diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 6012cd42b2..d46eaa4885 100755 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -814,6 +814,21 @@ type CloneFrom struct { type PolicyStatus struct { // Ready indicates if the policy is ready to serve the admission request Ready bool `json:"ready" yaml:"ready"` + // Autogen contains autogen status information + // +optional + Autogen AutogenStatus `json:"autogen" yaml:"autogen"` +} + +// AutogenStatus contains autogen status information. +// It indicates requested, supported and effective autogen controllers used when +// automatically generating rules. +type AutogenStatus struct { + // Requested indicates the autogen requested controllers + Requested []string `json:"requested,omitempty" yaml:"requested,omitempty"` + // Supported indicates the autogen supported controllers + Supported []string `json:"supported,omitempty" yaml:"supported,omitempty"` + // Activated indicates the autogen activated controllers + Activated []string `json:"activated,omitempty" yaml:"activated,omitempty"` } // ResourceSpec contains information to identify a resource. diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 1164612c5a..ca82249f4b 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -111,6 +111,36 @@ func (in *Attestation) DeepCopy() *Attestation { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus) { + *out = *in + if in.Requested != nil { + in, out := &in.Requested, &out.Requested + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Supported != nil { + in, out := &in.Supported, &out.Supported + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Activated != nil { + in, out := &in.Activated, &out.Activated + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus. +func (in *AutogenStatus) DeepCopy() *AutogenStatus { + if in == nil { + return nil + } + out := new(AutogenStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloneFrom) DeepCopyInto(out *CloneFrom) { *out = *in @@ -132,7 +162,7 @@ func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy. @@ -636,7 +666,7 @@ func (in *Policy) DeepCopyInto(out *Policy) { out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) - out.Status = in.Status + in.Status.DeepCopyInto(&out.Status) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. @@ -692,6 +722,7 @@ func (in *PolicyList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) { *out = *in + in.Autogen.DeepCopyInto(&out.Autogen) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus. diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 17318d2782..3706c620c0 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -1357,6 +1357,25 @@ spec: status: description: Status contains policy runtime data. properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request type: boolean @@ -3903,6 +3922,25 @@ spec: status: description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request type: boolean diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 3e9bf40b09..d2c059e02b 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -2160,6 +2160,25 @@ spec: status: description: Status contains policy runtime data. properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index ffca95368f..7b13aa6ba2 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -2162,6 +2162,25 @@ spec: description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request diff --git a/config/install.yaml b/config/install.yaml index b277384606..15042a5748 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -2176,6 +2176,25 @@ spec: status: description: Status contains policy runtime data. properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request @@ -5922,6 +5941,25 @@ spec: description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request diff --git a/config/install_debug.yaml b/config/install_debug.yaml index f0cb579f30..959e001bbc 100755 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml @@ -2165,6 +2165,25 @@ spec: status: description: Status contains policy runtime data. properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request @@ -5887,6 +5906,25 @@ spec: description: Status contains policy runtime information. Deprecated. Policy metrics are available via the metrics endpoint properties: + autogen: + description: Autogen contains autogen status information + properties: + activated: + description: Activated indicates the autogen activated controllers + items: + type: string + type: array + requested: + description: Requested indicates the autogen requested controllers + items: + type: string + type: array + supported: + description: Supported indicates the autogen supported controllers + items: + type: string + type: array + type: object ready: description: Ready indicates if the policy is ready to serve the admission request diff --git a/pkg/autogen/autogen.go b/pkg/autogen/autogen.go index b163df909f..1b7995d94b 100644 --- a/pkg/autogen/autogen.go +++ b/pkg/autogen/autogen.go @@ -4,10 +4,13 @@ import ( "encoding/json" "fmt" "strconv" + "strings" jsonpatch "github.com/evanphx/json-patch" "github.com/go-logr/logr" kyverno "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/utils" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) const ( @@ -105,6 +108,53 @@ func CanAutoGen(spec *kyverno.Spec, log logr.Logger) (applyAutoGen bool, control return true, PodControllers } +// GetSupportedControllers returns the supported autogen controllers for a given spec. +func GetSupportedControllers(spec *kyverno.Spec, log logr.Logger) []string { + apply, controllers := CanAutoGen(spec, log) + if !apply || controllers == "none" { + return nil + } + return strings.Split(controllers, ",") +} + +// GetRequestedControllers returns the requested autogen controllers based on object annotations. +func GetRequestedControllers(meta metav1.ObjectMeta) []string { + annotations := meta.GetAnnotations() + if annotations == nil { + return nil + } + controllers, ok := annotations[kyverno.PodControllersAnnotation] + if !ok || controllers == "" { + return nil + } + if controllers == "none" { + return []string{} + } + return strings.Split(controllers, ",") +} + +// GetControllers computes the autogen controllers that should be applied to a policy. +// It returns the requested, supported and effective controllers (intersection of requested and supported ones). +func GetControllers(meta metav1.ObjectMeta, spec *kyverno.Spec, log logr.Logger) ([]string, []string, []string) { + // compute supported and requested controllers + supported := GetSupportedControllers(spec, log) + requested := GetRequestedControllers(meta) + + // no specific request, we can return supported controllers without further filtering + if requested == nil { + return requested, supported, supported + } + + // filter supported controllers, keeping only those that have been requested + var activated []string + for _, controller := range supported { + if utils.ContainsString(requested, controller) { + activated = append(activated, controller) + } + } + return requested, supported, activated +} + // podControllersKey annotation could be: // scenario A: not exist, set default to "all", which generates on all pod controllers // - if name / selector exist in resource description -> skip diff --git a/pkg/autogen/autogen_test.go b/pkg/autogen/autogen_test.go index 7fde898485..b353126574 100644 --- a/pkg/autogen/autogen_test.go +++ b/pkg/autogen/autogen_test.go @@ -12,10 +12,11 @@ import ( kyverno "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/utils" "gotest.tools/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/log" ) -func Test_getControllers(t *testing.T) { +func Test_CanAutoGen(t *testing.T) { testCases := []struct { name string policy []byte @@ -106,6 +107,145 @@ func Test_getControllers(t *testing.T) { } } +func Test_GetSupportedControllers(t *testing.T) { + testCases := []struct { + name string + policy []byte + expectedControllers string + }{ + { + name: "rule-with-match-name", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["Namespace"],"name":"*"}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-match-selector", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test-getcontrollers"},"spec":{"background":false,"rules":[{"name":"test-getcontrollers","match":{"resources":{"kinds":["Pod"],"selector":{"matchLabels":{"foo":"bar"}}}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-exclude-name", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test-getcontrollers"},"spec":{"background":false,"rules":[{"name":"test-getcontrollers","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"test"}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-exclude-selector", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test-getcontrollers"},"spec":{"background":false,"rules":[{"name":"test-getcontrollers","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"selector":{"matchLabels":{"foo":"bar"}}}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-deny", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","deny":{"conditions":[{"key":"{{request.object.metadata.labels.foo}}","operator":"Equals","value":"bar"}]}}}]}}`), + expectedControllers: PodControllers, + }, + + { + name: "rule-with-match-mixed-kinds-pod-podcontrollers", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"preconditions":{"any":[{"key":"{{request.operation}}","operator":"Equals","value":"CREATE"}]},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-exclude-mixed-kinds-pod-podcontrollers", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-match-kinds-pod-only", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","pattern":{"metadata":{"labels":{"foo":"bar"}}}}}]}}`), + expectedControllers: PodControllers, + }, + { + name: "rule-with-exclude-kinds-pod-only", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"kinds":["Pod"],"namespaces":["test"]}},"validate":{"message":"testpolicy","pattern":{"metadata":{"labels":{"foo":"bar"}}}}}]}}`), + expectedControllers: PodControllers, + }, + { + name: "rule-with-mutate-patches", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["Pod"]}},"mutate":{"patchesJson6902":"-op:add\npath:/spec/containers/0/env/-1\nvalue:{\"name\":\"SERVICE\",\"value\":{{request.object.spec.template.metadata.labels.app}}}"}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-generate", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"add-networkpolicy"},"spec":{"rules":[{"name":"default-deny-ingress","match":{"resources":{"kinds":["Namespace"],"name":"*"}},"exclude":{"resources":{"namespaces":["kube-system","default","kube-public","kyverno"]}},"generate":{"kind":"NetworkPolicy","name":"default-deny-ingress","namespace":"{{request.object.metadata.name}}","synchronize":true,"data":{"spec":{"podSelector":{},"policyTypes":["Ingress"]}}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-predefined-invalid-controllers", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"annotations":null,"pod-policies.kyverno.io/autogen-controllers":"DaemonSet,Deployment,StatefulSet","spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-predefined-valid-controllers", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"annotations":null,"pod-policies.kyverno.io/autogen-controllers":"none","spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Pod","Deployment"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`), + expectedControllers: "none", + }, + { + name: "rule-with-only-predefined-valid-controllers", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-service-labels-env"},"annotations":null,"pod-policies.kyverno.io/autogen-controllers":"none","spec":{"background":false,"rules":[{"name":"set-service-label","match":{"resources":{"kinds":["Namespace"]}},"mutate":{"patchStrategicMerge":{"metadata":{"labels":{"+(service)":"{{request.object.spec.template.metadata.labels.app}}"}}}}}]}}`), + expectedControllers: "none", + }, + } + + for _, test := range testCases { + var policy kyverno.ClusterPolicy + err := json.Unmarshal(test.policy, &policy) + assert.NilError(t, err) + + controllers := GetSupportedControllers(&policy.Spec, log.Log) + + var expectedControllers []string + if test.expectedControllers != "none" { + expectedControllers = strings.Split(test.expectedControllers, ",") + } + + assert.DeepEqual(t, expectedControllers, controllers) + } +} + +func Test_GetRequestedControllers(t *testing.T) { + testCases := []struct { + name string + meta metav1.ObjectMeta + expectedControllers []string + }{ + { + name: "annotations-nil", + meta: metav1.ObjectMeta{}, + expectedControllers: nil, + }, + { + name: "annotation-not-set", + meta: metav1.ObjectMeta{Annotations: map[string]string{}}, + expectedControllers: nil, + }, + { + name: "annotation-empty", + meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": ""}}, + expectedControllers: nil, + }, + { + name: "annotation-none", + meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": "none"}}, + expectedControllers: []string{}, + }, + { + name: "annotation-job", + meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": "Job"}}, + expectedControllers: []string{"Job"}, + }, + { + name: "annotation-job-deployment", + meta: metav1.ObjectMeta{Annotations: map[string]string{"pod-policies.kyverno.io/autogen-controllers": "Job,Deployment"}}, + expectedControllers: []string{"Job", "Deployment"}, + }, + } + + for _, test := range testCases { + controllers := GetRequestedControllers(test.meta) + assert.DeepEqual(t, test.expectedControllers, controllers) + } +} + func Test_Any(t *testing.T) { dir, err := os.Getwd() baseDir := filepath.Dir(filepath.Dir(dir)) diff --git a/pkg/webhookconfig/configmanager.go b/pkg/webhookconfig/configmanager.go index 25b8d3eafb..2c3ec7f46c 100644 --- a/pkg/webhookconfig/configmanager.go +++ b/pkg/webhookconfig/configmanager.go @@ -11,6 +11,7 @@ import ( "github.com/go-logr/logr" kyverno "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/pkg/autogen" kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" @@ -679,12 +680,18 @@ func (m *webhookConfigManager) compareAndUpdateWebhook(webhookKind, webhookName func (m *webhookConfigManager) updateStatus(policy *kyverno.ClusterPolicy, status bool) error { policyCopy := policy.DeepCopy() + requested, supported, activated := autogen.GetControllers(policy.ObjectMeta, &policy.Spec, m.log) policyCopy.Status.Ready = status + policyCopy.Status.Autogen.Requested = requested + policyCopy.Status.Autogen.Supported = supported + policyCopy.Status.Autogen.Activated = activated + if reflect.DeepEqual(policyCopy.Status, policy.Status) { + return nil + } if policy.GetNamespace() == "" { _, err := m.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(context.TODO(), policyCopy, v1.UpdateOptions{}) return err } - _, err := m.kyvernoClient.KyvernoV1().Policies(policyCopy.GetNamespace()).UpdateStatus(context.TODO(), (*kyverno.Policy)(policyCopy), v1.UpdateOptions{}) return err }