diff --git a/pkg/dclient/discovery.go b/pkg/dclient/discovery.go index 8a898dd83e..d7f96c0c64 100644 --- a/pkg/dclient/discovery.go +++ b/pkg/dclient/discovery.go @@ -5,6 +5,8 @@ import ( "strings" "time" + kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" + openapiv2 "github.com/googleapis/gnostic/openapiv2" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -126,23 +128,22 @@ func (c serverPreferredResources) findResource(apiVersion string, kind string) ( } } + k, subresource := kubeutils.SplitSubresource(kind) + if subresource != "" { + kind = k + } + for _, serverResource := range serverResources { if apiVersion != "" && serverResource.GroupVersion != apiVersion { continue } for _, resource := range serverResource.APIResources { - if strings.Contains(resource.Name, "/") { - // skip the sub-resources like deployment/status - continue - } - - // match kind or names (e.g. Namespace, namespaces, namespace) - // to allow matching API paths (e.g. /api/v1/namespaces). - if resource.Kind == kind || resource.Name == kind || resource.SingularName == kind { + if resourceMatches(resource, kind, subresource) { + logger.V(4).Info("matched API resource to kind", "apiResource", resource, "kind", kind) gv, err := schema.ParseGroupVersion(serverResource.GroupVersion) if err != nil { - logger.Error(err, "failed to parse groupVersion", "groupVersion", serverResource.GroupVersion) + logger.Error(err, "failed to parse GV", "groupVersion", serverResource.GroupVersion) return nil, schema.GroupVersionResource{}, err } @@ -153,3 +154,14 @@ func (c serverPreferredResources) findResource(apiVersion string, kind string) ( return nil, schema.GroupVersionResource{}, fmt.Errorf("kind '%s' not found in apiVersion '%s'", kind, apiVersion) } + +// resourceMatches checks the resource Kind, Name, SingularName and a subresource if specified +// e.g. &apiResource{Name: "taskruns/status", Kind: "TaskRun"} will match "kind=TaskRun, subresource=Status" +func resourceMatches(resource metav1.APIResource, kind, subresource string) bool { + if resource.Kind == kind || resource.Name == kind || resource.SingularName == kind { + _, s := kubeutils.SplitSubresource(resource.Name) + return strings.EqualFold(s, subresource) + } + + return false +} diff --git a/pkg/dclient/discovery_test.go b/pkg/dclient/discovery_test.go new file mode 100644 index 0000000000..3fd6f8478d --- /dev/null +++ b/pkg/dclient/discovery_test.go @@ -0,0 +1,22 @@ +package client + +import ( + "testing" + + "gotest.tools/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func Test_resourceMatches(t *testing.T) { + ar := metav1.APIResource{Name: "taskruns/status", Kind: "TaskRun"} + assert.Equal(t, resourceMatches(ar, "TaskRun", "Status"), true) + + ar = metav1.APIResource{Name: "taskruns/status", Kind: "TaskRun"} + assert.Equal(t, resourceMatches(ar, "TaskRun", ""), false) + + ar = metav1.APIResource{Name: "taskruns", Kind: "TaskRun"} + assert.Equal(t, resourceMatches(ar, "TaskRun", ""), true) + + ar = metav1.APIResource{Name: "tasks/status", Kind: "Task"} + assert.Equal(t, resourceMatches(ar, "TaskRun", "Status"), false) +} diff --git a/pkg/engine/jsonContext.go b/pkg/engine/jsonContext.go index 7125e8f5c1..cdc2e95f04 100644 --- a/pkg/engine/jsonContext.go +++ b/pkg/engine/jsonContext.go @@ -273,7 +273,7 @@ func loadAPIData(logger logr.Logger, entry kyverno.ContextEntry, ctx *PolicyCont return fmt.Errorf("failed to add JMESPath (%s) results to context, error: %v", entry.APICall.JMESPath, err) } - logger.Info("added APICall context entry", "data", contextData) + logger.V(4).Info("added APICall context entry", "len", len(contextData)) return nil } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index cad25cee56..a496c90a57 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -6,6 +6,8 @@ import ( "strings" "time" + "k8s.io/apimachinery/pkg/runtime/schema" + "github.com/go-logr/logr" wildcard "github.com/kyverno/go-wildcard" kyverno "github.com/kyverno/kyverno/api/kyverno/v1" @@ -34,19 +36,25 @@ type EngineStats struct { RulesAppliedCount int } -func checkKind(kinds []string, resource unstructured.Unstructured) bool { - for _, kind := range kinds { - SplitGVK := strings.Split(kind, "/") - if len(SplitGVK) == 1 { - if resource.GetKind() == strings.Title(kind) || kind == "*" { +func checkKind(kinds []string, resourceKind string, gvk schema.GroupVersionKind) bool { + for _, k := range kinds { + parts := strings.Split(k, "/") + if len(parts) == 1 { + if k == "*" || resourceKind == strings.Title(k) { return true } - } else if len(SplitGVK) == 2 { - if resource.GroupVersionKind().Kind == strings.Title(SplitGVK[1]) && resource.GroupVersionKind().Version == SplitGVK[0] { + } + + if len(parts) == 2 { + kindParts := strings.SplitN(parts[1], ".", 2) + if gvk.Kind == strings.Title(kindParts[0]) && gvk.Version == parts[0] { return true } - } else { - if resource.GroupVersionKind().Group == SplitGVK[0] && resource.GroupVersionKind().Kind == strings.Title(SplitGVK[2]) && (resource.GroupVersionKind().Version == SplitGVK[1] || SplitGVK[1] == "*") { + } + + if len(parts) == 3 || len(parts) == 4 { + kindParts := strings.SplitN(parts[2], ".", 2) + if gvk.Group == parts[0] && (gvk.Version == parts[1] || parts[1] == "*") && gvk.Kind == strings.Title(kindParts[0]) { return true } } @@ -130,7 +138,7 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, var errs []error if len(conditionBlock.Kinds) > 0 { - if !checkKind(conditionBlock.Kinds, resource) { + if !checkKind(conditionBlock.Kinds, resource.GetKind(), resource.GroupVersionKind()) { errs = append(errs, fmt.Errorf("kind does not match %v", conditionBlock.Kinds)) } } @@ -272,6 +280,7 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k if policyNamespace != "" && policyNamespace != resourceRef.GetNamespace() { return errors.New(" The policy and resource namespace are different. Therefore, policy skip this resource.") } + if len(rule.MatchResources.Any) > 0 { // include object if ANY of the criteria match // so if one matches then break from loop diff --git a/pkg/engine/utils_test.go b/pkg/engine/utils_test.go index 081b235e12..8e8326489b 100644 --- a/pkg/engine/utils_test.go +++ b/pkg/engine/utils_test.go @@ -4,6 +4,8 @@ import ( "encoding/json" "testing" + "k8s.io/apimachinery/pkg/runtime/schema" + v1 "github.com/kyverno/kyverno/api/kyverno/v1" v1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1" "github.com/kyverno/kyverno/pkg/autogen" @@ -1453,3 +1455,23 @@ func TestManagedPodResource(t *testing.T) { assert.Equal(t, res, tc.expectedResult, "test %d/%s failed, expect %v, got %v", i+1, tc.name, tc.expectedResult, res) } } + +func Test_checkKind(t *testing.T) { + match := checkKind([]string{"*"}, "Deployment", schema.GroupVersionKind{Kind: "Deployment", Group: "", Version: "v1"}) + assert.Equal(t, match, true) + + match = checkKind([]string{"Pod"}, "Pod", schema.GroupVersionKind{Kind: "Pod", Group: "", Version: "v1"}) + assert.Equal(t, match, true) + + match = checkKind([]string{"v1/Pod"}, "Pod", schema.GroupVersionKind{Kind: "Pod", Group: "", Version: "v1"}) + assert.Equal(t, match, true) + + match = checkKind([]string{"tekton.dev/v1beta1/TaskRun"}, "TaskRun", schema.GroupVersionKind{Kind: "TaskRun", Group: "tekton.dev", Version: "v1beta1"}) + assert.Equal(t, match, true) + + match = checkKind([]string{"tekton.dev/v1beta1/TaskRun/status"}, "TaskRun", schema.GroupVersionKind{Kind: "TaskRun", Group: "tekton.dev", Version: "v1beta1"}) + assert.Equal(t, match, true) + + match = checkKind([]string{"v1/pod.status"}, "Pod", schema.GroupVersionKind{Kind: "Pod", Group: "", Version: "v1"}) + assert.Equal(t, match, true) +} diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go index a2f302f016..aab3dd72bd 100644 --- a/pkg/openapi/validation.go +++ b/pkg/openapi/validation.go @@ -14,7 +14,6 @@ import ( "github.com/kyverno/kyverno/pkg/autogen" "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/utils" - kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" cmap "github.com/orcaman/concurrent-map" "github.com/pkg/errors" "gopkg.in/yaml.v3" @@ -141,7 +140,7 @@ func (o *Controller) ValidatePolicyMutation(policy v1.PolicyInterface) error { for _, rule := range autogen.ComputeRules(policy) { if rule.HasMutate() { for _, kind := range rule.MatchResources.Kinds { - kindToRules[kind] = append(kindToRules[kubeutils.GetFormatedKind(kind)], rule) + kindToRules[kind] = append(kindToRules[kind], rule) } } } diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index 4222be7b66..23368dccf0 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -1040,7 +1040,7 @@ func validateKinds(kinds []string, mock bool, client dclient.Interface, p kyvern if !mock && !kubeutils.SkipSubResources(k) && !strings.Contains(kind, "*") { _, _, err := client.Discovery().FindResource(gv, k) if err != nil { - return fmt.Errorf("unable to convert GVK to GVR, %s, err: %s", kinds, err) + return fmt.Errorf("unable to convert GVK to GVR for kinds %s, err: %s", kinds, err) } } } diff --git a/pkg/policycache/policy_map.go b/pkg/policycache/policy_map.go index ae136bf43c..982975f98e 100644 --- a/pkg/policycache/policy_map.go +++ b/pkg/policycache/policy_map.go @@ -1,7 +1,6 @@ package policycache import ( - "strings" "sync" kyverno "github.com/kyverno/kyverno/api/kyverno/v1" @@ -116,7 +115,7 @@ func (m *pMap) update(old kyverno.PolicyInterface, new kyverno.PolicyInterface) func addCacheHelper(rmr kyverno.ResourceFilter, m *pMap, rule kyverno.Rule, pName string, enforcePolicy bool) { for _, gvk := range rmr.Kinds { _, k := kubeutils.GetKindFromGVK(gvk) - kind := strings.Title(k) + kind, _ := kubeutils.SplitSubresource(k) _, ok := m.kindDataMap[kind] if !ok { m.kindDataMap[kind] = make(map[PolicyType][]string) diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go index 4e3634d9b3..9c85528e43 100644 --- a/pkg/policymutation/policymutation.go +++ b/pkg/policymutation/policymutation.go @@ -10,7 +10,6 @@ import ( "github.com/kyverno/kyverno/pkg/autogen" "github.com/kyverno/kyverno/pkg/toggle" jsonutils "github.com/kyverno/kyverno/pkg/utils/json" - kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" ) // GenerateJSONPatchesForDefaults generates default JSON patches for @@ -48,93 +47,10 @@ func GenerateJSONPatchesForDefaults(policy kyverno.PolicyInterface, log logr.Log } patches = append(patches, patch...) } - formatedGVK, errs := checkForGVKFormatPatch(policy, log) - if len(errs) > 0 { - var errMsgs []string - for _, err := range errs { - errMsgs = append(errMsgs, err.Error()) - log.Error(err, "failed to format the kind") - } - updateMsgs = append(updateMsgs, strings.Join(errMsgs, ";")) - } - patches = append(patches, formatedGVK...) + return jsonutils.JoinPatches(patches...), updateMsgs } -func checkForGVKFormatPatch(policy kyverno.PolicyInterface, log logr.Logger) (patches [][]byte, errs []error) { - patches = make([][]byte, 0) - for i, rule := range autogen.ComputeRules(policy) { - patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/resources/kinds", strconv.Itoa(i)), rule.MatchResources.Kinds, log) - if err == nil && patchByte != nil { - patches = append(patches, patchByte) - } else if err != nil { - errs = append(errs, fmt.Errorf("failed to GVK for rule '%s/%s/%d/match': %v", policy.GetName(), rule.Name, i, err)) - } - - for j, matchAll := range rule.MatchResources.All { - patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/all/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(j)), matchAll.ResourceDescription.Kinds, log) - if err == nil && patchByte != nil { - patches = append(patches, patchByte) - } else if err != nil { - errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/match/all/%d': %v", policy.GetName(), rule.Name, i, j, err)) - } - } - - for k, matchAny := range rule.MatchResources.Any { - patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/match/any/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(k)), matchAny.ResourceDescription.Kinds, log) - if err == nil && patchByte != nil { - patches = append(patches, patchByte) - } else if err != nil { - errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/match/any/%d': %v", policy.GetName(), rule.Name, i, k, err)) - } - } - - patchByte, err = convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/exclude/resources/kinds", strconv.Itoa(i)), rule.ExcludeResources.Kinds, log) - if err == nil && patchByte != nil { - patches = append(patches, patchByte) - } else if err != nil { - errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/exclude': %v", policy.GetName(), rule.Name, i, err)) - } - - for j, excludeAll := range rule.ExcludeResources.All { - patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/exclude/all/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(j)), excludeAll.ResourceDescription.Kinds, log) - if err == nil && patchByte != nil { - patches = append(patches, patchByte) - } else if err != nil { - errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/exclude/all/%d': %v", policy.GetName(), rule.Name, i, j, err)) - } - } - - for k, excludeAny := range rule.ExcludeResources.Any { - patchByte, err := convertGVKForKinds(fmt.Sprintf("/spec/rules/%s/exclude/any/%s/resources/kinds", strconv.Itoa(i), strconv.Itoa(k)), excludeAny.ResourceDescription.Kinds, log) - if err == nil && patchByte != nil { - patches = append(patches, patchByte) - } else if err != nil { - errs = append(errs, fmt.Errorf("failed to convert GVK for rule '%s/%s/%d/exclude/any/%d': %v", policy.GetName(), rule.Name, i, k, err)) - } - } - } - - return patches, errs -} - -func convertGVKForKinds(path string, kinds []string, log logr.Logger) ([]byte, error) { - kindList := []string{} - for _, k := range kinds { - gvk := kubeutils.GetFormatedKind(k) - if gvk == k { - continue - } - kindList = append(kindList, gvk) - } - if len(kindList) == 0 { - return nil, nil - } - p, err := jsonutils.MarshalPatch(path, "replace", kindList) - log.V(4).WithName("convertGVKForKinds").Info("generated patch", "patch", string(p)) - return p, err -} - func defaultBackgroundFlag(spec *kyverno.Spec, log logr.Logger) ([]byte, string) { // set 'Background' flag to 'true' if not specified if spec.Background == nil { diff --git a/pkg/policymutation/policymutation_test.go b/pkg/policymutation/policymutation_test.go deleted file mode 100644 index a0da43fa61..0000000000 --- a/pkg/policymutation/policymutation_test.go +++ /dev/null @@ -1,103 +0,0 @@ -package policymutation - -import ( - "encoding/json" - "fmt" - "os" - "path/filepath" - "testing" - - kyverno "github.com/kyverno/kyverno/api/kyverno/v1" - "gotest.tools/assert" - "sigs.k8s.io/controller-runtime/pkg/log" -) - -func currentDir() (string, error) { - homedir, err := os.UserHomeDir() - if err != nil { - return "", nil - } - - return filepath.Join(homedir, "github.com/kyverno/kyverno"), nil -} - -func Test_checkForGVKFormatPatch(t *testing.T) { - testCases := []struct { - name string - policy []byte - expectedPatches []byte - }{ - { - name: "match-kinds-empty", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-kinds-empty"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["ConfigMap","batch.volcano.sh/v1alpha1/Job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: nil, - }, - { - name: "match-kinds", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-kinds"},"spec":{"rules":[{"name":"test","match":{"resources":{"kinds":["configmap","batch.volcano.sh/v1alpha1/job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: []byte(`{"path":"/spec/rules/0/match/resources/kinds","op":"replace","value":["Configmap","batch.volcano.sh/v1alpha1/Job"]}`), - }, - { - name: "exclude-kinds-empty", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"resources":{"kinds":["ConfigMap","batch.volcano.sh/v1alpha1/Job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: nil, - }, - { - name: "exclude-kinds", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-kinds"},"spec":{"rules":[{"name":"test","exclude":{"resources":{"kinds":["configmap","batch.volcano.sh/v1alpha1/job"]}},"validate":{"message":"Metadatalabel'name'isrequired.","pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: []byte(`{"path":"/spec/rules/0/exclude/resources/kinds","op":"replace","value":["Configmap","batch.volcano.sh/v1alpha1/Job"]}`), - }, - { - name: "match-any-kinds-empty", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-any-kinds-empty"},"spec":{"rules":[{"name":"test","match":{"any":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: nil, - }, - { - name: "match-any-kinds", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-any-kinds"},"spec":{"rules":[{"name":"test","match":{"any":[{"resources":{"kinds":["deployment","pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: []byte(`{"path":"/spec/rules/0/match/any/0/resources/kinds","op":"replace","value":["Deployment","Pod"]}`), - }, - { - name: "match-all-kinds-empty", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-all-kinds-empty"},"spec":{"rules":[{"name":"test","match":{"all":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: nil, - }, - { - name: "match-all-kinds", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"match-all-kinds"},"spec":{"rules":[{"name":"test","match":{"all":[{"resources":{"kinds":["deployment","pod","DaemonSet"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: []byte(`{"path":"/spec/rules/0/match/all/0/resources/kinds","op":"replace","value":["Deployment","Pod"]}`), - }, - { - name: "exclude-any-kinds-empty", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-any-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"any":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}},{"resources":{"kinds":["ConfigMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: nil, - }, - { - name: "exclude-any-kinds", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-any-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"any":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}},{"resources":{"kinds":["configMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: []byte(`{"path":"/spec/rules/0/exclude/any/1/resources/kinds","op":"replace","value":["ConfigMap"]}`), - }, - { - name: "exclude-all-kinds-empty", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-all-kinds-empty"},"spec":{"rules":[{"name":"test","exclude":{"all":[{"resources":{"kinds":["Deployment","Pod","DaemonSet"]}},{"resources":{"kinds":["ConfigMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: nil, - }, - { - name: "exclude-all-kinds", - policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"exclude-all-kinds"},"spec":{"rules":[{"name":"test","exclude":{"all":[{"resources":{"kinds":["Deployment","pod","DaemonSet"]}},{"resources":{"kinds":["ConfigMap"]}}]},"validate":{"pattern":{"metadata":{"labels":{"name":"?*"}}}}}]}}`), - expectedPatches: []byte(`{"path":"/spec/rules/0/exclude/all/0/resources/kinds","op":"replace","value":["Pod"]}`), - }, - } - - for _, test := range testCases { - var policy kyverno.ClusterPolicy - err := json.Unmarshal(test.policy, &policy) - assert.NilError(t, err, fmt.Sprintf("failed to convert policy test %s: %v", test.name, err)) - - patches, errs := checkForGVKFormatPatch(&policy, log.Log) - assert.Assert(t, len(errs) == 0) - for _, p := range patches { - assert.Equal(t, string(p), string(test.expectedPatches), fmt.Sprintf("test %s failed", test.name)) - } - } -} diff --git a/pkg/utils/kube/kind.go b/pkg/utils/kube/kind.go index ac8e9c7eeb..b2ed5fbf0d 100644 --- a/pkg/utils/kube/kind.go +++ b/pkg/utils/kube/kind.go @@ -4,17 +4,39 @@ import "strings" // GetKindFromGVK - get kind and APIVersion from GVK func GetKindFromGVK(str string) (apiVersion string, kind string) { - if strings.Count(str, "/") == 0 { - return "", str + parts := strings.Split(str, "/") + count := len(parts) + if count == 2 { + return parts[0], formatSubresource(parts[1]) } - splitString := strings.Split(str, "/") - if strings.Count(str, "/") == 1 { - return splitString[0], splitString[1] + + if count == 3 { + if parts[1] == "*" { + return "", formatSubresource(parts[2]) + } + + return parts[0] + "/" + parts[1], formatSubresource(parts[2]) } - if splitString[1] == "*" { - return "", splitString[2] + + if count == 4 { + return parts[0] + "/" + parts[1], parts[2] + "/" + parts[3] } - return splitString[0] + "/" + splitString[1], splitString[2] + + return "", formatSubresource(str) +} + +func formatSubresource(s string) string { + return strings.Replace(s, ".", "/", 1) +} + +func SplitSubresource(s string) (kind string, subresource string) { + normalized := strings.Replace(s, ".", "/", 1) + parts := strings.Split(normalized, "/") + if len(parts) == 2 { + return parts[0], parts[1] + } + + return s, "" } func ContainsKind(list []string, kind string) bool { @@ -26,19 +48,8 @@ func ContainsKind(list []string, kind string) bool { return false } -// SkipSubResources check to skip list of resources which don't have group. +// SkipSubResources skip list of resources which don't have an API group. func SkipSubResources(kind string) bool { s := []string{"PodExecOptions", "PodAttachOptions", "PodProxyOptions", "ServiceProxyOptions", "NodeProxyOptions"} return ContainsKind(s, kind) } - -func GetFormatedKind(str string) (kind string) { - if strings.Count(str, "/") == 0 { - return strings.Title(str) - } - splitString := strings.Split(str, "/") - if strings.Count(str, "/") == 1 { - return splitString[0] + "/" + strings.Title(splitString[1]) - } - return splitString[0] + "/" + splitString[1] + "/" + strings.Title(splitString[2]) -} diff --git a/pkg/utils/kube/kind_test.go b/pkg/utils/kube/kind_test.go new file mode 100644 index 0000000000..c0aa0b9da6 --- /dev/null +++ b/pkg/utils/kube/kind_test.go @@ -0,0 +1,65 @@ +package kube + +import ( + "testing" + + "gotest.tools/assert" +) + +func Test_GetKindFromGVK(t *testing.T) { + var apiVersion, kind string + apiVersion, kind = GetKindFromGVK("*") + assert.Equal(t, "", apiVersion) + assert.Equal(t, "*", kind) + + apiVersion, kind = GetKindFromGVK("Pod") + assert.Equal(t, "", apiVersion) + assert.Equal(t, "Pod", kind) + + apiVersion, kind = GetKindFromGVK("v1/Pod") + assert.Equal(t, "v1", apiVersion) + assert.Equal(t, "Pod", kind) + + apiVersion, kind = GetKindFromGVK("batch/*/CronJob") + assert.Equal(t, "", apiVersion) + assert.Equal(t, "CronJob", kind) + + apiVersion, kind = GetKindFromGVK("storage.k8s.io/v1/CSIDriver") + assert.Equal(t, "storage.k8s.io/v1", apiVersion) + assert.Equal(t, "CSIDriver", kind) + + apiVersion, kind = GetKindFromGVK("tekton.dev/v1beta1/TaskRun/Status") + assert.Equal(t, "tekton.dev/v1beta1", apiVersion) + assert.Equal(t, "TaskRun/Status", kind) + + apiVersion, kind = GetKindFromGVK("v1/Pod.Status") + assert.Equal(t, "v1", apiVersion) + assert.Equal(t, "Pod/Status", kind) + + apiVersion, kind = GetKindFromGVK("Pod.Status") + assert.Equal(t, "", apiVersion) + assert.Equal(t, "Pod/Status", kind) +} + +func Test_SplitSubresource(t *testing.T) { + var kind, subresource string + kind, subresource = SplitSubresource("TaskRun/Status") + assert.Equal(t, kind, "TaskRun") + assert.Equal(t, subresource, "Status") + + kind, subresource = SplitSubresource("TaskRun/status") + assert.Equal(t, kind, "TaskRun") + assert.Equal(t, subresource, "status") + + kind, subresource = SplitSubresource("Pod.Status") + assert.Equal(t, kind, "Pod") + assert.Equal(t, subresource, "Status") + + kind, subresource = SplitSubresource("v1/Pod/Status") + assert.Equal(t, kind, "v1/Pod/Status") + assert.Equal(t, subresource, "") + + kind, subresource = SplitSubresource("v1/Pod.Status") + assert.Equal(t, kind, "v1/Pod.Status") + assert.Equal(t, subresource, "") +} diff --git a/pkg/webhookconfig/configmanager.go b/pkg/webhookconfig/configmanager.go index 5da68f4484..ae4db60320 100644 --- a/pkg/webhookconfig/configmanager.go +++ b/pkg/webhookconfig/configmanager.go @@ -638,6 +638,7 @@ func (m *webhookConfigManager) mergeWebhook(dst *webhook, policy kyverno.PolicyI if strings.Contains(gvk, "*") { gvrList = append(gvrList, schema.GroupVersionResource{Group: gvr.Group, Version: "*", Resource: gvr.Resource}) } else { + m.log.V(4).Info("configuring webhook", "GVK", gvk, "GVR", gvr) gvrList = append(gvrList, gvr) } } diff --git a/pkg/webhooks/handlers.go b/pkg/webhooks/handlers.go index 82ff0346a9..7c80a25245 100644 --- a/pkg/webhooks/handlers.go +++ b/pkg/webhooks/handlers.go @@ -43,7 +43,7 @@ func errorResponse(logger logr.Logger, err error, message string) *admissionv1.A } func setupLogger(logger logr.Logger, name string, request *admissionv1.AdmissionRequest) logr.Logger { - return logger.WithName("MutateWebhook").WithValues( + return logger.WithName(name).WithValues( "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, @@ -61,8 +61,7 @@ func (ws *WebhookServer) admissionHandler(filter bool, inner handlers.AdmissionH } func (ws *WebhookServer) policyMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse { - logger := setupLogger(ws.log, "policy mutation", request) - + logger := setupLogger(ws.log, "PolicyMutationWebhook", request) policy, oldPolicy, err := admissionutils.GetPolicies(request) if err != nil { logger.Error(err, "failed to unmarshal policies from admission request") @@ -88,7 +87,7 @@ func (ws *WebhookServer) policyMutation(request *admissionv1.AdmissionRequest) * //policyValidation performs the validation check on policy resource func (ws *WebhookServer) policyValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse { - logger := setupLogger(ws.log, "policy validation", request) + logger := setupLogger(ws.log, "PolicyValidationWebhook", request) policy, oldPolicy, err := admissionutils.GetPolicies(request) if err != nil { logger.Error(err, "failed to unmarshal policies from admission request") @@ -119,7 +118,7 @@ func (ws *WebhookServer) policyValidation(request *admissionv1.AdmissionRequest) // resourceMutation mutates resource func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse { - logger := setupLogger(ws.log, "resource mutation", request) + logger := setupLogger(ws.log, "ResourceMutationWebhook", request) if excludeKyvernoResources(request.Kind.Kind) { return admissionutils.ResponseSuccess(true, "") } @@ -131,21 +130,25 @@ func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest) } else { logger.Info(fmt.Sprintf("Converting oldObject failed: %v", err)) } - return admissionutils.ResponseSuccess(true, "") + return admissionutils.ResponseSuccess(true, "") } - logger.V(4).Info("received an admission request in mutating webhook") + kind := request.Kind.Kind + logger.V(4).Info("received an admission request in mutating webhook", "kind", kind) requestTime := time.Now().Unix() - mutatePolicies := ws.pCache.GetPolicies(policycache.Mutate, request.Kind.Kind, request.Namespace) - verifyImagesPolicies := ws.pCache.GetPolicies(policycache.VerifyImagesMutate, request.Kind.Kind, request.Namespace) + mutatePolicies := ws.pCache.GetPolicies(policycache.Mutate, kind, request.Namespace) + verifyImagesPolicies := ws.pCache.GetPolicies(policycache.VerifyImagesMutate, kind, request.Namespace) if len(mutatePolicies) == 0 && len(verifyImagesPolicies) == 0 { - logger.V(4).Info("no policies matched admission request") + logger.V(4).Info("no policies matched mutate admission request", "kind", kind) return admissionutils.ResponseSuccess(true, "") } + logger.V(4).Info("processing policies for mutate admission request", "kind", kind, + "mutatePolicies", len(mutatePolicies), "verifyImagesPolicies", len(verifyImagesPolicies)) + addRoles := containsRBACInfo(mutatePolicies) policyContext, err := ws.buildPolicyContext(request, addRoles) if err != nil { @@ -172,7 +175,7 @@ func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest) } func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse { - logger := setupLogger(ws.log, "resource validation", request) + logger := setupLogger(ws.log, "ResourceValidationWebhook", request) if request.Operation == admissionv1.Delete { ws.handleDelete(request) } @@ -181,22 +184,29 @@ func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionReques return admissionutils.ResponseSuccess(true, "") } - logger.V(6).Info("received an admission request in validating webhook") + kind := request.Kind.Kind + logger.V(4).Info("received an admission request in validating webhook", "kind", kind) // timestamp at which this admission request got triggered requestTime := time.Now().Unix() - policies := ws.pCache.GetPolicies(policycache.ValidateEnforce, request.Kind.Kind, request.Namespace) - mutatePolicies := ws.pCache.GetPolicies(policycache.Mutate, request.Kind.Kind, request.Namespace) - generatePolicies := ws.pCache.GetPolicies(policycache.Generate, request.Kind.Kind, request.Namespace) - - imageVerifyValidatePolicies := ws.pCache.GetPolicies(policycache.VerifyImagesValidate, request.Kind.Kind, request.Namespace) + policies := ws.pCache.GetPolicies(policycache.ValidateEnforce, kind, request.Namespace) + mutatePolicies := ws.pCache.GetPolicies(policycache.Mutate, kind, request.Namespace) + generatePolicies := ws.pCache.GetPolicies(policycache.Generate, kind, request.Namespace) + imageVerifyValidatePolicies := ws.pCache.GetPolicies(policycache.VerifyImagesValidate, kind, request.Namespace) policies = append(policies, imageVerifyValidatePolicies...) + if len(policies) == 0 && len(mutatePolicies) == 0 && len(generatePolicies) == 0 { + logger.V(4).Info("no policies matched admission request", "kind", kind) + } + if len(generatePolicies) == 0 && request.Operation == admissionv1.Update { // handle generate source resource updates go ws.handleUpdatesForGenerateRules(request, []kyverno.PolicyInterface{}) } + logger.V(4).Info("processing policies for validate admission request", + "kind", kind, "validate", len(policies), "mutate", len(mutatePolicies), "generate", len(generatePolicies)) + var roles, clusterRoles []string if containsRBACInfo(policies, generatePolicies) { var err error diff --git a/test/e2e/mutate/mutate_test.go b/test/e2e/mutate/mutate_test.go index 2387236253..4b04ff47bc 100644 --- a/test/e2e/mutate/mutate_test.go +++ b/test/e2e/mutate/mutate_test.go @@ -420,7 +420,9 @@ func Test_Mutate_Existing(t *testing.T) { Expect(err).NotTo(HaveOccurred()) // wait for UR to be completed - time.Sleep(3 * time.Second) + // TODO: this should be changed to check the UR for the right state. + // Any hard-coded timer may fail in some cases. + time.Sleep(5 * time.Second) res, err := e2eClient.GetNamespacedResource(test.TargetGVR, test.TargetNamespace, test.TargetName) Expect(err).NotTo(HaveOccurred())