mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Merge branch 'kyverno:main' into main

Browse source
This commit is contained in:
Chip Zoller 2021-06-02 08:26:19 -04:00
commit 7cb9ec3004
153 changed files with 122958 additions and 97788 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/PULL_REQUEST_TEMPLATE.md vendored
View file

@ -65,7 +65,7 @@ them, don't hesitate to ask. We're here to help! This is simply a reminder of wh
- [] I have raised an issue in [kyverno/website](https://github.com/kyverno/website) to track the doc update and the link is:
<!-- Uncomment to link to the issue -->
<!-- https://github.com/kyverno/website/issues/1 -->
- [] I have read the [PR documentation guide](pr_documentation.md) and followed the process including adding proof manifests to this PR.
- [] I have read the [PR documentation guide](https://github.com/kyverno/kyverno/blob/main/.github/pr_documentation.md) and followed the process including adding proof manifests to this PR.
## Further Comments

2
.github/workflows/e2e.yaml vendored
View file

@ -82,6 +82,8 @@ jobs:
kubectl get pods -n kyverno
${GITHUB_WORKSPACE}/scripts/verify-deployment.sh -n kyverno kyverno
sleep 20
echo ">>> Expose the Kyverno's service's metric server to the host"
kubectl port-forward svc/kyverno-svc -n kyverno 8000:8000 &
echo ">>> Run Kyverno e2e test"
make test-e2e
kubectl delete -f ${GITHUB_WORKSPACE}/definitions/install.yaml

10
Makefile
View file

@ -171,14 +171,18 @@ code-cov-report: $(CODE_COVERAGE_FILE_TXT)
# Test E2E
test-e2e:
$(eval export E2E="ok")
go test ./test/e2e/metrics -v
go test ./test/e2e/mutate -v
go test ./test/e2e/generate -v
$(eval export E2E="")
#Test TestCmd Policy
run_testcmd_policy:
go build -o kyvernoctl cmd/cli/kubectl-kyverno/main.go
./kyvernoctl test https://github.com/kyverno/policies/main
run_testcmd_policy: cli
$(PWD)/$(CLI_PATH)/kyverno test https://github.com/kyverno/policies/main
$(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test
$(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test-fail/missing-policy && exit 1 || exit 0
$(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test-fail/missing-rule && exit 1 || exit 0
$(PWD)/$(CLI_PATH)/kyverno test ./test/cli/test-fail/missing-resource && exit 1 || exit 0
# godownloader create downloading script for kyverno-cli
godownloader:

45
README.md
View file

@ -1,6 +1,6 @@
# Kyverno [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Kubernetes%20Native%20Policy%20Management.%20No%20new%20language%20required%21&url=https://github.com/kyverno/kyverno/&hashtags=kubernetes,devops)
**Kubernetes Native Policy Management**
**Kubernetes Native Policy Management 🎉**
![build](https://github.com/kyverno/kyverno/workflows/build/badge.svg)
![prereleaser](https://github.com/kyverno/kyverno/workflows/prereleaser/badge.svg)
@ -11,30 +11,49 @@
<a href="https://kyverno.io" rel="kyverno.io">![logo](img/Kyverno_Horizontal.png)</a>
<p class="callout info" style="font-size: 2000%;">
<p class="callout info" style="font-size: 100%;">
Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
</p>
## Documentation
## 📙 Documentation
Kyverno guides and reference documents are available at: <a href="https://kyverno.io/">kyverno.io</a>.
Kyverno installation and reference documents are available at: <a href="https://kyverno.io/">kyverno.io</a>.
Try the [quick start guide](https://kyverno.io/docs/introduction/#quick-start) to install Kyverno and create your first policy.
👉 **[Quick Start](https://kyverno.io/docs/introduction/#quick-start)**
## Contributing
👉 **[Installation](https://kyverno.io/docs/installation/)**
Checkout out the Kyverno <a href="https://kyverno.io/community">Community</a> page for ways to get involved and details on joining our next community meeting.
👉 **[Sample Policies](https://kyverno.io/policies/)**
## Getting Help
- For feature requests and bugs, file an [issue](https://github.com/kyverno/kyverno/issues).
- For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/g/kyverno).
## 🙋‍♂️ Getting Help
## Spread The Love
We are here to help!
✔ For feature requests and bugs, file an [issue](https://github.com/kyverno/kyverno/issues).
✔ For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/).
✔ For community meeting access join the [mailing list](https://groups.google.com/g/kyverno).
✔ To get updates ⭐️ [star this repository](https://github.com/kyverno/kyverno/stargazers).
## Contributing
Thanks for your interest in contributing to Kyverno! Here are some steps to help get you started:
✔ Read and agree to the [Contribution Guidelines](https://github.com/kyverno/kyverno/blob/main/CONTRIBUTING.md).
✔ Browse through the [GitHub discussions](https://github.com/kyverno/kyverno/discussions).
✔ Read Kyverno design and development details on the [GitHub Wiki](https://github.com/kyverno/kyverno/wiki).
✔ Check out the **[good first issue](https://github.com/kyverno/kyverno/labels/good%20first%20issue)** list. Add a comment with `/assign` to request assignment of the issue.
✔ Checkout out the Kyverno <a href="https://kyverno.io/community">Community</a> page for other ways to get involved.
We built Kyverno to make it easy to secure and manage Kubernetes configurations. If you like the project, [let us know](https://github.com/kyverno/kyverno/stargazers)!
[![Stargazers over time](https://starchart.cc/kyverno/kyverno.svg)](https://starchart.cc/kyverno/kyverno)

3413
api/apiResources.go Normal file
View file

File diff suppressed because it is too large Load diff

1863
api/preferredResources.go Normal file
View file

File diff suppressed because it is too large Load diff

207312
api/swaggerDoc.go
View file

File diff suppressed because it is too large Load diff

4
charts/kyverno/Chart.yaml
View file

@ -1,7 +1,7 @@
apiVersion: v1
name: kyverno
version: v1.3.5-rc3
appVersion: v1.3.5-rc3
version: v1.3.6
appVersion: v1.3.6
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Native Policy Management
keywords:

2
charts/kyverno/README.md
View file

@ -68,6 +68,7 @@ The following table lists the configurable parameters of the kyverno chart and t
| `createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` |
| `config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` |
| `config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/kyverno/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` |
| customLabels | object | `{}` | Additional labels |
| `dnsPolicy` | Sets the DNS Policy which determines the manner in which DNS resolution happens across the cluster. For further reference, see [the official docs](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy) | `ClusterFirst` |
| envVars | Extra environment variables to pass to kyverno | {} |
| `extraArgs` | list of extra arguments to give the binary | `[]` |
@ -103,6 +104,7 @@ The following table lists the configurable parameters of the kyverno chart and t
| `tolerations` | list of node taints to tolerate | `[]` |
| `securityContext` | security context configuration | `{}` |
| `podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`, `custom`. Set to `restricted` for maximum security for your cluster. See: https://kyverno.io/policies/pod-security/ | `default` |
| `podSecuritySeverity` | set desired pod security severity `low`, `medium`, `high`. Used severity level in PolicyReportResults for the selected pod security policies. | `medium` |
| `podSecurityPolicies` | Policies to include when `podSecurityStandard` is set to `custom` | `[]` |
| `validationFailureAction` | set to get response in failed validation check. Supported values- `audit`, `enforce`. See: https://kyverno.io/docs/writing-policies/validate/ | `audit` |

2
charts/kyverno/templates/NOTES.txt
View file

@ -1,4 +1,4 @@
Thank you for installing {{ .Chart.Name }} 😀
Thank you for installing {{ .Chart.Name }} {{ .Chart.Version }} 😀
Your release is named {{ .Release.Name }}.

10
charts/kyverno/templates/_helpers.tpl
View file

@ -30,10 +30,16 @@ If release name contains chart name it will be used as a full name.
{{/* Helm required labels */}}
{{- define "kyverno.labels" -}}
app.kubernetes.io/name: {{ template "kyverno.name" . }}
helm.sh/chart: {{ template "kyverno.chart" . }}
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/name: {{ template "kyverno.name" . }}
app.kubernetes.io/part-of: {{ template "kyverno.name" . }}
app.kubernetes.io/version: "{{ .Chart.Version }}"
helm.sh/chart: {{ template "kyverno.chart" . }}
{{- if .Values.customLabels }}
{{ toYaml .Values.customLabels | indent 4 }}
{{- end }}
{{- end -}}
{{/* matchLabels */}}

21
charts/kyverno/templates/clusterrole.yaml
View file

@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# Dynamic creation of webhooks, events & certs
- apiGroups:
@ -48,6 +50,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# get the roleRef for incoming api-request user
- apiGroups:
@ -67,6 +71,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:customresources
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# Kyverno CRs
- apiGroups:
@ -105,6 +111,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:policycontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# background processing, identify all existing resources
- apiGroups:
@ -121,6 +129,8 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:generatecontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
rules:
# process generate rules to generate resources
- apiGroups:
@ -154,9 +164,10 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: {{ template "kyverno.fullname" . }}:admin-policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
rules:
- apiGroups:
- kyverno.io
@ -169,8 +180,9 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-policyreport
rules:
- apiGroups:
@ -184,8 +196,9 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest
rules:
- apiGroups:

10
charts/kyverno/templates/clusterrolebinding.yaml
View file

@ -3,6 +3,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -16,6 +18,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -29,6 +33,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:customresources
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -42,6 +48,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:policycontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@ -55,6 +63,8 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:generatecontroller
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole

1
charts/kyverno/templates/configmap.yaml
View file

@ -3,6 +3,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
name: {{ template "kyverno.configMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
data:

9
charts/kyverno/templates/deployment.yaml
View file

@ -3,14 +3,17 @@ kind: Deployment
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
namespace: {{ template "kyverno.namespace" . }}
spec:
selector:
matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }}
app: kyverno
replicas: {{ .Values.replicaCount }}
template:
metadata:
labels: {{ include "kyverno.labels" . | nindent 8 }}
app: kyverno
{{- range $key, $value := .Values.podLabels }}
{{ $key }}: {{ $value }}
{{- end }}
@ -47,6 +50,9 @@ spec:
- name: kyverno-pre
image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
{{- with .Values.initResources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
@ -88,6 +94,9 @@ spec:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
env:
- name: INIT_CONFIG
value: {{ template "kyverno.configMapName" . }}

9
charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "disallow-add-capabilities" -}}
{{- $name := "disallow-add-capabilities" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,9 +6,14 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Capabilities permit privileged actions without giving full root access.
Adding capabilities beyond the default set must not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true
@ -33,4 +38,4 @@ spec:
- =(securityContext):
=(capabilities):
X(add): null
{{- end -}}
{{- end -}}

7
charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "disallow-host-namespaces" -}}
{{- $name := "disallow-host-namespaces" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,10 +6,15 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should not be allowed access to host namespaces.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

7
charts/kyverno/templates/policies/default/disallow-host-path.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "disallow-host-path" -}}
{{- $name := "disallow-host-path" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,10 +6,15 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
HostPath volumes let pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
and should not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

5
charts/kyverno/templates/policies/default/disallow-host-ports.yaml
View file

@ -6,9 +6,14 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

5
charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
View file

@ -6,8 +6,13 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

5
charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
View file

@ -6,8 +6,13 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

5
charts/kyverno/templates/policies/default/disallow-selinux.yaml
View file

@ -7,8 +7,13 @@ metadata:
annotations:
policies.kyverno.io/title: Disallow SELinux
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

7
charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-apparmor-profiles" -}}
{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -7,10 +7,15 @@ metadata:
annotations:
policies.kyverno.io/title: Restrict AppArmor
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict
overrides to an allowed set of profiles.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

7
charts/kyverno/templates/policies/default/restrict-sysctls.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-sysctls" -}}
{{- $name := "restrict-sysctls" }}
{{- if eq (include "kyverno.podSecurityDefault" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,11 +6,16 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Default)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A
sysctl is considered safe if it is namespaced in the container or the
Pod, and it is isolated from other Pods or processes on the same Node.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
validationFailureAction: {{ .Values.validationFailureAction }}
background: true

7
charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "deny-privilege-escalation" -}}
{{- $name := "deny-privilege-escalation" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,8 +6,13 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}

15
charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "require-non-root-groups" -}}
{{- $name := "require-non-root-groups" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,8 +6,13 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
Containers should be forbidden from running with a root primary or supplementary GID.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}
@ -45,7 +50,7 @@ spec:
pattern:
spec:
=(securityContext):
=(supplementalGroups): ["null"]
=(supplementalGroups): ">0"
- name: check-fsGroup
match:
resources:
@ -53,10 +58,10 @@ spec:
- Pod
validate:
message: >-
Changing of file system groups is not allowed. The field
spec.securityContext.fsGroup must not be defined.
Changing to root group ID is disallowed. The field
spec.securityContext.fsGroup must be empty or greater than zero.
pattern:
spec:
=(securityContext):
X(fsGroup): "*"
=(fsGroup): ">0"
{{- end -}}

7
charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "require-run-as-non-root" -}}
{{- $name := "require-run-as-non-root" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,7 +6,12 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: Containers must be required to run as non-root users.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}

7
charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-seccomp" -}}
{{- $name := "restrict-seccomp" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -7,9 +7,14 @@ metadata:
annotations:
policies.kyverno.io/title: Restrict Seccomp
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
The runtime default seccomp profile must be required, or only specific
additional profiles should be allowed.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}

7
charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
View file

@ -1,4 +1,4 @@
{{ $name := "restrict-volume-types" -}}
{{- $name := "restrict-volume-types" }}
{{- if eq (include "kyverno.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
@ -6,9 +6,14 @@ metadata:
name: {{ $name }}
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
spec:
background: true
validationFailureAction: {{ .Values.validationFailureAction }}

2
charts/kyverno/templates/secret.yaml
View file

@ -6,6 +6,7 @@ kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
data:
rootCA.crt: {{ $ca.Cert | b64enc }}
---
@ -14,6 +15,7 @@ kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
annotations:
self-signed-cert: "true"
type: kubernetes.io/tls

9
charts/kyverno/templates/service.yaml
View file

@ -3,6 +3,7 @@ kind: Service
metadata:
name: {{ template "kyverno.serviceName" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
namespace: {{ template "kyverno.namespace" . }}
{{- with .Values.service.annotations }}
annotations: {{ tpl (toYaml .) $ | nindent 4 }}
@ -16,5 +17,13 @@ spec:
{{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
- port: {{ .Values.service.metricsPort }}
targetPort: 8000
protocol: TCP
name: metrics-port
{{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }}
nodePort: {{ .Values.service.metricsNodePort }}
{{- end }}
selector: {{ include "kyverno.matchLabels" . | nindent 4 }}
app: kyverno
type: {{ .Values.service.type }}

1
charts/kyverno/templates/serviceaccount.yaml
View file

@ -4,6 +4,7 @@ kind: ServiceAccount
metadata:
name: {{ template "kyverno.serviceAccountName" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
{{- if .Values.rbac.serviceAccount.annotations }}
annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
{{- end }}

17
charts/kyverno/values.yaml
View file

@ -4,12 +4,17 @@ namespace:
# Supported- default/restricted/privileged/custom
# For more info- https://kyverno.io/policies/pod-security
podSecurityStandard: default
# Supported- low/medium/high
podSecuritySeverity: medium
# Policies to include when podSecurityStandard is custom
podSecurityPolicies: []
# Supported values- `audit`, `enforce`
# For more info- https://kyverno.io/docs/writing-policies/validate/
validationFailureAction: audit
# -- Additional labels
customLabels: {}
rbac:
create: true
serviceAccount:
@ -69,6 +74,14 @@ resources:
cpu: 100m
memory: 50Mi
initResources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
## Liveness Probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
@ -135,6 +148,10 @@ service:
type: ClusterIP
# Only used if service.type is NodePort
nodePort:
## Kyverno's metrics server will be exposed at this port
metricsPort: 8000
## The Node's port which will allow access Kyverno's metrics at the host level. Only used if service.type is NodePort.
metricsNodePort: 8000
## Provide any additional annotations which may be required. This can be used to
## set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer

41
cmd/kyverno/main.go
View file

@ -34,6 +34,9 @@ import (
"k8s.io/klog/v2"
"k8s.io/klog/v2/klogr"
log "sigs.k8s.io/controller-runtime/pkg/log"
"github.com/kyverno/kyverno/pkg/metrics"
"github.com/prometheus/client_golang/prometheus/promhttp"
)
const resyncPeriod = 15 * time.Minute
@ -47,12 +50,13 @@ var (
excludeGroupRole string
excludeUsername string
profilePort string
metricsPort string
webhookTimeout int
genWorkers int
profile bool
policyReport bool
profile bool
disableMetricsExport bool
policyControllerResyncPeriod time.Duration
setupLog = log.Log.WithName("setup")
@ -70,6 +74,8 @@ func main() {
flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
flag.BoolVar(&profile, "profile", false, "Set this flag to 'true', to enable profiling.")
flag.StringVar(&profilePort, "profile-port", "6060", "Enable profiling at given port, default to 6060.")
flag.BoolVar(&disableMetricsExport, "disable-metrics", false, "Set this flag to 'true', to enable exposing the metrics.")
flag.StringVar(&metricsPort, "metrics-port", "8000", "Expose prometheus metrics at the given port, default to 8000.")
flag.DurationVar(&policyControllerResyncPeriod, "background-scan", time.Hour, "Perform background scan every given interval, e.g., 30s, 15m, 1h.")
if err := flag.Set("v", "2"); err != nil {
setupLog.Error(err, "failed to set log level")
@ -87,11 +93,16 @@ func main() {
os.Exit(1)
}
var profilingServerMux *http.ServeMux
var metricsServerMux *http.ServeMux
var promConfig *metrics.PromConfig
if profile {
profilingServerMux = http.NewServeMux()
addr := ":" + profilePort
setupLog.Info("Enable profiling, see details at https://github.com/kyverno/kyverno/wiki/Profiling-Kyverno-on-Kubernetes", "port", profilePort)
go func() {
if err := http.ListenAndServe(addr, nil); err != nil {
if err := http.ListenAndServe(addr, profilingServerMux); err != nil {
setupLog.Error(err, "Failed to enable profiling")
os.Exit(1)
}
@ -99,6 +110,20 @@ func main() {
}
if !disableMetricsExport {
promConfig = metrics.NewPromConfig()
metricsServerMux = http.NewServeMux()
metricsServerMux.Handle("/metrics", promhttp.HandlerFor(promConfig.MetricsRegistry, promhttp.HandlerOpts{Timeout: 10 * time.Second}))
metricsAddr := ":" + metricsPort
setupLog.Info("Enable exposure of metrics, see details at https://github.com/kyverno/kyverno/wiki/Metrics-Kyverno-on-Kubernetes", "port", metricsPort)
go func() {
if err := http.ListenAndServe(metricsAddr, metricsServerMux); err != nil {
setupLog.Error(err, "Failed to enable exposure of metrics")
os.Exit(1)
}
}()
}
// KYVERNO CRD CLIENT
// access CRD resources
// - ClusterPolicy, Policy
@ -138,17 +163,17 @@ func main() {
if err != nil {
setupLog.Error(err, "ConfigMap lookup disabled: failed to create resource cache")
}
debug := serverIP != ""
webhookCfg := webhookconfig.NewRegister(
clientConfig,
client,
rCache,
serverIP,
int32(webhookTimeout),
debug,
log.Log)
// Resource Mutating Webhook Watcher
webhookMonitor := webhookconfig.NewMonitor(rCache, log.Log.WithName("WebhookMonitor"))
webhookMonitor := webhookconfig.NewMonitor(kubeInformer.Core().V1().Secrets(), log.Log.WithName("WebhookMonitor"))
// KYVERNO CRD INFORMER
// watches CRD resources:
@ -224,6 +249,7 @@ func main() {
log.Log.WithName("PolicyController"),
rCache,
policyControllerResyncPeriod,
promConfig,
)
if err != nil {
@ -286,6 +312,7 @@ func main() {
configData,
rCache,
client,
promConfig,
)
certRenewer := ktls.NewCertRenewer(client, clientConfig, ktls.CertRenewalInterval, ktls.CertValidityDuration, log.Log.WithName("CertRenewer"))
@ -334,7 +361,6 @@ func main() {
// -- annotations on resources with update details on mutation JSON patches
// -- generate policy violation resource
// -- generate events on policy and resource
debug := serverIP != ""
server, err := webhooks.NewWebhookServer(
pclient,
client,
@ -362,6 +388,7 @@ func main() {
rCache,
grc,
debug,
promConfig,
)
if err != nil {

209
definitions/install.yaml
View file

@ -1,6 +1,14 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno
---
apiVersion: apiextensions.k8s.io/v1
@ -9,6 +17,13 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: clusterpolicies.kyverno.io
spec:
group: kyverno.io
@ -496,6 +511,13 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: clusterpolicyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
@ -742,6 +764,13 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: clusterreportchangerequests.kyverno.io
spec:
group: kyverno.io
@ -988,6 +1017,13 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: generaterequests.kyverno.io
spec:
group: kyverno.io
@ -1153,6 +1189,13 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: policies.kyverno.io
spec:
group: kyverno.io
@ -1640,6 +1683,13 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: policyreports.wgpolicyk8s.io
spec:
group: wgpolicyk8s.io
@ -1886,6 +1936,13 @@ metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: reportchangerequests.kyverno.io
spec:
group: kyverno.io
@ -2129,6 +2186,14 @@ status:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno-service-account
namespace: kyverno
---
@ -2136,6 +2201,13 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
@ -2151,6 +2223,13 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
@ -2166,6 +2245,13 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:
@ -2180,6 +2266,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:customresources
rules:
- apiGroups:
@ -2217,6 +2311,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:generatecontroller
rules:
- apiGroups:
@ -2244,6 +2346,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:policycontroller
rules:
- apiGroups:
@ -2259,6 +2369,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:userinfo
rules:
- apiGroups:
@ -2277,6 +2395,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:webhook
rules:
- apiGroups:
@ -2321,6 +2447,14 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2334,6 +2468,14 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2347,6 +2489,14 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2360,6 +2510,14 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2373,6 +2531,14 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2389,6 +2555,14 @@ data:
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: init-config
namespace: kyverno
---
@ -2397,13 +2571,22 @@ kind: Service
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno-svc
namespace: kyverno
spec:
ports:
- port: 443
- name: https
port: 443
targetPort: https
- name: metrics-port
port: 8000
targetPort: metrics-port
selector:
app: kyverno
app.kubernetes.io/name: kyverno
@ -2413,7 +2596,12 @@ kind: Deployment
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
name: kyverno
namespace: kyverno
spec:
@ -2426,7 +2614,12 @@ spec:
metadata:
labels:
app: kyverno
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
spec:
containers:
- args:
@ -2441,7 +2634,7 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: ghcr.io/kyverno/kyverno:v1.3.5-rc3
image: ghcr.io/kyverno/kyverno:v1.3.6
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 2
@ -2458,6 +2651,9 @@ spec:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
readinessProbe:
failureThreshold: 4
httpGet:
@ -2483,9 +2679,16 @@ spec:
readOnlyRootFilesystem: true
runAsNonRoot: true
initContainers:
- image: ghcr.io/kyverno/kyvernopre:v1.3.5-rc3
- image: ghcr.io/kyverno/kyvernopre:v1.3.6
imagePullPolicy: IfNotPresent
name: kyverno-pre
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:

36
definitions/install_debug.yaml
View file

@ -1,6 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app: kyverno
name: kyverno
---
apiVersion: apiextensions.k8s.io/v1
@ -2129,6 +2131,8 @@ status:
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: kyverno
name: kyverno-service-account
namespace: kyverno
---
@ -2136,6 +2140,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
@ -2151,6 +2156,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
@ -2166,6 +2172,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:
@ -2180,6 +2187,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:customresources
rules:
- apiGroups:
@ -2217,6 +2226,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
rules:
- apiGroups:
@ -2244,6 +2255,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
rules:
- apiGroups:
@ -2259,6 +2272,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:userinfo
rules:
- apiGroups:
@ -2277,6 +2292,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:webhook
rules:
- apiGroups:
@ -2321,6 +2338,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2334,6 +2353,8 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2347,6 +2368,8 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2360,6 +2383,8 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2373,6 +2398,8 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: kyverno
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -2389,6 +2416,8 @@ data:
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
labels:
app: kyverno
name: init-config
namespace: kyverno
---
@ -2397,13 +2426,16 @@ kind: Service
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
name: kyverno-svc
namespace: kyverno
spec:
ports:
- port: 443
- name: https
port: 443
targetPort: https
- name: metrics-port
port: 8000
targetPort: metrics-port
selector:
app: kyverno
app.kubernetes.io/name: kyverno

10
definitions/k8s-resource/clusterrolebindings.yaml
View file

@ -2,6 +2,8 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:webhook
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -15,6 +17,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:userinfo
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -28,6 +32,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:customresources
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -41,6 +47,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
roleRef:
apiGroup: rbac.authorization.k8s.io
@ -54,6 +62,8 @@ subjects:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
roleRef:
apiGroup: rbac.authorization.k8s.io

40
definitions/k8s-resource/clusterroles.yaml
View file

@ -1,34 +1,9 @@
---
kind: Namespace
apiVersion: v1
metadata:
name: "kyverno"
---
apiVersion: v1
kind: Service
metadata:
namespace: kyverno
name: kyverno-svc
labels:
app: kyverno
app.kubernetes.io/name: kyverno
spec:
ports:
- port: 443
targetPort: https
selector:
app: kyverno
app.kubernetes.io/name: kyverno
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kyverno-service-account
namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:webhook
rules:
# Dynamic creation of webhooks, events & certs
@ -74,6 +49,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:userinfo
rules:
# get the roleRef for incoming api-request user
@ -93,6 +70,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:customresources
rules:
# Kyverno CRs
@ -131,6 +110,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:policycontroller
rules:
# background processing, identify all existing resources
@ -147,6 +128,8 @@ rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
name: kyverno:generatecontroller
rules:
# process generate rules to generate resources
@ -178,6 +161,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policies
rules:
@ -193,6 +177,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-policyreport
rules:
@ -208,6 +193,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: kyverno
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: kyverno:admin-reportchangerequest
rules:

2
definitions/k8s-resource/configmap.yaml
View file

@ -4,5 +4,7 @@ data:
excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler'
kind: ConfigMap
metadata:
labels:
app: kyverno
name: init-config
namespace: kyverno

5
definitions/k8s-resource/kustomization.yaml
View file

@ -4,4 +4,7 @@ kind: Kustomization
resources:
- ./clusterroles.yaml
- ./clusterrolebindings.yaml
- ./configmap.yaml
- ./configmap.yaml
- ./namespace.yaml
- ./service.yaml
- ./serviceaccount.yaml

7
definitions/k8s-resource/namespace.yaml Normal file
View file

@ -0,0 +1,7 @@
---
kind: Namespace
apiVersion: v1
metadata:
labels:
app: kyverno
name: kyverno

20
definitions/k8s-resource/service.yaml Normal file
View file

@ -0,0 +1,20 @@
---
apiVersion: v1
kind: Service
metadata:
labels:
app: kyverno
namespace: kyverno
name: kyverno-svc
spec:
ports:
- port: 443
name: https
targetPort: https
- port: 8000
name: metrics-port
targetPort: metrics-port
selector:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno

8
definitions/k8s-resource/serviceaccount.yaml Normal file
View file

@ -0,0 +1,8 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: kyverno
name: kyverno-service-account
namespace: kyverno

8
definitions/kustomization.yaml
View file

@ -1,14 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
transformers:
- labels.yaml
resources:
- ./crds/
- ./manifest/
- ./k8s-resource/
images:
- name: ghcr.io/kyverno/kyverno
newName: ghcr.io/kyverno/kyverno
newTag: v1.3.5-rc3
newTag: v1.3.6
- name: ghcr.io/kyverno/kyvernopre
newName: ghcr.io/kyverno/kyvernopre
newTag: v1.3.5-rc3
newTag: v1.3.6

18
definitions/labels.yaml Normal file
View file

@ -0,0 +1,18 @@
---
apiVersion: builtin
kind: LabelTransformer
metadata:
name: labelTransformer
labels:
app.kubernetes.io/component: kyverno
app.kubernetes.io/instance: kyverno
app.kubernetes.io/managed-by: Kustomize
app.kubernetes.io/name: kyverno
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: v1.3.6
fieldSpecs:
- path: metadata/labels
create: true
- kind: Deployment
path: spec/template/metadata/labels
create: true

17
definitions/manifest/deployment.yaml
View file

@ -2,21 +2,24 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: kyverno
name: kyverno
labels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
namespace: kyverno
name: kyverno
spec:
selector:
matchLabels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
replicas: 1
template:
metadata:
labels:
app: kyverno
# do not remove
app.kubernetes.io/name: kyverno
spec:
serviceAccountName: kyverno-service-account
@ -26,6 +29,13 @@ spec:
- name: kyverno-pre
image: ghcr.io/kyverno/kyvernopre:latest
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
runAsNonRoot: true
privileged: false
@ -51,6 +61,9 @@ spec:
- containerPort: 9443
name: https
protocol: TCP
- containerPort: 8000
name: metrics-port
protocol: TCP
env:
- name: INIT_CONFIG
value: init-config

22
definitions/release/install.yaml
View file

@ -1170,7 +1170,7 @@ spec:
name: Background
type: string
- jsonPath: .spec.validationFailureAction
name: Validation Failure Action
name: Action
type: string
name: v1
schema:
@ -2386,7 +2386,7 @@ subjects:
apiVersion: v1
data:
excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][SelfSubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportChangeRequest,*,*][ClusterReportChangeRequest,*,*][PolicyReport,*,*][ClusterPolicyReport,*,*]'
kind: ConfigMap
metadata:
name: init-config
@ -2397,6 +2397,7 @@ kind: Service
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
name: kyverno-svc
namespace: kyverno
spec:
@ -2405,12 +2406,14 @@ spec:
targetPort: https
selector:
app: kyverno
app.kubernetes.io/name: kyverno
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
name: kyverno
namespace: kyverno
spec:
@ -2418,10 +2421,12 @@ spec:
selector:
matchLabels:
app: kyverno
app.kubernetes.io/name: kyverno
template:
metadata:
labels:
app: kyverno
app.kubernetes.io/name: kyverno
spec:
containers:
- args:
@ -2436,7 +2441,7 @@ spec:
fieldPath: metadata.namespace
- name: KYVERNO_SVC
value: kyverno-svc
image: ghcr.io/kyverno/kyverno:v1.3.5-rc3
image: ghcr.io/kyverno/kyverno:v1.3.6
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 2
@ -2478,9 +2483,16 @@ spec:
readOnlyRootFilesystem: true
runAsNonRoot: true
initContainers:
- image: ghcr.io/kyverno/kyvernopre:v1.3.5-rc3
- image: ghcr.io/kyverno/kyvernopre:v1.3.6
imagePullPolicy: IfNotPresent
name: kyverno-pre
resources:
limits:
cpu: 100m
memory: 256Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
@ -2491,4 +2503,4 @@ spec:
runAsNonRoot: true
securityContext:
runAsNonRoot: true
serviceAccountName: kyverno-service-account
serviceAccountName: kyverno-service-account

21
go.mod
View file

@ -13,7 +13,8 @@ require (
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
github.com/go-git/go-billy/v5 v5.0.0
github.com/go-git/go-git/v5 v5.2.0
github.com/go-logr/logr v0.3.0
github.com/go-logr/logr v0.4.0
github.com/google/uuid v1.1.2
github.com/googleapis/gnostic v0.5.4
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
github.com/julienschmidt/httprouter v1.3.0
@ -25,23 +26,22 @@ require (
github.com/onsi/ginkgo v1.14.1
github.com/onsi/gomega v1.10.2
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.0.1 // indirect
github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
github.com/patrickmn/go-cache v2.1.0+incompatible
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.6.0 // indirect
github.com/prometheus/client_golang v1.7.1
github.com/spf13/cobra v1.1.1
github.com/stretchr/testify v1.6.1
gopkg.in/yaml.v2 v2.3.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
gotest.tools v2.2.0+incompatible
k8s.io/api v0.20.2
k8s.io/apiextensions-apiserver v0.20.2
k8s.io/apimachinery v0.20.2
k8s.io/api v0.21.0
k8s.io/apiextensions-apiserver v0.21.0
k8s.io/apimachinery v0.21.0
k8s.io/cli-runtime v0.20.2
k8s.io/client-go v0.20.2
k8s.io/klog/v2 v2.4.0
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd
k8s.io/client-go v0.21.0
k8s.io/klog/v2 v2.8.0
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7
sigs.k8s.io/controller-runtime v0.8.1
sigs.k8s.io/kustomize/api v0.7.0
sigs.k8s.io/kustomize/kyaml v0.10.3
@ -51,6 +51,7 @@ require (
// Added for go1.13 migration https://github.com/golang/go/issues/32805
replace (
github.com/gorilla/rpc v1.2.0+incompatible => github.com/gorilla/rpc v1.2.0
github.com/jmespath/go-jmespath => github.com/kyverno/go-jmespath v0.4.1-0.20210302163943-f30eab0a3ed6
k8s.io/code-generator => k8s.io/code-generator v0.0.0-20200306081859-6a048a382944
k8s.io/component-base => k8s.io/component-base v0.0.0-20190612130303-4062e14deebe
)

84
go.sum
View file

@ -33,6 +33,7 @@ github.com/Azure/go-autorest v11.7.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSW
github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
github.com/Azure/go-autorest/autorest v0.11.1/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw=
github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0=
github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg=
github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
@ -53,6 +54,7 @@ github.com/Masterminds/semver v1.4.2 h1:WBLTQ37jOCzSLtXNdoo8bNM8876KhNqOKvrlGITg
github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
github.com/Masterminds/sprig v2.16.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OpenPeeDeeP/depguard v1.0.1/go.mod h1:xsIw86fROiiwelg+jB2uM9PiKihMMmUx/1V+TNhjQvM=
github.com/PuerkitoBio/goquery v1.5.0/go.mod h1:qD2PgZ9lccMbQlc7eEOjaeRlFQON7xY8kdmcsrnKqMg=
@ -92,6 +94,7 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
@ -99,6 +102,7 @@ github.com/bcicen/jstream v0.0.0-20190220045926-16c1f8af81c2/go.mod h1:RDu/qcrnp
github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d/go.mod h1:6QX/PXZ00z/TKoufEY6K/a0k6AhaJrQKdFe6OfVXsa4=
github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
@ -110,7 +114,9 @@ github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEe
github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cheggaaa/pb v1.0.28/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@ -235,8 +241,9 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v0.3.0 h1:q4c+kbcR0d5rSurhBR8dIgieOaYpXtsdTYfx22Cu6rs=
github.com/go-logr/logr v0.3.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/zapr v0.2.0/go.mod h1:qhKdvif7YF5GI9NWEpyxTSSBdGmzkNguibrdCNVPunU=
github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
@ -314,8 +321,9 @@ github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@ -476,8 +484,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOl
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
github.com/jcmturner/gofork v0.0.0-20190328161633-dc7c13fece03/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@ -498,6 +506,7 @@ github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd h1:Coekwdh0v
github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
@ -511,8 +520,6 @@ github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQ
github.com/klauspost/readahead v1.3.1/go.mod h1:AH9juHzNH7xqdqFHrMRSHeH2Ps+vFf+kblDqzPFiLJg=
github.com/klauspost/reedsolomon v1.9.3/go.mod h1:CwCi+NUr9pqSVktrkN+Ondf06rkhYZ/pcNv7fu+8Un4=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
@ -523,6 +530,8 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kurin/blazer v0.5.4-0.20190613185654-cf2f27cc0be3/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
github.com/kyverno/go-jmespath v0.4.1-0.20210302163943-f30eab0a3ed6 h1:9rJUAc/XxL6wV4i+3X56wcRM8tDhoo0l7DIieuXPGfk=
github.com/kyverno/go-jmespath v0.4.1-0.20210302163943-f30eab0a3ed6/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7 h1:k/1ku0yehLCPqERCHkIHMDqDg1R02AcCScRuHbamU3s=
github.com/lensesio/tableprinter v0.0.0-20201125135848-89e81fc956e7/go.mod h1:YR/zYthNdWfO8+0IOyHDcIDBBBS2JMnYUIwSsnwmRqU=
github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@ -563,6 +572,7 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
github.com/mattn/go-runewidth v0.0.4 h1:2BvfKmzob6Bmd4YsL0zygOqfdFnK7GR4QL06Do4/p7Y=
github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.8/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@ -592,8 +602,10 @@ github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUb
github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg=
github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY=
github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@ -652,8 +664,6 @@ github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs=
github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.0.1 h1:JMemWkRwHx4Zj+fVxWoMCFm/8sYGGrUVojFA6h/TRcI=
github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6 h1:lNCW6THrCKBiJBpz8kbVGjC7MgdCGKwuvBgc7LoD6sw=
github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@ -682,23 +692,27 @@ github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4
github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_golang v1.7.1 h1:NTGy1Ja9pByO+xAeH/qiWnLrKtr3hJPNjaVUwnjpdpA=
github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
github.com/prometheus/common v0.10.0 h1:RyRA7RzGXQZiW+tGMr7sxa85G1z0yOpM1qq5c8lNawc=
github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8=
github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/qri-io/starlib v0.4.2-0.20200213133954-ff2e8cd5ef8d/go.mod h1:7DPO4domFU579Ga6E61sB9VFNaniPVwJP5C4bBCu3wA=
@ -734,6 +748,8 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/skyrings/skyring-common v0.0.0-20160929130248-d1c0bb1cbd5e/go.mod h1:d8hQseuYt4rJoOo21lFzYJdhMjmDqLY++ayArbgYjWI=
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
github.com/smartystreets/assertions v0.0.0-20190401211740-f487f9de1cd3/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
@ -808,6 +824,8 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q
github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca h1:1CFlNzQhALwjS9mBAUkycX616GzgsuYUOCHA5+HSlXI=
github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca/go.mod h1:ce1O1j6UtZfjr22oyGxGLbauSBp2YVXpARAosm7dHBg=
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yujunz/go-getter v1.5.1-lite.0.20201201013212-6d9c071adddf/go.mod h1:bL0Pr07HEdsMZ1WBqZIxXj96r5LnFsY4LgPaPEGkw1k=
go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
@ -857,8 +875,9 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE=
golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g=
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -888,6 +907,7 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -926,8 +946,10 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210224082022-3d97a244fca7 h1:OgUuv8lsRpBibGNbSizVwKWlysjaNzmC9gYMhPVfqFM=
golang.org/x/net v0.0.0-20210224082022-3d97a244fca7/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -941,6 +963,7 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -991,8 +1014,14 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073 h1:8qxJSnu+7dRq6upnbntrmriWByIakBuct5OM/MdQC1M=
golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d h1:SZxvLBoTP5yHO3Frd4z4vrF+DBX9vMVanchswa69toE=
golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1006,8 +1035,9 @@ golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxb
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s=
golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba h1:O8mE0/t419eoIwhTFpKVkHiTs/Igowgfkj25AcZrtiE=
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -1061,6 +1091,8 @@ golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapK
golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -1171,8 +1203,9 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20190905181640-827449938966/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@ -1190,32 +1223,35 @@ k8s.io/api v0.0.0-20190918155943-95b840bb6a1f/go.mod h1:uWuOHnjmNrtQomJrvEBg0c0H
k8s.io/api v0.16.4/go.mod h1:AtzMnsR45tccQss5q8RnF+W8L81DH6XwXwo/joEx9u0=
k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI=
k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
k8s.io/api v0.20.2 h1:y/HR22XDZY3pniu9hIFDLpUCPq2w5eQ6aV/VFQ7uJMw=
k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
k8s.io/api v0.21.0 h1:gu5iGF4V6tfVCQ/R+8Hc0h7H1JuEhzyEi9S4R5LM8+Y=
k8s.io/api v0.21.0/go.mod h1:+YbrhBBGgsxbF6o6Kj4KJPJnBmAKuXDeS3E18bgHNVU=
k8s.io/apiextensions-apiserver v0.0.0-20190918161926-8f644eb6e783/go.mod h1:xvae1SZB3E17UpV59AWc271W/Ph25N+bjPyR63X6tPY=
k8s.io/apiextensions-apiserver v0.16.4/go.mod h1:HYQwjujEkXmQNhap2C9YDdIVOSskGZ3et0Mvjcyjbto=
k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk=
k8s.io/apiextensions-apiserver v0.20.2 h1:rfrMWQ87lhd8EzQWRnbQ4gXrniL/yTRBgYH1x1+BLlo=
k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs=
k8s.io/apiextensions-apiserver v0.21.0 h1:Nd4uBuweg6ImzbxkC1W7xUNZcCV/8Vt10iTdTIVF3hw=
k8s.io/apiextensions-apiserver v0.21.0/go.mod h1:gsQGNtGkc/YoDG9loKI0V+oLZM4ljRPjc/sql5tmvzc=
k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA=
k8s.io/apimachinery v0.0.0-20190913080033-27d36303b655/go.mod h1:nL6pwRT8NgfF8TT68DBI8uEePRt89cSvoXUVqbkWHq4=
k8s.io/apimachinery v0.16.4/go.mod h1:llRdnznGEAqC3DcNm6yEj472xaFVfLM7hnYofMb12tQ=
k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg=
k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.20.2 h1:hFx6Sbt1oG0n6DZ+g4bFt5f6BoMkOjKWsQFu077M3Vg=
k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
k8s.io/apimachinery v0.21.0 h1:3Fx+41if+IRavNcKOz09FwEXDBG6ORh6iMsTSelhkMA=
k8s.io/apimachinery v0.21.0/go.mod h1:jbreFvJo3ov9rj7eWT7+sYiRx+qZuCYXwWT1bcDswPY=
k8s.io/apiserver v0.0.0-20190918160949-bfa5e2e684ad/go.mod h1:XPCXEwhjaFN29a8NldXA901ElnKeKLrLtREO9ZhFyhg=
k8s.io/apiserver v0.16.4/go.mod h1:kbLJOak655g6W7C+muqu1F76u9wnEycfKMqbVaXIdAc=
k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA=
k8s.io/apiserver v0.21.0/go.mod h1:w2YSn4/WIwYuxG5zJmcqtRdtqgW/J2JRgFAqps3bBpg=
k8s.io/cli-runtime v0.20.2 h1:W0/FHdbApnl9oB7xdG643c/Zaf7TZT+43I+zKxwqvhU=
k8s.io/cli-runtime v0.20.2/go.mod h1:FjH6uIZZZP3XmwrXWeeYCbgxcrD6YXxoAykBaWH0VdM=
k8s.io/client-go v0.0.0-20190918160344-1fbdaa4c8d90/go.mod h1:J69/JveO6XESwVgG53q3Uz5OSfgsv4uxpScmmyYOOlk=
k8s.io/client-go v0.16.4/go.mod h1:ZgxhFDxSnoKY0J0U2/Y1C8obKDdlhGPZwA7oHH863Ok=
k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k=
k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
k8s.io/client-go v0.20.2 h1:uuf+iIAbfnCSw8IGAv/Rg0giM+2bOzHLOsbbrwrdhNQ=
k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
k8s.io/client-go v0.21.0 h1:n0zzzJsAQmJngpC0IhgFcApZyoGXPrDIAD601HD09ag=
k8s.io/client-go v0.21.0/go.mod h1:nNBytTF9qPFDEhoqgEPaarobC8QPae13bElIVHzIglA=
k8s.io/code-generator v0.0.0-20200306081859-6a048a382944/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc=
k8s.io/component-base v0.0.0-20190612130303-4062e14deebe/go.mod h1:MmIDXnint3qMN0cqXHKrSiJ2XQKo3J1BPIz7in7NvO0=
k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
@ -1230,14 +1266,16 @@ k8s.io/klog v0.4.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ=
k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.8.0 h1:Q3gmuM9hKEjefWFFYF0Mat+YyFJvsUyYuwyNNJ5C9Ts=
k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
k8s.io/kube-openapi v0.0.0-20190816220812-743ec37842bf/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E=
k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c=
k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7 h1:vEx13qjvaZ4yfObSSXW7BrMc/KQBBT/Jyee8XtLf4x0=
k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE=
k8s.io/metrics v0.16.4/go.mod h1:dckkfqvaASo+NrzEmp8ST8yCc9hGt7lx9ABAILyDHx8=
k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
k8s.io/utils v0.0.0-20190801114015-581e00157fb1/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
@ -1252,6 +1290,7 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.14/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.15/go.mod h1:LEScyzhFmoF5pso/YSeBstl57mOzx9xlU9n85RGrDQg=
sigs.k8s.io/controller-runtime v0.8.1 h1:O0K2CJ2JavK8/Tf4LfcpAwRxOFBhv8DjyrbmE6Qw59s=
sigs.k8s.io/controller-runtime v0.8.1/go.mod h1:U/l+DUopBc1ecfRZ5aviA9JDmGFQKvLf5YkZNx2e0sU=
sigs.k8s.io/controller-tools v0.2.4/go.mod h1:m/ztfQNocGYBgTTCmFdnK94uVvgxeZeE3LtJvd/jIzA=
@ -1266,8 +1305,9 @@ sigs.k8s.io/structured-merge-diff v0.0.0-20190817042607-6149e4549fca/go.mod h1:I
sigs.k8s.io/structured-merge-diff v1.0.1 h1:LOs1LZWMsz1xs77Phr/pkB4LFaavH7IVq/3+WTN9XTA=
sigs.k8s.io/structured-merge-diff v1.0.1/go.mod h1:IIgPezJWb76P0hotTxzDbWsMYB8APh18qZnxkomBpxA=
sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8=
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
sigs.k8s.io/structured-merge-diff/v4 v4.1.0 h1:C4r9BgJ98vrKnnVCjwCSXcWjWe0NKcUQkmzDXZXGwH8=
sigs.k8s.io/structured-merge-diff/v4 v4.1.0/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

31
pkg/common/common.go
View file

@ -2,6 +2,7 @@ package common
import (
"encoding/json"
"fmt"
"strings"
"github.com/go-logr/logr"
@ -77,3 +78,33 @@ func GetKindFromGVK(str string) (apiVersion string, kind string) {
}
return splitString[0] + "/" + splitString[1], splitString[2]
}
func VariableToJSON(key, value string) []byte {
var subString string
splitBySlash := strings.Split(key, "\"")
if len(splitBySlash) > 1 {
subString = splitBySlash[1]
}
startString := ""
endString := ""
lenOfVariableString := 0
addedSlashString := false
for _, k := range strings.Split(splitBySlash[0], ".") {
if k != "" {
startString += fmt.Sprintf(`{"%s":`, k)
endString += `}`
lenOfVariableString = lenOfVariableString + len(k) + 1
if lenOfVariableString >= len(splitBySlash[0]) && len(splitBySlash) > 1 && !addedSlashString {
startString += fmt.Sprintf(`{"%s":`, subString)
endString += `}`
addedSlashString = true
}
}
}
midString := fmt.Sprintf(`"%s"`, strings.Replace(value, `"`, `\"`, -1))
finalString := startString + midString + endString
var jsonData = []byte(finalString)
return jsonData
}

4
pkg/engine/context/evaluate.go
View file

@ -5,7 +5,7 @@ import (
"fmt"
"strings"
jmespath "github.com/jmespath/go-jmespath"
jmespath "github.com/kyverno/kyverno/pkg/engine/jmespath"
)
//Query the JSON context with JMESPATH search path
@ -25,7 +25,7 @@ func (ctx *Context) Query(query string) (interface{}, error) {
}
// compile the query
queryPath, err := jmespath.Compile(query)
queryPath, err := jmespath.New(query)
if err != nil {
ctx.log.Error(err, "incorrect query", "query", query)
return emptyResult, fmt.Errorf("incorrect query %s: %v", query, err)

15
pkg/engine/forceMutate.go
View file

@ -3,6 +3,7 @@ package engine
import (
"fmt"
"github.com/ghodss/yaml"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/mutate"
@ -86,6 +87,20 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour
return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
}
}
if rule.Mutation.PatchesJSON6902 != "" {
var resp response.RuleResponse
jsonPatches, err := yaml.YAMLToJSON([]byte(rule.Mutation.PatchesJSON6902))
if err != nil {
return unstructured.Unstructured{}, err
}
resp, resource = mutate.ProcessPatchJSON6902(rule.Name, jsonPatches, resource, logger.WithValues("rule", rule.Name))
if !resp.Success {
return unstructured.Unstructured{}, fmt.Errorf(resp.Message)
}
}
}
return resource, nil

106
pkg/engine/forceMutate_test.go
View file

@ -8,6 +8,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/utils"
"gotest.tools/assert"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
var rawPolicy = []byte(`
@ -148,3 +149,108 @@ func Test_ForceMutateSubstituteVarsWithNilContext(t *testing.T) {
assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent())
}
func Test_ForceMutateSubstituteVarsWithPatchesJson6902(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "insert-container"
},
"spec": {
"rules": [
{
"name": "insert-container",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"mutate": {
"patchesJson6902": "- op: add\n path: \"/spec/template/spec/containers/0/command/0\"\n value: ls"
}
}
]
}
}
`)
rawResource := []byte(`
{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "myDeploy"
},
"spec": {
"replica": 2,
"template": {
"metadata": {
"labels": {
"old-label": "old-value"
}
},
"spec": {
"containers": [
{
"command": ["ll", "rm"],
"image": "nginx",
"name": "nginx"
}
]
}
}
}
}
`)
rawExpected := []byte(`
{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "myDeploy"
},
"spec": {
"replica": 2,
"template": {
"metadata": {
"labels": {
"old-label": "old-value"
}
},
"spec": {
"containers": [
{
"command": ["ls", "ll", "rm"],
"image": "nginx",
"name": "nginx"
}
]
}
}
}
}
`)
var expectedResource unstructured.Unstructured
assert.NilError(t, json.Unmarshal(rawExpected, &expectedResource))
var policy kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
assert.NilError(t, err)
ctx := context.NewContext()
err = ctx.AddResource(rawResource)
assert.NilError(t, err)
mutatedResource, err := ForceMutate(ctx, policy, *resourceUnstructured)
assert.NilError(t, err)
assert.DeepEqual(t, expectedResource.UnstructuredContent(), mutatedResource.UnstructuredContent())
}

16
pkg/engine/generation.go
View file

@ -14,10 +14,11 @@ import (
// - the caller has to check the ruleResponse to determine whether the path exist
// 2. returns the list of rules that are applicable on this policy and resource, if 1 succeed
func Generate(policyContext *PolicyContext) (resp *response.EngineResponse) {
return filterRules(policyContext)
policyStartTime := time.Now()
return filterRules(policyContext, policyStartTime)
}
func filterRules(policyContext *PolicyContext) *response.EngineResponse {
func filterRules(policyContext *PolicyContext, startTime time.Time) *response.EngineResponse {
kind := policyContext.NewResource.GetKind()
name := policyContext.NewResource.GetName()
namespace := policyContext.NewResource.GetNamespace()
@ -25,6 +26,9 @@ func filterRules(policyContext *PolicyContext) *response.EngineResponse {
resp := &response.EngineResponse{
PolicyResponse: response.PolicyResponse{
Policy: policyContext.Policy.Name,
PolicyStats: response.PolicyStats{
PolicyExecutionTimestamp: startTime.Unix(),
},
Resource: response.ResourceSpec{
Kind: kind,
Name: name,
@ -76,7 +80,8 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR
Type: "Generation",
Success: false,
RuleStats: response.RuleStats{
ProcessingTime: time.Since(startTime),
ProcessingTime: time.Since(startTime),
RuleExecutionTimestamp: startTime.Unix(),
},
}
}
@ -87,7 +92,7 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR
policyContext.JSONContext.Checkpoint()
defer policyContext.JSONContext.Restore()
if err := LoadContext(logger, rule.Context, resCache, policyContext); err != nil {
if err := LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil {
logger.V(4).Info("cannot add external data to the context", "reason", err.Error())
return nil
}
@ -111,7 +116,8 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR
Type: "Generation",
Success: true,
RuleStats: response.RuleStats{
ProcessingTime: time.Since(startTime),
ProcessingTime: time.Since(startTime),
RuleExecutionTimestamp: startTime.Unix(),
},
}
}

413
pkg/engine/jmespath/functions.go Normal file
View file

@ -0,0 +1,413 @@
package jmespath
import (
"errors"
"fmt"
"reflect"
"regexp"
"strconv"
"strings"
gojmespath "github.com/jmespath/go-jmespath"
)
var (
JpObject = gojmespath.JpObject
JpString = gojmespath.JpString
JpNumber = gojmespath.JpNumber
JpArray = gojmespath.JpArray
JpArrayString = gojmespath.JpArrayString
)
type (
JpType = gojmespath.JpType
ArgSpec = gojmespath.ArgSpec
)
// function names
var (
compare = "compare"
contains = "contains"
equalFold = "equal_fold"
replace = "replace"
replaceAll = "replace_all"
toUpper = "to_upper"
toLower = "to_lower"
trim = "trim"
split = "split"
equals = "equals"
regexReplaceAll = "regex_replace_all"
regexReplaceAllLiteral = "regex_replace_all_literal"
regexMatch = "regex_match"
labelMatch = "label_match"
)
const errorPrefix = "JMESPath function '%s': "
const invalidArgumentTypeError = errorPrefix + "%d argument is expected of %s type"
const genericError = errorPrefix + "%s"
func getFunctions() []*gojmespath.FunctionEntry {
return []*gojmespath.FunctionEntry{
{
Name: compare,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
},
Handler: jpfCompare,
},
{
Name: contains,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
},
Handler: jpfContains,
},
{
Name: equalFold,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
},
Handler: jpfEqualFold,
},
{
Name: replace,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
{Types: []JpType{JpNumber}},
},
Handler: jpfReplace,
},
{
Name: replaceAll,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
},
Handler: jpfReplaceAll,
},
{
Name: toUpper,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
},
Handler: jpfToUpper,
},
{
Name: toLower,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
},
Handler: jpfToLower,
},
{
Name: trim,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
},
Handler: jpfTrim,
},
{
Name: split,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString}},
},
Handler: jpfSplit,
},
{
Name: regexReplaceAll,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString, JpNumber}},
{Types: []JpType{JpString, JpNumber}},
},
Handler: jpRegexReplaceAll,
},
{
Name: regexReplaceAllLiteral,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString, JpNumber}},
{Types: []JpType{JpString, JpNumber}},
},
Handler: jpRegexReplaceAllLiteral,
},
{
Name: regexMatch,
Arguments: []ArgSpec{
{Types: []JpType{JpString}},
{Types: []JpType{JpString, JpNumber}},
},
Handler: jpRegexMatch,
},
{
// Validates if label (param1) would match pod/host/etc labels (param2)
Name: labelMatch,
Arguments: []ArgSpec{
{Types: []JpType{JpObject}},
{Types: []JpType{JpObject}},
},
Handler: jpLabelMatch,
},
}
}
func jpfCompare(arguments []interface{}) (interface{}, error) {
var err error
a, err := validateArg(compare, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
b, err := validateArg(compare, arguments, 1, reflect.String)
if err != nil {
return nil, err
}
return strings.Compare(a.String(), b.String()), nil
}
func jpfContains(arguments []interface{}) (interface{}, error) {
var err error
str, err := validateArg(contains, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
substr, err := validateArg(contains, arguments, 1, reflect.String)
if err != nil {
return nil, err
}
return strings.Contains(str.String(), substr.String()), nil
}
func jpfEqualFold(arguments []interface{}) (interface{}, error) {
var err error
a, err := validateArg(equalFold, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
b, err := validateArg(equalFold, arguments, 1, reflect.String)
if err != nil {
return nil, err
}
return strings.EqualFold(a.String(), b.String()), nil
}
func jpfReplace(arguments []interface{}) (interface{}, error) {
var err error
str, err := validateArg(replace, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
old, err := validateArg(replace, arguments, 1, reflect.String)
if err != nil {
return nil, err
}
new, err := validateArg(replace, arguments, 2, reflect.String)
if err != nil {
return nil, err
}
n, err := validateArg(replace, arguments, 3, reflect.Float64)
if err != nil {
return nil, err
}
return strings.Replace(str.String(), old.String(), new.String(), int(n.Float())), nil
}
func jpfReplaceAll(arguments []interface{}) (interface{}, error) {
var err error
str, err := validateArg(replaceAll, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
old, err := validateArg(replaceAll, arguments, 1, reflect.String)
if err != nil {
return nil, err
}
new, err := validateArg(replaceAll, arguments, 2, reflect.String)
if err != nil {
return nil, err
}
return strings.ReplaceAll(str.String(), old.String(), new.String()), nil
}
func jpfToUpper(arguments []interface{}) (interface{}, error) {
var err error
str, err := validateArg(toUpper, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
return strings.ToUpper(str.String()), nil
}
func jpfToLower(arguments []interface{}) (interface{}, error) {
var err error
str, err := validateArg(toLower, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
return strings.ToLower(str.String()), nil
}
func jpfTrim(arguments []interface{}) (interface{}, error) {
var err error
str, err := validateArg(trim, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
cutset, err := validateArg(trim, arguments, 1, reflect.String)
if err != nil {
return nil, err
}
return strings.Trim(str.String(), cutset.String()), nil
}
func jpfSplit(arguments []interface{}) (interface{}, error) {
var err error
str, err := validateArg(split, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
sep, err := validateArg(split, arguments, 1, reflect.String)
if err != nil {
return nil, err
}
return strings.Split(str.String(), sep.String()), nil
}
func jpRegexReplaceAll(arguments []interface{}) (interface{}, error) {
var err error
regex, err := validateArg(regexReplaceAll, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
src, err := ifaceToString(arguments[1])
if err != nil {
return nil, fmt.Errorf(invalidArgumentTypeError, regexReplaceAll, 2, "String or Real")
}
repl, err := ifaceToString(arguments[2])
if err != nil {
return nil, fmt.Errorf(invalidArgumentTypeError, regexReplaceAll, 3, "String or Real")
}
reg, err := regexp.Compile(regex.String())
if err != nil {
return nil, fmt.Errorf(genericError, regexReplaceAll, err.Error())
}
return string(reg.ReplaceAll([]byte(src), []byte(repl))), nil
}
func jpRegexReplaceAllLiteral(arguments []interface{}) (interface{}, error) {
var err error
regex, err := validateArg(regexReplaceAllLiteral, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
src, err := ifaceToString(arguments[1])
if err != nil {
return nil, fmt.Errorf(invalidArgumentTypeError, regexReplaceAllLiteral, 2, "String or Real")
}
repl, err := ifaceToString(arguments[2])
if err != nil {
return nil, fmt.Errorf(invalidArgumentTypeError, regexReplaceAllLiteral, 3, "String or Real")
}
reg, err := regexp.Compile(regex.String())
if err != nil {
return nil, fmt.Errorf(genericError, regexReplaceAllLiteral, err.Error())
}
return string(reg.ReplaceAllLiteral([]byte(src), []byte(repl))), nil
}
func jpRegexMatch(arguments []interface{}) (interface{}, error) {
var err error
regex, err := validateArg(regexMatch, arguments, 0, reflect.String)
if err != nil {
return nil, err
}
src, err := ifaceToString(arguments[1])
if err != nil {
return nil, fmt.Errorf(invalidArgumentTypeError, regexMatch, 2, "String or Real")
}
return regexp.Match(regex.String(), []byte(src))
}
func jpLabelMatch(arguments []interface{}) (interface{}, error) {
labelMap, ok := arguments[0].(map[string]interface{})
if !ok {
return nil, fmt.Errorf(invalidArgumentTypeError, labelMatch, 0, "Object")
}
matchMap, ok := arguments[1].(map[string]interface{})
if !ok {
return nil, fmt.Errorf(invalidArgumentTypeError, labelMatch, 1, "Object")
}
for key, value := range labelMap {
if val, ok := matchMap[key]; !ok || val != value {
return false, nil
}
}
return true, nil
}
// InterfaceToString casts an interface to a string type
func ifaceToString(iface interface{}) (string, error) {
switch iface.(type) {
case int:
return strconv.Itoa(iface.(int)), nil
case float64:
return strconv.FormatFloat(iface.(float64), 'f', -1, 32), nil
case float32:
return strconv.FormatFloat(iface.(float64), 'f', -1, 32), nil
case string:
return iface.(string), nil
case bool:
return strconv.FormatBool(iface.(bool)), nil
default:
return "", errors.New("error, undefined type cast")
}
}
func validateArg(f string, arguments []interface{}, index int, expectedType reflect.Kind) (reflect.Value, error) {
arg := reflect.ValueOf(arguments[index])
if arg.Type().Kind() != expectedType {
return reflect.Value{}, fmt.Errorf(invalidArgumentTypeError, equalFold, index+1, expectedType.String())
}
return arg, nil
}

303
pkg/engine/jmespath/functions_test.go Normal file
View file

@ -0,0 +1,303 @@
package jmespath
import (
"encoding/json"
"testing"
"gotest.tools/assert"
)
func TestJMESPathFunctions_CompareEqualStrings(t *testing.T) {
jp, err := New("compare('a', 'a')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
equal, ok := result.(int)
assert.Assert(t, ok)
assert.Equal(t, equal, 0)
}
func TestJMESPathFunctions_CompareDifferentStrings(t *testing.T) {
jp, err := New("compare('a', 'b')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
equal, ok := result.(int)
assert.Assert(t, ok)
assert.Equal(t, equal, -1)
}
func TestJMESPathFunctions_Contains(t *testing.T) {
jp, err := New("contains('string', 'str')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
contains, ok := result.(bool)
assert.Assert(t, ok)
assert.Assert(t, contains)
}
func TestJMESPathFunctions_EqualFold(t *testing.T) {
jp, err := New("equal_fold('Go', 'go')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
equal, ok := result.(bool)
assert.Assert(t, ok)
assert.Assert(t, equal)
}
func TestJMESPathFunctions_Replace(t *testing.T) {
// Can't use integer literals due to
// https://github.com/jmespath/go-jmespath/issues/27
//
// TODO: fix this in https://github.com/kyverno/go-jmespath
//
jp, err := New("replace('Lorem ipsum dolor sit amet', 'ipsum', 'muspi', `-1`)")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
replaced, ok := result.(string)
assert.Assert(t, ok)
assert.Equal(t, replaced, "Lorem muspi dolor sit amet")
}
func TestJMESPathFunctions_ReplaceAll(t *testing.T) {
jp, err := New("replace_all('Lorem ipsum dolor sit amet', 'ipsum', 'muspi')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
replaced, ok := result.(string)
assert.Assert(t, ok)
assert.Equal(t, replaced, "Lorem muspi dolor sit amet")
}
func TestJMESPathFunctions_ToUpper(t *testing.T) {
jp, err := New("to_upper('abc')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
upper, ok := result.(string)
assert.Assert(t, ok)
assert.Equal(t, upper, "ABC")
}
func TestJMESPathFunctions_ToLower(t *testing.T) {
jp, err := New("to_lower('AbC')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
lower, ok := result.(string)
assert.Assert(t, ok)
assert.Equal(t, lower, "abc")
}
func TestJMESPathFunctions_Trim(t *testing.T) {
jp, err := New("trim('¡¡¡Hello, Gophers!!!', '!¡')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
trim, ok := result.(string)
assert.Assert(t, ok)
assert.Equal(t, trim, "Hello, Gophers")
}
func TestJMESPathFunctions_Split(t *testing.T) {
jp, err := New("split('Hello, Gophers', ', ')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
split, ok := result.([]string)
assert.Assert(t, ok)
assert.Equal(t, split[0], "Hello")
assert.Equal(t, split[1], "Gophers")
}
func TestJMESPathFunctions_HasPrefix(t *testing.T) {
jp, err := New("starts_with('Gophers', 'Go')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
split, ok := result.(bool)
assert.Assert(t, ok)
assert.Equal(t, split, true)
}
func TestJMESPathFunctions_HasSuffix(t *testing.T) {
jp, err := New("ends_with('Amigo', 'go')")
assert.NilError(t, err)
result, err := jp.Search("")
assert.NilError(t, err)
split, ok := result.(bool)
assert.Assert(t, ok)
assert.Equal(t, split, true)
}
func Test_regexMatch(t *testing.T) {
data := make(map[string]interface{})
data["foo"] = "hgf'b1a2r'b12g"
query, err := New("regex_match('12.*', foo)")
assert.NilError(t, err)
result, err := query.Search(data)
assert.NilError(t, err)
assert.Equal(t, true, result)
}
func Test_regexMatchWithNumber(t *testing.T) {
data := make(map[string]interface{})
data["foo"] = -12.0
query, err := New("regex_match('12.*', abs(foo))")
assert.NilError(t, err)
result, err := query.Search(data)
assert.NilError(t, err)
assert.Equal(t, true, result)
}
func Test_regexReplaceAll(t *testing.T) {
resourceRaw := []byte(`
{
"metadata": {
"name": "temp",
"namespace": "ns_first"
},
"spec": {
"namespace": "ns_first",
"name": "temp_other",
"field" : "Hello world, helworldlo"
}
}
`)
expected := "Glo world, Gworldlo"
var resource interface{}
err := json.Unmarshal(resourceRaw, &resource)
assert.NilError(t, err)
query, err := New(`regex_replace_all('([Hh]e|G)l', spec.field, '${2}G')`)
assert.NilError(t, err)
res, err := query.Search(resource)
assert.NilError(t, err)
result, ok := res.(string)
assert.Assert(t, ok)
assert.Equal(t, string(result), expected)
}
func Test_regexReplaceAllLiteral(t *testing.T) {
resourceRaw := []byte(`
{
"metadata": {
"name": "temp",
"namespace": "ns_first"
},
"spec": {
"namespace": "ns_first",
"name": "temp_other",
"field" : "Hello world, helworldlo"
}
}
`)
expected := "Glo world, Gworldlo"
var resource interface{}
err := json.Unmarshal(resourceRaw, &resource)
assert.NilError(t, err)
query, err := New(`regex_replace_all_literal('[Hh]el?', spec.field, 'G')`)
assert.NilError(t, err)
res, err := query.Search(resource)
assert.NilError(t, err)
result, ok := res.(string)
assert.Assert(t, ok)
assert.Equal(t, string(result), expected)
}
func Test_labelMatch(t *testing.T) {
resourceRaw := []byte(`
{
"metadata": {
"labels": {
"app": "test-app",
"controller-name": "test-controller"
}
}
}
`)
testCases := []struct {
resource []byte
test string
expectedResult bool
}{
{
resource: resourceRaw,
test: `{ "app": "test-app" }`,
expectedResult: true,
},
{
resource: resourceRaw,
test: `{ "app": "test-app", "controller-name": "test-controller" }`,
expectedResult: true,
},
{
resource: resourceRaw,
test: `{ "app": "test-app2" }`,
expectedResult: false,
},
{
resource: resourceRaw,
test: `{ "app.kubernetes.io/name": "test-app" }`,
expectedResult: false,
},
}
for _, testCase := range testCases {
var resource interface{}
err := json.Unmarshal(testCase.resource, &resource)
assert.NilError(t, err)
query, err := New("label_match(`" + testCase.test + "`, metadata.labels)")
assert.NilError(t, err)
res, err := query.Search(resource)
assert.NilError(t, err)
result, ok := res.(bool)
assert.Assert(t, ok)
assert.Equal(t, result, testCase.expectedResult)
}
}

18
pkg/engine/jmespath/new.go Normal file
View file

@ -0,0 +1,18 @@
package jmespath
import (
gojmespath "github.com/jmespath/go-jmespath"
)
func New(query string) (*gojmespath.JMESPath, error) {
jp, err := gojmespath.Compile(query)
if err != nil {
return nil, err
}
for _, function := range getFunctions() {
jp.Register(function)
}
return jp, nil
}

56
pkg/engine/jsonContext.go
View file

@ -8,41 +8,59 @@ import (
"strings"
"github.com/go-logr/logr"
"github.com/jmespath/go-jmespath"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
pkgcommon "github.com/kyverno/kyverno/pkg/common"
"github.com/kyverno/kyverno/pkg/engine/context"
jmespath "github.com/kyverno/kyverno/pkg/engine/jmespath"
"github.com/kyverno/kyverno/pkg/engine/variables"
"github.com/kyverno/kyverno/pkg/kyverno/store"
"github.com/kyverno/kyverno/pkg/resourcecache"
"k8s.io/client-go/dynamic/dynamiclister"
)
// LoadContext - Fetches and adds external data to the Context.
func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resCache resourcecache.ResourceCache, ctx *PolicyContext) error {
func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, resCache resourcecache.ResourceCache, ctx *PolicyContext, ruleName string) error {
if len(contextEntries) == 0 {
return nil
}
// get GVR Cache for "configmaps"
// can get cache for other resources if the informers are enabled in resource cache
gvrC, ok := resCache.GetGVRCache("ConfigMap")
if !ok {
return errors.New("configmaps GVR Cache not found")
}
policyName := ctx.Policy.Name
if store.GetMock() {
rule := store.GetPolicyRuleFromContext(policyName, ruleName)
if len(rule.Values) == 0 {
return fmt.Errorf("No values found for policy %s rule %s", policyName, ruleName)
}
variables := rule.Values
lister := gvrC.Lister()
for _, entry := range contextEntries {
if entry.ConfigMap != nil {
if err := loadConfigMap(logger, entry, lister, ctx.JSONContext); err != nil {
return err
}
} else if entry.APICall != nil {
if err := loadAPIData(logger, entry, ctx); err != nil {
for key, value := range variables {
jsonData := pkgcommon.VariableToJSON(key, value)
if err := ctx.JSONContext.AddJSON(jsonData); err != nil {
return err
}
}
}
} else {
// get GVR Cache for "configmaps"
// can get cache for other resources if the informers are enabled in resource cache
gvrC, ok := resCache.GetGVRCache("ConfigMap")
if !ok {
return errors.New("configmaps GVR Cache not found")
}
lister := gvrC.Lister()
for _, entry := range contextEntries {
if entry.ConfigMap != nil {
if err := loadConfigMap(logger, entry, lister, ctx.JSONContext); err != nil {
return err
}
} else if entry.APICall != nil {
if err := loadAPIData(logger, entry, ctx); err != nil {
return err
}
}
}
}
return nil
}
@ -88,7 +106,7 @@ func loadAPIData(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyCont
}
func applyJMESPath(jmesPath string, jsonData []byte) (interface{}, error) {
jp, err := jmespath.Compile(jmesPath)
jp, err := jmespath.New(jmesPath)
if err != nil {
return nil, fmt.Errorf("failed to compile JMESPath: %s, error: %v", jmesPath, err)
}

1
pkg/engine/mutate/overlay.go
View file

@ -28,6 +28,7 @@ func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resou
resp.Type = utils.Mutation.String()
defer func() {
resp.RuleStats.ProcessingTime = time.Since(startTime)
resp.RuleStats.RuleExecutionTimestamp = startTime.Unix()
logger.V(4).Info("finished applying overlay rule", "processingTime", resp.RuleStats.ProcessingTime.String())
}()

1
pkg/engine/mutate/patchJson6902.go
View file

@ -21,6 +21,7 @@ func ProcessPatchJSON6902(ruleName string, patchesJSON6902 []byte, resource unst
resp.Type = utils.Mutation.String()
defer func() {
resp.RuleStats.ProcessingTime = time.Since(startTime)
resp.RuleStats.RuleExecutionTimestamp = startTime.Unix()
logger.V(4).Info("applied JSON6902 patch", "processingTime", resp.RuleStats.ProcessingTime.String())
}()

1
pkg/engine/mutate/patches.go
View file

@ -28,6 +28,7 @@ func ProcessPatches(log logr.Logger, ruleName string, mutation kyverno.Mutation,
resp.Type = utils.Mutation.String()
defer func() {
resp.RuleStats.ProcessingTime = time.Since(startTime)
resp.RuleStats.RuleExecutionTimestamp = startTime.Unix()
logger.V(4).Info("applied JSON patch", "processingTime", resp.RuleStats.ProcessingTime.String())
}()

1
pkg/engine/mutate/strategicMergePatch.go
View file

@ -26,6 +26,7 @@ func ProcessStrategicMergePatch(ruleName string, overlay interface{}, resource u
defer func() {
resp.RuleStats.ProcessingTime = time.Since(startTime)
resp.RuleStats.RuleExecutionTimestamp = startTime.Unix()
logger.V(4).Info("finished applying strategicMerge patch", "processingTime", resp.RuleStats.ProcessingTime.String())
}()

9
pkg/engine/mutation.go
View file

@ -58,7 +58,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
// check if the resource satisfies the filter conditions defined in the rule
//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
// dont satisfy a policy rule resource description
// don't satisfy a policy rule resource description
excludeResource := []string{}
if len(policyContext.ExcludeGroupRole) > 0 {
excludeResource = policyContext.ExcludeGroupRole
@ -72,7 +72,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
logger.V(3).Info("matched mutate rule")
policyContext.JSONContext.Restore()
if err := LoadContext(logger, rule.Context, resCache, policyContext); err != nil {
if err := LoadContext(logger, rule.Context, resCache, policyContext, rule.Name); err != nil {
logger.Error(err, "failed to load context")
continue
}
@ -95,11 +95,13 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
Name: rule.Name,
Type: utils.Validation.String(),
Message: fmt.Sprintf("variable substitution failed for rule %s: %s", rule.Name, err.Error()),
Success: false,
Success: true,
}
incrementAppliedCount(resp)
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
logger.Error(err, "failed to substitute variables, skip current rule", "rule name", rule.Name)
continue
}
@ -145,5 +147,6 @@ func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse,
}
resp.PolicyResponse.ProcessingTime = time.Since(startTime)
resp.PolicyResponse.PolicyExecutionTimestamp = startTime.Unix()
logger.V(5).Info("finished processing policy", "processingTime", resp.PolicyResponse.ProcessingTime.String(), "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
}

104
pkg/engine/mutation_test.go
View file

@ -8,6 +8,7 @@ import (
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/kyverno/kyverno/pkg/kyverno/store"
"gotest.tools/assert"
)
@ -160,7 +161,108 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) {
JSONContext: ctx,
NewResource: *resourceUnstructured}
er := Mutate(policyContext)
expectedErrorStr := "variable substitution failed for rule test-path-not-exist: variable request.object.metadata.name1 not resolved at path /mutate/overlay/spec/name"
expectedErrorStr := "variable substitution failed for rule test-path-not-exist: NotFoundVariableErr, variable request.object.metadata.name1 not resolved at path /mutate/overlay/spec/name"
t.Log(er.PolicyResponse.Rules[0].Message)
assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)
}
func Test_variableSubstitutionCLI(t *testing.T) {
resourceRaw := []byte(`{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "nginx-config-test"
},
"spec": {
"containers": [
{
"image": "nginx:latest",
"name": "test-nginx"
}
]
}
}`)
policyraw := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "cm-variable-example"
},
"spec": {
"rules": [
{
"name": "example-configmap-lookup",
"context": [
{
"name": "dictionary",
"configMap": {
"name": "mycmap",
"namespace": "default"
}
}
],
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"mutate": {
"patchStrategicMerge": {
"metadata": {
"labels": {
"my-environment-name": "{{dictionary.data.env}}"
}
}
}
}
}
]
}
}`)
configMapVariableContext := store.Context{
Policies: []store.Policy{
{
Name: "cm-variable-example",
Rules: []store.Rule{
{
Name: "example-configmap-lookup",
Values: map[string]string{
"dictionary.data.env": "dev1",
},
},
},
},
},
}
expectedPatch := []byte(`{"op":"add","path":"/metadata/labels","value":{"my-environment-name":"dev1"}}`)
store.SetContext(configMapVariableContext)
store.SetMock(true)
var policy kyverno.ClusterPolicy
err := json.Unmarshal(policyraw, &policy)
assert.NilError(t, err)
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
assert.NilError(t, err)
ctx := context.NewContext()
err = ctx.AddResource(resourceRaw)
assert.NilError(t, err)
policyContext := &PolicyContext{
Policy: policy,
JSONContext: ctx,
NewResource: *resourceUnstructured,
}
er := Mutate(policyContext)
t.Log(string(expectedPatch))
t.Log(string(er.PolicyResponse.Rules[0].Patches[0]))
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches[0]) {
t.Error("patches dont match")
}
}

4
pkg/engine/response/response.go
View file

@ -52,6 +52,8 @@ type PolicyStats struct {
ProcessingTime time.Duration `json:"processingTime"`
// Count of rules that were applied successfully
RulesAppliedCount int `json:"rulesAppliedCount"`
// Timestamp of the instant the Policy was triggered
PolicyExecutionTimestamp int64 `json:"policyExecutionTimestamp"`
}
//RuleResponse details for each rule application
@ -79,6 +81,8 @@ func (rr RuleResponse) ToString() string {
type RuleStats struct {
// time required to apply the rule on the resource
ProcessingTime time.Duration `json:"processingTime"`
// Timestamp of the instant the rule got triggered
RuleExecutionTimestamp int64 `json:"ruleExecutionTimestamp"`
}
//IsSuccessful checks if any rule has failed or not

45
pkg/engine/utils_test.go
View file

@ -59,6 +59,51 @@ func TestMatchesResourceDescription(t *testing.T) {
Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterRoles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
areErrorsExpected: false,
},
{
Description: "Should pass since group, version, kind match",
AdmissionInfo: kyverno.RequestInfo{
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "apps/v1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
areErrorsExpected: false,
},
{
Description: "Should pass since version and kind match",
AdmissionInfo: kyverno.RequestInfo{
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "v1", "kind": "Pod", "metadata": { "name": "myapp-pod2", "labels": { "app": "myapp2" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx" } ] } }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "disallow-latest-tag", "annotations": { "policies.kyverno.io/category": "Workload Isolation", "policies.kyverno.io/description": "The ':latest' tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod." } }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "require-image-tag", "match": { "resources": { "kinds": [ "v1/Pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } } ] } }`),
areErrorsExpected: false,
},
{
Description: "Should fail since resource does not match ",
AdmissionInfo: kyverno.RequestInfo{
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{"apiVersion":"v1","kind":"Service","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`),
Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterRoles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
areErrorsExpected: true,
},
{
Description: "Should fail since version not match",
AdmissionInfo: kyverno.RequestInfo{
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "apiVersion": "apps/v1beta1", "kind": "Deployment", "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "name": "qos-demo", "labels": { "test": "qos" } }, "spec": { "replicas": 1, "selector": { "matchLabels": { "app": "nginx" } }, "template": { "metadata": { "creationTimestamp": "2020-09-21T12:56:35Z", "labels": { "app": "nginx" } }, "spec": { "containers": [ { "name": "nginx", "image": "nginx:latest", "resources": { "limits": { "cpu": "50m" } } } ]}}}}`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-qos" }, "spec": { "validationFailureAction": "enforce", "rules": [ { "name": "add-memory-limit", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "mutate": { "overlay": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "+(memory)": "300Mi", "+(cpu)": "100" } } } ] } } } } } }, { "name": "check-cpu-memory-limits", "match": { "resources": { "kinds": [ "apps/v1/Deployment" ], "selector": { "matchLabels": { "test": "qos" } } } }, "validate": { "message": "Resource limits are required for CPU and memory", "pattern": { "spec": { "template": { "spec": { "containers": [ { "(name)": "*", "resources": { "limits": { "memory": "?*", "cpu": "?*" } } } ] } } } } } } ] } }`),
areErrorsExpected: true,
},
{
Description: "Should fail since cluster role version not match",
AdmissionInfo: kyverno.RequestInfo{
ClusterRoles: []string{"admin"},
},
Resource: []byte(`{ "kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": { "name": "secret-reader-demo", "namespace": "default" }, "rules": [ { "apiGroups": [ "" ], "resources": [ "secrets" ], "verbs": [ "get", "watch", "list" ] } ] }`),
Policy: []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "check-host-path" }, "spec": { "validationFailureAction": "enforce", "background": true, "rules": [ { "name": "check-host-path", "match": { "resources": { "kinds": [ "rbac.authorization.k8s.io/v1beta1/ClusterRole" ] } }, "validate": { "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "hostPath": { "path": "" } } ] } } } } ] } }`),
areErrorsExpected: true,
},
}
for i, tc := range tcs {

20
pkg/engine/validate/validate.go
View file

@ -59,8 +59,18 @@ func validateResourceElement(log logr.Logger, resourceElement, patternElement, o
case string, float64, int, int64, bool, nil:
/*Analyze pattern */
if !ValidateValueWithPattern(log, resourceElement, patternElement) {
return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement)
switch resource := resourceElement.(type) {
case []interface{}:
for _, res := range resource {
if !ValidateValueWithPattern(log, res, patternElement) {
return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement)
}
}
return "", nil
default:
if !ValidateValueWithPattern(log, resourceElement, patternElement) {
return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement)
}
}
default:
@ -117,7 +127,6 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}
}
func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, originPattern interface{}, path string, ac *common.AnchorKey) (string, error) {
if 0 == len(patternArray) {
return path, fmt.Errorf("Pattern Array empty")
}
@ -130,6 +139,11 @@ func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, o
if err != nil {
return elemPath, err
}
case string, float64, int, int64, bool, nil:
elemPath, err := validateResourceElement(log, resourceArray, typedPatternElement, originPattern, path, ac)
if err != nil {
return elemPath, err
}
default:
// In all other cases - detect type and handle each array element with validateResourceElement
if len(resourceArray) >= len(patternArray) {

7
pkg/engine/validation.go
View file

@ -67,6 +67,7 @@ func buildResponse(logger logr.Logger, ctx *PolicyContext, resp *response.Engine
resp.PolicyResponse.Resource.APIVersion = resp.PatchedResource.GetAPIVersion()
resp.PolicyResponse.ValidationFailureAction = ctx.Policy.Spec.ValidationFailureAction
resp.PolicyResponse.ProcessingTime = time.Since(startTime)
resp.PolicyResponse.PolicyExecutionTimestamp = startTime.Unix()
}
func incrementAppliedCount(resp *response.EngineResponse) {
@ -97,7 +98,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
}
ctx.JSONContext.Restore()
if err := LoadContext(log, rule.Context, ctx.ResourceCache, ctx); err != nil {
if err := LoadContext(log, rule.Context, ctx.ResourceCache, ctx, rule.Name); err != nil {
log.Error(err, "failed to load context")
continue
}
@ -121,12 +122,13 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
Name: rule.Name,
Type: utils.Validation.String(),
Message: fmt.Sprintf("variable substitution failed for rule %s: %s", rule.Name, err.Error()),
Success: false,
Success: true,
}
incrementAppliedCount(resp)
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
log.Error(err, "failed to substitute variables, skip current rule", "rule name", rule.Name)
continue
}
@ -228,6 +230,7 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
resp.Type = utils.Validation.String()
defer func() {
resp.RuleStats.ProcessingTime = time.Since(startTime)
resp.RuleStats.RuleExecutionTimestamp = startTime.Unix()
logger.V(4).Info("finished processing rule", "processingTime", resp.RuleStats.ProcessingTime.String())
}()

392
pkg/engine/validation_test.go
View file

@ -7,6 +7,7 @@ import (
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/kyverno/kyverno/pkg/kyverno/store"
utils2 "github.com/kyverno/kyverno/pkg/utils"
"gotest.tools/assert"
"k8s.io/api/admission/v1beta1"
@ -713,6 +714,160 @@ func TestValidate_anchor_map_found_valid(t *testing.T) {
assert.Assert(t, er.IsSuccessful())
}
func TestValidate_inequality_List_Processing(t *testing.T) {
// anchor not present in resource
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "policy-secaas-k8s"
},
"spec": {
"rules": [
{
"name": "pod rule 2",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "pod: validate run as non root user",
"pattern": {
"spec": {
"=(supplementalGroups)": ">0"
}
}
}
}
]
}
} `)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "myapp-pod",
"labels": {
"app": "v1"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx"
}
],
"supplementalGroups": [
"2",
"5",
"10"
]
}
}
`)
var policy kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(&PolicyContext{Policy: policy, NewResource: *resourceUnstructured, JSONContext: context.NewContext()})
msgs := []string{"validation rule 'pod rule 2' passed."}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, er.IsSuccessful())
}
func TestValidate_inequality_List_ProcessingBrackets(t *testing.T) {
// anchor not present in resource
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "policy-secaas-k8s"
},
"spec": {
"rules": [
{
"name": "pod rule 2",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "pod: validate run as non root user",
"pattern": {
"spec": {
"=(supplementalGroups)": [
">0 & <100001"
]
}
}
}
}
]
}
} `)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "myapp-pod",
"labels": {
"app": "v1"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx"
}
],
"supplementalGroups": [
"2",
"5",
"10",
"100",
"10000",
"1000",
"543"
]
}
}
`)
var policy kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(&PolicyContext{Policy: policy, NewResource: *resourceUnstructured, JSONContext: context.NewContext()})
msgs := []string{"validation rule 'pod rule 2' passed."}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, er.IsSuccessful())
}
func TestValidate_anchor_map_found_invalid(t *testing.T) {
// anchor not present in resource
rawPolicy := []byte(`{
@ -1319,9 +1474,9 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) {
JSONContext: ctx,
NewResource: *resourceUnstructured}
er := Validate(policyContext)
assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
assert.Assert(t, er.PolicyResponse.Rules[0].Success)
assert.Equal(t, er.PolicyResponse.Rules[0].Message,
"variable substitution failed for rule test-path-not-exist: variable request.object.metadata.name1 not resolved at path /validate/pattern/spec/containers/0/name")
"variable substitution failed for rule test-path-not-exist: NotFoundVariableErr, variable request.object.metadata.name1 not resolved at path /validate/pattern/spec/containers/0/name")
}
func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfiesButSubstitutionFails(t *testing.T) {
@ -1406,13 +1561,72 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfiesButSu
err = ctx.AddResource(resourceRaw)
assert.NilError(t, err)
policyContext := &PolicyContext{
Policy: policy,
JSONContext: ctx,
NewResource: *resourceUnstructured}
er := Validate(policyContext)
assert.Assert(t, er.PolicyResponse.Rules[0].Success)
assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: NotFoundVariableErr, variable request.object.metadata.name1 not resolved at path /validate/anyPattern/0/spec/template/spec/containers/0/name")
}
func Test_VariableSubstitution_NotOperatorWithStringVariable(t *testing.T) {
resourceRaw := []byte(`{
"apiVersion": "v1",
"kind": "Deployment",
"metadata": {
"name": "test"
},
"spec": {
"content": "sample text"
}
}`)
policyraw := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "substitute-variable"
},
"spec": {
"rules": [
{
"name": "not-operator-with-variable-should-alway-fail-validation",
"match": {
"resources": {
"kinds": [
"Deployment"
]
}
},
"validate": {
"pattern": {
"spec": {
"content": "!{{ request.object.spec.content }}"
}
}
}
}
]
}
}`)
var policy kyverno.ClusterPolicy
assert.NilError(t, json.Unmarshal(policyraw, &policy))
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
assert.NilError(t, err)
ctx := context.NewContext()
err = ctx.AddResource(resourceRaw)
assert.NilError(t, err)
policyContext := &PolicyContext{
Policy: policy,
JSONContext: ctx,
NewResource: *resourceUnstructured}
er := Validate(policyContext)
assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: variable request.object.metadata.name1 not resolved at path /validate/anyPattern/0/spec/template/spec/containers/0/name")
assert.Equal(t, er.PolicyResponse.Rules[0].Message, "validation error: rule not-operator-with-variable-should-alway-fail-validation failed at path /spec/content/")
}
func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *testing.T) {
@ -1502,8 +1716,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test
JSONContext: ctx,
NewResource: *resourceUnstructured}
er := Validate(policyContext)
assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: variable request.object.metadata.name1 not resolved at path /validate/anyPattern/0/spec/template/spec/containers/0/name")
assert.Assert(t, er.PolicyResponse.Rules[0].Success)
assert.Equal(t, er.PolicyResponse.Rules[0].Message, "variable substitution failed for rule test-path-not-exist: NotFoundVariableErr, variable request.object.metadata.name1 not resolved at path /validate/anyPattern/0/spec/template/spec/containers/0/name")
}
func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatternSatisfy(t *testing.T) {
@ -1669,7 +1883,12 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing.
{
"key": "{{ request.object.metadata.labels.animal }}",
"operator": "NotIn",
"value": "abcde"
"value": [
"snake",
"bear",
"cat",
"dog"
]
}
]
}
@ -1693,10 +1912,69 @@ func Test_VariableSubstitutionValidate_VariablesInMessageAreResolved(t *testing.
JSONContext: ctx,
NewResource: *resourceUnstructured}
er := Validate(policyContext)
assert.Assert(t, er.PolicyResponse.Rules[0].Success)
assert.Assert(t, !er.PolicyResponse.Rules[0].Success)
assert.Equal(t, er.PolicyResponse.Rules[0].Message, "The animal cow is not in the allowed list of animals.")
}
func Test_Flux_Kustomization_PathNotPresent(t *testing.T) {
tests := []struct {
name string
policyRaw []byte
resourceRaw []byte
expectedResult bool
expectedMessage string
}{
{
name: "path-not-present",
policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`),
// referred variable path not present
resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team"},"prune":true,"validation":"client"}}`),
expectedResult: true,
expectedMessage: "variable substitution failed for rule sourceRefNamespace: NotFoundVariableErr, variable request.object.spec.sourceRef.namespace not resolved at path /validate/deny/conditions/0/key",
},
{
name: "resource-with-violation",
policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace {{request.object.spec.sourceRef.namespace}} must be the same as metadata.namespace {{request.object.metadata.namespace}}","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`),
// referred variable path present with different value
resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"default"},"prune":true,"validation":"client"}}`),
expectedResult: false,
expectedMessage: "spec.sourceRef.namespace default must be the same as metadata.namespace apps",
},
{
name: "resource-comply",
policyRaw: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"flux-multi-tenancy"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"serviceAccountName","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":".spec.serviceAccountName is required","pattern":{"spec":{"serviceAccountName":"?*"}}}},{"name":"sourceRefNamespace","exclude":{"resources":{"namespaces":["flux-system"]}},"match":{"resources":{"kinds":["Kustomization","HelmRelease"]}},"validate":{"message":"spec.sourceRef.namespace must be the same as metadata.namespace","deny":{"conditions":[{"key":"{{request.object.spec.sourceRef.namespace}}","operator":"NotEquals","value":"{{request.object.metadata.namespace}}"}]}}}]}}`),
// referred variable path present with same value - validate passes
resourceRaw: []byte(`{"apiVersion":"kustomize.toolkit.fluxcd.io/v1beta1","kind":"Kustomization","metadata":{"name":"dev-team","namespace":"apps"},"spec":{"serviceAccountName":"dev-team","interval":"5m","sourceRef":{"kind":"GitRepository","name":"dev-team","namespace":"apps"},"prune":true,"validation":"client"}}`),
expectedResult: true,
expectedMessage: "spec.sourceRef.namespace must be the same as metadata.namespace",
},
}
for _, test := range tests {
var policy kyverno.ClusterPolicy
assert.NilError(t, json.Unmarshal(test.policyRaw, &policy))
resourceUnstructured, err := utils.ConvertToUnstructured(test.resourceRaw)
assert.NilError(t, err)
ctx := context.NewContext()
err = ctx.AddResource(test.resourceRaw)
assert.NilError(t, err)
policyContext := &PolicyContext{
Policy: policy,
JSONContext: ctx,
NewResource: *resourceUnstructured}
er := Validate(policyContext)
for i, rule := range er.PolicyResponse.Rules {
if rule.Name == "sourceRefNamespace" {
assert.Equal(t, er.PolicyResponse.Rules[i].Success, test.expectedResult)
assert.Equal(t, er.PolicyResponse.Rules[i].Message, test.expectedMessage, "\ntest %s failed\nexpected: %s\nactual: %s", test.name, test.expectedMessage, rule.Message)
}
}
}
}
type testCase struct {
description string
policy []byte
@ -1864,3 +2142,103 @@ func executeTest(t *testing.T, err error, test testCase) {
t.Errorf("Testcase has failed, policy: %v", policy.Name)
}
}
func TestValidate_context_variable_substitution_CLI(t *testing.T) {
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "restrict-pod-count"
},
"spec": {
"validationFailureAction": "enforce",
"background": false,
"rules": [
{
"name": "restrict-pod-count",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"context": [
{
"name": "podcounts",
"apiCall": {
"urlPath": "/api/v1/pods",
"jmesPath": "items[?spec.nodeName=='minikube'] | length(@)"
}
}
],
"validate": {
"message": "restrict pod counts to be no more than 10 on node minikube",
"deny": {
"conditions": [
{
"key": "{{ podcounts }}",
"operator": "GreaterThanOrEquals",
"value": 10
}
]
}
}
}
]
}
}
`)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "nginx-config-test"
},
"spec": {
"containers": [
{
"image": "nginx:latest",
"name": "test-nginx"
}
]
}
}
`)
configMapVariableContext := store.Context{
Policies: []store.Policy{
{
Name: "restrict-pod-count",
Rules: []store.Rule{
{
Name: "restrict-pod-count",
Values: map[string]string{
"podcounts": "12",
},
},
},
},
},
}
store.SetContext(configMapVariableContext)
store.SetMock(true)
var policy kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
assert.NilError(t, err)
msgs := []string{
"restrict pod counts to be no more than 10 on node minikube",
}
er := Validate(&PolicyContext{Policy: policy, NewResource: *resourceUnstructured, JSONContext: context.NewContext()})
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, !er.IsSuccessful())
}

23
pkg/engine/variables/variables_test.go
View file

@ -6,6 +6,7 @@ import (
"testing"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"gotest.tools/assert"
authenticationv1 "k8s.io/api/authentication/v1"
"sigs.k8s.io/controller-runtime/pkg/log"
@ -562,10 +563,26 @@ func Test_variableSubstitutionObjectOperatorNotEqualFail(t *testing.T) {
t.Error(err)
}
if patternCopy, err = SubstituteAll(log.Log, ctx, patternCopy); err == nil {
t.Error(err)
}
patternCopy, err = SubstituteAll(log.Log, ctx, patternCopy)
assert.NilError(t, err)
patternMapCopy, ok := patternCopy.(map[string]interface{})
assert.Assert(t, ok)
specInterface, ok := patternMapCopy["spec"]
assert.Assert(t, ok)
specMap, ok := specInterface.(map[string]interface{})
assert.Assert(t, ok)
variableInterface, ok := specMap["variable"]
assert.Assert(t, ok)
variableString, ok := variableInterface.(string)
assert.Assert(t, ok)
expected := `!{"var1":"temp1","var2":"temp2","varNested":{"var1":"temp1"}}`
assert.Equal(t, expected, variableString)
}
func Test_variableSubstitutionMultipleObject(t *testing.T) {

54
pkg/engine/variables/vars.go
View file

@ -104,7 +104,7 @@ func validateBackgroundModeVars(log logr.Logger, ctx context.EvalInterface) json
case context.InvalidVariableErr:
return nil, err
default:
return nil, fmt.Errorf("failed to resolve %v at path %s", variable, data.Path)
return nil, fmt.Errorf("failed to resolve %v at path %s: %v", variable, data.Path, err)
}
}
}
@ -119,7 +119,7 @@ type NotFoundVariableErr struct {
}
func (n NotFoundVariableErr) Error() string {
return fmt.Sprintf("variable %s not resolved at path %s", n.variable, n.path)
return fmt.Sprintf("NotFoundVariableErr, variable %s not resolved at path %s", n.variable, n.path)
}
// NotResolvedReferenceErr is returned when it is impossible to resolve the variable
@ -129,7 +129,7 @@ type NotResolvedReferenceErr struct {
}
func (n NotResolvedReferenceErr) Error() string {
return fmt.Sprintf("reference %s not resolved at path %s", n.reference, n.path)
return fmt.Sprintf("NotResolvedReferenceErr,reference %s not resolved at path %s", n.reference, n.path)
}
func substituteReferencesIfAny(log logr.Logger) jsonUtils.Action {
@ -146,12 +146,12 @@ func substituteReferencesIfAny(log logr.Logger) jsonUtils.Action {
case context.InvalidVariableErr:
return nil, err
default:
return nil, fmt.Errorf("failed to resolve %v at path %s", v, data.Path)
return nil, fmt.Errorf("failed to resolve %v at path %s: %v", v, data.Path, err)
}
}
if resolvedReference == nil {
return data.Element, fmt.Errorf("failed to resolve %v at path %s", v, data.Path)
return data.Element, fmt.Errorf("failed to resolve %v at path %s: %v", v, data.Path, err)
}
log.V(3).Info("reference resolved", "reference", v, "value", resolvedReference, "path", data.Path)
@ -178,12 +178,17 @@ func substituteVariablesIfAny(log logr.Logger, ctx context.EvalInterface) jsonUt
return data.Element, nil
}
originalPattern := value
vars := regexVariables.FindAllString(value, -1)
for len(vars) > 0 {
originalPattern := value
for _, v := range vars {
variable := replaceBracesAndTrimSpaces(v)
if variable == "@" {
variable = strings.Replace(variable, "@", fmt.Sprintf("request.object.%s", getJMESPath(data.Path)), -1)
}
operation, err := ctx.Query("request.operation")
if err == nil && operation == "DELETE" {
variable = strings.ReplaceAll(variable, "request.object", "request.oldObject")
@ -195,23 +200,22 @@ func substituteVariablesIfAny(log logr.Logger, ctx context.EvalInterface) jsonUt
case context.InvalidVariableErr:
return nil, err
default:
return nil, fmt.Errorf("failed to resolve %v at path %s", variable, data.Path)
return nil, fmt.Errorf("failed to resolve %v at path %s: %v", variable, data.Path, err)
}
}
log.V(3).Info("variable substituted", "variable", v, "value", substitutedVar, "path", data.Path)
if val, ok := substitutedVar.(string); ok {
value = strings.Replace(value, v, val, -1)
continue
}
if substitutedVar != nil {
if originalPattern == v {
return substitutedVar, nil
}
return nil, fmt.Errorf("failed to resolve %v at path %s", variable, data.Path)
if value, err = substituteVarInPattern(originalPattern, v, substitutedVar); err != nil {
return nil, fmt.Errorf("failed to resolve %v at path %s: %s", variable, data.Path, err.Error())
}
continue
}
return nil, NotFoundVariableErr{
@ -228,6 +232,30 @@ func substituteVariablesIfAny(log logr.Logger, ctx context.EvalInterface) jsonUt
})
}
// getJMESPath converts path to JMES format
func getJMESPath(rawPath string) string {
tokens := strings.Split(rawPath, "/")[3:] // skip empty element and two non-resource (like mutate.overlay)
path := strings.Join(tokens, ".")
regex := regexp.MustCompile(`\.([\d])\.`)
return string(regex.ReplaceAll([]byte(path), []byte("[$1].")))
}
func substituteVarInPattern(pattern, variable string, value interface{}) (string, error) {
var stringToSubstitute string
if s, ok := value.(string); ok {
stringToSubstitute = s
} else {
buffer, err := json.Marshal(value)
if err != nil {
return "", fmt.Errorf("failed to marshal %T: %v", value, value)
}
stringToSubstitute = string(buffer)
}
return strings.Replace(pattern, variable, stringToSubstitute, -1), nil
}
func replaceBracesAndTrimSpaces(v string) string {
variable := strings.ReplaceAll(v, "{{", "")
variable = strings.ReplaceAll(variable, "}}", "")

534
pkg/engine/variables/vars_test.go
View file

@ -1,11 +1,13 @@
package variables
import (
"bytes"
"encoding/json"
"fmt"
"strings"
"testing"
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/context"
ju "github.com/kyverno/kyverno/pkg/engine/json-utils"
"gotest.tools/assert"
@ -134,6 +136,203 @@ func Test_subVars_failed(t *testing.T) {
}
}
func Test_subVars_with_JMESPath_At(t *testing.T) {
patternMap := []byte(`{
"mutate": {
"overlay": {
"spec": {
"kind": "{{@}}",
"data": {
"rules": [
{
"apiGroups": [
"{{request.object.metadata.name}}"
],
"resources": [
"namespaces"
],
"verbs": [
"*"
],
"resourceNames": [
"{{request.object.metadata.name}}"
]
}
]
}
}
}
}
}`)
resourceRaw := []byte(`
{
"metadata": {
"name": "temp",
"namespace": "n1"
},
"spec": {
"kind": "foo",
"namespace": "n1",
"name": "temp1"
}
}
`)
expectedRaw := []byte(`{
"mutate":{
"overlay":{
"spec":{
"data":{
"rules":[
{
"apiGroups":[
"temp"
],
"resourceNames":[
"temp"
],
"resources":[
"namespaces"
],
"verbs":[
"*"
]
}
]
},
"kind":"foo"
}
}
}
}`)
var err error
expected := new(bytes.Buffer)
err = json.Compact(expected, expectedRaw)
assert.NilError(t, err)
var pattern, resource interface{}
err = json.Unmarshal(patternMap, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(resourceRaw, &resource)
assert.NilError(t, err)
// context
ctx := context.NewContext()
err = ctx.AddResource(resourceRaw)
assert.NilError(t, err)
output, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
out, err := json.Marshal(output)
assert.NilError(t, err)
assert.Equal(t, string(out), expected.String())
}
func Test_subVars_withRegexMatch(t *testing.T) {
patternMap := []byte(`{
"mutate": {
"overlay": {
"spec": {
"port": "{{ regex_match('(443)', '{{@}}') }}",
"name": "ns-owner-{{request.object.metadata.name}}"
}
}
}
}`)
resourceRaw := []byte(`
{
"metadata": {
"name": "temp",
"namespace": "n1"
},
"spec": {
"port": "443",
"namespace": "n1",
"name": "temp1"
}
}`)
expectedRaw := []byte(`{
"mutate":{
"overlay":{
"spec":{
"name":"ns-owner-temp",
"port":true
}
}
}
}`)
var err error
expected := new(bytes.Buffer)
err = json.Compact(expected, expectedRaw)
assert.NilError(t, err)
var pattern, resource interface{}
err = json.Unmarshal(patternMap, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(resourceRaw, &resource)
assert.NilError(t, err)
// context
ctx := context.NewContext()
err = ctx.AddResource(resourceRaw)
assert.NilError(t, err)
output, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
out, err := json.Marshal(output)
assert.NilError(t, err)
fmt.Print(string(out))
assert.Equal(t, string(out), expected.String())
}
func Test_subVars_withRegexReplaceAll(t *testing.T) {
patternMap := []byte(`{
"mutate": {
"overlay": {
"spec": {
"port": "{{ regex_replace_all_literal('.*', '{{@}}', '1313') }}",
"name": "ns-owner-{{request.object.metadata.name}}"
}
}
}
}`)
resourceRaw := []byte(`{
"metadata": {
"name": "temp",
"namespace": "n1"
},
"spec": {
"port": "43123",
"namespace": "n1",
"name": "temp1"
}
}`)
expected := []byte(`{"mutate":{"overlay":{"spec":{"name":"ns-owner-temp","port":"1313"}}}}`)
var pattern, resource interface{}
var err error
err = json.Unmarshal(patternMap, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(resourceRaw, &resource)
assert.NilError(t, err)
// context
ctx := context.NewContext()
err = ctx.AddResource(resourceRaw)
assert.NilError(t, err)
output, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
out, err := json.Marshal(output)
assert.NilError(t, err)
assert.Equal(t, string(out), string(expected))
}
func Test_ReplacingPathWhenDeleting(t *testing.T) {
patternRaw := []byte(`"{{request.object.metadata.annotations.target}}"`)
@ -334,6 +533,341 @@ func Test_policyContextValidation(t *testing.T) {
assert.Assert(t, err != nil, err)
}
func Test_variableSubstitution_array(t *testing.T) {
configmapRaw := []byte(`
{
"animals": {
"apiVersion": "v1",
"kind": "ConfigMap",
"metadata": {
"name": "animals",
"namespace": "default"
},
"data": {
"animals": "snake\nbear\ncat\ndog"
}
}
}`)
ruleRaw := []byte(`
{
"name": "validate-role-annotation",
"context": [
{
"name": "animals",
"configMap": {
"name": "animals",
"namespace": "default"
}
}
],
"match": {
"resources": {
"kinds": [
"Deployment"
]
}
},
"validate": {
"message": "The animal {{ request.object.metadata.labels.animal }} is not in the allowed list of animals: {{ animals.data.animals }}.",
"deny": {
"conditions": [
{
"key": "{{ request.object.metadata.labels.animal }}",
"operator": "NotIn",
"value": "{{ animals.data.animals }}"
}
]
}
}
}`)
resourceRaw := []byte(`
{
"apiVersion": "apps/v1",
"kind": "Deployment",
"metadata": {
"name": "busybox",
"labels": {
"app": "busybox",
"color": "red",
"animal": "cow",
"food": "pizza",
"car": "jeep",
"env": "qa"
}
}
}
`)
var rule v1.Rule
err := json.Unmarshal(ruleRaw, &rule)
assert.NilError(t, err)
ctx := context.NewContext("request.object", "animals")
ctx.AddJSON(configmapRaw)
ctx.AddResource(resourceRaw)
vars, err := SubstituteAllInRule(log.Log, ctx, rule)
assert.NilError(t, err)
assert.DeepEqual(t, vars.Validation.Message, "The animal cow is not in the allowed list of animals: snake\nbear\ncat\ndog.")
}
var variableObject = []byte(`
{
"complex_object_array": [
"value1",
"value2",
"value3"
],
"complex_object_map": {
"key1": "value1",
"key2": "value2",
"key3": "value3"
},
"simple_object_bool": false,
"simple_object_int": 5,
"simple_object_float": -5.5,
"simple_object_string": "example",
"simple_object_null": null
}
`)
func Test_SubstituteArray(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "{{ request.object.complex_object_array }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
expected := resource["complex_object_array"]
assert.DeepEqual(t, expected, content)
}
func Test_SubstituteArrayInString(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "content is {{ request.object.complex_object_map }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
expected := `content is {"key1":"value1","key2":"value2","key3":"value3"}`
assert.DeepEqual(t, expected, content)
}
func Test_SubstituteInt(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "{{ request.object.simple_object_int }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
expected := resource["simple_object_int"]
assert.DeepEqual(t, expected, content)
}
func Test_SubstituteIntInString(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "content = {{ request.object.simple_object_int }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
expected := "content = 5"
assert.DeepEqual(t, expected, content)
}
func Test_SubstituteBool(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "{{ request.object.simple_object_bool }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
expected := false
assert.DeepEqual(t, expected, content)
}
func Test_SubstituteBoolInString(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "content = {{ request.object.simple_object_bool }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
expected := "content = false"
assert.DeepEqual(t, expected, content)
}
func Test_SubstituteString(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "{{ request.object.simple_object_string }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
var expected interface{}
expected = "example"
assert.DeepEqual(t, expected, content)
}
func Test_SubstituteStringInString(t *testing.T) {
patternRaw := []byte(`
{
"spec": {
"content": "content = {{ request.object.simple_object_string }}"
}
}
`)
var err error
var pattern, resource map[string]interface{}
err = json.Unmarshal(patternRaw, &pattern)
assert.NilError(t, err)
err = json.Unmarshal(variableObject, &resource)
assert.NilError(t, err)
ctx := context.NewContext()
ctx.AddResource(variableObject)
resolved, err := SubstituteAll(log.Log, ctx, pattern)
assert.NilError(t, err)
content := resolved.(map[string]interface{})["spec"].(map[string]interface{})["content"]
var expected interface{}
expected = "content = example"
assert.DeepEqual(t, expected, content)
}
func Test_ReferenceSubstitution(t *testing.T) {
jsonRaw := []byte(`
{

22
pkg/generate/generate.go
View file

@ -221,7 +221,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext *engine.
}
// add configmap json data to context
if err := engine.LoadContext(log, rule.Context, resCache, policyContext); err != nil {
if err := engine.LoadContext(log, rule.Context, resCache, policyContext, rule.Name); err != nil {
log.Error(err, "cannot add configmaps to context")
return nil, err
}
@ -377,7 +377,9 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
newResource.SetAPIVersion(genAPIVersion)
// manage labels
// - app.kubernetes.io/managed-by: kyverno
// - kyverno.io/generated-by: kind/namespace/name (trigger resource)
// "kyverno.io/generated-by-kind": kind (trigger resource)
// "kyverno.io/generated-by-namespace": namespace (trigger resource)
// "kyverno.io/generated-by-name": name (trigger resource)
manageLabels(newResource, resource)
// Add Synchronize label
label := newResource.GetLabels()
@ -409,16 +411,14 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
label["policy.kyverno.io/synchronize"] = "disable"
}
if rule.Generation.Synchronize {
logger.V(4).Info("updating existing resource")
newResource.SetLabels(label)
_, err := client.UpdateResource(genAPIVersion, genKind, genNamespace, newResource, false)
if err != nil {
logger.Error(err, "failed to update resource")
return noGenResource, err
}
logger.V(2).Info("updated target resource")
logger.V(4).Info("updating label in existing resource")
newResource.SetLabels(label)
_, err := client.UpdateResource(genAPIVersion, genKind, genNamespace, newResource, false)
if err != nil {
logger.Error(err, "failed to update resource")
return noGenResource, err
}
logger.V(2).Info("updated target resource")
}
return newGenResource, nil

4
pkg/kyverno/apply/command.go
View file

@ -15,6 +15,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/kyverno/common"
sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/kyverno/store"
"github.com/kyverno/kyverno/pkg/openapi"
policy2 "github.com/kyverno/kyverno/pkg/policy"
"github.com/spf13/cobra"
@ -148,6 +149,7 @@ func Command() *cobra.Command {
func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, mutateLogPath string,
variablesString string, valuesFile string, namespace string, policyPaths []string, stdin bool) (validateEngineResponses []*response.EngineResponse, rc *resultCounts, resources []*unstructured.Unstructured, skippedPolicies []SkippedPolicy, err error) {
store.SetMock(true)
kubernetesConfig := genericclioptions.NewConfigFlags(true)
fs := memfs.New()
@ -286,7 +288,7 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool,
thisPolicyResourceValues[k] = v
}
if len(common.PolicyHasVariables(*policy)) > 0 && len(thisPolicyResourceValues) == 0 {
if len(common.PolicyHasVariables(*policy)) > 0 && len(thisPolicyResourceValues) == 0 && len(store.GetContext().Policies) == 0 {
return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError(fmt.Sprintf("policy %s have variables. pass the values for the variables using set/values_file flag", policy.Name), err)
}

93
pkg/kyverno/common/common.go
View file

@ -16,11 +16,13 @@ import (
"github.com/go-git/go-billy/v5"
"github.com/go-logr/logr"
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
pkgcommon "github.com/kyverno/kyverno/pkg/common"
client "github.com/kyverno/kyverno/pkg/dclient"
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/response"
sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/kyverno/store"
"github.com/kyverno/kyverno/pkg/policymutation"
"github.com/kyverno/kyverno/pkg/utils"
ut "github.com/kyverno/kyverno/pkg/utils"
@ -32,15 +34,15 @@ import (
)
// GetPolicies - Extracting the policies from multiple YAML
type Resource struct {
Name string `json:"name"`
Values map[string]string `json:"values"`
}
type Policy struct {
Name string `json:"name"`
Resources []Resource `json:"resources"`
Rules []Rule `json:"rules"`
}
type Rule struct {
Name string `json:"name"`
Values map[string]string `json:"values"`
}
type Values struct {
@ -48,6 +50,11 @@ type Values struct {
NamespaceSelectors []NamespaceSelector `json:"namespaceSelector"`
}
type Resource struct {
Name string `json:"name"`
Values map[string]string `json:"values"`
}
type NamespaceSelector struct {
Name string `json:"name"`
Labels map[string]string `json:"labels"`
@ -305,9 +312,9 @@ func RemoveDuplicateVariables(matches [][]string) string {
return variableStr
}
// GetVariable - get the variables from console/file
func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit bool, policyresoucePath string) (map[string]string, map[string]map[string]Resource, map[string]map[string]string, error) {
valuesMap := make(map[string]map[string]Resource)
valuesMapResource := make(map[string]map[string]Resource)
valuesMapRule := make(map[string]map[string]Rule)
namespaceSelectorMap := make(map[string]map[string]string)
variables := make(map[string]string)
var yamlFile []byte
@ -327,29 +334,37 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
}
yamlFile, err = ioutil.ReadAll(filep)
} else {
yamlFile, err = ioutil.ReadFile(valuesFile)
yamlFile, err = ioutil.ReadFile(filepath.Join(policyresoucePath, valuesFile))
}
if err != nil {
return variables, valuesMap, namespaceSelectorMap, sanitizederror.NewWithError("unable to read yaml", err)
return variables, valuesMapResource, namespaceSelectorMap, sanitizederror.NewWithError("unable to read yaml", err)
}
valuesBytes, err := yaml.ToJSON(yamlFile)
if err != nil {
return variables, valuesMap, namespaceSelectorMap, sanitizederror.NewWithError("failed to convert json", err)
return variables, valuesMapResource, namespaceSelectorMap, sanitizederror.NewWithError("failed to convert json", err)
}
values := &Values{}
if err := json.Unmarshal(valuesBytes, values); err != nil {
return variables, valuesMap, namespaceSelectorMap, sanitizederror.NewWithError("failed to decode yaml", err)
return variables, valuesMapResource, namespaceSelectorMap, sanitizederror.NewWithError("failed to decode yaml", err)
}
for _, p := range values.Policies {
pmap := make(map[string]Resource)
resourceMap := make(map[string]Resource)
for _, r := range p.Resources {
pmap[r.Name] = r
resourceMap[r.Name] = r
}
valuesMapResource[p.Name] = resourceMap
if p.Rules != nil {
ruleMap := make(map[string]Rule)
for _, r := range p.Rules {
ruleMap[r.Name] = r
}
valuesMapRule[p.Name] = ruleMap
}
valuesMap[p.Name] = pmap
}
for _, n := range values.NamespaceSelectors {
@ -357,7 +372,26 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
}
}
return variables, valuesMap, namespaceSelectorMap, nil
storePolices := make([]store.Policy, 0)
for policyName, ruleMap := range valuesMapRule {
storeRules := make([]store.Rule, 0)
for _, rule := range ruleMap {
storeRules = append(storeRules, store.Rule{
Name: rule.Name,
Values: rule.Values,
})
}
storePolices = append(storePolices, store.Policy{
Name: policyName,
Rules: storeRules,
})
}
store.SetContext(store.Context{
Policies: storePolices,
})
return variables, valuesMapResource, namespaceSelectorMap, nil
}
// MutatePolices - function to apply mutation on policies
@ -409,32 +443,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
ctx := context.NewContext()
for key, value := range variables {
var subString string
splitBySlash := strings.Split(key, "\"")
if len(splitBySlash) > 1 {
subString = splitBySlash[1]
}
startString := ""
endString := ""
lenOfVariableString := 0
addedSlashString := false
for _, k := range strings.Split(splitBySlash[0], ".") {
if k != "" {
startString += fmt.Sprintf(`{"%s":`, k)
endString += `}`
lenOfVariableString = lenOfVariableString + len(k) + 1
if lenOfVariableString >= len(splitBySlash[0]) && len(splitBySlash) > 1 && addedSlashString == false {
startString += fmt.Sprintf(`{"%s":`, subString)
endString += `}`
addedSlashString = true
}
}
}
midString := fmt.Sprintf(`"%s"`, value)
finalString := startString + midString + endString
var jsonData = []byte(finalString)
jsonData := pkgcommon.VariableToJSON(key, value)
ctx.AddJSON(jsonData)
}

4
pkg/kyverno/common/fetch.go
View file

@ -160,6 +160,10 @@ func GetResource(resourceBytes []byte) ([]*unstructured.Unstructured, error) {
for _, resourceYaml := range files {
resource, err := convertResourceToUnstructured(resourceYaml)
if err != nil {
if strings.Contains(err.Error(), "Object 'Kind' is missing") {
log.Log.V(3).Info("skipping resource as kind not found")
continue
}
getErrString = getErrString + err.Error() + "\n"
}
resources = append(resources, resource)

4
pkg/kyverno/common/regex.go
View file

@ -7,5 +7,5 @@ import (
// RegexVariables represents regex for '{{}}'
var RegexVariables = regexp.MustCompile(`\{\{[^{}]*\}\}`)
// AllowedVariables represents regex for {{request.}} {{serviceAccountName}} and {{serviceAccountNamespace}}
var AllowedVariables = regexp.MustCompile(`\{\{\s*[request\.|serviceAccountName|serviceAccountNamespace][^{}]*\}\}`)
// AllowedVariables represents regex for {{request.}}, {{serviceAccountName}}, {{serviceAccountNamespace}} and {{@}}
var AllowedVariables = regexp.MustCompile(`\{\{\s*[request\.|serviceAccountName|serviceAccountNamespace|@][^{}]*\}\}`)

691
pkg/kyverno/crds/policy_crd.go Normal file
View file

@ -0,0 +1,691 @@
package crds
const PolicyCRD = `
{
"group": "kyverno.io",
"names": {
"kind": "Policy",
"listKind": "PolicyList",
"plural": "policies",
"shortNames": [
"pol"
],
"singular": "policy"
},
"scope": "Namespaced",
"versions": [
{
"additionalPrinterColumns": [
{
"jsonPath": ".spec.background",
"name": "Background",
"type": "string"
},
{
"jsonPath": ".spec.validationFailureAction",
"name": "Action",
"type": "string"
}
],
"name": "v1",
"schema": {
"openAPIV3Schema": {
"description": "Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "Spec defines policy behaviors and contains one or rules.",
"properties": {
"background": {
"description": "Background controls if rules are applied to existing resources during a background scan. Optional. Default value is \"true\". The value must be set to \"false\" if the policy rule uses variables that are only available in the admission review request (e.g. user name).",
"type": "boolean"
},
"rules": {
"description": "Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.",
"items": {
"schema": {
"description": "Rule defines a validation, mutation, or generation control for matching resources. Each rules contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude.",
"properties": {
"context": {
"description": "Context defines variables and data sources that can be used during rule execution.",
"items": {
"schema": {
"description": "ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or a APILookup must be provided.",
"properties": {
"apiCall": {
"description": "APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context.",
"properties": {
"jmesPath": {
"description": "JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the API server. For example a JMESPath of \"items | length(@)\" applied to the API server response to the URLPath \"/apis/apps/v1/deployments\" will return the total count of deployments across all namespaces.",
"type": "string"
},
"urlPath": {
"description": "URLPath is the URL path to be used in the HTTP GET request to the Kubernetes API server (e.g. \"/api/v1/namespaces\" or \"/apis/apps/v1/deployments\"). The format required is the same format used by the 'kubectl get --raw' command.",
"type": "string"
}
},
"required": [
"urlPath"
],
"type": "object"
},
"configMap": {
"description": "ConfigMap is the ConfigMap reference.",
"properties": {
"name": {
"description": "Name is the ConfigMap name.",
"type": "string"
},
"namespace": {
"description": "Namespace is the ConfigMap namespace.",
"type": "string"
}
},
"required": [
"name"
],
"type": "object"
},
"name": {
"description": "Name is the variable name.",
"type": "string"
}
},
"type": "object"
}
},
"type": "array"
},
"exclude": {
"description": "ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role.",
"properties": {
"clusterRoles": {
"description": "ClusterRoles is the list of cluster-wide role names for the user.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"resources": {
"description": "ResourceDescription contains information about the resource being created or modified.",
"properties": {
"annotations": {
"description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters \"*\" (matches zero or many characters) and \"?\" (matches at least one character).",
"type": "object"
},
"kinds": {
"description": "Kinds is a list of resource kinds.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"name": {
"description": "Name is the name of the resource. The name supports wildcard characters \"*\" (matches zero or many characters) and \"?\" (at least one character).",
"type": "string"
},
"namespaceSelector": {
"description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values in 'matchLabels' support the wildcard characters '*' (matches zero or many characters) and '?' (matches one character).Wildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but does not match an empty label set.",
"properties": {
"matchExpressions": {
"description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
"items": {
"schema": {
"description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
"properties": {
"key": {
"description": "key is the label key that the selector applies to.",
"type": "string"
},
"operator": {
"description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.",
"type": "string"
},
"values": {
"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
}
},
"required": [
"key",
"operator"
],
"type": "object"
}
},
"type": "array"
},
"matchLabels": {
"description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object"
},
"namespaces": {
"description": "Namespaces is a list of namespaces names. Each name supports wildcard characters \"*\" (matches zero or many characters) and \"?\" (at least one character).",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"selector": {
"description": "Selector is a label selector. Label keys and values in 'matchLabels' support the wildcard characters '*' (matches zero or many characters) and '?' (matches one character). Wildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but does not match an empty label set.",
"properties": {
"matchExpressions": {
"description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
"items": {
"schema": {
"description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
"properties": {
"key": {
"description": "key is the label key that the selector applies to.",
"type": "string"
},
"operator": {
"description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.",
"type": "string"
},
"values": {
"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
}
},
"required": [
"key",
"operator"
],
"type": "object"
}
},
"type": "array"
},
"matchLabels": {
"description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"roles": {
"description": "Roles is the list of namespaced role names for the user.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"subjects": {
"description": "Subjects is the list of subject names like users, user groups, and service accounts.",
"items": {
"schema": {
"description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
"properties": {
"apiGroup": {
"description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
"type": "string"
},
"kind": {
"description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
"type": "string"
},
"name": {
"description": "Name of the object being referenced.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object"
}
},
"type": "array"
}
},
"type": "object"
},
"generate": {
"description": "Generation is used to create new resources.",
"properties": {
"apiVersion": {
"description": "APIVersion specifies resource apiVersion.",
"type": "string"
},
"clone": {
"description": "Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only.",
"properties": {
"name": {
"description": "Name specifies name of the resource.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies source resource namespace.",
"type": "string"
}
},
"type": "object"
},
"data": {
"description": "Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.",
"x-kubernetes-preserve-unknown-fields": true
},
"kind": {
"description": "Kind specifies resource kind.",
"type": "string"
},
"name": {
"description": "Name specifies the resource name.",
"type": "string"
},
"namespace": {
"description": "Namespace specifies resource namespace.",
"type": "string"
},
"synchronize": {
"description": "Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to \"true\" changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to \"false\" if not specified.",
"type": "boolean"
}
},
"type": "object"
},
"match": {
"description": "MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.",
"properties": {
"clusterRoles": {
"description": "ClusterRoles is the list of cluster-wide role names for the user.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"resources": {
"description": "ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources.",
"properties": {
"annotations": {
"description": "Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters \"*\" (matches zero or many characters) and \"?\" (matches at least one character).",
"type": "object"
},
"kinds": {
"description": "Kinds is a list of resource kinds.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"name": {
"description": "Name is the name of the resource. The name supports wildcard characters \"*\" (matches zero or many characters) and \"?\" (at least one character).",
"type": "string"
},
"namespaceSelector": {
"description": "NamespaceSelector is a label selector for the resource namespace. Label keys and values in 'matchLabels' support the wildcard characters '*' (matches zero or many characters) and '?' (matches one character).Wildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but does not match an empty label set.",
"properties": {
"matchExpressions": {
"description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
"items": {
"schema": {
"description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
"properties": {
"key": {
"description": "key is the label key that the selector applies to.",
"type": "string"
},
"operator": {
"description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.",
"type": "string"
},
"values": {
"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
}
},
"required": [
"key",
"operator"
],
"type": "object"
}
},
"type": "array"
},
"matchLabels": {
"description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object"
},
"namespaces": {
"description": "Namespaces is a list of namespaces names. Each name supports wildcard characters \"*\" (matches zero or many characters) and \"?\" (at least one character).",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"selector": {
"description": "Selector is a label selector. Label keys and values in 'matchLabels' support the wildcard characters '*' (matches zero or many characters) and '?' (matches one character). Wildcards allows writing label selectors like [\"storage.k8s.io/*\": \"*\"]. Note that using [\"*\" : \"*\"] matches any key and value but does not match an empty label set.",
"properties": {
"matchExpressions": {
"description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
"items": {
"schema": {
"description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
"properties": {
"key": {
"description": "key is the label key that the selector applies to.",
"type": "string"
},
"operator": {
"description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.",
"type": "string"
},
"values": {
"description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
}
},
"required": [
"key",
"operator"
],
"type": "object"
}
},
"type": "array"
},
"matchLabels": {
"description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
},
"roles": {
"description": "Roles is the list of namespaced role names for the user.",
"items": {
"schema": {
"type": "string"
}
},
"type": "array"
},
"subjects": {
"description": "Subjects is the list of subject names like users, user groups, and service accounts.",
"items": {
"schema": {
"description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.",
"properties": {
"apiGroup": {
"description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.",
"type": "string"
},
"kind": {
"description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.",
"type": "string"
},
"name": {
"description": "Name of the object being referenced.",
"type": "string"
},
"namespace": {
"description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.",
"type": "string"
}
},
"required": [
"kind",
"name"
],
"type": "object"
}
},
"type": "array"
}
},
"type": "object"
},
"mutate": {
"description": "Mutation is used to modify matching resources.",
"properties": {
"overlay": {
"description": "Overlay specifies an overlay pattern to modify resources. DEPRECATED. Use PatchStrategicMerge instead. Scheduled for removal in release 1.5+.",
"x-kubernetes-preserve-unknown-fields": true
},
"patchStrategicMerge": {
"description": "PatchStrategicMerge is a strategic merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.",
"x-kubernetes-preserve-unknown-fields": true
},
"patches": {
"description": "Patches specifies a RFC 6902 JSON Patch to modify resources. DEPRECATED. Use PatchesJSON6902 instead. Scheduled for removal in release 1.5+.",
"items": {
"schema": {
"description": "Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902",
"properties": {
"op": {
"description": "Operation specifies operations supported by JSON Patch. i.e:- add, replace and delete.",
"type": "string"
},
"path": {
"description": "Path specifies path of the resource.",
"type": "string"
},
"value": {
"description": "Value specifies the value to be applied.",
"x-kubernetes-preserve-unknown-fields": true
}
},
"type": "object"
}
},
"nullable": true,
"type": "array",
"x-kubernetes-preserve-unknown-fields": true
},
"patchesJson6902": {
"description": "PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.",
"type": "string"
}
},
"type": "object"
},
"name": {
"description": "Name is a label to identify the rule, It must be unique within the policy.",
"maxLength": 63,
"type": "string"
},
"preconditions": {
"description": "AnyAllConditions enable variable-based conditional rule execution. This is useful for finer control of when an rule is applied. A condition can reference object data using JMESPath notation. This too can be made to happen in a logical-manner where in some situation all the conditions need to pass and in some other situation, atleast one condition is enough to pass. For the sake of backwards compatibility, it can be populated with []kyverno.Condition.",
"x-kubernetes-preserve-unknown-fields": true
},
"validate": {
"description": "Validation is used to validate matching resources.",
"properties": {
"anyPattern": {
"description": "AnyPattern specifies list of validation patterns. At least one of the patterns must be satisfied for the validation rule to succeed.",
"x-kubernetes-preserve-unknown-fields": true
},
"deny": {
"description": "Deny defines conditions to fail the validation rule.",
"properties": {
"conditions": {
"description": "specifies the set of conditions to deny in a logical manner For the sake of backwards compatibility, it can be populated with []kyverno.Condition.",
"x-kubernetes-preserve-unknown-fields": true
}
},
"type": "object"
},
"message": {
"description": "Message specifies a custom message to be displayed on failure.",
"type": "string"
},
"pattern": {
"description": "Pattern specifies an overlay-style pattern used to check resources.",
"x-kubernetes-preserve-unknown-fields": true
}
},
"type": "object"
}
},
"type": "object"
}
},
"type": "array"
},
"validationFailureAction": {
"description": "ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is \"audit\".",
"type": "string"
}
},
"type": "object"
},
"status": {
"description": "Status contains policy runtime information.",
"properties": {
"averageExecutionTime": {
"description": "AvgExecutionTime is the average time taken to process the policy rules on a resource.",
"type": "string"
},
"resourcesBlockedCount": {
"description": "ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy.",
"type": "integer"
},
"resourcesGeneratedCount": {
"description": "ResourcesGeneratedCount is the total count of resources that were generated by this policy.",
"type": "integer"
},
"resourcesMutatedCount": {
"description": "ResourcesMutatedCount is the total count of resources that were mutated by this policy.",
"type": "integer"
},
"ruleStatus": {
"description": "Rules provides per rule statistics",
"items": {
"schema": {
"description": "RuleStats provides statistics for an individual rule within a policy.",
"properties": {
"appliedCount": {
"description": "AppliedCount is the total number of times this rule was applied.",
"type": "integer"
},
"averageExecutionTime": {
"description": "ExecutionTime is the average time taken to execute this rule.",
"type": "string"
},
"failedCount": {
"description": "FailedCount is the total count of policy error results for this rule.",
"type": "integer"
},
"resourcesBlockedCount": {
"description": "ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule.",
"type": "integer"
},
"resourcesGeneratedCount": {
"description": "ResourcesGeneratedCount is the total count of resources that were generated by this rule.",
"type": "integer"
},
"resourcesMutatedCount": {
"description": "ResourcesMutatedCount is the total count of resources that were mutated by this rule.",
"type": "integer"
},
"ruleName": {
"description": "Name is the rule name.",
"type": "string"
},
"violationCount": {
"description": "ViolationCount is the total count of policy failure results for this rule.",
"type": "integer"
}
},
"required": [
"ruleName"
],
"type": "object"
}
},
"type": "array"
},
"rulesAppliedCount": {
"description": "RulesAppliedCount is the total number of times this policy was applied.",
"type": "integer"
},
"rulesFailedCount": {
"description": "RulesFailedCount is the total count of policy execution errors for this policy.",
"type": "integer"
},
"violationCount": {
"description": "ViolationCount is the total count of policy failure results for this policy.",
"type": "integer"
}
},
"type": "object"
}
},
"required": [
"spec"
],
"type": "object"
}
},
"served": true,
"storage": true,
"subresources": {
"status": {}
}
}
]
}
`

56
pkg/kyverno/store/store.go Normal file
View file

@ -0,0 +1,56 @@
package store
var Mock bool
var ContextVar Context
func SetMock(mock bool) {
Mock = mock
}
func GetMock() bool {
return Mock
}
func SetContext(context Context) {
ContextVar = context
}
func GetContext() Context {
return ContextVar
}
func GetPolicyFromContext(policyName string) *Policy {
for _, policy := range ContextVar.Policies {
if policy.Name == policyName {
return &policy
}
}
return nil
}
func GetPolicyRuleFromContext(policyName string, ruleName string) *Rule {
for _, policy := range ContextVar.Policies {
if policy.Name == policyName {
for _, rule := range policy.Rules {
if rule.Name == ruleName {
return &rule
}
}
}
}
return nil
}
type Context struct {
Policies []Policy `json:"policies"`
}
type Policy struct {
Name string `json:"name"`
Rules []Rule `json:"rules"`
}
type Rule struct {
Name string `json:"name"`
Values map[string]string `json:"values"`
}

170
pkg/kyverno/test/command.go
View file

@ -22,9 +22,11 @@ import (
"github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/kyverno/kyverno/pkg/kyverno/common"
sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/kyverno/store"
"github.com/kyverno/kyverno/pkg/openapi"
policy2 "github.com/kyverno/kyverno/pkg/policy"
"github.com/kyverno/kyverno/pkg/policyreport"
util "github.com/kyverno/kyverno/pkg/utils"
"github.com/lensesio/tableprinter"
"github.com/spf13/cobra"
corev1 "k8s.io/api/core/v1"
@ -75,10 +77,10 @@ type SkippedPolicy struct {
}
type TestResults struct {
Policy string `json:"policy"`
Rule string `json:"rule"`
Status string `json:"status"`
Resource string `json:"resource"`
Policy string `json:"policy"`
Rule string `json:"rule"`
Status report.PolicyStatus `json:"status"`
Resource string `json:"resource"`
}
type ReportResult struct {
@ -106,6 +108,7 @@ type Values struct {
}
type resultCounts struct {
skip int
pass int
fail int
}
@ -145,105 +148,125 @@ func testCommandExecute(dirPath []string, valuesFile string, fileName string) (r
sort.Strings(policyYamls)
for _, yamlFilePath := range policyYamls {
file, err := fs.Open(yamlFilePath)
if err != nil {
errors = append(errors, sanitizederror.NewWithError("Error: failed to open file", err))
continue
}
if strings.Contains(file.Name(), fileName) {
testYamlCount++
policyresoucePath := strings.Trim(yamlFilePath, fileName)
bytes, err := ioutil.ReadAll(file)
if err != nil {
sanitizederror.NewWithError("Error: failed to read file", err)
errors = append(errors, sanitizederror.NewWithError("Error: failed to read file", err))
continue
}
policyBytes, err := yaml.ToJSON(bytes)
if err != nil {
sanitizederror.NewWithError("failed to convert to JSON", err)
errors = append(errors, sanitizederror.NewWithError("failed to convert to JSON", err))
continue
}
if err := applyPoliciesFromPath(fs, policyBytes, valuesFile, true, policyresoucePath, rc); err != nil {
return rc, sanitizederror.NewWithError("failed to apply test command", err)
}
}
if err != nil {
sanitizederror.NewWithError("Error: failed to open file", err)
continue
}
}
if testYamlCount == 0 {
fmt.Printf("\n No test yamls available \n")
}
} else {
path := filepath.Clean(dirPath[0])
if err != nil {
errors = append(errors, err)
}
err := getLocalDirTestFiles(fs, path, fileName, valuesFile, rc, testYamlCount)
if err != nil {
errors = append(errors, err)
}
if len(errors) > 0 && log.Log.V(1).Enabled() {
fmt.Printf("ignoring errors: \n")
for _, e := range errors {
fmt.Printf(" %v \n", e.Error())
}
errors = getLocalDirTestFiles(fs, path, fileName, valuesFile, rc)
}
if len(errors) > 0 && log.Log.V(1).Enabled() {
fmt.Printf("ignoring errors: \n")
for _, e := range errors {
fmt.Printf(" %v \n", e.Error())
}
}
if rc.fail > 0 {
os.Exit(1)
}
if testYamlCount == 0 {
fmt.Printf("\n No test yamls available \n")
}
os.Exit(0)
return rc, nil
}
func getLocalDirTestFiles(fs billy.Filesystem, path, fileName, valuesFile string, rc *resultCounts, testYamlCount int) error {
func getLocalDirTestFiles(fs billy.Filesystem, path, fileName, valuesFile string, rc *resultCounts) []error {
var errors []error
files, err := ioutil.ReadDir(path)
if err != nil {
return fmt.Errorf("failed to read %v: %v", path, err.Error())
return []error{fmt.Errorf("failed to read %v: %v", path, err.Error())}
}
for _, file := range files {
if file.IsDir() {
getLocalDirTestFiles(fs, filepath.Join(path, file.Name()), fileName, valuesFile, rc, testYamlCount)
getLocalDirTestFiles(fs, filepath.Join(path, file.Name()), fileName, valuesFile, rc)
continue
}
if strings.Contains(file.Name(), fileName) {
testYamlCount++
yamlFile, err := ioutil.ReadFile(filepath.Join(path, file.Name()))
if err != nil {
sanitizederror.NewWithError("unable to read yaml", err)
errors = append(errors, sanitizederror.NewWithError("unable to read yaml", err))
continue
}
valuesBytes, err := yaml.ToJSON(yamlFile)
if err != nil {
sanitizederror.NewWithError("failed to convert json", err)
errors = append(errors, sanitizederror.NewWithError("failed to convert json", err))
continue
}
if err := applyPoliciesFromPath(fs, valuesBytes, valuesFile, false, path, rc); err != nil {
sanitizederror.NewWithError("failed to apply test command", err)
errors = append(errors, sanitizederror.NewWithError(fmt.Sprintf("failed to apply test command from file %s", file.Name()), err))
continue
}
}
}
return nil
return errors
}
func buildPolicyResults(resps []*response.EngineResponse) map[string][]interface{} {
results := make(map[string][]interface{})
func buildPolicyResults(resps []*response.EngineResponse, testResults []TestResults) map[string]report.PolicyReportResult {
results := make(map[string]report.PolicyReportResult)
infos := policyreport.GeneratePRsFromEngineResponse(resps, log.Log)
for _, resp := range resps {
policyName := resp.PolicyResponse.Policy
resourceName := resp.PolicyResponse.Resource.Name
var rules []string
for _, rule := range resp.PolicyResponse.Rules {
rules = append(rules, rule.Name)
}
result := report.PolicyReportResult{
Policy: policyName,
Resources: []*corev1.ObjectReference{
{
Name: resourceName,
},
},
}
for _, test := range testResults {
if test.Policy == policyName && test.Resource == resourceName {
if !util.ContainsString(rules, test.Rule) {
result.Status = report.StatusSkip
}
resultsKey := fmt.Sprintf("%s-%s-%s", test.Policy, test.Rule, test.Resource)
if _, ok := results[resultsKey]; !ok {
results[resultsKey] = result
}
}
}
}
for _, info := range infos {
for _, infoResult := range info.Results {
for _, rule := range infoResult.Rules {
if rule.Type != utils.Validation.String() {
continue
}
result := report.PolicyReportResult{
Policy: info.PolicyName,
Resources: []*corev1.ObjectReference{
{
Name: infoResult.Resource.Name,
},
},
var result report.PolicyReportResult
resultsKey := fmt.Sprintf("%s-%s-%s", info.PolicyName, rule.Name, infoResult.Resource.Name)
if val, ok := results[resultsKey]; ok {
result = val
} else {
continue
}
result.Rule = rule.Name
result.Status = report.PolicyStatus(rule.Check)
results[rule.Name] = append(results[rule.Name], result)
results[resultsKey] = result
}
}
}
@ -269,6 +292,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
var dClient *client.Client
values := &Test{}
var variablesString string
store.SetMock(true)
if err := json.Unmarshal(policyBytes, values); err != nil {
return sanitizederror.NewWithError("failed to decode yaml", err)
@ -333,6 +357,18 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
continue
}
for _, resource := range resources {
var resourcePolicy string
for polName, values := range valuesMap {
for resName := range values {
if resName == resource.GetName() {
resourcePolicy = polName
}
}
}
if len(valuesMap) != 0 && resourcePolicy != policy.GetName() {
log.Log.V(3).Info(fmt.Sprintf("Skipping resource, policy names do not match %s != %s", resourcePolicy, policy.GetName()))
continue
}
thisPolicyResourceValues := make(map[string]string)
if len(valuesMap[policy.GetName()]) != 0 && !reflect.DeepEqual(valuesMap[policy.GetName()][resource.GetName()], Resource{}) {
thisPolicyResourceValues = valuesMap[policy.GetName()][resource.GetName()].Values
@ -349,7 +385,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
validateEngineResponses = append(validateEngineResponses, validateErs)
}
}
resultsMap := buildPolicyResults(validateEngineResponses)
resultsMap := buildPolicyResults(validateEngineResponses, values.Results)
resultErr := printTestResult(resultsMap, values.Results, rc)
if resultErr != nil {
return sanitizederror.NewWithError("Unable to genrate result. Error:", resultErr)
@ -357,40 +393,38 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s
return
}
func printTestResult(resps map[string][]interface{}, testResults []TestResults, rc *resultCounts) error {
func printTestResult(resps map[string]report.PolicyReportResult, testResults []TestResults, rc *resultCounts) error {
printer := tableprinter.New(os.Stdout)
table := []*Table{}
boldGreen := color.New(color.FgGreen).Add(color.Bold)
boldRed := color.New(color.FgRed).Add(color.Bold)
boldYellow := color.New(color.FgYellow).Add(color.Bold)
boldFgCyan := color.New(color.FgCyan).Add(color.Bold)
for i, v := range testResults {
res := new(Table)
res.ID = i + 1
res.Resource = boldFgCyan.Sprintf(v.Resource) + " with " + boldFgCyan.Sprintf(v.Policy) + "/" + boldFgCyan.Sprintf(v.Rule)
n := resps[v.Rule]
data, _ := json.Marshal(n)
valuesBytes, err := yaml.ToJSON(data)
if err != nil {
return sanitizederror.NewWithError("failed to convert json", err)
resultKey := fmt.Sprintf("%s-%s-%s", v.Policy, v.Rule, v.Resource)
var testRes report.PolicyReportResult
if val, ok := resps[resultKey]; ok {
testRes = val
} else {
res.Result = boldYellow.Sprintf("Not found")
rc.fail++
table = append(table, res)
continue
}
var r []ReportResult
json.Unmarshal(valuesBytes, &r)
res.Result = boldRed.Sprintf("Fail")
if len(r) != 0 {
var resource TestResults
for _, testRes := range r {
if testRes.Resources[0].Name == v.Resource {
resource.Policy = testRes.Policy
resource.Rule = testRes.Rule
resource.Status = testRes.Status
resource.Resource = testRes.Resources[0].Name
if v == resource {
res.Result = "Pass"
rc.pass++
} else {
rc.fail++
}
}
if testRes.Status == v.Status {
if testRes.Status == report.StatusSkip {
res.Result = boldGreen.Sprintf("Skip")
rc.skip++
} else {
res.Result = boldGreen.Sprintf("Pass")
rc.pass++
}
} else {
res.Result = boldRed.Sprintf("Fail")
rc.fail++
}
table = append(table, res)
}

186
pkg/kyverno/validate/command.go
View file

@ -9,11 +9,16 @@ import (
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/kyverno/common"
"github.com/kyverno/kyverno/pkg/kyverno/crds"
sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/openapi"
policy2 "github.com/kyverno/kyverno/pkg/policy"
"github.com/kyverno/kyverno/pkg/utils"
"github.com/spf13/cobra"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiservervalidation "k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/util/validation/field"
"sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/yaml"
)
@ -46,34 +51,14 @@ func Command() *cobra.Command {
return sanitizederror.NewWithError(fmt.Sprintf("policy file(s) required"), err)
}
var policies []*v1.ClusterPolicy
var errs []error
if policyPaths[0] == "-" {
if common.IsInputFromPipe() {
policyStr := ""
scanner := bufio.NewScanner(os.Stdin)
for scanner.Scan() {
policyStr = policyStr + scanner.Text() + "\n"
}
policies, err := getPolicyFromGivenPath(policyPaths)
if err != nil {
return sanitizederror.NewWithError("failed to parse policy", err)
}
yamlBytes := []byte(policyStr)
policies, err = utils.GetPolicy(yamlBytes)
if err != nil {
return sanitizederror.NewWithError("failed to parse policy", err)
}
}
} else {
policies, errs = common.GetPolicies(policyPaths)
if len(errs) > 0 && len(policies) == 0 {
return sanitizederror.NewWithErrors("failed to read policies", errs)
}
if len(errs) > 0 && log.Log.V(1).Enabled() {
fmt.Printf("ignoring errors: \n")
for _, e := range errs {
fmt.Printf(" %v \n", e.Error())
}
}
v1crd, err := getPolicyCRD()
if err != nil {
return sanitizederror.NewWithError("failed to decode crd: ", err)
}
openAPIController, err := openapi.NewOpenAPIController()
@ -93,38 +78,9 @@ func Command() *cobra.Command {
}
}
invalidPolicyFound := false
for _, policy := range policies {
fmt.Println("----------------------------------------------------------------------")
err := policy2.Validate(policy, nil, true, openAPIController)
if err != nil {
fmt.Printf("Policy %s is invalid.\n", policy.Name)
fmt.Printf("Error: invalid policy.\nCause: %s\n\n", err)
invalidPolicyFound = true
} else {
fmt.Printf("Policy %s is valid.\n\n", policy.Name)
if outputType != "" {
logger := log.Log.WithName("validate")
p, err := common.MutatePolicy(policy, logger)
if err != nil {
if !sanitizederror.IsErrorSanitized(err) {
return sanitizederror.NewWithError("failed to mutate policy.", err)
}
return err
}
if outputType == "yaml" {
yamlPolicy, _ := yaml.Marshal(p)
fmt.Println(string(yamlPolicy))
} else {
jsonPolicy, _ := json.MarshalIndent(p, "", " ")
fmt.Println(string(jsonPolicy))
}
}
}
}
if invalidPolicyFound == true {
os.Exit(1)
err = validatePolicies(policies, v1crd, openAPIController, outputType)
if err != nil {
return sanitizederror.NewWithError("failed to validate policies", err)
}
return nil
},
@ -133,3 +89,115 @@ func Command() *cobra.Command {
cmd.Flags().StringArrayVarP(&crdPaths, "crd", "c", []string{}, "Path to CRD files")
return cmd
}
func getPolicyFromGivenPath(policyPaths []string) (policies []*v1.ClusterPolicy, err error) {
var errs []error
if policyPaths[0] == "-" {
if common.IsInputFromPipe() {
policyStr := ""
scanner := bufio.NewScanner(os.Stdin)
for scanner.Scan() {
policyStr = policyStr + scanner.Text() + "\n"
}
yamlBytes := []byte(policyStr)
policies, err = utils.GetPolicy(yamlBytes)
if err != nil {
return policies, sanitizederror.NewWithError("failed to parse policy", err)
}
}
} else {
policies, errs = common.GetPolicies(policyPaths)
if len(errs) > 0 && len(policies) == 0 {
return policies, sanitizederror.NewWithErrors("failed to parse policies", errs)
}
if len(errs) > 0 && log.Log.V(1).Enabled() {
fmt.Printf("ignoring errors: \n")
for _, e := range errs {
fmt.Printf(" %v \n", e.Error())
}
}
}
return policies, nil
}
func getPolicyCRD() (v1crd apiextensions.CustomResourceDefinitionSpec, err error) {
if err = json.Unmarshal([]byte(crds.PolicyCRD), &v1crd); err != nil {
return
}
return
}
func validatePolicyAccordingToPolicyCRD(policy *v1.ClusterPolicy, v1crd apiextensions.CustomResourceDefinitionSpec) (err error, errList field.ErrorList) {
policyBytes, err := json.Marshal(policy)
if err != nil {
return sanitizederror.NewWithError("failed to marshal policy", err), nil
}
u := &unstructured.Unstructured{}
err = u.UnmarshalJSON(policyBytes)
if err != nil {
return sanitizederror.NewWithError("failed to decode policy", err), nil
}
versions := v1crd.Versions
for _, version := range versions {
validator, _, err := apiservervalidation.NewSchemaValidator(&apiextensions.CustomResourceValidation{OpenAPIV3Schema: version.Schema.OpenAPIV3Schema})
if err != nil {
return sanitizederror.NewWithError("failed to create schema validator", err), nil
}
errList = apiservervalidation.ValidateCustomResource(nil, u.UnstructuredContent(), validator)
}
return
}
func validatePolicies(policies []*v1.ClusterPolicy, v1crd apiextensions.CustomResourceDefinitionSpec, openAPIController *openapi.Controller, outputType string) error {
invalidPolicyFound := false
for _, policy := range policies {
err, errorList := validatePolicyAccordingToPolicyCRD(policy, v1crd)
if err != nil {
return sanitizederror.NewWithError("failed to validate policy.", err)
}
if errorList == nil {
err = policy2.Validate(policy, nil, true, openAPIController)
}
fmt.Println("----------------------------------------------------------------------")
if errorList != nil || err != nil {
fmt.Printf("Policy %s is invalid.\n", policy.Name)
if errorList != nil {
fmt.Printf("Error: invalid policy.\nCause: %s\n\n", errorList)
} else {
fmt.Printf("Error: invalid policy.\nCause: %s\n\n", err)
}
invalidPolicyFound = true
} else {
fmt.Printf("Policy %s is valid.\n\n", policy.Name)
if outputType != "" {
logger := log.Log.WithName("validate")
p, err := common.MutatePolicy(policy, logger)
if err != nil {
if !sanitizederror.IsErrorSanitized(err) {
return sanitizederror.NewWithError("failed to mutate policy.", err)
}
return err
}
if outputType == "yaml" {
yamlPolicy, _ := yaml.Marshal(p)
fmt.Println(string(yamlPolicy))
} else {
jsonPolicy, _ := json.MarshalIndent(p, "", " ")
fmt.Println(string(jsonPolicy))
}
}
}
}
if invalidPolicyFound {
os.Exit(1)
}
return nil
}

380
pkg/kyverno/validate/commmand_test.go Normal file
View file

@ -0,0 +1,380 @@
package validate
import (
"encoding/json"
"fmt"
"testing"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"gotest.tools/assert"
)
func Test_validateUsingPolicyCRD(t *testing.T) {
type TestCase struct {
rawPolicy []byte
errorDetail string
detail string
}
testcases := []TestCase{
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "add-requests"
},
"spec": {
"rules": [
{
"name": "Set memory and/or cpu requests for all pods in namespaces labeled 'myprivatelabel'",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"mutate": {
"overlay": {
"spec": {
"containers": [
{
"(name)": "*",
"resources": {
"requests": {
"cpu": "1000m"
}
}
}
]
}
}
}
}
]
}
}
`),
errorDetail: "spec.rules.name in body should be at most 63 chars long",
detail: "Test: char count for rule name",
},
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "min-replicas-clusterpolicy"
},
"spec": {
"validationFailureAction": "audit",
"rules": [
{
"name": "check-min-replicas",
"match": {
"resources": {
"kinds": [
"Deployment"
]
}
},
"validate": {
"message": "should have at least 2 replicas",
"pattern": {
"spec": {
"replicas": 2
}
}
}
}
]
}
}
`),
errorDetail: "",
detail: "Test: basic vaild policy",
},
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-singleton"
},
"spec": {
"validationFailureAction": "audit",
"rules": [
{
"name": "validate-replicas",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"annotations": {
"singleton": "true"
}
}
},
"validate": {
"message": "Replicasets require at least 2 replicas.",
"pattern": {
"spec": {
"replicas": ">1"
}
}
}
}
]
}
}
`),
errorDetail: "",
detail: "Test: schema validation for spec.rules.match.resources.annotations",
},
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-singleton"
},
"spec": {
"validationFailureAction": "audit",
"rules": [
{
"name": "validate-replicas",
"match": {
"resources": {
"kinds": [
"Deployment"
]
}
},
"exclude": {
"resources": {
"annotations": {
"singleton": "true"
}
}
},
"validate": {
"message": "Replicasets require at least 2 replicas.",
"pattern": {
"spec": {
"replicas": ">1"
}
}
}
}
]
}
}
`),
errorDetail: "",
detail: "Test: schema validation for spec.rules.exclude.resources.annotations",
},
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "enforce-pod-name"
},
"spec": {
"validationFailureAction": "audit",
"background": true,
"rules": [
{
"name": "validate-name",
"match": {
"resources": {
"kinds": [
"Pod"
],
"namespaceSelector": {
"matchLabels": {
"app-namespace": "true"
}
}
}
},
"validate": {
"message": "The Pod must end with -nginx",
"pattern": {
"metadata": {
"name": "*-nginx"
}
}
}
}
]
}
}
`),
errorDetail: "",
detail: "Test: schema validation for spec.rules.match.resources.namespaceSelector.matchLabels",
},
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "enforce-pod-name"
},
"spec": {
"validationFailureAction": "audit",
"background": true,
"rules": [
{
"name": "validate-name",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"exclude": {
"resources": {
"namespaceSelector": {
"matchLabels": {
"app-namespace": "true"
}
}
}
},
"validate": {
"message": "The Pod must end with -nginx",
"pattern": {
"metadata": {
"name": "*-nginx"
}
}
}
}
]
}
}
`),
errorDetail: "",
detail: "Test: schema validation for spec.rules.exclude.resources.namespaceSelector.matchLabels",
},
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "enforce-pod-name"
},
"spec": {
"validationFailureAction": "audit",
"background": true,
"rules": [
{
"name": "validate-name",
"match": {
"resources": {
"kinds": [
"Pod"
],
"selector": {
"matchLabels": {
"app-namespace": "true"
}
}
}
},
"validate": {
"message": "The Pod must end with -nginx",
"pattern": {
"metadata": {
"name": "*-nginx"
}
}
}
}
]
}
}
`),
errorDetail: "",
detail: "Test: schema validation for spec.rules.match.resources.selector.matchLabels",
},
{
rawPolicy: []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "enforce-pod-name"
},
"spec": {
"validationFailureAction": "audit",
"background": true,
"rules": [
{
"name": "validate-name",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"exclude": {
"resources": {
"selector": {
"matchLabels": {
"app-namespace": "true"
}
}
}
},
"validate": {
"message": "The Pod must end with -nginx",
"pattern": {
"metadata": {
"name": "*-nginx"
}
}
}
}
]
}
}
`),
errorDetail: "",
detail: "Test: schema validation for spec.rules.exclude.resources.selector.matchLabels",
},
}
v1crd, err := getPolicyCRD()
assert.NilError(t, err)
var policy kyverno.ClusterPolicy
for _, tc := range testcases {
err = json.Unmarshal(tc.rawPolicy, &policy)
assert.NilError(t, err)
_, errorList := validatePolicyAccordingToPolicyCRD(&policy, v1crd)
fmt.Println(tc.detail)
for _, e := range errorList {
assert.Assert(t, tc.errorDetail == e.Detail)
}
}
}

68
pkg/metrics/admissionreviewlatency/admissionReviewLatency.go Normal file
View file

@ -0,0 +1,68 @@
package admissionreviewlatency
import (
"fmt"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/metrics"
prom "github.com/prometheus/client_golang/prometheus"
)
func (pm PromMetrics) registerAdmissionReviewLatencyMetric(
clusterPoliciesCount, namespacedPoliciesCount int,
validateRulesCount, mutateRulesCount, generateRulesCount int,
resourceName, resourceKind, resourceNamespace string,
resourceRequestOperation metrics.ResourceRequestOperation,
admissionRequestLatency float64,
) error {
pm.AdmissionReviewLatency.With(prom.Labels{
"cluster_policies_count": fmt.Sprintf("%d", clusterPoliciesCount),
"namespaced_policies_count": fmt.Sprintf("%d", namespacedPoliciesCount),
"validate_rules_count": fmt.Sprintf("%d", validateRulesCount),
"mutate_rules_count": fmt.Sprintf("%d", mutateRulesCount),
"generate_rules_count": fmt.Sprintf("%d", generateRulesCount),
"resource_name": resourceName,
"resource_kind": resourceKind,
"resource_namespace": resourceNamespace,
"resource_request_operation": string(resourceRequestOperation),
}).Set(admissionRequestLatency)
return nil
}
func (pm PromMetrics) ProcessEngineResponses(engineResponses []*response.EngineResponse, triggeredPolicies []kyverno.ClusterPolicy, admissionReviewLatencyDuration int64, resourceRequestOperation metrics.ResourceRequestOperation) error {
if len(engineResponses) == 0 {
return nil
}
resourceName, resourceNamespace, resourceKind := engineResponses[0].PolicyResponse.Resource.Name, engineResponses[0].PolicyResponse.Resource.Namespace, engineResponses[0].PolicyResponse.Resource.Kind
clusterPoliciesCount, namespacedPoliciesCount, totalValidateRulesCount, totalMutateRulesCount, totalGenerateRulesCount := 0, 0, 0, 0, 0
for i, e := range engineResponses {
validateRulesCount, mutateRulesCount, generateRulesCount := 0, 0, 0
for _, rule := range e.PolicyResponse.Rules {
switch rule.Type {
case "Validation":
validateRulesCount++
case "Mutation":
mutateRulesCount++
case "Generation":
generateRulesCount++
}
}
// no rules triggered
if validateRulesCount+mutateRulesCount+generateRulesCount == 0 {
continue
}
if triggeredPolicies[i].Namespace == "" {
clusterPoliciesCount++
} else {
namespacedPoliciesCount++
}
totalValidateRulesCount += validateRulesCount
totalMutateRulesCount += mutateRulesCount
totalGenerateRulesCount += generateRulesCount
}
if totalValidateRulesCount+totalMutateRulesCount+totalGenerateRulesCount == 0 {
return nil
}
admissionReviewLatencyDurationInMs := float64(admissionReviewLatencyDuration) / float64(1000*1000)
return pm.registerAdmissionReviewLatencyMetric(clusterPoliciesCount, namespacedPoliciesCount, totalValidateRulesCount, totalMutateRulesCount, totalGenerateRulesCount, resourceName, resourceKind, resourceNamespace, resourceRequestOperation, admissionReviewLatencyDurationInMs)
}

25
pkg/metrics/admissionreviewlatency/parsers.go Normal file
View file

@ -0,0 +1,25 @@
package admissionreviewlatency
import (
"fmt"
"github.com/kyverno/kyverno/pkg/metrics"
)
func ParsePromMetrics(pm metrics.PromMetrics) PromMetrics {
return PromMetrics(pm)
}
func ParseResourceRequestOperation(requestOperationStr string) (metrics.ResourceRequestOperation, error) {
switch requestOperationStr {
case "CREATE":
return metrics.ResourceCreated, nil
case "UPDATE":
return metrics.ResourceUpdated, nil
case "DELETE":
return metrics.ResourceDeleted, nil
case "CONNECT":
return metrics.ResourceConnected, nil
default:
return "", fmt.Errorf("Unknown request operation made by resource: %s. Allowed requests: 'CREATE', 'UPDATE', 'DELETE', 'CONNECT'", requestOperationStr)
}
}

7
pkg/metrics/admissionreviewlatency/types.go Normal file
View file

@ -0,0 +1,7 @@
package admissionreviewlatency
import (
"github.com/kyverno/kyverno/pkg/metrics"
)
type PromMetrics metrics.PromMetrics

57
pkg/metrics/common_types.go Normal file
View file

@ -0,0 +1,57 @@
package metrics
type PolicyValidationMode string
const (
Enforce PolicyValidationMode = "enforce"
Audit PolicyValidationMode = "audit"
)
type PolicyType string
const (
Cluster PolicyType = "cluster"
Namespaced PolicyType = "namespaced"
)
type PolicyBackgroundMode string
const (
BackgroundTrue PolicyBackgroundMode = "true"
BackgroundFalse PolicyBackgroundMode = "false"
)
type RuleType string
const (
Validate RuleType = "validate"
Mutate RuleType = "mutate"
Generate RuleType = "generate"
EmptyRuleType RuleType = "-"
)
type RuleResult string
const (
Pass RuleResult = "pass"
Fail RuleResult = "fail"
Warn RuleResult = "warn"
Error RuleResult = "error"
Skip RuleResult = "skip"
)
type RuleExecutionCause string
const (
AdmissionRequest RuleExecutionCause = "admission_request"
BackgroundScan RuleExecutionCause = "background_scan"
)
type ResourceRequestOperation string
const (
ResourceCreated ResourceRequestOperation = "create"
ResourceUpdated ResourceRequestOperation = "update"
ResourceDeleted ResourceRequestOperation = "delete"
ResourceConnected ResourceRequestOperation = "connect"
)

103
pkg/metrics/metrics.go Normal file
View file

@ -0,0 +1,103 @@
package metrics
import (
prom "github.com/prometheus/client_golang/prometheus"
)
type PromConfig struct {
MetricsRegistry *prom.Registry
Metrics *PromMetrics
}
type PromMetrics struct {
PolicyRuleResults *prom.GaugeVec
PolicyRuleInfo *prom.GaugeVec
PolicyChanges *prom.GaugeVec
PolicyRuleExecutionLatency *prom.GaugeVec
AdmissionReviewLatency *prom.GaugeVec
}
func NewPromConfig() *PromConfig {
pc := new(PromConfig)
pc.MetricsRegistry = prom.NewRegistry()
policyRuleResultsLabels := []string{
"policy_validation_mode", "policy_type", "policy_background_mode", "policy_name", "policy_namespace",
"resource_name", "resource_kind", "resource_namespace", "resource_request_operation",
"rule_name", "rule_result", "rule_type", "rule_execution_cause", "rule_response",
"main_request_trigger_timestamp", "policy_execution_timestamp", "rule_execution_timestamp",
}
policyRuleResultsMetric := prom.NewGaugeVec(
prom.GaugeOpts{
Name: "kyverno_policy_rule_results_info",
Help: "can be used to track the results associated with the policies applied in the users cluster, at the level from rule to policy to admission requests.",
},
policyRuleResultsLabels,
)
policyRuleInfoLabels := []string{
"policy_validation_mode", "policy_type", "policy_background_mode", "policy_namespace", "policy_name", "rule_name", "rule_type",
}
policyRuleInfoMetric := prom.NewGaugeVec(
prom.GaugeOpts{
Name: "kyverno_policy_rule_info_total",
Help: "can be used to track the info of the rules or/and policies present in the cluster. 0 means the rule doesn't exist and has been deleted, 1 means the rule is currently existent in the cluster.",
},
policyRuleInfoLabels,
)
policyChangesLabels := []string{
"policy_validation_mode", "policy_type", "policy_background_mode", "policy_namespace", "policy_name", "policy_change_type", "timestamp",
}
policyChangesMetric := prom.NewGaugeVec(
prom.GaugeOpts{
Name: "kyverno_policy_changes_info",
Help: "can be used to track all the Kyverno policies which have been created, updated or deleted.",
},
policyChangesLabels,
)
policyRuleExecutionLatencyLabels := []string{
"policy_validation_mode", "policy_type", "policy_background_mode", "policy_name", "policy_namespace",
"resource_name", "resource_kind", "resource_namespace", "resource_request_operation",
"rule_name", "rule_result", "rule_type", "rule_execution_cause", "rule_response", "generate_rule_latency_type",
"main_request_trigger_timestamp", "policy_execution_timestamp", "rule_execution_timestamp",
}
policyRuleExecutionLatencyMetric := prom.NewGaugeVec(
prom.GaugeOpts{
Name: "kyverno_policy_rule_execution_latency_milliseconds",
Help: "can be used to track the latencies (in milliseconds) associated with the execution/processing of the individual rules under Kyverno policies whenever they evaluate incoming resource requests.",
},
policyRuleExecutionLatencyLabels,
)
admissionReviewLatency := []string{
"cluster_policies_count", "namespaced_policies_count",
"validate_rules_count", "mutate_rules_count", "generate_rules_count",
"resource_name", "resource_kind", "resource_namespace", "resource_request_operation",
}
admissionReviewLatencyMetric := prom.NewGaugeVec(
prom.GaugeOpts{
Name: "kyverno_admission_review_latency_milliseconds",
Help: "can be used to track the latencies associated with the entire individual admission review. For example, if an incoming request trigger, say, five policies, this metric will track the e2e latency associated with the execution of all those policies.",
},
admissionReviewLatency,
)
pc.Metrics = &PromMetrics{
PolicyRuleResults: policyRuleResultsMetric,
PolicyRuleInfo: policyRuleInfoMetric,
PolicyChanges: policyChangesMetric,
PolicyRuleExecutionLatency: policyRuleExecutionLatencyMetric,
AdmissionReviewLatency: admissionReviewLatencyMetric,
}
pc.MetricsRegistry.MustRegister(pc.Metrics.PolicyRuleResults)
pc.MetricsRegistry.MustRegister(pc.Metrics.PolicyRuleInfo)
pc.MetricsRegistry.MustRegister(pc.Metrics.PolicyChanges)
pc.MetricsRegistry.MustRegister(pc.Metrics.PolicyRuleExecutionLatency)
pc.MetricsRegistry.MustRegister(pc.Metrics.AdmissionReviewLatency)
return pc
}

38
pkg/metrics/parsers.go Normal file
View file

@ -0,0 +1,38 @@
package metrics
import (
"fmt"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"reflect"
)
func ParsePolicyValidationMode(validationFailureAction string) (PolicyValidationMode, error) {
switch validationFailureAction {
case "enforce":
return Enforce, nil
case "audit":
return Audit, nil
default:
return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, "enforce", "audit")
}
}
func ParsePolicyBackgroundMode(backgroundMode bool) PolicyBackgroundMode {
if backgroundMode {
return BackgroundTrue
}
return BackgroundFalse
}
func ParseRuleType(rule kyverno.Rule) RuleType {
if !reflect.DeepEqual(rule.Validation, kyverno.Validation{}) {
return Validate
}
if !reflect.DeepEqual(rule.Mutation, kyverno.Mutation{}) {
return Mutate
}
if !reflect.DeepEqual(rule.Generation, kyverno.Generation{}) {
return Generate
}
return EmptyRuleType
}

9
pkg/metrics/policychanges/parsers.go Normal file
View file

@ -0,0 +1,9 @@
package policychanges
import (
"github.com/kyverno/kyverno/pkg/metrics"
)
func ParsePromMetrics(pm metrics.PromMetrics) PromMetrics {
return PromMetrics(pm)
}

65
pkg/metrics/policychanges/policyChanges.go Normal file
View file

@ -0,0 +1,65 @@
package policychanges
import (
"fmt"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/metrics"
prom "github.com/prometheus/client_golang/prometheus"
"time"
)
func (pm PromMetrics) registerPolicyChangesMetric(
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
policyNamespace, policyName string,
policyChangeType PolicyChangeType,
policyChangeTimestamp int64,
) error {
if policyType == metrics.Cluster {
policyNamespace = "-"
}
pm.PolicyChanges.With(prom.Labels{
"policy_validation_mode": string(policyValidationMode),
"policy_type": string(policyType),
"policy_background_mode": string(policyBackgroundMode),
"policy_namespace": policyNamespace,
"policy_name": policyName,
"policy_change_type": string(policyChangeType),
"timestamp": fmt.Sprintf("%+v", time.Unix(policyChangeTimestamp, 0)),
}).Set(1)
return nil
}
func (pm PromMetrics) RegisterPolicy(policy interface{}, policyChangeType PolicyChangeType, policyChangeTimestamp int64) error {
switch inputPolicy := policy.(type) {
case *kyverno.ClusterPolicy:
policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*inputPolicy.Spec.Background)
policyType := metrics.Cluster
policyNamespace := "" // doesn't matter for cluster policy
policyName := inputPolicy.ObjectMeta.Name
if err = pm.registerPolicyChangesMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, policyChangeType, policyChangeTimestamp); err != nil {
return err
}
return nil
case *kyverno.Policy:
policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*inputPolicy.Spec.Background)
policyType := metrics.Namespaced
policyNamespace := inputPolicy.ObjectMeta.Namespace
policyName := inputPolicy.ObjectMeta.Name
if err = pm.registerPolicyChangesMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, policyChangeType, policyChangeTimestamp); err != nil {
return err
}
return nil
default:
return fmt.Errorf("wrong input type provided %T. Only kyverno.Policy and kyverno.ClusterPolicy allowed", inputPolicy)
}
}

15
pkg/metrics/policychanges/types.go Normal file
View file

@ -0,0 +1,15 @@
package policychanges
import (
"github.com/kyverno/kyverno/pkg/metrics"
)
type PolicyChangeType string
const (
PolicyCreated PolicyChangeType = "created"
PolicyUpdated PolicyChangeType = "updated"
PolicyDeleted PolicyChangeType = "deleted"
)
type PromMetrics metrics.PromMetrics

40
pkg/metrics/policyruleexecutionlatency/parsers.go Normal file
View file

@ -0,0 +1,40 @@
package policyruleexecutionlatency
import (
"fmt"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/metrics"
)
func ParsePromMetrics(pm metrics.PromMetrics) PromMetrics {
return PromMetrics(pm)
}
func ParseRuleTypeFromEngineRuleResponse(rule response.RuleResponse) metrics.RuleType {
switch rule.Type {
case "Validation":
return metrics.Validate
case "Mutation":
return metrics.Mutate
case "Generation":
return metrics.Generate
default:
return metrics.EmptyRuleType
}
}
func ParseResourceRequestOperation(requestOperationStr string) (metrics.ResourceRequestOperation, error) {
switch requestOperationStr {
case "CREATE":
return metrics.ResourceCreated, nil
case "UPDATE":
return metrics.ResourceUpdated, nil
case "DELETE":
return metrics.ResourceDeleted, nil
case "CONNECT":
return metrics.ResourceConnected, nil
default:
return "", fmt.Errorf("Unknown request operation made by resource: %s. Allowed requests: 'CREATE', 'UPDATE', 'DELETE', 'CONNECT'", requestOperationStr)
}
}

117
pkg/metrics/policyruleexecutionlatency/policyRuleExecutionLatency.go Normal file
View file

@ -0,0 +1,117 @@
package policyruleexecutionlatency
import (
"fmt"
"time"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/metrics"
prom "github.com/prometheus/client_golang/prometheus"
)
func (pm PromMetrics) registerPolicyRuleResultsMetric(
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
policyNamespace, policyName string,
resourceName, resourceKind, resourceNamespace string,
resourceRequestOperation metrics.ResourceRequestOperation,
ruleName string,
ruleResult metrics.RuleResult,
ruleType metrics.RuleType,
ruleExecutionCause metrics.RuleExecutionCause,
ruleResponse string,
mainRequestTriggerTimestamp, policyExecutionTimestamp, ruleExecutionTimestamp int64,
generateRuleLatencyType string,
ruleExecutionLatencyInMs float64,
) error {
if policyType == metrics.Cluster {
policyNamespace = "-"
}
if ruleType != metrics.Generate || generateRuleLatencyType == "" {
generateRuleLatencyType = "-"
}
pm.PolicyRuleExecutionLatency.With(prom.Labels{
"policy_validation_mode": string(policyValidationMode),
"policy_type": string(policyType),
"policy_background_mode": string(policyBackgroundMode),
"policy_namespace": policyNamespace,
"policy_name": policyName,
"resource_name": resourceName,
"resource_kind": resourceKind,
"resource_namespace": resourceNamespace,
"resource_request_operation": string(resourceRequestOperation),
"rule_name": ruleName,
"rule_result": string(ruleResult),
"rule_type": string(ruleType),
"rule_execution_cause": string(ruleExecutionCause),
"rule_response": ruleResponse,
"main_request_trigger_timestamp": fmt.Sprintf("%+v", time.Unix(mainRequestTriggerTimestamp, 0)),
"policy_execution_timestamp": fmt.Sprintf("%+v", time.Unix(policyExecutionTimestamp, 0)),
"rule_execution_timestamp": fmt.Sprintf("%+v", time.Unix(ruleExecutionTimestamp, 0)),
"generate_rule_latency_type": generateRuleLatencyType,
}).Set(ruleExecutionLatencyInMs)
return nil
}
//policy - policy related data
//engineResponse - resource and rule related data
func (pm PromMetrics) ProcessEngineResponse(policy kyverno.ClusterPolicy, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, generateRuleLatencyType string, resourceRequestOperation metrics.ResourceRequestOperation, mainRequestTriggerTimestamp int64) error {
policyValidationMode, err := metrics.ParsePolicyValidationMode(policy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyType := metrics.Namespaced
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*policy.Spec.Background)
policyNamespace := policy.ObjectMeta.Namespace
if policyNamespace == "" {
policyNamespace = "-"
policyType = metrics.Cluster
}
policyName := policy.ObjectMeta.Name
policyExecutionTimestamp := engineResponse.PolicyResponse.PolicyExecutionTimestamp
resourceSpec := engineResponse.PolicyResponse.Resource
resourceName := resourceSpec.Name
resourceKind := resourceSpec.Kind
resourceNamespace := resourceSpec.Namespace
ruleResponses := engineResponse.PolicyResponse.Rules
for _, rule := range ruleResponses {
ruleName := rule.Name
ruleType := ParseRuleTypeFromEngineRuleResponse(rule)
ruleResponse := rule.Message
ruleResult := metrics.Fail
if rule.Success {
ruleResult = metrics.Pass
}
ruleExecutionTimestamp := rule.RuleStats.RuleExecutionTimestamp
ruleExecutionLatencyInMs := float64(rule.RuleStats.ProcessingTime) / float64(1000*1000)
if err := pm.registerPolicyRuleResultsMetric(
policyValidationMode,
policyType,
policyBackgroundMode,
policyNamespace, policyName,
resourceName, resourceKind, resourceNamespace,
resourceRequestOperation,
ruleName,
ruleResult,
ruleType,
executionCause,
ruleResponse,
mainRequestTriggerTimestamp, policyExecutionTimestamp, ruleExecutionTimestamp,
generateRuleLatencyType,
ruleExecutionLatencyInMs,
); err != nil {
return err
}
}
return nil
}

7
pkg/metrics/policyruleexecutionlatency/types.go Normal file
View file

@ -0,0 +1,7 @@
package policyruleexecutionlatency
import (
"github.com/kyverno/kyverno/pkg/metrics"
)
type PromMetrics metrics.PromMetrics

21
pkg/metrics/policyruleinfo/parsers.go Normal file
View file

@ -0,0 +1,21 @@
package policyruleinfo
import (
"fmt"
"github.com/kyverno/kyverno/pkg/metrics"
)
func ParsePolicyRuleInfoMetricChangeType(change string) (PolicyRuleInfoMetricChangeType, error) {
if change == "created" {
return PolicyRuleCreated, nil
}
if change == "deleted" {
return PolicyRuleDeleted, nil
}
return "", fmt.Errorf("wrong policy rule count metric change type found %s. Allowed: '%s', '%s'", change, "created", "deleted")
}
func ParsePromMetrics(pm metrics.PromMetrics) PromMetrics {
return PromMetrics(pm)
}

133
pkg/metrics/policyruleinfo/policyRuleInfo.go Normal file
View file

@ -0,0 +1,133 @@
package policyruleinfo
import (
"fmt"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/metrics"
prom "github.com/prometheus/client_golang/prometheus"
)
func (pm PromMetrics) registerPolicyRuleInfoMetric(
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
policyNamespace, policyName, ruleName string,
ruleType metrics.RuleType,
metricChangeType PolicyRuleInfoMetricChangeType,
) error {
var metricValue float64
switch metricChangeType {
case PolicyRuleCreated:
metricValue = float64(1)
case PolicyRuleDeleted:
metricValue = float64(0)
default:
return fmt.Errorf("unknown metric change type found: %s", metricChangeType)
}
if policyType == metrics.Cluster {
policyNamespace = "-"
}
pm.PolicyRuleInfo.With(prom.Labels{
"policy_validation_mode": string(policyValidationMode),
"policy_type": string(policyType),
"policy_background_mode": string(policyBackgroundMode),
"policy_namespace": policyNamespace,
"policy_name": policyName,
"rule_name": ruleName,
"rule_type": string(ruleType),
}).Set(metricValue)
return nil
}
func (pm PromMetrics) AddPolicy(policy interface{}) error {
switch inputPolicy := policy.(type) {
case *kyverno.ClusterPolicy:
policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*inputPolicy.Spec.Background)
policyType := metrics.Cluster
policyNamespace := "" // doesn't matter for cluster policy
policyName := inputPolicy.ObjectMeta.Name
// registering the metrics on a per-rule basis
for _, rule := range inputPolicy.Spec.Rules {
ruleName := rule.Name
ruleType := metrics.ParseRuleType(rule)
if err = pm.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleCreated); err != nil {
return err
}
}
return nil
case *kyverno.Policy:
policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*inputPolicy.Spec.Background)
policyType := metrics.Namespaced
policyNamespace := inputPolicy.ObjectMeta.Namespace
policyName := inputPolicy.ObjectMeta.Name
// registering the metrics on a per-rule basis
for _, rule := range inputPolicy.Spec.Rules {
ruleName := rule.Name
ruleType := metrics.ParseRuleType(rule)
if err = pm.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleCreated); err != nil {
return err
}
}
return nil
default:
return fmt.Errorf("wrong input type provided %T. Only kyverno.Policy and kyverno.ClusterPolicy allowed", inputPolicy)
}
}
func (pm PromMetrics) RemovePolicy(policy interface{}) error {
switch inputPolicy := policy.(type) {
case *kyverno.ClusterPolicy:
for _, rule := range inputPolicy.Spec.Rules {
policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*inputPolicy.Spec.Background)
policyType := metrics.Cluster
policyNamespace := "" // doesn't matter for cluster policy
policyName := inputPolicy.ObjectMeta.Name
ruleName := rule.Name
ruleType := metrics.ParseRuleType(rule)
if err = pm.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleDeleted); err != nil {
return err
}
}
return nil
case *kyverno.Policy:
for _, rule := range inputPolicy.Spec.Rules {
policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*inputPolicy.Spec.Background)
policyType := metrics.Namespaced
policyNamespace := inputPolicy.ObjectMeta.Namespace
policyName := inputPolicy.ObjectMeta.Name
ruleName := rule.Name
ruleType := metrics.ParseRuleType(rule)
if err = pm.registerPolicyRuleInfoMetric(policyValidationMode, policyType, policyBackgroundMode, policyNamespace, policyName, ruleName, ruleType, PolicyRuleDeleted); err != nil {
return err
}
}
return nil
default:
return fmt.Errorf("wrong input type provided %T. Only kyverno.Policy and kyverno.ClusterPolicy allowed", inputPolicy)
}
}

14
pkg/metrics/policyruleinfo/types.go Normal file
View file

@ -0,0 +1,14 @@
package policyruleinfo
import (
"github.com/kyverno/kyverno/pkg/metrics"
)
type PolicyRuleInfoMetricChangeType string
const (
PolicyRuleCreated PolicyRuleInfoMetricChangeType = "created"
PolicyRuleDeleted PolicyRuleInfoMetricChangeType = "deleted"
)
type PromMetrics metrics.PromMetrics

39
pkg/metrics/policyruleresults/parsers.go Normal file
View file

@ -0,0 +1,39 @@
package policyruleresults
import (
"fmt"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/metrics"
)
func ParsePromMetrics(pm metrics.PromMetrics) PromMetrics {
return PromMetrics(pm)
}
func ParseRuleTypeFromEngineRuleResponse(rule response.RuleResponse) metrics.RuleType {
switch rule.Type {
case "Validation":
return metrics.Validate
case "Mutation":
return metrics.Mutate
case "Generation":
return metrics.Generate
default:
return metrics.EmptyRuleType
}
}
func ParseResourceRequestOperation(requestOperationStr string) (metrics.ResourceRequestOperation, error) {
switch requestOperationStr {
case "CREATE":
return metrics.ResourceCreated, nil
case "UPDATE":
return metrics.ResourceUpdated, nil
case "DELETE":
return metrics.ResourceDeleted, nil
case "CONNECT":
return metrics.ResourceConnected, nil
default:
return "", fmt.Errorf("Unknown request operation made by resource: %s. Allowed requests: 'CREATE', 'UPDATE', 'DELETE', 'CONNECT'", requestOperationStr)
}
}

107
pkg/metrics/policyruleresults/policyRuleResults.go Normal file
View file

@ -0,0 +1,107 @@
package policyruleresults
import (
"fmt"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/metrics"
prom "github.com/prometheus/client_golang/prometheus"
"time"
)
func (pm PromMetrics) registerPolicyRuleResultsMetric(
policyValidationMode metrics.PolicyValidationMode,
policyType metrics.PolicyType,
policyBackgroundMode metrics.PolicyBackgroundMode,
policyNamespace, policyName string,
resourceName, resourceKind, resourceNamespace string,
resourceRequestOperation metrics.ResourceRequestOperation,
ruleName string,
ruleResult metrics.RuleResult,
ruleType metrics.RuleType,
ruleExecutionCause metrics.RuleExecutionCause,
ruleResponse string,
mainRequestTriggerTimestamp, policyExecutionTimestamp, ruleExecutionTimestamp int64,
) error {
if policyType == metrics.Cluster {
policyNamespace = "-"
}
pm.PolicyRuleResults.With(prom.Labels{
"policy_validation_mode": string(policyValidationMode),
"policy_type": string(policyType),
"policy_background_mode": string(policyBackgroundMode),
"policy_namespace": policyNamespace,
"policy_name": policyName,
"resource_name": resourceName,
"resource_kind": resourceKind,
"resource_namespace": resourceNamespace,
"resource_request_operation": string(resourceRequestOperation),
"rule_name": ruleName,
"rule_result": string(ruleResult),
"rule_type": string(ruleType),
"rule_execution_cause": string(ruleExecutionCause),
"rule_response": ruleResponse,
"main_request_trigger_timestamp": fmt.Sprintf("%+v", time.Unix(mainRequestTriggerTimestamp, 0)),
"policy_execution_timestamp": fmt.Sprintf("%+v", time.Unix(policyExecutionTimestamp, 0)),
"rule_execution_timestamp": fmt.Sprintf("%+v", time.Unix(ruleExecutionTimestamp, 0)),
}).Set(1)
return nil
}
//policy - policy related data
//engineResponse - resource and rule related data
func (pm PromMetrics) ProcessEngineResponse(policy kyverno.ClusterPolicy, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation, mainRequestTriggerTimestamp int64) error {
policyValidationMode, err := metrics.ParsePolicyValidationMode(policy.Spec.ValidationFailureAction)
if err != nil {
return err
}
policyType := metrics.Namespaced
policyBackgroundMode := metrics.ParsePolicyBackgroundMode(*policy.Spec.Background)
policyNamespace := policy.ObjectMeta.Namespace
if policyNamespace == "" {
policyNamespace = "-"
policyType = metrics.Cluster
}
policyName := policy.ObjectMeta.Name
policyExecutionTimestamp := engineResponse.PolicyResponse.PolicyExecutionTimestamp
resourceSpec := engineResponse.PolicyResponse.Resource
resourceName := resourceSpec.Name
resourceKind := resourceSpec.Kind
resourceNamespace := resourceSpec.Namespace
ruleResponses := engineResponse.PolicyResponse.Rules
for _, rule := range ruleResponses {
ruleName := rule.Name
ruleType := ParseRuleTypeFromEngineRuleResponse(rule)
ruleResponse := rule.Message
ruleResult := metrics.Fail
if rule.Success {
ruleResult = metrics.Pass
}
ruleExecutionTimestamp := rule.RuleStats.RuleExecutionTimestamp
if err := pm.registerPolicyRuleResultsMetric(
policyValidationMode,
policyType,
policyBackgroundMode,
policyNamespace, policyName,
resourceName, resourceKind, resourceNamespace,
resourceRequestOperation,
ruleName,
ruleResult,
ruleType,
executionCause,
ruleResponse,
mainRequestTriggerTimestamp, policyExecutionTimestamp, ruleExecutionTimestamp,
); err != nil {
return err
}
}
return nil
}

7
pkg/metrics/policyruleresults/types.go Normal file
View file

@ -0,0 +1,7 @@
package policyruleresults
import (
"github.com/kyverno/kyverno/pkg/metrics"
)
type PromMetrics metrics.PromMetrics

Some files were not shown because too many files have changed in this diff Show more