mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

refactor: Rule type validation (#3400)

Browse source 
* refactor: UserInfo validation

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* refactor: Rule type validation

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
Charles-Edouard Brétéché 2022-03-16 22:57:31 +01:00 committed by GitHub
parent 33df85cc0c
commit adcb71f1d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 291 additions and 295 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

103
api/kyverno/v1/common_types.go
View file

@ -2,7 +2,6 @@ package v1
import (
"encoding/json"
"reflect"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@ -121,108 +120,6 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
return *s.Background
}
// Rule defines a validation, mutation, or generation control for matching resources.
// Each rules contains a match declaration to select resources, and an optional exclude
// declaration to specify which resources to exclude.
type Rule struct {
// Name is a label to identify the rule, It must be unique within the policy.
// +kubebuilder:validation:MaxLength=63
Name string `json:"name,omitempty" yaml:"name,omitempty"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
// MatchResources defines when this policy rule should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the user name or role.
// At least one kind is required.
MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`
// ExcludeResources defines when this policy rule should not be applied. The exclude
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
ExcludeResources ExcludeResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
// Preconditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
// of conditions (without `any` or `all` statements is supported for backwards compatibility but
// will be deprecated in the next major release.
// See: https://kyverno.io/docs/writing-policies/preconditions/
// +optional
RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
// Mutation is used to modify matching resources.
// +optional
Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`
// Validation is used to validate matching resources.
// +optional
Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`
// Generation is used to create new resources.
// +optional
Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`
// VerifyImages is used to verify image signatures and mutate them to add a digest
// +optional
VerifyImages []*ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
}
// HasMutate checks for mutate rule
func (r *Rule) HasMutate() bool {
return !reflect.DeepEqual(r.Mutation, Mutation{})
}
// HasVerifyImages checks for verifyImages rule
func (r *Rule) HasVerifyImages() bool {
return r.VerifyImages != nil && !reflect.DeepEqual(r.VerifyImages, ImageVerification{})
}
// HasValidate checks for validate rule
func (r *Rule) HasValidate() bool {
return !reflect.DeepEqual(r.Validation, Validation{})
}
// HasGenerate checks for generate rule
func (r *Rule) HasGenerate() bool {
return !reflect.DeepEqual(r.Generation, Generation{})
}
// MatchKinds returns a slice of all kinds to match
func (r *Rule) MatchKinds() []string {
matchKinds := r.MatchResources.ResourceDescription.Kinds
for _, value := range r.MatchResources.All {
matchKinds = append(matchKinds, value.ResourceDescription.Kinds...)
}
for _, value := range r.MatchResources.Any {
matchKinds = append(matchKinds, value.ResourceDescription.Kinds...)
}
return matchKinds
}
// ExcludeKinds returns a slice of all kinds to exclude
func (r *Rule) ExcludeKinds() []string {
excludeKinds := r.ExcludeResources.ResourceDescription.Kinds
for _, value := range r.ExcludeResources.All {
excludeKinds = append(excludeKinds, value.ResourceDescription.Kinds...)
}
for _, value := range r.ExcludeResources.Any {
excludeKinds = append(excludeKinds, value.ResourceDescription.Kinds...)
}
return excludeKinds
}
func (r *Rule) GetAnyAllConditions() apiextensions.JSON {
return FromJSON(r.RawAnyAllConditions)
}
func (r *Rule) SetAnyAllConditions(in apiextensions.JSON) {
r.RawAnyAllConditions = ToJSON(in)
}
// FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled.
// +kubebuilder:validation:Enum=Ignore;Fail
type FailurePolicyType string

152
api/kyverno/v1/rule_test.go Normal file
View file

@ -0,0 +1,152 @@
package v1
import (
"encoding/json"
"testing"
"gotest.tools/assert"
"k8s.io/apimachinery/pkg/util/validation/field"
)
func Test_Validate_RuleType_EmptyRule(t *testing.T) {
subject := Rule{
Name: "validate-user-privilege",
}
path := field.NewPath("dummy")
errs := subject.Validate(path)
assert.Equal(t, len(errs), 1)
assert.Equal(t, errs[0].Field, "dummy")
assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid)
assert.Equal(t, errs[0].Detail, "No operation defined in the rule 'validate-user-privilege'.(supported operations: mutate,validate,generate,verifyImages)")
}
func Test_Validate_RuleType_MultipleRule(t *testing.T) {
rawPolicy := []byte(`
{
"spec": {
"rules": [
{
"name": "validate-user-privilege",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"mutate": {
"patchStrategicMerge": {
"spec": {
"template": {
"spec": {
"containers": [
{
"(name)": "*",
"resources": {
"limits": {
"+(memory)": "300Mi",
"+(cpu)": "100"
}
}
}
]
}
}
}
}
},
"validate": {
"message": "validate container security contexts",
"anyPattern": [
{
"spec": {
"template": {
"spec": {
"containers": [
{
"securityContext": {
"runAsNonRoot": true
}
}
]
}
}
}
}
]
}
}
]
}
}`)
var policy *ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
for _, rule := range policy.Spec.GetRules() {
path := field.NewPath("dummy")
errs := rule.Validate(path)
assert.Assert(t, len(errs) != 0)
}
}
func Test_Validate_RuleType_SingleRule(t *testing.T) {
rawPolicy := []byte(`
{
"spec": {
"rules": [
{
"name": "validate-user-privilege",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"validate": {
"message": "validate container security contexts",
"anyPattern": [
{
"spec": {
"template": {
"spec": {
"containers": [
{
"securityContext": {
"runAsNonRoot": "true"
}
}
]
}
}
}
}
]
}
}
]
}
}
`)
var policy *ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
for _, rule := range policy.Spec.GetRules() {
path := field.NewPath("dummy")
errs := rule.Validate(path)
assert.Assert(t, len(errs) == 0)
}
}

137
api/kyverno/v1/rule_types.go Normal file
View file

@ -0,0 +1,137 @@
package v1
import (
"fmt"
"reflect"
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
"k8s.io/apimachinery/pkg/util/validation/field"
)
// Rule defines a validation, mutation, or generation control for matching resources.
// Each rules contains a match declaration to select resources, and an optional exclude
// declaration to specify which resources to exclude.
type Rule struct {
// Name is a label to identify the rule, It must be unique within the policy.
// +kubebuilder:validation:MaxLength=63
Name string `json:"name,omitempty" yaml:"name,omitempty"`
// Context defines variables and data sources that can be used during rule execution.
// +optional
Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
// MatchResources defines when this policy rule should be applied. The match
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the user name or role.
// At least one kind is required.
MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`
// ExcludeResources defines when this policy rule should not be applied. The exclude
// criteria can include resource information (e.g. kind, name, namespace, labels)
// and admission review request information like the name or role.
// +optional
ExcludeResources ExcludeResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`
// Preconditions are used to determine if a policy rule should be applied by evaluating a
// set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
// of conditions (without `any` or `all` statements is supported for backwards compatibility but
// will be deprecated in the next major release.
// See: https://kyverno.io/docs/writing-policies/preconditions/
// +optional
RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
// Mutation is used to modify matching resources.
// +optional
Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`
// Validation is used to validate matching resources.
// +optional
Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`
// Generation is used to create new resources.
// +optional
Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`
// VerifyImages is used to verify image signatures and mutate them to add a digest
// +optional
VerifyImages []*ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
}
// HasMutate checks for mutate rule
func (r *Rule) HasMutate() bool {
return !reflect.DeepEqual(r.Mutation, Mutation{})
}
// HasVerifyImages checks for verifyImages rule
func (r *Rule) HasVerifyImages() bool {
return r.VerifyImages != nil && !reflect.DeepEqual(r.VerifyImages, ImageVerification{})
}
// HasValidate checks for validate rule
func (r *Rule) HasValidate() bool {
return !reflect.DeepEqual(r.Validation, Validation{})
}
// HasGenerate checks for generate rule
func (r *Rule) HasGenerate() bool {
return !reflect.DeepEqual(r.Generation, Generation{})
}
// MatchKinds returns a slice of all kinds to match
func (r *Rule) MatchKinds() []string {
matchKinds := r.MatchResources.ResourceDescription.Kinds
for _, value := range r.MatchResources.All {
matchKinds = append(matchKinds, value.ResourceDescription.Kinds...)
}
for _, value := range r.MatchResources.Any {
matchKinds = append(matchKinds, value.ResourceDescription.Kinds...)
}
return matchKinds
}
// ExcludeKinds returns a slice of all kinds to exclude
func (r *Rule) ExcludeKinds() []string {
excludeKinds := r.ExcludeResources.ResourceDescription.Kinds
for _, value := range r.ExcludeResources.All {
excludeKinds = append(excludeKinds, value.ResourceDescription.Kinds...)
}
for _, value := range r.ExcludeResources.Any {
excludeKinds = append(excludeKinds, value.ResourceDescription.Kinds...)
}
return excludeKinds
}
func (r *Rule) GetAnyAllConditions() apiextensions.JSON {
return FromJSON(r.RawAnyAllConditions)
}
func (r *Rule) SetAnyAllConditions(in apiextensions.JSON) {
r.RawAnyAllConditions = ToJSON(in)
}
// ValidateRuleType checks only one type of rule is defined per rule
func (r *Rule) ValidateRuleType(path *field.Path) field.ErrorList {
var errs field.ErrorList
ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate(), r.HasVerifyImages()}
count := 0
for _, v := range ruleTypes {
if v {
count++
}
}
if count == 0 {
errs = append(errs, field.Invalid(path, r, fmt.Sprintf("No operation defined in the rule '%s'.(supported operations: mutate,validate,generate,verifyImages)", r.Name)))
} else if count != 1 {
errs = append(errs, field.Invalid(path, r, fmt.Sprintf("Multiple operations defined in the rule '%s', only one operation (mutate,validate,generate,verifyImages) is allowed per rule", r.Name)))
}
return errs
}
// Validate implements programmatic validation
func (r *Rule) Validate(path *field.Path) field.ErrorList {
var errs field.ErrorList
errs = append(errs, r.ValidateRuleType(path)...)
return errs
}

27
pkg/policy/validate.go
View file

@ -156,9 +156,8 @@ func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool,
// validate rule types
// only one type of rule is allowed per rule
if err := validateRuleType(rule); err != nil {
// as there are more than 1 operation in rule, not need to evaluate it further
return nil, fmt.Errorf("path: spec.rules[%d]: %v", i, err)
if errs := rule.ValidateRuleType(rulePath); len(errs) != 0 {
return nil, errs.ToAggregate()
}
err := validateElementInForEach(rule)
@ -1110,28 +1109,6 @@ func validateUniqueRuleName(p kyverno.ClusterPolicy) (string, error) {
return "", nil
}
// validateRuleType checks only one type of rule is defined per rule
func validateRuleType(r kyverno.Rule) error {
ruleTypes := []bool{r.HasMutate(), r.HasValidate(), r.HasGenerate(), r.HasVerifyImages()}
operationCount := func() int {
count := 0
for _, v := range ruleTypes {
if v {
count++
}
}
return count
}()
if operationCount == 0 {
return fmt.Errorf("no operation defined in the rule '%s'.(supported operations: mutate,validate,generate,verifyImages)", r.Name)
} else if operationCount != 1 {
return fmt.Errorf("multiple operations defined in the rule '%s', only one operation (mutate,validate,generate,verifyImages) is allowed per rule", r.Name)
}
return nil
}
func validateRuleContext(rule kyverno.Rule) error {
if rule.Context == nil || len(rule.Context) == 0 {
return nil

167
pkg/policy/validate_test.go
View file

@ -54,173 +54,6 @@ func Test_Validate_UniqueRuleName(t *testing.T) {
assert.Assert(t, err != nil)
}
func Test_Validate_RuleType_EmptyRule(t *testing.T) {
rawPolicy := []byte(`
{
"spec": {
"rules": [
{
"name": "validate-user-privilege",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"mutate": {},
"validate": {}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
for _, rule := range policy.Spec.GetRules() {
err := validateRuleType(rule)
assert.Assert(t, err != nil)
}
}
func Test_Validate_RuleType_MultipleRule(t *testing.T) {
rawPolicy := []byte(`
{
"spec": {
"rules": [
{
"name": "validate-user-privilege",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"mutate": {
"patchStrategicMerge": {
"spec": {
"template": {
"spec": {
"containers": [
{
"(name)": "*",
"resources": {
"limits": {
"+(memory)": "300Mi",
"+(cpu)": "100"
}
}
}
]
}
}
}
}
},
"validate": {
"message": "validate container security contexts",
"anyPattern": [
{
"spec": {
"template": {
"spec": {
"containers": [
{
"securityContext": {
"runAsNonRoot": true
}
}
]
}
}
}
}
]
}
}
]
}
}`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
for _, rule := range policy.Spec.GetRules() {
err := validateRuleType(rule)
assert.Assert(t, err != nil)
}
}
func Test_Validate_RuleType_SingleRule(t *testing.T) {
rawPolicy := []byte(`
{
"spec": {
"rules": [
{
"name": "validate-user-privilege",
"match": {
"resources": {
"kinds": [
"Deployment"
],
"selector": {
"matchLabels": {
"app.type": "prod"
}
}
}
},
"validate": {
"message": "validate container security contexts",
"anyPattern": [
{
"spec": {
"template": {
"spec": {
"containers": [
{
"securityContext": {
"runAsNonRoot": "true"
}
}
]
}
}
}
}
]
}
}
]
}
}
`)
var policy *kyverno.ClusterPolicy
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
for _, rule := range policy.Spec.GetRules() {
err := validateRuleType(rule)
assert.NilError(t, err)
}
}
func Test_Validate_ResourceDescription_Empty(t *testing.T) {
var err error
rawResourcedescirption := []byte(`{}`)