diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 4b8a39d941..181ca9d3cb 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -87,6 +87,9 @@ func main() { kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions( kubeClient, 10*time.Second) + // KUBERNETES Dynamic informer + // - cahce resync time: 10 seconds + kubedynamicInformer := client.NewDynamicSharedInformerFactory(10 * time.Second) // WERBHOOK REGISTRATION CLIENT webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient( @@ -168,6 +171,7 @@ func main() { pInformer.Kyverno().V1().GenerateRequests(), egen, pvgen, + kubedynamicInformer, ) // GENERATE REQUEST CLEANUP // -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout @@ -176,6 +180,7 @@ func main() { client, pInformer.Kyverno().V1().ClusterPolicies(), pInformer.Kyverno().V1().GenerateRequests(), + kubedynamicInformer, ) // CONFIGURE CERTIFICATES @@ -221,6 +226,7 @@ func main() { // Start the components pInformer.Start(stopCh) kubeInformer.Start(stopCh) + kubedynamicInformer.Start(stopCh) go grgen.Run(1) go rWebhookWatcher.Run(stopCh) go configData.Run(stopCh) diff --git a/definitions/install.yaml b/definitions/install.yaml index ae587dfcdc..af8e54a51f 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -170,6 +170,14 @@ spec: type: array items: type: string + preconditions: + type: array + items: + type: object + required: + - key # can be of any type + - operator # typed + - value # can be of any type mutate: type: object properties: diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 084a584a95..13b66e7ae8 100644 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -170,6 +170,14 @@ spec: type: array items: type: string + preconditions: + type: array + items: + type: object + required: + - key # can be of any type + - operator # typed + - value # can be of any type mutate: type: object properties: diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md index 4d8de833dd..634d69bd6c 100644 --- a/documentation/writing-policies-generate.md +++ b/documentation/writing-policies-generate.md @@ -2,10 +2,11 @@ # Generate Configurations -```generate``` is used to create default resources for a namespace. This feature is useful for managing resources that are required in each namespace. +```generate``` is used to create additional resources when a resource is created. This is useful to create supporting resources, such as role bindings for a new namespace. ## Example 1 - +- rule +Creates a ConfigMap with name `default-config` for all ````yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy @@ -13,7 +14,7 @@ metadata: name: basic-policy spec: rules: - - name: "Basic config generator for all namespaces" + - name: "Generate ConfigMap" match: resources: kinds: @@ -22,12 +23,13 @@ spec: matchLabels: LabelForSelector : "namespace2" generate: - kind: ConfigMap - name: default-config + kind: ConfigMap # Kind of resource + name: default-config # Name of the new Resource + namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule clone: namespace: default name: config-template - - name: "Basic config generator for all namespaces" + - name: "Generate Secret" match: resources: kinds: @@ -38,6 +40,7 @@ spec: generate: kind: Secret name: mongo-creds + namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule data: data: DB_USER: YWJyYWthZGFicmE= @@ -69,6 +72,7 @@ spec: generate: kind: NetworkPolicy name: deny-all-traffic + namespace: "{{request.object.metadata.name}}" # Create in the namespace that triggers this rule data: spec: podSelector: diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md index 6b0dc46719..17d6932599 100644 --- a/documentation/writing-policies.md +++ b/documentation/writing-policies.md @@ -70,14 +70,48 @@ spec : clusterroles: - cluster-admin - admin - + # rule is evaluated if the preconditions are satisfied + # all preconditions are AND/&& operation + preconditions: + - key: name # compares (key operator value) + operator: Equal + value: name # constant "name" == "name" + - key: "{{serviceAccount}}" # refer to a pre-defined variable serviceAccount + operator: NotEqual + value: "user1" # if service # Each rule can contain a single validate, mutate, or generate directive ... ```` Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation. +# Variables: +Variables can be used to reference attributes that are loaded in the context using a [JMESPATH](http://jmespath.org/) search path. +Format: `{{}}` +Resources available in context: +- Resource: `{{request.object}}` +- UserInfo: `{{request.userInfo}}` +## Pre-defined Variables +- `serviceAccountName` : the variable removes the suffix system:serviceaccount:: and stores the userName. +Example userName=`system:serviceaccount:nirmata:user1` will store variable value as `user1`. +- `serviceAccountNamespace` : extracts the `namespace` of the serviceAccount. +Example userName=`system:serviceaccount:nirmata:user1` will store variable value as `nirmata`. + + +Examples: + +1. Refer to resource name(type string) + +`{{request.object.metadata.name}}` + +2. Build name from multiple variables(type string) + +`"ns-owner-{{request.object.metadata.namespace}}-{{request.userInfo.username}}-binding"` + +3. Refer to metadata struct/object(type object) + +`{{request.object.metadata}}` --- *Read Next >> [Validate](/documentation/writing-policies-validate.md)* \ No newline at end of file diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go index 45504436f7..1de06e9d7b 100644 --- a/pkg/api/kyverno/v1/types.go +++ b/pkg/api/kyverno/v1/types.go @@ -43,6 +43,9 @@ type RequestInfo struct { type GenerateRequestStatus struct { State GenerateRequestState `json:"state"` Message string `json:"message,omitempty"` + // This will track the resoruces that are generated by the generate Policy + // Will be used during clean up resources + GeneratedResources []ResourceSpec `json:"generatedResources,omitempty"` } //GenerateRequestState defines the state of @@ -125,7 +128,7 @@ type Policy struct { type Spec struct { Rules []Rule `json:"rules"` ValidationFailureAction string `json:"validationFailureAction"` - Background bool `json:"background,omitempty"` + Background *bool `json:"background"` } // Rule is set of mutation, validation and generation actions @@ -134,11 +137,27 @@ type Rule struct { Name string `json:"name"` MatchResources MatchResources `json:"match"` ExcludeResources ExcludeResources `json:"exclude,omitempty"` + Conditions []Condition `json:"preconditions,omitempty"` Mutation Mutation `json:"mutate,omitempty"` Validation Validation `json:"validate,omitempty"` Generation Generation `json:"generate,omitempty"` } +type Condition struct { + Key interface{} `json:"key"` + Operator ConditionOperator `json:"operator"` + Value interface{} `json:"value"` +} + +type ConditionOperator string + +const ( + Equal ConditionOperator = "Equal" + NotEqual ConditionOperator = "NotEqual" + In ConditionOperator = "In" + NotIn ConditionOperator = "NotIn" +) + //MatchResources contains resource description of the resources that the rule is to apply on type MatchResources struct { UserInfo diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go index fb37811ea0..4ba17b4516 100644 --- a/pkg/api/kyverno/v1/utils.go +++ b/pkg/api/kyverno/v1/utils.go @@ -55,6 +55,14 @@ func (gen *Generation) DeepCopyInto(out *Generation) { } } +// DeepCopyInto is declared because k8s:deepcopy-gen is +// not able to generate this method for interface{} member +func (cond *Condition) DeepCopyInto(out *Condition) { + if out != nil { + *out = *cond + } +} + //ToKey generates the key string used for adding label to polivy violation func (rs ResourceSpec) ToKey() string { return rs.Kind + "." + rs.Name diff --git a/pkg/api/kyverno/v1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1/zz_generated.deepcopy.go index d2273dfc45..a7adc5d472 100644 --- a/pkg/api/kyverno/v1/zz_generated.deepcopy.go +++ b/pkg/api/kyverno/v1/zz_generated.deepcopy.go @@ -164,6 +164,16 @@ func (in *ClusterPolicyViolationList) DeepCopyObject() runtime.Object { return nil } +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExcludeResources) DeepCopyInto(out *ExcludeResources) { *out = *in @@ -188,7 +198,7 @@ func (in *GenerateRequest) DeepCopyInto(out *GenerateRequest) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) return } @@ -281,6 +291,11 @@ func (in *GenerateRequestSpec) DeepCopy() *GenerateRequestSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenerateRequestStatus) DeepCopyInto(out *GenerateRequestStatus) { *out = *in + if in.GeneratedResources != nil { + in, out := &in.GeneratedResources, &out.GeneratedResources + *out = make([]ResourceSpec, len(*in)) + copy(*out, *in) + } return } @@ -588,6 +603,13 @@ func (in *Rule) DeepCopyInto(out *Rule) { *out = *in in.MatchResources.DeepCopyInto(&out.MatchResources) in.ExcludeResources.DeepCopyInto(&out.ExcludeResources) + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } in.Mutation.DeepCopyInto(&out.Mutation) in.Validation.DeepCopyInto(&out.Validation) in.Generation.DeepCopyInto(&out.Generation) @@ -630,6 +652,11 @@ func (in *Spec) DeepCopyInto(out *Spec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Background != nil { + in, out := &in.Background, &out.Background + *out = new(bool) + **out = **in + } return } diff --git a/pkg/client/listers/kyverno/v1/expansion_generated.go b/pkg/client/listers/kyverno/v1/expansion_generated.go index 7ff4c70511..1afb8b6e21 100644 --- a/pkg/client/listers/kyverno/v1/expansion_generated.go +++ b/pkg/client/listers/kyverno/v1/expansion_generated.go @@ -154,6 +154,24 @@ type GenerateRequestListerExpansion interface { // GenerateRequestNamespaceLister. type GenerateRequestNamespaceListerExpansion interface { GetGenerateRequestsForClusterPolicy(policy string) ([]*kyvernov1.GenerateRequest, error) + GetGenerateRequestsForResource(kind, namespace, name string) ([]*kyvernov1.GenerateRequest, error) +} + +func (s generateRequestNamespaceLister) GetGenerateRequestsForResource(kind, namespace, name string) ([]*kyvernov1.GenerateRequest, error) { + var list []*kyvernov1.GenerateRequest + grs, err := s.List(labels.NewSelector()) + if err != nil { + return nil, err + } + for idx, gr := range grs { + if gr.Spec.Resource.Kind == kind && + gr.Spec.Resource.Namespace == namespace && + gr.Spec.Resource.Name == name { + list = append(list, grs[idx]) + + } + } + return list, err } func (s generateRequestNamespaceLister) GetGenerateRequestsForClusterPolicy(policy string) ([]*kyvernov1.GenerateRequest, error) { diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go index aa788b6592..7993d83ce5 100644 --- a/pkg/dclient/client.go +++ b/pkg/dclient/client.go @@ -19,6 +19,7 @@ import ( "k8s.io/client-go/discovery" "k8s.io/client-go/discovery/cached/memory" "k8s.io/client-go/dynamic" + "k8s.io/client-go/dynamic/dynamicinformer" "k8s.io/client-go/kubernetes" csrtype "k8s.io/client-go/kubernetes/typed/certificates/v1beta1" event "k8s.io/client-go/kubernetes/typed/core/v1" @@ -62,6 +63,10 @@ func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{} return &client, nil } +func (c *Client) NewDynamicSharedInformerFactory(defaultResync time.Duration) dynamicinformer.DynamicSharedInformerFactory { + return dynamicinformer.NewDynamicSharedInformerFactory(c.client, defaultResync) +} + //GetKubePolicyDeployment returns kube policy depoyment value func (c *Client) GetKubePolicyDeployment() (*apps.Deployment, error) { kubePolicyDeployment, err := c.GetResource("Deployment", config.KubePolicyNamespace, config.KubePolicyDeploymentName) diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go index 1975e7d59e..d6e5cea7d7 100644 --- a/pkg/engine/context/context.go +++ b/pkg/engine/context/context.go @@ -2,6 +2,7 @@ package context import ( "encoding/json" + "strings" "sync" jsonpatch "github.com/evanphx/json-patch" @@ -17,6 +18,8 @@ type Interface interface { AddResource(dataRaw []byte) error // merges userInfo json under kyverno.userInfo AddUserInfo(userInfo kyverno.UserInfo) error + // merges serrviceaccount + AddSA(userName string) error EvalInterface } @@ -97,3 +100,56 @@ func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error { } return ctx.AddJSON(objRaw) } + +// removes prefix 'system:serviceaccount:' and namespace, then loads only username +func (ctx *Context) AddSA(userName string) error { + saPrefix := "system:serviceaccount:" + var sa string + saName := "" + saNamespace := "" + if len(userName) <= len(saPrefix) { + sa = "" + } else { + sa = userName[len(saPrefix):] + } + // filter namespace + groups := strings.Split(sa, ":") + if len(groups) >= 2 { + glog.V(4).Infof("serviceAccount namespace: %s", groups[0]) + glog.V(4).Infof("serviceAccount name: %s", groups[1]) + saName = groups[1] + saNamespace = groups[0] + } + + glog.Infof("Loading variable serviceAccountName with value: %s", saName) + saNameObj := struct { + SA string `json:"serviceAccountName"` + }{ + SA: saName, + } + saNameRaw, err := json.Marshal(saNameObj) + if err != nil { + glog.V(4).Infof("failed to marshall the updated context data") + return err + } + if err := ctx.AddJSON(saNameRaw); err != nil { + return err + } + + glog.Infof("Loading variable serviceAccountNamespace with value: %s", saNamespace) + saNsObj := struct { + SA string `json:"serviceAccountNamespace"` + }{ + SA: saNamespace, + } + saNsRaw, err := json.Marshal(saNsObj) + if err != nil { + glog.V(4).Infof("failed to marshall the updated context data") + return err + } + if err := ctx.AddJSON(saNsRaw); err != nil { + return err + } + + return nil +} diff --git a/pkg/engine/context/context_test.go b/pkg/engine/context/context_test.go index 69a3697aaf..5531cac544 100644 --- a/pkg/engine/context/context_test.go +++ b/pkg/engine/context/context_test.go @@ -44,7 +44,7 @@ func Test_addResourceAndUserContext(t *testing.T) { `) userInfo := authenticationv1.UserInfo{ - Username: "admin", + Username: "system:serviceaccount:nirmata:user1", UID: "014fbff9a07c", } userRequestInfo := kyverno.RequestInfo{ @@ -80,7 +80,29 @@ func Test_addResourceAndUserContext(t *testing.T) { if err != nil { t.Error(err) } - expectedResult = "admin" + expectedResult = "system:serviceaccount:nirmata:user1" + t.Log(result) + if !reflect.DeepEqual(expectedResult, result) { + t.Error("exected result does not match") + } + // Add service account Name + ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) + result, err = ctx.Query("serviceAccountName") + if err != nil { + t.Error(err) + } + expectedResult = "user1" + t.Log(result) + if !reflect.DeepEqual(expectedResult, result) { + t.Error("exected result does not match") + } + + // Add service account Namespace + result, err = ctx.Query("serviceAccountNamespace") + if err != nil { + t.Error(err) + } + expectedResult = "nirmata" t.Log(result) if !reflect.DeepEqual(expectedResult, result) { t.Error("exected result does not match") diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index e29c4a2b66..40abb9e07a 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -1,9 +1,12 @@ package engine import ( + "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" + "github.com/nirmata/kyverno/pkg/engine/variables" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -12,10 +15,11 @@ func GenerateNew(policyContext PolicyContext) (resp response.EngineResponse) { policy := policyContext.Policy resource := policyContext.NewResource admissionInfo := policyContext.AdmissionInfo - return filterRules(policy, resource, admissionInfo) + ctx := policyContext.Context + return filterRules(policy, resource, admissionInfo, ctx) } -func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.RuleResponse { +func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) *response.RuleResponse { if !rule.HasGenerate() { return nil } @@ -25,6 +29,12 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission if !MatchesResourceDescription(resource, rule) { return nil } + + // evaluate pre-conditions + if !variables.EvaluateConditions(ctx, rule.Conditions) { + glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName()) + return nil + } // build rule Response return &response.RuleResponse{ Name: rule.Name, @@ -32,7 +42,7 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission } } -func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) response.EngineResponse { +func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) response.EngineResponse { resp := response.EngineResponse{ PolicyResponse: response.PolicyResponse{ Policy: policy.Name, @@ -45,7 +55,7 @@ func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructure } for _, rule := range policy.Spec.Rules { - if ruleResp := filterRule(rule, resource, admissionInfo); ruleResp != nil { + if ruleResp := filterRule(rule, resource, admissionInfo, ctx); ruleResp != nil { resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp) } } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 51dcc737ee..75e2fe0cec 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -8,6 +8,7 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" + "github.com/nirmata/kyverno/pkg/engine/variables" "github.com/nirmata/kyverno/pkg/engine/rbac" ) @@ -69,6 +70,13 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName()) continue } + + // evaluate pre-conditions + if !variables.EvaluateConditions(ctx, rule.Conditions) { + glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName()) + continue + } + // Process Overlay if rule.Mutation.Overlay != nil { var ruleResponse response.RuleResponse diff --git a/pkg/engine/policy/background.go b/pkg/engine/policy/background.go index 1259042ad3..636d4f7666 100644 --- a/pkg/engine/policy/background.go +++ b/pkg/engine/policy/background.go @@ -20,12 +20,23 @@ func ContainsUserInfo(policy kyverno.ClusterPolicy) error { } // variable defined with user information + // - condition.key + // - condition.value // - mutate.overlay // - validate.pattern // - validate.anyPattern[*] // variables to filter // - request.userInfo filterVars := []string{"request.userInfo*"} + for condIdx, condition := range rule.Conditions { + if err := variables.CheckVariables(condition.Key, filterVars, "/"); err != nil { + return fmt.Errorf("path: spec/rules[%d]/condition[%d]/key%s", idx, condIdx, err) + } + if err := variables.CheckVariables(condition.Value, filterVars, "/"); err != nil { + return fmt.Errorf("path: spec/rules[%d]/condition[%d]/value%s", idx, condIdx, err) + } + } + if err := variables.CheckVariables(rule.Mutation.Overlay, filterVars, "/"); err != nil { return fmt.Errorf("path: spec/rules[%d]/mutate/overlay%s", idx, err) } diff --git a/pkg/engine/policy/validate.go b/pkg/engine/policy/validate.go index 7142a29a7a..2ab8547e14 100644 --- a/pkg/engine/policy/validate.go +++ b/pkg/engine/policy/validate.go @@ -21,7 +21,11 @@ func Validate(p kyverno.ClusterPolicy) error { if path, err := validateUniqueRuleName(p); err != nil { return fmt.Errorf("path: spec.%s: %v", path, err) } - if p.Spec.Background { + if p.Spec.Background == nil { + //skipped policy mutation default -> skip validation -> will not be processed for background processing + return nil + } + if *p.Spec.Background { if err := ContainsUserInfo(p); err != nil { // policy.spec.background -> "true" // - cannot use variables with request.userInfo diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 48638489e7..b720685a94 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -12,6 +12,7 @@ import ( "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/validate" + "github.com/nirmata/kyverno/pkg/engine/variables" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -107,6 +108,13 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName()) continue } + + // evaluate pre-conditions + if !variables.EvaluateConditions(ctx, rule.Conditions) { + glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName()) + continue + } + if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil { ruleResponse := validatePatterns(ctx, resource, rule) incrementAppliedCount(resp) diff --git a/pkg/engine/variables/evaluate.go b/pkg/engine/variables/evaluate.go new file mode 100644 index 0000000000..a78aa8ef05 --- /dev/null +++ b/pkg/engine/variables/evaluate.go @@ -0,0 +1,28 @@ +package variables + +import ( + "github.com/golang/glog" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/engine/context" + "github.com/nirmata/kyverno/pkg/engine/variables/operator" +) + +func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool { + // get handler for the operator + handle := operator.CreateOperatorHandler(ctx, condition.Operator, SubstituteVariables) + if handle == nil { + return false + } + return handle.Evaluate(condition.Key, condition.Value) +} + +func EvaluateConditions(ctx context.EvalInterface, conditions []kyverno.Condition) bool { + // AND the conditions + for _, condition := range conditions { + if !Evaluate(ctx, condition) { + glog.V(4).Infof("condition %v failed", condition) + return false + } + } + return true +} diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go new file mode 100644 index 0000000000..9eaf532766 --- /dev/null +++ b/pkg/engine/variables/evaluate_test.go @@ -0,0 +1,518 @@ +package variables + +import ( + "encoding/json" + "testing" + + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/engine/context" +) + +// STRINGS +func Test_Eval_Equal_Const_String_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: "name", + Operator: kyverno.Equal, + Value: "name", + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Const_String_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: "name", + Operator: kyverno.Equal, + Value: "name1", + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_NoEqual_Const_String_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: "name", + Operator: kyverno.NotEqual, + Value: "name1", + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_NoEqual_Const_String_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: "name", + Operator: kyverno.NotEqual, + Value: "name", + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +//Bool + +func Test_Eval_Equal_Const_Bool_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: true, + Operator: kyverno.Equal, + Value: true, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Const_Bool_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: true, + Operator: kyverno.Equal, + Value: false, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_NoEqual_Const_Bool_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: true, + Operator: kyverno.NotEqual, + Value: false, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_NoEqual_Const_Bool_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: true, + Operator: kyverno.NotEqual, + Value: true, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +// int +func Test_Eval_Equal_Const_int_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1, + Operator: kyverno.Equal, + Value: 1, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Const_int_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1, + Operator: kyverno.Equal, + Value: 2, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_NoEqual_Const_int_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1, + Operator: kyverno.NotEqual, + Value: 2, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_NoEqual_Const_int_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1, + Operator: kyverno.NotEqual, + Value: 1, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +// int64 +func Test_Eval_Equal_Const_int64_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: int64(1), + Operator: kyverno.Equal, + Value: int64(1), + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Const_int64_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: int64(1), + Operator: kyverno.Equal, + Value: int64(2), + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_NoEqual_Const_int64_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: int64(1), + Operator: kyverno.NotEqual, + Value: int64(2), + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_NoEqual_Const_int64_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: int64(1), + Operator: kyverno.NotEqual, + Value: int64(1), + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +//float64 + +func Test_Eval_Equal_Const_float64_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1.5, + Operator: kyverno.Equal, + Value: 1.5, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Const_float64_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1.5, + Operator: kyverno.Equal, + Value: 1.6, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_NoEqual_Const_float64_Pass(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1.5, + Operator: kyverno.NotEqual, + Value: 1.6, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_NoEqual_Const_float64_Fail(t *testing.T) { + ctx := context.NewContext() + // no variables + condition := kyverno.Condition{ + Key: 1.5, + Operator: kyverno.NotEqual, + Value: 1.5, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +//object/map[string]interface + +func Test_Eval_Equal_Const_object_Pass(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) + obj2Raw := []byte(`{ "dir": { "file1": "a" } }`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.Equal, + Value: obj2, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Const_object_Fail(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) + obj2Raw := []byte(`{ "dir": { "file1": "b" } }`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.Equal, + Value: obj2, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) + obj2Raw := []byte(`{ "dir": { "file1": "b" } }`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.NotEqual, + Value: obj2, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`{ "dir": { "file1": "a" } }`) + obj2Raw := []byte(`{ "dir": { "file1": "a" } }`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.NotEqual, + Value: obj2, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +// list/ []interface{} + +func Test_Eval_Equal_Const_list_Pass(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) + obj2Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.Equal, + Value: obj2, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Const_list_Fail(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) + obj2Raw := []byte(`[ { "name": "b", "file": "a" }, { "name": "b", "file": "b" } ]`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.Equal, + Value: obj2, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) + obj2Raw := []byte(`[ { "name": "b", "file": "a" }, { "name": "b", "file": "b" } ]`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.NotEqual, + Value: obj2, + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_NotEqual_Const_list_Fail(t *testing.T) { + ctx := context.NewContext() + + obj1Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) + obj2Raw := []byte(`[ { "name": "a", "file": "a" }, { "name": "b", "file": "b" } ]`) + var obj1, obj2 interface{} + json.Unmarshal(obj1Raw, &obj1) + json.Unmarshal(obj2Raw, &obj2) + // no variables + condition := kyverno.Condition{ + Key: obj1, + Operator: kyverno.NotEqual, + Value: obj2, + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} + +// Variables + +func Test_Eval_Equal_Var_Pass(t *testing.T) { + resourceRaw := []byte(` + { + "metadata": { + "name": "temp", + "namespace": "n1" + }, + "spec": { + "namespace": "n1", + "name": "temp1" + } + } + `) + + // context + ctx := context.NewContext() + ctx.AddResource(resourceRaw) + condition := kyverno.Condition{ + Key: "{{request.object.metadata.name}}", + Operator: kyverno.Equal, + Value: "temp", + } + + if !Evaluate(ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_Equal_Var_Fail(t *testing.T) { + resourceRaw := []byte(` + { + "metadata": { + "name": "temp", + "namespace": "n1" + }, + "spec": { + "namespace": "n1", + "name": "temp1" + } + } + `) + + // context + ctx := context.NewContext() + ctx.AddResource(resourceRaw) + condition := kyverno.Condition{ + Key: "{{request.object.metadata.name}}", + Operator: kyverno.Equal, + Value: "temp1", + } + + if Evaluate(ctx, condition) { + t.Error("expected to fail") + } +} diff --git a/pkg/engine/variables/operator/equal.go b/pkg/engine/variables/operator/equal.go new file mode 100644 index 0000000000..4d5d45dd32 --- /dev/null +++ b/pkg/engine/variables/operator/equal.go @@ -0,0 +1,139 @@ +package operator + +import ( + "math" + "reflect" + "strconv" + + "github.com/golang/glog" + "github.com/nirmata/kyverno/pkg/engine/context" +) + +func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler { + return EqualHandler{ + ctx: ctx, + subHandler: subHandler, + } +} + +type EqualHandler struct { + ctx context.EvalInterface + subHandler VariableSubstitutionHandler +} + +func (eh EqualHandler) Evaluate(key, value interface{}) bool { + // substitute the variables + nKey := eh.subHandler(eh.ctx, key) + nValue := eh.subHandler(eh.ctx, value) + // key and value need to be of same type + switch typedKey := nKey.(type) { + case bool: + return eh.validateValuewithBoolPattern(typedKey, nValue) + case int: + return eh.validateValuewithIntPattern(int64(typedKey), nValue) + case int64: + return eh.validateValuewithIntPattern(typedKey, nValue) + case float64: + return eh.validateValuewithFloatPattern(typedKey, nValue) + case string: + return eh.validateValuewithStringPattern(typedKey, nValue) + case map[string]interface{}: + return eh.validateValueWithMapPattern(typedKey, nValue) + case []interface{}: + return eh.validateValueWithSlicePattern(typedKey, nValue) + default: + glog.Errorf("Unsupported type %v", typedKey) + return false + } +} + +func (eh EqualHandler) validateValueWithSlicePattern(key []interface{}, value interface{}) bool { + if val, ok := value.([]interface{}); ok { + return reflect.DeepEqual(key, val) + } + glog.Warningf("Expected []interface{}, %v is of type %T", value, value) + return false +} + +func (eh EqualHandler) validateValueWithMapPattern(key map[string]interface{}, value interface{}) bool { + if val, ok := value.(map[string]interface{}); ok { + return reflect.DeepEqual(key, val) + } + glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value) + return false +} + +func (eh EqualHandler) validateValuewithStringPattern(key string, value interface{}) bool { + if val, ok := value.(string); ok { + return key == val + } + glog.Warningf("Expected string, %v is of type %T", value, value) + return false +} + +func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interface{}) bool { + switch typedValue := value.(type) { + case int: + // check that float has not fraction + if key == math.Trunc(key) { + return int(key) == typedValue + } + glog.Warningf("Expected float, found int: %d\n", typedValue) + case int64: + // check that float has not fraction + if key == math.Trunc(key) { + return int64(key) == typedValue + } + glog.Warningf("Expected float, found int: %d\n", typedValue) + case float64: + return typedValue == key + case string: + // extract float from string + float64Num, err := strconv.ParseFloat(typedValue, 64) + if err != nil { + glog.Warningf("Failed to parse float64 from string: %v", err) + return false + } + return float64Num == key + default: + glog.Warningf("Expected float, found: %T\n", value) + return false + } + return false +} + +func (eh EqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool { + typedValue, ok := value.(bool) + if !ok { + glog.Error("Expected bool, found %V", value) + return false + } + return key == typedValue +} + +func (eh EqualHandler) validateValuewithIntPattern(key int64, value interface{}) bool { + switch typedValue := value.(type) { + case int: + return int64(typedValue) == key + case int64: + return typedValue == key + case float64: + // check that float has no fraction + if typedValue == math.Trunc(typedValue) { + return int64(typedValue) == key + } + glog.Warningf("Expected int, found float: %f", typedValue) + return false + case string: + // extract in64 from string + int64Num, err := strconv.ParseInt(typedValue, 10, 64) + if err != nil { + glog.Warningf("Failed to parse int64 from string: %v", err) + return false + } + return int64Num == key + default: + glog.Warningf("Expected int, %v is of type %T", value, value) + return false + } +} diff --git a/pkg/engine/variables/operator/notequal.go b/pkg/engine/variables/operator/notequal.go new file mode 100644 index 0000000000..c088f682c9 --- /dev/null +++ b/pkg/engine/variables/operator/notequal.go @@ -0,0 +1,139 @@ +package operator + +import ( + "math" + "reflect" + "strconv" + + "github.com/golang/glog" + "github.com/nirmata/kyverno/pkg/engine/context" +) + +func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler { + return NotEqualHandler{ + ctx: ctx, + subHandler: subHandler, + } +} + +type NotEqualHandler struct { + ctx context.EvalInterface + subHandler VariableSubstitutionHandler +} + +func (neh NotEqualHandler) Evaluate(key, value interface{}) bool { + // substitute the variables + nKey := neh.subHandler(neh.ctx, key) + nValue := neh.subHandler(neh.ctx, value) + // key and value need to be of same type + switch typedKey := nKey.(type) { + case bool: + return neh.validateValuewithBoolPattern(typedKey, nValue) + case int: + return neh.validateValuewithIntPattern(int64(typedKey), nValue) + case int64: + return neh.validateValuewithIntPattern(typedKey, nValue) + case float64: + return neh.validateValuewithFloatPattern(typedKey, nValue) + case string: + return neh.validateValuewithStringPattern(typedKey, nValue) + case map[string]interface{}: + return neh.validateValueWithMapPattern(typedKey, nValue) + case []interface{}: + return neh.validateValueWithSlicePattern(typedKey, nValue) + default: + glog.Error("Unsupported type %V", typedKey) + return false + } +} + +func (neh NotEqualHandler) validateValueWithSlicePattern(key []interface{}, value interface{}) bool { + if val, ok := value.([]interface{}); ok { + return !reflect.DeepEqual(key, val) + } + glog.Warningf("Expected []interface{}, %v is of type %T", value, value) + return false +} + +func (neh NotEqualHandler) validateValueWithMapPattern(key map[string]interface{}, value interface{}) bool { + if val, ok := value.(map[string]interface{}); ok { + return !reflect.DeepEqual(key, val) + } + glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value) + return false +} + +func (neh NotEqualHandler) validateValuewithStringPattern(key string, value interface{}) bool { + if val, ok := value.(string); ok { + return key != val + } + glog.Warningf("Expected string, %v is of type %T", value, value) + return false +} + +func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value interface{}) bool { + switch typedValue := value.(type) { + case int: + // check that float has not fraction + if key == math.Trunc(key) { + return int(key) != typedValue + } + glog.Warningf("Expected float, found int: %d\n", typedValue) + case int64: + // check that float has not fraction + if key == math.Trunc(key) { + return int64(key) != typedValue + } + glog.Warningf("Expected float, found int: %d\n", typedValue) + case float64: + return typedValue != key + case string: + // extract float from string + float64Num, err := strconv.ParseFloat(typedValue, 64) + if err != nil { + glog.Warningf("Failed to parse float64 from string: %v", err) + return false + } + return float64Num != key + default: + glog.Warningf("Expected float, found: %T\n", value) + return false + } + return false +} + +func (neh NotEqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool { + typedValue, ok := value.(bool) + if !ok { + glog.Error("Expected bool, found %V", value) + return false + } + return key != typedValue +} + +func (neh NotEqualHandler) validateValuewithIntPattern(key int64, value interface{}) bool { + switch typedValue := value.(type) { + case int: + return int64(typedValue) != key + case int64: + return typedValue != key + case float64: + // check that float has no fraction + if typedValue == math.Trunc(typedValue) { + return int64(typedValue) != key + } + glog.Warningf("Expected int, found float: %f\n", typedValue) + return false + case string: + // extract in64 from string + int64Num, err := strconv.ParseInt(typedValue, 10, 64) + if err != nil { + glog.Warningf("Failed to parse int64 from string: %v", err) + return false + } + return int64Num != key + default: + glog.Warningf("Expected int, %v is of type %T", value, value) + return false + } +} diff --git a/pkg/engine/variables/operator/operator.go b/pkg/engine/variables/operator/operator.go new file mode 100644 index 0000000000..607a64d203 --- /dev/null +++ b/pkg/engine/variables/operator/operator.go @@ -0,0 +1,30 @@ +package operator + +import ( + "github.com/golang/glog" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/engine/context" +) + +type OperatorHandler interface { + Evaluate(key, value interface{}) bool + validateValuewithBoolPattern(key bool, value interface{}) bool + validateValuewithIntPattern(key int64, value interface{}) bool + validateValuewithFloatPattern(key float64, value interface{}) bool + validateValueWithMapPattern(key map[string]interface{}, value interface{}) bool + validateValueWithSlicePattern(key []interface{}, value interface{}) bool +} + +type VariableSubstitutionHandler = func(ctx context.EvalInterface, pattern interface{}) interface{} + +func CreateOperatorHandler(ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler { + switch op { + case kyverno.Equal: + return NewEqualHandler(ctx, subHandler) + case kyverno.NotEqual: + return NewNotEqualHandler(ctx, subHandler) + default: + glog.Errorf("unsupported operator: %s", string(op)) + } + return nil +} diff --git a/pkg/engine/variables/variables.go b/pkg/engine/variables/variables.go index 30b49787b7..63934a7d94 100644 --- a/pkg/engine/variables/variables.go +++ b/pkg/engine/variables/variables.go @@ -73,24 +73,65 @@ func substituteValue(ctx context.EvalInterface, valuePattern string) interface{} func getValueQuery(ctx context.EvalInterface, valuePattern string) interface{} { var emptyInterface interface{} // extract variable {{}} - variableRegex := regexp.MustCompile("{{(.*)}}") - groups := variableRegex.FindStringSubmatch(valuePattern) - if len(groups) < 2 { + validRegex := regexp.MustCompile(`\{\{([^{}]*)\}\}`) + groups := validRegex.FindAllStringSubmatch(valuePattern, -1) + // can have multiple variables in a single value pattern + // var Map + varMap := getValues(ctx, groups) + if len(varMap) == 0 { + // there are no varaiables + // return the original value return valuePattern } - searchPath := groups[1] - // search for the path in ctx - variable, err := ctx.Query(searchPath) - if err != nil { - glog.V(4).Infof("variable substitution failed for query %s: %v", searchPath, err) - return emptyInterface - } - // only replace the value if returned value is scalar - if val, ok := variable.(string); ok { - newVal := strings.Replace(valuePattern, groups[0], val, -1) + // only substitute values if all the variable values are of type string + if isAllVarStrings(varMap) { + newVal := valuePattern + for key, value := range varMap { + if val, ok := value.(string); ok { + newVal = strings.Replace(newVal, key, val, -1) + } + } return newVal } - return variable + + // we do not support mutliple substitution per statement for non-string types + for _, value := range varMap { + return value + } + return emptyInterface +} + +// returns map of variables as keys and variable values as values +func getValues(ctx context.EvalInterface, groups [][]string) map[string]interface{} { + var emptyInterface interface{} + subs := map[string]interface{}{} + for _, group := range groups { + if len(group) == 2 { + // 0th is string + // 1st is the capture group + variable, err := ctx.Query(group[1]) + if err != nil { + glog.V(4).Infof("variable substitution failed for query %s: %v", group[0], err) + subs[group[0]] = emptyInterface + continue + } + if variable == nil { + subs[group[0]] = emptyInterface + } else { + subs[group[0]] = variable + } + } + } + return subs +} + +func isAllVarStrings(subVar map[string]interface{}) bool { + for _, value := range subVar { + if _, ok := value.(string); !ok { + return false + } + } + return true } func getOperator(pattern string) string { diff --git a/pkg/engine/variables/variables_test.go b/pkg/engine/variables/variables_test.go index 610ce9b9b9..f3e8a22252 100644 --- a/pkg/engine/variables/variables_test.go +++ b/pkg/engine/variables/variables_test.go @@ -76,6 +76,72 @@ func Test_variablesub1(t *testing.T) { t.Error("result does not match") } } + +func Test_variablesub_multiple(t *testing.T) { + patternMap := []byte(` + { + "kind": "ClusterRole", + "name": "ns-owner-{{request.object.metadata.namespace}}-{{request.userInfo.username}}-bindings", + "data": { + "rules": [ + { + "apiGroups": [ + "" + ], + "resources": [ + "namespaces" + ], + "verbs": [ + "*" + ], + "resourceNames": [ + "{{request.object.metadata.name}}" + ] + } + ] + } + } + `) + + resourceRaw := []byte(` + { + "metadata": { + "name": "temp", + "namespace": "n1" + }, + "spec": { + "namespace": "n1", + "name": "temp1" + } + } + `) + // userInfo + userReqInfo := kyverno.RequestInfo{ + AdmissionUserInfo: authenticationv1.UserInfo{ + Username: "user1", + }, + } + + resultMap := []byte(`{"data":{"rules":[{"apiGroups":[""],"resourceNames":["temp"],"resources":["namespaces"],"verbs":["*"]}]},"kind":"ClusterRole","name":"ns-owner-n1-user1-bindings"}`) + + var pattern, resource interface{} + json.Unmarshal(patternMap, &pattern) + json.Unmarshal(resourceRaw, &resource) + // context + ctx := context.NewContext() + ctx.AddResource(resourceRaw) + ctx.AddUserInfo(userReqInfo) + value := SubstituteVariables(ctx, pattern) + resultRaw, err := json.Marshal(value) + if err != nil { + t.Error(err) + } + if !reflect.DeepEqual(resultMap, resultRaw) { + t.Log(string(resultMap)) + t.Log(string(resultRaw)) + t.Error("result does not match") + } +} func Test_variablesubstitution(t *testing.T) { patternMap := []byte(` { diff --git a/pkg/generate/cleanup/cleanup.go b/pkg/generate/cleanup/cleanup.go index cf6854558d..ff34284ac7 100644 --- a/pkg/generate/cleanup/cleanup.go +++ b/pkg/generate/cleanup/cleanup.go @@ -13,7 +13,6 @@ const timoutMins = 2 const timeout = time.Minute * timoutMins // 2 minutes func (c *Controller) processGR(gr kyverno.GenerateRequest) error { - glog.V(4).Info("processGR cleanup") // 1-Corresponding policy has been deleted _, err := c.pLister.Get(gr.Spec.Policy) if errors.IsNotFound(err) { @@ -25,13 +24,15 @@ func (c *Controller) processGR(gr kyverno.GenerateRequest) error { if gr.Status.State == kyverno.Completed { glog.V(4).Infof("checking if owner exists for gr %s", gr.Name) if !ownerResourceExists(c.client, gr) { + if err := deleteGeneratedResources(c.client, gr); err != nil { + return err + } glog.V(4).Infof("delete GR %s", gr.Name) return c.control.Delete(gr.Name) } return nil } createTime := gr.GetCreationTimestamp() - glog.V(4).Infof("state %s", string(gr.Status.State)) if time.Since(createTime.UTC()) > timeout { // the GR was in state ["",Failed] for more than timeout glog.V(4).Infof("GR %s was not processed succesfully in %d minutes", gr.Name, timoutMins) @@ -44,9 +45,22 @@ func (c *Controller) processGR(gr kyverno.GenerateRequest) error { func ownerResourceExists(client *dclient.Client, gr kyverno.GenerateRequest) bool { _, err := client.GetResource(gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name) if err != nil { - glog.V(4).Info("cleanup Resource does not exits") return false } - glog.V(4).Info("cleanup Resource does exits") return true } + +func deleteGeneratedResources(client *dclient.Client, gr kyverno.GenerateRequest) error { + for _, genResource := range gr.Status.GeneratedResources { + err := client.DeleteResource(genResource.Kind, genResource.Namespace, genResource.Name, false) + if errors.IsNotFound(err) { + glog.V(4).Infof("resource %s/%s/%s not found, will no delete", genResource.Kind, genResource.Namespace, genResource.Name) + continue + } + if err != nil { + return err + } + + } + return nil +} diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go index 655b2d0698..f493d2616c 100644 --- a/pkg/generate/cleanup/controller.go +++ b/pkg/generate/cleanup/controller.go @@ -12,8 +12,11 @@ import ( kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" dclient "github.com/nirmata/kyverno/pkg/dclient" "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/client-go/dynamic/dynamicinformer" + "k8s.io/client-go/informers" "k8s.io/client-go/tools/cache" "k8s.io/client-go/util/workqueue" ) @@ -44,6 +47,11 @@ type Controller struct { pSynced cache.InformerSynced // grSynced returns true if the generate request store has been synced at least once grSynced cache.InformerSynced + // dyanmic sharedinformer factory + dynamicInformer dynamicinformer.DynamicSharedInformerFactory + //TODO: list of generic informers + // only support Namespaces for deletion of resource + nsInformer informers.GenericInformer } func NewController( @@ -51,13 +59,15 @@ func NewController( client *dclient.Client, pInformer kyvernoinformer.ClusterPolicyInformer, grInformer kyvernoinformer.GenerateRequestInformer, + dynamicInformer dynamicinformer.DynamicSharedInformerFactory, ) *Controller { c := Controller{ kyvernoClient: kyvernoclient, client: client, //TODO: do the math for worst case back off and make sure cleanup runs after that // as we dont want a deleted GR to be re-queue - queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request-cleanup"), + queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request-cleanup"), + dynamicInformer: dynamicInformer, } c.control = Control{client: kyvernoclient} c.enqueueGR = c.enqueue @@ -78,10 +88,30 @@ func NewController( UpdateFunc: c.updateGR, DeleteFunc: c.deleteGR, }, 2*time.Minute) + //TODO: dynamic registration + // Only supported for namespaces + nsInformer := dynamicInformer.ForResource(client.DiscoveryClient.GetGVRFromKind("Namespace")) + c.nsInformer = nsInformer + c.nsInformer.Informer().AddEventHandlerWithResyncPeriod(cache.ResourceEventHandlerFuncs{ + DeleteFunc: c.deleteGenericResource, + }, 2*time.Minute) return &c } +func (c *Controller) deleteGenericResource(obj interface{}) { + r := obj.(*unstructured.Unstructured) + grs, err := c.grLister.GetGenerateRequestsForResource(r.GetKind(), r.GetNamespace(), r.GetName()) + if err != nil { + glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", r.GetKind(), r.GetNamespace(), r.GetName(), err) + return + } + // re-evaluate the GR as the resource was deleted + for _, gr := range grs { + c.enqueueGR(gr) + } +} + func (c *Controller) deletePolicy(obj interface{}) { p, ok := obj.(*kyverno.ClusterPolicy) if !ok { diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go index 2452536361..27ccdcc4a5 100644 --- a/pkg/generate/controller.go +++ b/pkg/generate/controller.go @@ -12,8 +12,11 @@ import ( dclient "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/event" "github.com/nirmata/kyverno/pkg/policyviolation" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/client-go/dynamic/dynamicinformer" + "k8s.io/client-go/informers" "k8s.io/client-go/tools/cache" "k8s.io/client-go/util/workqueue" ) @@ -48,6 +51,11 @@ type Controller struct { grSynced cache.InformerSynced // policy violation generator pvGenerator policyviolation.GeneratorInterface + // dyanmic sharedinformer factory + dynamicInformer dynamicinformer.DynamicSharedInformerFactory + //TODO: list of generic informers + // only support Namespaces for re-evalutation on resource updates + nsInformer informers.GenericInformer } func NewController( @@ -57,6 +65,7 @@ func NewController( grInformer kyvernoinformer.GenerateRequestInformer, eventGen event.Interface, pvGenerator policyviolation.GeneratorInterface, + dynamicInformer dynamicinformer.DynamicSharedInformerFactory, ) *Controller { c := Controller{ client: client, @@ -65,7 +74,8 @@ func NewController( pvGenerator: pvGenerator, //TODO: do the math for worst case back off and make sure cleanup runs after that // as we dont want a deleted GR to be re-queue - queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request"), + queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request"), + dynamicInformer: dynamicInformer, } c.statusControl = StatusControl{client: kyvernoclient} @@ -89,9 +99,31 @@ func NewController( c.pSynced = pInformer.Informer().HasSynced c.grSynced = pInformer.Informer().HasSynced + //TODO: dynamic registration + // Only supported for namespaces + nsInformer := dynamicInformer.ForResource(client.DiscoveryClient.GetGVRFromKind("Namespace")) + c.nsInformer = nsInformer + c.nsInformer.Informer().AddEventHandlerWithResyncPeriod(cache.ResourceEventHandlerFuncs{ + UpdateFunc: c.updateGenericResource, + }, 2*time.Minute) return &c } +func (c *Controller) updateGenericResource(old, cur interface{}) { + curR := cur.(*unstructured.Unstructured) + + grs, err := c.grLister.GetGenerateRequestsForResource(curR.GetKind(), curR.GetNamespace(), curR.GetName()) + if err != nil { + glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", curR.GetKind(), curR.GetNamespace(), curR.GetName(), err) + return + } + // re-evaluate the GR as the resource was updated + for _, gr := range grs { + c.enqueueGR(gr) + } + +} + func (c *Controller) enqueue(gr *kyverno.GenerateRequest) { key, err := cache.MetaNamespaceKeyFunc(gr) if err != nil { @@ -124,7 +156,6 @@ func (c *Controller) updatePolicy(old, cur interface{}) { func (c *Controller) addGR(obj interface{}) { gr := obj.(*kyverno.GenerateRequest) - // glog.V(4).Infof("Adding GR %s; Policy %s; Resource %v", gr.Name, gr.Spec.Policy, gr.Spec.Resource) c.enqueueGR(gr) } @@ -163,6 +194,7 @@ func (c *Controller) deleteGR(obj interface{}) { c.enqueueGR(gr) } +//Run ... func (c *Controller) Run(workers int, stopCh <-chan struct{}) { defer utilruntime.HandleCrash() defer c.queue.ShutDown() diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index bd9b3d15b1..2a120c605f 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -12,23 +12,24 @@ import ( "github.com/nirmata/kyverno/pkg/engine/variables" "github.com/nirmata/kyverno/pkg/policyviolation" "k8s.io/apimachinery/pkg/api/errors" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" ) func (c *Controller) processGR(gr *kyverno.GenerateRequest) error { + var err error + var resource *unstructured.Unstructured + var genResources []kyverno.ResourceSpec // 1 - Check if the resource exists - resource, err := getResource(c.client, gr.Spec.Resource) + resource, err = getResource(c.client, gr.Spec.Resource) if err != nil { // Dont update status glog.V(4).Infof("resource does not exist or is yet to be created, requeuing: %v", err) return err } - glog.V(4).Infof("processGR %v", gr.Status.State) // 2 - Apply the generate policy on the resource - err = c.applyGenerate(*resource, *gr) + genResources, err = c.applyGenerate(*resource, *gr) switch e := err.(type) { case *Violation: // Generate event @@ -45,28 +46,28 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error { reportEvents(err, c.eventGen, *gr, *resource) // 4 - Update Status - return updateStatus(c.statusControl, *gr, err) + return updateStatus(c.statusControl, *gr, err, genResources) } -func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyverno.GenerateRequest) error { +func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) { // Get the list of rules to be applied // get policy - glog.V(4).Info("applyGenerate") policy, err := c.pLister.Get(gr.Spec.Policy) if err != nil { glog.V(4).Infof("policy %s not found: %v", gr.Spec.Policy, err) - return nil + return nil, nil } // build context ctx := context.NewContext() resourceRaw, err := resource.MarshalJSON() if err != nil { glog.V(4).Infof("failed to marshal resource: %v", err) - return err + return nil, err } ctx.AddResource(resourceRaw) ctx.AddUserInfo(gr.Spec.Context.UserRequestInfo) + ctx.AddSA(gr.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username) policyContext := engine.PolicyContext{ NewResource: resource, @@ -75,35 +76,34 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern AdmissionInfo: gr.Spec.Context.UserRequestInfo, } - glog.V(4).Info("GenerateNew") // check if the policy still applies to the resource engineResponse := engine.GenerateNew(policyContext) if len(engineResponse.PolicyResponse.Rules) == 0 { glog.V(4).Infof("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource) - return fmt.Errorf("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource) + return nil, fmt.Errorf("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource) } - glog.V(4).Infof("%v", gr) + // Apply the generate rule on resource return applyGeneratePolicy(c.client, policyContext, gr.Status.State) } -func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateRequest, err error) error { +func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateRequest, err error, genResources []kyverno.ResourceSpec) error { if err != nil { - return statusControl.Failed(gr, err.Error()) + return statusControl.Failed(gr, err.Error(), genResources) } // Generate request successfully processed - return statusControl.Success(gr) + return statusControl.Success(gr, genResources) } -func applyGeneratePolicy(client *dclient.Client, policyContext engine.PolicyContext, state kyverno.GenerateRequestState) error { +func applyGeneratePolicy(client *dclient.Client, policyContext engine.PolicyContext, state kyverno.GenerateRequestState) ([]kyverno.ResourceSpec, error) { + // List of generatedResources + var genResources []kyverno.ResourceSpec // Get the response as the actions to be performed on the resource - // - DATA (rule.Generation.Data) // - - substitute values policy := policyContext.Policy resource := policyContext.NewResource ctx := policyContext.Context - glog.V(4).Info("applyGeneratePolicy") // To manage existing resources, we compare the creation time for the default resiruce to be generated and policy creation time processExisting := func() bool { rcreationTime := resource.GetCreationTimestamp() @@ -115,17 +115,20 @@ func applyGeneratePolicy(client *dclient.Client, policyContext engine.PolicyCont if !rule.HasGenerate() { continue } - if err := applyRule(client, rule, resource, ctx, state, processExisting); err != nil { - return err + genResource, err := applyRule(client, rule, resource, ctx, state, processExisting) + if err != nil { + return nil, err } + genResources = append(genResources, genResource) } - return nil + return genResources, nil } -func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, state kyverno.GenerateRequestState, processExisting bool) error { +func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, state kyverno.GenerateRequestState, processExisting bool) (kyverno.ResourceSpec, error) { var rdata map[string]interface{} var err error + var noGenResource kyverno.ResourceSpec // variable substitution // - name @@ -133,8 +136,14 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured. // - clone.name // - clone.namespace gen := variableSubsitutionForAttributes(rule.Generation, ctx) + // Resource to be generated + newGenResource := kyverno.ResourceSpec{ + Kind: gen.Kind, + Namespace: gen.Namespace, + Name: gen.Name, + } + // DATA - glog.V(4).Info("applyRule") if gen.Data != nil { if rdata, err = handleData(rule.Name, gen, client, resource, ctx, state); err != nil { glog.V(4).Info(err) @@ -143,62 +152,57 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured. // handled errors case *Violation: // create policy violation - return e + return noGenResource, e default: // errors that cant be handled - return e + return noGenResource, e } } if rdata == nil { // existing resource contains the configuration - return nil + return newGenResource, nil } } // CLONE if gen.Clone != (kyverno.CloneFrom{}) { if rdata, err = handleClone(gen, client, resource, ctx, state); err != nil { + glog.V(4).Info(err) switch e := err.(type) { case *NotFound: // handled errors - return e + return noGenResource, e default: // errors that cant be handled - return e + return noGenResource, e } } if rdata == nil { // resource already exists - return nil + return newGenResource, nil } } if processExisting { // handle existing resources // policy was generated after the resource // we do not create new resource - return err + return noGenResource, err } // Create the generate resource newResource := &unstructured.Unstructured{} - glog.V(4).Info(rdata) newResource.SetUnstructuredContent(rdata) newResource.SetName(gen.Name) newResource.SetNamespace(gen.Namespace) // Reset resource version newResource.SetResourceVersion("") - // set the ownerReferences - ownerRefs := newResource.GetOwnerReferences() - // add ownerRefs - newResource.SetOwnerReferences(ownerRefs) glog.V(4).Infof("creating resource %v", newResource) _, err = client.CreateResource(gen.Kind, gen.Namespace, newResource, false) if err != nil { glog.Info(err) - return err + return noGenResource, err } glog.V(4).Infof("created new resource %s %s %s ", gen.Kind, gen.Namespace, gen.Name) - // New Resource created succesfully - return nil + return newGenResource, nil } func variableSubsitutionForAttributes(gen kyverno.Generation, ctx context.EvalInterface) kyverno.Generation { @@ -227,24 +231,9 @@ func variableSubsitutionForAttributes(gen kyverno.Generation, ctx context.EvalIn if newcloneNamespace, ok := newcloneNamespaceVar.(string); ok { gen.Clone.Namespace = newcloneNamespace } - glog.V(4).Infof("var updated %v", gen.Name) return gen } -func createOwnerReference(ownerRefs []metav1.OwnerReference, resource unstructured.Unstructured) { - controllerFlag := true - blockOwnerDeletionFlag := true - ownerRef := metav1.OwnerReference{ - APIVersion: resource.GetAPIVersion(), - Kind: resource.GetKind(), - Name: resource.GetName(), - UID: resource.GetUID(), - Controller: &controllerFlag, - BlockOwnerDeletion: &blockOwnerDeletionFlag, - } - ownerRefs = append(ownerRefs, ownerRef) -} - func handleData(ruleName string, generateRule kyverno.Generation, client *dclient.Client, resource unstructured.Unstructured, ctx context.EvalInterface, state kyverno.GenerateRequestState) (map[string]interface{}, error) { newData := variables.SubstituteVariables(ctx, generateRule.Data) @@ -252,7 +241,6 @@ func handleData(ruleName string, generateRule kyverno.Generation, client *dclien obj, err := client.GetResource(generateRule.Kind, generateRule.Namespace, generateRule.Name) glog.V(4).Info(err) if errors.IsNotFound(err) { - glog.V(4).Info("handleData NotFound") glog.V(4).Info(string(state)) // Resource does not exist if state == "" { @@ -270,7 +258,6 @@ func handleData(ruleName string, generateRule kyverno.Generation, client *dclien // report Violation to notify the error return nil, NewViolation(ruleName, NewNotFound(generateRule.Kind, generateRule.Namespace, generateRule.Name)) } - glog.V(4).Info(err) if err != nil { //something wrong while fetching resource return nil, err @@ -293,12 +280,10 @@ func handleClone(generateRule kyverno.Generation, client *dclient.Client, resour // check if resource exists _, err := client.GetResource(generateRule.Kind, generateRule.Namespace, generateRule.Name) if err == nil { - glog.V(4).Info("handleClone Exists") // resource exists return nil, nil } if !errors.IsNotFound(err) { - glog.V(4).Info("handleClone NotFound") //something wrong while fetching resource return nil, err } @@ -306,15 +291,12 @@ func handleClone(generateRule kyverno.Generation, client *dclient.Client, resour // get reference clone resource obj, err := client.GetResource(generateRule.Kind, generateRule.Clone.Namespace, generateRule.Clone.Name) if errors.IsNotFound(err) { - glog.V(4).Info("handleClone reference not Found") return nil, NewNotFound(generateRule.Kind, generateRule.Clone.Namespace, generateRule.Clone.Name) } if err != nil { - glog.V(4).Info("handleClone reference Error") //something wrong while fetching resource return nil, err } - glog.V(4).Info("handleClone refrerence sending") return obj.UnstructuredContent(), nil } diff --git a/pkg/generate/status.go b/pkg/generate/status.go index f5da237e51..6ceed68ab5 100644 --- a/pkg/generate/status.go +++ b/pkg/generate/status.go @@ -7,8 +7,8 @@ import ( ) type StatusControlInterface interface { - Failed(gr kyverno.GenerateRequest, message string) error - Success(gr kyverno.GenerateRequest) error + Failed(gr kyverno.GenerateRequest, message string, genResources []kyverno.ResourceSpec) error + Success(gr kyverno.GenerateRequest, genResources []kyverno.ResourceSpec) error } // StatusControl is default implementaation of GRStatusControlInterface @@ -17,10 +17,11 @@ type StatusControl struct { } //FailedGR sets gr status.state to failed with message -func (sc StatusControl) Failed(gr kyverno.GenerateRequest, message string) error { +func (sc StatusControl) Failed(gr kyverno.GenerateRequest, message string, genResources []kyverno.ResourceSpec) error { gr.Status.State = kyverno.Failed gr.Status.Message = message - + // Update Generated Resources + gr.Status.GeneratedResources = genResources _, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr) if err != nil { glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Failed)) @@ -31,9 +32,11 @@ func (sc StatusControl) Failed(gr kyverno.GenerateRequest, message string) error } // SuccessGR sets the gr status.state to completed and clears message -func (sc StatusControl) Success(gr kyverno.GenerateRequest) error { +func (sc StatusControl) Success(gr kyverno.GenerateRequest, genResources []kyverno.ResourceSpec) error { gr.Status.State = kyverno.Completed gr.Status.Message = "" + // Update Generated Resources + gr.Status.GeneratedResources = genResources _, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr) if err != nil { diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go index a8bfe8147b..1dbca0611a 100644 --- a/pkg/policy/controller.go +++ b/pkg/policy/controller.go @@ -13,6 +13,7 @@ import ( kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "github.com/nirmata/kyverno/pkg/config" client "github.com/nirmata/kyverno/pkg/dclient" + "github.com/nirmata/kyverno/pkg/engine/policy" "github.com/nirmata/kyverno/pkg/event" "github.com/nirmata/kyverno/pkg/policystore" "github.com/nirmata/kyverno/pkg/policyviolation" @@ -159,9 +160,25 @@ func (pc *PolicyController) addPolicy(obj interface{}) { // policy.spec.background -> "True" // register with policy meta-store pc.pMetaStore.Register(*p) - if !p.Spec.Background { - return + + // TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598 + if p.Spec.Background == nil { + // if userInfo is not defined in policy we process the policy + if err := policy.ContainsUserInfo(*p); err != nil { + return + } + } else { + if !*p.Spec.Background { + return + } + // If userInfo is used then skip the policy + // ideally this should be handled by background flag only + if err := policy.ContainsUserInfo(*p); err != nil { + // contains userInfo used in policy + return + } } + glog.V(4).Infof("Adding Policy %s", p.Name) pc.enqueuePolicy(p) } @@ -176,8 +193,22 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) { // Only process policies that are enabled for "background" execution // policy.spec.background -> "True" - if !curP.Spec.Background { - return + // TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598 + if curP.Spec.Background == nil { + // if userInfo is not defined in policy we process the policy + if err := policy.ContainsUserInfo(*curP); err != nil { + return + } + } else { + if !*curP.Spec.Background { + return + } + // If userInfo is used then skip the policy + // ideally this should be handled by background flag only + if err := policy.ContainsUserInfo(*curP); err != nil { + // contains userInfo used in policy + return + } } glog.V(4).Infof("Updating Policy %s", oldP.Name) pc.enqueuePolicy(curP) diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go index d7661f0780..3aad02f442 100644 --- a/pkg/webhooks/generation.go +++ b/pkg/webhooks/generation.go @@ -34,6 +34,8 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic // load incoming resource into the context // ctx.AddResource(request.Object.Raw) ctx.AddUserInfo(userRequestInfo) + // load service account in context + ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) policyContext := engine.PolicyContext{ NewResource: *resource, diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index f73c9aaa99..dd0f8cb477 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go @@ -64,6 +64,8 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou // load incoming resource into the context ctx.AddResource(request.Object.Raw) ctx.AddUserInfo(userRequestInfo) + ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) + policyContext := engine.PolicyContext{ NewResource: resource, AdmissionInfo: userRequestInfo, diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go index d0a850fe1a..d0ee8c503b 100644 --- a/pkg/webhooks/policymutation.go +++ b/pkg/webhooks/policymutation.go @@ -60,6 +60,12 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, operation v1b updateMsgs = append(updateMsgs, updateMsg) } + // default 'Background' + if patch, updateMsg := defaultBackgroundFlag(policy); patch != nil { + patches = append(patches, patch) + updateMsgs = append(updateMsgs, updateMsg) + } + // TODO(shuting): enable this feature on policy UPDATE if operation == v1beta1.Create { patch, errs := generatePodControllerRule(*policy) @@ -77,6 +83,31 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, operation v1b return utils.JoinPatches(patches), updateMsgs } +func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) { + // default 'Background' flag to 'true' if not specified + defaultVal := true + if policy.Spec.Background == nil { + glog.V(4).Infof("default policy %s 'Background' to '%s'", policy.Name, strconv.FormatBool(true)) + jsonPatch := struct { + Path string `json:"path"` + Op string `json:"op"` + Value *bool `json:"value"` + }{ + "/spec/background", + "add", + &defaultVal, + } + patchByte, err := json.Marshal(jsonPatch) + if err != nil { + glog.Errorf("failed to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name) + return nil, "" + } + glog.V(4).Infof("generate JSON Patch to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name) + return patchByte, fmt.Sprintf("default 'Background' to '%s'", strconv.FormatBool(true)) + } + return nil, "" +} + func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, string) { // default ValidationFailureAction to "audit" if not specified if policy.Spec.ValidationFailureAction == "" { diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go index 940255043a..9237d7428a 100644 --- a/pkg/webhooks/validation.go +++ b/pkg/webhooks/validation.go @@ -68,6 +68,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol // load incoming resource into the context ctx.AddResource(request.Object.Raw) ctx.AddUserInfo(userRequestInfo) + ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) policyContext := engine.PolicyContext{ NewResource: newR, diff --git a/samples/AddDefaultNetworkPolicy.md b/samples/AddDefaultNetworkPolicy.md index 3f2b456a56..e28371f3b8 100644 --- a/samples/AddDefaultNetworkPolicy.md +++ b/samples/AddDefaultNetworkPolicy.md @@ -24,6 +24,7 @@ spec: generate: kind: NetworkPolicy name: default-deny-ingress + namespace: "{{request.object.metadata.name}}" data: spec: # select all pods in the namespace diff --git a/samples/AddNamespaceQuotas.md b/samples/AddNamespaceQuotas.md index f3fda921d8..63c02109eb 100644 --- a/samples/AddNamespaceQuotas.md +++ b/samples/AddNamespaceQuotas.md @@ -25,6 +25,7 @@ spec: generate: kind: ResourceQuota name: default-resourcequota + namespace: "{{request.object.metadata.name}}" data: spec: hard: @@ -40,6 +41,7 @@ spec: generate: kind: LimitRange name: default-limitrange + namespace: "{{request.object.metadata.name}}" data: spec: limits: diff --git a/samples/best_practices/add_network_policy.yaml b/samples/best_practices/add_network_policy.yaml index 9753eb80db..d195330afa 100644 --- a/samples/best_practices/add_network_policy.yaml +++ b/samples/best_practices/add_network_policy.yaml @@ -21,6 +21,7 @@ spec: generate: kind: NetworkPolicy name: default-deny-ingress + namespace: "{{request.object.metadata.name}}" data: spec: # select all pods in the namespace diff --git a/samples/best_practices/add_ns_quota.yaml b/samples/best_practices/add_ns_quota.yaml index 1d830befcf..d8a1f147d4 100644 --- a/samples/best_practices/add_ns_quota.yaml +++ b/samples/best_practices/add_ns_quota.yaml @@ -17,6 +17,7 @@ spec: generate: kind: ResourceQuota name: default-resourcequota + namespace: "{{request.object.metadata.name}}" data: spec: hard: @@ -32,6 +33,7 @@ spec: generate: kind: LimitRange name: default-limitrange + namespace: "{{request.object.metadata.name}}" data: spec: limits: diff --git a/test/policy/generate/variable.yaml b/test/policy/generate/variable.yaml index 3072131c4e..03850b09dd 100644 --- a/test/policy/generate/variable.yaml +++ b/test/policy/generate/variable.yaml @@ -12,15 +12,14 @@ spec: resources: kinds: - Namespace - name: devtest generate: kind: ClusterRole - name: "ns-owner-{{request.userInfo.username}}" + name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}" data: rules: - apiGroups: [""] resources: ["namespaces"] - verbs: ["*"] + verbs: ["delete"] resourceNames: - "{{request.object.metadata.name}}" - name: generate-owner-role-binding @@ -28,28 +27,27 @@ spec: resources: kinds: - Namespace - name: devtest generate: kind: ClusterRoleBinding - name: "ns-owner-{{request.userInfo.username}}-binding" + name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding" data: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: "nsowner-{{request.userInfo.username}}" + name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}" subjects: - kind: ServiceAccount - name: "{{request.userInfo.username}}" - namespace: "{{request.object.metadata.name}}" + # pre-defined context value (removes the suffix system:serviceaccount:: from userName) + name: "{{serviceAccountName}}" # + namespace: "{{serviceAccountNamespace}}" # - name: generate-admin-role-binding match: resources: kinds: - Namespace - name: devtest generate: kind: RoleBinding - name: "ns-admin-{{request.userInfo.username}}-binding" + name: "ns-admin-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding" namespace: "{{request.object.metadata.name}}" data: roleRef: @@ -58,5 +56,5 @@ spec: name: admin subjects: - kind: ServiceAccount - name: "{{request.userInfo.username}}" - namespace: "{{request.object.metadata.name}}" \ No newline at end of file + name: "{{serviceAccountName}}" + namespace: "{{serviceAccountNamespace}}"