrViolation(policyReport bool, engineResponses []response.EngineResponse , rc *resultCounts, resourcePaths []string){ func printReportOrViolation(policyReport bool, engineResponses []response.EngineResponse, rc *resultCounts, resourcePaths []string) {
if policyReport { if policyReport {
resps := buildPolicyReports(engineResponses) resps := buildPolicyReports(engineResponses)
if len(resps) > 0 { if len(resps) > 0 {
fmt.Println("----------------------------------------------------------------------\nPOLICY REPORT:") fmt.Println("----------------------------------------------------------------------\nPOLICY REPORT:")
//for _, u := range resps {
// fmt.Println("----------------------------------------------------------------------")
// yamlResp, _ := yaml1.Marshal(u)
// fmt.Println(string(yamlResp))
//}
//fmt.Println("%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%")
report, _ := generateCLIraw(resps) report, _ := generateCLIraw(resps)
yamlReport, _ := yaml1.Marshal(report) yamlReport, _ := yaml1.Marshal(report)
fmt.Println(string(yamlReport)) fmt.Println(string(yamlReport))
@ -337,14 +325,13 @@ func printReportOrViolation(policyReport bool, engineResponses []response.Engine
} }
// applyPolicyOnResource - function to apply policy on resource // applyPolicyOnResource - function to apply policy on resource
func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured, mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, rc *resultCounts, policyReport bool) ([]response.EngineResponse , error) { func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured, mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, rc *resultCounts, policyReport bool) ([]response.EngineResponse, error) {
responseError := false responseError := false
engineResponses := make([]response.EngineResponse, 0) engineResponses := make([]response.EngineResponse, 0)
resPath := fmt.Sprintf("%s/%s/%s", resource.GetNamespace(), resource.GetKind(), resource.GetName()) resPath := fmt.Sprintf("%s/%s/%s", resource.GetNamespace(), resource.GetKind(), resource.GetName())
log.Log.V(3).Info("applying policy on resource", "policy", policy.Name, "resource", resPath) log.Log.V(3).Info("applying policy on resource", "policy", policy.Name, "resource", resPath)
// build context
ctx := context.NewContext() ctx := context.NewContext()
for key, value := range variables { for key, value := range variables {
startString := "" startString := ""
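Review bot: The guard whose message is on the `policy file(s) or cluster required` line still presents the cluster flag as an alternative to policy files, but the new call right below it, `common.ValidateAndGetPolicies(policyPaths)`, no longer consults the cluster at all; if that guard (its condition is outside the hunk) only rejects the case where both are absent, `--cluster` with no policy paths now loads zero policies and continues silently instead of failing. The condition should require at least one policy path and the message should say so, e.g. `return sanitizedError.NewWithError("policy file(s) required", err)` — the `fmt.Sprintf` around a constant string there is redundant anyway. Separately, in getResourceAccordingToResourcePath the `else if` condition contains `len(resourcePaths) < 0`, which can never be true, so the branch is effectively `(len(resourcePaths) > 0 && resourcePaths[0] != "-") || cluster` and should be written that way. Command's body starts and ends outside these hunks.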


@ -129,11 +129,6 @@ func updateSummary(results []interface{}) map[string]interface{} {
switch typedResult["status"].(string) { switch typedResult["status"].(string) {
case report.StatusPass: case report.StatusPass:
//resources, ok := typedResult["resources"].([]interface{})
//if !ok {
// continue
//}
pass, _ := summary["Pass"].(int64) pass, _ := summary["Pass"].(int64)
pass++ pass++
summary["Pass"] = pass summary["Pass"] = pass


@ -107,7 +107,6 @@ func buildPolicyResults(resps []response.EngineResponse) map[string][]*report.Po
} }
} }
//return mergeSucceededResults(results)
return results return results
} }


@ -17,61 +17,38 @@ import (
jsonpatch "github.com/evanphx/json-patch" jsonpatch "github.com/evanphx/json-patch"
"github.com/go-logr/logr" "github.com/go-logr/logr"
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1" v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
client "github.com/kyverno/kyverno/pkg/dclient"
"github.com/kyverno/kyverno/pkg/kyverno/sanitizedError" "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/policymutation" "github.com/kyverno/kyverno/pkg/policymutation"
"github.com/kyverno/kyverno/pkg/utils" "github.com/kyverno/kyverno/pkg/utils"
) )
// GetPolicies - Extracting the policies from multiple YAML // GetPolicies - Extracting the policies from multiple YAML
func GetPolicies(paths []string, cluster bool, dClient *client.Client, namespace string) (policies []*v1.ClusterPolicy, policiesFromCluster bool, error error) { func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, error error) {
if len(paths) == 0 {
// get the policies from the cluster based on the scope
ps, err := getPoliciesFromCluster(cluster, dClient, namespace)
if err != nil {
return policies, policiesFromCluster, sanitizedError.NewWithError(fmt.Sprintf("error occurred while fetching policy from cluster. Path: %v", paths), err)
}
policiesFromCluster = true
return ps, policiesFromCluster, nil
} else {
for _, path := range paths { for _, path := range paths {
path = filepath.Clean(path) path = filepath.Clean(path)
fileDesc, err := os.Stat(path) fileDesc, err := os.Stat(path)
if err != nil { if err != nil {
p, err := getPolicyFromCluster(path, cluster, dClient, namespace) return nil, err
if err != nil {
return nil, policiesFromCluster, sanitizedError.NewWithError(fmt.Sprintf("error occurred while fetching policy from cluster. Path: %v", path), err)
}
policies = append(policies, p)
policiesFromCluster = true
continue
} }
if fileDesc.IsDir() { if fileDesc.IsDir() {
files, err := ioutil.ReadDir(path) files, err := ioutil.ReadDir(path)
if err != nil { if err != nil {
return nil, policiesFromCluster, sanitizedError.NewWithError(fmt.Sprintf("failed to parse %v", path), err) return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to parse %v", path), err)
} }
listOfFiles := make([]string, 0) listOfFiles := make([]string, 0)
for _, file := range files { for _, file := range files {
listOfFiles = append(listOfFiles, filepath.Join(path, file.Name())) listOfFiles = append(listOfFiles, filepath.Join(path, file.Name()))
} }
policiesFromDir, policiesFromCluster, err := GetPolicies(listOfFiles, cluster, dClient, namespace) policiesFromDir, err := GetPolicies(listOfFiles)
if err != nil { if err != nil {
return nil, policiesFromCluster, sanitizedError.NewWithError(fmt.Sprintf("failed to extract policies from %v", listOfFiles), err) return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to extract policies from %v", listOfFiles), err)
} }
policies = append(policies, policiesFromDir...) policies = append(policies, policiesFromDir...)
} else { } else {
file, err := ioutil.ReadFile(path) file, err := ioutil.ReadFile(path)
if err != nil { if err != nil {
// check if cluster flag is passed and get the policy from cluster return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to load file %v", path), err)
p, err := getPolicyFromCluster(path, cluster, dClient, namespace)
if err != nil {
return nil, policiesFromCluster, sanitizedError.NewWithError(fmt.Sprintf("error occurred while fetching policy from cluster. Path: %v", path), err)
}
policies = append(policies, p)
policiesFromCluster = true
continue
} }
getPolicies, getErrors := utils.GetPolicy(file) getPolicies, getErrors := utils.GetPolicy(file)
var errString string var errString string
@ -88,89 +65,20 @@ func GetPolicies(paths []string, cluster bool, dClient *client.Client, namespace
policies = append(policies, getPolicies...) policies = append(policies, getPolicies...)
} }
} }
}
return policies, policiesFromCluster, nil return policies, nil
}
func getPolicyFromCluster(policyName string, cluster bool, dClient *client.Client, namespace string) (*v1.ClusterPolicy, error) {
if !cluster {
return &v1.ClusterPolicy{}, nil
}
//check here----------------------------------
kind := "ClusterPolicy"
policy, err := dClient.GetResource("", kind, namespace, policyName, "")
fmt.Println("------------policy : ", policy)
if err != nil {
fmt.Println("could not find clusterpolicy ... checking policy")
// try getting policy
kind := "Policy"
policy, err = dClient.GetResource("", kind, namespace, policyName, "")
if err != nil {
fmt.Println("error occurred while fetching policy", err)
return &v1.ClusterPolicy{}, err
}
}
policyBytes, err := json.Marshal(policy.Object)
if err != nil {
return &v1.ClusterPolicy{}, sanitizedError.NewWithError(fmt.Sprintf("failed to marshal"), err)
}
var p v1.ClusterPolicy
err = json.Unmarshal(policyBytes, &p)
if err != nil {
return &v1.ClusterPolicy{}, sanitizedError.NewWithError(fmt.Sprintf("failed to unmarshal"), err)
}
return &p, nil
}
func getPoliciesFromCluster(cluster bool, dClient *client.Client, namespace string) ([]*v1.ClusterPolicy, error) {
res := make([]*v1.ClusterPolicy, 0)
if !cluster {
return res, nil
}
policyTypes := []string{"ClusterPolicy", "Policy"}
for _, policy := range policyTypes {
policyList, err := dClient.ListResource("", policy, namespace, nil)
if err != nil {
return res, err
}
for _, policy := range policyList.Items {
policyBytes, err := json.Marshal(policy.Object)
if err != nil {
return res, err
}
var p v1.ClusterPolicy
err = json.Unmarshal(policyBytes, &p)
if err != nil {
return res, err
}
res = append(res, &p)
}
}
return res, nil
} }
//ValidateAndGetPolicies - validating policies //ValidateAndGetPolicies - validating policies
func ValidateAndGetPolicies(policyPaths []string, cluster bool, dClient *client.Client, namespace string) ([]*v1.ClusterPolicy, bool, error) { func ValidateAndGetPolicies(policyPaths []string) ([]*v1.ClusterPolicy, error) {
policies, policiesFromCluster, err := GetPolicies(policyPaths, cluster, dClient, namespace) policies, err := GetPolicies(policyPaths)
if err != nil { if err != nil {
if !sanitizedError.IsErrorSanitized(err) { if !sanitizedError.IsErrorSanitized(err) {
return nil, policiesFromCluster, sanitizedError.NewWithError((fmt.Sprintf("failed to parse %v path/s.", policyPaths)), err) return nil, sanitizedError.NewWithError((fmt.Sprintf("failed to parse %v path/s.", policyPaths)), err)
} }
return nil, policiesFromCluster, err return nil, err
} }
return policies, policiesFromCluster, nil return policies, nil
} }
// PolicyHasVariables - check for variables in the policy // PolicyHasVariables - check for variables in the policy
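Review bot: The new `return nil, err` on the os.Stat failure in GetPolicies hands back the raw error, while the neighbouring ReadDir and ReadFile failures wrap theirs with sanitizedError.NewWithError and the offending path; ValidateAndGetPolicies then wraps it with the whole path list under "failed to parse", which hides which entry was bad. Wrapping it the same way, `return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to stat %v", path), err)`, keeps error reporting uniform across the three branches. On the changed signature line the named result `error error` shadows the predeclared identifier inside the function body; `(policies []*v1.ClusterPolicy, err error)` is the conventional spelling, and the body already relies on the named `policies`. With the `len(paths) == 0` branch removed, `GetPolicies(nil)` now returns an empty slice and a nil error, so a caller that previously got the cluster fallback gets no policies and no error; a doc comment on GetPolicies saying that paths must be non-empty, or an explicit error for that case, would make the new contract visible. GetPolicies's body continues between the two hunks.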


@ -19,10 +19,9 @@ import (
// the resources are fetched from // the resources are fetched from
// - local paths to resources, if given // - local paths to resources, if given
// - the k8s cluster, if given // - the k8s cluster, if given
func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient *client.Client, cluster bool, namespace string) ([]*unstructured.Unstructured, bool, error) { func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient *client.Client, cluster bool, namespace string) ([]*unstructured.Unstructured, error) {
resources := make([]*unstructured.Unstructured, 0) resources := make([]*unstructured.Unstructured, 0)
var err error var err error
var resourceFromCluster bool
var resourceTypesMap = make(map[string]bool) var resourceTypesMap = make(map[string]bool)
var resourceTypes []string var resourceTypes []string
@ -42,7 +41,7 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
if cluster && dClient != nil { if cluster && dClient != nil {
resourceMap, err = getResourcesOfTypeFromCluster(resourceTypes, dClient, namespace) resourceMap, err = getResourcesOfTypeFromCluster(resourceTypes, dClient, namespace)
if err != nil { if err != nil {
return nil, resourceFromCluster, err return nil, err
} }
if len(resourcePaths) == 0 { if len(resourcePaths) == 0 {
for _, rm := range resourceMap { for _, rm := range resourceMap {
@ -50,9 +49,6 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
resources = append(resources, rr) resources = append(resources, rr)
} }
} }
if resources != nil{
resourceFromCluster = true
}
} }
} }
@ -68,7 +64,6 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
if cluster { if cluster {
for _, rm := range resourceMap { for _, rm := range resourceMap {
for rn, rr := range rm { for rn, rr := range rm {
resourceFromCluster = true
if rn == resourcePath { if rn == resourcePath {
resources = append(resources, rr) resources = append(resources, rr)
continue continue
@ -76,19 +71,19 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
} }
} }
} else { } else {
return nil, resourceFromCluster, err return nil, err
} }
} }
getResources, err := GetResource(resourceBytes) getResources, err := GetResource(resourceBytes)
if err != nil { if err != nil {
return nil, resourceFromCluster, err return nil, err
} }
for _, resource := range getResources { for _, resource := range getResources {
resources = append(resources, resource) resources = append(resources, resource)
} }
} }
return resources, resourceFromCluster, nil return resources, nil
} }
func getResourceFromCluster(resourceTypes []string, resourceName string, dClient *client.Client) (*unstructured.Unstructured, error) { func getResourceFromCluster(resourceTypes []string, resourceName string, dClient *client.Client) (*unstructured.Unstructured, error) {
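Review bot: In GetResources, the `if cluster {` branch that searches resourceMap by name is gated only on the flag, while resourceMap is populated further up only under `cluster && dClient != nil`; with cluster set and a nil client, a path that could not be read falls through to an empty map, nothing is appended, and as far as the hunks show no error is raised, so what the caller sees then depends on what GetResource does with the unread resourceBytes, which I cannot see here. With resourceFromCluster gone there is also no longer any signal that a name was resolved against the cluster, so a miss is indistinguishable from a hit. I would gate the lookup on `if cluster && dClient != nil {` and, when the name loop finishes without a match, return an error naming resourcePath instead of continuing. The start of that branch and the read that sets resourceBytes sit outside the hunks, so the exact flow is inferred.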


@ -21,7 +21,6 @@ import (
log "sigs.k8s.io/controller-runtime/pkg/log" log "sigs.k8s.io/controller-runtime/pkg/log"
yaml "sigs.k8s.io/yaml" yaml "sigs.k8s.io/yaml"
client "github.com/kyverno/kyverno/pkg/dclient"
) )
func Command() *cobra.Command { func Command() *cobra.Command {
@ -77,9 +76,7 @@ func Command() *cobra.Command {
} }
} }
} else { } else {
cluster := false policies, err = common.ValidateAndGetPolicies(policyPaths)
var dClient *client.Client
policies, _, err = common.ValidateAndGetPolicies(policyPaths, cluster, dClient, "")
if err != nil { if err != nil {
if !sanitizedError.IsErrorSanitized(err) { if !sanitizedError.IsErrorSanitized(err) {
return sanitizedError.NewWithError("failed to mutate policies.", err) return sanitizedError.NewWithError("failed to mutate policies.", err)
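Review bot: The wrapping message on the last line, `"failed to mutate policies."`, now sits directly under the new `common.ValidateAndGetPolicies(policyPaths)` call, which loads and validates policy files and mutates nothing, so a user seeing it would look in the wrong place; the same pairing appears in the apply command's section of this commit. `return sanitizedError.NewWithError("failed to load policies", err)` states what this layer was doing and drops the trailing period that Go error strings conventionally omit. Command's body starts and ends outside the hunk.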