Merge pull request #328 from nirmata/bug_exclude

check the exclude conditions with AND
2025-03-31 03:45:17 +00:00 · 2019-09-04 10:02:57 -07:00 · 2019-09-04 10:02:57 -07:00 · 94bf186f30
commit 94bf186f30
parent 6b41c1148d 5a6814a588
2 changed files with 202 additions and 98 deletions
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@ -205,24 +205,12 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno
 			return false
 		}
 	}
-	// Exclude
-	// the resource name matches the exclude resource name then reject
-	if exclude.Name != "" {
-		if wildcard.Match(exclude.Name, name) {
-			return false
-		}
-	}

 	// Matches
 	// check if the resource namespace is defined in the list of namespaces for inclusion
 	if len(matches.Namespaces) > 0 && !utils.Contains(matches.Namespaces, namespace) {
 		return false
 	}
-	// Exclude
-	// check if the resource namespace is defined in the list of namespace for exclusion
-	if len(exclude.Namespaces) > 0 && utils.Contains(exclude.Namespaces, namespace) {
-		return false
-	}

 	// Matches
 	if matches.Selector != nil {
@ -235,89 +223,95 @@ func MatchesResourceDescription(resource unstructured.Unstructured, rule kyverno
 			return false
 		}
 	}
-	// Exclude
-	if exclude.Selector != nil {
+
+	excludeName := func(name string) Condition {
+		if exclude.Name == "" {
+			return NotEvaluate
+		}
+		if wildcard.Match(exclude.Name, name) {
+			return Skip
+		}
+		return Process
+	}
+
+	excludeNamespace := func(namespace string) Condition {
+		if len(exclude.Namespaces) == 0 {
+			return NotEvaluate
+		}
+		if utils.Contains(exclude.Namespaces, namespace) {
+			return Skip
+		}
+		return Process
+	}
+
+	excludeSelector := func(labelsMap map[string]string) Condition {
+		if exclude.Selector == nil {
+			return NotEvaluate
+		}
 		selector, err := metav1.LabelSelectorAsSelector(exclude.Selector)
 		// if the label selector is incorrect, should be fail or
 		if err != nil {
 			glog.Error(err)
-			return false
+			return Skip
 		}
-		if selector.Matches(labels.Set(resource.GetLabels())) {
-			return false
+		if selector.Matches(labels.Set(labelsMap)) {
+			return Skip
 		}
+		return Process
 	}
-	return true
+
+	excludeKind := func(kind string) Condition {
+		if len(exclude.Kinds) == 0 {
+			return NotEvaluate
+		}
+
+		if findKind(exclude.Kinds, kind) {
+			return Skip
+		}
+
+		return Process
+	}
+
+	// 0 -> dont check
+	// 1 -> is not to be exclude
+	// 2 -> to be exclude
+	excludeEval := []Condition{}
+
+	if ret := excludeName(resource.GetName()); ret != NotEvaluate {
+		excludeEval = append(excludeEval, ret)
+	}
+	if ret := excludeNamespace(resource.GetNamespace()); ret != NotEvaluate {
+		excludeEval = append(excludeEval, ret)
+	}
+	if ret := excludeSelector(resource.GetLabels()); ret != NotEvaluate {
+		excludeEval = append(excludeEval, ret)
+	}
+	if ret := excludeKind(resource.GetKind()); ret != NotEvaluate {
+		excludeEval = append(excludeEval, ret)
+	}
+	// Filtered NotEvaluate
+
+	if len(excludeEval) == 0 {
+		// nothing to exclude
+		return true
+	}
+	return func() bool {
+		for _, ret := range excludeEval {
+			if ret == Process {
+				return true
+			}
+		}
+		return false
+	}()
 }

-// // ResourceMeetsDescription checks requests kind, name and labels to fit the policy rule
-// func ResourceMeetsDescription(resourceRaw []byte, matches kyverno.ResourceDescription, exclude kyverno.ResourceDescription, gvk metav1.GroupVersionKind) bool {
-// 	if !findKind(matches.Kinds, gvk.Kind) {
-// 		return false
-// 	}
+type Condition int

-// 	if resourceRaw != nil {
-// 		meta := parseMetadataFromObject(resourceRaw)
-// 		name := ParseNameFromObject(resourceRaw)
-// 		namespace := ParseNamespaceFromObject(resourceRaw)
-
-// 		if matches.Name != "" {
-// 			// Matches
-// 			if !wildcard.Match(matches.Name, name) {
-// 				return false
-// 			}
-// 		}
-// 		// Exclude
-// 		// the resource name matches the exclude resource name then reject
-// 		if exclude.Name != "" {
-// 			if wildcard.Match(exclude.Name, name) {
-// 				return false
-// 			}
-// 		}
-// 		// Matches
-// 		// check if the resource namespace is defined in the list of namespaces for inclusion
-// 		if len(matches.Namespaces) > 0 && !utils.Contains(matches.Namespaces, namespace) {
-// 			return false
-// 		}
-// 		// Exclude
-// 		// check if the resource namespace is defined in the list of namespace for exclusion
-// 		if len(exclude.Namespaces) > 0 && utils.Contains(exclude.Namespaces, namespace) {
-// 			return false
-// 		}
-// 		// Matches
-// 		if matches.Selector != nil {
-// 			selector, err := metav1.LabelSelectorAsSelector(matches.Selector)
-// 			if err != nil {
-// 				glog.Error(err)
-// 				return false
-// 			}
-// 			if meta != nil {
-// 				labelMap := parseLabelsFromMetadata(meta)
-// 				if !selector.Matches(labelMap) {
-// 					return false
-// 				}
-// 			}
-// 		}
-// 		// Exclude
-// 		if exclude.Selector != nil {
-// 			selector, err := metav1.LabelSelectorAsSelector(exclude.Selector)
-// 			// if the label selector is incorrect, should be fail or
-// 			if err != nil {
-// 				glog.Error(err)
-// 				return false
-// 			}
-
-// 			if meta != nil {
-// 				labelMap := parseLabelsFromMetadata(meta)
-// 				if selector.Matches(labelMap) {
-// 					return false
-// 				}
-// 			}
-// 		}
-
-// 	}
-// 	return true
-// }
+const (
+	NotEvaluate Condition = 0
+	Process     Condition = 1
+	Skip        Condition = 2
+)

 // ParseResourceInfoFromObject get kind/namepace/name from resource
 func ParseResourceInfoFromObject(rawResource []byte) string {
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@ -1,6 +1,7 @@
 package policy

 import (
+	"reflect"
 	"sync"
 	"time"

@ -12,6 +13,7 @@ import (
 	"github.com/nirmata/kyverno/pkg/utils"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/labels"
 )

 func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []engine.EngineResponseNew {
@ -45,10 +47,10 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, filterK8
 	for _, rule := range policy.Spec.Rules {
 		// resources that match
 		for _, k := range rule.MatchResources.Kinds {
-			if kindIsExcluded(k, rule.ExcludeResources.Kinds) {
-				glog.V(4).Infof("processing policy %s rule %s: kind %s is exluded", policy.Name, rule.Name, k)
-				continue
-			}
+			// if kindIsExcluded(k, rule.ExcludeResources.Kinds) {
+			// 	glog.V(4).Infof("processing policy %s rule %s: kind %s is exluded", policy.Name, rule.Name, k)
+			// 	continue
+			// }
 			var namespaces []string
 			if k == "Namespace" {
 				// TODO
@ -65,7 +67,7 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, filterK8
 				namespaces = getAllNamespaces(client)
 			}
 			// check if exclude namespace is not clashing
-			namespaces = excludeNamespaces(namespaces, rule.ExcludeResources.Namespaces)
+			// namespaces = excludeNamespaces(namespaces, rule.ExcludeResources.Namespaces)

 			// get resources in the namespaces
 			for _, ns := range namespaces {
@ -81,7 +83,8 @@ func listResources(client *client.Client, policy kyverno.ClusterPolicy, filterK8
 func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, filterK8Resources []utils.K8Resource) map[string]unstructured.Unstructured {
 	resourceMap := map[string]unstructured.Unstructured{}
 	// merge include and exclude label selector values
-	ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
+	ls := rule.MatchResources.Selector
+	//	ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector)
 	// list resources
 	glog.V(4).Infof("get resources for kind %s, namespace %s, selector %v", kind, namespace, rule.MatchResources.Selector)
 	list, err := client.ListResource(kind, namespace, ls)
@ -98,13 +101,13 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 				continue
 			}
 		}
-		// exclude name
-		if rule.ExcludeResources.Name != "" {
-			if wildcard.Match(rule.ExcludeResources.Name, r.GetName()) {
-				glog.V(4).Infof("skipping resource %s/%s due to exclude condition name=%s mistatch", r.GetNamespace(), r.GetName(), rule.MatchResources.Name)
-				continue
-			}
-		}
+		// // exclude name
+		// if rule.ExcludeResources.Name != "" {
+		// 	if wildcard.Match(rule.ExcludeResources.Name, r.GetName()) {
+		// 		glog.V(4).Infof("skipping resource %s/%s due to exclude condition name=%s mistatch", r.GetNamespace(), r.GetName(), rule.MatchResources.Name)
+		// 		continue
+		// 	}
+		// }
 		// Skip the filtered resources
 		if utils.SkipFilteredResources(r.GetKind(), r.GetNamespace(), r.GetName(), filterK8Resources) {
 			continue
@ -113,9 +116,116 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 		//TODO check if the group version kind is present or not
 		resourceMap[string(r.GetUID())] = r
 	}
+
+	// All the included resource
+	// Need to exclude
+	excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription)
 	return resourceMap
 }

+func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription) {
+	if reflect.DeepEqual(exclude, (kyverno.ResourceDescription{})) {
+		return
+	}
+	excludeName := func(name string) Condition {
+		if exclude.Name == "" {
+			return NotEvaluate
+		}
+		if wildcard.Match(exclude.Name, name) {
+			return Skip
+		}
+		return Process
+	}
+
+	excludeNamespace := func(namespace string) Condition {
+		if len(exclude.Namespaces) == 0 {
+			return NotEvaluate
+		}
+		if utils.Contains(exclude.Namespaces, namespace) {
+			return Skip
+		}
+		return Process
+	}
+
+	excludeSelector := func(labelsMap map[string]string) Condition {
+		if exclude.Selector == nil {
+			return NotEvaluate
+		}
+		selector, err := metav1.LabelSelectorAsSelector(exclude.Selector)
+		// if the label selector is incorrect, should be fail or
+		if err != nil {
+			glog.Error(err)
+			return Skip
+		}
+		if selector.Matches(labels.Set(labelsMap)) {
+			return Skip
+		}
+		return Process
+	}
+
+	findKind := func(kind string, kinds []string) bool {
+		for _, k := range kinds {
+			if k == kind {
+				return true
+			}
+		}
+		return false
+	}
+
+	excludeKind := func(kind string) Condition {
+		if len(exclude.Kinds) == 0 {
+			return NotEvaluate
+		}
+
+		if findKind(kind, exclude.Kinds) {
+			return Skip
+		}
+
+		return Process
+	}
+
+	// check exclude condition for each resource
+	for uid, resource := range included {
+		// 0 -> dont check
+		// 1 -> is not to be exclude
+		// 2 -> to be exclude
+		excludeEval := []Condition{}
+
+		if ret := excludeName(resource.GetName()); ret != NotEvaluate {
+			excludeEval = append(excludeEval, ret)
+		}
+		if ret := excludeNamespace(resource.GetNamespace()); ret != NotEvaluate {
+			excludeEval = append(excludeEval, ret)
+		}
+		if ret := excludeSelector(resource.GetLabels()); ret != NotEvaluate {
+			excludeEval = append(excludeEval, ret)
+		}
+		if ret := excludeKind(resource.GetKind()); ret != NotEvaluate {
+			excludeEval = append(excludeEval, ret)
+		}
+
+		func() bool {
+			for _, ret := range excludeEval {
+				if ret == Process {
+					// Process the resources
+					continue
+				}
+			}
+			// Skip the resource from processing
+			delete(included, uid)
+			return false
+		}()
+	}
+}
+
+type Condition int
+
+const (
+	NotEvaluate Condition = 0
+	Process     Condition = 1
+	Skip        Condition = 2
+)
+
 // merge b into a map
 func mergeresources(a, b map[string]unstructured.Unstructured) {
 	for k, v := range b {