mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-29 02:45:06 +00:00
Code Activity

feat: add autogen controllers to policy status (#3332)

Browse source 
* feat: add autogen controllers to policy status

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* feat: add autogen controllers to policy status

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-03-10 16:51:29 +01:00 committed by GitHub
parent 78239a2947
commit 8d08250e07
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 399 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
api/kyverno/v1/common_types.go
View file

@ -814,6 +814,21 @@ type CloneFrom struct {
type PolicyStatus struct {
// Ready indicates if the policy is ready to serve the admission request
Ready bool `json:"ready" yaml:"ready"`
// Autogen contains autogen status information
// +optional
Autogen AutogenStatus `json:"autogen" yaml:"autogen"`
}
// AutogenStatus contains autogen status information.
// It indicates requested, supported and effective autogen controllers used when
// automatically generating rules.
type AutogenStatus struct {
// Requested indicates the autogen requested controllers
Requested []string `json:"requested,omitempty" yaml:"requested,omitempty"`
// Supported indicates the autogen supported controllers
Supported []string `json:"supported,omitempty" yaml:"supported,omitempty"`
// Activated indicates the autogen activated controllers
Activated []string `json:"activated,omitempty" yaml:"activated,omitempty"`
}
// ResourceSpec contains information to identify a resource.

35
api/kyverno/v1/zz_generated.deepcopy.go
View file

@ -111,6 +111,36 @@ func (in *Attestation) DeepCopy() *Attestation {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus) {
*out = *in
if in.Requested != nil {
in, out := &in.Requested, &out.Requested
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Supported != nil {
in, out := &in.Supported, &out.Supported
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Activated != nil {
in, out := &in.Activated, &out.Activated
*out = make([]string, len(*in))
copy(*out, *in)
}
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus.
func (in *AutogenStatus) DeepCopy() *AutogenStatus {
if in == nil {
return nil
}
out := new(AutogenStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *CloneFrom) DeepCopyInto(out *CloneFrom) {
*out = *in
@ -132,7 +162,7 @@ func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy) {
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status
in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy.
@ -636,7 +666,7 @@ func (in *Policy) DeepCopyInto(out *Policy) {
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
in.Spec.DeepCopyInto(&out.Spec)
out.Status = in.Status
in.Status.DeepCopyInto(&out.Status)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
@ -692,6 +722,7 @@ func (in *PolicyList) DeepCopyObject() runtime.Object {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) {
*out = *in
in.Autogen.DeepCopyInto(&out.Autogen)
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.

38
charts/kyverno/templates/crds.yaml
View file

@ -1357,6 +1357,25 @@ spec:
status:
description: Status contains policy runtime data.
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission request
type: boolean
@ -3903,6 +3922,25 @@ spec:
status:
description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission request
type: boolean

19
config/crds/kyverno.io_clusterpolicies.yaml
View file

@ -2160,6 +2160,25 @@ spec:
status:
description: Status contains policy runtime data.
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission
request

19
config/crds/kyverno.io_policies.yaml
View file

@ -2162,6 +2162,25 @@ spec:
description: Status contains policy runtime information. Deprecated. Policy
metrics are available via the metrics endpoint
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission
request

38
config/install.yaml
View file

@ -2176,6 +2176,25 @@ spec:
status:
description: Status contains policy runtime data.
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission
request
@ -5922,6 +5941,25 @@ spec:
description: Status contains policy runtime information. Deprecated. Policy
metrics are available via the metrics endpoint
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission
request

38
config/install_debug.yaml
View file

@ -2165,6 +2165,25 @@ spec:
status:
description: Status contains policy runtime data.
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission
request
@ -5887,6 +5906,25 @@ spec:
description: Status contains policy runtime information. Deprecated. Policy
metrics are available via the metrics endpoint
properties:
autogen:
description: Autogen contains autogen status information
properties:
activated:
description: Activated indicates the autogen activated controllers
items:
type: string
type: array
requested:
description: Requested indicates the autogen requested controllers
items:
type: string
type: array
supported:
description: Supported indicates the autogen supported controllers
items:
type: string
type: array
type: object
ready:
description: Ready indicates if the policy is ready to serve the admission
request

50
pkg/autogen/autogen.go
View file

@ -4,10 +4,13 @@ import (
"encoding/json"
"fmt"
"strconv"
"strings"
jsonpatch "github.com/evanphx/json-patch"
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/utils"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
const (
@ -105,6 +108,53 @@ func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, control
return true, PodControllers
}
// GetSupportedControllers returns the supported autogen controllers for a given spec.
func GetSupportedControllers(spec *kyverno.Spec, log logr.Logger) []string {
apply, controllers := CanAutoGen(spec, log)
if !apply || controllers == "none" {
return nil
}
return strings.Split(controllers, ",")
}
// GetRequestedControllers returns the requested autogen controllers based on object annotations.
func GetRequestedControllers(meta metav1.ObjectMeta) []string {
annotations := meta.GetAnnotations()
if annotations == nil {
return nil
}
controllers, ok := annotations[kyverno.PodControllersAnnotation]
if !ok || controllers == "" {
return nil
}
if controllers == "none" {
return []string{}
}
return strings.Split(controllers, ",")
}
// GetControllers computes the autogen controllers that should be applied to a policy.
// It returns the requested, supported and effective controllers (intersection of requested and supported ones).
func GetControllers(meta metav1.ObjectMeta, spec *kyverno.Spec, log logr.Logger) ([]string, []string, []string) {
// compute supported and requested controllers
supported := GetSupportedControllers(spec, log)
requested := GetRequestedControllers(meta)
// no specific request, we can return supported controllers without further filtering
if requested == nil {
return requested, supported, supported
}
// filter supported controllers, keeping only those that have been requested
var activated []string
for _, controller := range supported {
if utils.ContainsString(requested, controller) {
activated = append(activated, controller)
}
}
return requested, supported, activated
}
// podControllersKey annotation could be:
// scenario A: not exist, set default to "all", which generates on all pod controllers
// - if name / selector exist in resource description -> skip

142
pkg/autogen/autogen_test.go
View file

@ -12,10 +12,11 @@ import (
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/utils"
"gotest.tools/assert"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/log"
)
func Test_getControllers(t *testing.T) {
func Test_CanAutoGen(t *testing.T) {
testCases := []struct {
name string
policy []byte
@ -106,6 +107,145 @@ func Test_getControllers(t *testing.T) {
}
}
func Test_GetSupportedControllers(t *testing.T) {
testCases := []struct {
name string
policy []byte
expectedControllers string
}{
{
name: "rule-with-match-name",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["Namespace"],"name":"*"}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-match-selector",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test-getcontrollers"},"spec":{"background":false,"rules":[{"name":"test-getcontrollers","match":{"resources":{"kinds":["Pod"],"selector":{"matchLabels":{"foo":"bar"}}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-exclude-name",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test-getcontrollers"},"spec":{"background":false,"rules":[{"name":"test-getcontrollers","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"test"}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-exclude-selector",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test-getcontrollers"},"spec":{"background":false,"rules":[{"name":"test-getcontrollers","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"selector":{"matchLabels":{"foo":"bar"}}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-deny",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","deny":{"conditions":[{"key":"{{request.object.metadata.labels.foo}}","operator":"Equals","value":"bar"}]}}}]}}`),
expectedControllers: PodControllers,
},
{
name: "rule-with-match-mixed-kinds-pod-podcontrollers",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"preconditions":{"any":[{"key":"{{request.operation}}","operator":"Equals","value":"CREATE"}]},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-exclude-mixed-kinds-pod-podcontrollers",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-match-kinds-pod-only",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","pattern":{"metadata":{"labels":{"foo":"bar"}}}}}]}}`),
expectedControllers: PodControllers,
},
{
name: "rule-with-exclude-kinds-pod-only",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod"],"namespaces":["test"]}},"validate":{"message":"testpolicy","pattern":{"metadata":{"labels":{"foo":"bar"}}}}}]}}`),
expectedControllers: PodControllers,
},
{
name: "rule-with-mutate-patches",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["Pod"]}},"mutate":{"patchesJson6902":"-op:add\npath:/spec/containers/0/env/-1\nvalue:{\"name\":\"SERVICE\",\"value\":{{request.object.spec.template.metadata.labels.app}}}"}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-generate",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"add-networkpolicy"},"spec":{"rules":[{"name":"default-deny-ingress","match":{"resources":{"kinds":["Namespace"],"name":"*"}},"exclude":{"resources":{"namespaces":["kube-system","default","kube-public","kyverno"]}},"generate":{"kind":"NetworkPolicy","name":"default-deny-ingress","namespace":"{{request.object.metadata.name}}","synchronize":true,"data":{"spec":{"podSelector":{},"policyTypes":["Ingress"]}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-predefined-invalid-controllers",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"annotations":null,"pod-policies.kyverno.io/autogen-controllers":"DaemonSet,Deployment,StatefulSet","spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-predefined-valid-controllers",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"annotations":null,"pod-policies.kyverno.io/autogen-controllers":"none","spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`),
expectedControllers: "none",
},
{
name: "rule-with-only-predefined-valid-controllers",
policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"annotations":null,"pod-policies.kyverno.io/autogen-controllers":"none","spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Namespace"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`),
expectedControllers: "none",
},
}
for _, test := range testCases {
var policy kyverno.ClusterPolicy
err := json.Unmarshal(test.policy, &policy)
assert.NilError(t, err)
controllers := GetSupportedControllers(&policy.Spec, log.Log)
var expectedControllers []string
if test.expectedControllers != "none" {
expectedControllers = strings.Split(test.expectedControllers, ",")
}
assert.DeepEqual(t, expectedControllers, controllers)
}
}
func Test_GetRequestedControllers(t *testing.T) {
testCases := []struct {
name string
meta metav1.ObjectMeta
expectedControllers []string
}{
{
name: "annotations-nil",
meta: metav1.ObjectMeta{},
expectedControllers: nil,
},
{
name: "annotation-not-set",
meta: metav1.ObjectMeta{Annotations: map[string]string{}},
expectedControllers: nil,
},
{
name: "annotation-empty",
meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": ""}},
expectedControllers: nil,
},
{
name: "annotation-none",
meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": "none"}},
expectedControllers: []string{},
},
{
name: "annotation-job",
meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": "Job"}},
expectedControllers: []string{"Job"},
},
{
name: "annotation-job-deployment",
meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": "Job,Deployment"}},
expectedControllers: []string{"Job", "Deployment"},
},
}
for _, test := range testCases {
controllers := GetRequestedControllers(test.meta)
assert.DeepEqual(t, test.expectedControllers, controllers)
}
}
func Test_Any(t *testing.T) {
dir, err := os.Getwd()
baseDir := filepath.Dir(filepath.Dir(dir))

9
pkg/webhookconfig/configmanager.go
View file

@ -11,6 +11,7 @@ import (
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/autogen"
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
@ -679,12 +680,18 @@ func (m *webhookConfigManager) compareAndUpdateWebhook(webhookKind, webhookName
func (m *webhookConfigManager) updateStatus(policy *kyverno.ClusterPolicy, status bool) error {
policyCopy := policy.DeepCopy()
requested, supported, activated := autogen.GetControllers(policy.ObjectMeta, &policy.Spec, m.log)
policyCopy.Status.Ready = status
policyCopy.Status.Autogen.Requested = requested
policyCopy.Status.Autogen.Supported = supported
policyCopy.Status.Autogen.Activated = activated
if reflect.DeepEqual(policyCopy.Status, policy.Status) {
return nil
}
if policy.GetNamespace() == "" {
_, err := m.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(context.TODO(), policyCopy, v1.UpdateOptions{})
return err
}
_, err := m.kyvernoClient.KyvernoV1().Policies(policyCopy.GetNamespace()).UpdateStatus(context.TODO(), (*kyverno.Policy)(policyCopy), v1.UpdateOptions{})
return err
}