From a847b140d3b87d60526431b29f41bfcb76664b7b Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Tue, 6 Aug 2019 23:44:40 -0700 Subject: [PATCH 1/5] fix examples --- README.md | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 7a2e4b38ab..f0c8808da3 100644 --- a/README.md +++ b/README.md @@ -34,9 +34,10 @@ metadata: spec: rules: - name: check-pod-resources - resource: - kinds: - - Pod + match: + resources: + kinds: + - Pod validate: message: "CPU and memory resource requests and limits are required" pattern: @@ -67,9 +68,10 @@ metadata: spec: rules: - name: set-image-pull-policy - resource: - kinds: - - Deployment + match: + resources: + kinds: + - Deployment mutate: overlay: spec: @@ -94,12 +96,13 @@ metadata: spec: rules: - name: "zk-kafka-address" - resource: - kinds: - - Namespace - selector: - matchExpressions: - - {key: kafka, operator: Exists} + match: + resources: + kinds: + - Namespace + selector: + matchExpressions: + - {key: kafka, operator: Exists} generate: kind: ConfigMap name: zk-kafka-address From d16e398d38b00c9ca410abb36b97e6d9ffa77b78 Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Wed, 7 Aug 2019 17:06:36 -0700 Subject: [PATCH 2/5] fixes bug_267 --- pkg/annotations/annotations.go | 63 +++++++++++++++++++++++++++++++++ pkg/controller/controller.go | 60 +++---------------------------- pkg/gencontroller/generation.go | 2 +- pkg/info/info.go | 2 ++ pkg/webhooks/report.go | 2 +- 5 files changed, 72 insertions(+), 57 deletions(-) diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go index 21f4e71747..46725b8cc2 100644 --- a/pkg/annotations/annotations.go +++ b/pkg/annotations/annotations.go @@ -78,6 +78,16 @@ func (p *Policy) updatePolicy(obj *Policy, ruleType pinfo.RuleType) bool { updates := false // Check Mutation rules switch ruleType { + case pinfo.All: + if p.compareMutationRules(obj.MutationRules) { + updates = true + } + if p.compareValidationRules(obj.ValidationRules) { + updates = true + } + if p.compareGenerationRules(obj.GenerationRules) { + updates = true + } case pinfo.Mutation: if p.compareMutationRules(obj.MutationRules) { updates = true @@ -214,6 +224,59 @@ func ParseAnnotationsFromObject(bytes []byte) map[string]string { return ann } +func PatchAnnotations(ann map[string]string, pi *pinfo.PolicyInfo, ruleType pinfo.RuleType) ([]byte, error) { + if ruleType != pinfo.All && !pi.ContainsRuleType(ruleType) { + // the rule was not proceesed in the current policy application + return nil, nil + } + // transform the PolicyInfo to anotation struct + policyObj := newAnnotationForPolicy(pi) + if ann == nil { + ann = make(map[string]string, 0) + policyByte, err := json.Marshal(policyObj) + if err != nil { + return nil, err + } + // create a json patch to add annotation object + ann[BuildKeyString(pi.Name)] = string(policyByte) + // patch adds the annotation map with the policy information + jsonPatch, err := createAddJSONPatchMap(ann) + return jsonPatch, err + } + // if the annotations map already exists then we need to update it by adding a patch to the field inside the annotation + cPolicy, ok := ann[BuildKey(pi.Name)] + if !ok { + // annotations does not contain the policy + policyByte, err := json.Marshal(policyObj) + if err != nil { + return nil, err + } + jsonPatch, err := createAddJSONPatch(BuildKey(pi.Name), string(policyByte)) + return jsonPatch, err + } + // an annotaion exists for the policy, we need to update the information if anything has changed + cPolicyObj := Policy{} + err := json.Unmarshal([]byte(cPolicy), &cPolicyObj) + if err != nil { + // error while unmarshallign the content + return nil, err + } + // update policy information inside the annotation + // 1> policy status + // 2> rule (name, status,changes,type) + update := cPolicyObj.updatePolicy(policyObj, ruleType) + if !update { + // there is not update, so we dont + return nil, nil + } + policyByte, err := json.Marshal(cPolicyObj) + if err != nil { + return nil, err + } + jsonPatch, err := createAddJSONPatch(BuildKey(pi.Name), string(policyByte)) + return jsonPatch, err +} + //AddPolicyJSONPatch generate JSON Patch to add policy informatino JSON patch func AddPolicyJSONPatch(ann map[string]string, pi *pinfo.PolicyInfo, ruleType pinfo.RuleType) (map[string]string, []byte, error) { if !pi.ContainsRuleType(ruleType) { diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go index 67cd0908fd..3460732a6a 100644 --- a/pkg/controller/controller.go +++ b/pkg/controller/controller.go @@ -5,8 +5,6 @@ import ( "reflect" "time" - jsonpatch "github.com/evanphx/json-patch" - "github.com/nirmata/kyverno/pkg/annotations" "github.com/nirmata/kyverno/pkg/info" "github.com/nirmata/kyverno/pkg/utils" @@ -210,7 +208,6 @@ func (pc *PolicyController) syncHandler(obj interface{}) error { func (pc *PolicyController) createAnnotations(policyInfos []*info.PolicyInfo) { for _, pi := range policyInfos { - var patch []byte //get resource obj, err := pc.client.GetResource(pi.RKind, pi.RNamespace, pi.RName) if err != nil { @@ -219,61 +216,14 @@ func (pc *PolicyController) createAnnotations(policyInfos []*info.PolicyInfo) { } // add annotation for policy application ann := obj.GetAnnotations() - // Mutation rules - ann, mpatch, err := annotations.AddPolicyJSONPatch(ann, pi, info.Mutation) - if err != nil { - glog.Error(err) - continue - } - // Validation rules - ann, vpatch, err := annotations.AddPolicyJSONPatch(ann, pi, info.Validation) - if err != nil { - glog.Error(err) - } - - // Generation rules - ann, gpatch, err := annotations.AddPolicyJSONPatch(ann, pi, info.Generation) - if err != nil { - glog.Error(err) - } - - if mpatch == nil && vpatch == nil && gpatch == nil { - //nothing to patch - continue - } - // merge the patches - if mpatch != nil && vpatch != nil { - patch, err = jsonpatch.MergePatch(mpatch, vpatch) - if err != nil { - glog.Error(err) - continue - } - } - - if mpatch == nil { - patch = vpatch - } else { - patch = mpatch - } - - if gpatch != nil { - // generation - if patch != nil { - patch, err = jsonpatch.MergePatch(patch, gpatch) - if err != nil { - glog.Error(err) - continue - } - } else { - patch = gpatch - } - } - + // if annotations are nil then create a map and patch + // else + // add the exact patch + patch, err := annotations.PatchAnnotations(ann, pi, info.All) if patch == nil { + /// nothing to patch return } - - // add the anotation to the resource _, err = pc.client.PatchResource(pi.RKind, pi.RNamespace, pi.RName, patch) if err != nil { glog.Error(err) diff --git a/pkg/gencontroller/generation.go b/pkg/gencontroller/generation.go index 76c03792e8..4270715037 100644 --- a/pkg/gencontroller/generation.go +++ b/pkg/gencontroller/generation.go @@ -140,7 +140,7 @@ func (c *Controller) createAnnotations(pi *info.PolicyInfo) { // add annotation for policy application ann := obj.GetAnnotations() // Generation rules - ann, gpatch, err := annotations.AddPolicyJSONPatch(ann, pi, info.Generation) + gpatch, err := annotations.PatchAnnotations(ann, pi, info.Generation) if err != nil { glog.Error(err) return diff --git a/pkg/info/info.go b/pkg/info/info.go index fbde19e160..8d61b764f0 100644 --- a/pkg/info/info.go +++ b/pkg/info/info.go @@ -99,6 +99,7 @@ const ( Mutation RuleType = iota Validation Generation + All ) func (ri RuleType) String() string { @@ -106,6 +107,7 @@ func (ri RuleType) String() string { "Mutation", "Validation", "Generation", + "All", }[ri] } diff --git a/pkg/webhooks/report.go b/pkg/webhooks/report.go index 7f9b4697af..d9003417ec 100644 --- a/pkg/webhooks/report.go +++ b/pkg/webhooks/report.go @@ -68,7 +68,7 @@ func addAnnotationsToResource(rawResource []byte, pi *info.PolicyInfo, ruleType } // get annotations ann := annotations.ParseAnnotationsFromObject(rawResource) - ann, patch, err := annotations.AddPolicyJSONPatch(ann, pi, ruleType) + patch, err := annotations.PatchAnnotations(ann, pi, ruleType) if err != nil { glog.Error(err) return nil From 87994e4a77b6db7edb7111267a182af2f41b21b0 Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Wed, 7 Aug 2019 18:13:43 -0700 Subject: [PATCH 3/5] fixes 268_bug --- examples/policy_generate_networkPolicy.yaml | 5 +++-- pkg/engine/generation.go | 13 +++++++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/examples/policy_generate_networkPolicy.yaml b/examples/policy_generate_networkPolicy.yaml index 390d8fc07c..56629eccdc 100644 --- a/examples/policy_generate_networkPolicy.yaml +++ b/examples/policy_generate_networkPolicy.yaml @@ -1,9 +1,10 @@ apiVersion: kyverno.io/v1alpha1 kind: Policy metadata: - name: "default-networkPolicy" + name: "defaultnetworkpolicy" spec: rules: + validationFailureAction: audit - name: "default-networkPolicy" match: resources: @@ -12,7 +13,7 @@ spec: name: "devtest" generate: kind: NetworkPolicy - name: default-networkPolicy + name: defaultnetworkpolicy data: spec: # select all pods in the namespace diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 2bc02fc2f5..314646fe72 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -21,7 +21,7 @@ func Generate(client *client.Client, policy *v1alpha1.Policy, ns unstructured.Un continue } ri := info.NewRuleInfo(rule.Name, info.Generation) - err := applyRuleGenerator(client, ns, rule.Generation) + err := applyRuleGenerator(client, ns, rule.Generation, policy.Spec.ValidationFailureAction) if err != nil { ri.Fail() ri.Addf("Rule %s: Failed to apply rule generator, err %v.", rule.Name, err) @@ -34,7 +34,7 @@ func Generate(client *client.Client, policy *v1alpha1.Policy, ns unstructured.Un return ris } -func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen *v1alpha1.Generation) error { +func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen *v1alpha1.Generation, validationFailureAction string) error { var err error resource := &unstructured.Unstructured{} var rdata map[string]interface{} @@ -80,6 +80,15 @@ func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen // Reset resource version resource.SetResourceVersion("") + if validationFailureAction != "audit" { + // if not audit, then enforce.. + // with enforce we will block the creation of resource and instead generate an error + // the error will then create a policyViolation so that the resource owner can add the defaults + return errors.New("policy flag validationFailureAction:'audit' blocked the creation of default resource for the namespace") + } + // for "audit" mode, the resource will create the resource + // but wont generate a policy violation as the generate controller doesnt know if the generate request + // is a new resource via admission controller or via syncing its cache after a controller restart _, err = client.CreateResource(gen.Kind, ns.GetName(), resource, false) if err != nil { return err From 15092f6927d2b07ac25f9eed5c5fa4aa5302acc9 Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Wed, 7 Aug 2019 18:24:55 -0700 Subject: [PATCH 4/5] update comment for bug_268 --- pkg/engine/generation.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 314646fe72..d0e0c73c7d 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -79,16 +79,16 @@ func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen resource.SetNamespace(ns.GetName()) // Reset resource version resource.SetResourceVersion("") - - if validationFailureAction != "audit" { - // if not audit, then enforce.. - // with enforce we will block the creation of resource and instead generate an error - // the error will then create a policyViolation so that the resource owner can add the defaults - return errors.New("policy flag validationFailureAction:'audit' blocked the creation of default resource for the namespace") - } + // TODO based on https://github.com/nirmata/kyverno/issues/268 + // if validationFailureAction != "audit" { + // // if not audit, then enforce.. + // // with enforce we will block the creation of resource and instead generate an error + // // the error will then create a policyViolation so that the resource owner can add the defaults + // return errors.New("policy flag validationFailureAction:'audit' blocked the creation of default resource for the namespace") + // } // for "audit" mode, the resource will create the resource // but wont generate a policy violation as the generate controller doesnt know if the generate request - // is a new resource via admission controller or via syncing its cache after a controller restart + // is a new resource via admission controller or via syncing its cache after a controller _, err = client.CreateResource(gen.Kind, ns.GetName(), resource, false) if err != nil { return err From cc907bccbad2a7faa1a7941ef941c01971f0532b Mon Sep 17 00:00:00 2001 From: shivkumar dudhani Date: Thu, 8 Aug 2019 15:15:47 -0700 Subject: [PATCH 5/5] create violation on existing namespace that dont satisfy the generate rules --- examples/policy_generate_networkPolicy.yaml | 1 - pkg/engine/generation.go | 29 ++++++++++----------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/examples/policy_generate_networkPolicy.yaml b/examples/policy_generate_networkPolicy.yaml index 56629eccdc..67db85df8d 100644 --- a/examples/policy_generate_networkPolicy.yaml +++ b/examples/policy_generate_networkPolicy.yaml @@ -4,7 +4,6 @@ metadata: name: "defaultnetworkpolicy" spec: rules: - validationFailureAction: audit - name: "default-networkPolicy" match: resources: diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index d0e0c73c7d..f34479b043 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -2,13 +2,14 @@ package engine import ( "encoding/json" - "errors" + "fmt" "github.com/golang/glog" v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1" client "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/info" "github.com/nirmata/kyverno/pkg/utils" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" ) @@ -21,7 +22,7 @@ func Generate(client *client.Client, policy *v1alpha1.Policy, ns unstructured.Un continue } ri := info.NewRuleInfo(rule.Name, info.Generation) - err := applyRuleGenerator(client, ns, rule.Generation, policy.Spec.ValidationFailureAction) + err := applyRuleGenerator(client, ns, rule.Generation, policy.GetCreationTimestamp()) if err != nil { ri.Fail() ri.Addf("Rule %s: Failed to apply rule generator, err %v.", rule.Name, err) @@ -34,11 +35,15 @@ func Generate(client *client.Client, policy *v1alpha1.Policy, ns unstructured.Un return ris } -func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen *v1alpha1.Generation, validationFailureAction string) error { +func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen *v1alpha1.Generation, policyCreationTime metav1.Time) error { var err error resource := &unstructured.Unstructured{} var rdata map[string]interface{} - + // To manage existing resource , we compare the creation time for the default resource to be generate and policy creation time + processExisting := func() bool { + nsCreationTime := ns.GetCreationTimestamp() + return nsCreationTime.Before(&policyCreationTime) + }() if gen.Data != nil { // 1> Check if resource exists obj, err := client.GetResource(gen.Kind, ns.GetName(), gen.Name) @@ -51,7 +56,7 @@ func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen return err } if !ok { - return errors.New("rule configuration not present in resource") + return fmt.Errorf("rule configuration not present in resource %s/%s", ns.GetName(), gen.Name) } return nil } @@ -74,21 +79,15 @@ func applyRuleGenerator(client *client.Client, ns unstructured.Unstructured, gen } rdata = resource.UnstructuredContent() } + if processExisting { + // for existing resources we generate an error which indirectly generates a policy violation + return fmt.Errorf("resource %s not found in existing namespace %s", gen.Name, ns.GetName()) + } resource.SetUnstructuredContent(rdata) resource.SetName(gen.Name) resource.SetNamespace(ns.GetName()) // Reset resource version resource.SetResourceVersion("") - // TODO based on https://github.com/nirmata/kyverno/issues/268 - // if validationFailureAction != "audit" { - // // if not audit, then enforce.. - // // with enforce we will block the creation of resource and instead generate an error - // // the error will then create a policyViolation so that the resource owner can add the defaults - // return errors.New("policy flag validationFailureAction:'audit' blocked the creation of default resource for the namespace") - // } - // for "audit" mode, the resource will create the resource - // but wont generate a policy violation as the generate controller doesnt know if the generate request - // is a new resource via admission controller or via syncing its cache after a controller _, err = client.CreateResource(gen.Kind, ns.GetName(), resource, false) if err != nil { return err