mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

match % exclude resources

Browse source
This commit is contained in:
shivkumar dudhani 2019-07-23 23:34:03 -04:00
parent 9bfacd2039
commit 94a6f1a71a
13 changed files with 332 additions and 116 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

101
definitions/install.yaml
View file

@ -34,45 +34,90 @@ spec:
type: object
required:
- name
- resource
- match
properties:
name:
type: string
resource:
match:
type: object
required:
- kinds
- resources
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespace:
type: string
selector:
resources:
type: object
required:
- kinds
properties:
matchLabels:
type: object
additionalProperties:
type: string
matchExpressions:
kinds:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
name:
type: string
namespace:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
operator:
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
exclude:
type: object
required:
- resources
properties:
resources:
type: object
required:
- kinds
properties:
kinds:
type: array
items:
type: string
name:
type: string
namespace:
type: string
selector:
properties:
matchLabels:
type: object
additionalProperties:
type: string
values:
type: array
items:
type: string
matchExpressions:
type: array
items:
type: object
required:
- key
- operator
properties:
key:
type: string
operator:
type: string
values:
type: array
items:
type: string
mutate:
type: object
properties:

21
pkg/apis/policy/v1alpha1/types.go
View file

@ -25,11 +25,22 @@ type Spec struct {
// Rule is set of mutation, validation and generation actions
// for the single resource description
type Rule struct {
Name string `json:"name"`
ResourceDescription `json:"resource"`
Mutation *Mutation `json:"mutate"`
Validation *Validation `json:"validate"`
Generation *Generation `json:"generate"`
Name string `json:"name"`
MatchResources MatchResources `json:"match"`
ExcludeResources ExcludeResources `json:"exclude,omitempty"`
Mutation *Mutation `json:"mutate"`
Validation *Validation `json:"validate"`
Generation *Generation `json:"generate"`
}
//MatchResources contains resource description of the resources that the rule is to apply on
type MatchResources struct {
ResourceDescription `json:"resources"`
}
//ExcludeResources container resource description of the resources that are to be excluded from the applying the policy rule
type ExcludeResources struct {
ResourceDescription `json:"resources"`
}
// ResourceDescription describes the resource to which the PolicyRule will be applied.

3
pkg/apis/policy/v1alpha1/utils.go
View file

@ -9,7 +9,8 @@ import (
// Validate checks if rule is not empty and all substructures are valid
func (r *Rule) Validate() error {
err := r.ResourceDescription.Validate()
// check matches Resoource Description of match resource
err := r.MatchResources.ResourceDescription.Validate()
if err != nil {
return err
}

37
pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go
View file

@ -41,6 +41,23 @@ func (in *CloneFrom) DeepCopy() *CloneFrom {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ExcludeResources) DeepCopyInto(out *ExcludeResources) {
*out = *in
in.ResourceDescription.DeepCopyInto(&out.ResourceDescription)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludeResources.
func (in *ExcludeResources) DeepCopy() *ExcludeResources {
if in == nil {
return nil
}
out := new(ExcludeResources)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FailedRule) DeepCopyInto(out *FailedRule) {
*out = *in
@ -67,6 +84,23 @@ func (in *Generation) DeepCopy() *Generation {
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *MatchResources) DeepCopyInto(out *MatchResources) {
*out = *in
in.ResourceDescription.DeepCopyInto(&out.ResourceDescription)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.
func (in *MatchResources) DeepCopy() *MatchResources {
if in == nil {
return nil
}
out := new(MatchResources)
in.DeepCopyInto(out)
return out
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mutation.
func (in *Mutation) DeepCopy() *Mutation {
if in == nil {
@ -177,7 +211,8 @@ func (in *ResourceDescription) DeepCopy() *ResourceDescription {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Rule) DeepCopyInto(out *Rule) {
*out = *in
in.ResourceDescription.DeepCopyInto(&out.ResourceDescription)
in.MatchResources.DeepCopyInto(&out.MatchResources)
in.ExcludeResources.DeepCopyInto(&out.ExcludeResources)
if in.Mutation != nil {
in, out := &in.Mutation, &out.Mutation
*out = (*in).DeepCopy()

72
pkg/controller/cleanup.go
View file

@ -2,11 +2,10 @@ package controller
import (
"github.com/golang/glog"
"github.com/minio/minio/pkg/wildcard"
"github.com/nirmata/kyverno/pkg/annotations"
v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
client "github.com/nirmata/kyverno/pkg/dclient"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"github.com/nirmata/kyverno/pkg/engine"
"k8s.io/apimachinery/pkg/runtime"
)
@ -24,43 +23,44 @@ func cleanAnnotations(client *client.Client, obj interface{}) {
}
// Get the resources that apply to the policy
// key uid
resourceMap := map[string]unstructured.Unstructured{}
for _, rule := range policy.Spec.Rules {
for _, k := range rule.Kinds {
if k == "Namespace" {
continue
}
// kind -> resource
gvr := client.DiscoveryClient.GetGVRFromKind(k)
// label selectors
// namespace ? should it be default or allow policy to specify it
namespace := "default"
if rule.ResourceDescription.Namespace != nil {
namespace = *rule.ResourceDescription.Namespace
}
list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector)
if err != nil {
glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String())
glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err)
continue
}
for _, res := range list.Items {
name := rule.ResourceDescription.Name
if name != nil {
// wild card matching
if !wildcard.Match(*name, res.GetName()) {
continue
}
}
resourceMap[string(res.GetUID())] = res
}
}
}
resourceMap := engine.ListResourcesThatApplyToPolicy(client, &policy)
// for _, rule := range policy.Spec.Rules {
// for _, k := range rule.Kinds {
// if k == "Namespace" {
// continue
// }
// // kind -> resource
// gvr := client.DiscoveryClient.GetGVRFromKind(k)
// // label selectors
// // namespace ? should it be default or allow policy to specify it
// namespace := "default"
// if rule.ResourceDescription.Namespace != nil {
// namespace = *rule.ResourceDescription.Namespace
// }
// list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector)
// if err != nil {
// glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String())
// glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err)
// continue
// }
// for _, res := range list.Items {
// name := rule.ResourceDescription.Name
// if name != nil {
// // wild card matching
// if !wildcard.Match(*name, res.GetName()) {
// continue
// }
// }
// resourceMap[string(res.GetUID())] = res
// }
// }
// }
// remove annotations for the resources
for _, obj := range resourceMap {
// get annotations
ann := obj.GetAnnotations()
ann := obj.Resource.GetAnnotations()
_, patch, err := annotations.RemovePolicyJSONPatch(ann, annotations.BuildKey(policy.Name))
if err != nil {
@ -68,7 +68,7 @@ func cleanAnnotations(client *client.Client, obj interface{}) {
continue
}
// patch the resource
_, err = client.PatchResource(obj.GetKind(), obj.GetNamespace(), obj.GetName(), patch)
_, err = client.PatchResource(obj.Resource.GetKind(), obj.Resource.GetNamespace(), obj.Resource.GetName(), patch)
if err != nil {
glog.Error(err)
continue

127
pkg/engine/engine.go
View file

@ -8,44 +8,80 @@ import (
client "github.com/nirmata/kyverno/pkg/dclient"
"github.com/nirmata/kyverno/pkg/info"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
v1helper "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
)
// ProcessExisting checks for mutation and validation violations of existing resources
func ProcessExisting(client *client.Client, policy *types.Policy) []*info.PolicyInfo {
glog.Infof("Applying policy %s on existing resources", policy.Name)
func ListResourcesThatApplyToPolicy(client *client.Client, policy *types.Policy) map[string]resourceInfo {
// key uid
resourceMap := map[string]resourceInfo{}
for _, rule := range policy.Spec.Rules {
for _, k := range rule.Kinds {
// Match
for _, k := range rule.MatchResources.Kinds {
// kind -> resource
gvr := client.DiscoveryClient.GetGVRFromKind(k)
// label selectors
// namespace ? should it be default or allow policy to specify it
// Namespace
namespace := "default"
if rule.ResourceDescription.Namespace != nil {
namespace = *rule.ResourceDescription.Namespace
if rule.MatchResources.Namespace != nil {
namespace = *rule.MatchResources.Namespace
}
if k == "Namespace" {
namespace = ""
}
// Check if exclude namespace is not clashing
if rule.ExcludeResources.Namespace != nil && *rule.ExcludeResources.Namespace == namespace {
// as the namespace is excluded
continue
}
list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector)
// List resources
list, err := client.ListResource(k, namespace, rule.MatchResources.Selector)
if err != nil {
glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String())
glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.MatchResources.Selector.String())
glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err)
continue
}
var selector labels.Selector
// exclude label selector
if rule.ExcludeResources.Selector != nil {
selector, err = v1helper.LabelSelectorAsSelector(rule.ExcludeResources.Selector)
if err != nil {
glog.Error(err)
}
}
for _, res := range list.Items {
name := rule.ResourceDescription.Name
gvk := res.GroupVersionKind()
// exclude label selectors
if selector != nil {
set := labels.Set(res.GetLabels())
if selector.Matches(set) {
// if matches
continue
}
}
var name *string
// match
// name
// wild card matching
name = rule.MatchResources.Name
if name != nil {
// wild card matching
// if does not match then we skip
if !wildcard.Match(*name, res.GetName()) {
continue
}
}
ri := resourceInfo{resource: res, gvk: &metav1.GroupVersionKind{Group: gvk.Group,
// exclude
// name
// wild card matching
name = rule.ExcludeResources.Name
if name != nil {
// if matches then we skip
if wildcard.Match(*name, res.GetName()) {
continue
}
}
gvk := res.GroupVersionKind()
ri := resourceInfo{Resource: res, Gvk: &metav1.GroupVersionKind{Group: gvk.Group,
Version: gvk.Version,
Kind: gvk.Kind}}
@ -54,13 +90,60 @@ func ProcessExisting(client *client.Client, policy *types.Policy) []*info.Policy
}
}
}
return resourceMap
}
// ProcessExisting checks for mutation and validation violations of existing resources
func ProcessExisting(client *client.Client, policy *types.Policy) []*info.PolicyInfo {
glog.Infof("Applying policy %s on existing resources", policy.Name)
// key uid
resourceMap := ListResourcesThatApplyToPolicy(client, policy)
// for _, rule := range policy.Spec.Rules {
// for _, k := range rule.Kinds {
// // kind -> resource
// gvr := client.DiscoveryClient.GetGVRFromKind(k)
// // label selectors
// // namespace ? should it be default or allow policy to specify it
// namespace := "default"
// if rule.ResourceDescription.Namespace != nil {
// namespace = *rule.ResourceDescription.Namespace
// }
// if k == "Namespace" {
// namespace = ""
// }
// list, err := client.ListResource(k, namespace, rule.ResourceDescription.Selector)
// if err != nil {
// glog.Errorf("unable to list resource for %s with label selector %s", gvr.Resource, rule.Selector.String())
// glog.Errorf("unable to apply policy %s rule %s. err: %s", policy.Name, rule.Name, err)
// continue
// }
// for _, res := range list.Items {
// name := rule.ResourceDescription.Name
// gvk := res.GroupVersionKind()
// if name != nil {
// // wild card matching
// if !wildcard.Match(*name, res.GetName()) {
// continue
// }
// }
// ri := resourceInfo{resource: res, gvk: &metav1.GroupVersionKind{Group: gvk.Group,
// Version: gvk.Version,
// Kind: gvk.Kind}}
// resourceMap[string(res.GetUID())] = ri
// }
// }
// }
policyInfos := []*info.PolicyInfo{}
// for the filtered resource apply policy
for _, v := range resourceMap {
policyInfo, err := applyPolicy(client, policy, v)
if err != nil {
glog.Errorf("unable to apply policy %s on resource %s/%s", policy.Name, v.resource.GetName(), v.resource.GetNamespace())
glog.Errorf("unable to apply policy %s on resource %s/%s", policy.Name, v.Resource.GetName(), v.Resource.GetNamespace())
glog.Error(err)
continue
}
@ -71,28 +154,28 @@ func ProcessExisting(client *client.Client, policy *types.Policy) []*info.Policy
}
func applyPolicy(client *client.Client, policy *types.Policy, res resourceInfo) (*info.PolicyInfo, error) {
policyInfo := info.NewPolicyInfo(policy.Name, res.gvk.Kind, res.resource.GetName(), res.resource.GetNamespace(), policy.Spec.ValidationFailureAction)
policyInfo := info.NewPolicyInfo(policy.Name, res.Gvk.Kind, res.Resource.GetName(), res.Resource.GetNamespace(), policy.Spec.ValidationFailureAction)
glog.Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
rawResource, err := res.resource.MarshalJSON()
rawResource, err := res.Resource.MarshalJSON()
if err != nil {
return nil, err
}
// Mutate
mruleInfos, err := mutation(policy, rawResource, res.gvk)
mruleInfos, err := mutation(policy, rawResource, res.Gvk)
policyInfo.AddRuleInfos(mruleInfos)
if err != nil {
return nil, err
}
// Validation
vruleInfos, err := Validate(*policy, rawResource, *res.gvk)
vruleInfos, err := Validate(*policy, rawResource, *res.Gvk)
policyInfo.AddRuleInfos(vruleInfos)
if err != nil {
return nil, err
}
if res.gvk.Kind == "Namespace" {
if res.Gvk.Kind == "Namespace" {
// Generation
gruleInfos := GenerateNew(client, policy, res.resource)
gruleInfos := GenerateNew(client, policy, res.Resource)
policyInfo.AddRuleInfos(gruleInfos)
}

2
pkg/engine/generation.go
View file

@ -21,7 +21,7 @@ func Generate(client *client.Client, policy kubepolicy.Policy, rawResource []byt
ri := info.NewRuleInfo(rule.Name, info.Generation)
ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk)
ok := ResourceMeetsDescription(rawResource, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, gvk)
if !ok {
glog.Infof("Rule is not applicable to the request: rule name = %s in policy %s \n", rule.Name, policy.ObjectMeta.Name)
continue

2
pkg/engine/mutation.go
View file

@ -19,7 +19,7 @@ func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersio
}
ri := info.NewRuleInfo(rule.Name, info.Mutation)
ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk)
ok := ResourceMeetsDescription(rawResource, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, gvk)
if !ok {
glog.V(3).Infof("Not applicable on specified resource kind%s", gvk.Kind)
continue

58
pkg/engine/utils.go
View file

@ -6,8 +6,10 @@ import (
"strconv"
"strings"
"github.com/golang/glog"
"github.com/minio/minio/pkg/wildcard"
kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -15,8 +17,8 @@ import (
)
// ResourceMeetsDescription checks requests kind, name and labels to fit the policy rule
func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.ResourceDescription, gvk metav1.GroupVersionKind) bool {
if !findKind(description.Kinds, gvk.Kind) {
func ResourceMeetsDescription(resourceRaw []byte, matches v1alpha1.ResourceDescription, exclude v1alpha1.ResourceDescription, gvk metav1.GroupVersionKind) bool {
if !findKind(matches.Kinds, gvk.Kind) {
return false
}
@ -25,31 +27,53 @@ func ResourceMeetsDescription(resourceRaw []byte, description kubepolicy.Resourc
name := ParseNameFromObject(resourceRaw)
namespace := ParseNamespaceFromObject(resourceRaw)
if description.Name != nil {
if !wildcard.Match(*description.Name, name) {
if matches.Name != nil {
// Matches
if !wildcard.Match(*matches.Name, name) {
return false
}
// Exclude
// the resource name matches the exclude resource name then reject
if exclude.Name != nil {
if wildcard.Match(*exclude.Name, name) {
return false
}
}
}
if description.Namespace != nil && *description.Namespace != namespace {
// Matches
if matches.Namespace != nil && *matches.Namespace != namespace {
return false
}
if description.Selector != nil {
selector, err := metav1.LabelSelectorAsSelector(description.Selector)
// Exclude
if exclude.Namespace != nil && *exclude.Namespace == namespace {
return false
}
// Matches
if matches.Selector != nil {
selector, err := metav1.LabelSelectorAsSelector(matches.Selector)
if err != nil {
glog.Error(err)
return false
}
labelMap := parseLabelsFromMetadata(meta)
if !selector.Matches(labelMap) {
return false
}
}
// Exclude
if exclude.Selector != nil {
selector, err := metav1.LabelSelectorAsSelector(exclude.Selector)
// if the label selector is incorrect, should be fail or
if err != nil {
glog.Error(err)
return false
}
labelMap := parseLabelsFromMetadata(meta)
if selector.Matches(labelMap) {
return false
}
}
}
return true
}
@ -253,6 +277,6 @@ func convertToFloat(value interface{}) (float64, error) {
}
type resourceInfo struct {
resource unstructured.Unstructured
gvk *metav1.GroupVersionKind
Resource unstructured.Unstructured
Gvk *metav1.GroupVersionKind
}

2
pkg/engine/validation.go
View file

@ -32,7 +32,7 @@ func Validate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVers
}
ri := info.NewRuleInfo(rule.Name, info.Validation)
ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk)
ok := ResourceMeetsDescription(rawResource, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, gvk)
if !ok {
glog.V(3).Infof("Not applicable on specified resource kind%s", gvk.Kind)
continue

11
pkg/gencontroller/generation.go
View file

@ -14,6 +14,7 @@ import (
"github.com/nirmata/kyverno/pkg/info"
violation "github.com/nirmata/kyverno/pkg/violation"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
)
@ -44,7 +45,15 @@ func (c *Controller) listPolicies(ns *corev1.Namespace) ([]*v1alpha1.Policy, err
for _, r := range p.Spec.Rules {
if r.Generation != nil {
// Check if the resource meets the description
if namespaceMeetsRuleDescription(ns, r.ResourceDescription) {
data, err := ns.Marshal()
if err != nil {
glog.Error(err)
continue
}
// convert types of GVK
nsGvk := ns.GroupVersionKind()
gvk := metav1.GroupVersionKind{Group: nsGvk.Group, Kind: nsGvk.Kind, Version: nsGvk.Version}
if engine.ResourceMeetsDescription(data, r.MatchResources.ResourceDescription, r.ExcludeResources.ResourceDescription, gvk) {
fpolicies = append(fpolicies, p)
break
}

2
pkg/webhooks/deleteresource.go
View file

@ -26,7 +26,7 @@ func (ws *WebhookServer) removePolicyViolation(request *v1beta1.AdmissionRequest
rkind := request.Kind.Kind
// check if the resource meets the policy Resource description
for _, rule := range policy.Spec.Rules {
ok := engine.ResourceMeetsDescription(request.Object.Raw, rule.ResourceDescription, request.Kind)
ok := engine.ResourceMeetsDescription(request.Object.Raw, rule.MatchResources.ResourceDescription, rule.ExcludeResources.ResourceDescription, request.Kind)
if ok {
// Check if the policy has a violation for this resource
err := ws.violationBuilder.ResourceRemoval(policy.Name, rkind, rns, rname)

10
pkg/webhooks/utils.go
View file

@ -77,10 +77,18 @@ func getApplicableKindsForPolicy(p *v1alpha1.Policy) []string {
kindsMap := map[string]interface{}{}
kinds := []string{}
// iterate over the rules an identify all kinds
// Matching
for _, rule := range p.Spec.Rules {
for _, k := range rule.ResourceDescription.Kinds {
for _, k := range rule.MatchResources.Kinds {
kindsMap[k] = nil
}
// remove excluded ones
for _, k := range rule.ExcludeResources.Kinds {
if _, ok := kindsMap[k]; ok {
// delete kind
delete(kindsMap, k)
}
}
}
// get the kinds