744 save commit

pkg/engine/context/context.go

@@ -111,7 +111,13 @@ func (ctx *Context) AddResource(dataRaw []byte) error {
 
 //AddUserInfo adds userInfo at path request.userInfo
 func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error {
-	objRaw, err := json.Marshal(userRequestInfo)
+	modifiedResource := struct {
+		Request interface{} `json:"request"`
+	}{
+		Request: userRequestInfo,
+	}
+
+	objRaw, err := json.Marshal(modifiedResource)
 	if err != nil {
 		ctx.log.Error(err, "failed to marshal the UserInfo")
 		return err

pkg/engine/validation.go

@@ -29,22 +29,43 @@ func Validate(policyContext PolicyContext) response.EngineResponse {
 	// policy information
 	logger.V(4).Info("start processing", "startTime", startTime)
 
-	var resp *response.EngineResponse
-	// handling delete requests
-	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
-		resp = validateResource(logger, ctx, policy, oldR, admissionInfo, true)
-	} else {
-		resp = validateResource(logger, ctx, policy, newR, admissionInfo, false)
+	if resp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !resp.IsSuccesful() {
+		return *resp
 	}
 
-	startResultResponse(resp, policy, newR)
-	defer endResultResponse(logger, resp, startTime)
-	// set PatchedResource with origin resource if empty
-	// in order to create policy violation
-	if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
-		resp.PatchedResource = newR
+	// Process new & old resource
+	if reflect.DeepEqual(oldR, unstructured.Unstructured{}) {
+		// Create Mode
+		// Operate on New Resource only
+		resp := validateResource(logger, ctx, policy, newR, admissionInfo)
+		startResultResponse(resp, policy, newR)
+		defer endResultResponse(logger, resp, startTime)
+		// set PatchedResource with origin resource if empty
+		// in order to create policy violation
+		if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
+			resp.PatchedResource = newR
+		}
+		return *resp
 	}
-	return *resp
+	// Update Mode
+	// Operate on New and Old Resource only
+	// New resource
+	oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo)
+	newResponse := validateResource(logger, ctx, policy, newR, admissionInfo)
+
+	// if the old and new response is same then return empty response
+	if !isSameResponse(oldResponse, newResponse) {
+		// there are changes send response
+		startResultResponse(newResponse, policy, newR)
+		defer endResultResponse(logger, newResponse, startTime)
+		if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) {
+			newResponse.PatchedResource = newR
+		}
+		return *newResponse
+	}
+	// if there are no changes with old and new response then sent empty response
+	// skip processing
+	return response.EngineResponse{}
 }
 
 func startResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPolicy, newR unstructured.Unstructured) {
@@ -68,7 +89,44 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 	resp.PolicyResponse.RulesAppliedCount++
 }
 
-func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, isDelete bool) *response.EngineResponse {
+func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
+	resp := &response.EngineResponse{}
+	for _, rule := range policy.Spec.Rules {
+		if !rule.HasValidate() {
+			continue
+		}
+
+		if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil {
+			log.V(4).Info("resource fails the match description")
+			continue
+		}
+
+		preconditionsCopy := copyConditions(rule.Conditions)
+
+		if !variables.EvaluateConditions(log, ctx, preconditionsCopy) {
+			log.V(4).Info("resource fails the preconditions")
+			continue
+		}
+
+		if rule.Validation.Deny != nil {
+			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
+			if rule.Validation.Deny.AllRequests || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
+				ruleResp := response.RuleResponse{
+					Name:    rule.Name,
+					Type:    utils.Validation.String(),
+					Message: rule.Validation.Message,
+					Success: false,
+				}
+				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
+			}
+			continue
+		}
+
+	}
+	return resp
+}
+
+func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 	for _, rule := range policy.Spec.Rules {
 		if !rule.HasValidate() {
@@ -92,26 +150,10 @@ func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno
 			continue
 		}
 
-		if rule.Validation.Deny != nil {
-			denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions)
-			if rule.Validation.Deny.AllRequests || variables.EvaluateConditions(log, ctx, denyConditionsCopy) {
-				ruleResp := response.RuleResponse{
-					Name:    rule.Name,
-					Type:    utils.Validation.String(),
-					Message: rule.Validation.Message,
-					Success: false,
-				}
-				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
-			}
-			continue
-		}
-
-		if !isDelete {
-			if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
-				ruleResponse := validatePatterns(log, ctx, resource, rule)
-				incrementAppliedCount(resp)
-				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
-			}
+		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
+			ruleResponse := validatePatterns(log, ctx, resource, rule)
+			incrementAppliedCount(resp)
+			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
 		}
 
 	}

pkg/webhooks/server.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"strings"
 	"time"
 
 	v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
@@ -173,16 +172,12 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 		// Do not process the admission requests for kinds that are in filterKinds for filtering
 		request := admissionReview.Request
 
-		if !isValidUsername(request.UserInfo.Username) {
-			admissionReview.Response = &v1beta1.AdmissionResponse{Allowed: true}
-		} else {
-			if filter {
-				if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
-					admissionReview.Response = handler(request)
-				}
-			} else {
+		if filter {
+			if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) {
 				admissionReview.Response = handler(request)
 			}
+		} else {
+			admissionReview.Response = handler(request)
 		}
 
 		admissionReview.Response.UID = request.UID
@@ -200,15 +195,6 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ
 	}
 }
 
-func isValidUsername(username string) bool {
-	if strings.HasPrefix(username, "system") {
-		if !strings.HasPrefix(username, "system:serviceaccount") {
-			return false
-		}
-	}
-	return true
-}
-
 func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()