diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go
index ee4bb90295..cd7705abbe 100644
--- a/pkg/engine/forceMutate.go
+++ b/pkg/engine/forceMutate.go
@@ -88,14 +88,6 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour
 }
 }
 
- if rule.Mutation.PatchStrategicMerge != nil {
- var resp response.RuleResponse
- resp, resource = mutate.ProcessStrategicMergePatch(rule.Name, rule.Mutation.PatchStrategicMerge, resource, logger.WithValues("rule", rule.Name))
- if !resp.Success {
- return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
- }
- }
-
 if rule.Mutation.PatchesJSON6902 != "" {
 var resp response.RuleResponse
 jsonPatches, err := yaml.YAMLToJSON([]byte(rule.Mutation.PatchesJSON6902))
diff --git a/pkg/engine/forceMutate_test.go b/pkg/engine/forceMutate_test.go
index 38b0a640a9..b7dd83c1c6 100644
--- a/pkg/engine/forceMutate_test.go
+++ b/pkg/engine/forceMutate_test.go
@@ -150,92 +150,6 @@ func Test_ForceMutateSubstituteVarsWithNilContext(t *testing.T) {
 assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent())
 }
-func Test_ForceMutateSubstituteVarsWithPatchStrategicMerge(t *testing.T) {
- rawPolicy := []byte(`
- {
- "apiVersion": "kyverno.io/v1",
- "kind": "ClusterPolicy",
- "metadata": {
- "name": "strategic-merge-patch"
- },
- "spec": {
- "rules": [
- {
- "name": "set-image-pull-policy-add-command",
- "match": {
- "resources": {
- "kinds": [
- "Pod"
- ]
- }
- },
- "mutate": {
- "patchStrategicMerge": {
- "spec": {
- "volumes": [
- {
- "emptyDir": {
- "medium": "Memory"
- },
- "name": "cache-volume"
- }
- ]
- }
- }
- }
- }
- ]
- }
- }
-`)
-
- rawResource := []byte(`
-{
- "apiVersion": "v1",
- "kind": "Pod",
- "metadata": {
- "name": "check-root-user"
- },
- "spec": {
- "volumes": [
- {
- "name": "cache-volume",
- "emptyDir": { }
- },
- {
- "name": "cache-volume2",
- "emptyDir": {
- "medium": "Memory"
- }
- }
- ]
- }
-}
-`)
-
- expectedRawResource := []byte(`
- {"apiVersion":"v1","kind":"Pod","metadata":{"name":"check-root-user"},"spec":{"volumes":[{"emptyDir":{"medium":"Memory"},"name":"cache-volume"},{"emptyDir":{"medium":"Memory"},"name":"cache-volume2"}]}}
- `)
-
- var expectedResource interface{}
- assert.NilError(t, json.Unmarshal(expectedRawResource, &expectedResource))
-
- var policy kyverno.ClusterPolicy
- err := json.Unmarshal(rawPolicy, &policy)
- assert.NilError(t, err)
-
- resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
- assert.NilError(t, err)
- ctx := context.NewContext()
- err = ctx.AddResource(rawResource)
- assert.NilError(t, err)
-
- mutatedResource, err := ForceMutate(ctx, policy, *resourceUnstructured)
- assert.NilError(t, err)
-
- assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent())
-}
-
 func Test_ForceMutateSubstituteVarsWithPatchesJson6902(t *testing.T) {
 rawPolicy := []byte(`
 {
diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go
index 39d51e891d..7f542f1925 100644
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@@ -39,8 +39,8 @@ type policyCache struct {
 type Interface interface {
 Add(policy *kyverno.ClusterPolicy)
 Remove(policy *kyverno.ClusterPolicy)
- GetPolicyObject(pkey PolicyType, kind *string, nspace *string) []*kyverno.ClusterPolicy
- get(pkey PolicyType, kind *string, nspace *string) []string
+ GetPolicyObject(pkey PolicyType, kind string, nspace string) []*kyverno.ClusterPolicy
+ get(pkey PolicyType, kind string, nspace string) []string
 }
 
 // newPolicyCache ...
@@ -70,10 +70,10 @@ func (pc *policyCache) Add(policy *kyverno.ClusterPolicy) {
 }
 
 // Get the list of matched policies
-func (pc *policyCache) get(pkey PolicyType, kind, nspace *string) []string {
+func (pc *policyCache) get(pkey PolicyType, kind, nspace string) []string {
 return pc.pMap.get(pkey, kind, nspace)
 }
 
-func (pc *policyCache) GetPolicyObject(pkey PolicyType, kind, nspace *string) []*kyverno.ClusterPolicy {
+func (pc *policyCache) GetPolicyObject(pkey PolicyType, kind, nspace string) []*kyverno.ClusterPolicy {
 return pc.getPolicyObject(pkey, kind, nspace)
 }
@@ -148,15 +148,15 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) {
 m.nameCacheMap[Generate] = generateMap
 }
 
-func (pc *pMap) get(key PolicyType, kind, namespace *string) (names []string) {
+func (pc *pMap) get(key PolicyType, kind, namespace string) (names []string) {
 pc.RLock()
 defer pc.RUnlock()
- for _, policyName := range pc.kindDataMap[*kind][key] {
+ for _, policyName := range pc.kindDataMap[kind][key] {
 ns, key, isNamespacedPolicy := policy2.ParseNamespacedPolicy(policyName)
 if !isNamespacedPolicy {
 names = append(names, key)
 } else {
- if ns == *namespace {
+ if ns == namespace {
 names = append(names, policyName)
 }
 }
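Review bot: `pMap.get` in the -148 hunk appends every non-namespaced policy regardless of the `namespace` argument (`if !isNamespacedPolicy { names = append(names, key) }`), so with the new string API a lookup with a real namespace returns cluster policies plus that namespace's policies, and the callers in this diff — `ResourceMutation` and `resourceValidation` in server.go (-308, -395) and `auditHandler.process` in validate_audit.go (-149), which call `GetPolicyObject` once with `""` and once with `request.Namespace` and append the two results — end up with each cluster policy twice, and with two identical lists for cluster-scoped resources where `request.Namespace` is empty. Unless `getPolicyObject` deduplicates further down, which is not visible here, every cluster mutate/validate rule is then evaluated twice per admission request; JSON 6902 `add` patches on lists are not idempotent, and audit results would be reported twice. Making `""` mean "cluster policies only" inside `get` — `if !isNamespacedPolicy && namespace == "" {` — keeps the webhooks' two-call pattern correct and, as far as the test hunks show, still satisfies the `Test_Ns_*` expectations, which look up by the policy's own namespace. Whichever contract is chosen should be written on `pMap.get` and on the exported `GetPolicyObject` in the -39/-70 hunks, e.g. `// GetPolicyObject returns the cached policies for kind under pkey: cluster policies when nspace is "", otherwise the policies of that namespace.`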
@@ -195,7 +195,7 @@ func (m *pMap) remove(policy *kyverno.ClusterPolicy) {
 }
 }
 }
-func (m *policyCache) getPolicyObject(key PolicyType, kind *string, nspace *string) (policyObject []*kyverno.ClusterPolicy) {
+func (m *policyCache) getPolicyObject(key PolicyType, kind string, nspace string) (policyObject []*kyverno.ClusterPolicy) {
 policyNames := m.pMap.get(key, kind, nspace)
 for _, policyName := range policyNames {
 var policy *kyverno.ClusterPolicy
@@ -203,7 +203,7 @@ func (m *policyCache) getPolicyObject(key PolicyType, kind *string, nspace *stri
 if !isNamespacedPolicy {
 policy, _ = m.pLister.Get(key)
 } else {
- if ns == *nspace {
+ if ns == nspace {
 nspolicy, _ := m.npLister.Policies(ns).Get(key)
 policy = policy2.ConvertPolicyToClusterPolicy(nspolicy)
 }
diff --git a/pkg/policycache/cache_test.go b/pkg/policycache/cache_test.go
index f74dc7c3a5..472c502472 100644
--- a/pkg/policycache/cache_test.go
+++ b/pkg/policycache/cache_test.go
@@ -54,16 +54,16 @@ func Test_All(t *testing.T) {
 for _, kind := range rule.MatchResources.Kinds {
 // get
- mutate := pCache.get(Mutate, &kind, nil)
+ mutate := pCache.get(Mutate, kind, "")
 if len(mutate) != 1 {
 t.Errorf("expected 1 mutate policy, found %v", len(mutate))
 }
- validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
+ validateEnforce := pCache.get(ValidateEnforce, kind, "")
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
 }
- generate := pCache.get(Generate, &kind, nil)
+ generate := pCache.get(Generate, kind, "")
 if len(generate) != 1 {
 t.Errorf("expected 1 generate policy, found %v", len(generate))
 }
@@ -73,7 +73,7 @@ func Test_All(t *testing.T) {
 // remove
 pCache.Remove(policy)
 kind := "pod"
- validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
+ validateEnforce := pCache.get(ValidateEnforce, kind, "")
 assert.Assert(t, len(validateEnforce) == 0)
 }
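Review bot: The namespaced branch in the -203 hunk still discards the lister error on the line after the changed comparison (`nspolicy, _ := m.npLister.Policies(ns).Get(key)`), so a policy that disappeared from the informer between `m.pMap.get` and this read is handed to `ConvertPolicyToClusterPolicy` as nil; what that helper returns for nil, and whether the result is appended to `policyObject` further down, is outside the hunk. Checking the error and skipping the stale cache entry — `nspolicy, err := m.npLister.Policies(ns).Get(key); if err != nil { continue }` — would keep an empty or nil policy from reaching the engine, and the cluster branch two lines above (`policy, _ = m.pLister.Get(key)`) has the same pattern. The loop body of `getPolicyObject` continues past the end of this hunk.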
@@ -86,16 +86,16 @@ func Test_Add_Duplicate_Policy(t *testing.T) {
 for _, rule := range policy.Spec.Rules {
 for _, kind := range rule.MatchResources.Kinds {
- mutate := pCache.get(Mutate, &kind, nil)
+ mutate := pCache.get(Mutate, kind, "")
 if len(mutate) != 1 {
 t.Errorf("expected 1 mutate policy, found %v", len(mutate))
 }
- validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
+ validateEnforce := pCache.get(ValidateEnforce, kind, "")
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
 }
- generate := pCache.get(Generate, &kind, nil)
+ generate := pCache.get(Generate, kind, "")
 if len(generate) != 1 {
 t.Errorf("expected 1 generate policy, found %v", len(generate))
 }
@@ -115,12 +115,12 @@ func Test_Add_Validate_Audit(t *testing.T) {
 for _, rule := range policy.Spec.Rules {
 for _, kind := range rule.MatchResources.Kinds {
- validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
+ validateEnforce := pCache.get(ValidateEnforce, kind, "")
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 mutate policy, found %v", len(validateEnforce))
 }
- validateAudit := pCache.get(ValidateAudit, &kind, nil)
+ validateAudit := pCache.get(ValidateAudit, kind, "")
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate policy, found %v", len(validateAudit))
 }
@@ -133,13 +133,13 @@ func Test_Add_Remove(t *testing.T) {
 policy := newPolicy(t)
 kind := "Pod"
 pCache.Add(policy)
- validateEnforce := pCache.get(ValidateEnforce, &kind, nil)
+ validateEnforce := pCache.get(ValidateEnforce, kind, "")
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
 }
 pCache.Remove(policy)
- deletedValidateEnforce := pCache.get(ValidateEnforce, &kind, nil)
+ deletedValidateEnforce := pCache.get(ValidateEnforce, kind, "")
 if len(deletedValidateEnforce) != 0 {
 t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
 }
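Review bot: In the -115 hunk the check that follows the changed `validateAudit := pCache.get(ValidateAudit, kind, "")` still tests `len(validateEnforce)` instead of `len(validateAudit)`, so the audit lookup is never asserted and the test cannot catch a regression in the `ValidateAudit` path; the condition should read `if len(validateAudit) != 1 {`. The same `validateEnforce`/`validateAudit` mix-up appears in `Test_Ns_Add_Validate_Audit` (-439 hunk), and the first message in this hunk says "expected 1 mutate policy" although it counts enforce policies. Since these tests now pass plain strings, they would also be the natural place to pin what `get(..., "")` and `get(..., nspace)` return when a cluster policy and a namespaced policy for the same kind coexist; none of the test hunks shown here exercise that mixed case, which is exactly the one the webhook callers rely on.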
@@ -378,16 +378,16 @@ func Test_Ns_All(t *testing.T) {
 for _, kind := range rule.MatchResources.Kinds {
 // get
- mutate := pCache.get(Mutate, &kind, &nspace)
+ mutate := pCache.get(Mutate, kind, nspace)
 if len(mutate) != 1 {
 t.Errorf("expected 1 mutate policy, found %v", len(mutate))
 }
- validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
+ validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
 }
- generate := pCache.get(Generate, &kind, &nspace)
+ generate := pCache.get(Generate, kind, nspace)
 if len(generate) != 1 {
 t.Errorf("expected 1 generate policy, found %v", len(generate))
 }
@@ -396,7 +396,7 @@ func Test_Ns_All(t *testing.T) {
 // remove
 pCache.Remove(policy)
 kind := "pod"
- validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
+ validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 assert.Assert(t, len(validateEnforce) == 0)
 }
@@ -410,16 +410,16 @@ func Test_Ns_Add_Duplicate_Policy(t *testing.T) {
 for _, rule := range policy.Spec.Rules {
 for _, kind := range rule.MatchResources.Kinds {
- mutate := pCache.get(Mutate, &kind, &nspace)
+ mutate := pCache.get(Mutate, kind, nspace)
 if len(mutate) != 1 {
 t.Errorf("expected 1 mutate policy, found %v", len(mutate))
 }
- validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
+ validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
 }
- generate := pCache.get(Generate, &kind, &nspace)
+ generate := pCache.get(Generate, kind, nspace)
 if len(generate) != 1 {
 t.Errorf("expected 1 generate policy, found %v", len(generate))
 }
@@ -439,12 +439,12 @@ func Test_Ns_Add_Validate_Audit(t *testing.T) {
 for _, rule := range policy.Spec.Rules {
 for _, kind := range rule.MatchResources.Kinds {
- validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
+ validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate policy, found %v", len(validateEnforce))
 }
- validateAudit := pCache.get(ValidateAudit, &kind, &nspace)
+ validateAudit := pCache.get(ValidateAudit, kind, nspace)
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate policy, found %v", len(validateAudit))
 }
@@ -458,13 +458,13 @@ func Test_Ns_Add_Remove(t *testing.T) {
 nspace := policy.GetNamespace()
 kind := "Pod"
 pCache.Add(policy)
- validateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
+ validateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 if len(validateEnforce) != 1 {
 t.Errorf("expected 1 validate enforce policy, found %v", len(validateEnforce))
 }
 pCache.Remove(policy)
- deletedValidateEnforce := pCache.get(ValidateEnforce, &kind, &nspace)
+ deletedValidateEnforce := pCache.get(ValidateEnforce, kind, nspace)
 if len(deletedValidateEnforce) != 0 {
 t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
 }
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index f03643be3f..8de9af93dc 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -308,11 +308,11 @@ func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1
 }
 logger.V(6).Info("received an admission request in mutating webhook")
- mutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, &request.Kind.Kind, nil)
- generatePolicies := ws.pCache.GetPolicyObject(policycache.Generate, &request.Kind.Kind, nil)
+ mutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, request.Kind.Kind, "")
+ generatePolicies := ws.pCache.GetPolicyObject(policycache.Generate, request.Kind.Kind, "")
 // Get namespace policies from the cache for the requested resource namespace
- nsMutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, &request.Kind.Kind, &request.Namespace)
+ nsMutatePolicies := ws.pCache.GetPolicyObject(policycache.Mutate, request.Kind.Kind, request.Namespace)
 mutatePolicies = append(mutatePolicies, nsMutatePolicies...)
 // convert RAW to unstructured
@@ -395,9 +395,9 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 logger.V(6).Info("received an admission request in validating webhook")
- policies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, &request.Kind.Kind, nil)
+ policies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, request.Kind.Kind, "")
 // Get namespace policies from the cache for the requested resource namespace
- nsPolicies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, &request.Kind.Kind, &request.Namespace)
+ nsPolicies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, request.Kind.Kind, request.Namespace)
 policies = append(policies, nsPolicies...)
 if len(policies) == 0 {
 // push admission request to audit handler, this won't block the admission request
diff --git a/pkg/webhooks/validate_audit.go b/pkg/webhooks/validate_audit.go
index bd6e247066..72974d4fa8 100644
--- a/pkg/webhooks/validate_audit.go
+++ b/pkg/webhooks/validate_audit.go
@@ -149,9 +149,9 @@ func (h *auditHandler) process(request *v1beta1.AdmissionRequest) error {
 var err error
 logger := h.log.WithName("process")
- policies := h.pCache.GetPolicyObject(policycache.ValidateAudit, &request.Kind.Kind, nil)
+ policies := h.pCache.GetPolicyObject(policycache.ValidateAudit, request.Kind.Kind, "")
 // Get namespace policies from the cache for the requested resource namespace
- nsPolicies := h.pCache.GetPolicyObject(policycache.ValidateAudit, &request.Kind.Kind, &request.Namespace)
+ nsPolicies := h.pCache.GetPolicyObject(policycache.ValidateAudit, request.Kind.Kind, request.Namespace)
 policies = append(policies, nsPolicies...)
 // getRoleRef only if policy has roles/clusterroles defined
 if containRBACInfo(policies) {