From 402145376049e54c17271ea8b760645dee5a08bb Mon Sep 17 00:00:00 2001 From: shravan Date: Thu, 30 Jan 2020 16:12:26 +0530 Subject: [PATCH 01/22] 644 untested prototype changes --- pkg/engine/generation.go | 4 ---- pkg/engine/mutation.go | 6 ------ pkg/engine/validation.go | 7 ------- pkg/webhooks/server.go | 35 +++++++++++++++++++++++++++++++++++ 4 files changed, 35 insertions(+), 17 deletions(-) diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 651943fc32..2960a155c4 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -6,7 +6,6 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" - "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/variables" @@ -29,9 +28,6 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission if !rule.HasGenerate() { return nil } - if !rbac.MatchAdmissionInfo(rule, admissionInfo) { - return nil - } if !MatchesResourceDescription(resource, rule) { return nil } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 0764847838..f4fd39f185 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -9,7 +9,6 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/mutate" - "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/variables" @@ -57,11 +56,6 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { } startTime := time.Now() - if !rbac.MatchAdmissionInfo(rule, policyContext.AdmissionInfo) { - glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo) - continue - } glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 616629485b..7c27d49ce4 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -10,7 +10,6 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" - "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/validate" @@ -101,12 +100,6 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r newPathNotPresentRuleResponse(rule.Name, utils.Validation.String(), fmt.Sprintf("path not present: %s", paths))) continue } - - if !rbac.MatchAdmissionInfo(rule, admissionInfo) { - glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) - continue - } glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index d6dd330e99..62c0147a01 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -10,6 +10,12 @@ import ( "net/http" "time" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + + v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + + "github.com/nirmata/kyverno/pkg/engine/rbac" + "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/checker" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" @@ -189,6 +195,27 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { } } +func filterPolicyRulesBasedOnMatchExclude(policies []v1.ClusterPolicy, userRequestInfo v1.RequestInfo, resource unstructured.Unstructured) []v1.ClusterPolicy { + var updatedPolcies []v1.ClusterPolicy + for _, policy := range policies { + var validRules []v1.Rule + for _, rule := range policy.Spec.Rules { + if !rbac.MatchAdmissionInfo(rule, userRequestInfo) { + glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", + rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), userRequestInfo) + continue + } + validRules = append(validRules, rule) + } + policy.Spec.Rules = validRules + if len(policy.Spec.Rules) > 0 { + updatedPolcies = append(updatedPolcies, policy) + } + } + + return updatedPolcies +} + func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { policies, err := ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace) if err != nil { @@ -234,6 +261,14 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques } } + userRequestInfo := v1.RequestInfo{ + Roles: roles, + ClusterRoles: clusterRoles, + AdmissionUserInfo: request.UserInfo, + } + + policies = filterPolicyRulesBasedOnMatchExclude(policies, userRequestInfo, resource) + // MUTATION // mutation failure should not block the resource creation // any mutation failure is reported as the violation From 3b37a61f5d4a286e99bbb893968bb37e27362efb Mon Sep 17 00:00:00 2001 From: shravan Date: Sat, 1 Feb 2020 20:48:06 +0530 Subject: [PATCH 02/22] Revert "644 untested prototype changes" This reverts commit 402145376049e54c17271ea8b760645dee5a08bb. --- pkg/engine/generation.go | 4 ++++ pkg/engine/mutation.go | 6 ++++++ pkg/engine/validation.go | 7 +++++++ pkg/webhooks/server.go | 35 ----------------------------------- 4 files changed, 17 insertions(+), 35 deletions(-) diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 2960a155c4..651943fc32 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -6,6 +6,7 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" + "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/variables" @@ -28,6 +29,9 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission if !rule.HasGenerate() { return nil } + if !rbac.MatchAdmissionInfo(rule, admissionInfo) { + return nil + } if !MatchesResourceDescription(resource, rule) { return nil } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index f4fd39f185..0764847838 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -9,6 +9,7 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/mutate" + "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/variables" @@ -56,6 +57,11 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { } startTime := time.Now() + if !rbac.MatchAdmissionInfo(rule, policyContext.AdmissionInfo) { + glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", + rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo) + continue + } glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 7c27d49ce4..616629485b 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -10,6 +10,7 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" + "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/validate" @@ -100,6 +101,12 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r newPathNotPresentRuleResponse(rule.Name, utils.Validation.String(), fmt.Sprintf("path not present: %s", paths))) continue } + + if !rbac.MatchAdmissionInfo(rule, admissionInfo) { + glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", + rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) + continue + } glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index 62c0147a01..d6dd330e99 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -10,12 +10,6 @@ import ( "net/http" "time" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - - v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - - "github.com/nirmata/kyverno/pkg/engine/rbac" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/checker" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" @@ -195,27 +189,6 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { } } -func filterPolicyRulesBasedOnMatchExclude(policies []v1.ClusterPolicy, userRequestInfo v1.RequestInfo, resource unstructured.Unstructured) []v1.ClusterPolicy { - var updatedPolcies []v1.ClusterPolicy - for _, policy := range policies { - var validRules []v1.Rule - for _, rule := range policy.Spec.Rules { - if !rbac.MatchAdmissionInfo(rule, userRequestInfo) { - glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), userRequestInfo) - continue - } - validRules = append(validRules, rule) - } - policy.Spec.Rules = validRules - if len(policy.Spec.Rules) > 0 { - updatedPolcies = append(updatedPolcies, policy) - } - } - - return updatedPolcies -} - func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { policies, err := ws.pMetaStore.LookUp(request.Kind.Kind, request.Namespace) if err != nil { @@ -261,14 +234,6 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques } } - userRequestInfo := v1.RequestInfo{ - Roles: roles, - ClusterRoles: clusterRoles, - AdmissionUserInfo: request.UserInfo, - } - - policies = filterPolicyRulesBasedOnMatchExclude(policies, userRequestInfo, resource) - // MUTATION // mutation failure should not block the resource creation // any mutation failure is reported as the violation From 0d4b256d13064bbc1e08b5c112821452f1754d00 Mon Sep 17 00:00:00 2001 From: shravan Date: Mon, 3 Feb 2020 18:51:18 +0530 Subject: [PATCH 03/22] 644 updating changes with revised understanding of issue, also removed alot of deadcode to make changes --- pkg/engine/generation.go | 6 +- pkg/engine/mutation.go | 8 +- pkg/engine/utils.go | 10 +- pkg/engine/utils_test.go | 12 +- pkg/engine/validation.go | 9 +- pkg/namespace/controller.go | 471 +++++++++++++++++------------------ pkg/namespace/generation.go | 482 +++++++++++++++++------------------- pkg/namespace/report.go | 113 ++++----- 8 files changed, 525 insertions(+), 586 deletions(-) diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 651943fc32..5f8b5aa033 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -6,7 +6,6 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" - "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/variables" @@ -29,10 +28,7 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission if !rule.HasGenerate() { return nil } - if !rbac.MatchAdmissionInfo(rule, admissionInfo) { - return nil - } - if !MatchesResourceDescription(resource, rule) { + if !MatchesResourceDescription(resource, rule, admissionInfo) { return nil } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 0764847838..666340428e 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -9,7 +9,6 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/mutate" - "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/variables" @@ -57,17 +56,12 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { } startTime := time.Now() - if !rbac.MatchAdmissionInfo(rule, policyContext.AdmissionInfo) { - glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo) - continue - } glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule //TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that // dont statisfy a policy rule resource description - ok := MatchesResourceDescription(resource, rule) + ok := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo) if !ok { glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName()) continue diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 3d7384c846..9524d0084e 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -5,6 +5,8 @@ import ( "strings" "time" + "github.com/nirmata/kyverno/pkg/engine/rbac" + "github.com/golang/glog" "github.com/minio/minio/pkg/wildcard" @@ -27,10 +29,16 @@ type EngineStats struct { } //MatchesResourceDescription checks if the resource matches resource desription of the rule or not -func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule) bool { +func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) bool { matches := rule.MatchResources.ResourceDescription exclude := rule.ExcludeResources.ResourceDescription + if !rbac.MatchAdmissionInfo(rule, admissionInfo) { + glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", + rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) + return false + } + if !findKind(matches.Kinds, resource.GetKind()) { return false } diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 69df80900b..e382244e4c 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -67,7 +67,7 @@ func TestResourceDescriptionMatch_MultipleKind(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule)) + assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) } // Match resource name @@ -125,7 +125,7 @@ func TestResourceDescriptionMatch_Name(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule)) + assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) } // Match resource regex @@ -183,7 +183,7 @@ func TestResourceDescriptionMatch_Name_Regex(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule)) + assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) } // Match expressions for labels to not match @@ -249,7 +249,7 @@ func TestResourceDescriptionMatch_Label_Expression_NotMatch(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule)) + assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) } // Match label expression in matching set @@ -316,7 +316,7 @@ func TestResourceDescriptionMatch_Label_Expression_Match(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule)) + assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) } // check for exclude conditions @@ -394,7 +394,7 @@ func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) { rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}, ExcludeResources: kyverno.ExcludeResources{ResourceDescription: resourceDescriptionExclude}} - assert.Assert(t, !MatchesResourceDescription(*resource, rule)) + assert.Assert(t, !MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) } func Test_validateGeneralRuleInfoVariables(t *testing.T) { diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 616629485b..c72ccba393 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -10,7 +10,6 @@ import ( "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" - "github.com/nirmata/kyverno/pkg/engine/rbac" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/validate" @@ -101,18 +100,12 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r newPathNotPresentRuleResponse(rule.Name, utils.Validation.String(), fmt.Sprintf("path not present: %s", paths))) continue } - - if !rbac.MatchAdmissionInfo(rule, admissionInfo) { - glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) - continue - } glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule // TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that // dont statisfy a policy rule resource description - ok := MatchesResourceDescription(resource, rule) + ok := MatchesResourceDescription(resource, rule, admissionInfo) if !ok { glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName()) continue diff --git a/pkg/namespace/controller.go b/pkg/namespace/controller.go index 5d1e4b9b7e..f5093df7a1 100644 --- a/pkg/namespace/controller.go +++ b/pkg/namespace/controller.go @@ -1,250 +1,225 @@ package namespace -import ( - "time" - - "k8s.io/apimachinery/pkg/util/wait" - - "github.com/golang/glog" - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - "github.com/nirmata/kyverno/pkg/config" - client "github.com/nirmata/kyverno/pkg/dclient" - "github.com/nirmata/kyverno/pkg/event" - "github.com/nirmata/kyverno/pkg/policy" - "github.com/nirmata/kyverno/pkg/policystore" - "github.com/nirmata/kyverno/pkg/policyviolation" - "k8s.io/apimachinery/pkg/api/errors" - - kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" - kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" - kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" - v1 "k8s.io/api/core/v1" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" - v1Informer "k8s.io/client-go/informers/core/v1" - "k8s.io/client-go/tools/cache" - "k8s.io/client-go/util/workqueue" -) - -const ( - // maxRetries is the number of times a Namespace will be processed for a policy before its dropped from the queue - maxRetries = 15 -) - -//NamespaceController watches the 'Namespace' resource creation/update and applied the generation rules on them -type NamespaceController struct { - client *client.Client - kyvernoClient *kyvernoclient.Clientset - syncHandler func(nsKey string) error - enqueueNs func(ns *v1.Namespace) - - //nsLister provides expansion to the namespace lister to inject GVK for the resource - nsLister NamespaceListerExpansion - // nsSynced returns true if the Namespace store has been synced at least once - nsSynced cache.InformerSynced - // pvLister can list/get policy violation from the shared informer's store - pLister kyvernolister.ClusterPolicyLister - // pSynced retrns true if the Policy store has been synced at least once - pSynced cache.InformerSynced - // API to send policy stats for aggregation - policyStatus policy.PolicyStatusInterface - // eventGen provides interface to generate evenets - eventGen event.Interface - // Namespaces that need to be synced - queue workqueue.RateLimitingInterface - // Resource manager, manages the mapping for already processed resource - rm resourceManager - // helpers to validate against current loaded configuration - configHandler config.Interface - // store to hold policy meta data for faster lookup - pMetaStore policystore.LookupInterface - // policy violation generator - pvGenerator policyviolation.GeneratorInterface -} - -//NewNamespaceController returns a new Controller to manage generation rules -func NewNamespaceController(kyvernoClient *kyvernoclient.Clientset, - client *client.Client, - nsInformer v1Informer.NamespaceInformer, - pInformer kyvernoinformer.ClusterPolicyInformer, - policyStatus policy.PolicyStatusInterface, - eventGen event.Interface, - configHandler config.Interface, - pvGenerator policyviolation.GeneratorInterface, - pMetaStore policystore.LookupInterface) *NamespaceController { - //TODO: do we need to event recorder for this controller? - // create the controller - nsc := &NamespaceController{ - client: client, - kyvernoClient: kyvernoClient, - eventGen: eventGen, - queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"), - configHandler: configHandler, - pMetaStore: pMetaStore, - pvGenerator: pvGenerator, - } - - nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ - AddFunc: nsc.addNamespace, - UpdateFunc: nsc.updateNamespace, - DeleteFunc: nsc.deleteNamespace, - }) - - pInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ - AddFunc: nsc.addPolicy, - UpdateFunc: nsc.updatePolicy, - }) - - nsc.enqueueNs = nsc.enqueue - nsc.syncHandler = nsc.syncNamespace - - nsc.nsLister = NewNamespaceLister(nsInformer.Lister()) - nsc.nsSynced = nsInformer.Informer().HasSynced - nsc.pLister = pInformer.Lister() - nsc.pSynced = pInformer.Informer().HasSynced - nsc.policyStatus = policyStatus - - // resource manager - // rebuild after 300 seconds/ 5 mins - nsc.rm = NewResourceManager(300) - - return nsc -} -func (nsc *NamespaceController) addPolicy(obj interface{}) { - p := obj.(*kyverno.ClusterPolicy) - // check if the policy has generate rule - if generateRuleExists(p) { - // process policy - nsc.processPolicy(p) - } -} - -func (nsc *NamespaceController) updatePolicy(old, cur interface{}) { - curP := cur.(*kyverno.ClusterPolicy) - // check if the policy has generate rule - if generateRuleExists(curP) { - // process policy - nsc.processPolicy(curP) - } -} - -func (nsc *NamespaceController) addNamespace(obj interface{}) { - ns := obj.(*v1.Namespace) - glog.V(4).Infof("Adding Namespace %s", ns.Name) - nsc.enqueueNs(ns) -} - -func (nsc *NamespaceController) updateNamespace(old, cur interface{}) { - oldNs := old.(*v1.Namespace) - curNs := cur.(*v1.Namespace) - if curNs.ResourceVersion == oldNs.ResourceVersion { - // Periodic resync will send update events for all known Namespace. - // Two different versions of the same replica set will always have different RVs. - return - } - glog.V(4).Infof("Updating Namesapce %s", curNs.Name) - //TODO: anything to be done here? -} - -func (nsc *NamespaceController) deleteNamespace(obj interface{}) { - ns, _ := obj.(*v1.Namespace) - glog.V(4).Infof("Deleting Namespace %s", ns.Name) - //TODO: anything to be done here? -} - -func (nsc *NamespaceController) enqueue(ns *v1.Namespace) { - key, err := cache.MetaNamespaceKeyFunc(ns) - if err != nil { - glog.Error(err) - return - } - nsc.queue.Add(key) -} - -//Run to run the controller -func (nsc *NamespaceController) Run(workers int, stopCh <-chan struct{}) { - defer utilruntime.HandleCrash() - defer nsc.queue.ShutDown() - - glog.Info("Starting namespace controller") - defer glog.Info("Shutting down namespace controller") - - if ok := cache.WaitForCacheSync(stopCh, nsc.nsSynced, nsc.pSynced); !ok { - glog.Error("namespace generator: failed to sync cache") - return - } - - for i := 0; i < workers; i++ { - go wait.Until(nsc.worker, time.Second, stopCh) - } - <-stopCh -} - -// worker runs a worker thread that just dequeues items, processes them, and marks them done. -// It enforces that the syncHandler is never invoked concurrently with the same key. -func (nsc *NamespaceController) worker() { - for nsc.processNextWorkItem() { - } -} - -func (nsc *NamespaceController) processNextWorkItem() bool { - key, quit := nsc.queue.Get() - if quit { - return false - } - defer nsc.queue.Done(key) - - err := nsc.syncHandler(key.(string)) - nsc.handleErr(err, key) - - return true -} - -func (nsc *NamespaceController) handleErr(err error, key interface{}) { - if err == nil { - nsc.queue.Forget(key) - return - } - - if nsc.queue.NumRequeues(key) < maxRetries { - glog.V(2).Infof("Error syncing namespace %v: %v", key, err) - nsc.queue.AddRateLimited(key) - return - } - - utilruntime.HandleError(err) - glog.V(2).Infof("Dropping namespace %q out of the queue: %v", key, err) - nsc.queue.Forget(key) -} - -func (nsc *NamespaceController) syncNamespace(key string) error { - startTime := time.Now() - glog.V(4).Infof("Started syncing namespace %q (%v)", key, startTime) - defer func() { - glog.V(4).Infof("Finished syncing namespace %q (%v)", key, time.Since(startTime)) - }() - namespace, err := nsc.nsLister.GetResource(key) - if errors.IsNotFound(err) { - glog.V(2).Infof("namespace %v has been deleted", key) - return nil - } - if err != nil { - return err - } - // Deep-copy otherwise we are mutating our cache. - // TODO: Deep-copy only when needed. - n := namespace.DeepCopy() - - // skip processing namespace if its been filtered - // exclude the filtered resources - if nsc.configHandler.ToFilter("", namespace.Name, "") { - //TODO: improve the text - glog.V(4).Infof("excluding namespace %s as its a filtered resource", namespace.Name) - return nil - } - - // process generate rules - engineResponses := nsc.processNamespace(*n) - // report errors - nsc.report(engineResponses) - return nil -} +//const ( +// // maxRetries is the number of times a Namespace will be processed for a policy before its dropped from the queue +// maxRetries = 15 +//) +// +////NamespaceController watches the 'Namespace' resource creation/update and applied the generation rules on them +//type NamespaceController struct { +// client *client.Client +// kyvernoClient *kyvernoclient.Clientset +// syncHandler func(nsKey string) error +// enqueueNs func(ns *v1.Namespace) +// +// //nsLister provides expansion to the namespace lister to inject GVK for the resource +// nsLister NamespaceListerExpansion +// // nsSynced returns true if the Namespace store has been synced at least once +// nsSynced cache.InformerSynced +// // pvLister can list/get policy violation from the shared informer's store +// pLister kyvernolister.ClusterPolicyLister +// // pSynced retrns true if the Policy store has been synced at least once +// pSynced cache.InformerSynced +// // API to send policy stats for aggregation +// policyStatus policy.PolicyStatusInterface +// // eventGen provides interface to generate evenets +// eventGen event.Interface +// // Namespaces that need to be synced +// queue workqueue.RateLimitingInterface +// // Resource manager, manages the mapping for already processed resource +// rm resourceManager +// // helpers to validate against current loaded configuration +// configHandler config.Interface +// // store to hold policy meta data for faster lookup +// pMetaStore policystore.LookupInterface +// // policy violation generator +// pvGenerator policyviolation.GeneratorInterface +//} +// +////NewNamespaceController returns a new Controller to manage generation rules +//func NewNamespaceController(kyvernoClient *kyvernoclient.Clientset, +// client *client.Client, +// nsInformer v1Informer.NamespaceInformer, +// pInformer kyvernoinformer.ClusterPolicyInformer, +// policyStatus policy.PolicyStatusInterface, +// eventGen event.Interface, +// configHandler config.Interface, +// pvGenerator policyviolation.GeneratorInterface, +// pMetaStore policystore.LookupInterface) *NamespaceController { +// //TODO: do we need to event recorder for this controller? +// // create the controller +// nsc := &NamespaceController{ +// client: client, +// kyvernoClient: kyvernoClient, +// eventGen: eventGen, +// queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"), +// configHandler: configHandler, +// pMetaStore: pMetaStore, +// pvGenerator: pvGenerator, +// } +// +// nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ +// AddFunc: nsc.addNamespace, +// UpdateFunc: nsc.updateNamespace, +// DeleteFunc: nsc.deleteNamespace, +// }) +// +// pInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ +// AddFunc: nsc.addPolicy, +// UpdateFunc: nsc.updatePolicy, +// }) +// +// nsc.enqueueNs = nsc.enqueue +// nsc.syncHandler = nsc.syncNamespace +// +// nsc.nsLister = NewNamespaceLister(nsInformer.Lister()) +// nsc.nsSynced = nsInformer.Informer().HasSynced +// nsc.pLister = pInformer.Lister() +// nsc.pSynced = pInformer.Informer().HasSynced +// nsc.policyStatus = policyStatus +// +// // resource manager +// // rebuild after 300 seconds/ 5 mins +// nsc.rm = NewResourceManager(300) +// +// return nsc +//} +//func (nsc *NamespaceController) addPolicy(obj interface{}) { +// p := obj.(*kyverno.ClusterPolicy) +// // check if the policy has generate rule +// if generateRuleExists(p) { +// // process policy +// nsc.processPolicy(p) +// } +//} +// +//func (nsc *NamespaceController) updatePolicy(old, cur interface{}) { +// curP := cur.(*kyverno.ClusterPolicy) +// // check if the policy has generate rule +// if generateRuleExists(curP) { +// // process policy +// nsc.processPolicy(curP) +// } +//} +// +//func (nsc *NamespaceController) addNamespace(obj interface{}) { +// ns := obj.(*v1.Namespace) +// glog.V(4).Infof("Adding Namespace %s", ns.Name) +// nsc.enqueueNs(ns) +//} +// +//func (nsc *NamespaceController) updateNamespace(old, cur interface{}) { +// oldNs := old.(*v1.Namespace) +// curNs := cur.(*v1.Namespace) +// if curNs.ResourceVersion == oldNs.ResourceVersion { +// // Periodic resync will send update events for all known Namespace. +// // Two different versions of the same replica set will always have different RVs. +// return +// } +// glog.V(4).Infof("Updating Namesapce %s", curNs.Name) +// //TODO: anything to be done here? +//} +// +//func (nsc *NamespaceController) deleteNamespace(obj interface{}) { +// ns, _ := obj.(*v1.Namespace) +// glog.V(4).Infof("Deleting Namespace %s", ns.Name) +// //TODO: anything to be done here? +//} +// +//func (nsc *NamespaceController) enqueue(ns *v1.Namespace) { +// key, err := cache.MetaNamespaceKeyFunc(ns) +// if err != nil { +// glog.Error(err) +// return +// } +// nsc.queue.Add(key) +//} +// +////Run to run the controller +//func (nsc *NamespaceController) Run(workers int, stopCh <-chan struct{}) { +// defer utilruntime.HandleCrash() +// defer nsc.queue.ShutDown() +// +// glog.Info("Starting namespace controller") +// defer glog.Info("Shutting down namespace controller") +// +// if ok := cache.WaitForCacheSync(stopCh, nsc.nsSynced, nsc.pSynced); !ok { +// glog.Error("namespace generator: failed to sync cache") +// return +// } +// +// for i := 0; i < workers; i++ { +// go wait.Until(nsc.worker, time.Second, stopCh) +// } +// <-stopCh +//} +// +//// worker runs a worker thread that just dequeues items, processes them, and marks them done. +//// It enforces that the syncHandler is never invoked concurrently with the same key. +//func (nsc *NamespaceController) worker() { +// for nsc.processNextWorkItem() { +// } +//} +// +//func (nsc *NamespaceController) processNextWorkItem() bool { +// key, quit := nsc.queue.Get() +// if quit { +// return false +// } +// defer nsc.queue.Done(key) +// +// err := nsc.syncHandler(key.(string)) +// nsc.handleErr(err, key) +// +// return true +//} +// +//func (nsc *NamespaceController) handleErr(err error, key interface{}) { +// if err == nil { +// nsc.queue.Forget(key) +// return +// } +// +// if nsc.queue.NumRequeues(key) < maxRetries { +// glog.V(2).Infof("Error syncing namespace %v: %v", key, err) +// nsc.queue.AddRateLimited(key) +// return +// } +// +// utilruntime.HandleError(err) +// glog.V(2).Infof("Dropping namespace %q out of the queue: %v", key, err) +// nsc.queue.Forget(key) +//} +// +//func (nsc *NamespaceController) syncNamespace(key string) error { +// startTime := time.Now() +// glog.V(4).Infof("Started syncing namespace %q (%v)", key, startTime) +// defer func() { +// glog.V(4).Infof("Finished syncing namespace %q (%v)", key, time.Since(startTime)) +// }() +// namespace, err := nsc.nsLister.GetResource(key) +// if errors.IsNotFound(err) { +// glog.V(2).Infof("namespace %v has been deleted", key) +// return nil +// } +// if err != nil { +// return err +// } +// // Deep-copy otherwise we are mutating our cache. +// // TODO: Deep-copy only when needed. +// n := namespace.DeepCopy() +// +// // skip processing namespace if its been filtered +// // exclude the filtered resources +// if nsc.configHandler.ToFilter("", namespace.Name, "") { +// //TODO: improve the text +// glog.V(4).Infof("excluding namespace %s as its a filtered resource", namespace.Name) +// return nil +// } +// +// // process generate rules +// engineResponses := nsc.processNamespace(*n) +// // report errors +// nsc.report(engineResponses) +// return nil +//} diff --git a/pkg/namespace/generation.go b/pkg/namespace/generation.go index f5a96fa245..0a2a0f82b0 100644 --- a/pkg/namespace/generation.go +++ b/pkg/namespace/generation.go @@ -1,252 +1,234 @@ package namespace -import ( - "sync" - "time" - - "github.com/golang/glog" - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - client "github.com/nirmata/kyverno/pkg/dclient" - "github.com/nirmata/kyverno/pkg/engine" - "github.com/nirmata/kyverno/pkg/engine/context" - "github.com/nirmata/kyverno/pkg/engine/response" - policyctr "github.com/nirmata/kyverno/pkg/policy" - "github.com/nirmata/kyverno/pkg/policystore" - "github.com/nirmata/kyverno/pkg/utils" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/runtime" -) - -type resourceManager interface { - ProcessResource(policy, pv, kind, ns, name, rv string) bool - //TODO removeResource(kind, ns, name string) error - RegisterResource(policy, pv, kind, ns, name, rv string) - // reload - Drop() -} - -// ResourceManager stores the details on already processed resources for caching -type ResourceManager struct { - // we drop and re-build the cache - // based on the memory consumer of by the map - data map[string]interface{} - mux sync.RWMutex - time time.Time - rebuildTime int64 // after how many seconds should we rebuild the cache -} - -//NewResourceManager returns a new ResourceManager -func NewResourceManager(rebuildTime int64) *ResourceManager { - rm := ResourceManager{ - data: make(map[string]interface{}), - time: time.Now(), - rebuildTime: rebuildTime, - } - // set time it was built - return &rm -} - -var empty struct{} - -//RegisterResource stores if the policy is processed on this resource version -func (rm *ResourceManager) RegisterResource(policy, pv, kind, ns, name, rv string) { - rm.mux.Lock() - defer rm.mux.Unlock() - // add the resource - key := buildKey(policy, pv, kind, ns, name, rv) - rm.data[key] = empty -} - -//ProcessResource returns true if the policy was not applied on the resource -func (rm *ResourceManager) ProcessResource(policy, pv, kind, ns, name, rv string) bool { - rm.mux.RLock() - defer rm.mux.RUnlock() - - key := buildKey(policy, pv, kind, ns, name, rv) - _, ok := rm.data[key] - return !ok -} - -//Drop drop the cache after every rebuild interval mins -//TODO: or drop based on the size -func (rm *ResourceManager) Drop() { - timeSince := time.Since(rm.time) - glog.V(4).Infof("time since last cache reset time %v is %v", rm.time, timeSince) - glog.V(4).Infof("cache rebuild time %v", time.Duration(rm.rebuildTime)*time.Second) - if timeSince > time.Duration(rm.rebuildTime)*time.Second { - rm.mux.Lock() - defer rm.mux.Unlock() - rm.data = map[string]interface{}{} - rm.time = time.Now() - glog.V(4).Infof("dropping cache at time %v", rm.time) - } -} -func buildKey(policy, pv, kind, ns, name, rv string) string { - return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv -} - -func (nsc *NamespaceController) processNamespace(namespace corev1.Namespace) []response.EngineResponse { - // convert to unstructured - unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&namespace) - if err != nil { - glog.Infof("unable to convert to unstructured, not processing any policies: %v", err) - return nil - } - nsc.rm.Drop() - - ns := unstructured.Unstructured{Object: unstr} - - // get all the policies that have a generate rule and resource description satisfies the namespace - // apply policy on resource - policies := listpolicies(ns, nsc.pMetaStore) - var engineResponses []response.EngineResponse - for _, policy := range policies { - // pre-processing, check if the policy and resource version has been processed before - if !nsc.rm.ProcessResource(policy.Name, policy.ResourceVersion, ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) { - glog.V(4).Infof("policy %s with resource version %s already processed on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) - continue - } - engineResponse := applyPolicy(nsc.client, ns, policy, nsc.policyStatus) - engineResponses = append(engineResponses, engineResponse) - - // post-processing, register the resource as processed - nsc.rm.RegisterResource(policy.GetName(), policy.GetResourceVersion(), ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) - } - return engineResponses -} - -func generateRuleExists(policy *kyverno.ClusterPolicy) bool { - for _, rule := range policy.Spec.Rules { - if rule.Generation != (kyverno.Generation{}) { - return true - } - } - return false -} - -func (nsc *NamespaceController) processPolicy(policy *kyverno.ClusterPolicy) { - filteredNamespaces := []*corev1.Namespace{} - // get namespaces that policy applies on - namespaces, err := nsc.nsLister.ListResources(labels.NewSelector()) - if err != nil { - glog.Errorf("failed to get list namespaces: %v", err) - return - } - for _, namespace := range namespaces { - // convert to unstructured - unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(namespace) - if err != nil { - glog.Infof("unable to convert to unstructured, not processing any policies: %v", err) - continue - } - ns := unstructured.Unstructured{Object: unstr} - for _, rule := range policy.Spec.Rules { - if rule.Generation == (kyverno.Generation{}) { - continue - } - ok := engine.MatchesResourceDescription(ns, rule) - if !ok { - glog.V(4).Infof("namespace %s does not satisfy the resource description for the policy %s rule %s", ns.GetName(), policy.Name, rule.Name) - continue - } - glog.V(4).Infof("namespace %s satisfies resource description for policy %s rule %s", ns.GetName(), policy.Name, rule.Name) - filteredNamespaces = append(filteredNamespaces, namespace) - } - } - // list of namespaces that the policy applies on - for _, ns := range filteredNamespaces { - glog.V(4).Infof("policy %s with generate rule: namespace %s to be processed ", policy.Name, ns.Name) - nsc.addNamespace(ns) - } -} - -func listpolicies(ns unstructured.Unstructured, pMetaStore policystore.LookupInterface) []kyverno.ClusterPolicy { - var filteredpolicies []kyverno.ClusterPolicy - glog.V(4).Infof("listing policies for namespace %s", ns.GetName()) - policies, err := pMetaStore.LookUp(ns.GetKind(), ns.GetNamespace()) - if err != nil { - glog.Errorf("failed to get list policies: %v", err) - return nil - } - for _, policy := range policies { - for _, rule := range policy.Spec.Rules { - if rule.Generation == (kyverno.Generation{}) { - continue - } - ok := engine.MatchesResourceDescription(ns, rule) - if !ok { - glog.V(4).Infof("namespace %s does not satisfy the resource description for the policy %s rule %s", ns.GetName(), policy.Name, rule.Name) - continue - } - glog.V(4).Infof("namespace %s satisfies resource description for policy %s rule %s", ns.GetName(), policy.Name, rule.Name) - filteredpolicies = append(filteredpolicies, policy) - } - } - return filteredpolicies -} - -func applyPolicy(client *client.Client, resource unstructured.Unstructured, p kyverno.ClusterPolicy, policyStatus policyctr.PolicyStatusInterface) response.EngineResponse { - var policyStats []policyctr.PolicyStat - // gather stats from the engine response - gatherStat := func(policyName string, policyResponse response.PolicyResponse) { - ps := policyctr.PolicyStat{} - ps.PolicyName = policyName - ps.Stats.GenerationExecutionTime = policyResponse.ProcessingTime - ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount - // capture rule level stats - for _, rule := range policyResponse.Rules { - rs := policyctr.RuleStatinfo{} - rs.RuleName = rule.Name - rs.ExecutionTime = rule.RuleStats.ProcessingTime - if rule.Success { - rs.RuleAppliedCount++ - } else { - rs.RulesFailedCount++ - } - ps.Stats.Rules = append(ps.Stats.Rules, rs) - } - policyStats = append(policyStats, ps) - } - // send stats for aggregation - sendStat := func(blocked bool) { - for _, stat := range policyStats { - stat.Stats.ResourceBlocked = utils.Btoi(blocked) - //SEND - policyStatus.SendStat(stat) - } - } - - startTime := time.Now() - glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", p.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime) - defer func() { - glog.V(4).Infof("Finished applying %s on resource %s/%s/%s (%v)", p.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), time.Since(startTime)) - }() - // build context - ctx := context.NewContext() - ctx.AddResource(transformResource(resource)) - - policyContext := engine.PolicyContext{ - NewResource: resource, - Policy: p, - Client: client, - Context: ctx, - } - engineResponse := engine.Generate(policyContext) - // gather stats - gatherStat(p.Name, engineResponse.PolicyResponse) - //send stats - sendStat(false) - - return engineResponse -} - -func transformResource(resource unstructured.Unstructured) []byte { - data, err := resource.MarshalJSON() - if err != nil { - glog.Errorf("failed to marshall resource %v: %v", resource, err) - return nil - } - return data -} +// +//type resourceManager interface { +// ProcessResource(policy, pv, kind, ns, name, rv string) bool +// //TODO removeResource(kind, ns, name string) error +// RegisterResource(policy, pv, kind, ns, name, rv string) +// // reload +// Drop() +//} +// +//// ResourceManager stores the details on already processed resources for caching +//type ResourceManager struct { +// // we drop and re-build the cache +// // based on the memory consumer of by the map +// data map[string]interface{} +// mux sync.RWMutex +// time time.Time +// rebuildTime int64 // after how many seconds should we rebuild the cache +//} +// +////NewResourceManager returns a new ResourceManager +//func NewResourceManager(rebuildTime int64) *ResourceManager { +// rm := ResourceManager{ +// data: make(map[string]interface{}), +// time: time.Now(), +// rebuildTime: rebuildTime, +// } +// // set time it was built +// return &rm +//} +// +//var empty struct{} +// +////RegisterResource stores if the policy is processed on this resource version +//func (rm *ResourceManager) RegisterResource(policy, pv, kind, ns, name, rv string) { +// rm.mux.Lock() +// defer rm.mux.Unlock() +// // add the resource +// key := buildKey(policy, pv, kind, ns, name, rv) +// rm.data[key] = empty +//} +// +////ProcessResource returns true if the policy was not applied on the resource +//func (rm *ResourceManager) ProcessResource(policy, pv, kind, ns, name, rv string) bool { +// rm.mux.RLock() +// defer rm.mux.RUnlock() +// +// key := buildKey(policy, pv, kind, ns, name, rv) +// _, ok := rm.data[key] +// return !ok +//} +// +////Drop drop the cache after every rebuild interval mins +////TODO: or drop based on the size +//func (rm *ResourceManager) Drop() { +// timeSince := time.Since(rm.time) +// glog.V(4).Infof("time since last cache reset time %v is %v", rm.time, timeSince) +// glog.V(4).Infof("cache rebuild time %v", time.Duration(rm.rebuildTime)*time.Second) +// if timeSince > time.Duration(rm.rebuildTime)*time.Second { +// rm.mux.Lock() +// defer rm.mux.Unlock() +// rm.data = map[string]interface{}{} +// rm.time = time.Now() +// glog.V(4).Infof("dropping cache at time %v", rm.time) +// } +//} +//func buildKey(policy, pv, kind, ns, name, rv string) string { +// return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv +//} +// +//func (nsc *NamespaceController) processNamespace(namespace corev1.Namespace) []response.EngineResponse { +// // convert to unstructured +// unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&namespace) +// if err != nil { +// glog.Infof("unable to convert to unstructured, not processing any policies: %v", err) +// return nil +// } +// nsc.rm.Drop() +// +// ns := unstructured.Unstructured{Object: unstr} +// +// // get all the policies that have a generate rule and resource description satisfies the namespace +// // apply policy on resource +// policies := listpolicies(ns, nsc.pMetaStore) +// var engineResponses []response.EngineResponse +// for _, policy := range policies { +// // pre-processing, check if the policy and resource version has been processed before +// if !nsc.rm.ProcessResource(policy.Name, policy.ResourceVersion, ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) { +// glog.V(4).Infof("policy %s with resource version %s already processed on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) +// continue +// } +// engineResponse := applyPolicy(nsc.client, ns, policy, nsc.policyStatus) +// engineResponses = append(engineResponses, engineResponse) +// +// // post-processing, register the resource as processed +// nsc.rm.RegisterResource(policy.GetName(), policy.GetResourceVersion(), ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) +// } +// return engineResponses +//} +// +//func generateRuleExists(policy *kyverno.ClusterPolicy) bool { +// for _, rule := range policy.Spec.Rules { +// if rule.Generation != (kyverno.Generation{}) { +// return true +// } +// } +// return false +//} +// +//func (nsc *NamespaceController) processPolicy(policy *kyverno.ClusterPolicy) { +// filteredNamespaces := []*corev1.Namespace{} +// // get namespaces that policy applies on +// namespaces, err := nsc.nsLister.ListResources(labels.NewSelector()) +// if err != nil { +// glog.Errorf("failed to get list namespaces: %v", err) +// return +// } +// for _, namespace := range namespaces { +// // convert to unstructured +// unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(namespace) +// if err != nil { +// glog.Infof("unable to convert to unstructured, not processing any policies: %v", err) +// continue +// } +// ns := unstructured.Unstructured{Object: unstr} +// for _, rule := range policy.Spec.Rules { +// if rule.Generation == (kyverno.Generation{}) { +// continue +// } +// ok := engine.MatchesResourceDescription(ns, rule) +// if !ok { +// glog.V(4).Infof("namespace %s does not satisfy the resource description for the policy %s rule %s", ns.GetName(), policy.Name, rule.Name) +// continue +// } +// glog.V(4).Infof("namespace %s satisfies resource description for policy %s rule %s", ns.GetName(), policy.Name, rule.Name) +// filteredNamespaces = append(filteredNamespaces, namespace) +// } +// } +// // list of namespaces that the policy applies on +// for _, ns := range filteredNamespaces { +// glog.V(4).Infof("policy %s with generate rule: namespace %s to be processed ", policy.Name, ns.Name) +// nsc.addNamespace(ns) +// } +//} +// +//func listpolicies(ns unstructured.Unstructured, pMetaStore policystore.LookupInterface) []kyverno.ClusterPolicy { +// var filteredpolicies []kyverno.ClusterPolicy +// glog.V(4).Infof("listing policies for namespace %s", ns.GetName()) +// policies, err := pMetaStore.LookUp(ns.GetKind(), ns.GetNamespace()) +// if err != nil { +// glog.Errorf("failed to get list policies: %v", err) +// return nil +// } +// for _, policy := range policies { +// for _, rule := range policy.Spec.Rules { +// if rule.Generation == (kyverno.Generation{}) { +// continue +// } +// ok := engine.MatchesResourceDescription(ns, rule) +// if !ok { +// glog.V(4).Infof("namespace %s does not satisfy the resource description for the policy %s rule %s", ns.GetName(), policy.Name, rule.Name) +// continue +// } +// glog.V(4).Infof("namespace %s satisfies resource description for policy %s rule %s", ns.GetName(), policy.Name, rule.Name) +// filteredpolicies = append(filteredpolicies, policy) +// } +// } +// return filteredpolicies +//} +// +//func applyPolicy(client *client.Client, resource unstructured.Unstructured, p kyverno.ClusterPolicy, policyStatus policyctr.PolicyStatusInterface) response.EngineResponse { +// var policyStats []policyctr.PolicyStat +// // gather stats from the engine response +// gatherStat := func(policyName string, policyResponse response.PolicyResponse) { +// ps := policyctr.PolicyStat{} +// ps.PolicyName = policyName +// ps.Stats.GenerationExecutionTime = policyResponse.ProcessingTime +// ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount +// // capture rule level stats +// for _, rule := range policyResponse.Rules { +// rs := policyctr.RuleStatinfo{} +// rs.RuleName = rule.Name +// rs.ExecutionTime = rule.RuleStats.ProcessingTime +// if rule.Success { +// rs.RuleAppliedCount++ +// } else { +// rs.RulesFailedCount++ +// } +// ps.Stats.Rules = append(ps.Stats.Rules, rs) +// } +// policyStats = append(policyStats, ps) +// } +// // send stats for aggregation +// sendStat := func(blocked bool) { +// for _, stat := range policyStats { +// stat.Stats.ResourceBlocked = utils.Btoi(blocked) +// //SEND +// policyStatus.SendStat(stat) +// } +// } +// +// startTime := time.Now() +// glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", p.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime) +// defer func() { +// glog.V(4).Infof("Finished applying %s on resource %s/%s/%s (%v)", p.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), time.Since(startTime)) +// }() +// // build context +// ctx := context.NewContext() +// ctx.AddResource(transformResource(resource)) +// +// policyContext := engine.PolicyContext{ +// NewResource: resource, +// Policy: p, +// Client: client, +// Context: ctx, +// } +// engineResponse := engine.Generate(policyContext) +// // gather stats +// gatherStat(p.Name, engineResponse.PolicyResponse) +// //send stats +// sendStat(false) +// +// return engineResponse +//} +// +//func transformResource(resource unstructured.Unstructured) []byte { +// data, err := resource.MarshalJSON() +// if err != nil { +// glog.Errorf("failed to marshall resource %v: %v", resource, err) +// return nil +// } +// return data +//} diff --git a/pkg/namespace/report.go b/pkg/namespace/report.go index f8d0285bcb..743f2ab867 100644 --- a/pkg/namespace/report.go +++ b/pkg/namespace/report.go @@ -1,63 +1,54 @@ package namespace -import ( - "fmt" - - "github.com/golang/glog" - "github.com/nirmata/kyverno/pkg/engine/response" - "github.com/nirmata/kyverno/pkg/event" - "github.com/nirmata/kyverno/pkg/policyviolation" -) - -func (nsc *NamespaceController) report(engineResponses []response.EngineResponse) { - // generate events - eventInfos := generateEvents(engineResponses) - nsc.eventGen.Add(eventInfos...) - // generate policy violations - pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses) - nsc.pvGenerator.Add(pvInfos...) -} - -func generateEvents(ers []response.EngineResponse) []event.Info { - var eventInfos []event.Info - for _, er := range ers { - if er.IsSuccesful() { - continue - } - eventInfos = append(eventInfos, generateEventsPerEr(er)...) - } - return eventInfos -} - -func generateEventsPerEr(er response.EngineResponse) []event.Info { - var eventInfos []event.Info - glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) - for _, rule := range er.PolicyResponse.Rules { - if rule.Success { - continue - } - // generate event on resource for each failed rule - glog.V(4).Infof("generation event on resource '%s/%s' for policy '%s'", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy) - e := event.Info{} - e.Kind = er.PolicyResponse.Resource.Kind - e.Namespace = "" // event generate on namespace resource - e.Name = er.PolicyResponse.Resource.Name - e.Reason = "Failure" - e.Source = event.GeneratePolicyController - e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' not satisfied. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message) - eventInfos = append(eventInfos, e) - } - if er.IsSuccesful() { - return eventInfos - } - // generate a event on policy for all failed rules - glog.V(4).Infof("generation event on policy '%s'", er.PolicyResponse.Policy) - e := event.Info{} - e.Kind = "ClusterPolicy" - e.Namespace = "" - e.Name = er.PolicyResponse.Policy - e.Reason = "Failure" - e.Source = event.GeneratePolicyController - e.Message = fmt.Sprintf("policy '%s' rules '%v' on resource '%s/%s/%s' not stasified", er.PolicyResponse.Policy, er.GetFailedRules(), er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) - return eventInfos -} +//func (nsc *NamespaceController) report(engineResponses []response.EngineResponse) { +// // generate events +// eventInfos := generateEvents(engineResponses) +// nsc.eventGen.Add(eventInfos...) +// // generate policy violations +// pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses) +// nsc.pvGenerator.Add(pvInfos...) +//} +// +//func generateEvents(ers []response.EngineResponse) []event.Info { +// var eventInfos []event.Info +// for _, er := range ers { +// if er.IsSuccesful() { +// continue +// } +// eventInfos = append(eventInfos, generateEventsPerEr(er)...) +// } +// return eventInfos +//} +// +//func generateEventsPerEr(er response.EngineResponse) []event.Info { +// var eventInfos []event.Info +// glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) +// for _, rule := range er.PolicyResponse.Rules { +// if rule.Success { +// continue +// } +// // generate event on resource for each failed rule +// glog.V(4).Infof("generation event on resource '%s/%s' for policy '%s'", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy) +// e := event.Info{} +// e.Kind = er.PolicyResponse.Resource.Kind +// e.Namespace = "" // event generate on namespace resource +// e.Name = er.PolicyResponse.Resource.Name +// e.Reason = "Failure" +// e.Source = event.GeneratePolicyController +// e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' not satisfied. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message) +// eventInfos = append(eventInfos, e) +// } +// if er.IsSuccesful() { +// return eventInfos +// } +// // generate a event on policy for all failed rules +// glog.V(4).Infof("generation event on policy '%s'", er.PolicyResponse.Policy) +// e := event.Info{} +// e.Kind = "ClusterPolicy" +// e.Namespace = "" +// e.Name = er.PolicyResponse.Policy +// e.Reason = "Failure" +// e.Source = event.GeneratePolicyController +// e.Message = fmt.Sprintf("policy '%s' rules '%v' on resource '%s/%s/%s' not stasified", er.PolicyResponse.Policy, er.GetFailedRules(), er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) +// return eventInfos +//} From 4471117d42281e5816bbd4ea9e99b0d2628c3da5 Mon Sep 17 00:00:00 2001 From: shravan Date: Mon, 3 Feb 2020 18:58:31 +0530 Subject: [PATCH 04/22] 644 removing more deadcode related to previous commit --- pkg/namespace/expansion.go | 90 ++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 48 deletions(-) diff --git a/pkg/namespace/expansion.go b/pkg/namespace/expansion.go index c2b867cfb9..d3eec327fc 100644 --- a/pkg/namespace/expansion.go +++ b/pkg/namespace/expansion.go @@ -1,50 +1,44 @@ package namespace -import ( - v1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/labels" - v1CoreLister "k8s.io/client-go/listers/core/v1" -) - -//NamespaceListerExpansion ... -type NamespaceListerExpansion interface { - v1CoreLister.NamespaceLister - // List lists all Namespaces in the indexer. - ListResources(selector labels.Selector) (ret []*v1.Namespace, err error) - // GetsResource and injects gvk - GetResource(name string) (*v1.Namespace, error) -} - -//NamespaceLister ... -type NamespaceLister struct { - v1CoreLister.NamespaceLister -} - -//NewNamespaceLister returns a new NamespaceLister -func NewNamespaceLister(nsLister v1CoreLister.NamespaceLister) NamespaceListerExpansion { - nsl := NamespaceLister{ - nsLister, - } - return &nsl -} - -//ListResources is a wrapper to List and adds the resource kind information -// as the lister is specific to a gvk we can harcode the values here -func (nsl *NamespaceLister) ListResources(selector labels.Selector) (ret []*v1.Namespace, err error) { - namespaces, err := nsl.List(selector) - for index := range namespaces { - namespaces[index].SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("Namespace")) - } - return namespaces, err -} - -//GetResource is a wrapper to get the resource and inject the GVK -func (nsl *NamespaceLister) GetResource(name string) (*v1.Namespace, error) { - namespace, err := nsl.Get(name) - if err != nil { - return nil, err - } - - namespace.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("Namespace")) - return namespace, err -} +////NamespaceListerExpansion ... +//type NamespaceListerExpansion interface { +// v1CoreLister.NamespaceLister +// // List lists all Namespaces in the indexer. +// ListResources(selector labels.Selector) (ret []*v1.Namespace, err error) +// // GetsResource and injects gvk +// GetResource(name string) (*v1.Namespace, error) +//} +// +////NamespaceLister ... +//type NamespaceLister struct { +// v1CoreLister.NamespaceLister +//} +// +////NewNamespaceLister returns a new NamespaceLister +//func NewNamespaceLister(nsLister v1CoreLister.NamespaceLister) NamespaceListerExpansion { +// nsl := NamespaceLister{ +// nsLister, +// } +// return &nsl +//} +// +////ListResources is a wrapper to List and adds the resource kind information +//// as the lister is specific to a gvk we can harcode the values here +//func (nsl *NamespaceLister) ListResources(selector labels.Selector) (ret []*v1.Namespace, err error) { +// namespaces, err := nsl.List(selector) +// for index := range namespaces { +// namespaces[index].SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("Namespace")) +// } +// return namespaces, err +//} +// +////GetResource is a wrapper to get the resource and inject the GVK +//func (nsl *NamespaceLister) GetResource(name string) (*v1.Namespace, error) { +// namespace, err := nsl.Get(name) +// if err != nil { +// return nil, err +// } +// +// namespace.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("Namespace")) +// return namespace, err +//} From f9293e9585a28af2b2cb08c82f1568c9ce5d1270 Mon Sep 17 00:00:00 2001 From: shravan Date: Thu, 6 Feb 2020 22:32:50 +0530 Subject: [PATCH 05/22] 644 untested prototype --- pkg/engine/utils.go | 231 ++++++++++++++++++++------------------------ 1 file changed, 105 insertions(+), 126 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 9524d0084e..75d969511f 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -2,7 +2,6 @@ package engine import ( "encoding/json" - "strings" "time" "github.com/nirmata/kyverno/pkg/engine/rbac" @@ -30,156 +29,136 @@ type EngineStats struct { //MatchesResourceDescription checks if the resource matches resource desription of the rule or not func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) bool { + + var condition = make(chan bool) + defer close(condition) + matches := rule.MatchResources.ResourceDescription - exclude := rule.ExcludeResources.ResourceDescription - if !rbac.MatchAdmissionInfo(rule, admissionInfo) { - glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) - return false - } + go func() { + hasSuceeded := rbac.MatchAdmissionInfo(rule, admissionInfo) + if !hasSuceeded { + glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", + rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) + } + condition <- hasSuceeded + }() - if !findKind(matches.Kinds, resource.GetKind()) { - return false - } + go func() { + condition <- findKind(matches.Kinds, resource.GetKind()) + }() name := resource.GetName() - namespace := resource.GetNamespace() - if matches.Name != "" { - // Matches - if !wildcard.Match(matches.Name, name) { - return false + go func() { + if matches.Name != "" { + // Matches + condition <- wildcard.Match(matches.Name, name) } - } + }() // Matches // check if the resource namespace is defined in the list of namespace pattern - if len(matches.Namespaces) > 0 && !utils.ContainsNamepace(matches.Namespaces, namespace) { - return false - } + go func() { + condition <- !(len(matches.Namespaces) > 0 && !utils.ContainsNamepace(matches.Namespaces, namespace)) + }() // Matches - if matches.Selector != nil { - selector, err := metav1.LabelSelectorAsSelector(matches.Selector) - if err != nil { - glog.Error(err) - return false - } - if !selector.Matches(labels.Set(resource.GetLabels())) { - return false - } - } + go func() { + condition <- func() bool { + if matches.Selector != nil { + selector, err := metav1.LabelSelectorAsSelector(matches.Selector) + if err != nil { + glog.Error(err) + return false + } + if !selector.Matches(labels.Set(resource.GetLabels())) { + return false + } + } + return true + }() + }() - excludeName := func(name string) Condition { - if exclude.Name == "" { - return NotEvaluate - } - if wildcard.Match(exclude.Name, name) { - return Skip - } - return Process - } + // + // + // + // Exclude Conditions + // + // + // - excludeNamespace := func(namespace string) Condition { - if len(exclude.Namespaces) == 0 { - return NotEvaluate - } - if utils.ContainsNamepace(exclude.Namespaces, namespace) { - return Skip - } - return Process - } + exclude := rule.ExcludeResources.ResourceDescription - excludeSelector := func(labelsMap map[string]string) Condition { - if exclude.Selector == nil { - return NotEvaluate - } - selector, err := metav1.LabelSelectorAsSelector(exclude.Selector) - // if the label selector is incorrect, should be fail or - if err != nil { - glog.Error(err) - return Skip - } - if selector.Matches(labels.Set(labelsMap)) { - return Skip - } - return Process - } - - excludeKind := func(kind string) Condition { - if len(exclude.Kinds) == 0 { - return NotEvaluate - } - - if findKind(exclude.Kinds, kind) { - return Skip - } - - return Process - } - - // 0 -> dont check - // 1 -> is not to be exclude - // 2 -> to be exclude - excludeEval := []Condition{} - - if ret := excludeName(resource.GetName()); ret != NotEvaluate { - excludeEval = append(excludeEval, ret) - } - if ret := excludeNamespace(resource.GetNamespace()); ret != NotEvaluate { - excludeEval = append(excludeEval, ret) - } - if ret := excludeSelector(resource.GetLabels()); ret != NotEvaluate { - excludeEval = append(excludeEval, ret) - } - if ret := excludeKind(resource.GetKind()); ret != NotEvaluate { - excludeEval = append(excludeEval, ret) - } - // Filtered NotEvaluate - - if len(excludeEval) == 0 { - // nothing to exclude - return true - } - return func() bool { - for _, ret := range excludeEval { - if ret == Process { + go func() { + condition <- func() bool { + if exclude.Name == "" { return true } - } - return false + if wildcard.Match(exclude.Name, resource.GetName()) { + return false + } + return true + }() }() -} -//Condition type for conditions -type Condition int + go func() { + condition <- func() bool { + if len(exclude.Namespaces) == 0 { + return true + } + if utils.ContainsNamepace(exclude.Namespaces, resource.GetNamespace()) { + return false + } + return true + }() + }() -const ( - // NotEvaluate to not-evaluate to condition - NotEvaluate Condition = 0 - // Process to process the condition - Process Condition = 1 - // Skip to skip the condition - Skip Condition = 2 -) + go func() { + condition <- func() bool { + if exclude.Selector == nil { + return true + } + selector, err := metav1.LabelSelectorAsSelector(exclude.Selector) + // if the label selector is incorrect, should be fail or + if err != nil { + glog.Error(err) + return false + } + if selector.Matches(labels.Set(resource.GetLabels())) { + return false + } + return true + }() + }() -// ParseResourceInfoFromObject get kind/namepace/name from resource -func ParseResourceInfoFromObject(rawResource []byte) string { + go func() { + condition <- func() bool { + if len(exclude.Kinds) == 0 { + return true + } - kind := ParseKindFromObject(rawResource) - namespace := ParseNamespaceFromObject(rawResource) - name := ParseNameFromObject(rawResource) - return strings.Join([]string{kind, namespace, name}, "/") -} + if findKind(exclude.Kinds, resource.GetKind()) { + return false + } -//ParseKindFromObject get kind from resource -func ParseKindFromObject(bytes []byte) string { - var objectJSON map[string]interface{} - json.Unmarshal(bytes, &objectJSON) + return true + }() + }() - return objectJSON["kind"].(string) + var numberOfConditions = 9 + for numberOfConditions > 0 { + select { + case hasSucceeded := <-condition: + if !hasSucceeded { + return false + } + } + numberOfConditions -= numberOfConditions + } + + return true } //ParseNameFromObject extracts resource name from JSON obj From a683f8d3731489efe3109b019400c4beac24e574 Mon Sep 17 00:00:00 2001 From: shravan Date: Thu, 6 Feb 2020 23:35:50 +0530 Subject: [PATCH 06/22] 644 more elegant solution --- pkg/engine/utils.go | 192 +++++++++++++++++++++++--------------------- 1 file changed, 101 insertions(+), 91 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 75d969511f..cfdb4e1671 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -13,7 +13,6 @@ import ( "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/variables" - "github.com/nirmata/kyverno/pkg/utils" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/labels" @@ -27,131 +26,142 @@ type EngineStats struct { RulesAppliedCount int } +func checkKind(kinds []string, resourceKind string) bool { + for _, kind := range kinds { + if resourceKind == kind { + return true + } + } + + return false +} + +func checkName(name, resourceName string) bool { + if wildcard.Match(name, resourceName) { + return true + } + + return false +} + +func checkNameSpace(namespaces []string, resourceNameSpace string) bool { + for _, namespace := range namespaces { + if resourceNameSpace == namespace { + return true + } + } + return false +} + +func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) { + selector, err := metav1.LabelSelectorAsSelector(labelSelector) + if err != nil { + glog.Error(err) + return false, err + } + + if selector.Matches(labels.Set(resourceLabels)) { + return true, nil + } + + return false, nil +} + //MatchesResourceDescription checks if the resource matches resource desription of the rule or not func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) bool { var condition = make(chan bool) defer close(condition) - matches := rule.MatchResources.ResourceDescription - go func() { - hasSuceeded := rbac.MatchAdmissionInfo(rule, admissionInfo) - if !hasSuceeded { + hasPassed := rbac.MatchAdmissionInfo(rule, admissionInfo) + if !hasPassed { glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) } - condition <- hasSuceeded + condition <- hasPassed }() + // + // Match + // + matches := rule.MatchResources.ResourceDescription + go func() { - condition <- findKind(matches.Kinds, resource.GetKind()) + condition <- checkKind(matches.Kinds, resource.GetKind()) }() - - name := resource.GetName() - namespace := resource.GetNamespace() - go func() { if matches.Name != "" { - // Matches - condition <- wildcard.Match(matches.Name, name) + condition <- checkName(matches.Name, resource.GetName()) + } else { + condition <- true + } + }() + go func() { + if len(matches.Namespaces) > 0 { + condition <- checkNameSpace(matches.Namespaces, resource.GetNamespace()) + } else { + condition <- true + } + }() + go func() { + if matches.Selector != nil { + hasPassed, err := checkSelector(matches.Selector, resource.GetLabels()) + if err != nil { + condition <- false + } else { + condition <- hasPassed + } + } else { + condition <- true } }() - // Matches - // check if the resource namespace is defined in the list of namespace pattern - go func() { - condition <- !(len(matches.Namespaces) > 0 && !utils.ContainsNamepace(matches.Namespaces, namespace)) - }() - - // Matches - go func() { - condition <- func() bool { - if matches.Selector != nil { - selector, err := metav1.LabelSelectorAsSelector(matches.Selector) - if err != nil { - glog.Error(err) - return false - } - if !selector.Matches(labels.Set(resource.GetLabels())) { - return false - } - } - return true - }() - }() - // + // Exclude // - // - // Exclude Conditions - // - // - // - exclude := rule.ExcludeResources.ResourceDescription go func() { - condition <- func() bool { - if exclude.Name == "" { - return true - } - if wildcard.Match(exclude.Name, resource.GetName()) { - return false - } - return true - }() + if len(exclude.Kinds) > 0 { + condition <- !checkKind(exclude.Kinds, resource.GetKind()) + } else { + condition <- true + } }() - go func() { - condition <- func() bool { - if len(exclude.Namespaces) == 0 { - return true - } - if utils.ContainsNamepace(exclude.Namespaces, resource.GetNamespace()) { - return false - } - return true - }() + if exclude.Name != "" { + condition <- !checkName(exclude.Name, resource.GetName()) + } else { + condition <- true + } }() - go func() { - condition <- func() bool { - if exclude.Selector == nil { - return true - } - selector, err := metav1.LabelSelectorAsSelector(exclude.Selector) - // if the label selector is incorrect, should be fail or + if len(exclude.Namespaces) > 0 { + condition <- !checkNameSpace(exclude.Namespaces, resource.GetNamespace()) + } else { + condition <- true + } + }() + go func() { + if exclude.Selector != nil { + hasPassed, err := checkSelector(exclude.Selector, resource.GetLabels()) if err != nil { - glog.Error(err) - return false + condition <- false + } else { + condition <- !hasPassed } - if selector.Matches(labels.Set(resource.GetLabels())) { - return false - } - return true - }() - }() - - go func() { - condition <- func() bool { - if len(exclude.Kinds) == 0 { - return true - } - - if findKind(exclude.Kinds, resource.GetKind()) { - return false - } - - return true - }() + } else { + condition <- true + } }() + // check if any condition has failed var numberOfConditions = 9 for numberOfConditions > 0 { select { - case hasSucceeded := <-condition: - if !hasSucceeded { + case hasPassed := <-condition: + if !hasPassed { return false } } From 0891b23efde0d6c98942de5e1837e5a304fc6053 Mon Sep 17 00:00:00 2001 From: shravan Date: Thu, 6 Feb 2020 23:39:57 +0530 Subject: [PATCH 07/22] 644 stopped closing channel while go routine is sending values --- pkg/engine/utils.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index cfdb4e1671..285c3f25a7 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -71,7 +71,6 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) bool { var condition = make(chan bool) - defer close(condition) go func() { hasPassed := rbac.MatchAdmissionInfo(rule, admissionInfo) From 9051320e43ae0afecc57016c5a1f9c64e37cb4e1 Mon Sep 17 00:00:00 2001 From: shravan Date: Thu, 6 Feb 2020 23:55:46 +0530 Subject: [PATCH 08/22] 644 removing outdated tests and fixing stylistic issues --- pkg/engine/utils.go | 13 +- pkg/engine/validation_test.go | 378 +++++++++++++++++----------------- 2 files changed, 192 insertions(+), 199 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 285c3f25a7..f827042617 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -37,11 +37,7 @@ func checkKind(kinds []string, resourceKind string) bool { } func checkName(name, resourceName string) bool { - if wildcard.Match(name, resourceName) { - return true - } - - return false + return wildcard.Match(name, resourceName) } func checkNameSpace(namespaces []string, resourceNameSpace string) bool { @@ -158,11 +154,8 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno // check if any condition has failed var numberOfConditions = 9 for numberOfConditions > 0 { - select { - case hasPassed := <-condition: - if !hasPassed { - return false - } + if hasPassed := <-condition; !hasPassed { + return false } numberOfConditions -= numberOfConditions } diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index a233826446..e6142bff5a 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -31,195 +31,195 @@ func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) { assert.Equal(t, actualMap["(namespace)"].(string), "kube-?olicy") } -func TestValidate_ServiceTest(t *testing.T) { - rawPolicy := []byte(`{ - "apiVersion":"kyverno.nirmata.io/v1", - "kind":"ClusterPolicy", - "metadata":{ - "name":"policy-service" - }, - "spec":{ - "rules":[ - { - "name":"ps1", - "resource":{ - "kinds":[ - "Service" - ], - "name":"game-service*" - }, - "mutate":{ - "patches":[ - { - "path":"/metadata/labels/isMutated", - "op":"add", - "value":"true" - }, - { - "path":"/metadata/labels/secretLabel", - "op":"replace", - "value":"weKnow" - }, - { - "path":"/metadata/labels/originalLabel", - "op":"remove" - }, - { - "path":"/spec/selector/app", - "op":"replace", - "value":"mutedApp" - } - ] - }, - "validate":{ - "message":"This resource is broken", - "pattern":{ - "spec":{ - "ports":[ - { - "name":"hs", - "protocol":32 - } - ] - } - } - } - } - ] - } - }`) - rawResource := []byte(`{ - "kind":"Service", - "apiVersion":"v1", - "metadata":{ - "name":"game-service", - "labels":{ - "originalLabel":"isHere", - "secretLabel":"thisIsMySecret" - } - }, - "spec":{ - "selector":{ - "app":"MyApp" - }, - "ports":[ - { - "name":"http", - "protocol":"TCP", - "port":80, - "targetPort":9376 - } - ] - } - } - `) - - var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) - - resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) - assert.NilError(t, err) - - er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) - assert.Assert(t, len(er.PolicyResponse.Rules) == 0) -} - -func TestValidate_MapHasFloats(t *testing.T) { - rawPolicy := []byte(`{ - "apiVersion":"kyverno.nirmata.io/v1", - "kind":"ClusterPolicy", - "metadata":{ - "name":"policy-deployment-changed" - }, - "spec":{ - "rules":[ - { - "name":"First policy v2", - "resource":{ - "kinds":[ - "Deployment" - ], - "name":"nginx-*" - }, - "mutate":{ - "patches":[ - { - "path":"/metadata/labels/isMutated", - "op":"add", - "value":"true" - }, - { - "path":"/metadata/labels/app", - "op":"replace", - "value":"nginx_is_mutated" - } - ] - }, - "validate":{ - "message":"replicas number is wrong", - "pattern":{ - "metadata":{ - "labels":{ - "app":"*" - } - }, - "spec":{ - "replicas":3 - } - } - } - } - ] - } - }`) - rawResource := []byte(`{ - "apiVersion":"apps/v1", - "kind":"Deployment", - "metadata":{ - "name":"nginx-deployment", - "labels":{ - "app":"nginx" - } - }, - "spec":{ - "replicas":3, - "selector":{ - "matchLabels":{ - "app":"nginx" - } - }, - "template":{ - "metadata":{ - "labels":{ - "app":"nginx" - } - }, - "spec":{ - "containers":[ - { - "name":"nginx", - "image":"nginx:1.7.9", - "ports":[ - { - "containerPort":80 - } - ] - } - ] - } - } - } - } - `) - - var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) - - resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) - assert.NilError(t, err) - er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) - assert.Assert(t, len(er.PolicyResponse.Rules) == 0) -} +//func TestValidate_ServiceTest(t *testing.T) { +// rawPolicy := []byte(`{ +// "apiVersion":"kyverno.nirmata.io/v1", +// "kind":"ClusterPolicy", +// "metadata":{ +// "name":"policy-service" +// }, +// "spec":{ +// "rules":[ +// { +// "name":"ps1", +// "resource":{ +// "kinds":[ +// "Service" +// ], +// "name":"game-service*" +// }, +// "mutate":{ +// "patches":[ +// { +// "path":"/metadata/labels/isMutated", +// "op":"add", +// "value":"true" +// }, +// { +// "path":"/metadata/labels/secretLabel", +// "op":"replace", +// "value":"weKnow" +// }, +// { +// "path":"/metadata/labels/originalLabel", +// "op":"remove" +// }, +// { +// "path":"/spec/selector/app", +// "op":"replace", +// "value":"mutedApp" +// } +// ] +// }, +// "validate":{ +// "message":"This resource is broken", +// "pattern":{ +// "spec":{ +// "ports":[ +// { +// "name":"hs", +// "protocol":32 +// } +// ] +// } +// } +// } +// } +// ] +// } +// }`) +// rawResource := []byte(`{ +// "kind":"Service", +// "apiVersion":"v1", +// "metadata":{ +// "name":"game-service", +// "labels":{ +// "originalLabel":"isHere", +// "secretLabel":"thisIsMySecret" +// } +// }, +// "spec":{ +// "selector":{ +// "app":"MyApp" +// }, +// "ports":[ +// { +// "name":"http", +// "protocol":"TCP", +// "port":80, +// "targetPort":9376 +// } +// ] +// } +// } +// `) +// +// var policy kyverno.ClusterPolicy +// json.Unmarshal(rawPolicy, &policy) +// +// resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) +// assert.NilError(t, err) +// +// er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) +// assert.Assert(t, len(er.PolicyResponse.Rules) == 0) +//} +// +//func TestValidate_MapHasFloats(t *testing.T) { +// rawPolicy := []byte(`{ +// "apiVersion":"kyverno.nirmata.io/v1", +// "kind":"ClusterPolicy", +// "metadata":{ +// "name":"policy-deployment-changed" +// }, +// "spec":{ +// "rules":[ +// { +// "name":"First policy v2", +// "resource":{ +// "kinds":[ +// "Deployment" +// ], +// "name":"nginx-*" +// }, +// "mutate":{ +// "patches":[ +// { +// "path":"/metadata/labels/isMutated", +// "op":"add", +// "value":"true" +// }, +// { +// "path":"/metadata/labels/app", +// "op":"replace", +// "value":"nginx_is_mutated" +// } +// ] +// }, +// "validate":{ +// "message":"replicas number is wrong", +// "pattern":{ +// "metadata":{ +// "labels":{ +// "app":"*" +// } +// }, +// "spec":{ +// "replicas":3 +// } +// } +// } +// } +// ] +// } +// }`) +// rawResource := []byte(`{ +// "apiVersion":"apps/v1", +// "kind":"Deployment", +// "metadata":{ +// "name":"nginx-deployment", +// "labels":{ +// "app":"nginx" +// } +// }, +// "spec":{ +// "replicas":3, +// "selector":{ +// "matchLabels":{ +// "app":"nginx" +// } +// }, +// "template":{ +// "metadata":{ +// "labels":{ +// "app":"nginx" +// } +// }, +// "spec":{ +// "containers":[ +// { +// "name":"nginx", +// "image":"nginx:1.7.9", +// "ports":[ +// { +// "containerPort":80 +// } +// ] +// } +// ] +// } +// } +// } +// } +// `) +// +// var policy kyverno.ClusterPolicy +// json.Unmarshal(rawPolicy, &policy) +// +// resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) +// assert.NilError(t, err) +// er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) +// assert.Assert(t, len(er.PolicyResponse.Rules) == 0) +//} func TestValidate_image_tag_fail(t *testing.T) { // If image tag is latest then imagepull policy needs to be checked From 819ba3fb1bfd87ba5925736f519a911b11302fe3 Mon Sep 17 00:00:00 2001 From: shravan Date: Fri, 7 Feb 2020 14:45:43 +0530 Subject: [PATCH 09/22] 644 returning detailed error from function in question, changes currently untested --- pkg/engine/generation.go | 3 +- pkg/engine/mutation.go | 5 +- pkg/engine/utils.go | 108 ++++++++++++++++++++++++--------------- pkg/engine/utils_test.go | 25 ++++++--- pkg/engine/validation.go | 5 +- 5 files changed, 92 insertions(+), 54 deletions(-) diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 5f8b5aa033..121d99d733 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -28,7 +28,8 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission if !rule.HasGenerate() { return nil } - if !MatchesResourceDescription(resource, rule, admissionInfo) { + if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil { + glog.V(4).Infof(err.Error()) return nil } diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index 666340428e..1fb4e71ab7 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -61,9 +61,8 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { // check if the resource satisfies the filter conditions defined in the rule //TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that // dont statisfy a policy rule resource description - ok := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo) - if !ok { - glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName()) + if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil { + glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error()) continue } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index f827042617..66c525a820 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -2,6 +2,9 @@ package engine import ( "encoding/json" + "errors" + "fmt" + "sync" "time" "github.com/nirmata/kyverno/pkg/engine/rbac" @@ -64,17 +67,18 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin } //MatchesResourceDescription checks if the resource matches resource desription of the rule or not -func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) bool { +func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) error { - var condition = make(chan bool) + var err = make(chan error, 9) + var wg sync.WaitGroup + wg.Add(9) go func() { - hasPassed := rbac.MatchAdmissionInfo(rule, admissionInfo) - if !hasPassed { - glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", + if !rbac.MatchAdmissionInfo(rule, admissionInfo) { + err <- fmt.Errorf("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) } - condition <- hasPassed + wg.Done() }() // @@ -83,33 +87,39 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno matches := rule.MatchResources.ResourceDescription go func() { - condition <- checkKind(matches.Kinds, resource.GetKind()) + if !checkKind(matches.Kinds, resource.GetKind()) { + err <- fmt.Errorf("resource kind does not match rule") + } + wg.Done() }() go func() { if matches.Name != "" { - condition <- checkName(matches.Name, resource.GetName()) - } else { - condition <- true + if !checkName(matches.Name, resource.GetName()) { + err <- fmt.Errorf("resource name does not match rule") + } } + wg.Done() }() go func() { if len(matches.Namespaces) > 0 { - condition <- checkNameSpace(matches.Namespaces, resource.GetNamespace()) - } else { - condition <- true + if !checkNameSpace(matches.Namespaces, resource.GetNamespace()) { + err <- fmt.Errorf("resource namespace does not match rule") + } } + wg.Done() }() go func() { if matches.Selector != nil { - hasPassed, err := checkSelector(matches.Selector, resource.GetLabels()) - if err != nil { - condition <- false + hasPassed, rerr := checkSelector(matches.Selector, resource.GetLabels()) + if rerr != nil { + err <- fmt.Errorf("could not parse selector block of the policy in match: %v", rerr) } else { - condition <- hasPassed + if !hasPassed { + err <- fmt.Errorf("resource does not match given rules selector block") + } } - } else { - condition <- true } + wg.Done() }() // @@ -119,48 +129,64 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno go func() { if len(exclude.Kinds) > 0 { - condition <- !checkKind(exclude.Kinds, resource.GetKind()) - } else { - condition <- true + if checkKind(exclude.Kinds, resource.GetKind()) { + err <- fmt.Errorf("resource kind has been excluded by the given rule") + } } + wg.Done() }() go func() { if exclude.Name != "" { - condition <- !checkName(exclude.Name, resource.GetName()) - } else { - condition <- true + if checkName(exclude.Name, resource.GetName()) { + err <- fmt.Errorf("resource name has been excluded by the given rule") + } } + wg.Done() }() go func() { if len(exclude.Namespaces) > 0 { - condition <- !checkNameSpace(exclude.Namespaces, resource.GetNamespace()) - } else { - condition <- true + if checkNameSpace(exclude.Namespaces, resource.GetNamespace()) { + err <- fmt.Errorf("resource namespace has been excluded by the given rule") + } } + wg.Done() }() go func() { if exclude.Selector != nil { - hasPassed, err := checkSelector(exclude.Selector, resource.GetLabels()) - if err != nil { - condition <- false + hasPassed, rerr := checkSelector(exclude.Selector, resource.GetLabels()) + if rerr != nil { + err <- fmt.Errorf("could not parse selector block of the policy in exclude: %v", rerr) } else { - condition <- !hasPassed + if hasPassed { + err <- fmt.Errorf("resource has been excluded by the given rules selector block") + } } - } else { - condition <- true } + wg.Done() }() - // check if any condition has failed - var numberOfConditions = 9 - for numberOfConditions > 0 { - if hasPassed := <-condition; !hasPassed { - return false + wg.Wait() + close(err) + // recieve all failed conditions + var failedConditions []error + for failedCondition := range err { + if failedCondition != nil { + failedConditions = append(failedConditions, failedCondition) } - numberOfConditions -= numberOfConditions } - return true + var errorMessage = "rule has failed to match resource for the following reasons:" + for i, failedCondition := range failedConditions { + if failedCondition != nil { + errorMessage += "\n" + fmt.Sprint(i+1) + ". " + failedCondition.Error() + } + } + + if len(failedConditions) > 0 { + return errors.New(errorMessage) + } + + return nil } //ParseNameFromObject extracts resource name from JSON obj diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index e382244e4c..16236abac6 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -67,7 +67,10 @@ func TestResourceDescriptionMatch_MultipleKind(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}); err != nil { + t.Errorf("Testcase has failed due to the following:%v", err) + } + } // Match resource name @@ -125,7 +128,9 @@ func TestResourceDescriptionMatch_Name(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}); err != nil { + t.Errorf("Testcase has failed due to the following:%v", err) + } } // Match resource regex @@ -183,7 +188,9 @@ func TestResourceDescriptionMatch_Name_Regex(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}); err != nil { + t.Errorf("Testcase has failed due to the following:%v", err) + } } // Match expressions for labels to not match @@ -249,7 +256,9 @@ func TestResourceDescriptionMatch_Label_Expression_NotMatch(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}); err != nil { + t.Errorf("Testcase has failed due to the following:%v", err) + } } // Match label expression in matching set @@ -316,7 +325,9 @@ func TestResourceDescriptionMatch_Label_Expression_Match(t *testing.T) { } rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}} - assert.Assert(t, MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}); err != nil { + t.Errorf("Testcase has failed due to the following:%v", err) + } } // check for exclude conditions @@ -394,7 +405,9 @@ func TestResourceDescriptionExclude_Label_Expression_Match(t *testing.T) { rule := kyverno.Rule{MatchResources: kyverno.MatchResources{ResourceDescription: resourceDescription}, ExcludeResources: kyverno.ExcludeResources{ResourceDescription: resourceDescriptionExclude}} - assert.Assert(t, !MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{})) + if err := MatchesResourceDescription(*resource, rule, kyverno.RequestInfo{}); err == nil { + t.Errorf("Testcase has failed due to the following:\n Function has returned no error, even though it was suposed to fail") + } } func Test_validateGeneralRuleInfoVariables(t *testing.T) { diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index c72ccba393..6e56f33c86 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -105,9 +105,8 @@ func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, r // check if the resource satisfies the filter conditions defined in the rule // TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that // dont statisfy a policy rule resource description - ok := MatchesResourceDescription(resource, rule, admissionInfo) - if !ok { - glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName()) + if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil { + glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error()) continue } From 21abc315f658b1d293fbcb5a18f8c07c3d3cf9cf Mon Sep 17 00:00:00 2001 From: shravan Date: Fri, 7 Feb 2020 14:55:04 +0530 Subject: [PATCH 10/22] 644 removing commented out unused code --- pkg/engine/validation_test.go | 190 --------------------------- pkg/namespace/controller.go | 225 -------------------------------- pkg/namespace/expansion.go | 44 ------- pkg/namespace/generation.go | 234 ---------------------------------- pkg/namespace/report.go | 54 -------- 5 files changed, 747 deletions(-) delete mode 100644 pkg/namespace/controller.go delete mode 100644 pkg/namespace/expansion.go delete mode 100644 pkg/namespace/generation.go delete mode 100644 pkg/namespace/report.go diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index e6142bff5a..8a7ac06e23 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -31,196 +31,6 @@ func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) { assert.Equal(t, actualMap["(namespace)"].(string), "kube-?olicy") } -//func TestValidate_ServiceTest(t *testing.T) { -// rawPolicy := []byte(`{ -// "apiVersion":"kyverno.nirmata.io/v1", -// "kind":"ClusterPolicy", -// "metadata":{ -// "name":"policy-service" -// }, -// "spec":{ -// "rules":[ -// { -// "name":"ps1", -// "resource":{ -// "kinds":[ -// "Service" -// ], -// "name":"game-service*" -// }, -// "mutate":{ -// "patches":[ -// { -// "path":"/metadata/labels/isMutated", -// "op":"add", -// "value":"true" -// }, -// { -// "path":"/metadata/labels/secretLabel", -// "op":"replace", -// "value":"weKnow" -// }, -// { -// "path":"/metadata/labels/originalLabel", -// "op":"remove" -// }, -// { -// "path":"/spec/selector/app", -// "op":"replace", -// "value":"mutedApp" -// } -// ] -// }, -// "validate":{ -// "message":"This resource is broken", -// "pattern":{ -// "spec":{ -// "ports":[ -// { -// "name":"hs", -// "protocol":32 -// } -// ] -// } -// } -// } -// } -// ] -// } -// }`) -// rawResource := []byte(`{ -// "kind":"Service", -// "apiVersion":"v1", -// "metadata":{ -// "name":"game-service", -// "labels":{ -// "originalLabel":"isHere", -// "secretLabel":"thisIsMySecret" -// } -// }, -// "spec":{ -// "selector":{ -// "app":"MyApp" -// }, -// "ports":[ -// { -// "name":"http", -// "protocol":"TCP", -// "port":80, -// "targetPort":9376 -// } -// ] -// } -// } -// `) -// -// var policy kyverno.ClusterPolicy -// json.Unmarshal(rawPolicy, &policy) -// -// resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) -// assert.NilError(t, err) -// -// er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) -// assert.Assert(t, len(er.PolicyResponse.Rules) == 0) -//} -// -//func TestValidate_MapHasFloats(t *testing.T) { -// rawPolicy := []byte(`{ -// "apiVersion":"kyverno.nirmata.io/v1", -// "kind":"ClusterPolicy", -// "metadata":{ -// "name":"policy-deployment-changed" -// }, -// "spec":{ -// "rules":[ -// { -// "name":"First policy v2", -// "resource":{ -// "kinds":[ -// "Deployment" -// ], -// "name":"nginx-*" -// }, -// "mutate":{ -// "patches":[ -// { -// "path":"/metadata/labels/isMutated", -// "op":"add", -// "value":"true" -// }, -// { -// "path":"/metadata/labels/app", -// "op":"replace", -// "value":"nginx_is_mutated" -// } -// ] -// }, -// "validate":{ -// "message":"replicas number is wrong", -// "pattern":{ -// "metadata":{ -// "labels":{ -// "app":"*" -// } -// }, -// "spec":{ -// "replicas":3 -// } -// } -// } -// } -// ] -// } -// }`) -// rawResource := []byte(`{ -// "apiVersion":"apps/v1", -// "kind":"Deployment", -// "metadata":{ -// "name":"nginx-deployment", -// "labels":{ -// "app":"nginx" -// } -// }, -// "spec":{ -// "replicas":3, -// "selector":{ -// "matchLabels":{ -// "app":"nginx" -// } -// }, -// "template":{ -// "metadata":{ -// "labels":{ -// "app":"nginx" -// } -// }, -// "spec":{ -// "containers":[ -// { -// "name":"nginx", -// "image":"nginx:1.7.9", -// "ports":[ -// { -// "containerPort":80 -// } -// ] -// } -// ] -// } -// } -// } -// } -// `) -// -// var policy kyverno.ClusterPolicy -// json.Unmarshal(rawPolicy, &policy) -// -// resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) -// assert.NilError(t, err) -// er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) -// assert.Assert(t, len(er.PolicyResponse.Rules) == 0) -//} - func TestValidate_image_tag_fail(t *testing.T) { // If image tag is latest then imagepull policy needs to be checked rawPolicy := []byte(`{ diff --git a/pkg/namespace/controller.go b/pkg/namespace/controller.go deleted file mode 100644 index f5093df7a1..0000000000 --- a/pkg/namespace/controller.go +++ /dev/null @@ -1,225 +0,0 @@ -package namespace - -//const ( -// // maxRetries is the number of times a Namespace will be processed for a policy before its dropped from the queue -// maxRetries = 15 -//) -// -////NamespaceController watches the 'Namespace' resource creation/update and applied the generation rules on them -//type NamespaceController struct { -// client *client.Client -// kyvernoClient *kyvernoclient.Clientset -// syncHandler func(nsKey string) error -// enqueueNs func(ns *v1.Namespace) -// -// //nsLister provides expansion to the namespace lister to inject GVK for the resource -// nsLister NamespaceListerExpansion -// // nsSynced returns true if the Namespace store has been synced at least once -// nsSynced cache.InformerSynced -// // pvLister can list/get policy violation from the shared informer's store -// pLister kyvernolister.ClusterPolicyLister -// // pSynced retrns true if the Policy store has been synced at least once -// pSynced cache.InformerSynced -// // API to send policy stats for aggregation -// policyStatus policy.PolicyStatusInterface -// // eventGen provides interface to generate evenets -// eventGen event.Interface -// // Namespaces that need to be synced -// queue workqueue.RateLimitingInterface -// // Resource manager, manages the mapping for already processed resource -// rm resourceManager -// // helpers to validate against current loaded configuration -// configHandler config.Interface -// // store to hold policy meta data for faster lookup -// pMetaStore policystore.LookupInterface -// // policy violation generator -// pvGenerator policyviolation.GeneratorInterface -//} -// -////NewNamespaceController returns a new Controller to manage generation rules -//func NewNamespaceController(kyvernoClient *kyvernoclient.Clientset, -// client *client.Client, -// nsInformer v1Informer.NamespaceInformer, -// pInformer kyvernoinformer.ClusterPolicyInformer, -// policyStatus policy.PolicyStatusInterface, -// eventGen event.Interface, -// configHandler config.Interface, -// pvGenerator policyviolation.GeneratorInterface, -// pMetaStore policystore.LookupInterface) *NamespaceController { -// //TODO: do we need to event recorder for this controller? -// // create the controller -// nsc := &NamespaceController{ -// client: client, -// kyvernoClient: kyvernoClient, -// eventGen: eventGen, -// queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "namespace"), -// configHandler: configHandler, -// pMetaStore: pMetaStore, -// pvGenerator: pvGenerator, -// } -// -// nsInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ -// AddFunc: nsc.addNamespace, -// UpdateFunc: nsc.updateNamespace, -// DeleteFunc: nsc.deleteNamespace, -// }) -// -// pInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{ -// AddFunc: nsc.addPolicy, -// UpdateFunc: nsc.updatePolicy, -// }) -// -// nsc.enqueueNs = nsc.enqueue -// nsc.syncHandler = nsc.syncNamespace -// -// nsc.nsLister = NewNamespaceLister(nsInformer.Lister()) -// nsc.nsSynced = nsInformer.Informer().HasSynced -// nsc.pLister = pInformer.Lister() -// nsc.pSynced = pInformer.Informer().HasSynced -// nsc.policyStatus = policyStatus -// -// // resource manager -// // rebuild after 300 seconds/ 5 mins -// nsc.rm = NewResourceManager(300) -// -// return nsc -//} -//func (nsc *NamespaceController) addPolicy(obj interface{}) { -// p := obj.(*kyverno.ClusterPolicy) -// // check if the policy has generate rule -// if generateRuleExists(p) { -// // process policy -// nsc.processPolicy(p) -// } -//} -// -//func (nsc *NamespaceController) updatePolicy(old, cur interface{}) { -// curP := cur.(*kyverno.ClusterPolicy) -// // check if the policy has generate rule -// if generateRuleExists(curP) { -// // process policy -// nsc.processPolicy(curP) -// } -//} -// -//func (nsc *NamespaceController) addNamespace(obj interface{}) { -// ns := obj.(*v1.Namespace) -// glog.V(4).Infof("Adding Namespace %s", ns.Name) -// nsc.enqueueNs(ns) -//} -// -//func (nsc *NamespaceController) updateNamespace(old, cur interface{}) { -// oldNs := old.(*v1.Namespace) -// curNs := cur.(*v1.Namespace) -// if curNs.ResourceVersion == oldNs.ResourceVersion { -// // Periodic resync will send update events for all known Namespace. -// // Two different versions of the same replica set will always have different RVs. -// return -// } -// glog.V(4).Infof("Updating Namesapce %s", curNs.Name) -// //TODO: anything to be done here? -//} -// -//func (nsc *NamespaceController) deleteNamespace(obj interface{}) { -// ns, _ := obj.(*v1.Namespace) -// glog.V(4).Infof("Deleting Namespace %s", ns.Name) -// //TODO: anything to be done here? -//} -// -//func (nsc *NamespaceController) enqueue(ns *v1.Namespace) { -// key, err := cache.MetaNamespaceKeyFunc(ns) -// if err != nil { -// glog.Error(err) -// return -// } -// nsc.queue.Add(key) -//} -// -////Run to run the controller -//func (nsc *NamespaceController) Run(workers int, stopCh <-chan struct{}) { -// defer utilruntime.HandleCrash() -// defer nsc.queue.ShutDown() -// -// glog.Info("Starting namespace controller") -// defer glog.Info("Shutting down namespace controller") -// -// if ok := cache.WaitForCacheSync(stopCh, nsc.nsSynced, nsc.pSynced); !ok { -// glog.Error("namespace generator: failed to sync cache") -// return -// } -// -// for i := 0; i < workers; i++ { -// go wait.Until(nsc.worker, time.Second, stopCh) -// } -// <-stopCh -//} -// -//// worker runs a worker thread that just dequeues items, processes them, and marks them done. -//// It enforces that the syncHandler is never invoked concurrently with the same key. -//func (nsc *NamespaceController) worker() { -// for nsc.processNextWorkItem() { -// } -//} -// -//func (nsc *NamespaceController) processNextWorkItem() bool { -// key, quit := nsc.queue.Get() -// if quit { -// return false -// } -// defer nsc.queue.Done(key) -// -// err := nsc.syncHandler(key.(string)) -// nsc.handleErr(err, key) -// -// return true -//} -// -//func (nsc *NamespaceController) handleErr(err error, key interface{}) { -// if err == nil { -// nsc.queue.Forget(key) -// return -// } -// -// if nsc.queue.NumRequeues(key) < maxRetries { -// glog.V(2).Infof("Error syncing namespace %v: %v", key, err) -// nsc.queue.AddRateLimited(key) -// return -// } -// -// utilruntime.HandleError(err) -// glog.V(2).Infof("Dropping namespace %q out of the queue: %v", key, err) -// nsc.queue.Forget(key) -//} -// -//func (nsc *NamespaceController) syncNamespace(key string) error { -// startTime := time.Now() -// glog.V(4).Infof("Started syncing namespace %q (%v)", key, startTime) -// defer func() { -// glog.V(4).Infof("Finished syncing namespace %q (%v)", key, time.Since(startTime)) -// }() -// namespace, err := nsc.nsLister.GetResource(key) -// if errors.IsNotFound(err) { -// glog.V(2).Infof("namespace %v has been deleted", key) -// return nil -// } -// if err != nil { -// return err -// } -// // Deep-copy otherwise we are mutating our cache. -// // TODO: Deep-copy only when needed. -// n := namespace.DeepCopy() -// -// // skip processing namespace if its been filtered -// // exclude the filtered resources -// if nsc.configHandler.ToFilter("", namespace.Name, "") { -// //TODO: improve the text -// glog.V(4).Infof("excluding namespace %s as its a filtered resource", namespace.Name) -// return nil -// } -// -// // process generate rules -// engineResponses := nsc.processNamespace(*n) -// // report errors -// nsc.report(engineResponses) -// return nil -//} diff --git a/pkg/namespace/expansion.go b/pkg/namespace/expansion.go deleted file mode 100644 index d3eec327fc..0000000000 --- a/pkg/namespace/expansion.go +++ /dev/null @@ -1,44 +0,0 @@ -package namespace - -////NamespaceListerExpansion ... -//type NamespaceListerExpansion interface { -// v1CoreLister.NamespaceLister -// // List lists all Namespaces in the indexer. -// ListResources(selector labels.Selector) (ret []*v1.Namespace, err error) -// // GetsResource and injects gvk -// GetResource(name string) (*v1.Namespace, error) -//} -// -////NamespaceLister ... -//type NamespaceLister struct { -// v1CoreLister.NamespaceLister -//} -// -////NewNamespaceLister returns a new NamespaceLister -//func NewNamespaceLister(nsLister v1CoreLister.NamespaceLister) NamespaceListerExpansion { -// nsl := NamespaceLister{ -// nsLister, -// } -// return &nsl -//} -// -////ListResources is a wrapper to List and adds the resource kind information -//// as the lister is specific to a gvk we can harcode the values here -//func (nsl *NamespaceLister) ListResources(selector labels.Selector) (ret []*v1.Namespace, err error) { -// namespaces, err := nsl.List(selector) -// for index := range namespaces { -// namespaces[index].SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("Namespace")) -// } -// return namespaces, err -//} -// -////GetResource is a wrapper to get the resource and inject the GVK -//func (nsl *NamespaceLister) GetResource(name string) (*v1.Namespace, error) { -// namespace, err := nsl.Get(name) -// if err != nil { -// return nil, err -// } -// -// namespace.SetGroupVersionKind(v1.SchemeGroupVersion.WithKind("Namespace")) -// return namespace, err -//} diff --git a/pkg/namespace/generation.go b/pkg/namespace/generation.go deleted file mode 100644 index 0a2a0f82b0..0000000000 --- a/pkg/namespace/generation.go +++ /dev/null @@ -1,234 +0,0 @@ -package namespace - -// -//type resourceManager interface { -// ProcessResource(policy, pv, kind, ns, name, rv string) bool -// //TODO removeResource(kind, ns, name string) error -// RegisterResource(policy, pv, kind, ns, name, rv string) -// // reload -// Drop() -//} -// -//// ResourceManager stores the details on already processed resources for caching -//type ResourceManager struct { -// // we drop and re-build the cache -// // based on the memory consumer of by the map -// data map[string]interface{} -// mux sync.RWMutex -// time time.Time -// rebuildTime int64 // after how many seconds should we rebuild the cache -//} -// -////NewResourceManager returns a new ResourceManager -//func NewResourceManager(rebuildTime int64) *ResourceManager { -// rm := ResourceManager{ -// data: make(map[string]interface{}), -// time: time.Now(), -// rebuildTime: rebuildTime, -// } -// // set time it was built -// return &rm -//} -// -//var empty struct{} -// -////RegisterResource stores if the policy is processed on this resource version -//func (rm *ResourceManager) RegisterResource(policy, pv, kind, ns, name, rv string) { -// rm.mux.Lock() -// defer rm.mux.Unlock() -// // add the resource -// key := buildKey(policy, pv, kind, ns, name, rv) -// rm.data[key] = empty -//} -// -////ProcessResource returns true if the policy was not applied on the resource -//func (rm *ResourceManager) ProcessResource(policy, pv, kind, ns, name, rv string) bool { -// rm.mux.RLock() -// defer rm.mux.RUnlock() -// -// key := buildKey(policy, pv, kind, ns, name, rv) -// _, ok := rm.data[key] -// return !ok -//} -// -////Drop drop the cache after every rebuild interval mins -////TODO: or drop based on the size -//func (rm *ResourceManager) Drop() { -// timeSince := time.Since(rm.time) -// glog.V(4).Infof("time since last cache reset time %v is %v", rm.time, timeSince) -// glog.V(4).Infof("cache rebuild time %v", time.Duration(rm.rebuildTime)*time.Second) -// if timeSince > time.Duration(rm.rebuildTime)*time.Second { -// rm.mux.Lock() -// defer rm.mux.Unlock() -// rm.data = map[string]interface{}{} -// rm.time = time.Now() -// glog.V(4).Infof("dropping cache at time %v", rm.time) -// } -//} -//func buildKey(policy, pv, kind, ns, name, rv string) string { -// return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv -//} -// -//func (nsc *NamespaceController) processNamespace(namespace corev1.Namespace) []response.EngineResponse { -// // convert to unstructured -// unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&namespace) -// if err != nil { -// glog.Infof("unable to convert to unstructured, not processing any policies: %v", err) -// return nil -// } -// nsc.rm.Drop() -// -// ns := unstructured.Unstructured{Object: unstr} -// -// // get all the policies that have a generate rule and resource description satisfies the namespace -// // apply policy on resource -// policies := listpolicies(ns, nsc.pMetaStore) -// var engineResponses []response.EngineResponse -// for _, policy := range policies { -// // pre-processing, check if the policy and resource version has been processed before -// if !nsc.rm.ProcessResource(policy.Name, policy.ResourceVersion, ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) { -// glog.V(4).Infof("policy %s with resource version %s already processed on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) -// continue -// } -// engineResponse := applyPolicy(nsc.client, ns, policy, nsc.policyStatus) -// engineResponses = append(engineResponses, engineResponse) -// -// // post-processing, register the resource as processed -// nsc.rm.RegisterResource(policy.GetName(), policy.GetResourceVersion(), ns.GetKind(), ns.GetNamespace(), ns.GetName(), ns.GetResourceVersion()) -// } -// return engineResponses -//} -// -//func generateRuleExists(policy *kyverno.ClusterPolicy) bool { -// for _, rule := range policy.Spec.Rules { -// if rule.Generation != (kyverno.Generation{}) { -// return true -// } -// } -// return false -//} -// -//func (nsc *NamespaceController) processPolicy(policy *kyverno.ClusterPolicy) { -// filteredNamespaces := []*corev1.Namespace{} -// // get namespaces that policy applies on -// namespaces, err := nsc.nsLister.ListResources(labels.NewSelector()) -// if err != nil { -// glog.Errorf("failed to get list namespaces: %v", err) -// return -// } -// for _, namespace := range namespaces { -// // convert to unstructured -// unstr, err := runtime.DefaultUnstructuredConverter.ToUnstructured(namespace) -// if err != nil { -// glog.Infof("unable to convert to unstructured, not processing any policies: %v", err) -// continue -// } -// ns := unstructured.Unstructured{Object: unstr} -// for _, rule := range policy.Spec.Rules { -// if rule.Generation == (kyverno.Generation{}) { -// continue -// } -// ok := engine.MatchesResourceDescription(ns, rule) -// if !ok { -// glog.V(4).Infof("namespace %s does not satisfy the resource description for the policy %s rule %s", ns.GetName(), policy.Name, rule.Name) -// continue -// } -// glog.V(4).Infof("namespace %s satisfies resource description for policy %s rule %s", ns.GetName(), policy.Name, rule.Name) -// filteredNamespaces = append(filteredNamespaces, namespace) -// } -// } -// // list of namespaces that the policy applies on -// for _, ns := range filteredNamespaces { -// glog.V(4).Infof("policy %s with generate rule: namespace %s to be processed ", policy.Name, ns.Name) -// nsc.addNamespace(ns) -// } -//} -// -//func listpolicies(ns unstructured.Unstructured, pMetaStore policystore.LookupInterface) []kyverno.ClusterPolicy { -// var filteredpolicies []kyverno.ClusterPolicy -// glog.V(4).Infof("listing policies for namespace %s", ns.GetName()) -// policies, err := pMetaStore.LookUp(ns.GetKind(), ns.GetNamespace()) -// if err != nil { -// glog.Errorf("failed to get list policies: %v", err) -// return nil -// } -// for _, policy := range policies { -// for _, rule := range policy.Spec.Rules { -// if rule.Generation == (kyverno.Generation{}) { -// continue -// } -// ok := engine.MatchesResourceDescription(ns, rule) -// if !ok { -// glog.V(4).Infof("namespace %s does not satisfy the resource description for the policy %s rule %s", ns.GetName(), policy.Name, rule.Name) -// continue -// } -// glog.V(4).Infof("namespace %s satisfies resource description for policy %s rule %s", ns.GetName(), policy.Name, rule.Name) -// filteredpolicies = append(filteredpolicies, policy) -// } -// } -// return filteredpolicies -//} -// -//func applyPolicy(client *client.Client, resource unstructured.Unstructured, p kyverno.ClusterPolicy, policyStatus policyctr.PolicyStatusInterface) response.EngineResponse { -// var policyStats []policyctr.PolicyStat -// // gather stats from the engine response -// gatherStat := func(policyName string, policyResponse response.PolicyResponse) { -// ps := policyctr.PolicyStat{} -// ps.PolicyName = policyName -// ps.Stats.GenerationExecutionTime = policyResponse.ProcessingTime -// ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount -// // capture rule level stats -// for _, rule := range policyResponse.Rules { -// rs := policyctr.RuleStatinfo{} -// rs.RuleName = rule.Name -// rs.ExecutionTime = rule.RuleStats.ProcessingTime -// if rule.Success { -// rs.RuleAppliedCount++ -// } else { -// rs.RulesFailedCount++ -// } -// ps.Stats.Rules = append(ps.Stats.Rules, rs) -// } -// policyStats = append(policyStats, ps) -// } -// // send stats for aggregation -// sendStat := func(blocked bool) { -// for _, stat := range policyStats { -// stat.Stats.ResourceBlocked = utils.Btoi(blocked) -// //SEND -// policyStatus.SendStat(stat) -// } -// } -// -// startTime := time.Now() -// glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", p.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime) -// defer func() { -// glog.V(4).Infof("Finished applying %s on resource %s/%s/%s (%v)", p.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), time.Since(startTime)) -// }() -// // build context -// ctx := context.NewContext() -// ctx.AddResource(transformResource(resource)) -// -// policyContext := engine.PolicyContext{ -// NewResource: resource, -// Policy: p, -// Client: client, -// Context: ctx, -// } -// engineResponse := engine.Generate(policyContext) -// // gather stats -// gatherStat(p.Name, engineResponse.PolicyResponse) -// //send stats -// sendStat(false) -// -// return engineResponse -//} -// -//func transformResource(resource unstructured.Unstructured) []byte { -// data, err := resource.MarshalJSON() -// if err != nil { -// glog.Errorf("failed to marshall resource %v: %v", resource, err) -// return nil -// } -// return data -//} diff --git a/pkg/namespace/report.go b/pkg/namespace/report.go deleted file mode 100644 index 743f2ab867..0000000000 --- a/pkg/namespace/report.go +++ /dev/null @@ -1,54 +0,0 @@ -package namespace - -//func (nsc *NamespaceController) report(engineResponses []response.EngineResponse) { -// // generate events -// eventInfos := generateEvents(engineResponses) -// nsc.eventGen.Add(eventInfos...) -// // generate policy violations -// pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses) -// nsc.pvGenerator.Add(pvInfos...) -//} -// -//func generateEvents(ers []response.EngineResponse) []event.Info { -// var eventInfos []event.Info -// for _, er := range ers { -// if er.IsSuccesful() { -// continue -// } -// eventInfos = append(eventInfos, generateEventsPerEr(er)...) -// } -// return eventInfos -//} -// -//func generateEventsPerEr(er response.EngineResponse) []event.Info { -// var eventInfos []event.Info -// glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) -// for _, rule := range er.PolicyResponse.Rules { -// if rule.Success { -// continue -// } -// // generate event on resource for each failed rule -// glog.V(4).Infof("generation event on resource '%s/%s' for policy '%s'", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy) -// e := event.Info{} -// e.Kind = er.PolicyResponse.Resource.Kind -// e.Namespace = "" // event generate on namespace resource -// e.Name = er.PolicyResponse.Resource.Name -// e.Reason = "Failure" -// e.Source = event.GeneratePolicyController -// e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' not satisfied. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message) -// eventInfos = append(eventInfos, e) -// } -// if er.IsSuccesful() { -// return eventInfos -// } -// // generate a event on policy for all failed rules -// glog.V(4).Infof("generation event on policy '%s'", er.PolicyResponse.Policy) -// e := event.Info{} -// e.Kind = "ClusterPolicy" -// e.Namespace = "" -// e.Name = er.PolicyResponse.Policy -// e.Reason = "Failure" -// e.Source = event.GeneratePolicyController -// e.Message = fmt.Sprintf("policy '%s' rules '%v' on resource '%s/%s/%s' not stasified", er.PolicyResponse.Policy, er.GetFailedRules(), er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) -// return eventInfos -//} From 736c18ea46011afd1b8244b05fd3dd901fb47704 Mon Sep 17 00:00:00 2001 From: shravan Date: Fri, 7 Feb 2020 16:53:38 +0530 Subject: [PATCH 11/22] 644 logical error fixes prototype --- pkg/engine/utils.go | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 66c525a820..d106c4e54b 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -69,7 +69,7 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin //MatchesResourceDescription checks if the resource matches resource desription of the rule or not func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) error { - var err = make(chan error, 9) + var err = make(chan error, 6) var wg sync.WaitGroup wg.Add(9) @@ -126,28 +126,23 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno // Exclude // exclude := rule.ExcludeResources.ResourceDescription + var excludeCondition = make(chan bool, 4) go func() { if len(exclude.Kinds) > 0 { - if checkKind(exclude.Kinds, resource.GetKind()) { - err <- fmt.Errorf("resource kind has been excluded by the given rule") - } + excludeCondition <- checkKind(exclude.Kinds, resource.GetKind()) } wg.Done() }() go func() { if exclude.Name != "" { - if checkName(exclude.Name, resource.GetName()) { - err <- fmt.Errorf("resource name has been excluded by the given rule") - } + excludeCondition <- checkName(exclude.Name, resource.GetName()) } wg.Done() }() go func() { if len(exclude.Namespaces) > 0 { - if checkNameSpace(exclude.Namespaces, resource.GetNamespace()) { - err <- fmt.Errorf("resource namespace has been excluded by the given rule") - } + excludeCondition <- checkNameSpace(exclude.Namespaces, resource.GetNamespace()) } wg.Done() }() @@ -155,11 +150,10 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno if exclude.Selector != nil { hasPassed, rerr := checkSelector(exclude.Selector, resource.GetLabels()) if rerr != nil { - err <- fmt.Errorf("could not parse selector block of the policy in exclude: %v", rerr) + glog.V(4).Infof("could not parse selector block of the policy in exclude: %v", rerr) + excludeCondition <- false } else { - if hasPassed { - err <- fmt.Errorf("resource has been excluded by the given rules selector block") - } + excludeCondition <- hasPassed } } wg.Done() @@ -167,7 +161,20 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno wg.Wait() close(err) - // recieve all failed conditions + close(excludeCondition) + + var isResourceExcluded = true + for hasPassed := range excludeCondition { + if !hasPassed { + isResourceExcluded = false + break + } + } + if isResourceExcluded { + err <- fmt.Errorf("resource has been excluded since the resource matches the exclude block of the rule") + } + + // receive all failed conditions var failedConditions []error for failedCondition := range err { if failedCondition != nil { From c8fd7f6a910dd5286eaaa99a594df52e82c5c21f Mon Sep 17 00:00:00 2001 From: shravan Date: Fri, 7 Feb 2020 18:11:47 +0530 Subject: [PATCH 12/22] 644 simplyifying solution --- pkg/engine/rbac/rbacValidation.go | 53 ++++++--- pkg/engine/rbac/rbacValidation_test.go | 5 +- pkg/engine/utils.go | 146 +++++++++++-------------- 3 files changed, 106 insertions(+), 98 deletions(-) diff --git a/pkg/engine/rbac/rbacValidation.go b/pkg/engine/rbac/rbacValidation.go index 483832e1a9..53fff84078 100644 --- a/pkg/engine/rbac/rbacValidation.go +++ b/pkg/engine/rbac/rbacValidation.go @@ -2,6 +2,7 @@ package rbac import ( "reflect" + "sync" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" utils "github.com/nirmata/kyverno/pkg/utils" @@ -63,24 +64,46 @@ func validateMatch(match kyverno.MatchResources, requestInfo kyverno.RequestInfo // validateExclude return true if none of the above found in requestInfo // otherwise return false immediately means rule should not be applied func validateExclude(exclude kyverno.ExcludeResources, requestInfo kyverno.RequestInfo) bool { - if len(exclude.Roles) > 0 { - if matchRoleRefs(exclude.Roles, requestInfo.Roles) { - return false + if reflect.DeepEqual(exclude, kyverno.ExcludeResources{}) { + return true + } + + var conditions = make(chan bool, 3) + var wg sync.WaitGroup + wg.Add(3) + go func() { + if len(exclude.Roles) > 0 { + conditions <- matchRoleRefs(exclude.Roles, requestInfo.Roles) + } + wg.Done() + }() + + go func() { + if len(exclude.ClusterRoles) > 0 { + conditions <- matchRoleRefs(exclude.ClusterRoles, requestInfo.ClusterRoles) + } + wg.Done() + }() + + go func() { + if len(exclude.Subjects) > 0 { + conditions <- matchSubjects(exclude.Subjects, requestInfo.AdmissionUserInfo) + } + wg.Done() + }() + + wg.Wait() + close(conditions) + + var isValid bool + for hasPassed := range conditions { + if !hasPassed { + isValid = true + break } } - if len(exclude.ClusterRoles) > 0 { - if matchRoleRefs(exclude.ClusterRoles, requestInfo.ClusterRoles) { - return false - } - } - - if len(exclude.Subjects) > 0 { - if matchSubjects(exclude.Subjects, requestInfo.AdmissionUserInfo) { - return false - } - } - return true + return isValid } // matchRoleRefs return true if one of ruleRoleRefs exist in resourceRoleRefs diff --git a/pkg/engine/rbac/rbacValidation_test.go b/pkg/engine/rbac/rbacValidation_test.go index f08ab5df0e..2bc3229baa 100644 --- a/pkg/engine/rbac/rbacValidation_test.go +++ b/pkg/engine/rbac/rbacValidation_test.go @@ -2,6 +2,7 @@ package rbac import ( "flag" + "fmt" "testing" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" @@ -100,8 +101,8 @@ func Test_matchAdmissionInfo(t *testing.T) { }, } - for _, test := range tests { - assert.Assert(t, test.expected == MatchAdmissionInfo(test.rule, test.info)) + for i, test := range tests { + assert.Assert(t, test.expected == MatchAdmissionInfo(test.rule, test.info), "failed for "+fmt.Sprint(i+1)) } } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index d106c4e54b..95e3ed9088 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -4,6 +4,7 @@ import ( "encoding/json" "errors" "fmt" + "reflect" "sync" "time" @@ -66,130 +67,113 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin return false, nil } -//MatchesResourceDescription checks if the resource matches resource desription of the rule or not -func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) error { - - var err = make(chan error, 6) +func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, resource unstructured.Unstructured) []error { var wg sync.WaitGroup - wg.Add(9) - + wg.Add(4) + var errs = make(chan error, 4) go func() { - if !rbac.MatchAdmissionInfo(rule, admissionInfo) { - err <- fmt.Errorf("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) - } - wg.Done() - }() - - // - // Match - // - matches := rule.MatchResources.ResourceDescription - - go func() { - if !checkKind(matches.Kinds, resource.GetKind()) { - err <- fmt.Errorf("resource kind does not match rule") - } - wg.Done() - }() - go func() { - if matches.Name != "" { - if !checkName(matches.Name, resource.GetName()) { - err <- fmt.Errorf("resource name does not match rule") + if len(conditionBlock.Kinds) > 0 { + if !checkKind(conditionBlock.Kinds, resource.GetKind()) { + errs <- fmt.Errorf("resource kind does not match conditionBlock") } } wg.Done() }() go func() { - if len(matches.Namespaces) > 0 { - if !checkNameSpace(matches.Namespaces, resource.GetNamespace()) { - err <- fmt.Errorf("resource namespace does not match rule") + if conditionBlock.Name != "" { + if !checkName(conditionBlock.Name, resource.GetName()) { + errs <- fmt.Errorf("resource name does not match conditionBlock") } } wg.Done() }() go func() { - if matches.Selector != nil { - hasPassed, rerr := checkSelector(matches.Selector, resource.GetLabels()) - if rerr != nil { - err <- fmt.Errorf("could not parse selector block of the policy in match: %v", rerr) + if len(conditionBlock.Namespaces) > 0 { + if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) { + errs <- fmt.Errorf("resource namespace does not match conditionBlock") + } + } + wg.Done() + }() + go func() { + if conditionBlock.Selector != nil { + hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels()) + if err != nil { + errs <- fmt.Errorf("could not parse selector block of the policy in conditionBlock: %v", err) } else { if !hasPassed { - err <- fmt.Errorf("resource does not match given rules selector block") + errs <- fmt.Errorf("resource does not match selector of given conditionBlock") } } } wg.Done() }() + wg.Wait() + close(errs) - // - // Exclude - // - exclude := rule.ExcludeResources.ResourceDescription - var excludeCondition = make(chan bool, 4) + var errsIfAny []error + for err := range errs { + errsIfAny = append(errsIfAny, err) + } + + return errsIfAny +} + +//MatchesResourceDescription checks if the resource matches resource description of the rule or not +func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) error { + var errs = make(chan error, 6) + var wg sync.WaitGroup + wg.Add(3) go func() { - if len(exclude.Kinds) > 0 { - excludeCondition <- checkKind(exclude.Kinds, resource.GetKind()) + if !rbac.MatchAdmissionInfo(rule, admissionInfo) { + errs <- fmt.Errorf("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", + rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) } wg.Done() }() + + // checking if resource matches the rule go func() { - if exclude.Name != "" { - excludeCondition <- checkName(exclude.Name, resource.GetName()) + if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) { + matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, resource) + for _, matchErr := range matchErrs { + errs <- matchErr + } + } else { + errs <- fmt.Errorf("match block in rule cannot be empty") } wg.Done() }() + + // checking if resource has been excluded go func() { - if len(exclude.Namespaces) > 0 { - excludeCondition <- checkNameSpace(exclude.Namespaces, resource.GetNamespace()) - } - wg.Done() - }() - go func() { - if exclude.Selector != nil { - hasPassed, rerr := checkSelector(exclude.Selector, resource.GetLabels()) - if rerr != nil { - glog.V(4).Infof("could not parse selector block of the policy in exclude: %v", rerr) - excludeCondition <- false - } else { - excludeCondition <- hasPassed + if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) { + excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, resource) + if excludeErrs == nil { + errs <- fmt.Errorf("resource has been excluded since it matches the exclude block") } } wg.Done() }() wg.Wait() - close(err) - close(excludeCondition) + close(errs) - var isResourceExcluded = true - for hasPassed := range excludeCondition { - if !hasPassed { - isResourceExcluded = false - break - } - } - if isResourceExcluded { - err <- fmt.Errorf("resource has been excluded since the resource matches the exclude block of the rule") - } - - // receive all failed conditions - var failedConditions []error - for failedCondition := range err { - if failedCondition != nil { - failedConditions = append(failedConditions, failedCondition) - } + var reasonsForFailure []error + for err := range errs { + reasonsForFailure = append(reasonsForFailure, err) } + // creating final error var errorMessage = "rule has failed to match resource for the following reasons:" - for i, failedCondition := range failedConditions { - if failedCondition != nil { - errorMessage += "\n" + fmt.Sprint(i+1) + ". " + failedCondition.Error() + for i, reasonForFailure := range reasonsForFailure { + if reasonForFailure != nil { + errorMessage += "\n" + fmt.Sprint(i+1) + ". " + reasonForFailure.Error() } } - if len(failedConditions) > 0 { + if len(reasonsForFailure) > 0 { return errors.New(errorMessage) } From c7bed6f3fff46dd5f51afe2dd45b9480772b7d4f Mon Sep 17 00:00:00 2001 From: shravan Date: Fri, 7 Feb 2020 18:36:17 +0530 Subject: [PATCH 13/22] 644 save commit for testcases --- pkg/engine/utils_test.go | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 16236abac6..587b87eab6 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -13,6 +13,27 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +func TestMatchesResourceDescription(t *testing.T) { + tcs := []struct { + Description string + AdmissionInfo kyverno.RequestInfo + Resource []byte + Rule []byte + areErrorsExpected bool + }{ + { + + Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), + Rule: []byte(`{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`), + areErrorsExpected: false, + }, + } + + for range tcs { + } + +} + // Match multiple kinds func TestResourceDescriptionMatch_MultipleKind(t *testing.T) { rawResource := []byte(`{ From b32b52224de0278ab821cb2de3abd65082d701d2 Mon Sep 17 00:00:00 2001 From: shravan Date: Sun, 9 Feb 2020 12:34:59 +0530 Subject: [PATCH 14/22] 644 added test to verify usage --- pkg/engine/utils_test.go | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 587b87eab6..7e7d29cb15 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -18,20 +18,36 @@ func TestMatchesResourceDescription(t *testing.T) { Description string AdmissionInfo kyverno.RequestInfo Resource []byte - Rule []byte + Policy []byte areErrorsExpected bool }{ { - + Description: "", + AdmissionInfo: kyverno.RequestInfo{ + ClusterRoles: []string{"admin"}, + }, Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), - Rule: []byte(`{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: false, }, } - for range tcs { - } + for _, tc := range tcs { + var policy kyverno.Policy + json.Unmarshal(tc.Policy, &policy) + resource, _ := utils.ConvertToUnstructured(tc.Resource) + for _, rule := range policy.Spec.Rules { + err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo) + if err != nil && !tc.areErrorsExpected { + t.Errorf("Unexpected error: %v", err) + } else { + if tc.areErrorsExpected { + t.Errorf("Expected Error but recievd no error") + } + } + } + } } // Match multiple kinds From 122d1bd5faeac0adba6712b2badb7569ab7447a9 Mon Sep 17 00:00:00 2001 From: shravan Date: Sun, 9 Feb 2020 13:12:27 +0530 Subject: [PATCH 15/22] 644 removed userinfo validation --- pkg/engine/rbac/rbacValidation.go | 140 ----------- pkg/engine/rbac/rbacValidation_test.go | 306 ------------------------- pkg/engine/utils.go | 97 ++++++-- 3 files changed, 81 insertions(+), 462 deletions(-) delete mode 100644 pkg/engine/rbac/rbacValidation.go delete mode 100644 pkg/engine/rbac/rbacValidation_test.go diff --git a/pkg/engine/rbac/rbacValidation.go b/pkg/engine/rbac/rbacValidation.go deleted file mode 100644 index 53fff84078..0000000000 --- a/pkg/engine/rbac/rbacValidation.go +++ /dev/null @@ -1,140 +0,0 @@ -package rbac - -import ( - "reflect" - "sync" - - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - utils "github.com/nirmata/kyverno/pkg/utils" - authenticationv1 "k8s.io/api/authentication/v1" - rbacv1 "k8s.io/api/rbac/v1" -) - -const ( - //SaPrefix defines the prefix for service accounts - SaPrefix = "system:serviceaccount:" -) - -// MatchAdmissionInfo return true if the rule can be applied to the request -func MatchAdmissionInfo(rule kyverno.Rule, requestInfo kyverno.RequestInfo) bool { - // when processing existing resource, it does not contain requestInfo - // skip permission checking - if reflect.DeepEqual(requestInfo, kyverno.RequestInfo{}) { - return true - } - - if !validateMatch(rule.MatchResources, requestInfo) { - return false - } - - return validateExclude(rule.ExcludeResources, requestInfo) -} - -// match: -// roles: role1, role2 -// clusterRoles: clusterRole1,clusterRole2 -// subjects: subject1, subject2 -// validateMatch return true if (role1 || role2) and (clusterRole1 || clusterRole2) -// and (subject1 || subject2) are found in requestInfo, OR operation for each list -func validateMatch(match kyverno.MatchResources, requestInfo kyverno.RequestInfo) bool { - if len(match.Roles) > 0 { - if !matchRoleRefs(match.Roles, requestInfo.Roles) { - return false - } - } - - if len(match.ClusterRoles) > 0 { - if !matchRoleRefs(match.ClusterRoles, requestInfo.ClusterRoles) { - return false - } - } - - if len(match.Subjects) > 0 { - if !matchSubjects(match.Subjects, requestInfo.AdmissionUserInfo) { - return false - } - } - return true -} - -// exclude: -// roles: role1, role2 -// clusterRoles: clusterRole1,clusterRole2 -// subjects: subject1, subject2 -// validateExclude return true if none of the above found in requestInfo -// otherwise return false immediately means rule should not be applied -func validateExclude(exclude kyverno.ExcludeResources, requestInfo kyverno.RequestInfo) bool { - if reflect.DeepEqual(exclude, kyverno.ExcludeResources{}) { - return true - } - - var conditions = make(chan bool, 3) - var wg sync.WaitGroup - wg.Add(3) - go func() { - if len(exclude.Roles) > 0 { - conditions <- matchRoleRefs(exclude.Roles, requestInfo.Roles) - } - wg.Done() - }() - - go func() { - if len(exclude.ClusterRoles) > 0 { - conditions <- matchRoleRefs(exclude.ClusterRoles, requestInfo.ClusterRoles) - } - wg.Done() - }() - - go func() { - if len(exclude.Subjects) > 0 { - conditions <- matchSubjects(exclude.Subjects, requestInfo.AdmissionUserInfo) - } - wg.Done() - }() - - wg.Wait() - close(conditions) - - var isValid bool - for hasPassed := range conditions { - if !hasPassed { - isValid = true - break - } - } - - return isValid -} - -// matchRoleRefs return true if one of ruleRoleRefs exist in resourceRoleRefs -func matchRoleRefs(ruleRoleRefs, resourceRoleRefs []string) bool { - for _, ruleRoleRef := range ruleRoleRefs { - if utils.ContainsString(resourceRoleRefs, ruleRoleRef) { - return true - } - } - return false -} - -// matchSubjects return true if one of ruleSubjects exist in userInfo -func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.UserInfo) bool { - userGroups := append(userInfo.Groups, userInfo.Username) - for _, subject := range ruleSubjects { - switch subject.Kind { - case "ServiceAccount": - if len(userInfo.Username) <= len(SaPrefix) { - continue - } - subjectServiceAccount := subject.Namespace + ":" + subject.Name - if userInfo.Username[len(SaPrefix):] == subjectServiceAccount { - return true - } - case "User", "Group": - if utils.ContainsString(userGroups, subject.Name) { - return true - } - } - } - - return false -} diff --git a/pkg/engine/rbac/rbacValidation_test.go b/pkg/engine/rbac/rbacValidation_test.go deleted file mode 100644 index 2bc3229baa..0000000000 --- a/pkg/engine/rbac/rbacValidation_test.go +++ /dev/null @@ -1,306 +0,0 @@ -package rbac - -import ( - "flag" - "fmt" - "testing" - - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - "gotest.tools/assert" - authenticationv1 "k8s.io/api/authentication/v1" - rbacv1 "k8s.io/api/rbac/v1" -) - -func Test_matchAdmissionInfo(t *testing.T) { - flag.Parse() - flag.Set("logtostderr", "true") - flag.Set("v", "3") - tests := []struct { - rule kyverno.Rule - info kyverno.RequestInfo - expected bool - }{ - { - rule: kyverno.Rule{ - MatchResources: kyverno.MatchResources{}, - }, - info: kyverno.RequestInfo{}, - expected: true, - }, - { - rule: kyverno.Rule{ - MatchResources: kyverno.MatchResources{ - UserInfo: kyverno.UserInfo{ - Roles: []string{"ns-a:role-a"}, - }, - }, - }, - info: kyverno.RequestInfo{ - Roles: []string{"ns-a:role-a"}, - }, - expected: true, - }, - { - rule: kyverno.Rule{ - MatchResources: kyverno.MatchResources{ - UserInfo: kyverno.UserInfo{ - Roles: []string{"ns-a:role-a"}, - }, - }, - }, - info: kyverno.RequestInfo{ - Roles: []string{"ns-a:role"}, - }, - expected: false, - }, - { - rule: kyverno.Rule{ - MatchResources: kyverno.MatchResources{ - UserInfo: kyverno.UserInfo{ - Subjects: testSubjects(), - }, - }, - }, - info: kyverno.RequestInfo{ - AdmissionUserInfo: authenticationv1.UserInfo{ - Username: "serviceaccount:mynamespace:mysa", - }, - }, - expected: false, - }, - { - rule: kyverno.Rule{ - ExcludeResources: kyverno.ExcludeResources{ - UserInfo: kyverno.UserInfo{ - Subjects: testSubjects(), - }, - }, - }, - info: kyverno.RequestInfo{ - AdmissionUserInfo: authenticationv1.UserInfo{ - UID: "1", - }, - }, - expected: true, - }, - { - rule: kyverno.Rule{ - ExcludeResources: kyverno.ExcludeResources{ - UserInfo: kyverno.UserInfo{ - Subjects: testSubjects(), - }, - }, - }, - info: kyverno.RequestInfo{ - AdmissionUserInfo: authenticationv1.UserInfo{ - Username: "kubernetes-admin", - Groups: []string{"system:masters", "system:authenticated"}, - }, - }, - expected: false, - }, - } - - for i, test := range tests { - assert.Assert(t, test.expected == MatchAdmissionInfo(test.rule, test.info), "failed for "+fmt.Sprint(i+1)) - } -} - -func Test_validateMatch(t *testing.T) { - requestInfo := []struct { - info kyverno.RequestInfo - expected bool - }{ - { - info: kyverno.RequestInfo{ - Roles: []string{}, - }, - expected: false, - }, - { - info: kyverno.RequestInfo{ - Roles: []string{"ns-b:role-b"}, - }, - expected: true, - }, - { - info: kyverno.RequestInfo{ - Roles: []string{"ns:role"}, - }, - expected: false, - }, - } - - matchRoles := kyverno.MatchResources{ - UserInfo: kyverno.UserInfo{ - Roles: []string{"ns-a:role-a", "ns-b:role-b"}, - }, - } - - for _, info := range requestInfo { - assert.Assert(t, info.expected == validateMatch(matchRoles, info.info)) - } - - requestInfo = []struct { - info kyverno.RequestInfo - expected bool - }{ - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{}, - }, - expected: false, - }, - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{"role-b"}, - }, - expected: false, - }, - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{"clusterrole-b"}, - }, - expected: true, - }, - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{"clusterrole-a", "clusterrole-b"}, - }, - expected: true, - }, - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{"fake-a", "fake-b"}, - }, - expected: false, - }, - } - - matchClusterRoles := kyverno.MatchResources{ - UserInfo: kyverno.UserInfo{ - ClusterRoles: []string{"clusterrole-a", "clusterrole-b"}, - }, - } - - for _, info := range requestInfo { - assert.Assert(t, info.expected == validateMatch(matchClusterRoles, info.info)) - } -} - -func Test_validateExclude(t *testing.T) { - requestInfo := []struct { - info kyverno.RequestInfo - expected bool - }{ - { - info: kyverno.RequestInfo{ - Roles: []string{}, - }, - expected: true, - }, - { - info: kyverno.RequestInfo{ - Roles: []string{"ns-b:role-b"}, - }, - expected: false, - }, - { - info: kyverno.RequestInfo{ - Roles: []string{"ns:role"}, - }, - expected: true, - }, - } - - excludeRoles := kyverno.ExcludeResources{ - UserInfo: kyverno.UserInfo{ - Roles: []string{"ns-a:role-a", "ns-b:role-b"}, - }, - } - - for _, info := range requestInfo { - assert.Assert(t, info.expected == validateExclude(excludeRoles, info.info)) - } - - requestInfo = []struct { - info kyverno.RequestInfo - expected bool - }{ - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{}, - }, - expected: true, - }, - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{"role-b"}, - }, - expected: true, - }, - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{"clusterrole-b"}, - }, - expected: false, - }, - { - info: kyverno.RequestInfo{ - ClusterRoles: []string{"fake-a", "fake-b"}, - }, - expected: true, - }, - } - - excludeClusterRoles := kyverno.ExcludeResources{ - UserInfo: kyverno.UserInfo{ - ClusterRoles: []string{"clusterrole-a", "clusterrole-b"}, - }, - } - - for _, info := range requestInfo { - assert.Assert(t, info.expected == validateExclude(excludeClusterRoles, info.info)) - } -} - -func Test_matchSubjects(t *testing.T) { - group := authenticationv1.UserInfo{ - Username: "kubernetes-admin", - Groups: []string{"system:masters", "system:authenticated"}, - } - - sa := authenticationv1.UserInfo{ - Username: "system:serviceaccount:mynamespace:mysa", - Groups: []string{"system:serviceaccounts", "system:serviceaccounts:mynamespace", "system:authenticated"}, - } - - user := authenticationv1.UserInfo{ - Username: "system:kube-scheduler", - Groups: []string{"system:authenticated"}, - } - - subjects := testSubjects() - - assert.Assert(t, matchSubjects(subjects, sa)) - assert.Assert(t, !matchSubjects(subjects, user)) - assert.Assert(t, matchSubjects(subjects, group)) -} - -func testSubjects() []rbacv1.Subject { - return []rbacv1.Subject{ - { - Kind: "User", - Name: "kube-scheduler", - }, - { - Kind: "Group", - Name: "system:masters", - }, - { - Kind: "ServiceAccount", - Name: "mysa", - Namespace: "mynamespace", - }, - } -} diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 95e3ed9088..a0338e6192 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -8,7 +8,9 @@ import ( "sync" "time" - "github.com/nirmata/kyverno/pkg/engine/rbac" + "github.com/nirmata/kyverno/pkg/utils" + authenticationv1 "k8s.io/api/authentication/v1" + rbacv1 "k8s.io/api/rbac/v1" "github.com/golang/glog" @@ -67,10 +69,10 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin return false, nil } -func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, resource unstructured.Unstructured) []error { +func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, userInfo kyverno.UserInfo, admissionInfo kyverno.RequestInfo, resource unstructured.Unstructured) []error { var wg sync.WaitGroup - wg.Add(4) - var errs = make(chan error, 4) + wg.Add(7) + var errs = make(chan error, 7) go func() { if len(conditionBlock.Kinds) > 0 { if !checkKind(conditionBlock.Kinds, resource.GetKind()) { @@ -108,6 +110,36 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, } wg.Done() }() + + if !reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) { + go func() { + if len(userInfo.Roles) > 0 { + if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) { + errs <- fmt.Errorf("user info does not match roles for the given conditionBlock") + } + } + wg.Done() + }() + + go func() { + if len(userInfo.ClusterRoles) > 0 { + if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { + errs <- fmt.Errorf("user info does not match clustersRoles for the given conditionBlock") + } + } + wg.Done() + }() + + go func() { + if len(userInfo.Subjects) > 0 { + if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) { + errs <- fmt.Errorf("user info does not match subject for the given conditionBlock") + } + } + wg.Done() + }() + } + wg.Wait() close(errs) @@ -119,24 +151,57 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, return errsIfAny } +// matchSubjects return true if one of ruleSubjects exist in userInfo +func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.UserInfo) bool { + const SaPrefix = "system:serviceaccount:" + + userGroups := append(userInfo.Groups, userInfo.Username) + for _, subject := range ruleSubjects { + switch subject.Kind { + case "ServiceAccount": + if len(userInfo.Username) <= len(SaPrefix) { + continue + } + subjectServiceAccount := subject.Namespace + ":" + subject.Name + if userInfo.Username[len(SaPrefix):] == subjectServiceAccount { + return true + } + case "User", "Group": + if utils.ContainsString(userGroups, subject.Name) { + return true + } + } + } + + return false +} + +func doesSliceContainsAnyOfTheseValues(slice []string, values ...string) bool { + + var sliceElementsMap = make(map[string]bool, len(slice)) + for _, sliceElement := range slice { + sliceElementsMap[sliceElement] = true + } + + for _, value := range values { + if sliceElementsMap[value] { + return true + } + } + + return false +} + //MatchesResourceDescription checks if the resource matches resource description of the rule or not func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) error { - var errs = make(chan error, 6) + var errs = make(chan error, 8) var wg sync.WaitGroup - wg.Add(3) - - go func() { - if !rbac.MatchAdmissionInfo(rule, admissionInfo) { - errs <- fmt.Errorf("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v", - rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), admissionInfo) - } - wg.Done() - }() + wg.Add(2) // checking if resource matches the rule go func() { if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) { - matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, resource) + matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource) for _, matchErr := range matchErrs { errs <- matchErr } @@ -149,7 +214,7 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno // checking if resource has been excluded go func() { if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) { - excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, resource) + excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource) if excludeErrs == nil { errs <- fmt.Errorf("resource has been excluded since it matches the exclude block") } From a969a38c8156d27aebcf1b563289c3c1f73bc014 Mon Sep 17 00:00:00 2001 From: shravan Date: Sun, 9 Feb 2020 19:11:25 +0530 Subject: [PATCH 16/22] 644 working version need to add more tests --- pkg/engine/utils.go | 48 +++++++++++++++++++++------------------- pkg/engine/utils_test.go | 25 +++++++++++++++++---- 2 files changed, 46 insertions(+), 27 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index a0338e6192..2eed09d48c 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -111,34 +111,32 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, wg.Done() }() - if !reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) { - go func() { - if len(userInfo.Roles) > 0 { - if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) { - errs <- fmt.Errorf("user info does not match roles for the given conditionBlock") - } + go func() { + if len(userInfo.Roles) > 0 { + if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) { + errs <- fmt.Errorf("user info does not match roles for the given conditionBlock") } - wg.Done() - }() + } + wg.Done() + }() - go func() { - if len(userInfo.ClusterRoles) > 0 { - if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { - errs <- fmt.Errorf("user info does not match clustersRoles for the given conditionBlock") - } + go func() { + if len(userInfo.ClusterRoles) > 0 { + if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { + errs <- fmt.Errorf("user info does not match clustersRoles for the given conditionBlock") } - wg.Done() - }() + } + wg.Done() + }() - go func() { - if len(userInfo.Subjects) > 0 { - if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) { - errs <- fmt.Errorf("user info does not match subject for the given conditionBlock") - } + go func() { + if len(userInfo.Subjects) > 0 { + if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) { + errs <- fmt.Errorf("user info does not match subject for the given conditionBlock") } - wg.Done() - }() - } + } + wg.Done() + }() wg.Wait() close(errs) @@ -198,6 +196,10 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno var wg sync.WaitGroup wg.Add(2) + if reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) { + rule.MatchResources.UserInfo = kyverno.UserInfo{} + } + // checking if resource matches the rule go func() { if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) { diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 7e7d29cb15..8354aa00fe 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -30,20 +30,37 @@ func TestMatchesResourceDescription(t *testing.T) { Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: false, }, + { + Description: "", + AdmissionInfo: kyverno.RequestInfo{ + ClusterRoles: []string{"system:node"}, + }, + Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + areErrorsExpected: true, + }, + { + Description: "", + Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + areErrorsExpected: false, + }, } - for _, tc := range tcs { + for i, tc := range tcs { var policy kyverno.Policy json.Unmarshal(tc.Policy, &policy) resource, _ := utils.ConvertToUnstructured(tc.Resource) for _, rule := range policy.Spec.Rules { err := MatchesResourceDescription(*resource, rule, tc.AdmissionInfo) - if err != nil && !tc.areErrorsExpected { - t.Errorf("Unexpected error: %v", err) + if err != nil { + if !tc.areErrorsExpected { + t.Errorf("Testcase %d Unexpected error: %v", i+1, err) + } } else { if tc.areErrorsExpected { - t.Errorf("Expected Error but recievd no error") + t.Errorf("Testcase %d Expected Error but recieved no error", i+1) } } } From 99e54e28d85ba306c9ef457d9f21be300a9039a6 Mon Sep 17 00:00:00 2001 From: shravan Date: Sun, 9 Feb 2020 19:15:39 +0530 Subject: [PATCH 17/22] 644 fixing compilation issue --- pkg/engine/utils.go | 9 --------- pkg/userinfo/roleRef.go | 8 ++++---- 2 files changed, 4 insertions(+), 13 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 2eed09d48c..9750aa5ec2 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -286,15 +286,6 @@ func ParseNamespaceFromObject(bytes []byte) string { return "" } -func findKind(kinds []string, kindGVK string) bool { - for _, kind := range kinds { - if kind == kindGVK { - return true - } - } - return false -} - // validateGeneralRuleInfoVariables validate variable subtition defined in // - MatchResources // - ExcludeResources diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go index e0b53b046b..438ac1bd7c 100644 --- a/pkg/userinfo/roleRef.go +++ b/pkg/userinfo/roleRef.go @@ -5,7 +5,6 @@ import ( "strings" "github.com/golang/glog" - "github.com/nirmata/kyverno/pkg/engine/rbac" v1beta1 "k8s.io/api/admission/v1beta1" authenticationv1 "k8s.io/api/authentication/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -16,6 +15,7 @@ import ( const ( clusterrolekind = "ClusterRole" rolekind = "Role" + SaPrefix = "system:serviceaccount:" ) //GetRoleRef gets the list of roles and cluster roles for the incoming api-request @@ -97,7 +97,7 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo } func isServiceaccountUserInfo(username string) bool { - if strings.Contains(username, rbac.SaPrefix) { + if strings.Contains(username, SaPrefix) { return true } return false @@ -107,8 +107,8 @@ func isServiceaccountUserInfo(username string) bool { // serviceaccount represents as saPrefix:namespace:name in userInfo func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool { subjectServiceAccount := subject.Namespace + ":" + subject.Name - if userInfo.Username[len(rbac.SaPrefix):] != subjectServiceAccount { - glog.V(3).Infof("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(rbac.SaPrefix):]) + if userInfo.Username[len(SaPrefix):] != subjectServiceAccount { + glog.V(3).Infof("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]) return false } From 17da6217e02209b8686b536bf7310e3a578ca42d Mon Sep 17 00:00:00 2001 From: shravan Date: Sun, 9 Feb 2020 19:28:51 +0530 Subject: [PATCH 18/22] 644 circle ci changes --- pkg/userinfo/roleRef.go | 9 +-------- pkg/userinfo/roleRef_test.go | 21 --------------------- 2 files changed, 1 insertion(+), 29 deletions(-) diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go index 438ac1bd7c..6c5ebe1bd3 100644 --- a/pkg/userinfo/roleRef.go +++ b/pkg/userinfo/roleRef.go @@ -88,7 +88,7 @@ func getRoleRefByClusterRoleBindings(clusterroleBindings []*rbacv1.ClusterRoleBi // subject.kind can only be ServiceAccount, User and Group func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool { // ServiceAccount - if isServiceaccountUserInfo(userInfo.Username) { + if strings.Contains(userInfo.Username, SaPrefix) { return matchServiceAccount(subject, userInfo) } @@ -96,13 +96,6 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo return matchUserOrGroup(subject, userInfo) } -func isServiceaccountUserInfo(username string) bool { - if strings.Contains(username, SaPrefix) { - return true - } - return false -} - // matchServiceAccount checks if userInfo sa matche the subject sa // serviceaccount represents as saPrefix:namespace:name in userInfo func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool { diff --git a/pkg/userinfo/roleRef_test.go b/pkg/userinfo/roleRef_test.go index 229e8394e4..c2aa94cae9 100644 --- a/pkg/userinfo/roleRef_test.go +++ b/pkg/userinfo/roleRef_test.go @@ -11,27 +11,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func Test_isServiceaccountUserInfo(t *testing.T) { - tests := []struct { - username string - expected bool - }{ - { - username: "system:serviceaccount:default:saconfig", - expected: true, - }, - { - username: "serviceaccount:default:saconfig", - expected: false, - }, - } - - for _, test := range tests { - res := isServiceaccountUserInfo(test.username) - assert.Assert(t, test.expected == res) - } -} - func Test_matchServiceAccount_subject_variants(t *testing.T) { userInfo := authenticationv1.UserInfo{ Username: "system:serviceaccount:default:saconfig", From 2d137c856caf6200d1063b7f018ce5359cddfc98 Mon Sep 17 00:00:00 2001 From: shravan Date: Sun, 9 Feb 2020 19:56:38 +0530 Subject: [PATCH 19/22] 644 circle ci changes --- pkg/engine/utils_test.go | 29 +++++++++++++++++++++++++---- pkg/userinfo/roleRef.go | 6 +++--- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 8354aa00fe..494b550602 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -22,7 +22,7 @@ func TestMatchesResourceDescription(t *testing.T) { areErrorsExpected bool }{ { - Description: "", + Description: "Should match pod and not exclude it", AdmissionInfo: kyverno.RequestInfo{ ClusterRoles: []string{"admin"}, }, @@ -31,7 +31,7 @@ func TestMatchesResourceDescription(t *testing.T) { areErrorsExpected: false, }, { - Description: "", + Description: "Should exclude resource since it matches the exclude block", AdmissionInfo: kyverno.RequestInfo{ ClusterRoles: []string{"system:node"}, }, @@ -40,16 +40,37 @@ func TestMatchesResourceDescription(t *testing.T) { areErrorsExpected: true, }, { - Description: "", + Description: "Should not fail if in sync mode, if admission info is empty it should still match resources with specific clusterroles", Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: false, }, + { + Description: "Should fail since resource does not match policy", + AdmissionInfo: kyverno.RequestInfo{ + ClusterRoles: []string{"admin"}, + }, + Resource: []byte(`{"apiVersion":"v1","kind":"Service","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + areErrorsExpected: true, + }, + { + Description: "Should not fail since resource does not match exclude block", + AdmissionInfo: kyverno.RequestInfo{ + ClusterRoles: []string{"system:node"}, + }, + Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world2","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + areErrorsExpected: false, + }, } for i, tc := range tcs { var policy kyverno.Policy - json.Unmarshal(tc.Policy, &policy) + err := json.Unmarshal(tc.Policy, &policy) + if err != nil { + t.Errorf("Testcase %d invalid policy raw", i+1) + } resource, _ := utils.ConvertToUnstructured(tc.Resource) for _, rule := range policy.Spec.Rules { diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go index 6c5ebe1bd3..ac089bc041 100644 --- a/pkg/userinfo/roleRef.go +++ b/pkg/userinfo/roleRef.go @@ -90,10 +90,10 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo // ServiceAccount if strings.Contains(userInfo.Username, SaPrefix) { return matchServiceAccount(subject, userInfo) + } else { + // User or Group + return matchUserOrGroup(subject, userInfo) } - - // User or Group - return matchUserOrGroup(subject, userInfo) } // matchServiceAccount checks if userInfo sa matche the subject sa From 9f36141e3cb35d3993253904a2cc4770aa8fc5f7 Mon Sep 17 00:00:00 2001 From: shravan Date: Sun, 9 Feb 2020 20:52:45 +0530 Subject: [PATCH 20/22] 644 creating deepcopies of function inputs and fixing test policy raw --- pkg/engine/utils.go | 6 +++++- pkg/engine/utils_test.go | 12 ++++++------ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 9750aa5ec2..9353f2f265 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -191,7 +191,11 @@ func doesSliceContainsAnyOfTheseValues(slice []string, values ...string) bool { } //MatchesResourceDescription checks if the resource matches resource description of the rule or not -func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno.Rule, admissionInfo kyverno.RequestInfo) error { +func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo) error { + rule := *ruleRef.DeepCopy() + resource := *resourceRef.DeepCopy() + admissionInfo := *admissionInfoRef.DeepCopy() + var errs = make(chan error, 8) var wg sync.WaitGroup wg.Add(2) diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 08394b9ce3..96bb2f9631 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -27,7 +27,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), - Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterRoles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: false, }, { @@ -36,13 +36,13 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"system:node"}, }, Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), - Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterRoles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: true, }, { - Description: "Should not fail if in sync mode, if admission info is empty it should still match resources with specific clusterroles", + Description: "Should not fail if in sync mode, if admission info is empty it should still match resources with specific clusterRoles", Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), - Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterRoles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: false, }, { @@ -51,7 +51,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"admin"}, }, Resource: []byte(`{"apiVersion":"v1","kind":"Service","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), - Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterRoles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: true, }, { @@ -60,7 +60,7 @@ func TestMatchesResourceDescription(t *testing.T) { ClusterRoles: []string{"system:node"}, }, Resource: []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world2","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`), - Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), + Policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterRoles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`), areErrorsExpected: false, }, } From 38f916961d8cc22a87721bec80c0a016c3a30896 Mon Sep 17 00:00:00 2001 From: shravan Date: Wed, 19 Feb 2020 10:25:51 +0530 Subject: [PATCH 21/22] 644 removed concurrency --- pkg/engine/utils.go | 147 +++++++++++++++----------------------------- 1 file changed, 48 insertions(+), 99 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index 9353f2f265..570ed6cbe8 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -5,7 +5,6 @@ import ( "errors" "fmt" "reflect" - "sync" "time" "github.com/nirmata/kyverno/pkg/utils" @@ -70,83 +69,49 @@ func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[strin } func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, userInfo kyverno.UserInfo, admissionInfo kyverno.RequestInfo, resource unstructured.Unstructured) []error { - var wg sync.WaitGroup - wg.Add(7) - var errs = make(chan error, 7) - go func() { - if len(conditionBlock.Kinds) > 0 { - if !checkKind(conditionBlock.Kinds, resource.GetKind()) { - errs <- fmt.Errorf("resource kind does not match conditionBlock") + var errs []error + if len(conditionBlock.Kinds) > 0 { + if !checkKind(conditionBlock.Kinds, resource.GetKind()) { + errs = append(errs, fmt.Errorf("resource kind does not match conditionBlock")) + } + } + if conditionBlock.Name != "" { + if !checkName(conditionBlock.Name, resource.GetName()) { + errs = append(errs, fmt.Errorf("resource name does not match conditionBlock")) + } + } + if len(conditionBlock.Namespaces) > 0 { + if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) { + errs = append(errs, fmt.Errorf("resource namespace does not match conditionBlock")) + } + } + if conditionBlock.Selector != nil { + hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels()) + if err != nil { + errs = append(errs, fmt.Errorf("could not parse selector block of the policy in conditionBlock: %v", err)) + } else { + if !hasPassed { + errs = append(errs, fmt.Errorf("resource does not match selector of given conditionBlock")) } } - wg.Done() - }() - go func() { - if conditionBlock.Name != "" { - if !checkName(conditionBlock.Name, resource.GetName()) { - errs <- fmt.Errorf("resource name does not match conditionBlock") - } + } + if len(userInfo.Roles) > 0 { + if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) { + errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock")) } - wg.Done() - }() - go func() { - if len(conditionBlock.Namespaces) > 0 { - if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) { - errs <- fmt.Errorf("resource namespace does not match conditionBlock") - } + } + if len(userInfo.ClusterRoles) > 0 { + if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { + errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock")) } - wg.Done() - }() - go func() { - if conditionBlock.Selector != nil { - hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels()) - if err != nil { - errs <- fmt.Errorf("could not parse selector block of the policy in conditionBlock: %v", err) - } else { - if !hasPassed { - errs <- fmt.Errorf("resource does not match selector of given conditionBlock") - } - } + } + if len(userInfo.Subjects) > 0 { + if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) { + errs = append(errs, fmt.Errorf("user info does not match subject for the given conditionBlock")) } - wg.Done() - }() - - go func() { - if len(userInfo.Roles) > 0 { - if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) { - errs <- fmt.Errorf("user info does not match roles for the given conditionBlock") - } - } - wg.Done() - }() - - go func() { - if len(userInfo.ClusterRoles) > 0 { - if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { - errs <- fmt.Errorf("user info does not match clustersRoles for the given conditionBlock") - } - } - wg.Done() - }() - - go func() { - if len(userInfo.Subjects) > 0 { - if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) { - errs <- fmt.Errorf("user info does not match subject for the given conditionBlock") - } - } - wg.Done() - }() - - wg.Wait() - close(errs) - - var errsIfAny []error - for err := range errs { - errsIfAny = append(errsIfAny, err) } - return errsIfAny + return errs } // matchSubjects return true if one of ruleSubjects exist in userInfo @@ -196,44 +161,28 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k resource := *resourceRef.DeepCopy() admissionInfo := *admissionInfoRef.DeepCopy() - var errs = make(chan error, 8) - var wg sync.WaitGroup - wg.Add(2) + var reasonsForFailure []error if reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) { rule.MatchResources.UserInfo = kyverno.UserInfo{} } // checking if resource matches the rule - go func() { - if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) { - matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource) - for _, matchErr := range matchErrs { - errs <- matchErr - } - } else { - errs <- fmt.Errorf("match block in rule cannot be empty") + if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) { + matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource) + for _, matchErr := range matchErrs { + reasonsForFailure = append(reasonsForFailure, matchErr) } - wg.Done() - }() + } else { + reasonsForFailure = append(reasonsForFailure, fmt.Errorf("match block in rule cannot be empty")) + } // checking if resource has been excluded - go func() { - if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) { - excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource) - if excludeErrs == nil { - errs <- fmt.Errorf("resource has been excluded since it matches the exclude block") - } + if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) { + excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource) + if excludeErrs == nil { + reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource has been excluded since it matches the exclude block")) } - wg.Done() - }() - - wg.Wait() - close(errs) - - var reasonsForFailure []error - for err := range errs { - reasonsForFailure = append(reasonsForFailure, err) } // creating final error From 710be633a6388783b7a16e3ecd07d3ab1595329f Mon Sep 17 00:00:00 2001 From: shravan Date: Wed, 19 Feb 2020 10:49:57 +0530 Subject: [PATCH 22/22] 644 golangci issues --- pkg/engine/utils.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index b6125accdd..c97b2eccb8 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -166,9 +166,7 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k // checking if resource matches the rule if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) { matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource) - for _, matchErr := range matchErrs { - reasonsForFailure = append(reasonsForFailure, matchErr) - } + reasonsForFailure = append(reasonsForFailure, matchErrs...) } else { reasonsForFailure = append(reasonsForFailure, fmt.Errorf("match block in rule cannot be empty")) }