diff --git a/Makefile b/Makefile
index 824f8b92e4..337e4fef43 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
 REGISTRY=index.docker.io
 REPO=$(REGISTRY)/nirmata/kyverno
-IMAGE_TAG=$(GIT_VERSION)
+IMAGE_TAG?=$(GIT_VERSION)
 GOOS ?= $(shell go env GOOS)
 PACKAGE ?=github.com/nirmata/kyverno
 LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
diff --git a/definitions/install.yaml b/definitions/install.yaml
index b8950c12e6..5fcc327d47 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -712,7 +712,7 @@ spec:
 - name: kyverno
 image: nirmata/kyverno:v1.1.5
 args:
- - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
+ - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]"
 # customize webhook timout
 # - "--webhooktimeout=4"
 ports:
diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go
index eddded1cde..c44e03017d 100644
--- a/pkg/webhooks/annotations.go
+++ b/pkg/webhooks/annotations.go
@@ -152,7 +152,7 @@ func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log lo
 }
 // checkPodTemplateAnn checks if a Pod has annotation "pod-policies.kyverno.io/autogen-applied"
-func checkPodTemplateAnn(resource unstructured.Unstructured) bool {
+func checkPodTemplateAnnotation(resource unstructured.Unstructured) bool {
 if resource.GetKind() == "Pod" {
 ann := resource.GetAnnotations()
 if _, ok := ann[engine.PodTemplateAnnotation]; ok {
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 0afdefa90a..b2c912b2ae 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
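Review bot: The new `[ReplicaSet,*,*]` entry takes ReplicaSets out of webhook evaluation entirely, so a ReplicaSet created directly rather than through a Deployment will no longer be seen by validate or mutate policies; only the Pods it spawns are, and only where a Pod-level rule exists. If the intent is to rely on autogen rules at the Deployment level plus Pod admission, record that next to the flag, e.g. `# ReplicaSet is filtered: policies are applied to the owning Deployment and to the resulting Pods`, so the exclusion is not mistaken for an oversight later. It is worth confirming that every policy this exclusion is meant to cover actually has a Pod-level rule.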
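Review bot: The doc comment on the context line directly above the renamed signature still reads `checkPodTemplateAnn`, while the function is now `checkPodTemplateAnnotation`; Go doc comments start with the declared name, so `golint`/`revive` will flag the mismatch and godoc will no longer attach it correctly. Update it to `// checkPodTemplateAnnotation reports whether a Pod carries the "pod-policies.kyverno.io/autogen-applied" annotation.`. The function body continues past the end of this hunk.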
@@ -55,7 +55,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 }
 for _, policy := range policies {
- logger.V(2).Info("evaluating policy", "policy", policy.Name)
+ logger.V(3).Info("evaluating policy", "policy", policy.Name)
 policyContext.Policy = policy
 engineResponse := engine.Mutate(policyContext)
@@ -72,7 +72,9 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 }
 // gather patches
 patches = append(patches, engineResponse.GetPatches()...)
- logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
+ if len(engineResponse.GetPatches()) != 0 {
+ logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name)
+ }
 policyContext.NewResource = engineResponse.PatchedResource
 }
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index f1517ef66f..605198310d 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -193,7 +193,7 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 }
 func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
- logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+ logger := ws.log.WithName("handleMutateAdmissionRequest").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 policies, err := ws.pMetaStore.ListAll()
 if err != nil {
 // Unable to connect to policy Lister to access policies
@@ -226,7 +226,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 }
- if checkPodTemplateAnn(resource) {
+ if checkPodTemplateAnnotation(resource) {
 return &v1beta1.AdmissionResponse{
 Allowed: true,
 Result: &metav1.Status{
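Review bot: `engineResponse.GetPatches()` is now called twice in a row in the second mutation.go hunk, once on the `append` line and again in the new `if len(...) != 0` guard; capture it once with `ps := engineResponse.GetPatches()` and use `patches = append(patches, ps...)` and `if len(ps) != 0 {` so both sites read the same value. The log message on the new line also keeps the typo `succesfully`; since this is the string operators will grep for when tracing a mutation, fix it to `successfully` while the line is being touched. The same misspelling appears in the new log line added in validation.go. HandleMutation's body continues on both sides of the hunk.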
@@ -288,7 +288,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission
 }
 func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
- logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+ logger := ws.log.WithName("handleValidateAdmissionRequest").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 policies, err := ws.pMetaStore.ListAll()
 if err != nil {
 // Unable to connect to policy Lister to access policies
@@ -307,6 +307,28 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi
 }
 }
+ resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+ if err != nil {
+ logger.Error(err, "failed to convert RAW resource to unstructured format")
+
+ return &v1beta1.AdmissionResponse{
+ Allowed: false,
+ Result: &metav1.Status{
+ Status: "Failure",
+ Message: err.Error(),
+ },
+ }
+ }
+
+ if checkPodTemplateAnnotation(resource) {
+ return &v1beta1.AdmissionResponse{
+ Allowed: true,
+ Result: &metav1.Status{
+ Status: "Success",
+ },
+ }
+ }
+
 // VALIDATION
 ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles)
 if !ok {
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index d0b49347ad..a87b7e3133 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
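Review bot: The new `checkPodTemplateAnnotation(resource)` block returns `Allowed: true` before `HandleValidation` runs, and from the annotations.go hunk the helper appears to decide purely on an annotation present in the submitted object; nothing here distinguishes an annotation written by Kyverno's own template mutation from one supplied by the author of the request, so the skip is a trust decision that should be documented and tightened rather than left implicit. Consider limiting it to Pods that are actually controller-owned, e.g. `if checkPodTemplateAnnotation(resource) && len(resource.GetOwnerReferences()) > 0 {`, and add a comment above it stating the rationale (`// Pods created from an already-validated pod template are skipped; validation ran on the owning controller`). If skipping unowned Pods is intentional, say so in that comment and log the bypass at a visible verbosity so it can be audited. handleValidateAdmissionRequest continues past this hunk on both sides.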
@@ -58,7 +58,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 }
 var engineResponses []response.EngineResponse
 for _, policy := range policies {
- logger.V(2).Info("evaluating policy", "policy", policy.Name)
+ logger.V(3).Info("evaluating policy", "policy", policy.Name)
 policyContext.Policy = policy
 engineResponse := engine.Validate(policyContext)
 if reflect.DeepEqual(engineResponse, response.EngineResponse{}) {
@@ -74,6 +74,8 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol
 logger.V(4).Info("failed to apply policy", "policy", policy.Name)
 continue
 }
+
+ logger.Info("valiadtion rules from policy applied succesfully", "policy", policy.Name)
 }
 // If Validation fails then reject the request
 // no violations will be created on "enforce"
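Review bot: The new log line in the second validation.go hunk carries two typos in its message, `valiadtion` and `succesfully`; change it to `logger.Info("validation rules from policy applied successfully", "policy", policy.Name)` before the misspelt string ends up in dashboards and alert filters. It also fires at Info level once per policy on every validated request, whereas the mutation counterpart in mutation.go was gated on there being patches to report; consider `logger.V(3)` to match the `evaluating policy` line in the first hunk, or it will dominate the log on busy clusters. HandleValidation's body continues outside the hunk.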