mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Merge commit '5672c4d67c479aecadffd9d367661493b42d5015' into 285_allow_OR_across_overlay_patterns

Browse source 
# Conflicts:
#	pkg/webhooks/policyvalidation.go
This commit is contained in:
Shuting Zhao 2019-08-21 17:25:01 -07:00
commit 31566844bb
10 changed files with 143 additions and 105 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
documentation/writing-policies-generate.md
View file

@ -14,12 +14,13 @@ metadata:
spec:
rules:
- name: "Basic config generator for all namespaces"
resource:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: ConfigMap
name: default-config
@ -27,12 +28,13 @@ spec:
namespace: default
name: config-template
- name: "Basic config generator for all namespaces"
resource:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
match:
resources:
kinds:
- Namespace
selector:
matchLabels:
LabelForSelector : "namespace2"
generate:
kind: Secret
name: mongo-creds
@ -59,10 +61,11 @@ metadata:
spec:
rules:
- name: "deny-all-traffic"
resource:
kinds:
- Namespace
name: "*"
match:
resources:
kinds:
- Namespace
name: "*"
generate:
kind: NetworkPolicy
name: deny-all-traffic

48
documentation/writing-policies-mutate.md
View file

@ -18,9 +18,10 @@ metadata :
spec :
rules:
- name: "add-init-secrets"
resource:
kinds:
- Deployment
match:
resources:
kinds:
- Deployment
mutate:
patches:
- path: "/spec/template/spec/initContainers/0/"
@ -46,9 +47,10 @@ metadata :
spec :
rules:
- name: "Remove unwanted label"
resource:
kinds:
- Secret
match:
resources:
kinds:
- Secret
mutate:
patches:
- path: "/metadata/labels/purpose"
@ -71,12 +73,13 @@ metadata :
spec :
rules:
- name: "Set hard memory limit to 2Gi"
resource:
kinds:
- Pod
selector:
matchLabels:
memory: high
match:
resources:
kinds:
- Pod
selector:
matchLabels:
memory: high
mutate:
overlay:
spec:
@ -103,9 +106,10 @@ metadata:
spec:
rules:
- name: "Add IP to subsets"
resource:
kinds :
- Endpoints
match:
resources:
kinds :
- Endpoints
mutate:
overlay:
subsets:
@ -128,9 +132,10 @@ metadata :
spec :
rules:
- name: "Set port"
resource:
kinds :
- Endpoints
match:
resources:
kinds :
- Endpoints
mutate:
overlay:
subsets:
@ -158,9 +163,10 @@ metadata :
spec :
rules:
- name: "Set port"
resource:
kinds :
- Endpoints
match:
resources:
kinds :
- Endpoints
mutate:
overlay:
subsets:

38
documentation/writing-policies-validate.md
View file

@ -44,16 +44,17 @@ metadata :
spec :
rules:
- name: check-label
resource:
# Kind specifies one or more resource types to match
kinds:
- Deployment
- StatefuleSet
- DaemonSet
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
match:
resources:
# Kind specifies one or more resource types to match
kinds:
- Deployment
- StatefuleSet
- DaemonSet
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
# Message is optional
message: "The label app is required"
@ -79,14 +80,15 @@ metadata :
spec :
rules:
- name: check-memory_requests_link_in_yaml_relative
resource:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
match:
resources:
# Kind specifies one or more resource types to match
kinds:
- Deployment
# Name is optional and can use wildcards
name: "*"
# Selector is optional
selector:
validate:
pattern:
spec:

49
documentation/writing-policies.md
View file

@ -14,26 +14,45 @@ spec :
rules:
# Rules must have a unique name
- name: "check-pod-controller-labels"
# Each rule matches specific resource described by "resource" field.
resource:
kinds:
- Deployment
- StatefulSet
- DaemonSet
# A resource name is optional. Name supports wildcards * and ?
name: "*"
# A resoucre selector is optional. Selector values support wildcards * and ?
selector:
matchLabels:
app: mongodb
matchExpressions:
- {key: tier, operator: In, values: [database]}
# Each rule matches specific resource described by "match" field.
match:
resources:
kinds: # Required, list of kinds
- Deployment
- StatefulSet
name: "mongo*" # Optional, a resource name is optional. Name supports wildcards * and ?
namespaces: # Optional, list of namespaces
- devtest2
- devtest1
selector: # Optional, a resource selector is optional. Selector values support wildcards * and ?
matchLabels:
app: mongodb
matchExpressions:
- {key: tier, operator: In, values: [database]}
# Resources that need to be excluded
exclude: # Optional, resources to be excluded from evaulation
resources:
kinds:
- Daemonsets
name: "*"
namespaces:
- devtest2
selector:
matchLabels:
app: mongodb
matchExpressions:
- {key: tier, operator: In, values: [database]}
# Each rule can contain a single validate, mutate, or generate directive
...
````
Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation.
**Resource description:**
* ```match``` is a required key that defines the parameters which identify the resources that need to matched
* ```exclude``` is an option key to exclude resources from the application of the rule
---
<small>*Read Next >> [Validate](/documentation/writing-policies-validate.md)*</small>

4
examples/policy_mutate_imagePullPolicy.yaml
View file

@ -12,6 +12,10 @@ spec:
selector:
matchLabels:
app : nginxlatest
exclude:
resources:
kinds:
- DaemonSet
mutate:
overlay:
spec:

43
pkg/kyverno/apply/apply.go
View file

@ -8,7 +8,7 @@ import (
"os"
"github.com/golang/glog"
kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
"github.com/nirmata/kyverno/pkg/engine"
"github.com/nirmata/kyverno/pkg/info"
"github.com/spf13/cobra"
@ -51,7 +51,7 @@ func NewCmdApply(in io.Reader, out, errout io.Writer) *cobra.Command {
return cmd
}
func complete(kubeconfig string, args []string) (*kubepolicy.Policy, []*resourceInfo) {
func complete(kubeconfig string, args []string) (*kyverno.Policy, []*resourceInfo) {
policyDir, resourceDir, err := validateDir(args)
if err != nil {
glog.Errorf("Failed to parse file path, err: %v\n", err)
@ -75,7 +75,7 @@ func complete(kubeconfig string, args []string) (*kubepolicy.Policy, []*resource
return policy, resources
}
func applyPolicy(policy *kubepolicy.Policy, resources []*resourceInfo) (output string) {
func applyPolicy(policy *kyverno.Policy, resources []*resourceInfo) (output string) {
for _, resource := range resources {
patchedDocument, err := applyPolicyOnRaw(policy, resource.rawResource, resource.gvk)
if err != nil {
@ -94,7 +94,7 @@ func applyPolicy(policy *kubepolicy.Policy, resources []*resourceInfo) (output s
return
}
func applyPolicyOnRaw(policy *kubepolicy.Policy, rawResource []byte, gvk *metav1.GroupVersionKind) ([]byte, error) {
func applyPolicyOnRaw(policy *kyverno.Policy, rawResource []byte, gvk *metav1.GroupVersionKind) ([]byte, error) {
patchedResource := rawResource
var err error
@ -106,45 +106,44 @@ func applyPolicyOnRaw(policy *kubepolicy.Policy, rawResource []byte, gvk *metav1
rns,
policy.Spec.ValidationFailureAction)
resource, err := ConvertToUnstructured(rawResource)
if err != nil {
return nil, err
}
//TODO check if the kind information is present resource
// Process Mutation
patches, ruleInfos := engine.Mutate(*policy, rawResource, *gvk)
policyInfo.AddRuleInfos(ruleInfos)
engineResponse := engine.Mutate(*policy, *resource)
policyInfo.AddRuleInfos(engineResponse.RuleInfos)
if !policyInfo.IsSuccessful() {
glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
for _, r := range ruleInfos {
for _, r := range engineResponse.RuleInfos {
glog.Warning(r.Msgs)
}
} else if len(patches) > 0 {
} else if len(engineResponse.Patches) > 0 {
glog.Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, gvk.Kind, rname, rns)
patchedResource, err = engine.ApplyPatches(rawResource, patches)
patchedResource, err = engine.ApplyPatches(rawResource, engineResponse.Patches)
if err != nil {
return nil, fmt.Errorf("Unable to apply mutation patches:\n%v", err)
}
// Process Validation
ruleInfos, err := engine.Validate(*policy, patchedResource, *gvk)
if err != nil {
// This is not policy error
// but if unable to parse request raw resource
// TODO : create event ? dont think so
glog.Error(err)
return patchedResource, err
}
policyInfo.AddRuleInfos(ruleInfos)
engineResponse := engine.Validate(*policy, *resource)
policyInfo.AddRuleInfos(engineResponse.RuleInfos)
if !policyInfo.IsSuccessful() {
glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
for _, r := range ruleInfos {
for _, r := range engineResponse.RuleInfos {
glog.Warning(r.Msgs)
}
return patchedResource, fmt.Errorf("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
} else if len(ruleInfos) > 0 {
} else if len(engineResponse.RuleInfos) > 0 {
glog.Infof("Validation from policy %s has applied succesfully to %s %s/%s", policy.Name, gvk.Kind, rname, rns)
}
}
return patchedResource, nil
}
func extractPolicy(fileDir string) (*kubepolicy.Policy, error) {
policy := &kubepolicy.Policy{}
func extractPolicy(fileDir string) (*kyverno.Policy, error) {
policy := &kyverno.Policy{}
file, err := loadFile(fileDir)
if err != nil {

10
pkg/kyverno/apply/util.go
View file

@ -9,6 +9,7 @@ import (
"github.com/golang/glog"
yamlv2 "gopkg.in/yaml.v2"
unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
rest "k8s.io/client-go/rest"
clientcmd "k8s.io/client-go/tools/clientcmd"
)
@ -93,3 +94,12 @@ func scanDir(dir string) ([]string, error) {
return res[1:], nil
}
func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error) {
resource := &unstructured.Unstructured{}
err := resource.UnmarshalJSON(data)
if err != nil {
glog.V(4).Infof("failed to unmarshall resource: %v", err)
return nil, err
}
return resource, nil
}

4
pkg/policy/controller.go
View file

@ -601,10 +601,6 @@ func (m *PolicyViolationControllerRefManager) adoptPolicyViolation(pv *kyverno.P
glog.Errorf("failed to add owner reference %v for PolicyViolation %s: %v", pOwnerRef, pv.Name, err)
return err
}
// addControllerPatch := fmt.Sprintf(
// `{"metadata":{"ownerReferences":[{"apiVersion":"%s","kind":"%s","name":"%s","uid":"%s","controller":true,"blockOwnerDeletion":true}],"uid":"%s"}}`,
// m.controllerKind.GroupVersion(), m.controllerKind.Kind,
// m.Controller.GetName(), m.Controller.GetUID(), pv.UID)
return m.pvControl.PatchPolicyViolation(pv.Name, addControllerPatch)
}

13
pkg/webhooks/policyvalidation.go
View file

@ -18,11 +18,12 @@ func (ws *WebhookServer) HandlePolicyValidation(request *v1beta1.AdmissionReques
admissionResp := &v1beta1.AdmissionResponse{
Allowed: true,
}
// nothing to do on DELETE
if request.Operation == v1beta1.Delete {
return admissionResp
}
raw := request.Object.Raw
if request.Operation == v1beta1.Delete {
raw = request.OldObject.Raw
}
if err := json.Unmarshal(raw, &policy); err != nil {
glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err)
return &v1beta1.AdmissionResponse{Allowed: false,
@ -30,10 +31,8 @@ func (ws *WebhookServer) HandlePolicyValidation(request *v1beta1.AdmissionReques
Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err),
}}
}
if request.Operation != v1beta1.Delete {
admissionResp = ws.validatePolicy(policy)
}
// check for uniqueness of rule names while CREATE/DELET
admissionResp = ws.validateUniqueRuleName(policy)
if admissionResp.Allowed {
ws.manageWebhookConfigurations(*policy, request.Operation)

4
test/generate-resource/main.go
View file

@ -10,7 +10,7 @@ import (
"path/filepath"
"strconv"
kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
yaml "k8s.io/apimachinery/pkg/util/yaml"
)
@ -21,7 +21,7 @@ func main() {
}
func generatePolicies() error {
var policy *kubepolicy.Policy
var policy *kyverno.Policy
file, err := ioutil.ReadFile(policyPath)
if err != nil {