522 save commit

2025-03-28 02:18:15 +00:00 · 2020-03-04 18:56:59 +05:30 · 2020-03-04 18:56:59 +05:30 · a0f9ad1361
commit a0f9ad1361
parent 0140aa6dd2
4 changed files with 357 additions and 0 deletions
--- a/pkg/dclient/client.go
+++ b/pkg/dclient/client.go
@ -5,6 +5,8 @@ import (
 	"strings"
 	"time"

+	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+
 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
 	apps "k8s.io/api/apps/v1"
@ -215,6 +217,7 @@ func convertToCSR(obj *unstructured.Unstructured) (*certificates.CertificateSign
 type IDiscovery interface {
 	GetGVRFromKind(kind string) schema.GroupVersionResource
 	GetServerVersion() (*version.Info, error)
+	OpenAPISchema() (*openapi_v2.Document, error)
 }

 // SetDiscovery sets the discovery client implementation
@ -246,6 +249,10 @@ func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struc
 	}
 }

+func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error) {
+	return c.cachedClient.OpenAPISchema()
+}
+
 //GetGVRFromKind get the Group Version Resource from kind
 // if kind is not found in first attempt we invalidate the cache,
 // the retry will then fetch the new registered resources and check again
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@ -0,0 +1,38 @@
+package openapi
+
+import (
+	"time"
+
+	"github.com/golang/glog"
+
+	client "github.com/nirmata/kyverno/pkg/dclient"
+	"k8s.io/apimachinery/pkg/util/wait"
+)
+
+type crdSync struct {
+	client *client.Client
+}
+
+func NewCRDSync(client *client.Client) *crdSync {
+	return &crdSync{
+		client: client,
+	}
+}
+
+func (c *crdSync) Run(workers int, stopCh <-chan struct{}) {
+	for i := 0; i < workers; i++ {
+		go wait.Until(c.syncCrd, time.Second*10, stopCh)
+	}
+}
+
+func (c *crdSync) syncCrd() {
+	newDoc, err := c.client.DiscoveryClient.OpenAPISchema()
+	if err != nil {
+		glog.V(4).Infof("cannot get openapi schema: %v", err)
+	}
+
+	err = useCustomOpenApiDocument(newDoc)
+	if err != nil {
+		glog.V(4).Infof("Could not set custom OpenApi document: %v\n", err)
+	}
+}
--- a/pkg/openapi/validation.go
+++ b/pkg/openapi/validation.go
@ -0,0 +1,247 @@
+package openapi
+
+import (
+	"fmt"
+	"strconv"
+	"strings"
+	"sync"
+
+	"github.com/nirmata/kyverno/data"
+
+	"github.com/golang/glog"
+
+	"github.com/nirmata/kyverno/pkg/engine"
+	"github.com/nirmata/kyverno/pkg/engine/context"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+
+	openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2"
+	"github.com/googleapis/gnostic/compiler"
+	"k8s.io/kube-openapi/pkg/util/proto"
+	"k8s.io/kube-openapi/pkg/util/proto/validation"
+
+	"gopkg.in/yaml.v2"
+)
+
+var openApiGlobalState struct {
+	mutex                sync.RWMutex
+	document             *openapi_v2.Document
+	definitions          map[string]*openapi_v2.Schema
+	kindToDefinitionName map[string]string
+	models               proto.Models
+	isSet                bool
+}
+
+func init() {
+	if !openApiGlobalState.isSet {
+		defaultDoc, err := getSchemaDocument()
+		if err != nil {
+			panic(err)
+		}
+
+		err = useCustomOpenApiDocument(defaultDoc)
+		if err != nil {
+			panic(err)
+		}
+	}
+}
+
+func ValidatePolicyMutation(policy v1.ClusterPolicy) error {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+
+	if !openApiGlobalState.isSet {
+		glog.V(4).Info("Cannot Validate policy: Validation global state not set")
+		return nil
+	}
+
+	var kindToRules = make(map[string][]v1.Rule)
+	for _, rule := range policy.Spec.Rules {
+		if rule.HasMutate() {
+			rule.MatchResources = v1.MatchResources{
+				UserInfo: v1.UserInfo{},
+				ResourceDescription: v1.ResourceDescription{
+					Kinds: rule.MatchResources.Kinds,
+				},
+			}
+			rule.ExcludeResources = v1.ExcludeResources{}
+			for _, kind := range rule.MatchResources.Kinds {
+				kindToRules[kind] = append(kindToRules[kind], rule)
+			}
+		}
+	}
+
+	for kind, rules := range kindToRules {
+		newPolicy := policy
+		newPolicy.Spec.Rules = rules
+
+		resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{})
+		newResource := unstructured.Unstructured{Object: resource}
+		newResource.SetKind(kind)
+		policyContext := engine.PolicyContext{
+			Policy:      newPolicy,
+			NewResource: newResource,
+			Context:     context.NewContext(),
+		}
+		resp := engine.Mutate(policyContext)
+		if len(resp.GetSuccessRules()) != len(rules) {
+			var errMessages []string
+			for _, rule := range resp.PolicyResponse.Rules {
+				if !rule.Success {
+					errMessages = append(errMessages, fmt.Sprintf("Invalid rule : %v, %v", rule.Name, rule.Message))
+				}
+			}
+			return fmt.Errorf(strings.Join(errMessages, "\n"))
+		}
+		err := ValidateResource(resp.PatchedResource.UnstructuredContent(), kind)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func ValidateResource(patchedResource interface{}, kind string) error {
+	openApiGlobalState.mutex.RLock()
+	defer openApiGlobalState.mutex.RUnlock()
+
+	if !openApiGlobalState.isSet {
+		glog.V(4).Info("Cannot Validate resource: Validation global state not set")
+		return nil
+	}
+
+	kind = openApiGlobalState.kindToDefinitionName[kind]
+	schema := openApiGlobalState.models.LookupModel(kind)
+	if schema == nil {
+		return fmt.Errorf("pre-validation: couldn't find model %s", kind)
+	}
+
+	if errs := validation.ValidateModel(patchedResource, schema, kind); len(errs) > 0 {
+		var errorMessages []string
+		for i := range errs {
+			errorMessages = append(errorMessages, errs[i].Error())
+		}
+
+		return fmt.Errorf(strings.Join(errorMessages, "\n\n"))
+	}
+
+	return nil
+}
+
+func useCustomOpenApiDocument(customDoc *openapi_v2.Document) error {
+	openApiGlobalState.mutex.Lock()
+	defer openApiGlobalState.mutex.Unlock()
+
+	openApiGlobalState.document = customDoc
+
+	openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema)
+	openApiGlobalState.kindToDefinitionName = make(map[string]string)
+	for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties {
+		openApiGlobalState.definitions[definition.GetName()] = definition.GetValue()
+		path := strings.Split(definition.GetName(), ".")
+		openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName()
+	}
+
+	var err error
+	openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document)
+	if err != nil {
+		return err
+	}
+
+	openApiGlobalState.isSet = true
+
+	return nil
+}
+
+func getSchemaDocument() (*openapi_v2.Document, error) {
+	var spec yaml.MapSlice
+	err := yaml.Unmarshal([]byte(data.SwaggerDoc), &spec)
+	if err != nil {
+		return nil, err
+	}
+
+	return openapi_v2.NewDocument(spec, compiler.NewContext("$root", nil))
+}
+
+func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} {
+
+	types := kindSchema.GetType().GetValue()
+
+	if kindSchema.GetXRef() != "" {
+		return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")])
+	}
+
+	if len(types) != 1 {
+		return nil
+	}
+
+	switch types[0] {
+	case "object":
+		var props = make(map[string]interface{})
+		properties := kindSchema.GetProperties().GetAdditionalProperties()
+		if len(properties) == 0 {
+			return props
+		}
+
+		var wg sync.WaitGroup
+		var mutex sync.Mutex
+		wg.Add(len(properties))
+		for _, property := range properties {
+			go func(property *openapi_v2.NamedSchema) {
+				prop := generateEmptyResource(property.GetValue())
+				mutex.Lock()
+				props[property.GetName()] = prop
+				mutex.Unlock()
+				wg.Done()
+			}(property)
+		}
+		wg.Wait()
+		return props
+	case "array":
+		var array []interface{}
+		for _, schema := range kindSchema.GetItems().GetSchema() {
+			array = append(array, generateEmptyResource(schema))
+		}
+		return array
+	case "string":
+		if kindSchema.GetDefault() != nil {
+			return string(kindSchema.GetDefault().Value.Value)
+		}
+		if kindSchema.GetExample() != nil {
+			return string(kindSchema.GetExample().GetValue().Value)
+		}
+		return ""
+	case "integer":
+		if kindSchema.GetDefault() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))
+			return val
+		}
+		if kindSchema.GetExample() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))
+			return val
+		}
+		return 0
+	case "number":
+		if kindSchema.GetDefault() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetDefault().Value.Value))
+			return val
+		}
+		if kindSchema.GetExample() != nil {
+			val, _ := strconv.Atoi(string(kindSchema.GetExample().GetValue().Value))
+			return val
+		}
+		return 0
+	case "boolean":
+		if kindSchema.GetDefault() != nil {
+			return string(kindSchema.GetDefault().Value.Value) == "true"
+		}
+		if kindSchema.GetExample() != nil {
+			return string(kindSchema.GetExample().GetValue().Value) == "true"
+		}
+		return false
+	}
+
+	return nil
+}
--- a/pkg/openapi/validation_test.go
+++ b/pkg/openapi/validation_test.go
@ -0,0 +1,65 @@
+package openapi
+
+import (
+	"encoding/json"
+	"testing"
+
+	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
+)
+
+func Test_ValidateMutationPolicy(t *testing.T) {
+	err := setValidationGlobalState()
+	if err != nil {
+		t.Fatalf("Could not set global state")
+	}
+
+	tcs := []struct {
+		description string
+		policy      []byte
+		errMessage  string
+	}{
+		{
+			description: "Policy with mutating imagePullPolicy Overlay",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"Always"}]}}}}]}}`),
+		},
+		{
+			description: "Policy with mutating imagePullPolicy Overlay, field does not exist",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","nonExistantField":"Always"}]}}}}]}}`),
+			errMessage:  `ValidationError(io.k8s.api.core.v1.Pod.spec.containers[0]): unknown field "nonExistantField" in io.k8s.api.core.v1.Container`,
+		},
+		{
+			description: "Policy with mutating imagePullPolicy Overlay, type of value is different (does not throw error since all numbers are also strings according to swagger)",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"set-image-pull-policy-2"},"spec":{"rules":[{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":80}]}}}}]}}`),
+		},
+		{
+			description: "Policy with patches",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"policy-endpoints"},"spec":{"rules":[{"name":"pEP","match":{"resources":{"kinds":["Endpoints"],"selector":{"matchLabels":{"label":"test"}}}},"mutate":{"patches":[{"path":"/subsets/0/ports/0/port","op":"replace","value":9663},{"path":"/metadata/labels/isMutated","op":"add","value":"true"}]}}]}}`),
+		},
+		{
+			description: "Policy with patches, value converted from number to string",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"policy-endpoints"},"spec":{"rules":[{"name":"pEP","match":{"resources":{"kinds":["Endpoints"],"selector":{"matchLabels":{"label":"test"}}}},"mutate":{"patches":[{"path":"/subsets/0/ports/0/port","op":"replace","value":"9663"},{"path":"/metadata/labels/isMutated","op":"add","value":"true"}]}}]}}`),
+			errMessage:  `ValidationError(io.k8s.api.core.v1.Endpoints.subsets[0].ports[0].port): invalid type for io.k8s.api.core.v1.EndpointPort.port: got "string", expected "integer"`,
+		},
+		{
+			description: "Policy where boolean is been converted to number",
+			policy:      []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"mutate-pod-disable-automoutingapicred"},"spec":{"rules":[{"name":"pod-disable-automoutingapicred","match":{"resources":{"kinds":["Pod"]}},"mutate":{"overlay":{"spec":{"(serviceAccountName)":"*","automountServiceAccountToken":80}}}}]}}`),
+			errMessage:  `ValidationError(io.k8s.api.core.v1.Pod.spec.automountServiceAccountToken): invalid type for io.k8s.api.core.v1.PodSpec.automountServiceAccountToken: got "integer", expected "boolean"`,
+		},
+	}
+
+	for i, tc := range tcs {
+		policy := v1.ClusterPolicy{}
+		_ = json.Unmarshal(tc.policy, &policy)
+
+		var errMessage string
+		err := ValidatePolicyMutation(policy)
+		if err != nil {
+			errMessage = err.Error()
+		}
+
+		if errMessage != tc.errMessage {
+			t.Errorf("\nTestcase [%v] failed:\nExpected Error:  %v\nGot Error:  %v", i+1, tc.errMessage, errMessage)
+		}
+	}
+
+}