diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index da8534feda..39a0edc34d 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -1,12 +1,20 @@ package engine import ( + "strings" "time" "github.com/golang/glog" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" ) +const ( + PodControllers = "DaemonSet,Deployment,Job,StatefulSet" + PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers" + PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied" +) + // Mutate performs mutation. Overlay first and then mutation patches func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { startTime := time.Now() @@ -39,7 +47,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { for _, rule := range policy.Spec.Rules { //TODO: to be checked before calling the resources as well - if !rule.HasMutate() { + if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) { continue } @@ -83,8 +91,29 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) incrementAppliedRuleCount() } + + // insert annotation to podtemplate if resource is pod controller + if strings.Contains(PodControllers, resource.GetKind()) { + var ruleResponse response.RuleResponse + ruleResponse, patchedResource = processOverlay(ctx, podTemplateRule, patchedResource) + if !ruleResponse.Success { + glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s", resource.GetKind(), resource.GetNamespace(), resource.GetName()) + continue + } + + resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) + } } // send the patched resource resp.PatchedResource = patchedResource return resp } + +// podTemplateRule mutate pod template with annotation +// pod-policies.kyverno.io/autogen-applied=true +var podTemplateRule = kyverno.Rule{ + Name: "autogen-add-podtemplate-annotation", + Mutation: kyverno.Mutation{ + Overlay: `{"spec":{"template":{"metadata":{"annotations":{"+(pod-policies.kyverno.io/autogen-applied)":"true"}}}}}"`, + }, +} diff --git a/pkg/policy/cleanup.go b/pkg/policy/cleanup.go index cf87f5e886..dd63cb1f03 100644 --- a/pkg/policy/cleanup.go +++ b/pkg/policy/cleanup.go @@ -50,7 +50,7 @@ func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResp if reflect.DeepEqual(pv, kyverno.PolicyViolation{}) { continue } - glog.V(4).Infof("cleanup namespaced violation %s on %s", pv.Name, pv.Spec.ResourceSpec.ToKey()) + glog.V(4).Infof("cleanup namespaced violation %s on %s.%s", pv.Name, pResponse.Resource.Namespace, pv.Spec.ResourceSpec.ToKey()) if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil { glog.Errorf("failed to delete namespaced policy violation %s on %s: %v", pv.Name, pv.Spec.ResourceSpec.ToKey(), err) continue diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go index 8e48f3d641..dbaedfec3b 100644 --- a/pkg/webhooks/policymutation.go +++ b/pkg/webhooks/policymutation.go @@ -10,16 +10,12 @@ import ( jsonpatch "github.com/evanphx/json-patch" "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/engine" "github.com/nirmata/kyverno/pkg/utils" v1beta1 "k8s.io/api/admission/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -const ( - podControllers = "DaemonSet,Deployment,Job,StatefulSet" - podControllersAnnotation = "policies.kyverno.io/autogen-controllers" -) - func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { var policy *kyverno.ClusterPolicy raw := request.Object.Raw @@ -114,7 +110,7 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri // generatePodControllerRule returns two patches: rulePatches and annotation patch(if necessary) func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte, errs []error) { ann := policy.GetAnnotations() - controllers, ok := ann[podControllersAnnotation] + controllers, ok := ann[engine.PodControllersAnnotation] // scenario A if !ok { @@ -215,7 +211,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu glog.Warningf("Rule '%s' skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", rule.Name) return kyvernoRule{} } - controllers = podControllers + controllers = engine.PodControllers } controllerRule := &kyvernoRule{ @@ -276,12 +272,12 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu return kyvernoRule{} } -// defaultPodControllerAnnotation generates annotation "policies.kyverno.io/autogen-controllers=all" +// defaultPodControllerAnnotation generates annotation "pod-policies.kyverno.io/autogen-controllers=all" // ann passes in the annotation of the policy func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) { if ann == nil { ann = make(map[string]string) - ann[podControllersAnnotation] = "all" + ann[engine.PodControllersAnnotation] = "all" jsonPatch := struct { Path string `json:"path"` Op string `json:"op"` @@ -304,7 +300,7 @@ func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) { Op string `json:"op"` Value interface{} `json:"value"` }{ - "/metadata/annotations/policies.kyverno.io~1autogen-controllers", + "/metadata/annotations/pod-policies.kyverno.io~1autogen-controllers", "add", "all", } diff --git a/pkg/webhooks/policymutation_test.go b/pkg/webhooks/policymutation_test.go index 3ffca84d1c..b732bebf0a 100644 --- a/pkg/webhooks/policymutation_test.go +++ b/pkg/webhooks/policymutation_test.go @@ -40,7 +40,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) { "metadata": { "name": "add-safe-to-evict", "annotations": { - "policies.kyverno.io/autogen-controllers": "all" + "pod-policies.kyverno.io/autogen-controllers": "all" } } }`) @@ -54,7 +54,7 @@ func TestGeneratePodControllerRule_PredefinedAnnotation(t *testing.T) { "metadata": { "name": "add-safe-to-evict", "annotations": { - "policies.kyverno.io/autogen-controllers": "StatefulSet,Pod" + "pod-policies.kyverno.io/autogen-controllers": "StatefulSet,Pod" } } }`) @@ -92,7 +92,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) { "metadata": { "name": "add-safe-to-evict", "annotations": { - "policies.kyverno.io/autogen-controllers": "all", + "pod-policies.kyverno.io/autogen-controllers": "all", "test": "annotation" } } @@ -243,7 +243,7 @@ func TestGeneratePodControllerRule(t *testing.T) { "name": "add-safe-to-evict", "annotations": { "a": "b", - "policies.kyverno.io/autogen-controllers": "all" + "pod-policies.kyverno.io/autogen-controllers": "all" } }, "spec": { diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index 1b5dd58c5f..148265de3f 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -1,6 +1,7 @@ package webhooks import ( + "bytes" "context" "crypto/tls" "encoding/json" @@ -17,6 +18,7 @@ import ( kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "github.com/nirmata/kyverno/pkg/config" client "github.com/nirmata/kyverno/pkg/dclient" + "github.com/nirmata/kyverno/pkg/engine" "github.com/nirmata/kyverno/pkg/event" "github.com/nirmata/kyverno/pkg/policy" "github.com/nirmata/kyverno/pkg/policystore" @@ -185,6 +187,18 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { } func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { + if request.Kind.Kind == "Pod" { + if bytes.Contains(request.Object.Raw, []byte(engine.PodTemplateAnnotation)) { + glog.V(4).Infof("Policies already processed on pod controllers, skip processing policy on Pod UID=%s", request.UID) + return &v1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Status: "Success", + }, + } + } + } + policies, err := ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace) if err != nil { // Unable to connect to policy Lister to access policies