- insert annotation to podTemplate; - skip apply rule on pod if annotation exists

2025-03-31 03:45:17 +00:00 · 2019-12-26 15:34:19 -08:00 · 2019-12-26 15:34:19 -08:00 · 54ecb7738a
commit 54ecb7738a
parent b5255893e3
5 changed files with 55 additions and 16 deletions
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -1,12 +1,20 @@
 package engine

 import (
+	"strings"
 	"time"

 	"github.com/golang/glog"
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/response"
 )

+const (
+	PodControllers           = "DaemonSet,Deployment,Job,StatefulSet"
+	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
+	PodTemplateAnnotation    = "pod-policies.kyverno.io/autogen-applied"
+)
+
 // Mutate performs mutation. Overlay first and then mutation patches
 func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	startTime := time.Now()
@ -39,7 +47,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {

 	for _, rule := range policy.Spec.Rules {
 		//TODO: to be checked before calling the resources as well
-		if !rule.HasMutate() {
+		if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {
 			continue
 		}

@ -83,8 +91,29 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount()
 		}
+
+		// insert annotation to podtemplate if resource is pod controller
+		if strings.Contains(PodControllers, resource.GetKind()) {
+			var ruleResponse response.RuleResponse
+			ruleResponse, patchedResource = processOverlay(ctx, podTemplateRule, patchedResource)
+			if !ruleResponse.Success {
+				glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s", resource.GetKind(), resource.GetNamespace(), resource.GetName())
+				continue
+			}
+
+			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+		}
 	}
 	// send the patched resource
 	resp.PatchedResource = patchedResource
 	return resp
 }
+
+// podTemplateRule mutate pod template with annotation
+// pod-policies.kyverno.io/autogen-applied=true
+var podTemplateRule = kyverno.Rule{
+	Name: "autogen-add-podtemplate-annotation",
+	Mutation: kyverno.Mutation{
+		Overlay: `{"spec":{"template":{"metadata":{"annotations":{"+(pod-policies.kyverno.io/autogen-applied)":"true"}}}}}"`,
+	},
+}
--- a/pkg/policy/cleanup.go
+++ b/pkg/policy/cleanup.go
@ -50,7 +50,7 @@ func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResp
 		if reflect.DeepEqual(pv, kyverno.PolicyViolation{}) {
 			continue
 		}
-		glog.V(4).Infof("cleanup namespaced violation %s on %s", pv.Name, pv.Spec.ResourceSpec.ToKey())
+		glog.V(4).Infof("cleanup namespaced violation %s on %s.%s", pv.Name, pResponse.Resource.Namespace, pv.Spec.ResourceSpec.ToKey())
 		if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil {
 			glog.Errorf("failed to delete namespaced policy violation %s on %s: %v", pv.Name, pv.Spec.ResourceSpec.ToKey(), err)
 			continue
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@ -10,16 +10,12 @@ import (
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/utils"
 	v1beta1 "k8s.io/api/admission/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

-const (
-	podControllers           = "DaemonSet,Deployment,Job,StatefulSet"
-	podControllersAnnotation = "policies.kyverno.io/autogen-controllers"
-)
-
 func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	var policy *kyverno.ClusterPolicy
 	raw := request.Object.Raw
@ -114,7 +110,7 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri
 // generatePodControllerRule returns two patches: rulePatches and annotation patch(if necessary)
 func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte, errs []error) {
 	ann := policy.GetAnnotations()
-	controllers, ok := ann[podControllersAnnotation]
+	controllers, ok := ann[engine.PodControllersAnnotation]

 	// scenario A
 	if !ok {
@ -215,7 +211,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu
 			glog.Warningf("Rule '%s' skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", rule.Name)
 			return kyvernoRule{}
 		}
-		controllers = podControllers
+		controllers = engine.PodControllers
 	}

 	controllerRule := &kyvernoRule{
@ -276,12 +272,12 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu
 	return kyvernoRule{}
 }

-// defaultPodControllerAnnotation generates annotation "policies.kyverno.io/autogen-controllers=all"
+// defaultPodControllerAnnotation generates annotation "pod-policies.kyverno.io/autogen-controllers=all"
 // ann passes in the annotation of the policy
 func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) {
 	if ann == nil {
 		ann = make(map[string]string)
-		ann[podControllersAnnotation] = "all"
+		ann[engine.PodControllersAnnotation] = "all"
 		jsonPatch := struct {
 			Path  string      `json:"path"`
 			Op    string      `json:"op"`
@ -304,7 +300,7 @@ func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) {
 		Op    string      `json:"op"`
 		Value interface{} `json:"value"`
 	}{
-		"/metadata/annotations/policies.kyverno.io~1autogen-controllers",
+		"/metadata/annotations/pod-policies.kyverno.io~1autogen-controllers",
 		"add",
 		"all",
 	}
--- a/pkg/webhooks/policymutation_test.go
+++ b/pkg/webhooks/policymutation_test.go
@ -40,7 +40,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) {
 		"metadata": {
 		  "name": "add-safe-to-evict",
 		  "annotations": {
-			"policies.kyverno.io/autogen-controllers": "all"
+			"pod-policies.kyverno.io/autogen-controllers": "all"
 		  }
 		}
 	  }`)
@ -54,7 +54,7 @@ func TestGeneratePodControllerRule_PredefinedAnnotation(t *testing.T) {
 		"metadata": {
 		  "name": "add-safe-to-evict",
 		  "annotations": {
-			"policies.kyverno.io/autogen-controllers": "StatefulSet,Pod"
+			"pod-policies.kyverno.io/autogen-controllers": "StatefulSet,Pod"
 		  }
 		}
 	  }`)
@ -92,7 +92,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) {
 		"metadata": {
 		  "name": "add-safe-to-evict",
 		  "annotations": {
-			"policies.kyverno.io/autogen-controllers": "all",
+			"pod-policies.kyverno.io/autogen-controllers": "all",
 			"test": "annotation"
 		  }
 		}
@ -243,7 +243,7 @@ func TestGeneratePodControllerRule(t *testing.T) {
 		   "name": "add-safe-to-evict",
 		   "annotations": {
 			  "a": "b",
-			  "policies.kyverno.io/autogen-controllers": "all"
+			  "pod-policies.kyverno.io/autogen-controllers": "all"
 		   }
 		},
 		"spec": {
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -1,6 +1,7 @@
 package webhooks

 import (
+	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/json"
@ -17,6 +18,7 @@ import (
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/config"
 	client "github.com/nirmata/kyverno/pkg/dclient"
+	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/policy"
 	"github.com/nirmata/kyverno/pkg/policystore"
@ -185,6 +187,18 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) {
 }

 func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	if request.Kind.Kind == "Pod" {
+		if bytes.Contains(request.Object.Raw, []byte(engine.PodTemplateAnnotation)) {
+			glog.V(4).Infof("Policies already processed on pod controllers, skip processing policy on Pod UID=%s", request.UID)
+			return &v1beta1.AdmissionResponse{
+				Allowed: true,
+				Result: &metav1.Status{
+					Status: "Success",
+				},
+			}
+		}
+	}
+
 	policies, err := ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace)
 	if err != nil {
 		// Unable to connect to policy Lister to access policies