Merge branch '529_query' into 518_pod_controller

2025-03-31 03:45:17 +00:00 · 2019-12-20 18:55:08 -08:00 · 2019-12-20 18:55:08 -08:00 · 8be4db3de3
commit 8be4db3de3
parent cc87ea7339 d04f49b5d8
15 changed files with 192 additions and 86 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -31,6 +31,6 @@ after_success:
   if [ $TRAVIS_PULL_REQUEST == 'false' ]
   then
     docker login -u $DOCKER_USER -p $DOCKER_PASSWORD
-#     make docker-publish-initContainer
-#     make docker-publish-kyverno
+    make docker-publish-initContainer
+    make docker-publish-kyverno
   fi
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@ -7,6 +7,7 @@ import (
 	"flag"
 	"os"
 	"sync"
+	"time"

 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
@ -41,7 +42,7 @@ func main() {

 	// DYNAMIC CLIENT
 	// - client for all registered resources
-	client, err := client.NewClient(clientConfig)
+	client, err := client.NewClient(clientConfig, 10*time.Second, stopCh)
 	if err != nil {
 		glog.Fatalf("Error creating client: %v\n", err)
 	}
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -60,12 +60,13 @@ func main() {

 	// DYNAMIC CLIENT
 	// - client for all registered resources
-	client, err := dclient.NewClient(clientConfig)
+	// - invalidate local cache of registered resource every 10 seconds
+	client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh)
 	if err != nil {
 		glog.Fatalf("Error creating client: %v\n", err)
 	}
 	// CRD CHECK
-	// - verify if the CRD for Policy & PolicyViolation are avialalbe
+	// - verify if the CRD for Policy & PolicyViolation are available
 	if !utils.CRDInstalled(client.DiscoveryClient) {
 		glog.Fatalf("Required CRDs unavailable")
 	}
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -257,6 +257,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
@ -333,6 +336,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
@ -415,6 +421,16 @@ subjects:
  name: kyverno-service-account
  namespace: kyverno
 ---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: policyviolation
+rules:
+- apiGroups: ["kyverno.io"]
+  resources:
+  - policyviolations
+  verbs: ["get", "list", "watch"]
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@ -447,7 +463,7 @@ spec:
          image: nirmata/kyvernopre:latest
      containers:
        - name: kyverno
-          image: nirmata/kyverno:v1.0.0
+          image: nirmata/kyverno:latest
          args:
          - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
          # customize webhook timout
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@ -257,6 +257,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
@ -333,6 +336,9 @@ spec:
    type: string
    description: The resource name that caused the violation
    JSONPath: .spec.resource.name
+  - name: Age
+    type: date
+    JSONPath: .metadata.creationTimestamp
  validation:
    openAPIV3Schema:
      properties:
--- a/definitions/rolebinding.yaml
+++ b/definitions/rolebinding.yaml
@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: policyviolation
+  # change namespace below to create rolebinding for the namespace admin
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: policyviolation
+subjects:
+# configure below to access policy violation for the namespace admin
+- kind: ServiceAccount
+  name: default
+  namespace: default
+# - apiGroup: rbac.authorization.k8s.io
+#   kind: User
+#   name: 
+# - apiGroup: rbac.authorization.k8s.io
+#   kind: Group
+#   name: 
--- a/documentation/installation.md
+++ b/documentation/installation.md
@ -81,7 +81,7 @@ Kyverno uses secrets created above to setup TLS communication with the kube-apis

 To install a specific version, change the image tag with git tag in `install.yaml`.

-e.g., change image tag from `latest` to the specific tag `v0.3.0`.
+e.g., change image tag from `latest` to the specific tag `v1.0.0`.
 >>>
    spec:
      containers:
@ -112,6 +112,14 @@ kubectl logs <kyverno-pod-name> -n kyverno
 Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh)


+# Configure a namespace admin to access policy violations
+
+During Kyverno installation, it creates a ClusterRole `policyviolation` which has the `list,get,watch` operation on resource `policyviolations`. To grant access to a namespace admin, configure [definitions/rolebinding.yaml](../definitions/rolebinding.yaml) then apply to the cluster.
+
+- Replace `metadata.namespace` with namespace of the admin
+- Configure `subjects` field to bind admin's role to the ClusterRole `policyviolation`
+
+
 # Installing outside of the cluster (debug mode)

 To build Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@ -36,7 +36,7 @@ type Client struct {
 }

 //NewClient creates new instance of client
-func NewClient(config *rest.Config) (*Client, error) {
+func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}) (*Client, error) {
 	dclient, err := dynamic.NewForConfig(config)
 	if err != nil {
 		return nil, err
@ -52,6 +52,13 @@ func NewClient(config *rest.Config) (*Client, error) {
 	}
 	// Set discovery client
 	discoveryClient := ServerPreferredResources{memory.NewMemCacheClient(kclient.Discovery())}
+	// client will invalidate registered resources cache every x seconds,
+	// As there is no way to identify if the registered resource is available or not
+	// we will be invalidating the local cache, so the next request get a fresh cache
+	// If a resource is removed then and cache is not invalidate yet, we will not detect the removal
+	// but the re-sync shall re-evaluate
+	go discoveryClient.Poll(resync, stopCh)
+
 	client.SetDiscovery(discoveryClient)
 	return &client, nil
 }
@ -266,6 +273,25 @@ type ServerPreferredResources struct {
 	cachedClient discovery.CachedDiscoveryInterface
 }

+//Poll will keep invalidate the local cache
+func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struct{}) {
+	// start a ticker
+	ticker := time.NewTicker(resync)
+	defer func() { ticker.Stop() }()
+	glog.Infof("Starting registered resources sync: every %d seconds", resync)
+	for {
+		select {
+		case <-stopCh:
+			glog.Info("Stopping registered resources sync")
+			return
+		case <-ticker.C:
+			// set cache as stale
+			glog.V(6).Info("invalidating local client cache for registered resources")
+			c.cachedClient.Invalidate()
+		}
+	}
+}
+
 //GetGVRFromKind get the Group Version Resource from kind
 // if kind is not found in first attempt we invalidate the cache,
 // the retry will then fetch the new registered resources and check again
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@ -2,8 +2,6 @@ package engine

 import (
 	"encoding/json"
-	"fmt"
-	"strconv"
 	"strings"
 	"time"

@ -12,10 +10,10 @@ import (
 	"github.com/minio/minio/pkg/wildcard"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
 	"github.com/nirmata/kyverno/pkg/engine/anchor"
-	"github.com/nirmata/kyverno/pkg/utils"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
+	"github.com/nirmata/kyverno/pkg/utils"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
 )

@ -318,28 +316,6 @@ func removeAnchor(key string) string {
 	return key
 }

-// convertToFloat converts string and any other value to float64
-func convertToFloat(value interface{}) (float64, error) {
-	switch typed := value.(type) {
-	case string:
-		var err error
-		floatValue, err := strconv.ParseFloat(typed, 64)
-		if err != nil {
-			return 0, err
-		}
-
-		return floatValue, nil
-	case float64:
-		return typed, nil
-	case int64:
-		return float64(typed), nil
-	case int:
-		return float64(typed), nil
-	default:
-		return 0, fmt.Errorf("Could not convert %T to float64", value)
-	}
-}
-
 type resourceInfo struct {
 	Resource unstructured.Unstructured
 	Gvk      *metav1.GroupVersionKind
--- a/pkg/engine/validate/common.go
+++ b/pkg/engine/validate/common.go
@ -37,6 +37,22 @@ func convertToFloat(value interface{}) (float64, error) {
 	}
 }

+// convertToString converts value to string
+func convertToString(value interface{}) (string, error) {
+	switch typed := value.(type) {
+	case string:
+		return string(typed), nil
+	case float64:
+		return fmt.Sprintf("%f", typed), nil
+	case int64:
+		return strconv.FormatInt(typed, 10), nil
+	case int:
+		return strconv.Itoa(typed), nil
+	default:
+		return "", fmt.Errorf("Could not convert %T to string", value)
+	}
+}
+
 func getRawKeyIfWrappedWithAttributes(str string) string {
 	if len(str) < 2 {
 		return str
--- a/pkg/engine/validate/pattern.go
+++ b/pkg/engine/validate/pattern.go
@ -7,9 +7,17 @@ import (
 	"strings"

 	"github.com/golang/glog"
-
 	"github.com/minio/minio/pkg/wildcard"
 	"github.com/nirmata/kyverno/pkg/engine/operator"
+	apiresource "k8s.io/apimachinery/pkg/api/resource"
+)
+
+type quantity int
+
+const (
+	equal       quantity = 0
+	lessThan    quantity = -1
+	greaterThan quantity = 1
 )

 // ValidateValueWithPattern validates value with operators and wildcards
@ -167,7 +175,7 @@ func validateValueWithStringPattern(value interface{}, pattern string) bool {
 		return validateString(value, str, operator)
 	}

-	return validateNumberWithStr(value, number, str, operator)
+	return validateNumberWithStr(value, pattern, operator)
 }

 // Handler for string values
@ -192,53 +200,50 @@ func validateString(value interface{}, pattern string, operatorVariable operator
 	return false
 }

-// validateNumberWithStr applies wildcard to suffix and operator to numerical part
-func validateNumberWithStr(value interface{}, patternNumber, patternStr string, operator operator.Operator) bool {
-	// pattern has suffix
-	if "" != patternStr {
-		typedValue, ok := value.(string)
-		if !ok {
-			glog.Warningf("Number must have suffix: %s", patternStr)
-			return false
-		}
-
-		valueNumber, valueStr := getNumberAndStringPartsFromPattern(typedValue)
-		if !wildcard.Match(patternStr, valueStr) {
-			glog.Warningf("Suffix %s has not passed wildcard check: %s", valueStr, patternStr)
-			return false
-		}
-
-		return validateNumber(valueNumber, patternNumber, operator)
+// validateNumberWithStr compares quantity if pattern type is quantity
+//  or a wildcard match to pattern string
+func validateNumberWithStr(value interface{}, pattern string, operator operator.Operator) bool {
+	typedValue, err := convertToString(value)
+	if err != nil {
+		glog.Warning(err)
+		return false
 	}

-	return validateNumber(value, patternNumber, operator)
+	patternQuan, err := apiresource.ParseQuantity(pattern)
+	// 1. nil error - quantity comparison
+	if err == nil {
+		valueQuan, err := apiresource.ParseQuantity(typedValue)
+		if err != nil {
+			glog.Warningf("Invalid quantity in resource %s, err: %v\n", typedValue, err)
+			return false
+		}
+
+		return compareQuantity(valueQuan, patternQuan, operator)
+	}
+
+	// 2. wildcard match
+	if !wildcard.Match(pattern, typedValue) {
+		glog.Warningf("Value '%s' has not passed wildcard check: %s", typedValue, pattern)
+		return false
+	}
+	return true
 }

-// validateNumber compares two numbers with operator
-func validateNumber(value, pattern interface{}, operatorVariable operator.Operator) bool {
-	floatPattern, err := convertToFloat(pattern)
-	if err != nil {
-		return false
-	}
-
-	floatValue, err := convertToFloat(value)
-	if err != nil {
-		return false
-	}
-
-	switch operatorVariable {
+func compareQuantity(value, pattern apiresource.Quantity, op operator.Operator) bool {
+	result := value.Cmp(pattern)
+	switch op {
 	case operator.Equal:
-		return floatValue == floatPattern
+		return result == int(equal)
 	case operator.NotEqual:
-		return floatValue != floatPattern
+		return result != int(equal)
 	case operator.More:
-		return floatValue > floatPattern
-	case operator.MoreEqual:
-		return floatValue >= floatPattern
+		return result == int(greaterThan)
 	case operator.Less:
-		return floatValue < floatPattern
+		return result == int(lessThan)
+	case operator.MoreEqual:
+		return (result == int(equal)) || (result == int(greaterThan))
 	case operator.LessEqual:
-		return floatValue <= floatPattern
+		return (result == int(equal)) || (result == int(lessThan))
 	}

 	return false
--- a/pkg/engine/validate/pattern_test.go
+++ b/pkg/engine/validate/pattern_test.go
@ -195,6 +195,10 @@ func TestValidateValueWithPattern_StringsLogicalOr(t *testing.T) {
 	assert.Assert(t, ValidateValueWithPattern(value, pattern))
 }

+func TestValidateValueWithPattern_EqualTwoFloats(t *testing.T) {
+	assert.Assert(t, ValidateValueWithPattern(7.0, 7.000))
+}
+
 func TestValidateValueWithNilPattern_NullPatternStringValue(t *testing.T) {
 	assert.Assert(t, !validateValueWithNilPattern("value"))
 }
@ -285,14 +289,42 @@ func TestGetNumberAndStringPartsFromPattern_Empty(t *testing.T) {
 	assert.Equal(t, str, "")
 }

-func TestValidateNumber_EqualTwoFloats(t *testing.T) {
-	assert.Assert(t, validateNumber(7.0, 7.000, operator.Equal))
+func TestValidateNumberWithStr_LessFloatAndInt(t *testing.T) {
+	assert.Assert(t, validateNumberWithStr(7.00001, "7.000001", operator.More))
+	assert.Assert(t, validateNumberWithStr(7.00001, "7", operator.NotEqual))
+
+	assert.Assert(t, validateNumberWithStr(7.0000, "7", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr(6.000000001, "6", operator.Less))
 }

-func TestValidateNumber_LessFloatAndInt(t *testing.T) {
-	assert.Assert(t, validateNumber(7, 7.00001, operator.Less))
-	assert.Assert(t, validateNumber(7, 7.00001, operator.NotEqual))
-
-	assert.Assert(t, !validateNumber(7, 7.0000, operator.NotEqual))
-	assert.Assert(t, !validateNumber(6, 6.000000001, operator.More))
+func TestValidateQuantity_InvalidQuantity(t *testing.T) {
+	assert.Assert(t, !validateNumberWithStr("1024Gi", "", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr("gii", "1024Gi", operator.Equal))
+}
+
+func TestValidateQuantity_Equal(t *testing.T) {
+	assert.Assert(t, validateNumberWithStr("1024Gi", "1024Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr("1024Mi", "1Gi", operator.Equal))
+	assert.Assert(t, validateNumberWithStr("0.2", "200m", operator.Equal))
+	assert.Assert(t, validateNumberWithStr("500", "500", operator.Equal))
+	assert.Assert(t, !validateNumberWithStr("2048", "1024", operator.Equal))
+	assert.Assert(t, validateNumberWithStr(1024, "1024", operator.Equal))
+}
+
+func TestValidateQuantity_Operation(t *testing.T) {
+	assert.Assert(t, validateNumberWithStr("1Gi", "1000Mi", operator.More))
+	assert.Assert(t, validateNumberWithStr("1G", "1Gi", operator.Less))
+	assert.Assert(t, validateNumberWithStr("500m", "0.5", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr("1", "500m", operator.MoreEqual))
+	assert.Assert(t, validateNumberWithStr("0.5", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.LessEqual))
+	assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.NotEqual))
+}
+
+func TestGetOperatorFromStringPattern_OneChar(t *testing.T) {
+	assert.Equal(t, operator.GetOperatorFromStringPattern("f"), operator.Equal)
+}
+
+func TestGetOperatorFromStringPattern_EmptyString(t *testing.T) {
+	assert.Equal(t, operator.GetOperatorFromStringPattern(""), operator.Equal)
 }
--- a/pkg/engine/variables/variables.go
+++ b/pkg/engine/variables/variables.go
@ -63,7 +63,7 @@ func substituteValue(ctx context.EvalInterface, valuePattern string) interface{}
 	case string:
 		return string(operatorVariable) + value.(string)
 	default:
-		glog.Infof("cannot user operator with object variables. operator used %s in pattern %v", string(operatorVariable), valuePattern)
+		glog.Infof("cannot use operator with object variables. operator used %s in pattern %v", string(operatorVariable), valuePattern)
 		var emptyInterface interface{}
 		return emptyInterface
 	}
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@ -228,7 +228,6 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {
 	// mutating webhook configuration for verifying webhook
 	go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)

-	go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)
 	// wait for the removal go routines to return
 	wg.Wait()
 }
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -118,10 +118,9 @@ func NewWebhookServer(
 	}
 	mux := http.NewServeMux()
 	mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve)
-	mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve)
+	mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve)
 	mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve)
 	mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve)
-
 	ws.server = http.Server{
 		Addr:         ":443", // Listen on port for HTTPS requests
 		TLSConfig:    &tlsConfig,