diff --git a/kubeclient/kubeclient.go b/kubeclient/kubeclient.go
index d4cd0220d2..f32d6950b6 100644
--- a/kubeclient/kubeclient.go
+++ b/kubeclient/kubeclient.go
@@ -10,7 +10,6 @@ import (
 types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
 apps "k8s.io/api/apps/v1"
 v1 "k8s.io/api/core/v1"
- meta "k8s.io/apimachinery/pkg/apis/meta/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -43,7 +42,7 @@ func NewKubeClient(config *rest.Config, logger *log.Logger) (*KubeClient, error)
 }, nil
 }
-func (kc *KubeClient) GetEventsInterface(namespace string) event.EventInterface {
+func (kc *KubeClient) GetEvents(namespace string) event.EventInterface {
 return kc.client.CoreV1().Events(namespace)
 }
@@ -51,7 +50,7 @@ func (kc *KubeClient) GetKubePolicyDeployment() (*apps.Deployment, error) {
 kubePolicyDeployment, err := kc.client.
 AppsV1().
 Deployments(config.KubePolicyNamespace).
- Get(config.KubePolicyDeploymentName, meta.GetOptions{})
+ Get(config.KubePolicyDeploymentName, metav1.GetOptions{})
 if err != nil {
 return nil, err
diff --git a/main.go b/main.go
index e5f516fa89..d94ce37e74 100644
--- a/main.go
+++ b/main.go
@@ -5,15 +5,13 @@ import (
 "log"
 "github.com/nirmata/kube-policy/kubeclient"
- "github.com/nirmata/kube-policy/pkg/webhooks"
- "github.com/nirmata/kube-policy/policycontroller"
-
 policyclientset "github.com/nirmata/kube-policy/pkg/client/clientset/versioned"
 informers "github.com/nirmata/kube-policy/pkg/client/informers/externalversions"
- policyengine "github.com/nirmata/kube-policy/pkg/policyengine"
- policyviolation "github.com/nirmata/kube-policy/pkg/policyviolation"
-
+ controller "github.com/nirmata/kube-policy/pkg/controller"
+ engine "github.com/nirmata/kube-policy/pkg/engine"
 event "github.com/nirmata/kube-policy/pkg/event"
+ violation "github.com/nirmata/kube-policy/pkg/violation"
+ "github.com/nirmata/kube-policy/pkg/webhooks"
 "k8s.io/sample-controller/pkg/signals"
 )
@@ -44,10 +42,10 @@ func main() {
 policyInformer := policyInformerFactory.Kubepolicy().V1alpha1().Policies()
 eventController := event.NewEventController(kubeclient, policyInformer.Lister(), nil)
- violationBuilder := policyviolation.NewPolicyViolationBuilder(kubeclient, policyInformer.Lister(), policyClientset, eventController, nil)
- policyEngine := policyengine.NewPolicyEngine(kubeclient, nil)
+ violationBuilder := violation.NewPolicyViolationBuilder(kubeclient, policyInformer.Lister(), policyClientset, eventController, nil)
+ policyEngine := engine.NewPolicyEngine(kubeclient, nil)
- policyController := policycontroller.NewPolicyController(policyClientset,
+ policyController := controller.NewPolicyController(policyClientset,
 policyInformer,
 policyEngine,
 violationBuilder,
@@ -64,7 +62,7 @@ func main() {
 log.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
 }
- server, err := webhooks.NewWebhookServer(tlsPair, kubeclient, policyInformer.Lister(), nil)
+ server, err := webhooks.NewWebhookServer(tlsPair, kubeclient, policyInformer.Lister(), policyEngine, nil)
 if err != nil {
 log.Fatalf("Unable to create webhook server: %v\n", err)
 }
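Review bot: The single `policyEngine` created with `engine.NewPolicyEngine(kubeclient, nil)` is now handed to both `controller.NewPolicyController` and `webhooks.NewWebhookServer`, so controller workers and concurrent admission requests will call the same instance at the same time; the diff does not show whether `policyEngine` carries mutable state, so confirm it is safe for concurrent use or state that contract on the `PolicyEngine` interface. Before this change the webhook built its own engine with its `Webhook Server:` logger (the line removed in `pkg/webhooks/server.go`); with `nil` passed here, engine logging during admission depends on whatever default `NewPolicyEngine` applies, which is not visible in this diff. If log attribution matters for triage, pass an explicit logger instead of `nil`, e.g. `policyEngine := engine.NewPolicyEngine(kubeclient, log.New(os.Stdout, "Policy Engine: ", log.LstdFlags))` (`os` would need importing in main.go if it is not already). The enclosing `main` continues outside these hunks.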
diff --git a/policycontroller/policycontroller.go b/pkg/controller/controller.go
similarity index 94%
rename from policycontroller/policycontroller.go
rename to pkg/controller/controller.go
index 6e31087266..1588a11f3c 100644
--- a/policycontroller/policycontroller.go
+++ b/pkg/controller/controller.go
@@ -1,4 +1,4 @@
-package policycontroller
+package controller
 import (
 "fmt"
@@ -11,9 +11,9 @@ import (
 policyclientset "github.com/nirmata/kube-policy/pkg/client/clientset/versioned"
 infomertypes "github.com/nirmata/kube-policy/pkg/client/informers/externalversions/policy/v1alpha1"
 lister "github.com/nirmata/kube-policy/pkg/client/listers/policy/v1alpha1"
+ engine "github.com/nirmata/kube-policy/pkg/engine"
 event "github.com/nirmata/kube-policy/pkg/event"
- policyengine "github.com/nirmata/kube-policy/pkg/policyengine"
- policyviolation "github.com/nirmata/kube-policy/pkg/policyviolation"
+ violation "github.com/nirmata/kube-policy/pkg/violation"
 "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -28,8 +28,8 @@ type PolicyController struct {
 policyLister lister.PolicyLister
 policyInterface policyclientset.Interface
 policySynced cache.InformerSynced
- policyEngine policyengine.PolicyEngine
- violationBuilder policyviolation.Generator
+ policyEngine engine.PolicyEngine
+ violationBuilder violation.Generator
 eventBuilder event.Generator
 logger *log.Logger
 queue workqueue.RateLimitingInterface
@@ -38,8 +38,8 @@ type PolicyController struct {
 // NewPolicyController from cmd args
 func NewPolicyController(policyInterface policyclientset.Interface,
 policyInformer infomertypes.PolicyInformer,
- policyEngine policyengine.PolicyEngine,
- violationBuilder policyviolation.Generator,
+ policyEngine engine.PolicyEngine,
+ violationBuilder violation.Generator,
 eventController event.Generator,
 logger *log.Logger,
 kubeClient *kubeClient.KubeClient) *PolicyController {
diff --git a/policycontroller/policycontroller_test.go b/pkg/controller/controller_test.go
similarity index 99%
rename from policycontroller/policycontroller_test.go
rename to pkg/controller/controller_test.go
index b4f513bc87..2ea38a3b74 100644
--- a/policycontroller/policycontroller_test.go
+++ b/pkg/controller/controller_test.go
@@ -1,4 +1,4 @@
-package policycontroller
+package controller
 import (
 "testing"
diff --git a/policycontroller/processPolicy.go b/pkg/controller/processPolicy.go
similarity index 95%
rename from policycontroller/processPolicy.go
rename to pkg/controller/processPolicy.go
index ed93168b49..658d5e83b2 100644
--- a/policycontroller/processPolicy.go
+++ b/pkg/controller/processPolicy.go
@@ -1,4 +1,4 @@
-package policycontroller
+package controller
 import (
 "encoding/json"
@@ -6,7 +6,7 @@ import (
 types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
 event "github.com/nirmata/kube-policy/pkg/event"
- policyviolation "github.com/nirmata/kube-policy/pkg/policyviolation"
+ violation "github.com/nirmata/kube-policy/pkg/violation"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -41,7 +41,7 @@ func (pc *PolicyController) runForPolicy(key string) {
 // processPolicy process the policy to all the matched resources
 func (pc *PolicyController) processPolicy(policy types.Policy) (
- violations []policyviolation.Info, events []event.Info, err error) {
+ violations []violation.Info, events []event.Info, err error) {
 for _, rule := range policy.Spec.Rules {
 resources, err := pc.filterResourceByRule(rule)
diff --git a/policycontroller/utils.go b/pkg/controller/utils.go
similarity index 83%
rename from policycontroller/utils.go
rename to pkg/controller/utils.go
index 22f11696a1..b5eb6de4d6 100644
--- a/policycontroller/utils.go
+++ b/pkg/controller/utils.go
@@ -1,4 +1,4 @@
-package policycontroller
+package controller
 const policyWorkQueueName = "policyworkqueue"
diff --git a/pkg/policyengine/policyengine.go b/pkg/engine/engine.go
similarity index 85%
rename from pkg/policyengine/policyengine.go
rename to pkg/engine/engine.go
index 3957ddf224..cd8b41d400 100644
--- a/pkg/policyengine/policyengine.go
+++ b/pkg/engine/engine.go
@@ -1,4 +1,4 @@
-package policyengine
+package engine
 import (
 "fmt"
@@ -6,9 +6,9 @@ import (
 kubeClient "github.com/nirmata/kube-policy/kubeclient"
 types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
+ "github.com/nirmata/kube-policy/pkg/engine/mutation"
 event "github.com/nirmata/kube-policy/pkg/event"
- "github.com/nirmata/kube-policy/pkg/policyengine/mutation"
- policyviolation "github.com/nirmata/kube-policy/pkg/policyviolation"
+ violation "github.com/nirmata/kube-policy/pkg/violation"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -26,9 +26,10 @@ type PolicyEngine interface {
 // when there is an create / update of the policy
 // we should process the policy on matched resources, generate violations accordingly
 // TODO: This method should not be in PolicyEngine. Validate will do this work instead
- ProcessExisting(policy types.Policy, rawResource []byte) ([]policyviolation.Info, []event.Info, error)
+ ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error)
 // TODO: Add Generate method
+ // Generate()
 }
 type policyEngine struct {
@@ -44,8 +45,8 @@ func NewPolicyEngine(kubeClient *kubeClient.KubeClient, logger *log.Logger) Poli
 }
 }
-func (p *policyEngine) ProcessExisting(policy types.Policy, rawResource []byte) ([]policyviolation.Info, []event.Info, error) {
- var violations []policyviolation.Info
+func (p *policyEngine) ProcessExisting(policy types.Policy, rawResource []byte) ([]violation.Info, []event.Info, error) {
+ var violations []violation.Info
 var events []event.Info
 for _, rule := range policy.Spec.Rules {
@@ -75,9 +76,9 @@ func (p *policyEngine) ProcessExisting(policy types.Policy, rawResource []byte)
 }
 func (p *policyEngine) processRuleOnResource(policyName string, rule types.Rule, rawResource []byte) (
- policyviolation.Info, []event.Info, error) {
+ violation.Info, []event.Info, error) {
- var violationInfo policyviolation.Info
+ var violationInfo violation.Info
 var eventInfos []event.Info
 resourceKind := mutation.ParseKindFromObject(rawResource)
@@ -92,7 +93,7 @@ func (p *policyEngine) processRuleOnResource(policyName string, rule types.Rule,
 if rulePatchesProcessed != nil {
 log.Printf("Rule %s: prepared %d patches", rule.Name, len(rulePatchesProcessed))
- violationInfo = policyviolation.NewViolation(policyName, resourceKind, resourceNamespace+"/"+resourceName, rule.Name)
+ violationInfo = violation.NewViolation(policyName, resourceKind, resourceNamespace+"/"+resourceName, rule.Name)
 // add a violation to queue
 // add an event to policy
diff --git a/pkg/policyengine/generation.go b/pkg/engine/generation.go
similarity index 94%
rename from pkg/policyengine/generation.go
rename to pkg/engine/generation.go
index 86ce884419..dc8f7cb231 100644
--- a/pkg/policyengine/generation.go
+++ b/pkg/engine/generation.go
@@ -1,10 +1,10 @@
-package policyengine
+package engine
 import (
 "fmt"
 kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
- "github.com/nirmata/kube-policy/pkg/policyengine/mutation"
+ "github.com/nirmata/kube-policy/pkg/engine/mutation"
 )
 // TODO: To be reworked due to spec policy-v2
diff --git a/pkg/policyengine/mutation.go b/pkg/engine/mutation.go
similarity index 96%
rename from pkg/policyengine/mutation.go
rename to pkg/engine/mutation.go
index f9fd403a0a..d6aeac688b 100644
--- a/pkg/policyengine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -1,8 +1,8 @@
-package policyengine
+package engine
 import (
 kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
- "github.com/nirmata/kube-policy/pkg/policyengine/mutation"
+ "github.com/nirmata/kube-policy/pkg/engine/mutation"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
diff --git a/pkg/engine/mutation/checkRules.go b/pkg/engine/mutation/checkRules.go
new file mode 100644
index 0000000000..bcd73a0840
--- /dev/null
+++ b/pkg/engine/mutation/checkRules.go
@@ -0,0 +1,44 @@
+package mutation
+
+import (
+ "github.com/minio/minio/pkg/wildcard"
+ types "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// kind is the type of object being manipulated
+// Checks requests kind, name and labels to fit the policy
+func IsRuleApplicableToResource(resourceRaw []byte, description types.ResourceDescription) (bool, error) {
+ kind := ParseKindFromObject(resourceRaw)
+ if description.Kind != kind {
+ return false, nil
+ }
+
+ if resourceRaw != nil {
+ meta := ParseMetadataFromObject(resourceRaw)
+ name := ParseNameFromObject(resourceRaw)
+
+ if description.Name != nil {
+
+ if !wildcard.Match(*description.Name, name) {
+ return false, nil
+ }
+ }
+
+ if description.Selector != nil {
+ selector, err := metav1.LabelSelectorAsSelector(description.Selector)
+
+ if err != nil {
+ return false, err
+ }
+
+ labelMap := ParseLabelsFromMetadata(meta)
+
+ if !selector.Matches(labelMap) {
+ return false, nil
+ }
+
+ }
+ }
+ return true, nil
+}
diff --git a/pkg/policyengine/mutation/overlay.go b/pkg/engine/mutation/overlay.go
similarity index 100%
rename from pkg/policyengine/mutation/overlay.go
rename to pkg/engine/mutation/overlay.go
diff --git a/pkg/policyengine/mutation/patches.go b/pkg/engine/mutation/patches.go
similarity index 100%
rename from pkg/policyengine/mutation/patches.go
rename to pkg/engine/mutation/patches.go
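Review bot: `IsRuleApplicableToResource` in the new checkRules.go returns `true, nil` for a nil `resourceRaw` whenever the kind comparison happens to pass (what `ParseKindFromObject` yields for nil is not visible here), because the `if resourceRaw != nil` guard silently skips the name-wildcard and label-selector checks instead of rejecting the input; a rule scoped to particular names or labels would then be reported as applicable to a resource the function never inspected. The guard is also placed after `ParseKindFromObject(resourceRaw)` has already consumed the same value, so it does not protect that call either. Treat a nil resource as a caller error at the top of the function, `if resourceRaw == nil { return false, fmt.Errorf("cannot match rule against nil resource") }` (this needs `fmt` in the import block), and drop the inner guard so the match logic has one shape. The exported function also lacks a doc comment that starts with its name; the stale `// kind is the type of object being manipulated` line should become `// IsRuleApplicableToResource reports whether the resource's kind, name (wildcard) and labels all satisfy description.`.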
diff --git a/pkg/policyengine/mutation/patches_test.go b/pkg/engine/mutation/patches_test.go
similarity index 100%
rename from pkg/policyengine/mutation/patches_test.go
rename to pkg/engine/mutation/patches_test.go
diff --git a/pkg/policyengine/mutation/utils.go b/pkg/engine/mutation/utils.go
similarity index 100%
rename from pkg/policyengine/mutation/utils.go
rename to pkg/engine/mutation/utils.go
diff --git a/pkg/policyengine/mutation/utils_test.go b/pkg/engine/mutation/utils_test.go
similarity index 100%
rename from pkg/policyengine/mutation/utils_test.go
rename to pkg/engine/mutation/utils_test.go
diff --git a/pkg/policyengine/validation.go b/pkg/engine/validation.go
similarity index 97%
rename from pkg/policyengine/validation.go
rename to pkg/engine/validation.go
index 8418a12d27..726d830944 100644
--- a/pkg/policyengine/validation.go
+++ b/pkg/engine/validation.go
@@ -1,11 +1,11 @@
-package policyengine
+package engine
 import (
 "encoding/json"
 "fmt"
 kubepolicy "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
- "github.com/nirmata/kube-policy/pkg/policyengine/mutation"
+ "github.com/nirmata/kube-policy/pkg/engine/mutation"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
diff --git a/pkg/event/eventmsgbuilder_test.go b/pkg/event/builder_test.go
similarity index 100%
rename from pkg/event/eventmsgbuilder_test.go
rename to pkg/event/builder_test.go
diff --git a/pkg/event/eventcontroller.go b/pkg/event/controller.go
similarity index 98%
rename from pkg/event/eventcontroller.go
rename to pkg/event/controller.go
index 1c15569f54..e0507af49f 100644
--- a/pkg/event/eventcontroller.go
+++ b/pkg/event/controller.go
@@ -66,7 +66,7 @@ func initRecorder(kubeClient *kubeClient.KubeClient) record.EventRecorder {
 eventBroadcaster.StartLogging(log.Printf)
 eventBroadcaster.StartRecordingToSink(
 &typedcorev1.EventSinkImpl{
- Interface: kubeClient.GetEventsInterface("")})
+ Interface: kubeClient.GetEvents("")})
 recorder := eventBroadcaster.NewRecorder(
 scheme.Scheme, v1.EventSource{Component: eventSource})
diff --git a/pkg/event/eventmsgbuilder.go b/pkg/event/msgbuilder.go
similarity index 96%
rename from pkg/event/eventmsgbuilder.go
rename to pkg/event/msgbuilder.go
index 1e06c3c5a4..b38d9327ac 100644
--- a/pkg/event/eventmsgbuilder.go
+++ b/pkg/event/msgbuilder.go
@@ -19,11 +19,12 @@ func (k MsgKey) String() string {
 const argRegex = "%[s,d,v]"
+var re = regexp.MustCompile(argRegex)
+
 //GetEventMsg return the application message based on the message id and the arguments,
 // if the number of arguments passed to the message are incorrect generate an error
 func getEventMsg(key MsgKey, args ...interface{}) (string, error) {
 // Verify the number of arguments
- re := regexp.MustCompile(argRegex)
 argsCount := len(re.FindAllString(key.String(), -1))
 if argsCount != len(args) {
 return "", fmt.Errorf("message expects %d arguments, but %d arguments passed", argsCount, len(args))
diff --git a/pkg/policyviolation/builder.go b/pkg/violation/builder.go
similarity index 99%
rename from pkg/policyviolation/builder.go
rename to pkg/violation/builder.go
index 69e0b1e56f..ab66e2fc09 100644
--- a/pkg/policyviolation/builder.go
+++ b/pkg/violation/builder.go
@@ -1,4 +1,4 @@
-package policyviolation
+package violation
 import (
 "fmt"
diff --git a/pkg/policyviolation/util.go b/pkg/violation/util.go
similarity index 94%
rename from pkg/policyviolation/util.go
rename to pkg/violation/util.go
index 7fa1ebd333..e8eb73baff 100644
--- a/pkg/policyviolation/util.go
+++ b/pkg/violation/util.go
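Review bot: The pattern now compiled once by `var re = regexp.MustCompile(argRegex)` in msgbuilder.go counts more than the intended verbs: in `"%[s,d,v]"` the comma sits inside the character class, so a literal `%,` in a message template is counted as an argument, while `%%` escapes and flagged forms such as `%-10s` are not recognised at all; the constant is context here and the commit leaves it as is. If only `%s`, `%d` and `%v` are meant, `const argRegex = "%[sdv]"` is the fix, and a table-driven test of `getEventMsg` with a template containing `%,` would pin it. Hoisting the compile to package scope is the right move, since the `MustCompile` panic now fires at init rather than on the first event. The body of `getEventMsg` continues past the end of this hunk.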
@@ -1,4 +1,4 @@
-package policyviolation
+package violation
 import policytype "github.com/nirmata/kube-policy/pkg/apis/policy/v1alpha1"
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 8f23ce8370..528af3f817 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -15,8 +15,8 @@ import (
 "github.com/nirmata/kube-policy/config"
 "github.com/nirmata/kube-policy/kubeclient"
 policylister "github.com/nirmata/kube-policy/pkg/client/listers/policy/v1alpha1"
- "github.com/nirmata/kube-policy/pkg/policyengine"
- "github.com/nirmata/kube-policy/pkg/policyengine/mutation"
+ engine "github.com/nirmata/kube-policy/pkg/engine"
+ "github.com/nirmata/kube-policy/pkg/engine/mutation"
 tlsutils "github.com/nirmata/kube-policy/pkg/tls"
 v1beta1 "k8s.io/api/admission/v1beta1"
 "k8s.io/apimachinery/pkg/labels"
@@ -27,7 +27,7 @@ import (
 // MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient.
 type WebhookServer struct {
 server http.Server
- policyEngine policyengine.PolicyEngine
+ policyEngine engine.PolicyEngine
 policyLister policylister.PolicyLister
 logger *log.Logger
 }
@@ -38,6 +38,7 @@ func NewWebhookServer(
 tlsPair *tlsutils.TlsPemPair,
 kubeClient *kubeclient.KubeClient,
 policyLister policylister.PolicyLister,
+ policyEngine engine.PolicyEngine,
 logger *log.Logger) (*WebhookServer, error) {
 if logger == nil {
 logger = log.New(os.Stdout, "Webhook Server: ", log.LstdFlags)
@@ -53,7 +54,6 @@ func NewWebhookServer(
 return nil, err
 }
 tlsConfig.Certificates = []tls.Certificate{pair}
- policyEngine := policyengine.NewPolicyEngine(kubeClient, logger)
 ws := &WebhookServer{
 policyEngine: policyEngine,
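Review bot: `NewWebhookServer` now takes `policyEngine` from the caller but, unlike `logger`, does not validate it: a nil engine is stored into `WebhookServer` unchanged and will only surface as a method call on a nil interface when the first admission request arrives, which is after the webhook has been registered with the API server and is already on the admission path. Since the constructor already returns an error, reject it up front next to the logger default: `if policyEngine == nil { return nil, fmt.Errorf("webhook server requires a policy engine") }` (use `errors.New` if `fmt` is not among the imports above the shown hunk). The body of `NewWebhookServer` continues beyond this hunk, and the later hunk that drops the in-constructor `NewPolicyEngine` call runs past the end of this page.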