mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
validate and block policy based on the matched kind cache (#3283)
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
This commit is contained in:
Prateek Pandey
GitHub
parent
447bafbed5
commit
66969d35ea
4 changed files with 18 additions and 8 deletions
3
go.mod
3
go.mod
|
|
@ -57,7 +57,9 @@ require (
|
||||||
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211215200129-69c85dc22db6
|
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211215200129-69c85dc22db6
|
||||||
github.com/blang/semver/v4 v4.0.0
|
github.com/blang/semver/v4 v4.0.0
|
||||||
github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
|
github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
|
||||||
|
github.com/evanphx/json-patch v4.12.0+incompatible
|
||||||
github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220125170349-50dfc2733d10
|
github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220125170349-50dfc2733d10
|
||||||
|
github.com/gorilla/mux v1.8.0
|
||||||
gopkg.in/inf.v0 v0.9.1
|
gopkg.in/inf.v0 v0.9.1
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -118,7 +120,6 @@ require (
|
||||||
github.com/docker/docker-credential-helpers v0.6.4 // indirect
|
github.com/docker/docker-credential-helpers v0.6.4 // indirect
|
||||||
github.com/dustin/go-humanize v1.0.0 // indirect
|
github.com/dustin/go-humanize v1.0.0 // indirect
|
||||||
github.com/emirpasic/gods v1.12.0 // indirect
|
github.com/emirpasic/gods v1.12.0 // indirect
|
||||||
github.com/evanphx/json-patch v4.12.0+incompatible // indirect
|
|
||||||
github.com/fsnotify/fsnotify v1.5.1 // indirect
|
github.com/fsnotify/fsnotify v1.5.1 // indirect
|
||||||
github.com/go-chi/chi v4.1.2+incompatible // indirect
|
github.com/go-chi/chi v4.1.2+incompatible // indirect
|
||||||
github.com/go-errors/errors v1.0.1 // indirect
|
github.com/go-errors/errors v1.0.1 // indirect
|
||||||
|
|
|
||||||
1
go.sum
1
go.sum
|
|
@ -1030,6 +1030,7 @@ github.com/goreleaser/nfpm v1.2.1/go.mod h1:TtWrABZozuLOttX2uDlYyECfQX7x5XYkVxhj
|
||||||
github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
|
github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
|
||||||
github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
|
github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
|
||||||
github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
|
github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
|
||||||
|
github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
|
||||||
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
|
github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
|
||||||
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
|
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
|
||||||
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
|
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
|
||||||
|
|
|
||||||
|
|
@ -256,26 +256,25 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
|
||||||
for _, value := range match.Any {
|
for _, value := range match.Any {
|
||||||
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("the kind defined in the any match resource is invalid")
|
return errors.Wrapf(err, "the kind defined in the any match resource is invalid")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, value := range match.All {
|
for _, value := range match.All {
|
||||||
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("the kind defined in the all match resource is invalid")
|
return errors.Wrapf(err, "the kind defined in the all match resource is invalid")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, value := range exclude.Any {
|
for _, value := range exclude.Any {
|
||||||
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("the kind defined in the any exclude resource is invalid")
|
return errors.Wrapf(err, "the kind defined in the any exclude resource is invalid")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for _, value := range exclude.All {
|
for _, value := range exclude.All {
|
||||||
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
err := validateKinds(value.ResourceDescription.Kinds, mock, client, *policy)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("the kind defined in the all exclude resource is invalid")
|
return errors.Wrapf(err, "the kind defined in the all exclude resource is invalid")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if !utils.ContainsString(rule.MatchResources.Kinds, "*") {
|
if !utils.ContainsString(rule.MatchResources.Kinds, "*") {
|
||||||
|
|
@ -1483,12 +1482,21 @@ func jsonPatchOnPod(rule kyverno.Rule) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// validateKinds verifies if an API resource that matches 'kind' is valid kind
|
||||||
|
// and found in the cache, returns error if not found
|
||||||
func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.ClusterPolicy) error {
|
func validateKinds(kinds []string, mock bool, client *dclient.Client, p kyverno.ClusterPolicy) error {
|
||||||
for _, kind := range kinds {
|
for _, kind := range kinds {
|
||||||
_, k := comn.GetKindFromGVK(kind)
|
gv, k := comn.GetKindFromGVK(kind)
|
||||||
if k == p.Kind {
|
if k == p.Kind {
|
||||||
return fmt.Errorf("kind and match resource kind should not be the same")
|
return fmt.Errorf("kind and match resource kind should not be the same")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !mock {
|
||||||
|
_, _, err := client.DiscoveryClient.FindResource(gv, k)
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("unable to convert GVK to GVR, %s, err: %s", kinds, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1555,6 +1555,6 @@ func Test_patchesJson6902_Policy(t *testing.T) {
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
|
|
||||||
openAPIController, _ := openapi.NewOpenAPIController()
|
openAPIController, _ := openapi.NewOpenAPIController()
|
||||||
err = Validate(policy, nil, false, openAPIController)
|
err = Validate(policy, nil, true, openAPIController)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue