Merge branch 'mutating-overlay' into release-0.1

.gitignore

@@ -2,7 +2,7 @@ vendor
 pkg/client
 pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go
 certs
-kube-policy
+kyverno
 Gopkg.lock
 Dockerfile
 .vscode

pkg/engine/mutation.go

@@ -4,15 +4,14 @@ import (
 	"log"
 
 	kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
-	"github.com/nirmata/kyverno/pkg/engine/mutation"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // Mutate performs mutation. Overlay first and then mutation patches
 // TODO: return events and violations
-func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) ([]mutation.PatchBytes, []byte) {
-	var policyPatches []mutation.PatchBytes
-	var processedPatches []mutation.PatchBytes
+func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) ([]PatchBytes, []byte) {
+	var policyPatches []PatchBytes
+	var processedPatches []PatchBytes
 	var err error
 	patchedDocument := rawResource
 
@@ -30,7 +29,7 @@ func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersio
 		// Process Overlay
 
 		if rule.Mutation.Overlay != nil {
-			overlayPatches, err := mutation.ProcessOverlay(rule.Mutation.Overlay, rawResource)
+			overlayPatches, err := ProcessOverlay(policy, rawResource, gvk)
 			if err != nil {
 				log.Printf("Overlay application has failed for rule %s in policy %s, err: %v\n", rule.Name, policy.ObjectMeta.Name, err)
 			} else {
@@ -41,7 +40,7 @@ func Mutate(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersio
 		// Process Patches
 
 		if rule.Mutation.Patches != nil {
-			processedPatches, patchedDocument, err = mutation.ProcessPatches(rule.Mutation.Patches, patchedDocument)
+			processedPatches, patchedDocument, err = ProcessPatches(rule.Mutation.Patches, patchedDocument)
 			if err != nil {
 				log.Printf("Patches application has failed for rule %s in policy %s, err: %v\n", rule.Name, policy.ObjectMeta.Name, err)
 			} else {

pkg/engine/mutation/overlay.go

@@ -1,6 +0,0 @@
-package mutation
-
-func ProcessOverlay(overlay interface{}, rawResource []byte) ([]PatchBytes, error) {
-	// TODO: Overlay to be implemented
-	return nil, nil
-}

pkg/engine/overlay.go

@@ -0,0 +1,379 @@
+package engine
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"reflect"
+
+	jsonpatch "github.com/evanphx/json-patch"
+
+	kubepolicy "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ProcessOverlay handles validating admission request
+// Checks the target resourse for rules defined in the policy
+func ProcessOverlay(policy kubepolicy.Policy, rawResource []byte, gvk metav1.GroupVersionKind) ([]PatchBytes, []byte) {
+	var resource interface{}
+	json.Unmarshal(rawResource, &resource)
+
+	for _, rule := range policy.Spec.Rules {
+		if rule.Mutation == nil || rule.Mutation.Overlay == nil {
+			continue
+		}
+
+		ok := ResourceMeetsDescription(rawResource, rule.ResourceDescription, gvk)
+		if !ok {
+			log.Printf("Rule \"%s\" is not applicable to resource\n", rule.Name)
+			continue
+		}
+
+		overlay := *rule.Mutation.Overlay
+		if err, _ := applyOverlay(resource, overlay, ""); err != nil {
+			//return fmt.Errorf("%s: %s", *rule.Validation.Message, err.Error())
+		}
+	}
+
+	return nil, nil
+}
+
+func applyOverlay(resource, overlay interface{}, path string) ([]PatchBytes, error) {
+	var appliedPatches []PatchBytes
+
+	// resource item exists but has different type - replace
+	// all subtree within this path by overlay
+	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
+		patch, err := replaceSubtree(overlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		appliedPatches = append(appliedPatches, patch)
+		return appliedPatches, nil
+	}
+
+	switch typedOverlay := overlay.(type) {
+	case map[string]interface{}:
+		typedResource := resource.(map[string]interface{})
+
+		for key, value := range typedOverlay {
+			if wrappedWithParentheses(key) {
+				key = key[1 : len(key)-1]
+			}
+			currentPath := path + key + "/"
+			resourcePart, ok := typedResource[key]
+
+			if ok {
+				patches, err := applyOverlay(resourcePart, value, currentPath)
+				if err != nil {
+					return nil, err
+				}
+
+				appliedPatches = append(appliedPatches, patches...)
+
+			} else {
+				patch, err := insertSubtree(value, currentPath)
+				if err != nil {
+					return nil, err
+				}
+
+				appliedPatches = append(appliedPatches, patch)
+			}
+		}
+	case []interface{}:
+		typedResource := resource.([]interface{})
+		patches, err := applyOverlayToArray(typedResource, typedOverlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		appliedPatches = append(appliedPatches, patches...)
+	case string:
+		patch, err := replaceSubtree(overlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		appliedPatches = append(appliedPatches, patch)
+	case float64:
+		patch, err := replaceSubtree(overlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		appliedPatches = append(appliedPatches, patch)
+	case int64:
+		patch, err := replaceSubtree(overlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		appliedPatches = append(appliedPatches, patch)
+	}
+
+	return appliedPatches, nil
+}
+
+func applyOverlayToArray(resource, overlay []interface{}, path string) ([]PatchBytes, error) {
+	var appliedPatches []PatchBytes
+	if len(overlay) == 0 {
+		return nil, fmt.Errorf("overlay does not support empty arrays")
+	}
+
+	if len(resource) == 0 {
+		patches, err := fillEmptyArray(overlay, path)
+		if err != nil {
+			return nil, err
+		}
+
+		return patches, nil
+	}
+
+	if reflect.TypeOf(resource[0]) != reflect.TypeOf(overlay[0]) {
+		return nil, fmt.Errorf("overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0])
+	}
+
+	switch overlay[0].(type) {
+	case map[string]interface{}:
+		for _, overlayElement := range overlay {
+			typedOverlay := overlayElement.(map[string]interface{})
+			anchors := GetAnchorsFromMap(typedOverlay)
+
+			currentPath := path + "0/"
+			for _, resourceElement := range resource {
+				typedResource := resourceElement.(map[string]interface{})
+				if len(anchors) > 0 {
+					if !skipArrayObject(typedResource, anchors) {
+						patches, err := applyOverlay(resourceElement, overlayElement, currentPath)
+						if err != nil {
+							return nil, err
+						}
+
+						appliedPatches = append(appliedPatches, patches...)
+					}
+				} else {
+					if hasNestedAnchors(overlayElement) {
+						patches, err := applyOverlay(resourceElement, overlayElement, currentPath)
+						if err != nil {
+							return nil, err
+						}
+						appliedPatches = append(appliedPatches, patches...)
+					} else {
+						patch, err := insertSubtree(overlayElement, currentPath)
+						if err != nil {
+							return nil, err
+						}
+						appliedPatches = append(appliedPatches, patch)
+					}
+				}
+			}
+
+		}
+	default:
+		path += "0/"
+		for _, value := range overlay {
+			patch, err := insertSubtree(value, path)
+			if err != nil {
+				return nil, err
+			}
+			appliedPatches = append(appliedPatches, patch)
+		}
+	}
+
+	return appliedPatches, nil
+}
+
+// In case of empty resource array
+// append all non-anchor items to front
+func fillEmptyArray(overlay []interface{}, path string) ([]PatchBytes, error) {
+	var appliedPatches []PatchBytes
+	if len(overlay) == 0 {
+		return nil, fmt.Errorf("overlay does not support empty arrays")
+	}
+
+	path += "0/"
+
+	switch overlay[0].(type) {
+	case map[string]interface{}:
+		for _, overlayElement := range overlay {
+			typedOverlay := overlayElement.(map[string]interface{})
+			anchors := GetAnchorsFromMap(typedOverlay)
+
+			if len(anchors) == 0 {
+				patch, err := insertSubtree(overlayElement, path)
+				if err != nil {
+					return nil, err
+				}
+
+				appliedPatches = append(appliedPatches, patch)
+			}
+		}
+	default:
+		for _, overlayElement := range overlay {
+			patch, err := insertSubtree(overlayElement, path)
+			if err != nil {
+				return nil, err
+			}
+
+			appliedPatches = append(appliedPatches, patch)
+		}
+	}
+
+	return appliedPatches, nil
+}
+
+func skipArrayObject(object, anchors map[string]interface{}) bool {
+	for key, pattern := range anchors {
+		key = key[1 : len(key)-1]
+
+		value, ok := object[key]
+		if !ok {
+			return true
+		}
+
+		if value != pattern {
+			return true
+		}
+	}
+
+	return false
+}
+
+func insertSubtree(overlay interface{}, path string) ([]byte, error) {
+	return processSubtree(overlay, path, "add")
+}
+
+func replaceSubtree(overlay interface{}, path string) ([]byte, error) {
+	return processSubtree(overlay, path, "replace")
+}
+
+func processSubtree(overlay interface{}, path string, op string) ([]byte, error) {
+	if len(path) > 1 && path[len(path)-1] == '/' {
+		path = path[:len(path)-1]
+	}
+
+	if path == "" {
+		path = "/"
+	}
+
+	value := prepareJSONValue(overlay)
+	patchStr := fmt.Sprintf(`{ "op": "%s", "path": "%s", "value": %s }`, op, path, value)
+
+	// check the patch
+	_, err := jsonpatch.DecodePatch([]byte("[" + patchStr + "]"))
+	if err != nil {
+		return nil, err
+	}
+
+	return []byte(patchStr), nil
+}
+
+func prepareJSONValue(overlay interface{}) string {
+	switch typed := overlay.(type) {
+	case map[string]interface{}:
+		if len(typed) == 0 {
+			return ""
+		}
+
+		if hasOnlyAnchors(overlay) {
+			return ""
+		}
+
+		result := ""
+		for key, value := range typed {
+			jsonValue := prepareJSONValue(value)
+
+			pair := fmt.Sprintf(`"%s":%s`, key, jsonValue)
+
+			if result != "" {
+				result += ", "
+			}
+
+			result += pair
+		}
+
+		result = fmt.Sprintf(`{ %s }`, result)
+		return result
+	case []interface{}:
+		if len(typed) == 0 {
+			return ""
+		}
+
+		if hasOnlyAnchors(overlay) {
+			return ""
+		}
+
+		result := ""
+		for _, value := range typed {
+			jsonValue := prepareJSONValue(value)
+
+			if result != "" {
+				result += ", "
+			}
+
+			result += jsonValue
+		}
+
+		result = fmt.Sprintf(`[ %s ]`, result)
+		return result
+	case string:
+		return fmt.Sprintf(`"%s"`, typed)
+	case float64:
+		return fmt.Sprintf("%f", typed)
+	case int64:
+		return fmt.Sprintf("%d", typed)
+	default:
+		return ""
+	}
+}
+
+func hasOnlyAnchors(overlay interface{}) bool {
+	switch typed := overlay.(type) {
+	case map[string]interface{}:
+		if anchors := GetAnchorsFromMap(typed); len(anchors) == len(typed) {
+			return true
+		}
+
+		for _, value := range typed {
+			if !hasOnlyAnchors(value) {
+				return false
+			}
+		}
+
+		return true
+	case string:
+		return false
+	case float64:
+		return false
+	case int64:
+		return false
+	default:
+		return false
+	}
+}
+
+func hasNestedAnchors(overlay interface{}) bool {
+	switch typed := overlay.(type) {
+	case map[string]interface{}:
+		if anchors := GetAnchorsFromMap(typed); len(anchors) > 0 {
+			return true
+		}
+
+		for _, value := range typed {
+			if hasNestedAnchors(value) {
+				return true
+			}
+		}
+
+		return false
+	case string:
+		return false
+	case float64:
+		return false
+	case int64:
+		return false
+	default:
+		return false
+	}
+}

pkg/engine/overlay_test.go

@@ -0,0 +1,62 @@
+package engine
+
+import (
+	"encoding/json"
+	"testing"
+
+	jsonpatch "github.com/evanphx/json-patch"
+	"gotest.tools/assert"
+)
+
+func TestApplyOverlay_NestedListWithAnchor(t *testing.T) {
+	resourceRaw := []byte(`{ "apiVersion": "v1", "kind": "Endpoints", "metadata": { "name": "test-endpoint", "labels": { "label": "test" } }, "subsets": [ { "addresses": [ { "ip": "192.168.10.171" } ], "ports": [ { "name": "secure-connection", "port": 443, "protocol": "TCP" } ] } ] }`)
+	overlayRaw := []byte(`{ "subsets": [ { "ports": [ { "(name)": "secure-connection", "port": 444, "protocol": "UDP" } ] } ] }`)
+
+	var resource, overlay interface{}
+
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
+
+	patches, err := applyOverlay(resource, overlay, "/")
+	assert.NilError(t, err)
+	assert.Assert(t, patches != nil)
+
+	patch := JoinPatches(patches)
+	decoded, err := jsonpatch.DecodePatch(patch)
+	assert.NilError(t, err)
+	assert.Assert(t, decoded != nil)
+
+	patched, err := decoded.Apply(resourceRaw)
+	assert.NilError(t, err)
+	assert.Assert(t, patched != nil)
+
+	expectedResult := []byte(`{"apiVersion":"v1","kind":"Endpoints","metadata":{"name":"test-endpoint","labels":{"label":"test"}},"subsets":[{"addresses":[{"ip":"192.168.10.171"}],"ports":[{"name":"secure-connection","port":444.000000,"protocol":"UDP"}]}]}`)
+	assert.Equal(t, string(expectedResult), string(patched))
+}
+
+func TestApplyOverlay_InsertIntoArray(t *testing.T) {
+	resourceRaw := []byte(`{ "apiVersion": "v1", "kind": "Endpoints", "metadata": { "name": "test-endpoint", "labels": { "label": "test" } }, "subsets": [ { "addresses": [ { "ip": "192.168.10.171" } ], "ports": [ { "name": "secure-connection", "port": 443, "protocol": "TCP" } ] } ] }`)
+	overlayRaw := []byte(`{ "subsets": [ { "addresses": [ { "ip": "192.168.10.172" }, { "ip": "192.168.10.173" } ], "ports": [ { "name": "insecure-connection", "port": 80, "protocol": "UDP" } ] } ] }`)
+
+	var resource, overlay interface{}
+
+	json.Unmarshal(resourceRaw, &resource)
+	json.Unmarshal(overlayRaw, &overlay)
+
+	patches, err := applyOverlay(resource, overlay, "/")
+	assert.NilError(t, err)
+	assert.Assert(t, patches != nil)
+
+	patch := JoinPatches(patches)
+
+	decoded, err := jsonpatch.DecodePatch(patch)
+	assert.NilError(t, err)
+	assert.Assert(t, decoded != nil)
+
+	patched, err := decoded.Apply(resourceRaw)
+	assert.NilError(t, err)
+	assert.Assert(t, patched != nil)
+
+	expectedResult := []byte(`{"apiVersion":"v1","kind":"Endpoints","metadata":{"name":"test-endpoint","labels":{"label":"test"}},"subsets":[{"addresses":[{"ip":"192.168.10.172"},{"ip":"192.168.10.173"}],"ports":[{"name":"insecure-connection","port":80.000000,"protocol":"UDP"}]},{"addresses":[{"ip":"192.168.10.171"}],"ports":[{"name":"secure-connection","port":443,"protocol":"TCP"}]}]}`)
+	assert.Equal(t, string(expectedResult), string(patched))
+}

pkg/engine/patches.go

@@ -1,4 +1,4 @@
-package mutation
+package engine
 
 import (
 	"encoding/json"

pkg/engine/patches_test.go

@@ -1,4 +1,4 @@
-package mutation
+package engine
 
 import (
 	"testing"

pkg/engine/utils.go

@@ -105,6 +105,18 @@ func ParseRegexPolicyResourceName(policyResourceName string) (string, bool) {
 	return strings.Trim(regex[1], " "), true
 }
 
+func GetAnchorsFromMap(anchorsMap map[string]interface{}) map[string]interface{} {
+	result := make(map[string]interface{})
+
+	for key, value := range anchorsMap {
+		if wrappedWithParentheses(key) {
+			result[key] = value
+		}
+	}
+
+	return result
+}
+
 func findKind(kinds []string, kindGVK string) bool {
 	for _, kind := range kinds {
 		if kind == kindGVK {

pkg/engine/validation.go

@@ -96,10 +96,7 @@ func validateArray(resourcePart, patternPart interface{}) error {
 
 	switch pattern := patternArray[0].(type) {
 	case map[string]interface{}:
-		anchors, err := getAnchorsFromMap(pattern)
-		if err != nil {
-			return err
-		}
+		anchors := GetAnchorsFromMap(pattern)
 
 		for _, value := range resourceArray {
 			resource, ok := value.(map[string]interface{})
@@ -107,7 +104,7 @@ func validateArray(resourcePart, patternPart interface{}) error {
 				return fmt.Errorf("expected array, found %T", resourcePart)
 			}
 
-			if skipArrayObject(resource, anchors) {
+			if skipValidatingObject(resource, anchors) {
 				continue
 			}
 
@@ -177,19 +174,7 @@ func validateMapElement(resourcePart, patternPart interface{}) error {
 	return nil
 }
 
-func getAnchorsFromMap(pattern map[string]interface{}) (map[string]interface{}, error) {
-	result := make(map[string]interface{})
-
-	for key, value := range pattern {
-		if wrappedWithParentheses(key) {
-			result[key] = value
-		}
-	}
-
-	return result, nil
-}
-
-func skipArrayObject(object, anchors map[string]interface{}) bool {
+func skipValidatingObject(object, anchors map[string]interface{}) bool {
 	for key, pattern := range anchors {
 		key = key[1 : len(key)-1]
 

pkg/engine/validation_test.go

@@ -306,8 +306,7 @@ func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) {
 	var unmarshalled map[string]interface{}
 	json.Unmarshal(rawMap, &unmarshalled)
 
-	actualMap, err := getAnchorsFromMap(unmarshalled)
-	assert.NilError(t, err)
+	actualMap := GetAnchorsFromMap(unmarshalled)
 	assert.Equal(t, len(actualMap), 2)
 	assert.Equal(t, actualMap["(name)"].(string), "nirmata-*")
 	assert.Equal(t, actualMap["(namespace)"].(string), "kube-?olicy")
@@ -319,8 +318,7 @@ func TestGetAnchorsFromMap_ThereAreNoAnchors(t *testing.T) {
 	var unmarshalled map[string]interface{}
 	json.Unmarshal(rawMap, &unmarshalled)
 
-	actualMap, err := getAnchorsFromMap(unmarshalled)
-	assert.NilError(t, err)
+	actualMap := GetAnchorsFromMap(unmarshalled)
 	assert.Assert(t, len(actualMap) == 0)
 }
 

pkg/webhooks/server.go

@@ -16,7 +16,6 @@ import (
 	"github.com/nirmata/kyverno/pkg/client/listers/policy/v1alpha1"
 	"github.com/nirmata/kyverno/pkg/config"
 	engine "github.com/nirmata/kyverno/pkg/engine"
-	"github.com/nirmata/kyverno/pkg/engine/mutation"
 	"github.com/nirmata/kyverno/pkg/sharedinformer"
 	tlsutils "github.com/nirmata/kyverno/pkg/tls"
 	v1beta1 "k8s.io/api/admission/v1beta1"
@@ -141,7 +140,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
 		return nil
 	}
 
-	var allPatches []mutation.PatchBytes
+	var allPatches []engine.PatchBytes
 	for _, policy := range policies {
 		ws.logger.Printf("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules))
 
@@ -158,7 +157,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
 	patchType := v1beta1.PatchTypeJSONPatch
 	return &v1beta1.AdmissionResponse{
 		Allowed:   true,
-		Patch:     mutation.JoinPatches(allPatches),
+		Patch:     engine.JoinPatches(allPatches),
 		PatchType: &patchType,
 	}
 }