diff --git a/.codeclimate.yml b/.codeclimate.yml new file mode 100644 index 0000000000..cf3023aa6f --- /dev/null +++ b/.codeclimate.yml @@ -0,0 +1,18 @@ +engines: + govet: + enabled: true + golint: + enabled: false + gofmt: + enabled: true + +ratings: + paths: + - "**.go" + +exclude_paths: +- documentation/ +- charts +- definitions +- samples +- scripts diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000000..f542064542 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,50 @@ +## Related issue + + + +**What type of PR is this?** + + +## Proposed changes + + + +## Checklist + + + +- [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md). +- [ ] I have added tests that prove my fix is effective or that my feature + works. +- [ ] I have added or changed [the documentation](documentation/). + +## Further comments + + diff --git a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md b/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md deleted file mode 100644 index 7f76f9d5bf..0000000000 --- a/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md +++ /dev/null @@ -1,21 +0,0 @@ -**What type of PR is this?** -> Uncomment only one ` /kind <>` line, hit enter to put that in a new line, and remove leading whitespaces from that line: -> -> /kind api-change -> /kind bug -> /kind cleanup -> /kind design -> /kind documentation -> /kind failing-test -> /kind feature - -**What this PR does / why we need it**: - -**Which issue(s) this PR fixes**: - -Fixes # - -**Special notes for your reviewer**: diff --git a/.github/semantic.yml b/.github/semantic.yml new file mode 100644 index 0000000000..bf22245188 --- /dev/null +++ b/.github/semantic.yml @@ -0,0 +1,17 @@ +titleOnly: true +commitsOnly: false +titleAndCommits: false + +types: + - feat + - fix + - revert + - docs + - style + - refactor + - test + - build + - autogen + - security + - ci + - chore \ No newline at end of file diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000000..623d50c573 --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,41 @@ +name: prereleaser + +on: + push: + tags: + - '*' + + +jobs: + releaser: + runs-on: ubuntu-latest + steps: + - + name: Checkout + uses: actions/checkout@v2 + - + name: Unshallow + run: git fetch --prune --unshallow + - + name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.14 + - uses: creekorful/goreportcard-action@v1.0 + - + name: Run GoReleaser + uses: goreleaser/goreleaser-action@v2 + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }} + - uses: J12934/helm-gh-pages-action@master + name: Run Helm Publish + with: + access-token: ${{ secrets.ACCESS_TOKEN }} + deploy-branch: gh-pages + charts-folder: charts + + + diff --git a/.gitignore b/.gitignore index 6e2acb1653..0117c88617 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,6 @@ gh-pages/public _output coverage.txt .idea +cmd/initContainer/kyvernopre +cmd/kyverno/kyverno +cmd/cli/kubectl-kyverno/kyverno diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000000..a589a168f3 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,17 @@ +linters: + enable: + - gosec + - errcheck + - gosimple + - bodyclose + - staticcheck + disable: + - ineffassign + - deadcode + - unused + - structcheck + +run: + skip-files: + - ".+_test.go" + - ".+_test_.+.go" \ No newline at end of file diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 0000000000..2595128777 --- /dev/null +++ b/.goreleaser.yml @@ -0,0 +1,49 @@ +project_name: kyverno-cli +before: + hooks: + - go mod download +builds: +- id: kyverno-cli + main: cmd/cli/kubectl-kyverno/main.go + binary: kyverno + env: + - CGO_ENABLED=0 + goos: + - linux + - darwin + - windows + goarch: + - amd64 + goarm: [6, 7] +archives: +- id: kyverno-cli-archive + name_template: |- + kyverno-cli_{{ .Tag }}_{{ .Os }}_{{ .Arch -}} + {{- with .Arm -}} + {{- if (eq . "6") -}}hf + {{- else -}}v{{- . -}} + {{- end -}} + {{- end -}} + builds: + - kyverno-cli + replacements: + 386: i386 + amd64: x86_64 + format_overrides: + - goos: windows + format: zip + files: ["LICENSE"] +checksum: + name_template: "checksums.txt" + algorithm: sha256 +release: + prerelease: auto +changelog: + sort: asc + filters: + # commit messages matching the regexp listed here will be removed from + # the changelog + exclude: + - '^docs:' + - typo + diff --git a/.travis.yml b/.travis.yml index 917a026a0c..d82cd41a9b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,6 +2,11 @@ language: go go: - "1.13" +cache: + directories: + - $HOME/.cache/go-build + - $GOPATH/pkg/mod + # safelist branches: only: @@ -35,4 +40,4 @@ after_success: docker login -u $DOCKER_USER -p $DOCKER_PASSWORD make docker-publish-initContainer make docker-publish-kyverno - fi \ No newline at end of file + fi diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index be104b5dc2..9941e08dd5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1 +1,7 @@ -See: https://github.com/nirmata/kyverno#contributing +# Contributing to Kyverno + +## Code Style + +We follow the community provided standard [code structure](https://github.com/golang-standards/project-layout). + +See : https://github.com/nirmata/kyverno#contributing diff --git a/Makefile b/Makefile index 824f8b92e4..7645266947 100644 --- a/Makefile +++ b/Makefile @@ -8,9 +8,9 @@ GIT_BRANCH := $(shell git branch | grep \* | cut -d ' ' -f2) GIT_HASH := $(GIT_BRANCH)/$(shell git log -1 --pretty=format:"%H") TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p') -REGISTRY=index.docker.io +REGISTRY?=index.docker.io REPO=$(REGISTRY)/nirmata/kyverno -IMAGE_TAG=$(GIT_VERSION) +IMAGE_TAG?=$(GIT_VERSION) GOOS ?= $(shell go env GOOS) PACKAGE ?=github.com/nirmata/kyverno LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)" @@ -53,6 +53,11 @@ docker-push-initContainer: .PHONY: docker-build-kyverno docker-tag-repo-kyverno docker-push-kyverno KYVERNO_PATH := cmd/kyverno KYVERNO_IMAGE := kyverno + +local: + go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH) + go build -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH) + kyverno: GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go @@ -108,4 +113,17 @@ code-cov-report: $(CODE_COVERAGE_FILE_TXT) # transform to html format @echo " generating code coverage report" go tool cover -html=coverage.txt - if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi; \ No newline at end of file + if [ -a $(CODE_COVERAGE_FILE_HTML) ]; then open $(CODE_COVERAGE_FILE_HTML); fi; + +# godownloader create downloading script for kyverno-cli +godownloader: + godownloader .goreleaser.yml --repo nirmata/kyverno -o ./scripts/install-cli.sh --source="raw" + +# kustomize-crd will create install.yaml +kustomize-crd: + # Create CRD for helm deployment Helm + kustomize build ./definitions/crds > ./charts/kyverno/crds/crds.yaml + # Generate install.yaml that have all resources for kyverno + kustomize build ./definitions > ./definitions/install.yaml + # Generate install_debug.yaml that for developer testing + kustomize build ./definitions/debug > ./definitions/install_debug.yaml \ No newline at end of file diff --git a/README.md b/README.md index f4b22dd7e0..c4adfa3a73 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ Kyverno is a policy engine designed for Kubernetes. -Kubernetes supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources. +Kyverno supports declarative validation, mutation, and generation of resource configurations using policies written as Kubernetes resources. Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.Kyverno allows cluster adminstrators to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. @@ -20,13 +20,24 @@ Mutating policies can be written as overlays (similar to [Kustomize](https://kub Policy enforcement is captured using Kubernetes events. Kyverno also reports policy violations for existing resources. +**NOTE** : Your Kubernetes cluster version must be above v1.14 which adds webook timeouts. To check the version, enter `kubectl version`. + +## Quick Start + +Install Kyverno: +```console +kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml +``` + +You can also install using the [Helm chart](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#install-kyverno-using-helm). As a next step, import [sample policies](https://github.com/nirmata/kyverno/blob/master/samples/README.md) and learn about [writing policies](https://github.com/nirmata/kyverno/blob/master/documentation/writing-policies.md). You can test policies using the [Kyverno cli](https://github.com/nirmata/kyverno/blob/master/documentation/kyverno-cli.md). See [docs](https://github.com/nirmata/kyverno/#documentation) for more details. + ## Examples ### 1. Validating resources This policy requires that all pods have CPU and memory resource requests and limits: -````yaml +```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: @@ -35,108 +46,146 @@ spec: # `enforce` blocks the request. `audit` reports violations validationFailureAction: enforce rules: - - name: check-pod-resources - match: - resources: - kinds: - - Pod - validate: - message: "CPU and memory resource requests and limits are required" - pattern: - spec: - containers: - # 'name: *' selects all containers in the pod - - name: "*" - resources: - limits: - # '?' requires 1 alphanumeric character and '*' means that there can be 0 or more characters. - # Using them together e.g. '?*' requires at least one character. - memory: "?*" - cpu: "?*" - requests: - memory: "?*" - cpu: "?*" -```` + - name: check-pod-resources + match: + resources: + kinds: + - Pod + validate: + message: "CPU and memory resource requests and limits are required" + pattern: + spec: + containers: + # 'name: *' selects all containers in the pod + - name: "*" + resources: + limits: + # '?' requires 1 alphanumeric character and '*' means that + # there can be 0 or more characters. Using them together + # e.g. '?*' requires at least one character. + memory: "?*" + cpu: "?*" + requests: + memory: "?*" + cpu: "?*" +``` + +This policy prevents users from changing default network policies: + +```yaml +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny-netpol-changes +spec: + validationFailureAction: enforce + background: false + rules: + - name: check-netpol-updates + match: + resources: + kinds: + - NetworkPolicy + name: + - *-default + exclude: + clusterRoles: + - cluster-admin + validate: + message: "Changing default network policies is not allowed" + deny: {} +``` + ### 2. Mutating resources This policy sets the imagePullPolicy to Always if the image tag is latest: -````yaml +```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: set-image-pull-policy spec: rules: - - name: set-image-pull-policy - match: - resources: - kinds: - - Pod - mutate: - overlay: - spec: - containers: - # match images which end with :latest - - (image): "*:latest" - # set the imagePullPolicy to "Always" - imagePullPolicy: "Always" -```` + - name: set-image-pull-policy + match: + resources: + kinds: + - Pod + mutate: + overlay: + spec: + containers: + # match images which end with :latest + - (image): "*:latest" + # set the imagePullPolicy to "Always" + imagePullPolicy: "Always" +``` ### 3. Generating resources -This policy sets the Zookeeper and Kafka connection strings for all namespaces with a label key 'kafka'. +This policy sets the Zookeeper and Kafka connection strings for all namespaces. -````yaml +```yaml apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: "zk-kafka-address" spec: rules: - - name: "zk-kafka-address" - match: - resources: - kinds: - - Namespace - generate: - kind: ConfigMap - name: zk-kafka-address - # generate the resource in the new namespace - namespace: "{{request.object.metadata.name}}" - data: + - name: "zk-kafka-address" + match: + resources: + kinds: + - Namespace + generate: kind: ConfigMap + name: zk-kafka-address + # generate the resource in the new namespace + namespace: "{{request.object.metadata.name}}" + synchronize : true data: - ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" - KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" -```` + kind: ConfigMap + data: + ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181" + KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092" +``` -### 4. More examples - -Refer to a list of curated of ***[sample policies](/samples/README.md)*** that can be applied to your cluster. +**For more examples, refer to a list of curated of **_[sample policies](/samples/README.md)_** that can be applied to your cluster.** ## Documentation -* [Getting Started](documentation/installation.md) -* [Writing Policies](documentation/writing-policies.md) - * [Validate Resources](documentation/writing-policies-validate.md) - * [Mutate Resources](documentation/writing-policies-mutate.md) - * [Generate Resources](documentation/writing-policies-generate.md) - * [Variable Substitution](documentation/writing-policies-variables.md) - * [Preconditions](documentation/writing-policies-preconditions.md) - * [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md) - * [Background Processing](documentation/writing-policies-background.md) -* [Testing Policies](documentation/testing-policies.md) -* [Policy Violations](documentation/policy-violations.md) -* [Kyverno CLI](documentation/kyverno-cli.md) -* [Sample Policies](/samples/README.md) +- [Getting Started](documentation/installation.md) +- [Writing Policies](documentation/writing-policies.md) + - [Selecting Resources](/documentation/writing-policies-match-exclude.md) + - [Validating Resources](documentation/writing-policies-validate.md) + - [Mutating Resources](documentation/writing-policies-mutate.md) + - [Generating Resources](documentation/writing-policies-generate.md) + - [Variable Substitution](documentation/writing-policies-variables.md) + - [Preconditions](documentation/writing-policies-preconditions.md) + - [Auto-Generation of Pod Controller Policies](documentation/writing-policies-autogen.md) + - [Background Processing](documentation/writing-policies-background.md) +- [Testing Policies](documentation/testing-policies.md) +- [Policy Violations](documentation/policy-violations.md) +- [Kyverno CLI](documentation/kyverno-cli.md) +- [Sample Policies](/samples/README.md) + + +## Presentations and Articles + +- [Introducing Kyverno - blog post](https://nirmata.com/2019/07/11/managing-kubernetes-configuration-with-policies/) +- [CNCF Video and Slides](https://www.cncf.io/webinars/how-to-keep-your-clusters-safe-and-healthy/) +- [10 Kubernetes Best Practices - blog post](https://thenewstack.io/10-kubernetes-best-practices-you-can-easily-apply-to-your-clusters/) +- [VMware Code Meetup Video](https://www.youtube.com/watch?v=mgEmTvLytb0) +- [Virtual Rejekts Video](https://www.youtube.com/watch?v=caFMtSg4A6I) +- [TGIK Video](https://www.youtube.com/watch?v=ZE4Zu9WQET4&list=PL7bmigfV0EqQzxcNpmcdTJ9eFRPBe-iZa&index=18&t=0s) + ## License [Apache License 2.0](https://github.com/nirmata/kyverno/blob/master/LICENSE) - ## Alternatives ### Open Policy Agent @@ -155,20 +204,20 @@ Refer to a list of curated of ***[sample policies](/samples/README.md)*** that c Tools like [Kustomize](https://github.com/kubernetes-sigs/kustomize) can be used to manage variations in configurations outside of clusters. There are several advantages to this approach when used to produce variations of the same base configuration. However, such solutions cannot be used to validate or enforce configurations. - ## Roadmap See [Milestones](https://github.com/nirmata/kyverno/milestones) and [Issues](https://github.com/nirmata/kyverno/issues). ## Getting help - * For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues). - * For discussions or questions, join our [Kubernetes Slack channel #kyverno](https://app.slack.com/client/T09NY5SBT/CLGR9BJU9) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno) +- For feature requests and bugs, file an [issue](https://github.com/nirmata/kyverno/issues). +- For discussions or questions, join the **#kyverno** channel on the [Kubernetes Slack](https://kubernetes.slack.com/) or the [mailing list](https://groups.google.com/forum/#!forum/kyverno) ## Contributing Thanks for your interest in contributing! - * Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing. - * See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation. - * Browse through the [open issues](https://github.com/nirmata/kyverno/issues) +- Please review and agree to abide with the [Code of Conduct](/CODE_OF_CONDUCT.md) before contributing. +- We encourage all contributions and encourage you to read our [contribution guidelines](./CONTRIBUTING.md). +- See the [Wiki](https://github.com/nirmata/kyverno/wiki) for developer documentation. +- Browse through the [open issues](https://github.com/nirmata/kyverno/issues) diff --git a/data/swaggerDoc.go b/api/swaggerDoc.go similarity index 100% rename from data/swaggerDoc.go rename to api/swaggerDoc.go diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml new file mode 100644 index 0000000000..ca4633968f --- /dev/null +++ b/charts/kyverno/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +name: kyverno +version: 1.1.6 +appVersion: v1.1.6 +description: Kubernetes Native Policy Management +keywords: + - kubernetes + - nirmata + - policy agent + - validating webhook + - admissions controller +home: https://kyverno.io/ +sources: + - https://github.com/nirmata/kyverno +maintainers: + - name: Nirmata + url: https://kyverno.io/ +engine: gotpl +kubeVersion: ">=1.10.0-0" diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md new file mode 100644 index 0000000000..b84617b4cc --- /dev/null +++ b/charts/kyverno/README.md @@ -0,0 +1,112 @@ +# kyverno + +[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine. It allows you to + +* Manage policies as Kubernetes resources. +* Validate, mutate, and generate configurations for any resource. +* Select resources based on labels and wildcards. +* View policy enforcement as events. +* Detect policy violations for existing resources. + +## TL;DR; + +```console +## Add the nirmata Helm repository +$ helm repo add kyverno https://nirmata.github.io/kyverno + +## Install the kyverno helm chart +$ helm install kyverno --namespace kyverno kyverno/kyverno +``` + +## Introduction + +This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Installing the Chart + +Kyverno makes assumptions about naming of namespaces and resources. Therefore, the chart must be installed with the default release name `kyverno` (default if --name is omitted) and in the namespace 'kyverno': + +```console +$ helm install kyverno --namespace kyverno kyverno ./charts/kyverno +``` + +Note that Helm by default expects the namespace to already exist before running helm install. Create the namespace using: + +```console +$ kubectl create ns kyverno +``` + +The command deploys Kyverno on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the `kyverno` deployment: + +```console +$ helm delete -n kyverno kyverno +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Configuration + +The following table lists the configurable parameters of the kyverno chart and their default values. + +Parameter | Description | Default +--- | --- | --- +`affinity` | node/pod affinities | `nil` +`createSelfSignedCert` | generate a self signed cert and certificate authority. Kyverno defaults to using kube-controller-manager CA-signed certificate or existing cert secret if false. | `false` +`config.existingConfig` | existing Kubernetes configmap to use for the resource filters configuration | `nil` +`config.resourceFilters` | list of filter of resource types to be skipped by kyverno policy engine. See [documentation](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#filter-kubernetes-resources-that-admission-webhook-should-not-process) for details | `["[Event,*,*]","[*,kube-system,*]","[*,kube-public,*]","[*,kube-node-lease,*]","[Node,*,*]","[APIService,*,*]","[TokenReview,*,*]","[SubjectAccessReview,*,*]","[*,kyverno,*]"]` +`extraArgs` | list of extra arguments to give the binary | `[]` +`fullnameOverride` | override the expanded name of the chart | `nil` +`generatecontrollerExtraResources` | extra resource type Kyverno is allowed to generate | `[]` +`image.pullPolicy` | Image pull policy | `IfNotPresent` +`image.pullSecrets` | Specify image pull secrets | `[]` (does not add image pull secrets to deployed pods) +`image.repository` | Image repository | `nirmata/kyverno` +`image.tag` | Image tag | `nil` +`initImage.pullPolicy` | Init image pull policy | `nil` +`initImage.repository` | Init image repository | `nirmata/kyvernopre` +`initImage.tag` | Init image tag | `nil` +`livenessProbe` | liveness probe configuration | `{}` +`nameOverride` | override the name of the chart | `nil` +`nodeSelector` | node labels for pod assignment | `{}` +`podAnnotations` | annotations to add to each pod | `{}` +`podLabels` | additional labels to add to each pod | `{}` +`podSecurityContext` | security context for the pod | `{}` +`priorityClassName` | priorityClassName | `nil` +`rbac.create` | create cluster roles, cluster role bindings, and service account | `true` +`rbac.serviceAccount.create` | create a service account | `true` +`rbac.serviceAccount.name` | the service account name | `nil` +`rbac.serviceAccount.annotations` | annotations for the service account | `{}` +`readinessProbe` | readiness probe configuration | `{}` +`replicaCount` | desired number of pods | `1` +`resources` | pod resource requests & limits | `{}` +`service.annotations` | annotations to add to the service | `{}` +`service.nodePort` | node port | `nil` +`service.port` | port for the service | `443` +`service.type` | type of service | `ClusterIP` +`tolerations` | list of node taints to tolerate | `[]` +`securityContext` | security context configuration | `{}` + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install --namespace kyverno kyverno ./charts/kyverno \ + --set=image.tag=v0.0.2,resources.limits.cpu=200m +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install --namespace kyverno kyverno ./charts/kyverno -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## TLS Configuration + +If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate describe in option 2 of the [installation documentation](https://github.com/nirmata/kyverno/blob/master/documentation/installation.md#option-2-use-your-own-ca-signed-certificate) + +If `createSelfSignedCert` is `false`, Kyverno will generate a pair using the kube-controller-manager., or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the documentation. diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml new file mode 100644 index 0000000000..e654adc720 --- /dev/null +++ b/charts/kyverno/crds/crds.yaml @@ -0,0 +1,469 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + kind: ClusterPolicy + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + background: + type: boolean + rules: + items: + properties: + exclude: + properties: + clusterRoles: + items: + type: string + type: array + resources: + properties: + kinds: + items: + type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + type: object + generate: + properties: + clone: + properties: + name: + type: string + namespace: + type: string + required: + - namespace + - name + type: object + data: + AnyValue: {} + kind: + type: string + name: + type: string + namespace: + type: string + synchronize: + type: boolean + required: + - kind + - name + type: object + match: + properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 + properties: + kinds: + items: + type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: + AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + type: string + value: + type: string + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicyviolations.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: ClusterPolicyViolation + plural: clusterpolicyviolations + shortNames: + - cpolv + singular: clusterpolicyviolation + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: generaterequests.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .spec.resource.namespace + description: The resource namespace that caused the violation + name: ResourceNamespace + type: string + - JSONPath: .status.state + description: Current state of generate request + name: status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: GenerateRequest + plural: generaterequests + shortNames: + - gr + singular: generaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + required: + - policy + - resource + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: policyviolations.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: PolicyViolation + plural: policyviolations + shortNames: + - polv + singular: policyviolation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl new file mode 100644 index 0000000000..fe0880e71c --- /dev/null +++ b/charts/kyverno/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* Expand the name of the chart. */}} +{{- define "kyverno.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kyverno.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* Create chart name and version as used by the chart label. */}} +{{- define "kyverno.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Helm required labels */}} +{{- define "kyverno.labels" -}} +app.kubernetes.io/name: {{ template "kyverno.name" . }} +helm.sh/chart: {{ template "kyverno.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* matchLabels */}} +{{- define "kyverno.matchLabels" -}} +app.kubernetes.io/name: {{ template "kyverno.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* Get the config map name. */}} +{{- define "kyverno.configMapName" -}} +{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}} +{{- end -}} + +{{/* Create the name of the service to use */}} +{{- define "kyverno.serviceName" -}} +{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* Create the name of the service account to use */}} +{{- define "kyverno.serviceAccountName" -}} +{{- if .Values.rbac.serviceAccount.create -}} + {{ default (include "kyverno.fullname" .) .Values.rbac.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/clusterrole.yaml b/charts/kyverno/templates/clusterrole.yaml new file mode 100644 index 0000000000..a4185b118c --- /dev/null +++ b/charts/kyverno/templates/clusterrole.yaml @@ -0,0 +1,147 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:policyviolations +rules: +- apiGroups: ["kyverno.io"] + resources: + - policyviolations + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:webhook +rules: +# Dynamic creation of webhooks, events & certs +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + resourceNames: + - kubernetes.io/legacy-unknown + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - signers + resourceNames: + - kubernetes.io/legacy-unknown + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:userinfo +rules: +# get the roleRef for incoming api-request user +- apiGroups: + - "*" + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:customresources +rules: +# Kyverno CRs +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status + - policyviolations + - policyviolations/status + - generaterequests + - generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:policycontroller +rules: +# background processing, identify all existing resources +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:generatecontroller +rules: +# process generate rules to generate resources +- apiGroups: + - "*" + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + - clusterroles + - rolebindings + - clusterrolebindings + {{- range .Values.generatecontrollerExtraResources }} + - {{ . }} + {{- end }} + verbs: + - create + - update + - delete + - get +# dynamic watches on trigger resources for generate rules +# re-evaluate the policy if the resource is updated +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch +{{- end }} diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..87b413a1b7 --- /dev/null +++ b/charts/kyverno/templates/clusterrolebinding.yaml @@ -0,0 +1,66 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:webhook +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:userinfo +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:customresources +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:policycontroller +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:generatecontroller +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/kyverno/templates/configmap.yaml b/charts/kyverno/templates/configmap.yaml new file mode 100644 index 0000000000..cfe30c62ae --- /dev/null +++ b/charts/kyverno/templates/configmap.yaml @@ -0,0 +1,10 @@ +{{- if (not .Values.config.existingConfig) }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: {{ include "kyverno.labels" . | nindent 4 }} + name: {{ template "kyverno.configMapName" . }} +data: + # resource types to be skipped by kyverno policy engine + resourceFilters: {{ join "" .Values.config.resourceFilters | quote }} +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml new file mode 100644 index 0000000000..4e2c115620 --- /dev/null +++ b/charts/kyverno/templates/deployment.yaml @@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.fullname" . }} + labels: {{ include "kyverno.labels" . | nindent 4 }} +spec: + selector: + matchLabels: {{ include "kyverno.matchLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: {{ include "kyverno.labels" . | nindent 8 }} + {{- range $key, $value := .Values.podLabels }} + {{ $key }}: {{ $value }} + {{- end }} + {{- with .Values.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "kyverno.serviceAccountName" . }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + initContainers: + - name: kyverno-pre + image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }} + imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }} + containers: + - name: kyverno + image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.extraArgs }} + args: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.resources }} + resources: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} + ports: + - containerPort: 443 + name: https + protocol: TCP + env: + - name: INIT_CONFIG + value: {{ template "kyverno.configMapName" . }} + {{- with .Values.livenessProbe }} + livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }} + {{- end }} diff --git a/charts/kyverno/templates/secret.yaml b/charts/kyverno/templates/secret.yaml new file mode 100644 index 0000000000..ad5ba7cf76 --- /dev/null +++ b/charts/kyverno/templates/secret.yaml @@ -0,0 +1,23 @@ +{{- if .Values.createSelfSignedCert }} +{{- $ca := .ca | default (genCA (printf "*.%s.svc" .Release.Namespace) 1024) -}} +{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) .Release.Namespace) nil nil 1024 $ca -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-ca + labels: {{ include "kyverno.labels" . | nindent 4 }} +data: + rootCA.crt: {{ $ca.Cert | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.serviceName" . }}.{{ .Release.Namespace }}.svc.kyverno-tls-pair + labels: {{ include "kyverno.labels" . | nindent 4 }} + annotations: + self-signed-cert: "true" +type: kubernetes.io/tls +data: + tls.key: {{ $cert.Key | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} +{{- end -}} diff --git a/charts/kyverno/templates/service.yaml b/charts/kyverno/templates/service.yaml new file mode 100644 index 0000000000..45c6889180 --- /dev/null +++ b/charts/kyverno/templates/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.serviceName" . }} + labels: {{ include "kyverno.labels" . | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: {{ tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.service.port }} + targetPort: https + protocol: TCP + name: https + {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + selector: {{ include "kyverno.matchLabels" . | nindent 4 }} + type: {{ .Values.service.type }} diff --git a/charts/kyverno/templates/serviceaccount.yaml b/charts/kyverno/templates/serviceaccount.yaml new file mode 100644 index 0000000000..8a77c6ec59 --- /dev/null +++ b/charts/kyverno/templates/serviceaccount.yaml @@ -0,0 +1,10 @@ +{{- if .Values.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.serviceAccountName" . }} + labels: {{ include "kyverno.labels" . | nindent 4 }} + {{- if .Values.rbac.serviceAccount.annotations }} + annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml new file mode 100644 index 0000000000..887e5903cc --- /dev/null +++ b/charts/kyverno/values.yaml @@ -0,0 +1,125 @@ +nameOverride: +fullnameOverride: + +rbac: + create: true + serviceAccount: + create: true + name: + annotations: {} + # example.com/annotation: value + +image: + repository: nirmata/kyverno + # Defaults to appVersion in Chart.yaml if omitted + tag: + pullPolicy: IfNotPresent + pullSecrets: [] + # - secretName +initImage: + repository: nirmata/kyvernopre + # If initImage.tag is missing, defaults to image.tag + tag: + # If initImage.pullPolicy is missing, defaults to image.pullPolicy + pullPolicy: + # No pull secrets just for initImage; just add to image.pullSecrets + +replicaCount: 1 + +podLabels: {} +# example.com/label: foo + +podAnnotations: {} +# example.com/annotation: foo + +podSecurityContext: {} + +affinity: {} +nodeSelector: {} +tolerations: [] + +extraArgs: [] +# - --fqdn-as-cn +# - --webhooktimeout=4 + +resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 50Mi + +## Liveness Probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +## +livenessProbe: + httpGet: + path: /health/liveness + port: 443 + scheme: HTTPS + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + +## Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +## +readinessProbe: + httpGet: + path: /health/readiness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +# TODO(mbarrien): Should we just list all resources for the +# generatecontroller in here rather than having defaults hard-coded? +generatecontrollerExtraResources: +# - ResourceA +# - ResourceB + +config: + # resource types to be skipped by kyverno policy engine + # Make sure to surround each entry in quotes so that it doesn't get parsed + # as a nested YAML list. These are joined together without spaces in the configmap + resourceFilters: + - "[Event,*,*]" + - "[*,kube-system,*]" + - "[*,kube-public,*]" + - "[*,kube-node-lease,*]" + - "[Node,*,*]" + - "[APIService,*,*]" + - "[TokenReview,*,*]" + - "[SubjectAccessReview,*,*]" + - "[*,kyverno,*]" + # Or give the name of an existing config map (ignores default/provided resourceFilters) + existingConfig: + # existingConfig: init-config + +service: + port: 443 + type: ClusterIP + # Only used if service.type is NodePort + nodePort: + ## Provide any additional annotations which may be required. This can be used to + ## set the LoadBalancer service type to internal only. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + +# Kyverno requires a certificate key pair and corresponding certificate authority +# to properly register its webhooks. This can be done in one of 3 ways: +# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) +# 2) Provide your own CA and cert. +# In this case, you will need to create a certificate with a specific name and data structure. +# As long as you follow the naming scheme, it will be automatically picked up. +# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt) +# kyverno-svc.kyverno.svc.kyverno-tls-key-pair (with data entries named tls.key and tls.crt) +# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true +# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false +createSelfSignedCert: false \ No newline at end of file diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go index 9c5a9141ba..f21d6737b1 100644 --- a/cmd/initContainer/main.go +++ b/cmd/initContainer/main.go @@ -5,23 +5,26 @@ package main import ( "flag" + "fmt" "os" - "regexp" - "strconv" "sync" "time" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" client "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/signal" + "github.com/nirmata/kyverno/pkg/utils" "k8s.io/apimachinery/pkg/api/errors" rest "k8s.io/client-go/rest" clientcmd "k8s.io/client-go/tools/clientcmd" + "k8s.io/klog" + "k8s.io/klog/klogr" + "sigs.k8s.io/controller-runtime/pkg/log" ) var ( kubeconfig string + setupLog = log.Log.WithName("setup") ) const ( @@ -30,26 +33,38 @@ const ( ) func main() { - defer glog.Flush() + klog.InitFlags(nil) + log.SetLogger(klogr.New()) + // arguments + flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.") + if err := flag.Set("v", "2"); err != nil { + klog.Fatalf("failed to set log level: %v", err) + } + flag.Parse() + // os signal handler stopCh := signal.SetupSignalHandler() // create client config clientConfig, err := createClientConfig(kubeconfig) if err != nil { - glog.Fatalf("Error building kubeconfig: %v\n", err) + setupLog.Error(err, "Failed to build kubeconfig") + os.Exit(1) } // DYNAMIC CLIENT // - client for all registered resources - client, err := client.NewClient(clientConfig, 10*time.Second, stopCh) + client, err := client.NewClient(clientConfig, 15*time.Minute, stopCh, log.Log) if err != nil { - glog.Fatalf("Error creating client: %v\n", err) + setupLog.Error(err, "Failed to create client") + os.Exit(1) } // Exit for unsupported version of kubernetes cluster // https://github.com/nirmata/kyverno/issues/700 // - supported from v1.12.7+ - isVersionSupported(client) + if !utils.HigherThanKubernetesVersion(client, log.Log, 1, 12, 7) { + os.Exit(1) + } requests := []request{ // Resource @@ -78,53 +93,46 @@ func main() { for err := range merge(done, stopCh, p1, p2) { if err != nil { failure = true - glog.Errorf("failed to cleanup: %v", err) + log.Log.Error(err, "failed to cleanup resource") } } // if there is any failure then we fail process if failure { - glog.Errorf("failed to cleanup webhook configurations") + log.Log.Info("failed to cleanup webhook configurations") os.Exit(1) } } -func init() { - // arguments - flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.") - flag.Set("logtostderr", "true") - flag.Set("stderrthreshold", "WARNING") - flag.Set("v", "2") - flag.Parse() -} - func removeWebhookIfExists(client *client.Client, kind string, name string) error { + logger := log.Log.WithName("removeExistingWebhook").WithValues("kind", kind, "name", name) var err error // Get resource _, err = client.GetResource(kind, "", name) if errors.IsNotFound(err) { - glog.V(4).Infof("%s(%s) not found", name, kind) + logger.V(4).Info("resource not found") return nil } if err != nil { - glog.Errorf("failed to get resource %s(%s)", name, kind) + logger.Error(err, "failed to get resource") return err } // Delete resource err = client.DeleteResource(kind, "", name, false) if err != nil { - glog.Errorf("failed to delete resource %s(%s)", name, kind) + logger.Error(err, "failed to delete resource") return err } - glog.Infof("cleaned up resource %s(%s)", name, kind) + logger.Info("removed the resource") return nil } func createClientConfig(kubeconfig string) (*rest.Config, error) { + logger := log.Log if kubeconfig == "" { - glog.Info("Using in-cluster configuration") + logger.Info("Using in-cluster configuration") return rest.InClusterConfig() } - glog.Infof("Using configuration from '%s'", kubeconfig) + logger.Info(fmt.Sprintf("Using configuration from '%s'", kubeconfig)) return clientcmd.BuildConfigFromFlags("", kubeconfig) } @@ -163,6 +171,7 @@ func gen(done <-chan struct{}, stopCh <-chan struct{}, requests ...request) <-ch // processes the requests func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{}, requests <-chan request) <-chan error { + logger := log.Log.WithName("process") out := make(chan error) go func() { defer close(out) @@ -170,10 +179,10 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{} select { case out <- removeWebhookIfExists(client, req.kind, req.name): case <-done: - println("done process") + logger.Info("done") return case <-stopCh: - println("shutting down process") + logger.Info("shutting down") return } } @@ -183,6 +192,7 @@ func process(client *client.Client, done <-chan struct{}, stopCh <-chan struct{} // waits for all processes to be complete and merges result func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan error) <-chan error { + logger := log.Log.WithName("merge") var wg sync.WaitGroup out := make(chan error) // gets the output from each process @@ -192,10 +202,10 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err select { case out <- err: case <-done: - println("done merge") + logger.Info("done") return case <-stopCh: - println("shutting down merge") + logger.Info("shutting down") return } } @@ -213,32 +223,3 @@ func merge(done <-chan struct{}, stopCh <-chan struct{}, processes ...<-chan err }() return out } - -func isVersionSupported(client *client.Client) { - serverVersion, err := client.DiscoveryClient.GetServerVersion() - if err != nil { - glog.Fatalf("Failed to get kubernetes server version: %v\n", err) - } - exp := regexp.MustCompile(`v(\d*).(\d*).(\d*)`) - groups := exp.FindAllStringSubmatch(serverVersion.String(), -1) - if len(groups) != 1 || len(groups[0]) != 4 { - glog.Fatalf("Failed to extract kubernetes server version: %v.err %v\n", serverVersion, err) - } - // convert string to int - // assuming the version are always intergers - major, err := strconv.Atoi(groups[0][1]) - if err != nil { - glog.Fatalf("Failed to extract kubernetes major server version: %v.err %v\n", serverVersion, err) - } - minor, err := strconv.Atoi(groups[0][2]) - if err != nil { - glog.Fatalf("Failed to extract kubernetes minor server version: %v.err %v\n", serverVersion, err) - } - sub, err := strconv.Atoi(groups[0][3]) - if err != nil { - glog.Fatalf("Failed to extract kubernetes sub minor server version:%v. err %v\n", serverVersion, err) - } - if major <= 1 && minor <= 12 && sub < 7 { - glog.Fatalf("Unsupported kubernetes server version %s. Kyverno is supported from version v1.12.7+", serverVersion) - } -} diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 857039b35a..cdc7ae1339 100644 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -3,11 +3,14 @@ package main import ( "context" "flag" + "fmt" + "net/http" + _ "net/http/pprof" + "os" "time" "github.com/nirmata/kyverno/pkg/openapi" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/checker" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions" @@ -18,7 +21,6 @@ import ( generatecleanup "github.com/nirmata/kyverno/pkg/generate/cleanup" "github.com/nirmata/kyverno/pkg/policy" "github.com/nirmata/kyverno/pkg/policystatus" - "github.com/nirmata/kyverno/pkg/policystore" "github.com/nirmata/kyverno/pkg/policyviolation" "github.com/nirmata/kyverno/pkg/signal" "github.com/nirmata/kyverno/pkg/utils" @@ -27,98 +29,118 @@ import ( "github.com/nirmata/kyverno/pkg/webhooks" webhookgenerate "github.com/nirmata/kyverno/pkg/webhooks/generate" kubeinformers "k8s.io/client-go/informers" + "k8s.io/klog" + "k8s.io/klog/klogr" + log "sigs.k8s.io/controller-runtime/pkg/log" ) +const resyncPeriod = 15 * time.Minute + var ( kubeconfig string serverIP string webhookTimeout int runValidationInMutatingWebhook string + profile bool //TODO: this has been added to backward support command line arguments // will be removed in future and the configuration will be set only via configmaps filterK8Resources string // User FQDN as CSR CN - fqdncn bool + fqdncn bool + setupLog = log.Log.WithName("setup") ) func main() { - defer glog.Flush() - version.PrintVersionInfo() - // cleanUp Channel - cleanUp := make(chan struct{}) - // handle os signals - stopCh := signal.SetupSignalHandler() - // CLIENT CONFIG - clientConfig, err := config.CreateClientConfig(kubeconfig) - if err != nil { - glog.Fatalf("Error building kubeconfig: %v\n", err) + klog.InitFlags(nil) + log.SetLogger(klogr.New()) + flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"") + flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations") + flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.") + flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.") + flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.") + flag.BoolVar(&profile, "profile", false, "Set this flag to 'true', to enable profiling.") + if err := flag.Set("v", "2"); err != nil { + setupLog.Error(err, "failed to set log level") + os.Exit(1) } - // KYVENO CRD CLIENT + // Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542 + flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR") + flag.Parse() + + if profile { + go http.ListenAndServe("localhost:6060", nil) + } + + version.PrintVersionInfo(log.Log) + cleanUp := make(chan struct{}) + stopCh := signal.SetupSignalHandler() + clientConfig, err := config.CreateClientConfig(kubeconfig, log.Log) + if err != nil { + setupLog.Error(err, "Failed to build kubeconfig") + os.Exit(1) + } + + // KYVERNO CRD CLIENT // access CRD resources // - Policy // - PolicyViolation pclient, err := kyvernoclient.NewForConfig(clientConfig) if err != nil { - glog.Fatalf("Error creating client: %v\n", err) + setupLog.Error(err, "Failed to create client") + os.Exit(1) } // DYNAMIC CLIENT // - client for all registered resources - // - invalidate local cache of registered resource every 10 seconds - client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh) + client, err := dclient.NewClient(clientConfig, 5*time.Minute, stopCh, log.Log) if err != nil { - glog.Fatalf("Error creating client: %v\n", err) + setupLog.Error(err, "Failed to create client") + os.Exit(1) } + // CRD CHECK // - verify if the CRD for Policy & PolicyViolation are available - if !utils.CRDInstalled(client.DiscoveryClient) { - glog.Fatalf("Required CRDs unavailable") + if !utils.CRDInstalled(client.DiscoveryClient, log.Log) { + setupLog.Error(fmt.Errorf("CRDs not installed"), "Failed to access Kyverno CRDs") + os.Exit(1) } - // KUBERNETES CLIENT + kubeClient, err := utils.NewKubeClient(clientConfig) if err != nil { - glog.Fatalf("Error creating kubernetes client: %v\n", err) + setupLog.Error(err, "Failed to create kubernetes client") + os.Exit(1) } - // TODO(shuting): To be removed for v1.2.0 - utils.CleanupOldCrd(client) + // TODO: To be removed for v1.2.0 + utils.CleanupOldCrd(client, log.Log) - // KUBERNETES RESOURCES INFORMER - // watches namespace resource - // - cache resync time: 10 seconds - kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions( - kubeClient, - 10*time.Second) - // KUBERNETES Dynamic informer - // - cahce resync time: 10 seconds - kubedynamicInformer := client.NewDynamicSharedInformerFactory(10 * time.Second) + kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod) + kubedynamicInformer := client.NewDynamicSharedInformerFactory(resyncPeriod) - // WERBHOOK REGISTRATION CLIENT webhookRegistrationClient := webhookconfig.NewWebhookRegistrationClient( clientConfig, client, serverIP, - int32(webhookTimeout)) + int32(webhookTimeout), + log.Log) // Resource Mutating Webhook Watcher - lastReqTime := checker.NewLastReqTime() + lastReqTime := checker.NewLastReqTime(log.Log.WithName("LastReqTime")) rWebhookWatcher := webhookconfig.NewResourceWebhookRegister( lastReqTime, kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations(), kubeInformer.Admissionregistration().V1beta1().ValidatingWebhookConfigurations(), webhookRegistrationClient, runValidationInMutatingWebhook, + log.Log.WithName("ResourceWebhookRegister"), ) // KYVERNO CRD INFORMER // watches CRD resources: // - Policy // - PolicyVolation - // - cache resync time: 10 seconds - pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions( - pclient, - 10*time.Second) + pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, resyncPeriod) // Configuration Data // dynamically load the configuration from configMap @@ -127,21 +149,21 @@ func main() { configData := config.NewConfigData( kubeClient, kubeInformer.Core().V1().ConfigMaps(), - filterK8Resources) - - // Policy meta-data store - policyMetaStore := policystore.NewPolicyStore(pInformer.Kyverno().V1().ClusterPolicies()) + filterK8Resources, + log.Log.WithName("ConfigData"), + ) // EVENT GENERATOR // - generate event with retry mechanism - egen := event.NewEventGenerator( + eventGenerator := event.NewEventGenerator( client, - pInformer.Kyverno().V1().ClusterPolicies()) + pInformer.Kyverno().V1().ClusterPolicies(), + log.Log.WithName("EventGenerator")) // Policy Status Handler - deals with all logic related to policy status statusSync := policystatus.NewSync( pclient, - policyMetaStore) + pInformer.Kyverno().V1().ClusterPolicies().Lister()) // POLICY VIOLATION GENERATOR // -- generate policy violation @@ -149,29 +171,34 @@ func main() { client, pInformer.Kyverno().V1().ClusterPolicyViolations(), pInformer.Kyverno().V1().PolicyViolations(), - statusSync.Listener) + statusSync.Listener, + log.Log.WithName("PolicyViolationGenerator"), + ) // POLICY CONTROLLER // - reconciliation policy and policy violation // - process policy on existing resources - // - status aggregator: receives stats when a policy is applied - // & updates the policy status - pc, err := policy.NewPolicyController(pclient, + // - status aggregator: receives stats when a policy is applied & updates the policy status + policyCtrl, err := policy.NewPolicyController(pclient, client, pInformer.Kyverno().V1().ClusterPolicies(), pInformer.Kyverno().V1().ClusterPolicyViolations(), pInformer.Kyverno().V1().PolicyViolations(), configData, - egen, + eventGenerator, pvgen, - policyMetaStore, - rWebhookWatcher) + rWebhookWatcher, + kubeInformer.Core().V1().Namespaces(), + log.Log.WithName("PolicyController"), + ) + if err != nil { - glog.Fatalf("error creating policy controller: %v\n", err) + setupLog.Error(err, "Failed to create policy controller") + os.Exit(1) } // GENERATE REQUEST GENERATOR - grgen := webhookgenerate.NewGenerator(pclient, stopCh) + grgen := webhookgenerate.NewGenerator(pclient, stopCh, log.Log.WithName("GenerateRequestGenerator")) // GENERATE CONTROLLER // - applies generate rules on resources based on generate requests created by webhook @@ -180,11 +207,13 @@ func main() { client, pInformer.Kyverno().V1().ClusterPolicies(), pInformer.Kyverno().V1().GenerateRequests(), - egen, + eventGenerator, pvgen, kubedynamicInformer, statusSync.Listener, + log.Log.WithName("GenerateController"), ) + // GENERATE REQUEST CLEANUP // -- cleans up the generate requests that have not been processed(i.e. state = [Pending, Failed]) for more than defined timeout grcc := generatecleanup.NewController( @@ -193,12 +222,14 @@ func main() { pInformer.Kyverno().V1().ClusterPolicies(), pInformer.Kyverno().V1().GenerateRequests(), kubedynamicInformer, + log.Log.WithName("GenerateCleanUpController"), ) // CONFIGURE CERTIFICATES tlsPair, err := client.InitTLSPemPair(clientConfig, fqdncn) if err != nil { - glog.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err) + setupLog.Error(err, "Failed to initialize TLS key/certificate pair") + os.Exit(1) } // WEBHOOK REGISTRATION @@ -207,13 +238,20 @@ func main() { // resource webhook confgiuration is generated dynamically in the webhook server and policy controller // based on the policy resources created if err = webhookRegistrationClient.Register(); err != nil { - glog.Fatalf("Failed registering Admission Webhooks: %v\n", err) + setupLog.Error(err, "Failed to register Admission webhooks") + os.Exit(1) + } + + openAPIController, err := openapi.NewOpenAPIController() + if err != nil { + setupLog.Error(err, "Failed to create openAPIController") + os.Exit(1) } // Sync openAPI definitions of resources - openApiSync := openapi.NewCRDSync(client) + openAPISync := openapi.NewCRDSync(client, openAPIController) - // WEBHOOOK + // WEBHOOK // - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration // - reports the results based on the response from the policy engine: // -- annotations on resources with update details on mutation JSON patches @@ -226,18 +264,23 @@ func main() { pInformer.Kyverno().V1().ClusterPolicies(), kubeInformer.Rbac().V1().RoleBindings(), kubeInformer.Rbac().V1().ClusterRoleBindings(), - egen, + eventGenerator, webhookRegistrationClient, statusSync.Listener, configData, - policyMetaStore, pvgen, grgen, rWebhookWatcher, - cleanUp) + cleanUp, + log.Log.WithName("WebhookServer"), + openAPIController, + ) + if err != nil { - glog.Fatalf("Unable to create webhook server: %v\n", err) + setupLog.Error(err, "Failed to create webhook server") + os.Exit(1) } + // Start the components pInformer.Start(stopCh) kubeInformer.Start(stopCh) @@ -245,14 +288,13 @@ func main() { go grgen.Run(1) go rWebhookWatcher.Run(stopCh) go configData.Run(stopCh) - go policyMetaStore.Run(stopCh) - go pc.Run(1, stopCh) - go egen.Run(1, stopCh) + go policyCtrl.Run(3, stopCh) + go eventGenerator.Run(1, stopCh) go grc.Run(1, stopCh) go grcc.Run(1, stopCh) go pvgen.Run(1, stopCh) go statusSync.Run(1, stopCh) - go openApiSync.Run(1, stopCh) + openAPISync.Run(1, stopCh) // verifys if the admission control is enabled and active // resync: 60 seconds @@ -269,23 +311,12 @@ func main() { defer func() { cancel() }() + // cleanup webhookconfigurations followed by webhook shutdown server.Stop(ctx) + // resource cleanup // remove webhook configurations <-cleanUp - glog.Info("successful shutdown of kyverno controller") -} - -func init() { - flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"") - flag.IntVar(&webhookTimeout, "webhooktimeout", 3, "timeout for webhook configurations") - flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.") - flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.") - flag.StringVar(&runValidationInMutatingWebhook, "runValidationInMutatingWebhook", "", "Validation will also be done using the mutation webhook, set to 'true' to enable. Older kubernetes versions do not work properly when a validation webhook is registered.") - - // Generate CSR with CN as FQDN due to https://github.com/nirmata/kyverno/issues/542 - flag.BoolVar(&fqdncn, "fqdn-as-cn", false, "use FQDN as Common Name in CSR") - config.LogDefaultFlags() - flag.Parse() + setupLog.Info("Kyverno shutdown successful") } diff --git a/definitions/crds/crds.yaml b/definitions/crds/crds.yaml new file mode 100644 index 0000000000..f48642d951 --- /dev/null +++ b/definitions/crds/crds.yaml @@ -0,0 +1,470 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Cluster + names: + kind: ClusterPolicy + plural: clusterpolicies + singular: clusterpolicy + shortNames: + - cpol + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + status: {} + spec: + required: + - rules + properties: + # default values to be handled by user + validationFailureAction: + type: string + enum: + - enforce # blocks the resorce api-reques if a rule fails. + - audit # allows resource creation and reports the failed validation rules as violations. Default + background: + type: boolean + rules: + type: array + items: + type: object + required: + - name + - match + properties: + name: + type: string + match: + type: object + required: + - resources + properties: + roles: + type: array + items: + type: string + clusterRoles: + type: array + items: + type: string + subjects: + type: array + items: + type: object + required: + - kind + - name + properties: + kind: + type: string + apiGroup: + type: string + name: + type: string + namespace: + type: string + resources: + type: object + minProperties: 1 + properties: + kinds: + type: array + items: + type: string + name: + type: string + namespaces: + type: array + items: + type: string + selector: + properties: + matchLabels: + type: object + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + exclude: + type: object + properties: + roles: + type: array + items: + type: string + clusterRoles: + type: array + items: + type: string + subjects: + type: array + items: + type: object + required: + - kind + - name + properties: + kind: + type: string + apiGroup: + type: string + name: + type: string + namespace: + type: string + resources: + type: object + properties: + kinds: + type: array + items: + type: string + name: + type: string + namespaces: + type: array + items: + type: string + selector: + properties: + matchLabels: + type: object + additionalProperties: + type: string + matchExpressions: + type: array + items: + type: object + required: + - key + - operator + properties: + key: + type: string + operator: + type: string + values: + type: array + items: + type: string + preconditions: + type: array + items: + type: object + required: + - key # can be of any type + - operator # typed + - value # can be of any type + mutate: + type: object + properties: + overlay: + AnyValue: {} + patches: + type: array + items: + type: object + required: + - path + - op + properties: + path: + type: string + op: + type: string + enum: + - add + - replace + - remove + value: + AnyValue: {} + validate: + type: object + properties: + message: + type: string + pattern: + AnyValue: {} + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + type: array + items: + type: object + required: + - key # can be of any type + - operator # typed + - value # can be of any type + properties: + operator: + type: string + enum: + - Equal + - Equals + - NotEqual + - NotEquals + key: + type: string + value: + type: string + generate: + type: object + required: + - kind + - name + properties: + kind: + type: string + name: + type: string + namespace: + type: string + synchronize: + type: boolean + clone: + type: object + required: + - namespace + - name + properties: + namespace: + type: string + name: + type: string + data: + AnyValue: {} +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterpolicyviolations.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Cluster + names: + kind: ClusterPolicyViolation + plural: clusterpolicyviolations + singular: clusterpolicyviolation + shortNames: + - cpolv + subresources: + status: {} + additionalPrinterColumns: + - name: Policy + type: string + description: The policy that resulted in the violation + JSONPath: .spec.policy + - name: ResourceKind + type: string + description: The resource kind that cause the violation + JSONPath: .spec.resource.kind + - name: ResourceName + type: string + description: The resource name that caused the violation + JSONPath: .spec.resource.name + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + validation: + openAPIV3Schema: + properties: + spec: + required: + - policy + - resource + - rules + properties: + policy: + type: string + resource: + type: object + required: + - kind + - name + properties: + kind: + type: string + name: + type: string + rules: + type: array + items: + type: object + required: + - name + - type + - message + properties: + name: + type: string + type: + type: string + message: + type: string +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: policyviolations.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Namespaced + names: + kind: PolicyViolation + plural: policyviolations + singular: policyviolation + shortNames: + - polv + subresources: + status: {} + additionalPrinterColumns: + - name: Policy + type: string + description: The policy that resulted in the violation + JSONPath: .spec.policy + - name: ResourceKind + type: string + description: The resource kind that cause the violation + JSONPath: .spec.resource.kind + - name: ResourceName + type: string + description: The resource name that caused the violation + JSONPath: .spec.resource.name + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + validation: + openAPIV3Schema: + properties: + spec: + required: + - policy + - resource + - rules + properties: + policy: + type: string + resource: + type: object + required: + - kind + - name + properties: + kind: + type: string + name: + type: string + rules: + type: array + items: + type: object + required: + - name + - type + - message + properties: + name: + type: string + type: + type: string + message: + type: string +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: generaterequests.kyverno.io +spec: + group: kyverno.io + versions: + - name: v1 + served: true + storage: true + scope: Namespaced + names: + kind: GenerateRequest + plural: generaterequests + singular: generaterequest + shortNames: + - gr + subresources: + status: {} + additionalPrinterColumns: + - name: Policy + type: string + description: The policy that resulted in the violation + JSONPath: .spec.policy + - name: ResourceKind + type: string + description: The resource kind that cause the violation + JSONPath: .spec.resource.kind + - name: ResourceName + type: string + description: The resource name that caused the violation + JSONPath: .spec.resource.name + - name: ResourceNamespace + type: string + description: The resource namespace that caused the violation + JSONPath: .spec.resource.namespace + - name: status + type : string + description: Current state of generate request + JSONPath: .status.state + - name: Age + type: date + JSONPath: .metadata.creationTimestamp + validation: + openAPIV3Schema: + properties: + spec: + required: + - policy + - resource + properties: + policy: + type: string + resource: + type: object + required: + - kind + - name + properties: + kind: + type: string + name: + type: string + namespace: + type: string \ No newline at end of file diff --git a/definitions/crds/kustomization.yaml b/definitions/crds/kustomization.yaml new file mode 100644 index 0000000000..8adb7f06ef --- /dev/null +++ b/definitions/crds/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./crds.yaml \ No newline at end of file diff --git a/definitions/debug/kustomization.yaml b/definitions/debug/kustomization.yaml new file mode 100644 index 0000000000..504d3a843d --- /dev/null +++ b/definitions/debug/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../crds/ +- ../rbac/ \ No newline at end of file diff --git a/definitions/install.yaml b/definitions/install.yaml index be688d3d97..f36fb837e5 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -1,467 +1,477 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicy plural: clusterpolicies - singular: clusterpolicy shortNames: - cpol + singular: clusterpolicy + scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: - required: - - rules properties: - # default values to be handled by user - validationFailureAction: - type: string - enum: - - enforce # blocks the resorce api-reques if a rule fails. - - audit # allows resource creation and reports the failed validation rules as violations. Default background: type: boolean rules: - type: array items: - type: object - required: - - name - - match properties: - name: - type: string - match: - type: object - required: - - resources - properties: - roles: - type: array - items: - type: string - clusterRoles: - type: array - items: - type: string - subjects: - type: array - items: - type: object - required: - - kind - - name - properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - Namespace: - type: string - resources: - type: object - minProperties: 1 - properties: - kinds: - type: array - items: - type: string - name: - type: string - namespaces: - type: array - items: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string exclude: - type: object - required: - - resources properties: - roles: - type: array - items: - type: string clusterRoles: - type: array items: type: string - subjects: type: array - items: - type: object - required: - - kind - - name - properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - Namespace: - type: string resources: - type: object properties: kinds: - type: array items: type: string + type: array name: type: string namespaces: - type: array items: type: string + type: array selector: properties: - matchLabels: - type: object - additionalProperties: - type: string matchExpressions: - type: array items: - type: object - required: - - key - - operator properties: key: type: string operator: type: string values: - type: array items: type: string - preconditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - mutate: - type: object - properties: - overlay: - AnyValue: {} - patches: - type: array + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: items: - type: object - required: - - path - - op properties: - path: + apiGroup: type: string - op: + kind: type: string - enum: - - add - - replace - - remove - value: - AnyValue: {} - validate: + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array type: object - properties: - message: - type: string - pattern: - AnyValue: {} - anyPattern: - AnyValue: {} generate: - type: object - required: - - kind - - name properties: + clone: + properties: + name: + type: string + namespace: + type: string + required: + - namespace + - name + type: object + data: + AnyValue: {} kind: type: string name: type: string - clone: - type: object - required: - - namespace - - name + namespace: + type: string + synchronize: + type: boolean + required: + - kind + - name + type: object + match: + properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 properties: - namespace: - type: string + kinds: + items: + type: string + type: array name: type: string - data: + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + type: string + value: + type: string + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicyViolation plural: clusterpolicyviolations - singular: clusterpolicyviolation shortNames: - cpolv + singular: clusterpolicyviolation + scope: Cluster subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource - - rules properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string name: type: string + required: + - kind + - name + type: object rules: - type: array items: - type: object - required: - - name - - type - - message properties: + message: + type: string name: type: string type: type: string - message: - type: string ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: policyviolations.kyverno.io -spec: - group: kyverno.io + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules versions: - - name: v1 - served: true - storage: true - scope: Namespaced - names: - kind: PolicyViolation - plural: policyviolations - singular: policyviolation - shortNames: - - polv - subresources: - status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - validation: - openAPIV3Schema: - properties: - spec: - required: - - policy - - resource - - rules - properties: - policy: - type: string - resource: - type: object - required: - - kind - - name - properties: - kind: - type: string - name: - type: string - rules: - type: array - items: - type: object - required: - - name - - type - - message - properties: - name: - type: string - type: - type: string - message: - type: string + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .spec.resource.namespace + description: The resource namespace that caused the violation + name: ResourceNamespace + type: string + - JSONPath: .status.state + description: Current state of generate request + name: status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Namespaced names: kind: GenerateRequest plural: generaterequests - singular: generaterequest shortNames: - gr + singular: generaterequest + scope: Namespaced subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: ResourceNamespace - type: string - description: The resource namespace that caused the violation - JSONPath: .spec.resource.namespace - - name: status - type : string - description: Current state of generate request - JSONPath: .status.state - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string - name: + name: type: string namespace: - type: string + type: string + required: + - kind + - name + type: object + required: + - policy + - resource + versions: + - name: v1 + served: true + storage: true --- -kind: Namespace -apiVersion: v1 -metadata: - name: "kyverno" ---- -apiVersion: v1 -kind: Service +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition metadata: - namespace: kyverno - name: kyverno-svc - labels: - app: kyverno + name: policyviolations.kyverno.io spec: - ports: - - port: 443 - targetPort: 443 - selector: - app: kyverno + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: PolicyViolation + plural: policyviolations + shortNames: + - polv + singular: policyviolation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true --- apiVersion: v1 kind: ServiceAccount @@ -469,125 +479,11 @@ metadata: name: kyverno-service-account namespace: kyverno --- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: kyverno:policyviolations -rules: -- apiGroups: ["kyverno.io"] - resources: - - policyviolations - verbs: ["get", "list", "watch"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:webhook -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:userinfo -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:userinfo -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:customresources -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:customresources -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:policycontroller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:policycontroller -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: kyverno:generatecontroller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: kyverno:generatecontroller -subjects: -- kind: ServiceAccount - name: kyverno-service-account - namespace: kyverno ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:webhook -rules: -# Dynamic creation of webhooks, events & certs -- apiGroups: - - '*' - resources: - - events - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - - certificatesigningrequests - - certificatesigningrequests/approval - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:userinfo -rules: -# get the roleRef for incoming api-request user -- apiGroups: - - "*" - resources: - - rolebindings - - clusterrolebindings - - configmaps - verbs: - - watch ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:customresources rules: -# Kyverno CRs - apiGroups: - '*' resources: @@ -602,34 +498,19 @@ rules: verbs: - create - delete - - get - - list + - get + - list - patch - update - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: kyverno:policycontroller -rules: -# background processing, identify all existing resources -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kyverno:generatecontroller rules: -# process generate rules to generate resources - apiGroups: - - "*" + - '*' resources: - namespaces - networkpolicies @@ -645,8 +526,6 @@ rules: - update - delete - get -# dynamic watches on trigger resources for generate rules -# re-evaluate the policy if the resource is updated - apiGroups: - '*' resources: @@ -654,45 +533,267 @@ rules: verbs: - watch --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: +- apiGroups: + - '*' + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:webhook +rules: +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - signers + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:view-clusterpolicyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - clusterpolicyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: kyverno:view-policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- apiVersion: v1 +data: + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno -data: - # resource types to be skipped by kyverno policy engine - resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: kyverno + name: kyverno-svc + namespace: kyverno +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kyverno --- apiVersion: apps/v1 kind: Deployment metadata: - namespace: kyverno - name: kyverno labels: app: kyverno + name: kyverno + namespace: kyverno spec: + replicas: 1 selector: matchLabels: app: kyverno - replicas: 1 template: metadata: labels: app: kyverno spec: - serviceAccountName: kyverno-service-account - initContainers: - - name: kyverno-pre - image: nirmata/kyvernopre:v1.1.4-rc1 containers: - - name: kyverno - image: nirmata/kyverno:v1.1.4-rc1 - args: - - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" - # customize webhook timout - # - "--webhooktimeout=4" - ports: - - containerPort: 443 - env: - - name: INIT_CONFIG - value: init-config \ No newline at end of file + - args: + - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] + - -v=2 + env: + - name: INIT_CONFIG + value: init-config + image: nirmata/kyverno:v1.1.6 + imagePullPolicy: Always + livenessProbe: + failureThreshold: 4 + httpGet: + path: /health/liveness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: kyverno + ports: + - containerPort: 443 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /health/readiness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + limits: + memory: 128Mi + requests: + cpu: 100m + memory: 50Mi + initContainers: + - image: nirmata/kyvernopre:v1.1.6 + name: kyverno-pre + serviceAccountName: kyverno-service-account diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index efc62b5a44..3c1a111f18 100644 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -1,454 +1,739 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kyverno +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicies.kyverno.io spec: group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicy plural: clusterpolicies - singular: clusterpolicy shortNames: - cpol + singular: clusterpolicy + scope: Cluster subresources: status: {} validation: openAPIV3Schema: properties: spec: - required: - - rules properties: - # default values to be handled by user - validationFailureAction: - type: string - enum: - - enforce # blocks the resorce api-reques if a rule fails. - - audit # allows resource creation and reports the failed validation rules as violations. Default background: type: boolean rules: - type: array items: - type: object - required: - - name - - match properties: - name: - type: string - match: - type: object - required: - - resources + exclude: properties: - roles: - type: array - items: - type: string clusterRoles: - type: array items: type: string - subjects: type: array - items: - type: object - required: - - kind - - name - properties: - kind: + resources: + properties: + kinds: + items: type: string + type: array + name: + type: string + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: apiGroup: type: string + kind: + type: string name: type: string namespace: type: string - resources: - type: object - minProperties: 1 - properties: - kinds: - type: array - items: - type: string - name: - type: string - namespaces: - type: array - items: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - exclude: - type: object - required: - - resources - properties: - roles: - type: array - items: - type: string - clusterRoles: - type: array - items: - type: string - subjects: - type: array - items: - type: object required: - kind - name - properties: - kind: - type: string - apiGroup: - type: string - name: - type: string - Namespace: - type: string - resources: - type: object + type: object + type: array + type: object + generate: + properties: + clone: properties: - kinds: - type: array - items: - type: string name: type: string - namespaces: - type: array - items: - type: string - selector: - properties: - matchLabels: - type: object - additionalProperties: - type: string - matchExpressions: - type: array - items: - type: object - required: - - key - - operator - properties: - key: - type: string - operator: - type: string - values: - type: array - items: - type: string - preconditions: - type: array - items: - type: object - required: - - key # can be of any type - - operator # typed - - value # can be of any type - mutate: - type: object - properties: - overlay: + namespace: + type: string + required: + - namespace + - name + type: object + data: AnyValue: {} - patches: - type: array - items: - type: object - required: - - path - - op - properties: - path: - type: string - op: - type: string - enum: - - add - - replace - - remove - value: - AnyValue: {} - validate: - type: object - properties: - message: - type: string - pattern: - AnyValue: {} - anyPattern: - AnyValue: {} - generate: - type: object - required: - - kind - - name - properties: kind: type: string name: type: string - clone: - type: object - required: - - namespace - - name + namespace: + type: string + synchronize: + type: boolean + required: + - kind + - name + type: object + match: + properties: + clusterRoles: + items: + type: string + type: array + resources: + minProperties: 1 properties: - namespace: - type: string + kinds: + items: + type: string + type: array name: type: string - data: + namespaces: + items: + type: string + type: array + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + roles: + items: + type: string + type: array + subjects: + items: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + type: array + required: + - resources + type: object + mutate: + properties: + overlay: AnyValue: {} + patches: + items: + properties: + op: + enum: + - add + - replace + - remove + type: string + path: + type: string + value: + AnyValue: {} + required: + - path + - op + type: object + type: array + type: object + name: + type: string + preconditions: + items: + required: + - key + - operator + - value + type: object + type: array + validate: + properties: + anyPattern: + AnyValue: {} + deny: + properties: + conditions: + items: + properties: + key: + type: string + operator: + enum: + - Equal + - Equals + - NotEqual + - NotEquals + type: string + value: + type: string + required: + - key + - operator + - value + type: object + type: array + message: + type: string + pattern: + AnyValue: {} + type: object + required: + - name + - match + type: object + type: array + validationFailureAction: + enum: + - enforce + - audit + type: string + required: + - rules + status: {} + versions: + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: clusterpolicyviolations.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Cluster names: kind: ClusterPolicyViolation plural: clusterpolicyviolations - singular: clusterpolicyviolation shortNames: - cpolv + singular: clusterpolicyviolation + scope: Cluster subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource - - rules properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string name: type: string + required: + - kind + - name + type: object rules: - type: array items: - type: object - required: - - name - - type - - message properties: + message: + type: string name: type: string type: type: string - message: - type: string ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: policyviolations.kyverno.io -spec: - group: kyverno.io + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules versions: - - name: v1 - served: true - storage: true - scope: Namespaced - names: - kind: PolicyViolation - plural: policyviolations - singular: policyviolation - shortNames: - - polv - subresources: - status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - validation: - openAPIV3Schema: - properties: - spec: - required: - - policy - - resource - - rules - properties: - policy: - type: string - resource: - type: object - required: - - kind - - name - properties: - kind: - type: string - name: - type: string - rules: - type: array - items: - type: object - required: - - name - - type - - message - properties: - name: - type: string - type: - type: string - message: - type: string + - name: v1 + served: true + storage: true --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: name: generaterequests.kyverno.io spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .spec.resource.namespace + description: The resource namespace that caused the violation + name: ResourceNamespace + type: string + - JSONPath: .status.state + description: Current state of generate request + name: status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date group: kyverno.io - versions: - - name: v1 - served: true - storage: true - scope: Namespaced names: kind: GenerateRequest plural: generaterequests - singular: generaterequest shortNames: - gr + singular: generaterequest + scope: Namespaced subresources: status: {} - additionalPrinterColumns: - - name: Policy - type: string - description: The policy that resulted in the violation - JSONPath: .spec.policy - - name: ResourceKind - type: string - description: The resource kind that cause the violation - JSONPath: .spec.resource.kind - - name: ResourceName - type: string - description: The resource name that caused the violation - JSONPath: .spec.resource.name - - name: ResourceNamespace - type: string - description: The resource namespace that caused the violation - JSONPath: .spec.resource.namespace - - name: status - type: string - description: Current state of generate request - JSONPath: .status.state - - name: Age - type: date - JSONPath: .metadata.creationTimestamp validation: openAPIV3Schema: properties: spec: - required: - - policy - - resource properties: policy: type: string resource: - type: object - required: - - kind - - name properties: kind: type: string - name: + name: type: string namespace: - type: string ---- + type: string + required: + - kind + - name + type: object + required: + - policy + - resource + versions: + - name: v1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: policyviolations.kyverno.io +spec: + additionalPrinterColumns: + - JSONPath: .spec.policy + description: The policy that resulted in the violation + name: Policy + type: string + - JSONPath: .spec.resource.kind + description: The resource kind that cause the violation + name: ResourceKind + type: string + - JSONPath: .spec.resource.name + description: The resource name that caused the violation + name: ResourceName + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kyverno.io + names: + kind: PolicyViolation + plural: policyviolations + shortNames: + - polv + singular: policyviolation + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + policy: + type: string + resource: + properties: + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + rules: + items: + properties: + message: + type: string + name: + type: string + type: + type: string + required: + - name + - type + - message + type: object + type: array + required: + - policy + - resource + - rules + versions: + - name: v1 + served: true + storage: true +--- apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:customresources +rules: +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status + - policyviolations + - policyviolations/status + - generaterequests + - generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:generatecontroller +rules: +- apiGroups: + - '*' + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - create + - update + - delete + - get +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: +- apiGroups: + - '*' + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:webhook +rules: +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resourceNames: + - kubernetes.io/legacy-unknown + resources: + - signers + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + name: kyverno:view-clusterpolicyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - clusterpolicyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: kyverno:view-policyviolations +rules: +- apiGroups: + - kyverno.io + resources: + - policyviolations + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: v1 +data: + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' kind: ConfigMap metadata: name: init-config namespace: kyverno -data: - # resource types to be skipped by kyverno policy engine - resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: kyverno + name: kyverno-svc + namespace: kyverno +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kyverno diff --git a/definitions/kustomization.yaml b/definitions/kustomization.yaml new file mode 100644 index 0000000000..fd5415e6ba --- /dev/null +++ b/definitions/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./crds/ +- ./manifest/ +- ./rbac/ \ No newline at end of file diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml new file mode 100644 index 0000000000..1a197e0d3d --- /dev/null +++ b/definitions/manifest/deployment.yaml @@ -0,0 +1,64 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: kyverno + name: kyverno + labels: + app: kyverno +spec: + selector: + matchLabels: + app: kyverno + replicas: 1 + template: + metadata: + labels: + app: kyverno + spec: + serviceAccountName: kyverno-service-account + initContainers: + - name: kyverno-pre + image: nirmata/kyvernopre:v1.1.6 + containers: + - name: kyverno + image: nirmata/kyverno:v1.1.6 + imagePullPolicy: Always + args: + - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" + # customize webhook timeout + #- "--webhooktimeout=4" + # enable profiling + # - "--profile" + - "-v=2" + ports: + - containerPort: 443 + env: + - name: INIT_CONFIG + value: init-config + resources: + requests: + memory: "50Mi" + cpu: "100m" + limits: + memory: "128Mi" + livenessProbe: + httpGet: + path: /health/liveness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 4 + successThreshold: 1 + readinessProbe: + httpGet: + path: /health/readiness + port: 443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 4 + successThreshold: 1 diff --git a/definitions/manifest/kustomization.yaml b/definitions/manifest/kustomization.yaml new file mode 100644 index 0000000000..5fbc8ecbb3 --- /dev/null +++ b/definitions/manifest/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./deployment.yaml \ No newline at end of file diff --git a/definitions/rbac/kustomization.yaml b/definitions/rbac/kustomization.yaml new file mode 100644 index 0000000000..dbe45efc6e --- /dev/null +++ b/definitions/rbac/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ./rbac.yaml \ No newline at end of file diff --git a/definitions/rbac/rbac.yaml b/definitions/rbac/rbac.yaml new file mode 100644 index 0000000000..f6cb27d727 --- /dev/null +++ b/definitions/rbac/rbac.yaml @@ -0,0 +1,266 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: "kyverno" +--- +apiVersion: v1 +kind: Service +metadata: + namespace: kyverno + name: kyverno-svc + labels: + app: kyverno +spec: + ports: + - port: 443 + targetPort: 443 + selector: + app: kyverno +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:policyviolations +rules: +- apiGroups: ["kyverno.io"] + resources: + - policyviolations + verbs: ["get", "list", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:webhook +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:userinfo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:userinfo +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:customresources +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:customresources +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:policycontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:policycontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kyverno:generatecontroller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kyverno:generatecontroller +subjects: +- kind: ServiceAccount + name: kyverno-service-account + namespace: kyverno +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:webhook +rules: +# Dynamic creation of webhooks, events & certs +- apiGroups: + - '*' + resources: + - events + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + - certificatesigningrequests + - certificatesigningrequests/approval + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - certificatesigningrequests + - certificatesigningrequests/approval + - certificatesigningrequests/status + resourceNames: + - kubernetes.io/legacy-unknown + verbs: + - create + - delete + - get + - update + - watch +- apiGroups: + - certificates.k8s.io + resources: + - signers + resourceNames: + - kubernetes.io/legacy-unknown + verbs: + - approve +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:userinfo +rules: +# get the roleRef for incoming api-request user +- apiGroups: + - "*" + resources: + - rolebindings + - clusterrolebindings + - configmaps + verbs: + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:customresources +rules: +# Kyverno CRs +- apiGroups: + - '*' + resources: + - clusterpolicies + - clusterpolicies/status + - clusterpolicyviolations + - clusterpolicyviolations/status + - policyviolations + - policyviolations/status + - generaterequests + - generaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:policycontroller +rules: +# background processing, identify all existing resources +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:generatecontroller +rules: +# process generate rules to generate resources +- apiGroups: + - "*" + resources: + - namespaces + - networkpolicies + - secrets + - configmaps + - resourcequotas + - limitranges + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - create + - update + - delete + - get +# dynamic watches on trigger resources for generate rules +# re-evaluate the policy if the resource is updated +- apiGroups: + - '*' + resources: + - namespaces + verbs: + - watch +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: init-config + namespace: kyverno +data: + # resource types to be skipped by kyverno policy engine + resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:view-policyviolations + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: ["kyverno.io"] + resources: + - policyviolations + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: kyverno:view-clusterpolicyviolations + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: ["kyverno.io"] + resources: + - clusterpolicyviolations + verbs: ["get", "list", "watch"] \ No newline at end of file diff --git a/documentation/installation.md b/documentation/installation.md index 0bac6466b5..343283e56d 100644 --- a/documentation/installation.md +++ b/documentation/installation.md @@ -2,11 +2,32 @@ # Installation +You can install Kyverno using the Helm chart or YAML files in this repository. + +## Install Kyverno using Helm + +```sh + +## Add the nirmata Helm repository +helm repo add kyverno https://nirmata.github.io/kyverno/ + +## Create the Kyverno namespace +kubectl create ns kyverno + +## Install the kyverno helm chart +helm install kyverno --namespace kyverno kyverno/kyverno + +``` + +Note: the namespace must be `kyverno`. See issue #841. + +## Install Kyverno using YAMLs + The Kyverno policy engine runs as an admission webhook and requires a CA-signed certificate and key to setup secure TLS communication with the kube-apiserver (the CA can be self-signed). -There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver: +There are 2 ways to configure the secure communications link between Kyverno and the kube-apiserver. -## Option 1: Use kube-controller-manager to generate a CA-signed certificate +### Option 1: Use kube-controller-manager to generate a CA-signed certificate Kyverno can request a CA signed certificate-key pair from `kube-controller-manager`. This method requires that the kube-controller-manager is configured to act as a certificate signer. To verify that this option is enabled for your cluster, check the command-line args for the kube-controller-manager. If `--cluster-signing-cert-file` and `--cluster-signing-key-file` are passed to the controller manager with paths to your CA's key-pair, then you can proceed to install Kyverno using this method. @@ -14,15 +35,15 @@ Kyverno can request a CA signed certificate-key pair from `kube-controller-manag To install Kyverno in a cluster that supports certificate signing, run the following command on a host with kubectl `cluster-admin` access: -````sh -kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml -```` - -Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the `install.yaml` and update the image tag. +Note that the above command will install the last released (stable) version of Kyverno. If you want to install the latest version, you can edit the [install.yaml] and update the image tag. To check the Kyverno controller status, run the command: -````sh +```sh +## Install Kyverno +kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml + +## Check pod status kubectl get pods -n kyverno ```` @@ -36,11 +57,11 @@ kubectl describe pod -n kyverno kubectl logs -n kyverno ```` -## Option 2: Use your own CA-signed certificate +### Option 2: Use your own CA-signed certificate You can install your own CA-signed certificate, or generate a self-signed CA and use it to sign a certifcate. Once you have a CA and X.509 certificate-key pair, you can install these as Kubernetes secrets in your cluster. If Kyverno finds these secrets, it uses them. Otherwise it will request the kube-controller-manager to generate a certificate (see Option 1 above). -### 1. Generate a self-signed CA and signed certificate-key pair +#### 1. Generate a self-signed CA and signed certificate-key pair **Note: using a separate self-signed root CA is difficult to manage and not recommeded for production use.** @@ -61,7 +82,7 @@ Among the files that will be generated, you can use the following files to creat - webhooks.crt - webhooks.key -### 2. Configure secrets for the CA and TLS certificate-key pair +#### 2. Configure secrets for the CA and TLS certificate-key pair To create the required secrets, use the following commands (do not change the secret names): @@ -81,7 +102,7 @@ Secret | Data | Content Kyverno uses secrets created above to setup TLS communication with the kube-apiserver and specify the CA bundle to be used to validate the webhook server's certificate in the admission webhook configurations. -### 3. Configure Kyverno Role +#### 3. Configure Kyverno Role Kyverno, in `foreground` mode, leverages admission webhooks to manage incoming api-requests, and `background` mode applies the policies on existing resources. It uses ServiceAccount `kyverno-service-account`, which is bound to multiple ClusterRole, which defines the default resources and operations that are permitted. ClusterRoles used by kyverno: @@ -131,9 +152,9 @@ subjects: namespace: kyverno ``` -### 4. Install Kyverno +#### 4. Install Kyverno -To install a specific version, change the image tag with git tag in `install.yaml`. +To install a specific version, download [install.yaml] and then change the image tag. e.g., change image tag from `latest` to the specific tag `v1.0.0`. >>> @@ -141,10 +162,10 @@ e.g., change image tag from `latest` to the specific tag `v1.0.0`. containers: - name: kyverno # image: nirmata/kyverno:latest - image: nirmata/kyverno:v0.3.0 + image: nirmata/kyverno:v1.0.0 ````sh -kubectl create -f https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml +kubectl create -f ./install.yaml ```` To check the Kyverno controller status, run the command: @@ -166,9 +187,10 @@ kubectl logs -n kyverno Here is a script that generates a self-signed CA, a TLS certificate-key pair, and the corresponding kubernetes secrets: [helper script](/scripts/generate-self-signed-cert-and-k8secrets.sh) + # Configure a namespace admin to access policy violations -During Kyverno installation, it creates a ClusterRole `kyverno:policyviolations` which has the `list,get,watch` operation on resource `policyviolations`. To grant access to a namespace admin, configure the following YAML file then apply to the cluster. +During Kyverno installation, it creates a ClusterRole `kyverno:policyviolations` which has the `list,get,watch` operations on resource `policyviolations`. To grant access to a namespace admin, configure the following YAML file then apply to the cluster. - Replace `metadata.namespace` with namespace of the admin - Configure `subjects` field to bind admin's role to the ClusterRole `policyviolation` @@ -200,16 +222,16 @@ subjects: To build Kyverno in a development environment see: https://github.com/nirmata/kyverno/wiki/Building -To run controller in this mode you should prepare TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address. +To run controller in this mode you should prepare a TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address. -1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=`, where is the IP address of the host where controller runs. This scripts will generate TLS certificate for debug webhook server and register this webhook in the cluster. Also it registers CustomResource Policy. +1. Run `sudo scripts/deploy-controller-debug.sh --service=localhost --serverIP=`, where is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. It also registers a CustomResource policy. -2. Start the controller using the following command: `sudo kyverno --kubeconfig=~/.kube/config --serverIP=` +2. Start the controller using the following command: `sudo go run ./cmd/kyverno/main.go --kubeconfig=~/.kube/config --serverIP=` -# Filter kuberenetes resources that admission webhook should not process -The admission webhook checks if a policy is applicable on all admission requests. The kubernetes kinds that are not be processed can be filtered by adding the configmap named `init-config` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters` +# Filter Kubernetes resources that admission webhook should not process +The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that are not be processed can be filtered by adding a `ConfigMap` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`. The default name of this `ConfigMap` is `init-config` but can be changed by modifying the value of the environment variable `INIT_CONFIG` in the kyverno deployment dpec. `data.resourceFilters` must be a sequence of one or more `[,,]` entries with `*` as wildcard. Thus, an item `[Node,*,*]` means that admissions of `Node` in any namespace and with any name will be ignored. -THe confimap is picked from the envenvironment variable `INIT_CONFIG` passed to the kyverno deployment spec. The resourceFilters configuration can be updated dynamically at runtime. +By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configuration [install.yaml]. ``` apiVersion: v1 @@ -222,9 +244,10 @@ data: resourceFilters: "[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" ``` -By default we have specified Nodes, Events, APIService & SubjectAccessReview as the kinds to be skipped in the default configmap -[install.yaml](https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml). +To modify the `ConfigMap`, either directly edit the `ConfigMap` `init-config` in the default configuration [install.yaml] and redeploy it or modify the `ConfigMap` use `kubectl`. Changes to the `ConfigMap` through `kubectl` will automatically be picked up at runtime. --- *Read Next >> [Writing Policies](/documentation/writing-policies.md)* + +[install.yaml]: https://github.com/nirmata/kyverno/raw/master/definitions/install.yaml diff --git a/documentation/kyverno-cli.md b/documentation/kyverno-cli.md index 6901de2384..85ff9d3b7f 100644 --- a/documentation/kyverno-cli.md +++ b/documentation/kyverno-cli.md @@ -1,10 +1,13 @@ -*[documentation](/README.md#documentation) / kyverno-cli* - +_[documentation](/README.md#documentation) / kyverno-cli_ # Kyverno CLI The Kyverno Command Line Interface (CLI) is designed to validate policies and test the behavior of applying policies to resources before adding the policy to a cluster. It can be used as a kubectl plugin and as a standalone CLI. +## Install the CLI + +The Kyverno CLI binary is distributed with each release. You can install the CLI for your platform from the [releases](https://github.com/nirmata/kyverno/releases) site. + ## Build the CLI You can build the CLI binary locally, then move the binary into a directory in your PATH. @@ -16,45 +19,75 @@ make cli mv ./cmd/cli/kubectl-kyverno/kyverno /usr/local/bin/kyverno ``` +You can also use curl to install kyverno-cli + +```bash +curl -L https://raw.githubusercontent.com/nirmata/kyverno/master/scripts/install-cli.sh | bash +``` + +## Install via AUR (archlinux) + +You can install the kyverno cli via your favourite AUR helper (e.g. [yay](https://github.com/Jguer/yay)) + +``` +yay -S kyverno-git +``` + ## Commands #### Version Prints the version of kyverno used by the CLI. -Example: +Example: + ``` kyverno version ``` #### Validate -Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description -files. Currently supports files with resource description in yaml. + +Validates a policy, can validate multiple policy resource description files or even an entire folder containing policy resource description +files. Currently supports files with resource description in YAML. Example: + ``` kyverno validate /path/to/policy1.yaml /path/to/policy2.yaml /path/to/folderFullOfPolicies ``` #### Apply + Applies policies on resources, and supports applying multiple policies on multiple resources in a single command. Also supports applying the given policies to an entire cluster. The current kubectl context will be used to access the cluster. - Will return results to stdout. +Will return results to stdout. Apply to a resource: -``` + +```bash kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml ``` Apply to all matching resources in a cluster: -``` + +```bash kyverno apply /path/to/policy.yaml --cluster > policy-results.txt ``` Apply multiple policies to multiple resources: -``` + +```bash kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --cluster ``` +##### Exit Codes -*Read Next >> [Sample Policies](/samples/README.md)* +The CLI exits with diffenent exit codes: + +| Message | Exit Code | +| ------------------------------------- | --------- | +| executes successfully | 0 | +| one or more policy rules are violated | 1 | +| policy validation failed | 2 | + +_Read Next >> [Sample Policies](/samples/README.md)_ diff --git a/documentation/testing-policies.md b/documentation/testing-policies.md index 9c46e18f53..e97ee2ea64 100644 --- a/documentation/testing-policies.md +++ b/documentation/testing-policies.md @@ -3,23 +3,23 @@ # Testing Policies -The resources definitions for testing are located in [/test](/test) directory. Each test contains a pair of files: one is the resource definition, and the second is the kyverno policy for this definition. +The resources definitions for testing are located in the [test](/test) directory. Each test contains a pair of files: one is the resource definition, and the second is the Kyverno policy for this definition. ## Test using kubectl -To do this you should [install kyverno to the cluster](/documentation/installation.md). +To do this you should [install Kyverno to the cluster](installation.md). -For example, to test the simplest kyverno policy for ConfigMap, create the policy and then the resource itself via kubectl: +For example, to test the simplest Kyverno policy for `ConfigMap`, create the policy and then the resource itself via `kubectl`: ````bash -cd test/ConfigMap -kubectl create -f policy-CM.yaml -kubectl create -f CM.yaml +cd test +kubectl create -f policy/policy-CM.yaml +kubectl create -f resources/CM.yaml ```` -Then compare the original resource definition in CM.yaml with the actual one: +Then compare the original resource definition in `CM.yaml` with the actual one: ````bash -kubectl get -f CM.yaml -o yaml +kubectl get -f resources/CM.yaml -o yaml ```` ## Test using Kyverno CLI diff --git a/documentation/writing-policies-autogen.md b/documentation/writing-policies-autogen.md index 97a6c922c6..2688159602 100644 --- a/documentation/writing-policies-autogen.md +++ b/documentation/writing-policies-autogen.md @@ -2,7 +2,7 @@ # Auto Generating Rules for Pod Controllers -Writing policies on pods helps address all pod creation flows. However, when pod cotrollers are used pod level policies result in errors not being reported when the pod controller object is created. +Writing policies on pods helps address all pod creation flows. However, when pod controllers are used, pod level policies result in errors not being reported when the pod controller object is created. Kyverno solves this issue by supporting automatic generation of policy rules for pod controllers from a rule written for a pod. diff --git a/documentation/writing-policies-generate.md b/documentation/writing-policies-generate.md index e4dcda2b1e..b0218f95ea 100644 --- a/documentation/writing-policies-generate.md +++ b/documentation/writing-policies-generate.md @@ -1,12 +1,13 @@ *[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Generate Resources* -# Generate Resources +# Generating Resources The ```generate``` rule can used to create additional resources when a new resource is created. This is useful to create supporting resources, such as new role bindings for a new namespace. The `generate` rule supports `match` and `exclude` blocks, like other rules. Hence, the trigger for applying this rule can be the creation of any resource and its possible to match or exclude API requests based on subjects, roles, etc. -Currently, the generate rule only triggers during an API request and does not support [background processing](/documentation/writing-policies-background.md). Keeping resources synchhronized is planned for a future release (see https://github.com/nirmata/kyverno/issues/560). +Currently, the generate rule only triggers during an API request and does not support [background processing](/documentation/writing-policies-background.md). To keep resources synchronized across changes, you can use `synchronize : true`. Synchronize is disabled for the pre-existing generate policy that means User has to manually add `synchronize: true` for pre-existing generate policy + ## Example 1 @@ -26,6 +27,7 @@ spec: kind: ConfigMap # Kind of resource name: default-config # Name of the new Resource namespace: "{{request.object.metadata.name}}" # namespace that triggers this rule + synchronize : true clone: namespace: default name: config-template @@ -48,8 +50,8 @@ spec: ```` In this example new namespaces will receive 2 new resources after its creation: - * A ConfigMap cloned from default/config-template. - * A Secret with values DB_USER and DB_PASSWORD, and label ```purpose: mongo```. + * A `ConfigMap` cloned from `default/config-template`. + * A `Secret` with values `DB_USER` and `DB_PASSWORD`, and label `purpose: mongo`. ## Example 2 @@ -81,7 +83,7 @@ spec: policyname: "default" ```` -In this example new namespaces will receive a NetworkPolicy that default denies all inbound and outbound traffic. +In this example new namespaces will receive a `NetworkPolicy` that by default denies all inbound and outbound traffic. --- diff --git a/documentation/writing-policies-match-exclude.md b/documentation/writing-policies-match-exclude.md new file mode 100644 index 0000000000..674d38679e --- /dev/null +++ b/documentation/writing-policies-match-exclude.md @@ -0,0 +1,93 @@ +*[documentation](/README.md#documentation) / Writing Policies / Match & Exclude * + +# Match & Exclude + +The `match` and `exclude` filters control which resources policies are applied to. + +The match / exclude clauses have the same structure, and can each contain the following elements: +* resources: select resources by name, namespaces, kinds, and label selectors. +* subjects: select users, user groups, and service accounts +* roles: select namespaced roles +* clusterroles: select cluster wide roles + +At least one element must be specified in a `match` block. The `kind` attribute is optional, but if it's not specified the policy rule will only be applicable to metatdata that is common across all resources kinds. + +When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied. + +The following YAML provides an example for a match clause. + +````yaml +apiVersion : kyverno.io/v1 +kind : ClusterPolicy +metadata : + name : policy +spec : + # 'enforce' to block resource request if any rules fail + # 'audit' to allow resource request on failure of rules, but create policy violations to report them + validationFailureAction: enforce + # Each policy has a list of rules applied in declaration order + rules: + # Rules must have a unique name + - name: "check-pod-controller-labels" + # Each rule matches specific resource described by "match" field. + match: + resources: + kinds: # Required, list of kinds + - Deployment + - StatefulSet + name: "mongo*" # Optional, a resource name is optional. Name supports wildcards (* and ?) + namespaces: # Optional, list of namespaces. Supports wildcards (* and ?) + - "dev*" + - test + selector: # Optional, a resource selector is optional. Values support wildcards (* and ?) + matchLabels: + app: mongodb + matchExpressions: + - {key: tier, operator: In, values: [database]} + # Optional, subjects to be matched + subjects: + - kind: User + name: mary@somecorp.com + # Optional, roles to be matched + roles: + # Optional, clusterroles to be matched + clusterroles: cluster-admin + + ... + +```` + +All`match` and `exclude` element must be satisfied for the resource to be selected as a candidate for the policy rule. In other words, the match and exclude conditions are evaluated using a logical AND operation. + +Here is an example of a rule that matches all pods, excluding pods created by using the `cluster-admin` cluster role. + +````yaml +spec: + rules: + name: "match-pods-except-admin" + match: + resources: + kinds: + - Pod + exclude: + clusterroles: cluster-admin +```` + +This rule that matches all pods, excluding pods in the `kube-system` namespace. + +````yaml +spec: + rules: + name: "match-pods-except-admin" + match: + resources: + kinds: + - Pod + exclude: + namespaces: + - "kube-system" +```` + + +--- +*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)* diff --git a/documentation/writing-policies-mutate.md b/documentation/writing-policies-mutate.md index 19110511e3..13dcf429a9 100644 --- a/documentation/writing-policies-mutate.md +++ b/documentation/writing-policies-mutate.md @@ -1,10 +1,10 @@ *[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Mutate Resources* -# Mutate Resources +# Mutating Resources The ```mutate``` rule can be used to add, replace, or delete elements in matching resources. A mutate rule can be written as a JSON Patch or as an overlay. -By using a ```patch``` in the (JSONPatch - RFC 6902)[http://jsonpatch.com/] format, you can make precise changes to the resource being created. Using an ```overlay``` is convenient for describing the desired state of the resource. +By using a ```patch``` in the [JSONPatch - RFC 6902](http://jsonpatch.com/) format, you can make precise changes to the resource being created. Using an ```overlay``` is convenient for describing the desired state of the resource. Resource mutation occurs before validation, so the validation rules should not contradict the changes performed by the mutation section. @@ -20,38 +20,41 @@ A JSON Patch rule provides an alternate way to mutate resources. With Kyverno, the add and replace have the same behavior i.e. both operations will add or replace the target element. -This patch adds an init container to all deployments. +This patch policy adds, or replaces, entries in a `ConfigMap` with the name `config-game` in any namespace. ````yaml apiVersion : kyverno.io/v1 kind : ClusterPolicy metadata : - name : policy-v1 + name : policy-generate-cm spec : rules: - - name: "add-init-secrets" + - name: pCM1 match: resources: - kinds: - - Deployment + name: "config-game" + kinds : + - ConfigMap mutate: - overlay: - spec: - template: - spec: - initContainers: - - name: init-secrets - image: nirmata.io/kube-vault-client:v2 + patches: + - path: "/data/ship.properties" + op: add + value: | + type=starship + owner=utany.corp + - path : "/data/newKey1" + op : add + value : newValue1 ```` Here is the example of a patch that removes a label from the secret: ````yaml -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : policy-remove-label -spec : +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: policy-remove-label +spec: rules: - name: "Remove unwanted label" match: @@ -72,14 +75,14 @@ A mutation overlay describes the desired form of resource. The existing resource The overlay cannot be used to delete values in a resource: use **patches** for this purpose. -The following mutation overlay will add (or replace) the memory request and limit to 10Gi for every Pod with a label ```memory: high```: +The following mutation overlay will add (or replace) the memory request and limit to 10Gi for every Pod with a label `memory: high`: ````yaml -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : policy-change-memory-limit -spec : +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: policy-change-memory-limit +spec: rules: - name: "Set hard memory limit to 2Gi" match: @@ -117,7 +120,7 @@ spec: - name: "Add IP to subsets" match: resources: - kinds : + kinds: - Endpoints mutate: overlay: @@ -148,14 +151,14 @@ The **anchors** values support **wildcards**: A `conditional anchor` evaluates to `true` if the anchor tag exists and if the value matches the specified value. Processing stops if a tag does not exist or when the value does not match. Once processing stops, any child elements or any remaining siblings in a list, will not be processed. - For example, this overlay will add or replace the value 6443 for the port field, for all ports with a name value that starts with "secure": + For example, this overlay will add or replace the value `6443` for the `port` field, for all ports with a name value that starts with "secure": ````yaml apiVersion: kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : policy-set-port -spec : +kind: ClusterPolicy +metadata: + name: policy-set-port +spec: rules: - name: "Set port" match: @@ -174,7 +177,7 @@ If the anchor tag value is an object or array, the entire object or array must m ### Add if not present anchor -A variation of an anchor, is to add a field value if it is not already defined. This is done by using the `add anchor` (short for `add if not present anchor`) with the notation ````+(...)```` for the tag. +A variation of an anchor, is to add a field value if it is not already defined. This is done by using the `add anchor` (short for `add if not present anchor`) with the notation `+(...)` for the tag. An `add anchor` is processed as part of applying the mutation. Typically, every non-anchor tag-value is applied as part of the mutation. If the `add anchor` is set on a tag, the tag and value are only applied if they do not exist in the resource. diff --git a/documentation/writing-policies-validate.md b/documentation/writing-policies-validate.md index 6b628ed0bd..a4fb04fae7 100644 --- a/documentation/writing-policies-validate.md +++ b/documentation/writing-policies-validate.md @@ -1,9 +1,15 @@ *[documentation](/README.md#documentation) / [Writing Policies](/documentation/writing-policies.md) / Validate Resources* -# Validate Resources +# Validating Resources and Requests -A validation rule is expressed as an overlay pattern that expresses the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern: +A validation rule can be used to validate resources or to deny API requests based on other information. + +To validate resource data, define a [pattern](#patterns) in the validation rule. To deny certain API requests define a [deny](#deny-rules) element in the validation rule along a set of conditions that control when to allow or deny the request. + +## Patterns + +A validation rule that checks resource data is defined as an overlay pattern that provides the desired configuration. Resource configurations must match fields and expressions defined in the pattern to pass the validation rule. The following rules are followed when processing the overlay pattern: 1. Validation will fail if a field is defined in the pattern and if the field does not exist in the configuration. 2. Undefined fields are treated as wildcards. @@ -14,7 +20,6 @@ A validation rule is expressed as an overlay pattern that expresses the desired 7. The validation of siblings is performed only when one of the field values matches the value defined in the pattern. You can use the parenthesis operator to explictly specify a field value that must be matched. This allows writing rules like 'if fieldA equals X, then fieldB must equal Y'. 8. Validation of child values is only performed if the parent matches the pattern. -## Patterns ### Wildcards 1. `*` - matches zero or more alphanumeric characters @@ -33,7 +38,7 @@ A validation rule is expressed as an overlay pattern that expresses the desired There is no operator for `equals` as providing a field value in the pattern requires equality to the value. -## Anchors +### Anchors Anchors allow conditional processing (i.e. "if-then-else) and other logical checks in validation patterns. The following types of anchors are supported: @@ -45,7 +50,7 @@ Anchors allow conditional processing (i.e. "if-then-else) and other logical chec | Existence | ^() | Works on the list/array type only. If at least one element in the list satisfies the pattern. In contrast, a conditional anchor would validate that all elements in the list match the pattern.
e.g. At least one container with image nginx:latest must exist.
    ^(containers):
    - image: nginx:latest
| | Negation | X() | The tag cannot be specified. The value of the tag is not evaulated.
e.g. Hostpath tag cannot be defined.
    X(hostPath):
| -## Anchors and child elements +### Anchors and child elements Child elements are handled differently for conditional and equality anchors. @@ -77,17 +82,17 @@ For equality anchors, a child element is considered to be part of the "then" cla This is read as "If a hostPath volume exists, then the path must not be equal to /var/run/docker.sock". -## Examples +### Validation Pattern Examples The following rule prevents the creation of Deployment, StatefuleSet and DaemonSet resources without label 'app' in selector: ````yaml -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : validation-example -spec : +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validation-example +spec: rules: - name: check-label match: @@ -113,18 +118,18 @@ spec : ```` -### Existence anchor: at least one +#### Existence anchor: at least one A variation of an anchor, is to check that in a list of elements at least one element exists that matches the patterm. This is done by using the ^(...) notation for the field. For example, this pattern will check that at least one container has memory requests and limits defined and that the request is less than the limit: ````yaml -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : validation-example2 -spec : +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: validation-example2 +spec: rules: - name: check-memory_requests_link_in_yaml_relative match: @@ -147,7 +152,7 @@ spec : memory: "2048Mi" ```` -### Logical OR across validation patterns +#### Logical OR across validation patterns In some cases content can be defined at a different level. For example, a security context can be defined at the Pod or Container level. The validation rule should pass if either one of the conditions is met. @@ -190,5 +195,44 @@ Additional examples are available in [samples](/samples/README.md) The `validationFailureAction` attribute controls processing behaviors when the resource is not compliant with the policy. If the value is set to `enforce` resource creation or updates are blocked when the resource does not comply, and when the value is set to `audit` a policy violation is reported but the resource creation or update is allowed. +## Deny rules + +In addition to applying patterns to check resources, a validate rule can `deny` a request based on a set of conditions. This is useful for applying fine grained access controls that cannot be performed using Kubernetes RBAC. + +For example, the policy below denies `delete requests` for objects with the label `app.kubernetes.io/managed-by: kyverno` and for all users who do not have the `cluster-admin` role. + +As the example shows, you can use `match` and `exclude` to select when the rule should be applied and then use additional conditions in the `deny` declaration to apply fine-grained controls. + +Note that the `validationFailureAction` must be set to `enforce` to block the request. + +```yaml +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: multi-tenancy +spec: + validationFailureAction: enforce + background: false + rules: + - name: block-deletes-for-kyverno-resources + match: + resources: + selector: + matchLabels: + app.kubernetes.io/managed-by: kyverno + exclude: + clusterRoles: + - cluster-admin + validate: + message: "Deleting {{request.oldObject.kind}}/{{request.oldObject.metadata.name}} is not allowed" + deny: + conditions: + - key: "{{request.operation}}" + operator: Equals + value: "DELETE" +``` + +Learn more about using [variables](writing-policies-variables.md) and [conditions](writing-policies-preconditions.md) in upcoming sections. + --- *Read Next >> [Mutate Resources](/documentation/writing-policies-mutate.md)* diff --git a/documentation/writing-policies-variables.md b/documentation/writing-policies-variables.md index a0371e25b4..3cbcb3833b 100644 --- a/documentation/writing-policies-variables.md +++ b/documentation/writing-policies-variables.md @@ -14,9 +14,9 @@ The following data is available for use in context: Kyverno automatically creates a few useful variables: -- `serviceAccountName` : the last part of a service account i.e. without the suffix `system:serviceaccount::` and stores the userName. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store the value `user1` in the variable `serviceAccountName`. +- `serviceAccountName` : the "userName" which is last part of a service account i.e. without the prefix `system:serviceaccount::`. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store the value `user1` in the variable `serviceAccountName`. -- `serviceAccountNamespace` : the `namespace` portion of the serviceAccount. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store `nirmata` in the variable `serviceAccountNamespace`. +- `serviceAccountNamespace` : the "namespace" part of the serviceAccount. For example, when processing a request from `system:serviceaccount:nirmata:user1` Kyverno will store `nirmata` in the variable `serviceAccountNamespace`. ## Examples diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md index b0890dedf4..1f2e2c2cb3 100644 --- a/documentation/writing-policies.md +++ b/documentation/writing-policies.md @@ -8,59 +8,9 @@ The following picture shows the structure of a Kyverno Policy: Each Kyverno policy contains one or more rules. Each rule has a `match` clause, an optional `exclude` clause, and one of a `mutate`, `validate`, or `generate` clause. -The match / exclude clauses have the same structure, and can contain the following elements: -* resources: select resources by name, namespaces, kinds, and label selectors. -* subjects: select users, user groups, and service accounts -* roles: select namespaced roles -* clusterroles: select cluster wide roles - -When Kyverno receives an admission controller request, i.e. a validation or mutation webhook, it first checks to see if the resource and user information matches or should be excluded from processing. If both checks pass, then the rule logic to mutate, validate, or generate resources is applied. - -The following YAML provides an example for a match clause. - -````yaml -apiVersion : kyverno.io/v1 -kind : ClusterPolicy -metadata : - name : policy -spec : - # 'enforce' to block resource request if any rules fail - # 'audit' to allow resource request on failure of rules, but create policy violations to report them - validationFailureAction: enforce - # Each policy has a list of rules applied in declaration order - rules: - # Rules must have a unique name - - name: "check-pod-controller-labels" - # Each rule matches specific resource described by "match" field. - match: - resources: - kinds: # Required, list of kinds - - Deployment - - StatefulSet - name: "mongo*" # Optional, a resource name is optional. Name supports wildcards (* and ?) - namespaces: # Optional, list of namespaces. Supports wildcards (* and ?) - - "dev*" - - test - selector: # Optional, a resource selector is optional. Values support wildcards (* and ?) - matchLabels: - app: mongodb - matchExpressions: - - {key: tier, operator: In, values: [database]} - # Optional, subjects to be matched - subjects: - - kind: User - name: mary@somecorp.com - # Optional, roles to be matched - roles: - # Optional, clusterroles to be matched - clusterroles: cluster-admin - - ... - -```` - -Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. These actions are applied to the resource in described order: mutation, validation and then generation. +Each rule can validate, mutate, or generate configurations of matching resources. A rule definition can contain only a single **mutate**, **validate**, or **generate** child node. +These actions are applied to the resource in described order: mutation, validation and then generation. --- -*Read Next >> [Validate Resources](/documentation/writing-policies-validate.md)* +*Read Next >> [Selecting Resources](/documentation/writing-policies-match-exclude.md)* diff --git a/gh-pages/README.md b/gh-pages/README.md deleted file mode 100644 index 71a742be86..0000000000 --- a/gh-pages/README.md +++ /dev/null @@ -1,24 +0,0 @@ -# Kyverno Web Site - -This folder contains the https://kyverno.io website. - -The site is published in the gh_pages branch. To build the site: - -1. Clone the Hugo template: - -````bash -cd themes - git clone https://github.com/nirmata/github-project-landing-page - ```` - - 2. Make changes as needed. Then publish using: - -````bash -publish-to-gh-pages.sh -```` - -To build and test locally, install and run hugo: - -````bash -hugo server -```` diff --git a/gh-pages/archetypes/default.md b/gh-pages/archetypes/default.md deleted file mode 100644 index 00e77bd79b..0000000000 --- a/gh-pages/archetypes/default.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: "{{ replace .Name "-" " " | title }}" -date: {{ .Date }} -draft: true ---- - diff --git a/gh-pages/config.toml b/gh-pages/config.toml deleted file mode 100644 index e1419187e4..0000000000 --- a/gh-pages/config.toml +++ /dev/null @@ -1,33 +0,0 @@ -baseURL = "https://kyverno.io/" -themesDir = "themes" -theme = "github-project-landing-page" -title = "Kyverno" -canonifyURLs=true -relativeURLs=true - -[params] - description = "Kubernetes Native Policy Management" - long_description = ''' - Manage policies as Kubernetes resources. Validate, mutate, and generate configurations. - Select resources based on labels and wildcards. View policy enforcement as events. Detect - policy violations for existing resources.''' - author_name = "Nirmata" - author_url = "https://nirmata.com" - project_url = "https://github.com/nirmata/kyverno/" - project_documentation = "https://github.com/nirmata/kyverno/blob/master/README.md" - github_project_name = "kyverno" - github_user_name = "nirmata" - logo = "img/kyverno.png" - - first_color="#f8f8f8" - first_border_color="#e7e7e7" - first_text_color="#333" - - second_color="white" - second_text_color="#333" - - header_color="#f8f8f8" - header_text_color="rgb(51, 51, 51)" - - header_link_color="#777" - header_link_hover_color="rgb(51, 51, 51)" diff --git a/gh-pages/content/features.md b/gh-pages/content/features.md deleted file mode 100644 index 07aacf794c..0000000000 --- a/gh-pages/content/features.md +++ /dev/null @@ -1,24 +0,0 @@ -# Features - -* Policy definitions as Kubernetes resources - -* Validate, mutate, or generate Kubernetes resources - -* Match resources using label selectors and wildcards - -* Mutate using overlays (like Kustomize) or JSON Patch - -* Validate using overlays and powerful conditionals - -* Generate default resources during namespace creation - -* Reporting of policy violations for existing resources - -* Kubernetes events for resource changes and policy enforcement - -* Test policy changes using kubectl - - -

-Ready for more? Read the docs, write a policy, or try Kyverno in your cluster! -

\ No newline at end of file diff --git a/gh-pages/content/img/kyverno.png b/gh-pages/content/img/kyverno.png deleted file mode 100644 index a4e8dec82b..0000000000 Binary files a/gh-pages/content/img/kyverno.png and /dev/null differ diff --git a/gh-pages/publish-to-gh-pages.sh b/gh-pages/publish-to-gh-pages.sh deleted file mode 100644 index 98da6b8513..0000000000 --- a/gh-pages/publish-to-gh-pages.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh - -DIR=$(dirname "$0") - -if [[ $(git status -s) ]] -then - echo "The working directory is dirty. Please commit any pending changes." - exit 1; -fi - -echo "Deleting old publication" -rm -rf public -mkdir public -git worktree prune -rm -rf .git/worktrees/public/ - -echo "Checking out gh-pages branch into public" -git worktree add -B gh-pages public origin/gh-pages - -echo "Removing existing files" -rm -rf public/* - -echo "Generating site" -hugo - -echo "Updating gh-pages branch" -cd public && git add --all && git commit -m "Publishing to gh-pages (publish.sh)" -cd .. - -echo "done!" - diff --git a/gh-pages/themes/github-project-landing-page b/gh-pages/themes/github-project-landing-page deleted file mode 160000 index 7507b5c2da..0000000000 --- a/gh-pages/themes/github-project-landing-page +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 7507b5c2da7823b75185c3a2bd18db6357937143 diff --git a/go.sum b/go.sum new file mode 100644 index 0000000000..44177b474b --- /dev/null +++ b/go.sum @@ -0,0 +1,1114 @@ +9fans.net/go v0.0.0-20181112161441-237454027057/go.mod h1:diCsxrliIURU9xsYtjCp5AbpQKqdhKmf0ujWDUSkfoY= +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.39.0/go.mod h1:rVLT6fkc8chs9sfPtFc1SBH6em7n+ZoXaG+87tDISts= +cloud.google.com/go v0.41.0/go.mod h1:OauMR7DV8fzvZIl2qg6rkaIhD/vmgk4iwEw/h6ercmg= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +contrib.go.opencensus.io/exporter/ocagent v0.5.0/go.mod h1:ImxhfLRpxoYiSq891pBrLVhN+qmP8BTVvdH2YLs7Gl0= +git.apache.org/thrift.git v0.12.0/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg= +github.com/Azure/azure-pipeline-go v0.2.1/go.mod h1:UGSo8XybXnIGZ3epmeBw7Jdz+HiUVpqIlpz/HKHylF4= +github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v11.7.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= +github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/Shopify/sarama v1.24.1/go.mod h1:fGP8eQ6PugKEI0iUETYYtnP6d1pH/bdDMTel1X5ajsU= +github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= +github.com/StackExchange/wmi v0.0.0-20190523213315-cbe66965904d/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= +github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= +github.com/ajg/form v0.0.0-20160822230020-523a5da1a92f/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= +github.com/alecthomas/participle v0.2.1/go.mod h1:SW6HZGeZgSIpcUWX3fXpfZhuaWHnmoD5KCVaqSaNTkk= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/aliyun/aliyun-oss-go-sdk v0.0.0-20190307165228-86c17b95fcd5/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8= +github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/aws/aws-sdk-go v1.20.21/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.23.19/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-xray-sdk-go v0.9.4/go.mod h1:XtMKdBQfpVut+tJEwI7+dJFRxxRdxHDyVNp2tHXRq04= +github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= +github.com/bcicen/jstream v0.0.0-20190220045926-16c1f8af81c2/go.mod h1:RDu/qcrnpEdJC/p8tx34+YBFqqX71lB7dOX9QE+ZC4M= +github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= +github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps= +github.com/cenkalti/backoff v2.1.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4= +github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= +github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cheggaaa/pb v1.0.28/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s= +github.com/cihub/seelog v0.0.0-20170130134532-f561c5e57575/go.mod h1:9d6lWj8KzO/fd/NrVaLscBKmPigpZpn5YawRPw+e3Yo= +github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= +github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= +github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c/go.mod h1:XGLbWH/ujMcbPbhZq52Nv6UrCghb1yGn//133kEsvDk= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= +github.com/codegangsta/negroni v1.0.0/go.mod h1:v0y3T5G7Y1UlFfyxFn/QLRU4a2EuNau2iZY63YTKWo0= +github.com/containerd/continuity v0.0.0-20181203112020-004b46473808/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y= +github.com/coredns/coredns v1.4.0/go.mod h1:zASH/MVDgR6XZTbxvOnsZfffS+31vg6Ackf/wo1+AM0= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/bbolt v1.3.3/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/etcd v3.3.12+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/djherbis/atime v1.0.0/go.mod h1:5W+KBIuTwVGcqjIfaTwt+KSYX1o6uep8dtevevQP/f8= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v0.0.0-20180713052910-9f541cc9db5d/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= +github.com/eapache/go-resiliency v1.2.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= +github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= +github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/eclipse/paho.mqtt.golang v1.2.0/go.mod h1:H9keYFcgq3Qr5OUJm/JZI/i6U7joQ8SYLhZwfeOo6Ts= +github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20181003060214-f58a169a71a5/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M= +github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/structs v1.0.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/fortytw2/leaktest v1.2.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/frankban/quicktest v1.4.1/go.mod h1:36zfPVQyHxymz4cH7wlDmVwDrJuljRB60qkgn7rorfQ= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I= +github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/go-bindata/go-bindata v3.1.1+incompatible/go.mod h1:xK8Dsgwmeed+BBsSy2XTopBn/8uK2HWuGSnA11C3Joo= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-logr/logr v0.1.0 h1:M1Tv3VzNlEHg6uyACnRdtrploV2P7wZqH8BoQMtz0cg= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk= +github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM= +github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= +github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= +github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= +github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU= +github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= +github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= +github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs= +github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk= +github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= +github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= +github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= +github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= +github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= +github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= +github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= +github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= +github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= +github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gobuffalo/buffalo v0.12.8-0.20181004233540-fac9bb505aa8/go.mod h1:sLyT7/dceRXJUxSsE813JTQtA3Eb1vjxWfo/N//vXIY= +github.com/gobuffalo/buffalo v0.13.0/go.mod h1:Mjn1Ba9wpIbpbrD+lIDMy99pQ0H0LiddMIIDGse7qT4= +github.com/gobuffalo/buffalo-plugins v1.0.2/go.mod h1:pOp/uF7X3IShFHyobahTkTLZaeUXwb0GrUTb9ngJWTs= +github.com/gobuffalo/buffalo-plugins v1.0.4/go.mod h1:pWS1vjtQ6uD17MVFWf7i3zfThrEKWlI5+PYLw/NaDB4= +github.com/gobuffalo/buffalo-plugins v1.4.3/go.mod h1:uCzTY0woez4nDMdQjkcOYKanngeUVRO2HZi7ezmAjWY= +github.com/gobuffalo/buffalo-plugins v1.5.1/go.mod h1:jbmwSZK5+PiAP9cC09VQOrGMZFCa/P0UMlIS3O12r5w= +github.com/gobuffalo/buffalo-plugins v1.6.4/go.mod h1:/+N1aophkA2jZ1ifB2O3Y9yGwu6gKOVMtUmJnbg+OZI= +github.com/gobuffalo/buffalo-plugins v1.6.5/go.mod h1:0HVkbgrVs/MnPZ/FOseDMVanCTm2RNcdM0PuXcL1NNI= +github.com/gobuffalo/buffalo-plugins v1.6.7/go.mod h1:ZGZRkzz2PiKWHs0z7QsPBOTo2EpcGRArMEym6ghKYgk= +github.com/gobuffalo/buffalo-plugins v1.6.9/go.mod h1:yYlYTrPdMCz+6/+UaXg5Jm4gN3xhsvsQ2ygVatZV5vw= +github.com/gobuffalo/buffalo-plugins v1.6.11/go.mod h1:eAA6xJIL8OuynJZ8amXjRmHND6YiusVAaJdHDN1Lu8Q= +github.com/gobuffalo/buffalo-plugins v1.8.2/go.mod h1:9te6/VjEQ7pKp7lXlDIMqzxgGpjlKoAcAANdCgoR960= +github.com/gobuffalo/buffalo-plugins v1.8.3/go.mod h1:IAWq6vjZJVXebIq2qGTLOdlXzmpyTZ5iJG5b59fza5U= +github.com/gobuffalo/buffalo-plugins v1.9.4/go.mod h1:grCV6DGsQlVzQwk6XdgcL3ZPgLm9BVxlBmXPMF8oBHI= +github.com/gobuffalo/buffalo-plugins v1.10.0/go.mod h1:4osg8d9s60txLuGwXnqH+RCjPHj9K466cDFRl3PErHI= +github.com/gobuffalo/buffalo-plugins v1.11.0/go.mod h1:rtIvAYRjYibgmWhnjKmo7OadtnxuMG5ZQLr25ozAzjg= +github.com/gobuffalo/buffalo-pop v1.0.5/go.mod h1:Fw/LfFDnSmB/vvQXPvcXEjzP98Tc+AudyNWUBWKCwQ8= +github.com/gobuffalo/envy v1.6.4/go.mod h1:Abh+Jfw475/NWtYMEt+hnJWRiC8INKWibIMyNt1w2Mc= +github.com/gobuffalo/envy v1.6.5/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ= +github.com/gobuffalo/envy v1.6.6/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ= +github.com/gobuffalo/envy v1.6.7/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ= +github.com/gobuffalo/envy v1.6.8/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ= +github.com/gobuffalo/envy v1.6.9/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ= +github.com/gobuffalo/envy v1.6.10/go.mod h1:X0CFllQjTV5ogsnUrg+Oks2yTI+PU2dGYBJOEI2D1Uo= +github.com/gobuffalo/envy v1.6.11/go.mod h1:Fiq52W7nrHGDggFPhn2ZCcHw4u/rqXkqo+i7FB6EAcg= +github.com/gobuffalo/envy v1.6.12/go.mod h1:qJNrJhKkZpEW0glh5xP2syQHH5kgdmgsKss2Kk8PTP0= +github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI= +github.com/gobuffalo/events v1.0.3/go.mod h1:Txo8WmqScapa7zimEQIwgiJBvMECMe9gJjsKNPN3uZw= +github.com/gobuffalo/events v1.0.7/go.mod h1:z8txf6H9jWhQ5Scr7YPLWg/cgXBRj8Q4uYI+rsVCCSQ= +github.com/gobuffalo/events v1.0.8/go.mod h1:A5KyqT1sA+3GJiBE4QKZibse9mtOcI9nw8gGrDdqYGs= +github.com/gobuffalo/events v1.1.3/go.mod h1:9yPGWYv11GENtzrIRApwQRMYSbUgCsZ1w6R503fCfrk= +github.com/gobuffalo/events v1.1.4/go.mod h1:09/YRRgZHEOts5Isov+g9X2xajxdvOAcUuAHIX/O//A= +github.com/gobuffalo/events v1.1.5/go.mod h1:3YUSzgHfYctSjEjLCWbkXP6djH2M+MLaVRzb4ymbAK0= +github.com/gobuffalo/events v1.1.7/go.mod h1:6fGqxH2ing5XMb3EYRq9LEkVlyPGs4oO/eLzh+S8CxY= +github.com/gobuffalo/events v1.1.8/go.mod h1:UFy+W6X6VbCWS8k2iT81HYX65dMtiuVycMy04cplt/8= +github.com/gobuffalo/events v1.1.9/go.mod h1:/0nf8lMtP5TkgNbzYxR6Bl4GzBy5s5TebgNTdRfRbPM= +github.com/gobuffalo/fizz v1.0.12/go.mod h1:C0sltPxpYK8Ftvf64kbsQa2yiCZY4RZviurNxXdAKwc= +github.com/gobuffalo/flect v0.0.0-20180907193754-dc14d8acaf9f/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA= +github.com/gobuffalo/flect v0.0.0-20181002182613-4571df4b1daf/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA= +github.com/gobuffalo/flect v0.0.0-20181007231023-ae7ed6bfe683/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA= +github.com/gobuffalo/flect v0.0.0-20181018182602-fd24a256709f/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA= +github.com/gobuffalo/flect v0.0.0-20181019110701-3d6f0b585514/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA= +github.com/gobuffalo/flect v0.0.0-20181024204909-8f6be1a8c6c2/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA= +github.com/gobuffalo/flect v0.0.0-20181104133451-1f6e9779237a/go.mod h1:rCiQgmAE4axgBNl3jZWzS5rETRYTGOsrixTRaCPzNdA= +github.com/gobuffalo/flect v0.0.0-20181114183036-47375f6d8328/go.mod h1:0HvNbHdfh+WOvDSIASqJOSxTOWSxCCUF++k/Y53v9rI= +github.com/gobuffalo/flect v0.0.0-20181210151238-24a2b68e0316/go.mod h1:en58vff74S9b99Eg42Dr+/9yPu437QjlNsO/hBYPuOk= +github.com/gobuffalo/flect v0.0.0-20190104192022-4af577e09bf2/go.mod h1:en58vff74S9b99Eg42Dr+/9yPu437QjlNsO/hBYPuOk= +github.com/gobuffalo/flect v0.0.0-20190117212819-a62e61d96794/go.mod h1:397QT6v05LkZkn07oJXXT6y9FCfwC8Pug0WA2/2mE9k= +github.com/gobuffalo/genny v0.0.0-20180924032338-7af3a40f2252/go.mod h1:tUTQOogrr7tAQnhajMSH6rv1BVev34H2sa1xNHMy94g= +github.com/gobuffalo/genny v0.0.0-20181003150629-3786a0744c5d/go.mod h1:WAd8HmjMVrnkAZbmfgH5dLBUchsZfqzp/WS5sQz+uTM= +github.com/gobuffalo/genny v0.0.0-20181005145118-318a41a134cc/go.mod h1:WAd8HmjMVrnkAZbmfgH5dLBUchsZfqzp/WS5sQz+uTM= +github.com/gobuffalo/genny v0.0.0-20181007153042-b8de7d566757/go.mod h1:+oG5Ljrw04czAHbPXREwaFojJbpUvcIy4DiOnbEJFTA= +github.com/gobuffalo/genny v0.0.0-20181012161047-33e5f43d83a6/go.mod h1:+oG5Ljrw04czAHbPXREwaFojJbpUvcIy4DiOnbEJFTA= +github.com/gobuffalo/genny v0.0.0-20181017160347-90a774534246/go.mod h1:+oG5Ljrw04czAHbPXREwaFojJbpUvcIy4DiOnbEJFTA= +github.com/gobuffalo/genny v0.0.0-20181024195656-51392254bf53/go.mod h1:o9GEH5gn5sCKLVB5rHFC4tq40rQ3VRUzmx6WwmaqISE= +github.com/gobuffalo/genny v0.0.0-20181025145300-af3f81d526b8/go.mod h1:uZ1fFYvdcP8mu0B/Ynarf6dsGvp7QFIpk/QACUuFUVI= +github.com/gobuffalo/genny v0.0.0-20181027191429-94d6cfb5c7fc/go.mod h1:x7SkrQQBx204Y+O9EwRXeszLJDTaWN0GnEasxgLrQTA= +github.com/gobuffalo/genny v0.0.0-20181027195209-3887b7171c4f/go.mod h1:JbKx8HSWICu5zyqWOa0dVV1pbbXOHusrSzQUprW6g+w= +github.com/gobuffalo/genny v0.0.0-20181106193839-7dcb0924caf1/go.mod h1:x61yHxvbDCgQ/7cOAbJCacZQuHgB0KMSzoYcw5debjU= +github.com/gobuffalo/genny v0.0.0-20181107223128-f18346459dbe/go.mod h1:utQD3aKKEsdb03oR+Vi/6ztQb1j7pO10N3OBoowRcSU= +github.com/gobuffalo/genny v0.0.0-20181114215459-0a4decd77f5d/go.mod h1:kN2KZ8VgXF9VIIOj/GM0Eo7YK+un4Q3tTreKOf0q1ng= +github.com/gobuffalo/genny v0.0.0-20181119162812-e8ff4adce8bb/go.mod h1:BA9htSe4bZwBDJLe8CUkoqkypq3hn3+CkoHqVOW718E= +github.com/gobuffalo/genny v0.0.0-20181127225641-2d959acc795b/go.mod h1:l54xLXNkteX/PdZ+HlgPk1qtcrgeOr3XUBBPDbH+7CQ= +github.com/gobuffalo/genny v0.0.0-20181128191930-77e34f71ba2a/go.mod h1:FW/D9p7cEEOqxYA71/hnrkOWm62JZ5ZNxcNIVJEaWBU= +github.com/gobuffalo/genny v0.0.0-20181203165245-fda8bcce96b1/go.mod h1:wpNSANu9UErftfiaAlz1pDZclrYzLtO5lALifODyjuM= +github.com/gobuffalo/genny v0.0.0-20181203201232-849d2c9534ea/go.mod h1:wpNSANu9UErftfiaAlz1pDZclrYzLtO5lALifODyjuM= +github.com/gobuffalo/genny v0.0.0-20181206121324-d6fb8a0dbe36/go.mod h1:wpNSANu9UErftfiaAlz1pDZclrYzLtO5lALifODyjuM= +github.com/gobuffalo/genny v0.0.0-20181207164119-84844398a37d/go.mod h1:y0ysCHGGQf2T3vOhCrGHheYN54Y/REj0ayd0Suf4C/8= +github.com/gobuffalo/genny v0.0.0-20181211165820-e26c8466f14d/go.mod h1:sHnK+ZSU4e2feXP3PA29ouij6PUEiN+RCwECjCTB3yM= +github.com/gobuffalo/genny v0.0.0-20190104222617-a71664fc38e7/go.mod h1:QPsQ1FnhEsiU8f+O0qKWXz2RE4TiDqLVChWkBuh1WaY= +github.com/gobuffalo/genny v0.0.0-20190112155932-f31a84fcacf5/go.mod h1:CIaHCrSIuJ4il6ka3Hub4DR4adDrGoXGEEt2FbBxoIo= +github.com/gobuffalo/github_flavored_markdown v1.0.4/go.mod h1:uRowCdK+q8d/RF0Kt3/DSalaIXbb0De/dmTqMQdkQ4I= +github.com/gobuffalo/github_flavored_markdown v1.0.5/go.mod h1:U0643QShPF+OF2tJvYNiYDLDGDuQmJZXsf/bHOJPsMY= +github.com/gobuffalo/github_flavored_markdown v1.0.7/go.mod h1:w93Pd9Lz6LvyQXEG6DktTPHkOtCbr+arAD5mkwMzXLI= +github.com/gobuffalo/httptest v1.0.2/go.mod h1:7T1IbSrg60ankme0aDLVnEY0h056g9M1/ZvpVThtB7E= +github.com/gobuffalo/licenser v0.0.0-20180924033006-eae28e638a42/go.mod h1:Ubo90Np8gpsSZqNScZZkVXXAo5DGhTb+WYFIjlnog8w= +github.com/gobuffalo/licenser v0.0.0-20181025145548-437d89de4f75/go.mod h1:x3lEpYxkRG/XtGCUNkio+6RZ/dlOvLzTI9M1auIwFcw= +github.com/gobuffalo/licenser v0.0.0-20181027200154-58051a75da95/go.mod h1:BzhaaxGd1tq1+OLKObzgdCV9kqVhbTulxOpYbvMQWS0= +github.com/gobuffalo/licenser v0.0.0-20181109171355-91a2a7aac9a7/go.mod h1:m+Ygox92pi9bdg+gVaycvqE8RVSjZp7mWw75+K5NPHk= +github.com/gobuffalo/licenser v0.0.0-20181128165715-cc7305f8abed/go.mod h1:oU9F9UCE+AzI/MueCKZamsezGOOHfSirltllOVeRTAE= +github.com/gobuffalo/licenser v0.0.0-20181203160806-fe900bbede07/go.mod h1:ph6VDNvOzt1CdfaWC+9XwcBnlSTBz2j49PBwum6RFaU= +github.com/gobuffalo/licenser v0.0.0-20181211173111-f8a311c51159/go.mod h1:ve/Ue99DRuvnTaLq2zKa6F4KtHiYf7W046tDjuGYPfM= +github.com/gobuffalo/logger v0.0.0-20181022175615-46cfb361fc27/go.mod h1:8sQkgyhWipz1mIctHF4jTxmJh1Vxhp7mP8IqbljgJZo= +github.com/gobuffalo/logger v0.0.0-20181027144941-73d08d2bb969/go.mod h1:7uGg2duHKpWnN4+YmyKBdLXfhopkAdVM6H3nKbyFbz8= +github.com/gobuffalo/logger v0.0.0-20181027193913-9cf4dd0efe46/go.mod h1:7uGg2duHKpWnN4+YmyKBdLXfhopkAdVM6H3nKbyFbz8= +github.com/gobuffalo/logger v0.0.0-20181109185836-3feeab578c17/go.mod h1:oNErH0xLe+utO+OW8ptXMSA5DkiSEDW1u3zGIt8F9Ew= +github.com/gobuffalo/logger v0.0.0-20181117211126-8e9b89b7c264/go.mod h1:5etB91IE0uBlw9k756fVKZJdS+7M7ejVhmpXXiSFj0I= +github.com/gobuffalo/logger v0.0.0-20181127160119-5b956e21995c/go.mod h1:+HxKANrR9VGw9yN3aOAppJKvhO05ctDi63w4mDnKv2U= +github.com/gobuffalo/makr v1.1.5/go.mod h1:Y+o0btAH1kYAMDJW/TX3+oAXEu0bmSLLoC9mIFxtzOw= +github.com/gobuffalo/mapi v1.0.0/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/mapi v1.0.1/go.mod h1:4VAGh89y6rVOvm5A8fKFxYG+wIW6LO1FMTG9hnKStFc= +github.com/gobuffalo/meta v0.0.0-20181018155829-df62557efcd3/go.mod h1:XTTOhwMNryif3x9LkTTBO/Llrveezd71u3quLd0u7CM= +github.com/gobuffalo/meta v0.0.0-20181018192820-8c6cef77dab3/go.mod h1:E94EPzx9NERGCY69UWlcj6Hipf2uK/vnfrF4QD0plVE= +github.com/gobuffalo/meta v0.0.0-20181025145500-3a985a084b0a/go.mod h1:YDAKBud2FP7NZdruCSlmTmDOZbVSa6bpK7LJ/A/nlKg= +github.com/gobuffalo/meta v0.0.0-20181114191255-b130ebedd2f7/go.mod h1:K6cRZ29ozr4Btvsqkjvg5nDFTLOgTqf03KA70Ks0ypE= +github.com/gobuffalo/meta v0.0.0-20181127070345-0d7e59dd540b/go.mod h1:RLO7tMvE0IAKAM8wny1aN12pvEKn7EtkBLkUZR00Qf8= +github.com/gobuffalo/meta v0.0.0-20190120163247-50bbb1fa260d/go.mod h1:KKsH44nIK2gA8p0PJmRT9GvWJUdphkDUA8AJEvFWiqM= +github.com/gobuffalo/mw-basicauth v1.0.3/go.mod h1:dg7+ilMZOKnQFHDefUzUHufNyTswVUviCBgF244C1+0= +github.com/gobuffalo/mw-contenttype v0.0.0-20180802152300-74f5a47f4d56/go.mod h1:7EvcmzBbeCvFtQm5GqF9ys6QnCxz2UM1x0moiWLq1No= +github.com/gobuffalo/mw-csrf v0.0.0-20180802151833-446ff26e108b/go.mod h1:sbGtb8DmDZuDUQoxjr8hG1ZbLtZboD9xsn6p77ppcHo= +github.com/gobuffalo/mw-forcessl v0.0.0-20180802152810-73921ae7a130/go.mod h1:JvNHRj7bYNAMUr/5XMkZaDcw3jZhUZpsmzhd//FFWmQ= +github.com/gobuffalo/mw-i18n v0.0.0-20180802152014-e3060b7e13d6/go.mod h1:91AQfukc52A6hdfIfkxzyr+kpVYDodgAeT5cjX1UIj4= +github.com/gobuffalo/mw-paramlogger v0.0.0-20181005191442-d6ee392ec72e/go.mod h1:6OJr6VwSzgJMqWMj7TYmRUqzNe2LXu/W1rRW4MAz/ME= +github.com/gobuffalo/mw-tokenauth v0.0.0-20181001105134-8545f626c189/go.mod h1:UqBF00IfKvd39ni5+yI5MLMjAf4gX7cDKN/26zDOD6c= +github.com/gobuffalo/packd v0.0.0-20181027182251-01ad393492c8/go.mod h1:SmdBdhj6uhOsg1Ui4SFAyrhuc7U4VCildosO5IDJ3lc= +github.com/gobuffalo/packd v0.0.0-20181027190505-aafc0d02c411/go.mod h1:SmdBdhj6uhOsg1Ui4SFAyrhuc7U4VCildosO5IDJ3lc= +github.com/gobuffalo/packd v0.0.0-20181027194105-7ae579e6d213/go.mod h1:SmdBdhj6uhOsg1Ui4SFAyrhuc7U4VCildosO5IDJ3lc= +github.com/gobuffalo/packd v0.0.0-20181031195726-c82734870264/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI= +github.com/gobuffalo/packd v0.0.0-20181104210303-d376b15f8e96/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI= +github.com/gobuffalo/packd v0.0.0-20181111195323-b2e760a5f0ff/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI= +github.com/gobuffalo/packd v0.0.0-20181114190715-f25c5d2471d7/go.mod h1:Yf2toFaISlyQrr5TfO3h6DB9pl9mZRmyvBGQb/aQ/pI= +github.com/gobuffalo/packd v0.0.0-20181124090624-311c6248e5fb/go.mod h1:Foenia9ZvITEvG05ab6XpiD5EfBHPL8A6hush8SJ0o8= +github.com/gobuffalo/packd v0.0.0-20181207120301-c49825f8f6f4/go.mod h1:LYc0TGKFBBFTRC9dg2pcRcMqGCTMD7T2BIMP7OBuQAA= +github.com/gobuffalo/packd v0.0.0-20181212173646-eca3b8fd6687/go.mod h1:LYc0TGKFBBFTRC9dg2pcRcMqGCTMD7T2BIMP7OBuQAA= +github.com/gobuffalo/packr v1.13.7/go.mod h1:KkinLIn/n6+3tVXMwg6KkNvWwVsrRAz4ph+jgpk3Z24= +github.com/gobuffalo/packr v1.15.0/go.mod h1:t5gXzEhIviQwVlNx/+3SfS07GS+cZ2hn76WLzPp6MGI= +github.com/gobuffalo/packr v1.15.1/go.mod h1:IeqicJ7jm8182yrVmNbM6PR4g79SjN9tZLH8KduZZwE= +github.com/gobuffalo/packr v1.19.0/go.mod h1:MstrNkfCQhd5o+Ct4IJ0skWlxN8emOq8DsoT1G98VIU= +github.com/gobuffalo/packr v1.20.0/go.mod h1:JDytk1t2gP+my1ig7iI4NcVaXr886+N0ecUga6884zw= +github.com/gobuffalo/packr v1.21.0/go.mod h1:H00jGfj1qFKxscFJSw8wcL4hpQtPe1PfU2wa6sg/SR0= +github.com/gobuffalo/packr v1.22.0/go.mod h1:Qr3Wtxr3+HuQEwWqlLnNW4t1oTvK+7Gc/Rnoi/lDFvA= +github.com/gobuffalo/packr/v2 v2.0.0-rc.8/go.mod h1:y60QCdzwuMwO2R49fdQhsjCPv7tLQFR0ayzxxla9zes= +github.com/gobuffalo/packr/v2 v2.0.0-rc.9/go.mod h1:fQqADRfZpEsgkc7c/K7aMew3n4aF1Kji7+lIZeR98Fc= +github.com/gobuffalo/packr/v2 v2.0.0-rc.10/go.mod h1:4CWWn4I5T3v4c1OsJ55HbHlUEKNWMITG5iIkdr4Px4w= +github.com/gobuffalo/packr/v2 v2.0.0-rc.11/go.mod h1:JoieH/3h3U4UmatmV93QmqyPUdf4wVM9HELaHEu+3fk= +github.com/gobuffalo/packr/v2 v2.0.0-rc.12/go.mod h1:FV1zZTsVFi1DSCboO36Xgs4pzCZBjB/tDV9Cz/lSaR8= +github.com/gobuffalo/packr/v2 v2.0.0-rc.13/go.mod h1:2Mp7GhBFMdJlOK8vGfl7SYtfMP3+5roE39ejlfjw0rA= +github.com/gobuffalo/packr/v2 v2.0.0-rc.14/go.mod h1:06otbrNvDKO1eNQ3b8hst+1010UooI2MFg+B2Ze4MV8= +github.com/gobuffalo/packr/v2 v2.0.0-rc.15/go.mod h1:IMe7H2nJvcKXSF90y4X1rjYIRlNMJYCxEhssBXNZwWs= +github.com/gobuffalo/plush v3.7.16+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plush v3.7.20+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plush v3.7.21+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plush v3.7.22+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plush v3.7.23+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plush v3.7.30+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plush v3.7.31+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plush v3.7.32+incompatible/go.mod h1:rQ4zdtUUyZNqULlc6bqd5scsPfLKfT0+TGMChgduDvI= +github.com/gobuffalo/plushgen v0.0.0-20181128164830-d29dcb966cb2/go.mod h1:r9QwptTFnuvSaSRjpSp4S2/4e2D3tJhARYbvEBcKSb4= +github.com/gobuffalo/plushgen v0.0.0-20181203163832-9fc4964505c2/go.mod h1:opEdT33AA2HdrIwK1aibqnTJDVVKXC02Bar/GT1YRVs= +github.com/gobuffalo/plushgen v0.0.0-20181207152837-eedb135bd51b/go.mod h1:Lcw7HQbEVm09sAQrCLzIxuhFbB3nAgp4c55E+UlynR0= +github.com/gobuffalo/plushgen v0.0.0-20190104222512-177cd2b872b3/go.mod h1:tYxCozi8X62bpZyKXYHw1ncx2ZtT2nFvG42kuLwYjoc= +github.com/gobuffalo/pop v4.8.2+incompatible/go.mod h1:DwBz3SD5SsHpTZiTubcsFWcVDpJWGsxjVjMPnkiThWg= +github.com/gobuffalo/pop v4.8.3+incompatible/go.mod h1:DwBz3SD5SsHpTZiTubcsFWcVDpJWGsxjVjMPnkiThWg= +github.com/gobuffalo/pop v4.8.4+incompatible/go.mod h1:DwBz3SD5SsHpTZiTubcsFWcVDpJWGsxjVjMPnkiThWg= +github.com/gobuffalo/release v1.0.35/go.mod h1:VtHFAKs61vO3wboCec5xr9JPTjYyWYcvaM3lclkc4x4= +github.com/gobuffalo/release v1.0.38/go.mod h1:VtHFAKs61vO3wboCec5xr9JPTjYyWYcvaM3lclkc4x4= +github.com/gobuffalo/release v1.0.42/go.mod h1:RPs7EtafH4oylgetOJpGP0yCZZUiO4vqHfTHJjSdpug= +github.com/gobuffalo/release v1.0.52/go.mod h1:RPs7EtafH4oylgetOJpGP0yCZZUiO4vqHfTHJjSdpug= +github.com/gobuffalo/release v1.0.53/go.mod h1:FdF257nd8rqhNaqtDWFGhxdJ/Ig4J7VcS3KL7n/a+aA= +github.com/gobuffalo/release v1.0.54/go.mod h1:Pe5/RxRa/BE8whDpGfRqSI7D1a0evGK1T4JDm339tJc= +github.com/gobuffalo/release v1.0.61/go.mod h1:mfIO38ujUNVDlBziIYqXquYfBF+8FDHUjKZgYC1Hj24= +github.com/gobuffalo/release v1.0.72/go.mod h1:NP5NXgg/IX3M5XmHmWR99D687/3Dt9qZtTK/Lbwc1hU= +github.com/gobuffalo/release v1.1.1/go.mod h1:Sluak1Xd6kcp6snkluR1jeXAogdJZpFFRzTYRs/2uwg= +github.com/gobuffalo/release v1.1.3/go.mod h1:CuXc5/m+4zuq8idoDt1l4va0AXAn/OSs08uHOfMVr8E= +github.com/gobuffalo/release v1.1.6/go.mod h1:18naWa3kBsqO0cItXZNJuefCKOENpbbUIqRL1g+p6z0= +github.com/gobuffalo/shoulders v1.0.1/go.mod h1:V33CcVmaQ4gRUmHKwq1fiTXuf8Gp/qjQBUL5tHPmvbA= +github.com/gobuffalo/syncx v0.0.0-20181120191700-98333ab04150/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= +github.com/gobuffalo/syncx v0.0.0-20181120194010-558ac7de985f/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= +github.com/gobuffalo/tags v2.0.11+incompatible/go.mod h1:9XmhOkyaB7UzvuY4UoZO4s67q8/xRMVJEaakauVQYeY= +github.com/gobuffalo/tags v2.0.14+incompatible/go.mod h1:9XmhOkyaB7UzvuY4UoZO4s67q8/xRMVJEaakauVQYeY= +github.com/gobuffalo/tags v2.0.15+incompatible/go.mod h1:9XmhOkyaB7UzvuY4UoZO4s67q8/xRMVJEaakauVQYeY= +github.com/gobuffalo/uuid v2.0.3+incompatible/go.mod h1:ErhIzkRhm0FtRuiE/PeORqcw4cVi1RtSpnwYrxuvkfE= +github.com/gobuffalo/uuid v2.0.4+incompatible/go.mod h1:ErhIzkRhm0FtRuiE/PeORqcw4cVi1RtSpnwYrxuvkfE= +github.com/gobuffalo/uuid v2.0.5+incompatible/go.mod h1:ErhIzkRhm0FtRuiE/PeORqcw4cVi1RtSpnwYrxuvkfE= +github.com/gobuffalo/validate v2.0.3+incompatible/go.mod h1:N+EtDe0J8252BgfzQUChBgfd6L93m9weay53EWFVsMM= +github.com/gobuffalo/x v0.0.0-20181003152136-452098b06085/go.mod h1:WevpGD+5YOreDJznWevcn8NTmQEW5STSBgIkpkjzqXc= +github.com/gobuffalo/x v0.0.0-20181007152206-913e47c59ca7/go.mod h1:9rDPXaB3kXdKWzMc4odGQQdG2e2DIEmANy5aSJ9yesY= +github.com/gofrs/uuid v3.1.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= +github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/gddo v0.0.0-20180828051604-96d2a289f41e/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4= +github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20180513044358-24b0969c4cb7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= +github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gopherjs/gopherjs v0.0.0-20181004151105-1babbf986f6f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gopherjs/gopherjs v0.0.0-20190328170749-bb2674552d8f/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= +github.com/gorilla/handlers v1.4.0/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ= +github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/pat v0.0.0-20180118222023-199c85a7f6d1/go.mod h1:YeAe0gNeiNT5hoiZRI4yiOky6jVdNvfO2N6Kav/HmxY= +github.com/gorilla/rpc v1.2.0/go.mod h1:V4h9r+4sF5HnzqbwIez0fKSpANP0zlYd3qR7p36jkTQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/sessions v1.1.2/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w= +github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gotestyourself/gotestyourself v2.2.0+incompatible/go.mod h1:zZKM6oeNM8k+FRljX1mnzVYeS8wiGgQyvST1/GafPbY= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.8.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI= +github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.9.1/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3 h1:YPkqC67at8FYaadspW/6uE0COsBxS2656RLEr8Bppgk= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/raft v1.1.1-0.20190703171940-f639636d18e0/go.mod h1:vPAJM8Asw6u8LxC3eJCUZmRP/E4QmUGE1R7g7k8sG/8= +github.com/hashicorp/raft-boltdb v0.0.0-20171010151810-6e5ba93211ea/go.mod h1:pNv7Wc3ycL6F5oOWn+tPGo2gWD4a5X+yp/ntwdKLjRk= +github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoIospckxBxk6Q= +github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M= +github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ= +github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/go-update v0.0.0-20160112193335-8152e7eb6ccf/go.mod h1:hyb9oH7vZsitZCiBt0ZvifOrB+qc8PS5IiilCIb87rg= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jackc/fake v0.0.0-20150926172116-812a484cc733/go.mod h1:WrMFNQdiFJ80sQsxDoMokWK1W5TQtxBFNpzWTD84ibQ= +github.com/jackc/pgx v3.2.0+incompatible/go.mod h1:0ZGrqGqkRlliWnWB4zKnWtjbSWbGkVEFm4TeybAXq+I= +github.com/jcmturner/gofork v0.0.0-20190328161633-dc7c13fece03/go.mod h1:MK8+TM0La+2rjBD4jE12Kj1pCCxK7d2LK/UM3ncEo0o= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmoiron/sqlx v0.0.0-20180614180643-0dae4fefe7c0/go.mod h1:IiEW3SEiiErVyFdH8NTuWjSifiEQKUoyK3LNqr2kCHU= +github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks= +github.com/joho/godotenv v1.2.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= +github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns= +github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= +github.com/karrick/godirwalk v1.7.5/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34= +github.com/karrick/godirwalk v1.7.7/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34= +github.com/karrick/godirwalk v1.7.8/go.mod h1:2c9FRhkDxdIbgkOnCEvnSWs71Bhugbl46shStcFDJ34= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/klauspost/compress v1.8.2/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/compress v1.9.4/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/compress v1.9.7/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/cpuid v1.2.2/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= +github.com/klauspost/pgzip v1.2.1/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= +github.com/klauspost/readahead v1.3.1/go.mod h1:AH9juHzNH7xqdqFHrMRSHeH2Ps+vFf+kblDqzPFiLJg= +github.com/klauspost/reedsolomon v1.9.3/go.mod h1:CwCi+NUr9pqSVktrkN+Ondf06rkhYZ/pcNv7fu+8Un4= +github.com/konsorten/go-windows-terminal-sequences v0.0.0-20180402223658-b729f2633dfe/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kurin/blazer v0.5.4-0.20190613185654-cf2f27cc0be3/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU= +github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/luna-duclos/instrumentedsql v1.1.2/go.mod h1:4LGbEqDnopzNAiyxPPDXhLspyunZxgPTMJBKtC6U0BQ= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20180730094502-03f2033d19d5/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/markbates/deplist v1.0.4/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM= +github.com/markbates/deplist v1.0.5/go.mod h1:gRRbPbbuA8TmMiRvaOzUlRfzfjeCCBqX2A6arxN01MM= +github.com/markbates/going v1.0.2/go.mod h1:UWCk3zm0UKefHZ7l8BNqi26UyiEMniznk8naLdTcy6c= +github.com/markbates/grift v1.0.4/go.mod h1:wbmtW74veyx+cgfwFhlnnMWqhoz55rnHR47oMXzsyVs= +github.com/markbates/hmax v1.0.0/go.mod h1:cOkR9dktiESxIMu+65oc/r/bdY4bE8zZw3OLhLx0X2c= +github.com/markbates/inflect v1.0.0/go.mod h1:oTeZL2KHA7CUX6X+fovmK9OvIOFuqu0TwdQrZjLTh88= +github.com/markbates/inflect v1.0.1/go.mod h1:uv3UVNBe5qBIfCm8O8Q+DW+S1EopeyINj+Ikhc7rnCk= +github.com/markbates/inflect v1.0.3/go.mod h1:1fR9+pO2KHEO9ZRtto13gDwwZaAKstQzferVeWqbgNs= +github.com/markbates/inflect v1.0.4/go.mod h1:1fR9+pO2KHEO9ZRtto13gDwwZaAKstQzferVeWqbgNs= +github.com/markbates/oncer v0.0.0-20180924031910-e862a676800b/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= +github.com/markbates/oncer v0.0.0-20180924034138-723ad0170a46/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= +github.com/markbates/oncer v0.0.0-20181014194634-05fccaae8fc4/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= +github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= +github.com/markbates/refresh v1.4.10/go.mod h1:NDPHvotuZmTmesXxr95C9bjlw1/0frJwtME2dzcVKhc= +github.com/markbates/safe v1.0.0/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= +github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= +github.com/markbates/sigtx v1.0.0/go.mod h1:QF1Hv6Ic6Ca6W+T+DL0Y/ypborFKyvUY9HmuCD4VeTc= +github.com/markbates/willie v1.0.9/go.mod h1:fsrFVWl91+gXpx/6dv715j7i11fYPfZ9ZGfH0DQzY7w= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= +github.com/mattn/go-ieproxy v0.0.0-20190610004146-91bb50d98149/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= +github.com/mattn/go-ieproxy v0.0.0-20190805055040-f9202b1cfdeb/go.mod h1:31jz6HNzdxOmlERGGEc4v/dMssOfmp2p5bT/okiKFFc= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= +github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4= +github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc= +github.com/miekg/dns v1.1.8/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/minio/cli v1.22.0/go.mod h1:bYxnK0uS629N3Bq+AOZZ+6lwF77Sodk4+UL9vNuXhOY= +github.com/minio/gokrb5/v7 v7.2.5/go.mod h1:z6fE6twrvMN004M+KRTHnmtfpxsBIztP0PVsak0/4f8= +github.com/minio/hdfs/v3 v3.0.1/go.mod h1:6ALh9HsAwG9xAXdpdrZJcSY0vR6z3K+9XIz6Y9pQG/c= +github.com/minio/highwayhash v1.0.0/go.mod h1:xQboMTeM9nY9v/LlAOxFctujiv5+Aq2hR5dxBpaMbdc= +github.com/minio/lsync v1.0.1/go.mod h1:tCFzfo0dlvdGl70IT4IAK/5Wtgb0/BrTmo/jE8pArKA= +github.com/minio/minio v0.0.0-20200114012931-30922148fbb5 h1:CjDeQ78sVdDrENJff3EUwVMUv9GfTL4NyLvjE/Bvrd8= +github.com/minio/minio v0.0.0-20200114012931-30922148fbb5/go.mod h1:HH1U0HOUzfjsCGlGCncWDh8L3zPejMhMDDsLAETqXs0= +github.com/minio/minio-go/v6 v6.0.44/go.mod h1:qD0lajrGW49lKZLtXKtCB4X/qkMf0a5tBvN2PaZg7Gg= +github.com/minio/parquet-go v0.0.0-20191231003236-20b3c07bcd2c/go.mod h1:sl82d+TnCE7qeaNJazHdNoG9Gpyl9SZYfleDAQWrsls= +github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= +github.com/minio/sio v0.2.0/go.mod h1:nKM5GIWSrqbOZp0uhyj6M1iA0X6xQzSGtYSaTKSCut0= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.0.0/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= +github.com/monoculum/formam v0.0.0-20180901015400-4e68be1d79ba/go.mod h1:RKgILGEJq24YyJ2ban8EO0RUVSJlF1pGsEvoLEACr/Q= +github.com/moul/http2curl v0.0.0-20170919181001-9ac6cf4d929b/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nats-io/gnatsd v1.4.1/go.mod h1:nqco77VO78hLCJpIcVfygDP2rPGfsEHkGTUk94uh5DQ= +github.com/nats-io/go-nats v1.7.2/go.mod h1:+t7RHT5ApZebkrQdnn6AhQJmhJJiKAvJUio1PiiCtj0= +github.com/nats-io/go-nats-streaming v0.4.4/go.mod h1:gfq4R3c9sKAINOpelo0gn/b9QDMBZnmrttcsNF+lqyo= +github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg= +github.com/nats-io/jwt v0.3.2/go.mod h1:/euKqTS1ZD+zzjYrY7pseZrTtWQSjujC7xjPc8wL6eU= +github.com/nats-io/nats-server v1.4.1/go.mod h1:c8f/fHd2B6Hgms3LtCaI7y6pC4WD1f4SUxcCud5vhBc= +github.com/nats-io/nats-server/v2 v2.1.2/go.mod h1:Afk+wRZqkMQs/p45uXdrVLuab3gwv3Z8C4HTBu8GD/k= +github.com/nats-io/nats-streaming-server v0.14.2/go.mod h1:RyqtDJZvMZO66YmyjIYdIvS69zu/wDAkyNWa8PIUa5c= +github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w= +github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= +github.com/nats-io/stan.go v0.4.5/go.mod h1:Ji7mK6gRZJSH1nc3ZJH6vi7zn/QnZhpR9Arm4iuzsUQ= +github.com/ncw/directio v1.0.5/go.mod h1:rX/pKEYkOXBGOggmcyJeJGloCkleSvphPx2eV3t6ROk= +github.com/nicksnyder/go-i18n v1.10.0/go.mod h1:HrK7VCrbOvQoUAQ7Vpy7i87N7JZZZ7R2xBGjv0j365Q= +github.com/nirmata/client-go v0.17.5-0.20200625181911-7e81180b291e h1:EZ4Yi82Z8uK7OgebBoAQvQaEYoQy0OV4KdYFXoXdDgU= +github.com/nirmata/client-go v0.17.5-0.20200625181911-7e81180b291e/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc= +github.com/nsqio/go-nsq v1.0.7/go.mod h1:XP5zaUs3pqf+Q71EqUJs3HYfBIqfK6G83WQMdNN+Ito= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/oleiade/reflections v1.0.0/go.mod h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v0.0.0-20190113212917-5533ce8a0da3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.4.1/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U= +github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= +github.com/ory/dockertest v3.3.5+incompatible/go.mod h1:1vX4m9wsvi00u5bseYwXaSnhNrne+V0E6LAcBILJdPs= +github.com/ory/fosite v0.29.0/go.mod h1:0atSZmXO7CAcs6NPMI/Qtot8tmZYj04Nddoold4S2h0= +github.com/ory/go-acc v0.0.0-20181118080137-ddc355013f90/go.mod h1:sxnvPCxChFuSmTJGj8FdMupeq1BezCiEpDjTUXQ4hf4= +github.com/ory/go-acc v0.2.1/go.mod h1:0omgy2aa3nDBJ45VAKeLHH8ccPBudxLeic4xiDRtug0= +github.com/ory/go-convenience v0.1.0/go.mod h1:uEY/a60PL5c12nYz4V5cHY03IBmwIAEm8TWB0yn9KNs= +github.com/ory/gojsonreference v0.0.0-20190720135523-6b606c2d8ee8/go.mod h1:wsH1C4nIeeQClDtD5AH7kF1uTS6zWyqfjVDTmB0Em7A= +github.com/ory/gojsonschema v1.1.1-0.20190919112458-f254ca73d5e9/go.mod h1:BNZpdJgB74KOLSsWFvzw6roXg1I6O51WO8roMmW+T7Y= +github.com/ory/herodot v0.6.2/go.mod h1:3BOneqcyBsVybCPAJoi92KN2BpJHcmDqAMcAAaJiJow= +github.com/ory/viper v1.5.6/go.mod h1:TYmpFpKLxjQwvT4f0QPpkOn4sDXU1kDgAwJpgLYiQ28= +github.com/ory/x v0.0.85/go.mod h1:s44V8t3xyjWZREcU+mWlp4h302rTuM4aLXcW+y5FbQ8= +github.com/parnurzeal/gorequest v0.2.15/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pborman/getopt v0.0.0-20180729010549-6fdd0a2c7117/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o= +github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pierrec/lz4 v2.2.6+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/profile v1.2.1/go.mod h1:hJw3o1OdXxsrSjjVksARp5W95eeEaEfptyVZyv6JUPA= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rcrowley/go-metrics v0.0.0-20190704165056-9c2d0518ed81/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rjeczalik/notify v0.9.2/go.mod h1:aErll2f0sUX9PXZnVNyeiObbmTlk5jnMoCa4QEjJeqM= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-internal v1.0.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/godef v1.1.2/go.mod h1:WtY9A/ovuQ+UakAJ1/CEqwwulX/WJjb2kgkokCHi/GY= +github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= +github.com/rubenv/sql-migrate v0.0.0-20190212093014-1007f53448d7/go.mod h1:WS0rl9eEliYI8DPnr3TOwz4439pay+qNgzJoVya/DmY= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/santhosh-tekuri/jsonschema v1.2.4/go.mod h1:TEAUOeZSmIxTTuHatJzrvARHiuO9LYd+cIxzgEHCQI4= +github.com/santhosh-tekuri/jsonschema/v2 v2.1.0/go.mod h1:yzJzKUGV4RbWqWIBBP4wSOBqavX5saE02yirLS0OTyg= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/secure-io/sio-go v0.3.0/go.mod h1:D3KmXgKETffyYxBdFRN+Hpd2WzhzqS0EQwT3XWsAcBU= +github.com/segmentio/analytics-go v3.0.1+incompatible/go.mod h1:C7CYBtQWk4vRk2RyLu0qOcbHJ18E3F1HV2C/8JvKN48= +github.com/segmentio/backo-go v0.0.0-20160424052352-204274ad699c/go.mod h1:kJ9mm9YmoWSkk+oQ+5Cj8DEoRCX2JT6As4kEtIIOp1M= +github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shirou/gopsutil v2.18.12+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= +github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= +github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk= +github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ= +github.com/shurcooL/highlight_diff v0.0.0-20170515013008-09bb4053de1b/go.mod h1:ZpfEhSmds4ytuByIcDnOLkTHGUI6KNqRNPDLHDk+mUU= +github.com/shurcooL/highlight_go v0.0.0-20170515013102-78fb10f4a5f8/go.mod h1:UDKB5a1T23gOMUJrI+uSuH0VRDStOiUVSjBTRDVBVag= +github.com/shurcooL/octicon v0.0.0-20180602230221-c42b0e3b24d9/go.mod h1:eWdoE5JD4R5UVWDucdOPg1g2fqQRq78IQa9zlOV1vpQ= +github.com/shurcooL/sanitized_anchor_name v0.0.0-20170918181015-86672fcb3f95/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc= +github.com/sirupsen/logrus v1.1.0/go.mod h1:zrgwTnHtNr00buQ1vSptGe8m1f/BbgsPukg8qsT7A+A= +github.com/sirupsen/logrus v1.1.1/go.mod h1:zrgwTnHtNr00buQ1vSptGe8m1f/BbgsPukg8qsT7A+A= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/skyrings/skyring-common v0.0.0-20160929130248-d1c0bb1cbd5e/go.mod h1:d8hQseuYt4rJoOo21lFzYJdhMjmDqLY++ayArbgYjWI= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/assertions v0.0.0-20190401211740-f487f9de1cd3/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM= +github.com/smartystreets/goconvey v0.0.0-20180222194500-ef6db91d284a/go.mod h1:XDJAKZRPZ1CvBcN2aX5YOUTYGHki24fSF0Iv48Ibg0s= +github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE= +github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.0/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.2.0/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.2.1/go.mod h1:P4AexN0a+C9tGAnUFNwDMYYZv3pjFuvmeiMyKRaNVlI= +github.com/spf13/viper v1.3.1/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/subosito/gotenv v1.1.1/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= +github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5 h1:hNna6Fi0eP1f2sMBe/rJicDmaHmoXGe1Ta84FPYHLuE= +github.com/tevino/abool v0.0.0-20170917061928-9b9efcf221b5/go.mod h1:f1SCnEOt6sc3fOJfPQDRDzHOtSXuTtnz0ImG9kPRDV0= +github.com/tidwall/gjson v1.3.2/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJHhxOls= +github.com/tidwall/gjson v1.3.5/go.mod h1:P256ACg0Mn+j1RXIDXoss50DeIABTYK1PULOJHhxOls= +github.com/tidwall/match v1.0.1/go.mod h1:LujAq0jyVjBy028G1WhWfIzbpQfMO8bBZ6Tyb0+pL9E= +github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= +github.com/tidwall/sjson v1.0.4/go.mod h1:bURseu1nuBkFpIES5cz6zBtjmYeOQmEESshn7VpF15Y= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/uber-go/atomic v1.3.2/go.mod h1:/Ct5t2lcmbJ4OSe/waGBoaVvVqtO0bmtfVNex1PFV8g= +github.com/uber/jaeger-client-go v2.15.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= +github.com/uber/jaeger-lib v1.5.0/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go v1.1.5-pre/go.mod h1:FwP/aQVg39TXzItUBMwnWp9T9gPQnXw4Poh4/oBQZ/0= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/ugorji/go/codec v1.1.5-pre/go.mod h1:tULtS6Gy1AE1yCENaw4Vb//HLH5njI2tfCQDUqRd8fI= +github.com/unrolled/secure v0.0.0-20180918153822-f340ee86eb8b/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA= +github.com/unrolled/secure v0.0.0-20181005190816-ff9db2ff917f/go.mod h1:mnPT77IAdsi/kV7+Es7y+pXALeV3h7G6dQF6mNYjcLA= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= +github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= +github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= +github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= +github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= +github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c/go.mod h1:UrdRz5enIKZ63MEE3IF9l2/ebyx59GyGgPi+tICQdmM= +github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180830192347-182538f80094/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181001203147-e3636079e1a4/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181009213950-7c1a557ab941/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181015023909-0c41d7ab0a0e/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181024171144-74cb1d3d52f4/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181025113841-85e1b3f9139a/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181106171534-e4dc69e5b2fd/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181112202954-3d3f9f413869/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181127143415-eb0de9b17e85/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190102171810-8d7daa0c54b3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190103213133-ff983b9c42bc/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191117063200-497ca9f6d64f/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo= +golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180816102801-aaf60122140d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180921000356-2f5d2388922f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180926154720-4dfa2610cdf3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181011144130-49bb7cea24b1/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181017193950-04a2e542c03f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181102091132-c10e9556a7bc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181106065722-10aee1819953/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181207154023-610586996380/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190206173232-65e2d4e15006/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20181003184128-c57b0facaced/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180816055513-1c9583448a9c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180831094639-fa5fdf94c789/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180906133057-8cf3aee42992/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180921163948-d47a0f339242/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180926160741-c2ed4eda69e7/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180927150500-dad3d9fb7b6e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181005133103-4497e2df6f9e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181011152604-fa43e7bc11ba/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181022134430-8a28ead16f52/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181024145615-5cd93ef61a7c/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181025063200-d989b31c8746/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026064943-731415f00dce/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181106135930-3a76605856fd/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181206074257-70b957f3b65e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190102155601-82a175fd1598/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190116161447-11f53e031339/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190130150945-aca44879d564/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190523142557-0e01d883c5c5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191105231009-c1f44814a5cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1 h1:gZpLHxUX5BdYLA08Lj4YCJNN/jk7KtquiArPoeX0WvA= +golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181003024731-2f84ea8ef872/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181006002542-f60d9635b16a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181008205924-a2b3f7f249e9/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181013182035-5e66757b835f/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181017214349-06f26fdaaa28/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181024171208-a2dc47679d30/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181026183834-f60e5f99f081/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181105230042-78dc5bac0cac/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181107215632-34b416bd17b3/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181114190951-94339b83286c/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181119130350-139d099f6620/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181127195227-b4e97c0ed882/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181127232545-e782529d0ddd/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181203210056-e5f3ab76ea4b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181205224935-3576414c54a4/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181206194817-bcd4e47d0288/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181207183836-8bc39b988060/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181212172921-837e80568c09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190102213336-ca9055ed7d04/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190104182027-498d95493402/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190111214448-fc1d57b08d7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190118193359-16909d206f00/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190624190245-7f2218787638/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190711191110-9a621aea19f8/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200226224502-204d844ad48d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.5.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190508193815-b515fa19cec8/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190513181449-d00d292a067c/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= +google.golang.org/genproto v0.0.0-20190626174449-989357319d63/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= +google.golang.org/genproto v0.0.0-20190708153700-3bdd9d9f5532/go.mod h1:z3L6/3dTEVtUr6QSP8miRzeRqwQOioJ9I66odjN4I7s= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk= +gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo= +gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df/go.mod h1:LRQQ+SO6ZHR7tOkpBDuZnXENFzX8qRjMDMyPD6BRkCw= +gopkg.in/gorp.v1 v1.7.2/go.mod h1:Wo3h+DBQZIxATwftsglhdD/62zRFPhGhTiu5jUJmCaw= +gopkg.in/inf.v0 v0.9.0/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/ini.v1 v1.48.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/jcmturner/aescts.v1 v1.0.1/go.mod h1:nsR8qBOg+OucoIW+WMhB3GspUQXq9XorLnQb9XtvcOo= +gopkg.in/jcmturner/dnsutils.v1 v1.0.1/go.mod h1:m3v+5svpVOhtFAP/wSz+yzh4Mc0Fg7eRhxkJMWSIz9Q= +gopkg.in/jcmturner/goidentity.v3 v3.0.0/go.mod h1:oG2kH0IvSYNIu80dVAyu/yoefjq1mNfM5bm88whjWx4= +gopkg.in/jcmturner/gokrb5.v7 v7.2.3/go.mod h1:l8VISx+WGYp+Fp7KRbsiUuXTTOnxIc3Tuvyavf11/WM= +gopkg.in/jcmturner/rpc.v1 v1.1.0/go.mod h1:YIdkC4XfD6GXbzje11McwsDuOlZQSb9W4vfLvuNnlv8= +gopkg.in/ldap.v3 v3.0.3/go.mod h1:oxD7NyBuxchC+SgJDE1Q5Od05eGt29SDQVBmV+HYbzw= +gopkg.in/mail.v2 v2.0.0-20180731213649-a0242b2233b4/go.mod h1:htwXN1Qh09vZJ1NVKxQqHPBaCBbzKhp5GzuJEA4VJWw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/olivere/elastic.v5 v5.0.80/go.mod h1:uhHoB4o3bvX5sorxBU29rPcmBQdV2Qfg0FBrx5D6pV0= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.1.9/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/urfave/cli.v1 v1.20.0/go.mod h1:vuBzUtMdQeixQj8LVd+/98pzhxNGQoyuPBlsXHOQNO0= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +k8s.io/api v0.17.2/go.mod h1:BS9fjjLc4CMuqfSO8vgbHPKMt5+SF0ET6u/RVDihTo4= +k8s.io/api v0.17.4 h1:HbwOhDapkguO8lTAE8OX3hdF2qp8GtpC9CW/MQATXXo= +k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA= +k8s.io/apiextensions-apiserver v0.17.2/go.mod h1:4KdMpjkEjjDI2pPfBA15OscyNldHWdBCfsWMDWAmSTs= +k8s.io/apimachinery v0.0.0-20190612125636-6a5db36e93ad/go.mod h1:I4A+glKBHiTgiEjQiCCQfCAIcIMFGt291SmsvcrFzJA= +k8s.io/apimachinery v0.17.2/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw= +k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g= +k8s.io/apiserver v0.17.2/go.mod h1:lBmw/TtQdtxvrTk0e2cgtOxHizXI+d0mmGQURIHQZlo= +k8s.io/cli-runtime v0.17.4/go.mod h1:IVW4zrKKx/8gBgNNkhiUIc7nZbVVNhc1+HcQh+PiNHc= +k8s.io/client-go v0.17.2/go.mod h1:QAzRgsa0C2xl4/eVpeVAZMvikCn8Nm81yqVx3Kk9XYI= +k8s.io/client-go v0.17.4/go.mod h1:ouF6o5pz3is8qU0/qYL2RnoxOPqgfuidYLowytyLJmc= +k8s.io/code-generator v0.0.0-20200306081859-6a048a382944/go.mod h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= +k8s.io/component-base v0.0.0-20190612130303-4062e14deebe/go.mod h1:MmIDXnint3qMN0cqXHKrSiJ2XQKo3J1BPIz7in7NvO0= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.1/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c h1:/KUFqjjqAcY4Us6luF5RDNZ16KJtb49HfR3ZHB9qYXM= +k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= +k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200109141947-94aeca20bf09 h1:sz6xjn8QP74104YNmJpzLbJ+a3ZtHt0tkD0g8vpdWNw= +k8s.io/utils v0.0.0-20200109141947-94aeca20bf09/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/controller-runtime v0.5.0 h1:CbqIy5fbUX+4E9bpnBFd204YAzRYlM9SWW77BbrcDQo= +sigs.k8s.io/controller-runtime v0.5.0/go.mod h1:REiJzC7Y00U+2YkMbT8wxgrsX5USpXKGhb2sCtAXiT8= +sigs.k8s.io/kustomize v2.0.3+incompatible/go.mod h1:MkjgH3RdOWrievjo6c9T245dYlB5QeXV4WCbnt/PEpU= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/pkg/api/kyverno/v1/types.go b/pkg/api/kyverno/v1/types.go index 29c44b4385..c4b4f3b8d8 100644 --- a/pkg/api/kyverno/v1/types.go +++ b/pkg/api/kyverno/v1/types.go @@ -121,7 +121,7 @@ type Policy struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` Spec Spec `json:"spec"` - Status PolicyStatus `json:"status"` + Status PolicyStatus `json:"status,omitempty"` } // Spec describes policy behavior by its rules @@ -155,9 +155,11 @@ type ConditionOperator string const ( //Equal for Equal operator - Equal ConditionOperator = "Equal" + Equal ConditionOperator = "Equal" + Equals ConditionOperator = "Equals" //NotEqual for NotEqual operator - NotEqual ConditionOperator = "NotEqual" + NotEqual ConditionOperator = "NotEqual" + NotEquals ConditionOperator = "NotEquals" //In for In operator In ConditionOperator = "In" //NotIn for NotIn operator @@ -211,13 +213,19 @@ type Validation struct { Message string `json:"message,omitempty"` Pattern interface{} `json:"pattern,omitempty"` AnyPattern []interface{} `json:"anyPattern,omitempty"` + Deny *Deny `json:"deny,omitempty"` +} + +type Deny struct { + Conditions []Condition `json:"conditions,omitempty"` } // Generation describes which resources will be created when other resource is created type Generation struct { ResourceSpec - Data interface{} `json:"data,omitempty"` - Clone CloneFrom `json:"clone,omitempty"` + Synchronize bool `json:"synchronize,omitempty"` + Data interface{} `json:"data,omitempty"` + Clone CloneFrom `json:"clone,omitempty"` } // CloneFrom - location of the resource @@ -230,7 +238,7 @@ type CloneFrom struct { // PolicyStatus mostly contains statistics related to policy type PolicyStatus struct { // average time required to process the policy rules on a resource - AvgExecutionTime string `json:"averageExecutionTime"` + AvgExecutionTime string `json:"averageExecutionTime,omitempty"` // number of violations created by this policy ViolationCount int `json:"violationCount,omitempty"` // Count of rules that failed diff --git a/pkg/api/kyverno/v1/utils.go b/pkg/api/kyverno/v1/utils.go index abe266eabd..b76363b447 100644 --- a/pkg/api/kyverno/v1/utils.go +++ b/pkg/api/kyverno/v1/utils.go @@ -2,8 +2,14 @@ package v1 import "reflect" +func (p *ClusterPolicy) HasAutoGenAnnotation() bool { + annotations := p.GetAnnotations() + _, ok := annotations["pod-policies.kyverno.io/autogen-controllers"] + return ok +} + //HasMutateOrValidateOrGenerate checks for rule types -func (p ClusterPolicy) HasMutateOrValidateOrGenerate() bool { +func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool { for _, rule := range p.Spec.Rules { if rule.HasMutate() || rule.HasValidate() || rule.HasGenerate() { return true @@ -12,6 +18,14 @@ func (p ClusterPolicy) HasMutateOrValidateOrGenerate() bool { return false } +func (p *ClusterPolicy) BackgroundProcessingEnabled() bool { + if p.Spec.Background == nil { + return true + } + + return *p.Spec.Background +} + //HasMutate checks for mutate rule func (r Rule) HasMutate() bool { return !reflect.DeepEqual(r.Mutation, Mutation{}) diff --git a/pkg/api/kyverno/v1/zz_generated.deepcopy.go b/pkg/api/kyverno/v1/zz_generated.deepcopy.go index d4d7cc6820..ff1a7c63e4 100644 --- a/pkg/api/kyverno/v1/zz_generated.deepcopy.go +++ b/pkg/api/kyverno/v1/zz_generated.deepcopy.go @@ -74,7 +74,7 @@ func (in *ClusterPolicy) DeepCopyObject() runtime.Object { func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList) { *out = *in out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items *out = make([]ClusterPolicy, len(*in)) @@ -135,7 +135,7 @@ func (in *ClusterPolicyViolation) DeepCopyObject() runtime.Object { func (in *ClusterPolicyViolationList) DeepCopyInto(out *ClusterPolicyViolationList) { *out = *in out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items *out = make([]ClusterPolicyViolation, len(*in)) @@ -241,7 +241,7 @@ func (in *GenerateRequestContext) DeepCopy() *GenerateRequestContext { func (in *GenerateRequestList) DeepCopyInto(out *GenerateRequestList) { *out = *in out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items *out = make([]GenerateRequest, len(*in)) @@ -420,7 +420,7 @@ func (in *PolicyViolation) DeepCopyObject() runtime.Object { func (in *PolicyViolationList) DeepCopyInto(out *PolicyViolationList) { *out = *in out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items *out = make([]PolicyViolation, len(*in)) diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go new file mode 100644 index 0000000000..8f1ef24e1e --- /dev/null +++ b/pkg/auth/auth.go @@ -0,0 +1,108 @@ +package auth + +import ( + "fmt" + "reflect" + + "github.com/go-logr/logr" + client "github.com/nirmata/kyverno/pkg/dclient" + authorizationv1 "k8s.io/api/authorization/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +//CanIOptions provides utility ti check if user has authorization for the given operation +type CanIOptions struct { + namespace string + verb string + kind string + client *client.Client + log logr.Logger +} + +//NewCanI returns a new instance of operation access controler evaluator +func NewCanI(client *client.Client, kind, namespace, verb string, log logr.Logger) *CanIOptions { + o := CanIOptions{ + client: client, + log: log, + } + + o.namespace = namespace + o.kind = kind + o.verb = verb + + return &o +} + +//RunAccessCheck checks if the caller can perform the operation +// - operation is a combination of namespace, kind, verb +// - can only evaluate a single verb +// - group version resource is determined from the kind using the discovery client REST mapper +// - If disallowed, the reason and evaluationError is avialable in the logs +// - each can generates a SelfSubjectAccessReview resource and response is evaluated for permissions +func (o *CanIOptions) RunAccessCheck() (bool, error) { + // get GroupVersionResource from RESTMapper + // get GVR from kind + gvr := o.client.DiscoveryClient.GetGVRFromKind(o.kind) + if reflect.DeepEqual(gvr, schema.GroupVersionResource{}) { + // cannot find GVR + return false, fmt.Errorf("failed to get the Group Version Resource for kind %s", o.kind) + } + + sar := &authorizationv1.SelfSubjectAccessReview{ + Spec: authorizationv1.SelfSubjectAccessReviewSpec{ + ResourceAttributes: &authorizationv1.ResourceAttributes{ + Namespace: o.namespace, + Verb: o.verb, + Group: gvr.Group, + Resource: gvr.Resource, + }, + }, + } + // Set self subject access review + // - namespace + // - verb + // - resource + // - subresource + logger := o.log.WithValues("kind", sar.Kind, "namespace", sar.Namespace, "name", sar.Name) + + // Create the Resource + resp, err := o.client.CreateResource("SelfSubjectAccessReview", "", sar, false) + if err != nil { + logger.Error(err, "failed to create resource") + return false, err + } + + // status.allowed + allowed, ok, err := unstructured.NestedBool(resp.Object, "status", "allowed") + if !ok { + if err != nil { + logger.Error(err, "failed to get the field", "field", "status.allowed") + } + logger.Info("field not found", "field", "status.allowed") + } + + if !allowed { + // status.reason + reason, ok, err := unstructured.NestedString(resp.Object, "status", "reason") + if !ok { + if err != nil { + logger.Error(err, "failed to get the field", "field", "status.reason") + } + logger.Info("field not found", "field", "status.reason") + } + // status.evaluationError + evaluationError, ok, err := unstructured.NestedString(resp.Object, "status", "evaludationError") + if !ok { + if err != nil { + logger.Error(err, "failed to get the field", "field", "status.evaluationError") + } + logger.Info("field not found", "field", "status.evaluationError") + } + + // Reporting ? (just logs) + logger.Info("disallowed operation", "reason", reason, "evaluationError", evaluationError) + } + + return allowed, nil +} diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go new file mode 100644 index 0000000000..6dbc800285 --- /dev/null +++ b/pkg/auth/auth_test.go @@ -0,0 +1,48 @@ +package auth + +// import ( +// "testing" +// "time" + +// "github.com/golang/glog" +// "github.com/nirmata/kyverno/pkg/config" +// dclient "github.com/nirmata/kyverno/pkg/dclient" +// "github.com/nirmata/kyverno/pkg/signal" +// ) + +// func Test_Auth_pass(t *testing.T) { +// // needs running cluster +// var kubeconfig string +// stopCh := signal.SetupSignalHandler() +// kubeconfig = "/Users/shivd/.kube/config" +// clientConfig, err := config.CreateClientConfig(kubeconfig) +// if err != nil { +// glog.Fatalf("Error building kubeconfig: %v\n", err) +// } + +// // DYNAMIC CLIENT +// // - client for all registered resources +// // - invalidate local cache of registered resource every 10 seconds +// client, err := dclient.NewClient(clientConfig, 10*time.Second, stopCh) +// if err != nil { +// glog.Fatalf("Error creating client: %v\n", err) +// } + +// // Can i authenticate + +// kind := "Deployment" +// namespace := "default" +// verb := "test" +// canI := NewCanI(client, kind, namespace, verb) +// ok, err := canI.RunAccessCheck() +// if err != nil { +// t.Error(err) +// } +// if ok { +// t.Log("allowed") +// } else { +// t.Log("notallowed") +// } +// t.FailNow() + +// } diff --git a/pkg/checker/checker.go b/pkg/checker/checker.go index 762776dffd..b0a3016b31 100644 --- a/pkg/checker/checker.go +++ b/pkg/checker/checker.go @@ -1,10 +1,11 @@ package checker import ( + "fmt" "sync" "time" - "github.com/golang/glog" + "github.com/go-logr/logr" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" dclient "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/event" @@ -20,8 +21,9 @@ const ( // LastReqTime stores the lastrequest times for incoming api-requests type LastReqTime struct { - t time.Time - mu sync.RWMutex + t time.Time + mu sync.RWMutex + log logr.Logger } //Time returns the lastrequest time @@ -31,25 +33,28 @@ func (t *LastReqTime) Time() time.Time { return t.t } -//SetTime stes the lastrequest time +//SetTime updates the lastrequest time func (t *LastReqTime) SetTime(tm time.Time) { t.mu.Lock() defer t.mu.Unlock() + t.t = tm } //NewLastReqTime returns a new instance of LastRequestTime store -func NewLastReqTime() *LastReqTime { +func NewLastReqTime(log logr.Logger) *LastReqTime { return &LastReqTime{ - t: time.Now(), + t: time.Now(), + log: log, } } -func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister) bool { +func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolicyLister, log logr.Logger) bool { policies, err := pLister.ListResources(labels.NewSelector()) if err != nil { - glog.Error() + log.Error(err, "failed to list cluster policies") } + for _, policy := range policies { if policy.HasMutateOrValidateOrGenerate() { // as there exists one policy with mutate or validate rule @@ -57,20 +62,22 @@ func checkIfPolicyWithMutateAndGenerateExists(pLister kyvernolister.ClusterPolic return true } } + return false } //Run runs the checker and verify the resource update func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen event.Interface, client *dclient.Client, defaultResync time.Duration, deadline time.Duration, stopCh <-chan struct{}) { - glog.V(2).Infof("starting default resync for webhook checker with resync time %d nanoseconds", defaultResync) + logger := t.log + logger.V(4).Info("starting default resync for webhook checker", "resyncTime", defaultResync) maxDeadline := deadline * time.Duration(MaxRetryCount) ticker := time.NewTicker(defaultResync) /// interface to update and increment kyverno webhook status via annotations - statuscontrol := NewVerifyControl(client, eventGen) + statuscontrol := NewVerifyControl(client, eventGen, logger.WithName("StatusControl")) // send the initial update status - if checkIfPolicyWithMutateAndGenerateExists(pLister) { + if checkIfPolicyWithMutateAndGenerateExists(pLister, logger) { if err := statuscontrol.SuccessStatus(); err != nil { - glog.Error(err) + logger.Error(err, "failed to set 'success' status") } } @@ -82,38 +89,40 @@ func (t *LastReqTime) Run(pLister kyvernolister.ClusterPolicyLister, eventGen ev for { select { case <-ticker.C: - // if there are no policies then we dont have a webhook on resource. - // we indirectly check if the resource - if !checkIfPolicyWithMutateAndGenerateExists(pLister) { + if !checkIfPolicyWithMutateAndGenerateExists(pLister, logger) { continue } - // get current time + timeDiff := time.Since(t.Time()) if timeDiff > maxDeadline { - glog.Infof("failed to receive any request for more than %v ", maxDeadline) - glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations") - // set the status unavailable + err := fmt.Errorf("Admission control configuration error") + logger.Error(err, "webhook check failed", "deadline", maxDeadline) if err := statuscontrol.FailedStatus(); err != nil { - glog.Error(err) + logger.Error(err, "error setting webhook check status to failed") } + continue } + if timeDiff > deadline { - glog.Info("Admission Control failing: Webhook is not receiving requests forwarded by api-server as per webhook configurations") + logger.V(3).Info("webhook check deadline exceeded", "deadline", deadline) // send request to update the kyverno deployment if err := statuscontrol.IncrementAnnotation(); err != nil { - glog.Error(err) + logger.Error(err, "failed to increment annotation") } + continue } + // if the status was false before then we update it to true // send request to update the kyverno deployment if err := statuscontrol.SuccessStatus(); err != nil { - glog.Error(err) + logger.Error(err, "error setting webhook check status to success") } + case <-stopCh: // handler termination signal - glog.V(2).Infof("stopping default resync for webhook checker") + logger.V(2).Info("stopping default resync for webhook checker") return } } diff --git a/pkg/checker/status.go b/pkg/checker/status.go index 39b19189dd..401b022ed2 100644 --- a/pkg/checker/status.go +++ b/pkg/checker/status.go @@ -4,7 +4,7 @@ import ( "fmt" "strconv" - "github.com/golang/glog" + "github.com/go-logr/logr" dclient "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/event" ) @@ -13,7 +13,7 @@ const deployName string = "kyverno" const deployNamespace string = "kyverno" const annCounter string = "kyverno.io/generationCounter" -const annWebhookStats string = "kyverno.io/webhookActive" +const annWebhookStatus string = "kyverno.io/webhookActive" //StatusInterface provides api to update webhook active annotations on kyverno deployments type StatusInterface interface { @@ -29,6 +29,7 @@ type StatusInterface interface { type StatusControl struct { client *dclient.Client eventGen event.Interface + log logr.Logger } //SuccessStatus ... @@ -42,44 +43,51 @@ func (vc StatusControl) FailedStatus() error { } // NewVerifyControl ... -func NewVerifyControl(client *dclient.Client, eventGen event.Interface) *StatusControl { +func NewVerifyControl(client *dclient.Client, eventGen event.Interface, log logr.Logger) *StatusControl { return &StatusControl{ client: client, eventGen: eventGen, + log: log, } } func (vc StatusControl) setStatus(status string) error { - glog.Infof("setting deployment %s in ns %s annotation %s to %s", deployName, deployNamespace, annWebhookStats, status) + logger := vc.log.WithValues("name", deployName, "namespace", deployNamespace) var ann map[string]string var err error deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName) if err != nil { - glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err) + logger.Error(err, "failed to get deployment") return err } + ann = deploy.GetAnnotations() if ann == nil { ann = map[string]string{} - ann[annWebhookStats] = status + ann[annWebhookStatus] = status } - webhookAction, ok := ann[annWebhookStats] + + deployStatus, ok := ann[annWebhookStatus] if ok { // annotatiaion is present - if webhookAction == status { - glog.V(4).Infof("annotation %s already set to '%s'", annWebhookStats, status) + if deployStatus == status { + logger.V(4).Info(fmt.Sprintf("annotation %s already set to '%s'", annWebhookStatus, status)) return nil } } + // set the status - ann[annWebhookStats] = status + logger.Info("updating deployment annotation", "key", annWebhookStatus, "val", status) + ann[annWebhookStatus] = status deploy.SetAnnotations(ann) + // update counter _, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false) if err != nil { - glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annWebhookStats, deployName, deployNamespace, err) + logger.Error(err, "failed to update deployment annotation", "key", annWebhookStatus, "val", status) return err } + // create event on kyverno deployment createStatusUpdateEvent(status, vc.eventGen) return nil @@ -97,34 +105,43 @@ func createStatusUpdateEvent(status string, eventGen event.Interface) { //IncrementAnnotation ... func (vc StatusControl) IncrementAnnotation() error { - glog.Infof("setting deployment %s in ns %s annotation %s", deployName, deployNamespace, annCounter) + logger := vc.log var ann map[string]string var err error deploy, err := vc.client.GetResource("Deployment", deployNamespace, deployName) if err != nil { - glog.V(4).Infof("failed to get deployment %s in namespace %s: %v", deployName, deployNamespace, err) + logger.Error(err, "failed to find Kyverno", "deploymeny", deployName, "namespace", deployNamespace) return err } + ann = deploy.GetAnnotations() if ann == nil { ann = map[string]string{} + } + + if ann[annCounter] == "" { ann[annCounter] = "0" } + counter, err := strconv.Atoi(ann[annCounter]) if err != nil { - glog.V(4).Infof("failed to parse string: %v", err) + logger.Error(err, "Failed to parse string", "name", annCounter, "value", ann[annCounter]) return err } + // increment counter counter++ ann[annCounter] = strconv.Itoa(counter) - glog.Infof("incrementing annotation %s counter to %d", annCounter, counter) + + logger.V(3).Info("updating webhook test annotation", "key", annCounter, "value", counter, "deployment", deployName, "namespace", deployNamespace) deploy.SetAnnotations(ann) + // update counter _, err = vc.client.UpdateResource("Deployment", deployNamespace, deploy, false) if err != nil { - glog.V(4).Infof("failed to update annotation %s for deployment %s in namespace %s: %v", annCounter, deployName, deployNamespace, err) + logger.Error(err, fmt.Sprintf("failed to update annotation %s for deployment %s in namespace %s", annCounter, deployName, deployNamespace)) return err } + return nil } diff --git a/pkg/client/clientset/versioned/clientset.go b/pkg/client/clientset/versioned/clientset.go index 5fbce444ff..8aa7b0e529 100644 --- a/pkg/client/clientset/versioned/clientset.go +++ b/pkg/client/clientset/versioned/clientset.go @@ -19,6 +19,8 @@ limitations under the License. package versioned import ( + "fmt" + kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1" discovery "k8s.io/client-go/discovery" rest "k8s.io/client-go/rest" @@ -51,9 +53,14 @@ func (c *Clientset) Discovery() discovery.DiscoveryInterface { } // NewForConfig creates a new Clientset for the given config. +// If config's RateLimiter is not set and QPS and Burst are acceptable, +// NewForConfig will generate a rate-limiter in configShallowCopy. func NewForConfig(c *rest.Config) (*Clientset, error) { configShallowCopy := *c if configShallowCopy.RateLimiter == nil && configShallowCopy.QPS > 0 { + if configShallowCopy.Burst <= 0 { + return nil, fmt.Errorf("Burst is required to be greater than 0 when RateLimiter is not set and QPS is set to greater than 0") + } configShallowCopy.RateLimiter = flowcontrol.NewTokenBucketRateLimiter(configShallowCopy.QPS, configShallowCopy.Burst) } var cs Clientset diff --git a/pkg/client/clientset/versioned/fake/clientset_generated.go b/pkg/client/clientset/versioned/fake/clientset_generated.go index 215b1d997a..c3264dcb64 100644 --- a/pkg/client/clientset/versioned/fake/clientset_generated.go +++ b/pkg/client/clientset/versioned/fake/clientset_generated.go @@ -41,7 +41,7 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset { } } - cs := &Clientset{} + cs := &Clientset{tracker: o} cs.discovery = &fakediscovery.FakeDiscovery{Fake: &cs.Fake} cs.AddReactor("*", "*", testing.ObjectReaction(o)) cs.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) { @@ -63,12 +63,17 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset { type Clientset struct { testing.Fake discovery *fakediscovery.FakeDiscovery + tracker testing.ObjectTracker } func (c *Clientset) Discovery() discovery.DiscoveryInterface { return c.discovery } +func (c *Clientset) Tracker() testing.ObjectTracker { + return c.tracker +} + var _ clientset.Interface = &Clientset{} // KyvernoV1 retrieves the KyvernoV1Client diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go index 4a90cf5ba8..482e66ffc7 100644 --- a/pkg/client/clientset/versioned/fake/register.go +++ b/pkg/client/clientset/versioned/fake/register.go @@ -29,7 +29,8 @@ import ( var scheme = runtime.NewScheme() var codecs = serializer.NewCodecFactory(scheme) -var parameterCodec = runtime.NewParameterCodec(scheme) + +// var parameterCodec = runtime.NewParameterCodec(scheme) var localSchemeBuilder = runtime.SchemeBuilder{ kyvernov1.AddToScheme, } diff --git a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go index 54d8944680..8c1b5a0ea8 100644 --- a/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go +++ b/pkg/client/clientset/versioned/typed/kyverno/v1/kyverno_client.go @@ -21,7 +21,6 @@ package v1 import ( v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme" - serializer "k8s.io/apimachinery/pkg/runtime/serializer" rest "k8s.io/client-go/rest" ) @@ -86,7 +85,7 @@ func setConfigDefaults(config *rest.Config) error { gv := v1.SchemeGroupVersion config.GroupVersion = &gv config.APIPath = "/apis" - config.NegotiatedSerializer = serializer.DirectCodecFactory{CodecFactory: scheme.Codecs} + config.NegotiatedSerializer = scheme.Codecs.WithoutConversion() if config.UserAgent == "" { config.UserAgent = rest.DefaultKubernetesUserAgent() diff --git a/pkg/config/config.go b/pkg/config/config.go index 241728a2c7..7fced60350 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -1,9 +1,7 @@ package config import ( - "flag" - - "github.com/golang/glog" + "github.com/go-logr/logr" rest "k8s.io/client-go/rest" clientcmd "k8s.io/client-go/tools/clientcmd" ) @@ -72,31 +70,19 @@ var ( PolicyMutatingWebhookServicePath = "/policymutate" //VerifyMutatingWebhookServicePath is the path for verify webhook(used to veryfing if admission control is enabled and active) VerifyMutatingWebhookServicePath = "/verifymutate" + // LivenessServicePath is the path for check liveness health + LivenessServicePath = "/health/liveness" + // ReadinessServicePath is the path for check readness health + ReadinessServicePath = "/health/readiness" ) -//LogDefaultFlags sets default glog flags -func LogDefaultFlags() { - var err error - err = flag.Set("logtostderr", "true") - if err != nil { - glog.Fatalf("failed to set flag 'logtostderr' to 'true':%v", err) - } - err = flag.Set("stderrthreshold", "WARNING") - if err != nil { - glog.Fatalf("failed to set flag 'stderrthreshold' to 'WARNING':%v", err) - } - flag.Set("v", "2") - if err != nil { - glog.Fatalf("failed to set flag 'v' to '2':%v", err) - } -} - //CreateClientConfig creates client config -func CreateClientConfig(kubeconfig string) (*rest.Config, error) { +func CreateClientConfig(kubeconfig string, log logr.Logger) (*rest.Config, error) { + logger := log.WithName("CreateClientConfig") if kubeconfig == "" { - glog.Info("Using in-cluster configuration") + logger.Info("Using in-cluster configuration") return rest.InClusterConfig() } - glog.V(4).Infof("Using configuration from '%s'", kubeconfig) + logger.V(4).Info("Using specified kubeconfig", "kubeconfig", kubeconfig) return clientcmd.BuildConfigFromFlags("", kubeconfig) } diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go index 6bf624e7bb..1787f67bd9 100644 --- a/pkg/config/dynamicconfig.go +++ b/pkg/config/dynamicconfig.go @@ -1,14 +1,13 @@ package config import ( - "fmt" "os" "reflect" "regexp" "strings" "sync" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/minio/minio/pkg/wildcard" v1 "k8s.io/api/core/v1" informers "k8s.io/client-go/informers/core/v1" @@ -31,6 +30,7 @@ type ConfigData struct { filters []k8Resource // hasynced cmSycned cache.InformerSynced + log logr.Logger } // ToFilter checks if the given resource is set to be filtered in the configuration @@ -51,20 +51,21 @@ type Interface interface { } // NewConfigData ... -func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string) *ConfigData { +func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapInformer, filterK8Resources string, log logr.Logger) *ConfigData { // environment var is read at start only if cmNameEnv == "" { - glog.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration") + log.Info("ConfigMap name not defined in env:INIT_CONFIG: loading no default configuration") } cd := ConfigData{ client: rclient, cmName: os.Getenv(cmNameEnv), cmSycned: cmInformer.Informer().HasSynced, + log: log, } //TODO: this has been added to backward support command line arguments // will be removed in future and the configuration will be set only via configmaps if filterK8Resources != "" { - glog.Info("Init configuration from commandline arguments") + cd.log.Info("init configuration from commandline arguments") cd.initFilters(filterK8Resources) } @@ -78,9 +79,10 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI //Run checks syncing func (cd *ConfigData) Run(stopCh <-chan struct{}) { + logger := cd.log // wait for cache to populate first time if !cache.WaitForCacheSync(stopCh, cd.cmSycned) { - glog.Error("configuration: failed to sync informer cache") + logger.Info("configuration: failed to sync informer cache") } } @@ -103,16 +105,17 @@ func (cd *ConfigData) updateCM(old, cur interface{}) { } func (cd *ConfigData) deleteCM(obj interface{}) { + logger := cd.log cm, ok := obj.(*v1.ConfigMap) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { - glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj)) + logger.Info("failed to get object from tombstone") return } _, ok = tombstone.Obj.(*v1.ConfigMap) if !ok { - glog.Info(fmt.Errorf("Tombstone contained object that is not a ConfigMap %#v", obj)) + logger.Info("Tombstone contained object that is not a ConfigMap", "object", obj) return } } @@ -125,19 +128,20 @@ func (cd *ConfigData) deleteCM(obj interface{}) { } func (cd *ConfigData) load(cm v1.ConfigMap) { + logger := cd.log.WithValues("name", cm.Name, "namespace", cm.Namespace) if cm.Data == nil { - glog.V(4).Infof("Configuration: No data defined in ConfigMap %s", cm.Name) + logger.V(4).Info("configuration: No data defined in ConfigMap") return } // get resource filters filters, ok := cm.Data["resourceFilters"] if !ok { - glog.V(4).Infof("Configuration: No resourceFilters defined in ConfigMap %s", cm.Name) + logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap") return } // filters is a string if filters == "" { - glog.V(4).Infof("Configuration: resourceFilters is empty in ConfigMap %s", cm.Name) + logger.V(4).Info("configuration: resourceFilters is empty in ConfigMap") return } // parse and load the configuration @@ -146,11 +150,10 @@ func (cd *ConfigData) load(cm v1.ConfigMap) { newFilters := parseKinds(filters) if reflect.DeepEqual(newFilters, cd.filters) { - glog.V(4).Infof("Configuration: resourceFilters did not change in ConfigMap %s", cm.Name) + logger.V(4).Info("resourceFilters did not change") return } - glog.V(4).Infof("Configuration: Old resource filters %v", cd.filters) - glog.Infof("Configuration: New resource filters to %v", newFilters) + logger.V(4).Info(" Updated resource filters", "oldFilters", cd.filters, "newFilters", newFilters) // update filters cd.filters = newFilters } @@ -158,20 +161,20 @@ func (cd *ConfigData) load(cm v1.ConfigMap) { //TODO: this has been added to backward support command line arguments // will be removed in future and the configuration will be set only via configmaps func (cd *ConfigData) initFilters(filters string) { + logger := cd.log // parse and load the configuration cd.mux.Lock() defer cd.mux.Unlock() newFilters := parseKinds(filters) - glog.Infof("Configuration: Init resource filters to %v", newFilters) + logger.Info("Init resource filters", "filters", newFilters) // update filters cd.filters = newFilters } func (cd *ConfigData) unload(cm v1.ConfigMap) { - // TODO pick one msg - glog.Infof("Configuration: ConfigMap %s deleted, removing configuration filters", cm.Name) - glog.Infof("Configuration: Removing all resource filters as ConfigMap %s deleted", cm.Name) + logger := cd.log + logger.Info("ConfigMap deleted, removing configuration filters", "name", cm.Name, "namespace", cm.Namespace) cd.mux.Lock() defer cd.mux.Unlock() cd.filters = []k8Resource{} diff --git a/pkg/constant/constant.go b/pkg/constant/constant.go new file mode 100644 index 0000000000..c8ae0dc50a --- /dev/null +++ b/pkg/constant/constant.go @@ -0,0 +1,12 @@ +package constant + +import "time" + +const ( + CRDControllerResync = 15 * time.Minute + PolicyViolationControllerResync = 15 * time.Minute + PolicyControllerResync = 15 * time.Minute + EventControllerResync = 15 * time.Minute + GenerateControllerResync = 15 * time.Minute + GenerateRequestControllerResync = 15 * time.Minute +) diff --git a/pkg/dclient/certificates.go b/pkg/dclient/certificates.go index 76b3cda819..125dc7cec3 100644 --- a/pkg/dclient/certificates.go +++ b/pkg/dclient/certificates.go @@ -6,7 +6,6 @@ import ( "net/url" "time" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" tls "github.com/nirmata/kyverno/pkg/tls" certificates "k8s.io/api/certificates/v1beta1" @@ -19,13 +18,14 @@ import ( // Created pair is stored in cluster's secret. // Returns struct with key/certificate pair. func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.TlsPemPair, error) { + logger := c.log certProps, err := c.GetTLSCertProps(configuration) if err != nil { return nil, err } tlsPair := c.ReadTlsPair(certProps) if tls.IsTLSPairShouldBeUpdated(tlsPair) { - glog.Info("Generating new key/certificate pair for TLS") + logger.Info("Generating new key/certificate pair for TLS") tlsPair, err = c.generateTLSPemPair(certProps, fqdncn) if err != nil { return nil, err @@ -35,8 +35,7 @@ func (c *Client) InitTLSPemPair(configuration *rest.Config, fqdncn bool) (*tls.T } return tlsPair, nil } - - glog.Infoln("Using existing TLS key/certificate pair") + logger.Info("Using existing TLS key/certificate pair") return tlsPair, nil } @@ -71,6 +70,7 @@ func (c *Client) generateTLSPemPair(props tls.TlsCertificateProps, fqdncn bool) // Submits and approves certificate request, returns request which need to be fetched func (c *Client) submitAndApproveCertificateRequest(req *certificates.CertificateSigningRequest) (*certificates.CertificateSigningRequest, error) { + logger := c.log.WithName("submitAndApproveCertificateRequest") certClient, err := c.GetCSRInterface() if err != nil { return nil, err @@ -86,7 +86,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat if err != nil { return nil, fmt.Errorf("Unable to delete existing certificate request: %v", err) } - glog.Info("Old certificate request is deleted") + logger.Info("Old certificate request is deleted") break } } @@ -95,7 +95,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat if err != nil { return nil, err } - glog.Infof("Certificate request %s is created", unstrRes.GetName()) + logger.Info("Certificate request created", "name", unstrRes.GetName()) res, err := convertToCSR(unstrRes) if err != nil { @@ -110,7 +110,7 @@ func (c *Client) submitAndApproveCertificateRequest(req *certificates.Certificat if err != nil { return nil, fmt.Errorf("Unable to approve certificate request: %v", err) } - glog.Infof("Certificate request %s is approved", res.ObjectMeta.Name) + logger.Info("Certificate request is approved", "name", res.ObjectMeta.Name) return res, nil } @@ -144,9 +144,10 @@ func (c *Client) fetchCertificateFromRequest(req *certificates.CertificateSignin //ReadRootCASecret returns the RootCA from the pre-defined secret func (c *Client) ReadRootCASecret() (result []byte) { + logger := c.log.WithName("ReadRootCASecret") certProps, err := c.GetTLSCertProps(c.clientConfig) if err != nil { - glog.Error(err) + logger.Error(err, "failed to get TLS Cert Properties") return result } sname := generateRootCASecretName(certProps) @@ -156,16 +157,16 @@ func (c *Client) ReadRootCASecret() (result []byte) { } tlsca, err := convertToSecret(stlsca) if err != nil { - glog.Error(err) + logger.Error(err, "failed to convert secret", "name", sname, "namespace", certProps.Namespace) return result } result = tlsca.Data[rootCAKey] if len(result) == 0 { - glog.Warningf("root CA certificate not found in secret %s/%s", certProps.Namespace, tlsca.Name) + logger.Info("root CA certificate not found in secret", "name", tlsca.Name, "namespace", certProps.Namespace) return result } - glog.V(4).Infof("using CA bundle defined in secret %s/%s to validate the webhook's server certificate", certProps.Namespace, tlsca.Name) + logger.V(4).Info("using CA bundle defined in secret to validate the webhook's server certificate", "name", tlsca.Name, "namespace", certProps.Namespace) return result } @@ -174,10 +175,11 @@ const rootCAKey string = "rootCA.crt" //ReadTlsPair Reads the pair of TLS certificate and key from the specified secret. func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair { + logger := c.log.WithName("ReadTlsPair") sname := generateTLSPairSecretName(props) unstrSecret, err := c.GetResource(Secrets, props.Namespace, sname) if err != nil { - glog.Warningf("Unable to get secret %s/%s: %s", props.Namespace, sname, err) + logger.Error(err, "Failed to get secret", "name", sname, "namespace", props.Namespace) return nil } @@ -188,7 +190,7 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair { sname := generateRootCASecretName(props) _, err := c.GetResource(Secrets, props.Namespace, sname) if err != nil { - glog.Errorf("Root CA secret %s/%s is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", props.Namespace, sname) + logger.Error(err, "Root CA secret is required while using self-signed certificates TLS pair, defaulting to generating new TLS pair", "name", sname, "namespace", props.Namespace) return nil } } @@ -201,11 +203,11 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair { PrivateKey: secret.Data[v1.TLSPrivateKeyKey], } if len(pemPair.Certificate) == 0 { - glog.Warningf("TLS Certificate not found in secret %s/%s", props.Namespace, sname) + logger.Info("TLS Certificate not found in secret", "name", sname, "namespace", props.Namespace) return nil } if len(pemPair.PrivateKey) == 0 { - glog.Warningf("TLS PrivateKey not found in secret %s/%s", props.Namespace, sname) + logger.Info("TLS PrivateKey not found in secret", "name", sname, "namespace", props.Namespace) return nil } return &pemPair @@ -214,6 +216,7 @@ func (c *Client) ReadTlsPair(props tls.TlsCertificateProps) *tls.TlsPemPair { //WriteTlsPair Writes the pair of TLS certificate and key to the specified secret. // Updates existing secret or creates new one. func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPemPair) error { + logger := c.log.WithName("WriteTlsPair") name := generateTLSPairSecretName(props) _, err := c.GetResource(Secrets, props.Namespace, name) if err != nil { @@ -235,7 +238,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem _, err := c.CreateResource(Secrets, props.Namespace, secret, false) if err == nil { - glog.Infof("Secret %s is created", name) + logger.Info("secret created", "name", name, "namespace", props.Namespace) } return err } @@ -251,7 +254,7 @@ func (c *Client) WriteTlsPair(props tls.TlsCertificateProps, pemPair *tls.TlsPem if err != nil { return err } - glog.Infof("Secret %s is updated", name) + logger.Info("secret updated", "name", name, "namespace", props.Namespace) return nil } diff --git a/pkg/dclient/client.go b/pkg/dclient/client.go index 6cacaeaf9a..7c27f01b2a 100644 --- a/pkg/dclient/client.go +++ b/pkg/dclient/client.go @@ -5,9 +5,8 @@ import ( "strings" "time" + "github.com/go-logr/logr" openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2" - - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" apps "k8s.io/api/apps/v1" certificates "k8s.io/api/certificates/v1beta1" @@ -32,13 +31,15 @@ import ( //Client enables interaction with k8 resource type Client struct { client dynamic.Interface + log logr.Logger clientConfig *rest.Config kclient kubernetes.Interface DiscoveryClient IDiscovery } //NewClient creates new instance of client -func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}) (*Client, error) { +func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{}, log logr.Logger) (*Client, error) { + dclient, err := dynamic.NewForConfig(config) if err != nil { return nil, err @@ -51,9 +52,10 @@ func NewClient(config *rest.Config, resync time.Duration, stopCh <-chan struct{} client: dclient, clientConfig: config, kclient: kclient, + log: log.WithName("dclient"), } // Set discovery client - discoveryClient := ServerPreferredResources{memory.NewMemCacheClient(kclient.Discovery())} + discoveryClient := ServerPreferredResources{cachedClient: memory.NewMemCacheClient(kclient.Discovery()), log: client.log} // client will invalidate registered resources cache every x seconds, // As there is no way to identify if the registered resource is available or not // we will be invalidating the local cache, so the next request get a fresh cache @@ -127,6 +129,11 @@ func (c *Client) PatchResource(kind string, namespace string, name string, patch return c.getResourceInterface(kind, namespace).Patch(name, patchTypes.JSONPatchType, patch, meta.PatchOptions{}) } +// GetDynamicInterface fetches underlying dynamic interface +func (c *Client) GetDynamicInterface() dynamic.Interface { + return c.client +} + // ListResource returns the list of resources in unstructured/json format // Access items using []Items func (c *Client) ListResource(kind string, namespace string, lselector *meta.LabelSelector) (*unstructured.UnstructuredList, error) { @@ -189,7 +196,6 @@ func (c *Client) UpdateStatusResource(kind string, namespace string, obj interfa func convertToUnstructured(obj interface{}) *unstructured.Unstructured { unstructuredObj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&obj) if err != nil { - glog.Errorf("Unable to convert : %v", err) return nil } return &unstructured.Unstructured{Object: unstructuredObj} @@ -215,6 +221,7 @@ func convertToCSR(obj *unstructured.Unstructured) (*certificates.CertificateSign //IDiscovery provides interface to mange Kind and GVR mapping type IDiscovery interface { + FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) GetGVRFromKind(kind string) schema.GroupVersionResource GetServerVersion() (*version.Info, error) OpenAPISchema() (*openapi_v2.Document, error) @@ -228,77 +235,90 @@ func (c *Client) SetDiscovery(discoveryClient IDiscovery) { //ServerPreferredResources stores the cachedClient instance for discovery client type ServerPreferredResources struct { cachedClient discovery.CachedDiscoveryInterface + log logr.Logger } //Poll will keep invalidate the local cache func (c ServerPreferredResources) Poll(resync time.Duration, stopCh <-chan struct{}) { + logger := c.log.WithName("Poll") // start a ticker ticker := time.NewTicker(resync) defer func() { ticker.Stop() }() - glog.Infof("Starting registered resources sync: every %d seconds", resync) + logger.Info("starting registered resources sync", "period", resync) for { select { case <-stopCh: - glog.Info("Stopping registered resources sync") + logger.Info("stopping registered resources sync") return case <-ticker.C: // set cache as stale - glog.V(6).Info("invalidating local client cache for registered resources") + logger.V(6).Info("invalidating local client cache for registered resources") c.cachedClient.Invalidate() } } } +// OpenAPISchema returns the API server OpenAPI schema document func (c ServerPreferredResources) OpenAPISchema() (*openapi_v2.Document, error) { return c.cachedClient.OpenAPISchema() } -//GetGVRFromKind get the Group Version Resource from kind -// if kind is not found in first attempt we invalidate the cache, -// the retry will then fetch the new registered resources and check again -// if not found after 2 attempts, we declare kind is not found -// kind is Case sensitive +// GetGVRFromKind get the Group Version Resource from kind func (c ServerPreferredResources) GetGVRFromKind(kind string) schema.GroupVersionResource { - var gvr schema.GroupVersionResource - var err error - gvr, err = loadServerResources(kind, c.cachedClient) - if err != nil && !c.cachedClient.Fresh() { - - // invalidate cahce & re-try once more - c.cachedClient.Invalidate() - gvr, err = loadServerResources(kind, c.cachedClient) - if err == nil { - return gvr - } + _, gvr, err := c.FindResource(kind) + if err != nil { + c.log.Info("schema not found", "kind", kind) + return schema.GroupVersionResource{} } + return gvr } -//GetServerVersion returns the server version of the cluster +// GetServerVersion returns the server version of the cluster func (c ServerPreferredResources) GetServerVersion() (*version.Info, error) { return c.cachedClient.ServerVersion() } -func loadServerResources(k string, cdi discovery.CachedDiscoveryInterface) (schema.GroupVersionResource, error) { - serverresources, err := cdi.ServerPreferredResources() - emptyGVR := schema.GroupVersionResource{} - if err != nil { - glog.Error(err) - return emptyGVR, err +// FindResource finds an API resource that matches 'kind'. If the resource is not +// found and the Cache is not fresh, the cache is invalidated and a retry is attempted +func (c ServerPreferredResources) FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) { + r, gvr, err := c.findResource(kind) + if err == nil { + return r, gvr, nil } + + if !c.cachedClient.Fresh() { + c.cachedClient.Invalidate() + if r, gvr, err = c.findResource(kind); err == nil { + return r, gvr, nil + } + } + + return nil, schema.GroupVersionResource{}, err +} + +func (c ServerPreferredResources) findResource(k string) (*meta.APIResource, schema.GroupVersionResource, error) { + serverresources, err := c.cachedClient.ServerPreferredResources() + if err != nil { + c.log.Error(err, "failed to get registered preferred resources") + return nil, schema.GroupVersionResource{}, err + } + for _, serverresource := range serverresources { for _, resource := range serverresource.APIResources { - // skip the resource names with "/", to avoid comparison with subresources + // skip the resource names with "/", to avoid comparison with subresources if resource.Kind == k && !strings.Contains(resource.Name, "/") { gv, err := schema.ParseGroupVersion(serverresource.GroupVersion) if err != nil { - glog.Error(err) - return emptyGVR, err + c.log.Error(err, "failed to parse groupVersion", "groupVersion", serverresource.GroupVersion) + return nil, schema.GroupVersionResource{}, err } - return gv.WithResource(resource.Name), nil + + return &resource, gv.WithResource(resource.Name), nil } } } - return emptyGVR, fmt.Errorf("kind '%s' not found", k) + + return nil, schema.GroupVersionResource{}, fmt.Errorf("kind '%s' not found", k) } diff --git a/pkg/dclient/utils.go b/pkg/dclient/utils.go index 8b170eb094..0ed2459901 100644 --- a/pkg/dclient/utils.go +++ b/pkg/dclient/utils.go @@ -1,10 +1,12 @@ package client import ( + "fmt" "strings" openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2" + meta "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" @@ -76,6 +78,10 @@ func (c *fakeDiscoveryClient) GetGVRFromKind(kind string) schema.GroupVersionRes return c.getGVR(resource) } +func (c *fakeDiscoveryClient) FindResource(kind string) (*meta.APIResource, schema.GroupVersionResource, error) { + return nil, schema.GroupVersionResource{}, fmt.Errorf("Not implemented") +} + func (c *fakeDiscoveryClient) OpenAPISchema() (*openapi_v2.Document, error) { return nil, nil } diff --git a/pkg/engine/anchor/anchor.go b/pkg/engine/anchor/anchor.go index 2d81a068ec..9dccab3577 100644 --- a/pkg/engine/anchor/anchor.go +++ b/pkg/engine/anchor/anchor.go @@ -4,7 +4,8 @@ import ( "fmt" "strconv" - "github.com/golang/glog" + "github.com/go-logr/logr" + "sigs.k8s.io/controller-runtime/pkg/log" ) //ValidationHandler for element processes @@ -12,7 +13,7 @@ type ValidationHandler interface { Handle(handler resourceElementHandler, resourceMap map[string]interface{}, originPattern interface{}) (string, error) } -type resourceElementHandler = func(resourceElement, patternElement, originPattern interface{}, path string) (string, error) +type resourceElementHandler = func(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error) //CreateElementHandler factory to process elements func CreateElementHandler(element string, pattern interface{}, path string) ValidationHandler { @@ -82,7 +83,7 @@ func (eh EqualityHandler) Handle(handler resourceElementHandler, resourceMap map // check if anchor is present in resource if value, ok := resourceMap[anchorKey]; ok { // validate the values of the pattern - returnPath, err := handler(value, eh.pattern, originPattern, currentPath) + returnPath, err := handler(log.Log, value, eh.pattern, originPattern, currentPath) if err != nil { return returnPath, err } @@ -115,7 +116,7 @@ func (dh DefaultHandler) Handle(handler resourceElementHandler, resourceMap map[ } else if dh.pattern == "*" && resourceMap[dh.element] == nil { return dh.path, fmt.Errorf("Validation rule failed at %s, Field %s is not present", dh.path, dh.element) } else { - path, err := handler(resourceMap[dh.element], dh.pattern, originPattern, currentPath) + path, err := handler(log.Log, resourceMap[dh.element], dh.pattern, originPattern, currentPath) if err != nil { return path, err } @@ -146,7 +147,7 @@ func (ch ConditionAnchorHandler) Handle(handler resourceElementHandler, resource // check if anchor is present in resource if value, ok := resourceMap[anchorKey]; ok { // validate the values of the pattern - returnPath, err := handler(value, ch.pattern, originPattern, currentPath) + returnPath, err := handler(log.Log, value, ch.pattern, originPattern, currentPath) if err != nil { return returnPath, err } @@ -194,7 +195,6 @@ func (eh ExistenceHandler) Handle(handler resourceElementHandler, resourceMap ma } return validateExistenceListResource(handler, typedResource, typedPatternMap, originPattern, currentPath) default: - glog.Error("Invalid type: Existence ^ () anchor can be used only on list/array type resource") return currentPath, fmt.Errorf("Invalid resource type %T: Existence ^ () anchor can be used only on list/array type resource", value) } } @@ -206,10 +206,9 @@ func validateExistenceListResource(handler resourceElementHandler, resourceList // if non satisfy then throw an error for i, resourceElement := range resourceList { currentPath := path + strconv.Itoa(i) + "/" - _, err := handler(resourceElement, patternMap, originPattern, currentPath) + _, err := handler(log.Log, resourceElement, patternMap, originPattern, currentPath) if err == nil { // condition is satisfied, dont check further - glog.V(4).Infof("Existence check satisfied at path %s, for pattern %v", currentPath, patternMap) return "", nil } } diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go index 05805a0a91..732b4eeb48 100644 --- a/pkg/engine/context/context.go +++ b/pkg/engine/context/context.go @@ -5,9 +5,12 @@ import ( "strings" "sync" + "k8s.io/api/admission/v1beta1" + jsonpatch "github.com/evanphx/json-patch" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "sigs.k8s.io/controller-runtime/pkg/log" ) //Interface to manage context operations @@ -33,6 +36,7 @@ type Context struct { mu sync.RWMutex jsonRaw []byte whiteListVars []string + log logr.Logger } //NewContext returns a new context @@ -42,6 +46,7 @@ func NewContext(whiteListVars ...string) *Context { // data: map[string]interface{}{}, jsonRaw: []byte(`{}`), // empty json struct whiteListVars: whiteListVars, + log: log.Log.WithName("context"), } return &ctx } @@ -54,19 +59,34 @@ func (ctx *Context) AddJSON(dataRaw []byte) error { // merge json ctx.jsonRaw, err = jsonpatch.MergePatch(ctx.jsonRaw, dataRaw) if err != nil { - glog.V(4).Infof("failed to merge JSON data: %v", err) + ctx.log.Error(err, "failed to merge JSON data") return err } return nil } +func (ctx *Context) AddRequest(request *v1beta1.AdmissionRequest) error { + modifiedResource := struct { + Request interface{} `json:"request"` + }{ + Request: request, + } + + objRaw, err := json.Marshal(modifiedResource) + if err != nil { + ctx.log.Error(err, "failed to marshal the request") + return err + } + return ctx.AddJSON(objRaw) +} + //AddResource data at path: request.object func (ctx *Context) AddResource(dataRaw []byte) error { // unmarshall the resource struct var data interface{} if err := json.Unmarshal(dataRaw, &data); err != nil { - glog.V(4).Infof("failed to unmarshall the context data: %v", err) + ctx.log.Error(err, "failed to unmarshall the resource") return err } @@ -82,7 +102,7 @@ func (ctx *Context) AddResource(dataRaw []byte) error { objRaw, err := json.Marshal(modifiedResource) if err != nil { - glog.V(4).Infof("failed to marshall the updated context data") + ctx.log.Error(err, "failed to marshal the resource") return err } return ctx.AddJSON(objRaw) @@ -98,7 +118,7 @@ func (ctx *Context) AddUserInfo(userRequestInfo kyverno.RequestInfo) error { objRaw, err := json.Marshal(modifiedResource) if err != nil { - glog.V(4).Infof("failed to marshall the updated context data") + ctx.log.Error(err, "failed to marshal the UserInfo") return err } return ctx.AddJSON(objRaw) @@ -118,8 +138,6 @@ func (ctx *Context) AddSA(userName string) error { // filter namespace groups := strings.Split(sa, ":") if len(groups) >= 2 { - glog.V(4).Infof("serviceAccount namespace: %s", groups[0]) - glog.V(4).Infof("serviceAccount name: %s", groups[1]) saName = groups[1] saNamespace = groups[0] } @@ -131,7 +149,7 @@ func (ctx *Context) AddSA(userName string) error { } saNameRaw, err := json.Marshal(saNameObj) if err != nil { - glog.V(4).Infof("failed to marshall the updated context data") + ctx.log.Error(err, "failed to marshal the SA") return err } if err := ctx.AddJSON(saNameRaw); err != nil { @@ -145,7 +163,7 @@ func (ctx *Context) AddSA(userName string) error { } saNsRaw, err := json.Marshal(saNsObj) if err != nil { - glog.V(4).Infof("failed to marshall the updated context data") + ctx.log.Error(err, "failed to marshal the SA namespace") return err } if err := ctx.AddJSON(saNsRaw); err != nil { diff --git a/pkg/engine/context/evaluate.go b/pkg/engine/context/evaluate.go index 78f9643497..e6d57c66c0 100644 --- a/pkg/engine/context/evaluate.go +++ b/pkg/engine/context/evaluate.go @@ -3,8 +3,8 @@ package context import ( "encoding/json" "fmt" + "strings" - "github.com/golang/glog" jmespath "github.com/jmespath/go-jmespath" ) @@ -12,14 +12,14 @@ import ( func (ctx *Context) Query(query string) (interface{}, error) { var emptyResult interface{} // check for white-listed variables - if ctx.isWhiteListed(query) { + if !ctx.isWhiteListed(query) { return emptyResult, fmt.Errorf("variable %s cannot be used", query) } // compile the query queryPath, err := jmespath.Compile(query) if err != nil { - glog.V(4).Infof("incorrect query %s: %v", query, err) + ctx.log.Error(err, "incorrect query", "query", query) return emptyResult, fmt.Errorf("incorrect query %s: %v", query, err) } // search @@ -28,21 +28,24 @@ func (ctx *Context) Query(query string) (interface{}, error) { var data interface{} if err := json.Unmarshal(ctx.jsonRaw, &data); err != nil { - glog.V(4).Infof("failed to unmarshall context: %v", err) + ctx.log.Error(err, "failed to unmarshal context") return emptyResult, fmt.Errorf("failed to unmarshall context: %v", err) } result, err := queryPath.Search(data) if err != nil { - glog.V(4).Infof("failed to search query %s: %v", query, err) + ctx.log.Error(err, "failed to search query", "query", query) return emptyResult, fmt.Errorf("failed to search query %s: %v", query, err) } return result, nil } func (ctx *Context) isWhiteListed(variable string) bool { + if len(ctx.whiteListVars) == 0 { + return true + } for _, wVar := range ctx.whiteListVars { - if wVar == variable { + if strings.HasPrefix(variable, wVar) { return true } } diff --git a/pkg/engine/forceMutate.go b/pkg/engine/forceMutate.go index 14ba42c468..9453109742 100644 --- a/pkg/engine/forceMutate.go +++ b/pkg/engine/forceMutate.go @@ -12,6 +12,7 @@ import ( "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine/variables" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" ) func mutateResourceWithOverlay(resource unstructured.Unstructured, overlay interface{}) (unstructured.Unstructured, error) { @@ -57,7 +58,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour if mutation.Overlay != nil { overlay := mutation.Overlay if ctx != nil { - if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil { + if overlay, err = variables.SubstituteVars(log.Log, ctx, overlay); err != nil { return unstructured.Unstructured{}, err } } else { @@ -72,7 +73,7 @@ func ForceMutate(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resour if rule.Mutation.Patches != nil { var resp response.RuleResponse - resp, resource = mutate.ProcessPatches(rule, resource) + resp, resource = mutate.ProcessPatches(log.Log, rule, resource) if !resp.Success { return unstructured.Unstructured{}, fmt.Errorf(resp.Message) } diff --git a/pkg/engine/generation.go b/pkg/engine/generation.go index 0f8cea1937..552bbc3a4d 100644 --- a/pkg/engine/generation.go +++ b/pkg/engine/generation.go @@ -3,12 +3,14 @@ package engine import ( "time" - "github.com/golang/glog" + "github.com/go-logr/logr" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/variables" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" ) // Generate checks for validity of generate rule on the resource @@ -20,10 +22,11 @@ func Generate(policyContext PolicyContext) (resp response.EngineResponse) { resource := policyContext.NewResource admissionInfo := policyContext.AdmissionInfo ctx := policyContext.Context - return filterRules(policy, resource, admissionInfo, ctx) + logger := log.Log.WithName("Generate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName()) + return filterRules(policy, resource, admissionInfo, ctx, logger) } -func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) *response.RuleResponse { +func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) *response.RuleResponse { if !rule.HasGenerate() { return nil } @@ -31,15 +34,14 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission startTime := time.Now() if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil { - glog.V(4).Infof(err.Error()) return nil } // operate on the copy of the conditions, as we perform variable substitution copyConditions := copyConditions(rule.Conditions) // evaluate pre-conditions - if !variables.EvaluateConditions(ctx, copyConditions) { - glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName()) + if !variables.EvaluateConditions(log, ctx, copyConditions) { + log.V(4).Info("preconditions not satisfied, skipping rule", "rule", rule.Name) return nil } // build rule Response @@ -53,7 +55,7 @@ func filterRule(rule kyverno.Rule, resource unstructured.Unstructured, admission } } -func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface) response.EngineResponse { +func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo, ctx context.EvalInterface, log logr.Logger) response.EngineResponse { resp := response.EngineResponse{ PolicyResponse: response.PolicyResponse{ Policy: policy.Name, @@ -66,7 +68,7 @@ func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructure } for _, rule := range policy.Spec.Rules { - if ruleResp := filterRule(rule, resource, admissionInfo, ctx); ruleResp != nil { + if ruleResp := filterRule(rule, resource, admissionInfo, ctx, log); ruleResp != nil { resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResp) } } diff --git a/pkg/engine/mutate/overlay.go b/pkg/engine/mutate/overlay.go index 3b76f30c74..06b6151994 100644 --- a/pkg/engine/mutate/overlay.go +++ b/pkg/engine/mutate/overlay.go @@ -10,57 +10,59 @@ import ( "strings" "time" - "github.com/golang/glog" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" jsonpatch "github.com/evanphx/json-patch" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/anchor" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" ) // ProcessOverlay processes mutation overlay on the resource -func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) { +func ProcessOverlay(log logr.Logger, ruleName string, overlay interface{}, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) { startTime := time.Now() - glog.V(4).Infof("started applying overlay rule %q (%v)", ruleName, startTime) + logger := log.WithValues("rule", ruleName) + logger.V(4).Info("started applying overlay rule", "startTime", startTime) resp.Name = ruleName resp.Type = utils.Mutation.String() defer func() { resp.RuleStats.ProcessingTime = time.Since(startTime) - glog.V(4).Infof("finished applying overlay rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime) + logger.V(4).Info("finished applying overlay rule", "processingTime", resp.RuleStats.ProcessingTime) }() - patches, overlayerr := processOverlayPatches(resource.UnstructuredContent(), overlay) - // resource does not satisfy the overlay pattern, we don't apply this rule + patches, overlayerr := processOverlayPatches(logger, resource.UnstructuredContent(), overlay) if !reflect.DeepEqual(overlayerr, overlayError{}) { switch overlayerr.statusCode { - // condition key is not present in the resource, don't apply this rule - // consider as success + case conditionNotPresent: - glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg()) + logger.V(3).Info("skip applying rule", "reason", "conditionNotPresent") resp.Success = true return resp, resource - // conditions are not met, don't apply this rule + case conditionFailure: - glog.V(3).Infof("Skip applying rule '%s' on resource '%s/%s/%s': %s", ruleName, resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg()) + logger.V(3).Info("skip applying rule", "reason", "conditionFailure") //TODO: send zero response and not consider this as applied? resp.Success = true resp.Message = overlayerr.ErrorMsg() return resp, resource - // rule application failed + case overlayFailure: - glog.Errorf("Resource %s/%s/%s: failed to process overlay: %v in the rule %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.ErrorMsg(), ruleName) + logger.Info("failed to process overlay") resp.Success = false resp.Message = fmt.Sprintf("failed to process overlay: %v", overlayerr.ErrorMsg()) return resp, resource + default: - glog.Errorf("Resource %s/%s/%s: Unknown type of error: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), overlayerr.Error()) + logger.Info("failed to process overlay") resp.Success = false resp.Message = fmt.Sprintf("Unknown type of error: %v", overlayerr.Error()) return resp, resource } } + logger.V(4).Info("processing overlay rule", "patches", len(patches)) if len(patches) == 0 { resp.Success = true return resp, resource @@ -70,24 +72,25 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured. resourceRaw, err := resource.MarshalJSON() if err != nil { resp.Success = false - glog.Infof("unable to marshall resource: %v", err) + logger.Error(err, "failed to marshal resource") resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource } var patchResource []byte + logger.V(5).Info("applying overlay patches", "patches", string(utils.JoinPatches(patches))) patchResource, err = utils.ApplyPatches(resourceRaw, patches) if err != nil { msg := fmt.Sprintf("failed to apply JSON patches: %v", err) - glog.V(2).Infof("%s, patches=%s", msg, string(utils.JoinPatches(patches))) resp.Success = false resp.Message = msg return resp, resource } + logger.V(5).Info("patched resource", "patches", string(patchResource)) err = patchedResource.UnmarshalJSON(patchResource) if err != nil { - glog.Infof("failed to unmarshall resource to undstructured: %v", err) + logger.Error(err, "failed to unmarshal resource") resp.Success = false resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource @@ -101,17 +104,17 @@ func ProcessOverlay(ruleName string, overlay interface{}, resource unstructured. return resp, patchedResource } -func processOverlayPatches(resource, overlay interface{}) ([][]byte, overlayError) { - if path, overlayerr := meetConditions(resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) { +func processOverlayPatches(log logr.Logger, resource, overlay interface{}) ([][]byte, overlayError) { + if path, overlayerr := meetConditions(log, resource, overlay); !reflect.DeepEqual(overlayerr, overlayError{}) { switch overlayerr.statusCode { // anchor key does not exist in the resource, skip applying policy case conditionNotPresent: - glog.V(4).Infof("Mutate rule: skip applying policy: %v at %s", overlayerr, path) + log.V(4).Info("skip applying policy", "path", path, "error", overlayerr) return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, condition tag not present: %v at %s", overlayerr.ErrorMsg(), path)) // anchor key is not satisfied in the resource, skip applying policy case conditionFailure: // anchor key is not satisfied in the resource, skip applying policy - glog.V(4).Infof("Mutate rule: failed to validate condition at %s, err: %v", path, overlayerr) + log.V(4).Info("failed to validate condition", "path", path, "error", overlayerr) return nil, newOverlayError(overlayerr.statusCode, fmt.Sprintf("Policy not applied, conditions are not met at %s, %v", path, overlayerr)) } } @@ -383,7 +386,7 @@ func prepareJSONValue(overlay interface{}) string { overlayWithoutAnchors := removeAnchorFromSubTree(overlay) jsonOverlay, err := json.Marshal(overlayWithoutAnchors) if err != nil || hasOnlyAnchors(overlay) { - glog.V(3).Info(err) + log.Log.Error(err, "failed to marshall withoutanchors or has only anchors") return "" } @@ -409,7 +412,7 @@ func removeAnchorFromSubTree(overlay interface{}) interface{} { } func removeAnchroFromMap(overlay map[string]interface{}) map[string]interface{} { - result := make(map[string]interface{}, 0) + result := make(map[string]interface{}) for k, v := range overlay { result[getRawKeyIfWrappedWithAttributes(k)] = removeAnchorFromSubTree(v) } diff --git a/pkg/engine/mutate/overlayCondition.go b/pkg/engine/mutate/overlayCondition.go index 134cc23cc0..97d0210e80 100755 --- a/pkg/engine/mutate/overlayCondition.go +++ b/pkg/engine/mutate/overlayCondition.go @@ -5,17 +5,18 @@ import ( "reflect" "strconv" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/anchor" "github.com/nirmata/kyverno/pkg/engine/validate" + "sigs.k8s.io/controller-runtime/pkg/log" ) -func meetConditions(resource, overlay interface{}) (string, overlayError) { - return checkConditions(resource, overlay, "/") +func meetConditions(log logr.Logger, resource, overlay interface{}) (string, overlayError) { + return checkConditions(log, resource, overlay, "/") } // resource and overlay should be the same type -func checkConditions(resource, overlay interface{}, path string) (string, overlayError) { +func checkConditions(log logr.Logger, resource, overlay interface{}, path string) (string, overlayError) { // overlay has no anchor, return true if !hasNestedAnchors(overlay) { return "", overlayError{} @@ -26,7 +27,7 @@ func checkConditions(resource, overlay interface{}, path string) (string, overla // condition never be true in this case if reflect.TypeOf(resource) != reflect.TypeOf(overlay) { if hasNestedAnchors(overlay) { - glog.V(4).Infof("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource) + log.V(4).Info(fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T, resource %T", path, overlay, resource)) return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element at path %s: overlay %T %v, resource %T %v", path, overlay, overlay, resource, resource)) @@ -44,7 +45,7 @@ func checkConditions(resource, overlay interface{}, path string) (string, overla default: // anchor on non map/array is invalid: // - anchor defined on values - glog.Warningln("Found invalid conditional anchor: anchor defined on values") + log.Info("Found invalid conditional anchor: anchor defined on values") return "", overlayError{} } } @@ -68,12 +69,12 @@ func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}, path st func checkConditionOnArray(resource, overlay []interface{}, path string) (string, overlayError) { if 0 == len(overlay) { - glog.Infof("Mutate overlay pattern is empty, path %s", path) + log.Log.V(4).Info("Mutate overlay pattern is empty", "path", path) return "", overlayError{} } if reflect.TypeOf(resource[0]) != reflect.TypeOf(overlay[0]) { - glog.V(4).Infof("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0]) + log.Log.V(4).Info(fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0])) return path, newOverlayError(conditionFailure, fmt.Sprintf("Overlay array and resource array have elements of different types: %T and %T", overlay[0], resource[0])) } @@ -111,7 +112,7 @@ func validateConditionAnchorMap(resourceMap, anchors map[string]interface{}, pat // resource - A: B2 func compareOverlay(resource, overlay interface{}, path string) (string, overlayError) { if reflect.TypeOf(resource) != reflect.TypeOf(overlay) { - glog.V(4).Infof("Found anchor on different types of element: overlay %T, resource %T", overlay, resource) + log.Log.V(4).Info("Found anchor on different types of element", "overlay", overlay, "resource", resource) return path, newOverlayError(conditionFailure, fmt.Sprintf("Found anchor on different types of element: overlay %T, resource %T", overlay, resource)) } @@ -139,8 +140,8 @@ func compareOverlay(resource, overlay interface{}, path string) (string, overlay } } case string, float64, int, int64, bool, nil: - if !validate.ValidateValueWithPattern(resource, overlay) { - glog.V(4).Infof("Mutate rule: failed validating value %v with overlay %v", resource, overlay) + if !validate.ValidateValueWithPattern(log.Log, resource, overlay) { + log.Log.V(4).Info(fmt.Sprintf("Mutate rule: failed validating value %v with overlay %v", resource, overlay)) return path, newOverlayError(conditionFailure, fmt.Sprintf("Failed validating value %v with overlay %v", resource, overlay)) } default: @@ -165,7 +166,7 @@ func validateNonAnchorOverlayMap(resourceMap, overlayWithoutAnchor map[string]in continue } } - if newPath, err := checkConditions(resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) { + if newPath, err := checkConditions(log.Log, resourceValue, overlayValue, curPath); !reflect.DeepEqual(err, overlayError{}) { return newPath, err } } @@ -179,7 +180,7 @@ func checkConditionsOnArrayOfSameTypes(resource, overlay []interface{}, path str default: for i, overlayElement := range overlay { curPath := path + strconv.Itoa(i) + "/" - path, err := checkConditions(resource[i], overlayElement, curPath) + path, err := checkConditions(log.Log, resource[i], overlayElement, curPath) if !reflect.DeepEqual(err, overlayError{}) { return path, err } diff --git a/pkg/engine/mutate/overlayCondition_test.go b/pkg/engine/mutate/overlayCondition_test.go index b898acfbcd..8da6eefee9 100644 --- a/pkg/engine/mutate/overlayCondition_test.go +++ b/pkg/engine/mutate/overlayCondition_test.go @@ -7,6 +7,7 @@ import ( "testing" "gotest.tools/assert" + "sigs.k8s.io/controller-runtime/pkg/log" ) func TestMeetConditions_NoAnchor(t *testing.T) { @@ -26,9 +27,11 @@ func TestMeetConditions_NoAnchor(t *testing.T) { }`) var overlay interface{} - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(overlayRaw, &overlay) + assert.Assert(t, reflect.DeepEqual(err, nil)) + + _, err = meetConditions(log.Log, nil, overlay) - _, err := meetConditions(nil, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) } @@ -78,10 +81,12 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - _, err := meetConditions(resource, overlay) + _, err = meetConditions(log.Log, resource, overlay) assert.Assert(t, !reflect.DeepEqual(err, overlayError{})) overlayRaw = []byte(` @@ -99,9 +104,10 @@ func TestMeetConditions_conditionalAnchorOnMap(t *testing.T) { ] }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - _, overlayerr := meetConditions(resource, overlay) + _, overlayerr := meetConditions(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) } @@ -136,11 +142,14 @@ func TestMeetConditions_DifferentTypes(t *testing.T) { }`) var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) // anchor exist - _, err := meetConditions(resource, overlay) + + _, err = meetConditions(log.Log, resource, overlay) assert.Assert(t, strings.Contains(err.Error(), "Found anchor on different types of element at path /subsets/")) } @@ -190,10 +199,12 @@ func TestMeetConditions_anchosInSameObject(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - _, err := meetConditions(resource, overlay) + _, err = meetConditions(log.Log, resource, overlay) assert.Error(t, err, "[overlayError:0] Failed validating value 443 with overlay 444") } @@ -248,10 +259,13 @@ func TestMeetConditions_anchorOnPeer(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) + + _, err = meetConditions(log.Log, resource, overlay) - _, err := meetConditions(resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) } @@ -325,10 +339,13 @@ func TestMeetConditions_anchorsOnMetaAndSpec(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) + + _, err = meetConditions(log.Log, resource, overlay) - _, err := meetConditions(resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) } @@ -406,10 +423,13 @@ func TestMeetConditions_anchorsOnPeer_single(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRawAnchorOnPeers, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRawAnchorOnPeers, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) + + _, err = meetConditions(log.Log, resource, overlay) - _, err := meetConditions(resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) } @@ -440,10 +460,13 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRawAnchorOnPeers, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRawAnchorOnPeers, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) + + _, err = meetConditions(log.Log, resource, overlay) - _, err := meetConditions(resource, overlay) assert.Error(t, err, "[overlayError:0] Failed validating value true with overlay false") overlayRaw = []byte(`{ @@ -470,9 +493,10 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) { } }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - _, err = meetConditions(resource, overlay) + _, err = meetConditions(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) overlayRaw = []byte(`{ @@ -499,9 +523,10 @@ func TestMeetConditions_anchorsOnPeer_two(t *testing.T) { } }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - _, err = meetConditions(resource, overlay) + _, err = meetConditions(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) } @@ -532,10 +557,13 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRawAnchorOnPeers, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRawAnchorOnPeers, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) + + _, err = meetConditions(log.Log, resource, overlay) - _, err := meetConditions(resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) overlayRaw = []byte(`{ @@ -562,9 +590,10 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) { } }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - _, err = meetConditions(resource, overlay) + _, err = meetConditions(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) overlayRaw = []byte(`{ @@ -591,9 +620,10 @@ func TestMeetConditions_anchorsOnPeer_multiple(t *testing.T) { } }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - _, err = meetConditions(resource, overlay) + _, err = meetConditions(log.Log, resource, overlay) assert.Error(t, err, "[overlayError:0] Failed validating value ENV_VALUE with overlay ENV_VALUE1") } @@ -649,10 +679,13 @@ func TestMeetConditions_AtleastOneExist(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) + + path, err := meetConditions(log.Log, resource, overlay) - path, err := meetConditions(resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) assert.Assert(t, len(path) == 0) } diff --git a/pkg/engine/mutate/overlay_test.go b/pkg/engine/mutate/overlay_test.go index 8c062fe58d..a7c8890039 100644 --- a/pkg/engine/mutate/overlay_test.go +++ b/pkg/engine/mutate/overlay_test.go @@ -8,6 +8,7 @@ import ( jsonpatch "github.com/evanphx/json-patch" "github.com/nirmata/kyverno/pkg/engine/utils" "gotest.tools/assert" + "sigs.k8s.io/controller-runtime/pkg/log" ) func compareJSONAsMap(t *testing.T, expected, actual []byte) { @@ -63,10 +64,12 @@ func TestProcessOverlayPatches_NestedListWithAnchor(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, patches != nil) @@ -163,10 +166,12 @@ func TestProcessOverlayPatches_InsertIntoArray(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, patches != nil) @@ -284,10 +289,12 @@ func TestProcessOverlayPatches_TestInsertToArray(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, patches != nil) @@ -367,10 +374,12 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, len(patches) != 0) @@ -456,9 +465,10 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) { } }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, err = processOverlayPatches(resource, overlay) + patches, err = processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) assert.Assert(t, len(patches) != 0) @@ -492,9 +502,10 @@ func TestProcessOverlayPatches_ImagePullPolicy(t *testing.T) { } }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, err = processOverlayPatches(resource, overlay) + patches, err = processOverlayPatches(log.Log, resource, overlay) assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /spec/template/metadata/labels/app/, [overlayError:0] Failed validating value nginx with overlay nginx1") assert.Assert(t, len(patches) == 0) } @@ -520,10 +531,12 @@ func TestProcessOverlayPatches_AddingAnchor(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, len(patches) != 0) @@ -605,10 +618,12 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, len(patches) != 0) @@ -684,9 +699,10 @@ func TestProcessOverlayPatches_AddingAnchorInsideListElement(t *testing.T) { } }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, err = processOverlayPatches(resource, overlay) + patches, err = processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(err, overlayError{})) assert.Assert(t, len(patches) != 0) @@ -747,10 +763,12 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, len(patches) != 0) @@ -805,9 +823,10 @@ func TestProcessOverlayPatches_anchorOnPeer(t *testing.T) { ] }`) - json.Unmarshal(overlayRaw, &overlay) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, err = processOverlayPatches(resource, overlay) + patches, err = processOverlayPatches(log.Log, resource, overlay) assert.Error(t, err, "[overlayError:0] Policy not applied, conditions are not met at /subsets/0/ports/0/port/, [overlayError:0] Failed validating value 443 with overlay 444") assert.Assert(t, len(patches) == 0) } @@ -886,10 +905,12 @@ func TestProcessOverlayPatches_insertWithCondition(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, len(patches) != 0) @@ -997,10 +1018,12 @@ func TestProcessOverlayPatches_InsertIfNotPresentWithConditions(t *testing.T) { var resource, overlay interface{} - json.Unmarshal(resourceRaw, &resource) - json.Unmarshal(overlayRaw, &overlay) + err := json.Unmarshal(resourceRaw, &resource) + assert.NilError(t, err) + err = json.Unmarshal(overlayRaw, &overlay) + assert.NilError(t, err) - patches, overlayerr := processOverlayPatches(resource, overlay) + patches, overlayerr := processOverlayPatches(log.Log, resource, overlay) assert.Assert(t, reflect.DeepEqual(overlayerr, overlayError{})) assert.Assert(t, len(patches) != 0) diff --git a/pkg/engine/mutate/patches.go b/pkg/engine/mutate/patches.go index 61fc93ecea..7b294bbca9 100644 --- a/pkg/engine/mutate/patches.go +++ b/pkg/engine/mutate/patches.go @@ -6,7 +6,7 @@ import ( "strings" "time" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/utils" @@ -20,21 +20,22 @@ func applyPatch(resource []byte, patchRaw []byte) ([]byte, error) { } //ProcessPatches applies the patches on the resource and returns the patched resource -func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) { +func ProcessPatches(log logr.Logger, rule kyverno.Rule, resource unstructured.Unstructured) (resp response.RuleResponse, patchedResource unstructured.Unstructured) { + logger := log.WithValues("rule", rule.Name) startTime := time.Now() - glog.V(4).Infof("started JSON patch rule %q (%v)", rule.Name, startTime) + logger.V(4).Info("started JSON patch", "startTime", startTime) resp.Name = rule.Name resp.Type = utils.Mutation.String() defer func() { resp.RuleStats.ProcessingTime = time.Since(startTime) - glog.V(4).Infof("finished JSON patch rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime) + logger.V(4).Info("finished JSON patch", "processingTime", resp.RuleStats.ProcessingTime) }() // convert to RAW resourceRaw, err := resource.MarshalJSON() if err != nil { resp.Success = false - glog.Infof("unable to marshall resource: %v", err) + logger.Error(err, "failed to marshal resource") resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource } @@ -45,14 +46,14 @@ func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp // JSON patch patchRaw, err := json.Marshal(patch) if err != nil { - glog.V(4).Infof("failed to marshall JSON patch %v: %v", patch, err) + logger.Error(err, "failed to marshal JSON patch") errs = append(errs, err) continue } patchResource, err := applyPatch(resourceRaw, patchRaw) // TODO: continue on error if one of the patches fails, will add the failure event in such case if err != nil && patch.Operation == "remove" { - glog.Info(err) + log.Error(err, "failed to process JSON path or patch is a 'remove' operation") continue } if err != nil { @@ -77,7 +78,7 @@ func ProcessPatches(rule kyverno.Rule, resource unstructured.Unstructured) (resp } err = patchedResource.UnmarshalJSON(resourceRaw) if err != nil { - glog.Infof("failed to unmarshall resource to undstructured: %v", err) + logger.Error(err, "failed to unmmarshal resource") resp.Success = false resp.Message = fmt.Sprintf("failed to process JSON patches: %v", err) return resp, resource diff --git a/pkg/engine/mutate/patches_test.go b/pkg/engine/mutate/patches_test.go index f38b68d2c4..1b617d5517 100644 --- a/pkg/engine/mutate/patches_test.go +++ b/pkg/engine/mutate/patches_test.go @@ -5,6 +5,7 @@ import ( "gotest.tools/assert" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" types "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/utils" @@ -41,7 +42,7 @@ func TestProcessPatches_EmptyPatches(t *testing.T) { if err != nil { t.Error(err) } - rr, _ := ProcessPatches(emptyRule, *resourceUnstructured) + rr, _ := ProcessPatches(log.Log, emptyRule, *resourceUnstructured) assert.Check(t, rr.Success) assert.Assert(t, len(rr.Patches) == 0) } @@ -70,14 +71,14 @@ func makeRuleWithPatches(patches []types.Patch) types.Rule { func TestProcessPatches_EmptyDocument(t *testing.T) { rule := makeRuleWithPatch(makeAddIsMutatedLabelPatch()) - rr, _ := ProcessPatches(rule, unstructured.Unstructured{}) + rr, _ := ProcessPatches(log.Log, rule, unstructured.Unstructured{}) assert.Assert(t, !rr.Success) assert.Assert(t, len(rr.Patches) == 0) } func TestProcessPatches_AllEmpty(t *testing.T) { emptyRule := types.Rule{} - rr, _ := ProcessPatches(emptyRule, unstructured.Unstructured{}) + rr, _ := ProcessPatches(log.Log, emptyRule, unstructured.Unstructured{}) assert.Check(t, !rr.Success) assert.Assert(t, len(rr.Patches) == 0) } @@ -90,7 +91,7 @@ func TestProcessPatches_AddPathDoesntExist(t *testing.T) { if err != nil { t.Error(err) } - rr, _ := ProcessPatches(rule, *resourceUnstructured) + rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured) assert.Check(t, !rr.Success) assert.Assert(t, len(rr.Patches) == 0) } @@ -102,7 +103,7 @@ func TestProcessPatches_RemovePathDoesntExist(t *testing.T) { if err != nil { t.Error(err) } - rr, _ := ProcessPatches(rule, *resourceUnstructured) + rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured) assert.Check(t, rr.Success) assert.Assert(t, len(rr.Patches) == 0) } @@ -115,7 +116,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_EmptyResult(t *testing.T) { if err != nil { t.Error(err) } - rr, _ := ProcessPatches(rule, *resourceUnstructured) + rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured) assert.Check(t, !rr.Success) assert.Assert(t, len(rr.Patches) == 0) } @@ -129,7 +130,7 @@ func TestProcessPatches_AddAndRemovePathsDontExist_ContinueOnError_NotEmptyResul if err != nil { t.Error(err) } - rr, _ := ProcessPatches(rule, *resourceUnstructured) + rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured) assert.Check(t, rr.Success) assert.Assert(t, len(rr.Patches) != 0) assertEqStringAndData(t, `{"path":"/metadata/labels/label3","op":"add","value":"label3Value"}`, rr.Patches[0]) @@ -142,7 +143,7 @@ func TestProcessPatches_RemovePathDoesntExist_EmptyResult(t *testing.T) { if err != nil { t.Error(err) } - rr, _ := ProcessPatches(rule, *resourceUnstructured) + rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured) assert.Check(t, rr.Success) assert.Assert(t, len(rr.Patches) == 0) } @@ -155,7 +156,7 @@ func TestProcessPatches_RemovePathDoesntExist_NotEmptyResult(t *testing.T) { if err != nil { t.Error(err) } - rr, _ := ProcessPatches(rule, *resourceUnstructured) + rr, _ := ProcessPatches(log.Log, rule, *resourceUnstructured) assert.Check(t, rr.Success) assert.Assert(t, len(rr.Patches) == 1) assertEqStringAndData(t, `{"path":"/metadata/labels/label2","op":"add","value":"label2Value"}`, rr.Patches[0]) diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go index d1fab46211..5f8677d3f9 100644 --- a/pkg/engine/mutation.go +++ b/pkg/engine/mutation.go @@ -1,16 +1,17 @@ package engine import ( - "reflect" + "encoding/json" "strings" "time" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/mutate" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/variables" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" ) const ( @@ -20,6 +21,7 @@ const ( PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers" //PodTemplateAnnotation defines the annotation key for Pod-Template PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied" + PodControllerRuleName = "podControllerAnnotation" ) // Mutate performs mutation. Overlay first and then mutation patches @@ -28,26 +30,31 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { policy := policyContext.Policy resource := policyContext.NewResource ctx := policyContext.Context - + logger := log.Log.WithName("Mutate").WithValues("policy", policy.Name, "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName()) + logger.V(4).Info("start policy processing", "startTime", startTime) startMutateResultResponse(&resp, policy, resource) - glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime) - defer endMutateResultResponse(&resp, startTime) + defer endMutateResultResponse(logger, &resp, startTime) patchedResource := policyContext.NewResource + + if autoGenAnnotationApplied(patchedResource) && policy.HasAutoGenAnnotation() { + resp.PatchedResource = patchedResource + return + } + for _, rule := range policy.Spec.Rules { var ruleResponse response.RuleResponse + logger := logger.WithValues("rule", rule.Name) //TODO: to be checked before calling the resources as well if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) { continue } - startTime := time.Now() - glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule //TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that - // dont statisfy a policy rule resource description + // dont satisfy a policy rule resource description if err := MatchesResourceDescription(resource, rule, policyContext.AdmissionInfo); err != nil { - glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error()) + logger.V(3).Info("resource not matched", "reason", err.Error()) continue } @@ -55,8 +62,8 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { copyConditions := copyConditions(rule.Conditions) // evaluate pre-conditions // - handle variable subsitutions - if !variables.EvaluateConditions(ctx, copyConditions) { - glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName()) + if !variables.EvaluateConditions(logger, ctx, copyConditions) { + logger.V(3).Info("resource fails the preconditions") continue } @@ -66,7 +73,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { overlay := mutation.Overlay // subsiitue the variables var err error - if overlay, err = variables.SubstituteVars(ctx, overlay); err != nil { + if overlay, err = variables.SubstituteVars(logger, ctx, overlay); err != nil { // variable subsitution failed ruleResponse.Success = false ruleResponse.Message = err.Error() @@ -74,15 +81,13 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { continue } - ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, overlay, patchedResource) + ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, overlay, patchedResource) if ruleResponse.Success { // - overlay pattern does not match the resource conditions if ruleResponse.Patches == nil { - glog.V(4).Infof(ruleResponse.Message) continue } - - glog.V(4).Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName()) + logger.V(4).Info("overlay applied succesfully") } resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) @@ -92,36 +97,55 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { // Process Patches if rule.Mutation.Patches != nil { var ruleResponse response.RuleResponse - ruleResponse, patchedResource = mutate.ProcessPatches(rule, patchedResource) - glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName()) + ruleResponse, patchedResource = mutate.ProcessPatches(logger, rule, patchedResource) + logger.V(4).Info("patches applied successfully") resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) incrementAppliedRuleCount(&resp) } + } - // insert annotation to podtemplate if resource is pod controller - // skip inserting on existing resource - if reflect.DeepEqual(policyContext.AdmissionInfo, kyverno.RequestInfo{}) { - continue - } - - if strings.Contains(PodControllers, resource.GetKind()) { + // insert annotation to podtemplate if resource is pod controller + // skip inserting on existing resource + if policy.HasAutoGenAnnotation() && strings.Contains(PodControllers, resource.GetKind()) { + if !patchedResourceHasPodControllerAnnotation(patchedResource) { var ruleResponse response.RuleResponse - ruleResponse, patchedResource = mutate.ProcessOverlay(rule.Name, podTemplateRule, patchedResource) + ruleResponse, patchedResource = mutate.ProcessOverlay(logger, PodControllerRuleName, podTemplateRule.Mutation.Overlay, patchedResource) if !ruleResponse.Success { - glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message) - continue - } - - if ruleResponse.Success && ruleResponse.Patches != nil { - glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message) - resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) + logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message) + } else { + if ruleResponse.Success && ruleResponse.Patches != nil { + logger.V(3).Info("inserted annotation for podTemplate") + resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) + } } } } + // send the patched resource resp.PatchedResource = patchedResource return resp } + +func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructured) bool { + var podController struct { + Spec struct { + Template struct { + Metadata struct { + Annotations map[string]interface{} `json:"annotations"` + } `json:"metadata"` + } `json:"template"` + } `json:"spec"` + } + + resourceRaw, _ := json.Marshal(resource.Object) + _ = json.Unmarshal(resourceRaw, &podController) + + val, ok := podController.Spec.Template.Metadata.Annotations[PodTemplateAnnotation] + + log.Log.V(4).Info("patchedResourceHasPodControllerAnnotation", "resourceRaw", string(resourceRaw), "val", val, "ok", ok) + + return ok +} func incrementAppliedRuleCount(resp *response.EngineResponse) { resp.PolicyResponse.RulesAppliedCount++ } @@ -137,23 +161,21 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu // TODO(shuting): set response with mutationFailureAction } -func endMutateResultResponse(resp *response.EngineResponse, startTime time.Time) { +func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) { resp.PolicyResponse.ProcessingTime = time.Since(startTime) - glog.V(4).Infof("finished applying mutation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime) - glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy) + logger.V(4).Info("finished processing policy", "processingTime", resp.PolicyResponse.ProcessingTime, "mutationRulesApplied", resp.PolicyResponse.RulesAppliedCount) } // podTemplateRule mutate pod template with annotation // pod-policies.kyverno.io/autogen-applied=true var podTemplateRule = kyverno.Rule{ - Name: "autogen-annotate-podtemplate", Mutation: kyverno.Mutation{ Overlay: map[string]interface{}{ "spec": map[string]interface{}{ "template": map[string]interface{}{ "metadata": map[string]interface{}{ "annotations": map[string]interface{}{ - "+(pod-policies.kyverno.io/autogen-applied)": "true", + "+(" + PodTemplateAnnotation + ")": "true", }, }, }, diff --git a/pkg/engine/mutation_test.go b/pkg/engine/mutation_test.go index 278d9672f2..d019361026 100644 --- a/pkg/engine/mutation_test.go +++ b/pkg/engine/mutation_test.go @@ -67,11 +67,17 @@ func Test_VariableSubstitutionOverlay(t *testing.T) { expectedPatch := []byte(`{ "op": "add", "path": "/metadata/labels", "value":{"appname":"check-root-user"} }`) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + if err != nil { + t.Error(err) + } resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) ctx := context.NewContext() - ctx.AddResource(rawResource) + err = ctx.AddResource(rawResource) + if err != nil { + t.Error(err) + } value, err := ctx.Query("request.object.metadata.name") t.Log(value) if err != nil { @@ -139,19 +145,21 @@ func Test_variableSubstitutionPathNotExist(t *testing.T) { }`) var policy kyverno.ClusterPolicy - json.Unmarshal(policyraw, &policy) + err := json.Unmarshal(policyraw, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw) assert.NilError(t, err) ctx := context.NewContext() - ctx.AddResource(resourceRaw) + err = ctx.AddResource(resourceRaw) + assert.NilError(t, err) policyContext := PolicyContext{ Policy: policy, Context: ctx, NewResource: *resourceUnstructured} er := Mutate(policyContext) - expectedErrorStr := "[failed to resolve request.object.metadata.name1 at path /spec/name]" + expectedErrorStr := "could not find variable request.object.metadata.name1 at path /spec/name" t.Log(er.PolicyResponse.Rules[0].Message) assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr) } diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go index c97b2eccb8..79c252e823 100644 --- a/pkg/engine/utils.go +++ b/pkg/engine/utils.go @@ -9,8 +9,7 @@ import ( "github.com/nirmata/kyverno/pkg/utils" authenticationv1 "k8s.io/api/authentication/v1" rbacv1 "k8s.io/api/rbac/v1" - - "github.com/golang/glog" + "sigs.k8s.io/controller-runtime/pkg/log" "github.com/minio/minio/pkg/wildcard" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" @@ -19,6 +18,8 @@ import ( "k8s.io/apimachinery/pkg/labels" ) +var ExcludeUserInfo = []string{"system:nodes", "system:serviceaccounts:kube-system", "system:kube-scheduler"} + //EngineStats stores in the statistics for a single application of resource type EngineStats struct { // average time required to process the policy rules on a resource @@ -43,7 +44,7 @@ func checkName(name, resourceName string) bool { func checkNameSpace(namespaces []string, resourceNameSpace string) bool { for _, namespace := range namespaces { - if resourceNameSpace == namespace { + if wildcard.Match(namespace, resourceNameSpace) { return true } } @@ -53,7 +54,7 @@ func checkNameSpace(namespaces []string, resourceNameSpace string) bool { func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) { selector, err := metav1.LabelSelectorAsSelector(labelSelector) if err != nil { - glog.Error(err) + log.Log.Error(err, "failed to build label selector") return false, err } @@ -68,36 +69,41 @@ func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, var errs []error if len(conditionBlock.Kinds) > 0 { if !checkKind(conditionBlock.Kinds, resource.GetKind()) { - errs = append(errs, fmt.Errorf("resource kind does not match conditionBlock")) + errs = append(errs, fmt.Errorf("kind does not match")) } } if conditionBlock.Name != "" { if !checkName(conditionBlock.Name, resource.GetName()) { - errs = append(errs, fmt.Errorf("resource name does not match conditionBlock")) + errs = append(errs, fmt.Errorf("name does not match")) } } if len(conditionBlock.Namespaces) > 0 { if !checkNameSpace(conditionBlock.Namespaces, resource.GetNamespace()) { - errs = append(errs, fmt.Errorf("resource namespace does not match conditionBlock")) + errs = append(errs, fmt.Errorf("namespace does not match")) } } if conditionBlock.Selector != nil { hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels()) if err != nil { - errs = append(errs, fmt.Errorf("could not parse selector block of the policy in conditionBlock: %v", err)) + errs = append(errs, fmt.Errorf("failed to parse selector: %v", err)) } else { if !hasPassed { - errs = append(errs, fmt.Errorf("resource does not match selector of given conditionBlock")) + errs = append(errs, fmt.Errorf("selector does not match")) } } } - if len(userInfo.Roles) > 0 { - if !doesSliceContainsAnyOfTheseValues(userInfo.Roles, admissionInfo.Roles...) { + + keys := append(admissionInfo.AdmissionUserInfo.Groups, admissionInfo.AdmissionUserInfo.Username) + + if len(userInfo.Roles) > 0 && + !utils.SliceContains(keys, ExcludeUserInfo...) { + if !utils.SliceContains(userInfo.Roles, admissionInfo.Roles...) { errs = append(errs, fmt.Errorf("user info does not match roles for the given conditionBlock")) } } - if len(userInfo.ClusterRoles) > 0 { - if !doesSliceContainsAnyOfTheseValues(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { + if len(userInfo.ClusterRoles) > 0 && + !utils.SliceContains(keys, ExcludeUserInfo...) { + if !utils.SliceContains(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { errs = append(errs, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock")) } } @@ -115,6 +121,14 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User const SaPrefix = "system:serviceaccount:" userGroups := append(userInfo.Groups, userInfo.Username) + + // TODO: see issue https://github.com/nirmata/kyverno/issues/861 + ruleSubjects = append(ruleSubjects, + rbacv1.Subject{Kind: "Group", Name: "system:serviceaccounts:kube-system"}, + rbacv1.Subject{Kind: "Group", Name: "system:nodes"}, + rbacv1.Subject{Kind: "Group", Name: "system:kube-scheduler"}, + ) + for _, subject := range ruleSubjects { switch subject.Kind { case "ServiceAccount": @@ -135,22 +149,6 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User return false } -func doesSliceContainsAnyOfTheseValues(slice []string, values ...string) bool { - - var sliceElementsMap = make(map[string]bool, len(slice)) - for _, sliceElement := range slice { - sliceElementsMap[sliceElement] = true - } - - for _, value := range values { - if sliceElementsMap[value] { - return true - } - } - - return false -} - //MatchesResourceDescription checks if the resource matches resource description of the rule or not func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo) error { rule := *ruleRef.DeepCopy() @@ -164,26 +162,28 @@ func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef k } // checking if resource matches the rule - if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) { + if !reflect.DeepEqual(rule.MatchResources.ResourceDescription, kyverno.ResourceDescription{}) || + !reflect.DeepEqual(rule.MatchResources.UserInfo, kyverno.UserInfo{}) { matchErrs := doesResourceMatchConditionBlock(rule.MatchResources.ResourceDescription, rule.MatchResources.UserInfo, admissionInfo, resource) reasonsForFailure = append(reasonsForFailure, matchErrs...) } else { - reasonsForFailure = append(reasonsForFailure, fmt.Errorf("match block in rule cannot be empty")) + reasonsForFailure = append(reasonsForFailure, fmt.Errorf("match cannot be empty")) } // checking if resource has been excluded - if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) { + if !reflect.DeepEqual(rule.ExcludeResources.ResourceDescription, kyverno.ResourceDescription{}) || + !reflect.DeepEqual(rule.ExcludeResources.UserInfo, kyverno.UserInfo{}) { excludeErrs := doesResourceMatchConditionBlock(rule.ExcludeResources.ResourceDescription, rule.ExcludeResources.UserInfo, admissionInfo, resource) if excludeErrs == nil { - reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource has been excluded since it matches the exclude block")) + reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource excluded")) } } // creating final error - var errorMessage = "rule has failed to match resource for the following reasons:" + var errorMessage = "rule not matched:" for i, reasonForFailure := range reasonsForFailure { if reasonForFailure != nil { - errorMessage += "\n" + fmt.Sprint(i+1) + ". " + reasonForFailure.Error() + errorMessage += "\n " + fmt.Sprint(i+1) + ". " + reasonForFailure.Error() } } @@ -200,3 +200,15 @@ func copyConditions(original []kyverno.Condition) []kyverno.Condition { } return copy } + +// autoGenAnnotationApplied checks if a Pod has annotation "pod-policies.kyverno.io/autogen-applied" +func autoGenAnnotationApplied(resource unstructured.Unstructured) bool { + if resource.GetKind() == "Pod" { + ann := resource.GetAnnotations() + if _, ok := ann[PodTemplateAnnotation]; ok { + return true + } + } + + return false +} diff --git a/pkg/engine/utils/utils.go b/pkg/engine/utils/utils.go index 62b132f3ed..c5f7fafe6a 100644 --- a/pkg/engine/utils/utils.go +++ b/pkg/engine/utils/utils.go @@ -30,7 +30,7 @@ func (ri RuleType) String() string { } // ApplyPatches patches given resource with given patches and returns patched document -// return origin resource if any error occurs +// return original resource if any error occurs func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) { joinedPatches := JoinPatches(patches) patch, err := jsonpatch.DecodePatch(joinedPatches) @@ -42,6 +42,7 @@ func ApplyPatches(resource []byte, patches [][]byte) ([]byte, error) { if err != nil { return resource, err } + return patchedDocument, err } @@ -56,6 +57,7 @@ func ApplyPatchNew(resource, patch []byte) ([]byte, error) { if err != nil { return nil, err } + return patchedResource, err } diff --git a/pkg/engine/validate/pattern.go b/pkg/engine/validate/pattern.go index e7b37283bd..7779f9b6ca 100644 --- a/pkg/engine/validate/pattern.go +++ b/pkg/engine/validate/pattern.go @@ -1,12 +1,13 @@ package validate import ( + "fmt" "math" "regexp" "strconv" "strings" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/minio/minio/pkg/wildcard" "github.com/nirmata/kyverno/pkg/engine/operator" apiresource "k8s.io/apimachinery/pkg/api/resource" @@ -21,52 +22,52 @@ const ( ) // ValidateValueWithPattern validates value with operators and wildcards -func ValidateValueWithPattern(value, pattern interface{}) bool { +func ValidateValueWithPattern(log logr.Logger, value, pattern interface{}) bool { switch typedPattern := pattern.(type) { case bool: typedValue, ok := value.(bool) if !ok { - glog.V(4).Infof("Expected bool, found %T", value) + log.V(4).Info("Expected type bool", "type", fmt.Sprintf("%T", value), "value", value) return false } return typedPattern == typedValue case int: - return validateValueWithIntPattern(value, int64(typedPattern)) + return validateValueWithIntPattern(log, value, int64(typedPattern)) case int64: - return validateValueWithIntPattern(value, typedPattern) + return validateValueWithIntPattern(log, value, typedPattern) case float64: - return validateValueWithFloatPattern(value, typedPattern) + return validateValueWithFloatPattern(log, value, typedPattern) case string: - return validateValueWithStringPatterns(value, typedPattern) + return validateValueWithStringPatterns(log, value, typedPattern) case nil: - return validateValueWithNilPattern(value) + return validateValueWithNilPattern(log, value) case map[string]interface{}: // TODO: check if this is ever called? - return validateValueWithMapPattern(value, typedPattern) + return validateValueWithMapPattern(log, value, typedPattern) case []interface{}: // TODO: check if this is ever called? - glog.Warning("Arrays as patterns are not supported") + log.Info("arrays as patterns is not supported") return false default: - glog.Warningf("Unknown type as pattern: %v", typedPattern) + log.Info("Unkown type", "type", fmt.Sprintf("%T", typedPattern), "value", typedPattern) return false } } -func validateValueWithMapPattern(value interface{}, typedPattern map[string]interface{}) bool { +func validateValueWithMapPattern(log logr.Logger, value interface{}, typedPattern map[string]interface{}) bool { // verify the type of the resource value is map[string]interface, // we only check for existence of object, not the equality of content and value //TODO: check if adding _, ok := value.(map[string]interface{}) if !ok { - glog.Warningf("Expected map[string]interface{}, found %T\n", value) + log.Info("Expected type map[string]interface{}", "type", fmt.Sprintf("%T", value), "value", value) return false } return true } // Handler for int values during validation process -func validateValueWithIntPattern(value interface{}, pattern int64) bool { +func validateValueWithIntPattern(log logr.Logger, value interface{}, pattern int64) bool { switch typedValue := value.(type) { case int: return int64(typedValue) == pattern @@ -78,38 +79,38 @@ func validateValueWithIntPattern(value interface{}, pattern int64) bool { return int64(typedValue) == pattern } - glog.Warningf("Expected int, found float: %f\n", typedValue) + log.Info("Expected type int", "type", fmt.Sprintf("%T", typedValue), "value", typedValue) return false case string: // extract int64 from string int64Num, err := strconv.ParseInt(typedValue, 10, 64) if err != nil { - glog.Warningf("Failed to parse int64 from string: %v", err) + log.Error(err, "Failed to parse int64 from string") return false } return int64Num == pattern default: - glog.Warningf("Expected int, found: %T\n", value) + log.Info("Expected type int", "type", fmt.Sprintf("%T", value), "value", value) return false } } // Handler for float values during validation process -func validateValueWithFloatPattern(value interface{}, pattern float64) bool { +func validateValueWithFloatPattern(log logr.Logger, value interface{}, pattern float64) bool { switch typedValue := value.(type) { case int: // check that float has no fraction if pattern == math.Trunc(pattern) { return int(pattern) == value } - glog.Warningf("Expected float, found int: %d\n", typedValue) + log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue) return false case int64: // check that float has no fraction if pattern == math.Trunc(pattern) { return int64(pattern) == value } - glog.Warningf("Expected float, found int: %d\n", typedValue) + log.Info("Expected type float", "type", fmt.Sprintf("%T", typedValue), "value", typedValue) return false case float64: return typedValue == pattern @@ -117,18 +118,18 @@ func validateValueWithFloatPattern(value interface{}, pattern float64) bool { // extract float64 from string float64Num, err := strconv.ParseFloat(typedValue, 64) if err != nil { - glog.Warningf("Failed to parse float64 from string: %v", err) + log.Error(err, "Failed to parse float64 from string") return false } return float64Num == pattern default: - glog.Warningf("Expected float, found: %T\n", value) + log.Info("Expected type float", "type", fmt.Sprintf("%T", value), "value", value) return false } } // Handler for nil values during validation process -func validateValueWithNilPattern(value interface{}) bool { +func validateValueWithNilPattern(log logr.Logger, value interface{}) bool { switch typed := value.(type) { case float64: return typed == 0.0 @@ -143,20 +144,20 @@ func validateValueWithNilPattern(value interface{}) bool { case nil: return true case map[string]interface{}, []interface{}: - glog.Warningf("Maps and arrays could not be checked with nil pattern") + log.Info("Maps and arrays could not be checked with nil pattern") return false default: - glog.Warningf("Unknown type as value when checking for nil pattern: %T\n", value) + log.Info("Unknown type as value when checking for nil pattern", "type", fmt.Sprintf("%T", value), "value", value) return false } } // Handler for pattern values during validation process -func validateValueWithStringPatterns(value interface{}, pattern string) bool { +func validateValueWithStringPatterns(log logr.Logger, value interface{}, pattern string) bool { statements := strings.Split(pattern, "|") for _, statement := range statements { statement = strings.Trim(statement, " ") - if validateValueWithStringPattern(value, statement) { + if validateValueWithStringPattern(log, value, statement) { return true } } @@ -166,24 +167,24 @@ func validateValueWithStringPatterns(value interface{}, pattern string) bool { // Handler for single pattern value during validation process // Detects if pattern has a number -func validateValueWithStringPattern(value interface{}, pattern string) bool { +func validateValueWithStringPattern(log logr.Logger, value interface{}, pattern string) bool { operator := operator.GetOperatorFromStringPattern(pattern) pattern = pattern[len(operator):] number, str := getNumberAndStringPartsFromPattern(pattern) if "" == number { - return validateString(value, str, operator) + return validateString(log, value, str, operator) } - return validateNumberWithStr(value, pattern, operator) + return validateNumberWithStr(log, value, pattern, operator) } // Handler for string values -func validateString(value interface{}, pattern string, operatorVariable operator.Operator) bool { +func validateString(log logr.Logger, value interface{}, pattern string, operatorVariable operator.Operator) bool { if operator.NotEqual == operatorVariable || operator.Equal == operatorVariable { strValue, ok := value.(string) if !ok { - glog.Warningf("Expected string, found %T\n", value) + log.Info("Expected type string", "type", fmt.Sprintf("%T", value), "value", value) return false } @@ -195,17 +196,16 @@ func validateString(value interface{}, pattern string, operatorVariable operator return wildcardResult } - - glog.Warningf("Operators >, >=, <, <= are not applicable to strings") + log.Info("Operators >, >=, <, <= are not applicable to strings") return false } // validateNumberWithStr compares quantity if pattern type is quantity // or a wildcard match to pattern string -func validateNumberWithStr(value interface{}, pattern string, operator operator.Operator) bool { +func validateNumberWithStr(log logr.Logger, value interface{}, pattern string, operator operator.Operator) bool { typedValue, err := convertToString(value) if err != nil { - glog.Warning(err) + log.Error(err, "failed to convert to string") return false } @@ -214,7 +214,7 @@ func validateNumberWithStr(value interface{}, pattern string, operator operator. if err == nil { valueQuan, err := apiresource.ParseQuantity(typedValue) if err != nil { - glog.Warningf("Invalid quantity in resource %s, err: %v\n", typedValue, err) + log.Error(err, "invalid quantity in resource", "type", fmt.Sprintf("%T", typedValue), "value", typedValue) return false } @@ -223,7 +223,7 @@ func validateNumberWithStr(value interface{}, pattern string, operator operator. // 2. wildcard match if !wildcard.Match(pattern, typedValue) { - glog.Warningf("Value '%s' has not passed wildcard check: %s", typedValue, pattern) + log.Info("value failed wildcard check", "type", fmt.Sprintf("%T", typedValue), "value", typedValue, "check", pattern) return false } return true diff --git a/pkg/engine/validate/pattern_test.go b/pkg/engine/validate/pattern_test.go index 8ee4e34881..8d8d437d2b 100644 --- a/pkg/engine/validate/pattern_test.go +++ b/pkg/engine/validate/pattern_test.go @@ -6,13 +6,14 @@ import ( "github.com/nirmata/kyverno/pkg/engine/operator" "gotest.tools/assert" + "sigs.k8s.io/controller-runtime/pkg/log" ) func TestValidateValueWithPattern_Bool(t *testing.T) { - assert.Assert(t, ValidateValueWithPattern(true, true)) - assert.Assert(t, !ValidateValueWithPattern(true, false)) - assert.Assert(t, !ValidateValueWithPattern(false, true)) - assert.Assert(t, ValidateValueWithPattern(false, false)) + assert.Assert(t, ValidateValueWithPattern(log.Log, true, true)) + assert.Assert(t, !ValidateValueWithPattern(log.Log, true, false)) + assert.Assert(t, !ValidateValueWithPattern(log.Log, false, true)) + assert.Assert(t, ValidateValueWithPattern(log.Log, false, false)) } func TestValidateString_AsteriskTest(t *testing.T) { @@ -20,8 +21,8 @@ func TestValidateString_AsteriskTest(t *testing.T) { value := "anything" empty := "" - assert.Assert(t, validateString(value, pattern, operator.Equal)) - assert.Assert(t, validateString(empty, pattern, operator.Equal)) + assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal)) + assert.Assert(t, validateString(log.Log, empty, pattern, operator.Equal)) } func TestValidateString_LeftAsteriskTest(t *testing.T) { @@ -29,32 +30,32 @@ func TestValidateString_LeftAsteriskTest(t *testing.T) { value := "leftright" right := "right" - assert.Assert(t, validateString(value, pattern, operator.Equal)) - assert.Assert(t, validateString(right, pattern, operator.Equal)) + assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal)) + assert.Assert(t, validateString(log.Log, right, pattern, operator.Equal)) value = "leftmiddle" middle := "middle" - assert.Assert(t, !validateString(value, pattern, operator.Equal)) - assert.Assert(t, !validateString(middle, pattern, operator.Equal)) + assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal)) + assert.Assert(t, !validateString(log.Log, middle, pattern, operator.Equal)) } func TestValidateString_MiddleAsteriskTest(t *testing.T) { pattern := "ab*ba" value := "abbeba" - assert.Assert(t, validateString(value, pattern, operator.Equal)) + assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal)) value = "abbca" - assert.Assert(t, !validateString(value, pattern, operator.Equal)) + assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal)) } func TestValidateString_QuestionMark(t *testing.T) { pattern := "ab?ba" value := "abbba" - assert.Assert(t, validateString(value, pattern, operator.Equal)) + assert.Assert(t, validateString(log.Log, value, pattern, operator.Equal)) value = "abbbba" - assert.Assert(t, !validateString(value, pattern, operator.Equal)) + assert.Assert(t, !validateString(log.Log, value, pattern, operator.Equal)) } func TestValidateValueWithPattern_BoolInJson(t *testing.T) { @@ -76,7 +77,7 @@ func TestValidateValueWithPattern_BoolInJson(t *testing.T) { err = json.Unmarshal(rawValue, &value) assert.Assert(t, err) - assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"])) + assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"])) } func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) { @@ -98,7 +99,7 @@ func TestValidateValueWithPattern_NullPatternStringValue(t *testing.T) { err = json.Unmarshal(rawValue, &value) assert.Assert(t, err) - assert.Assert(t, !ValidateValueWithPattern(value["key"], pattern["key"])) + assert.Assert(t, !ValidateValueWithPattern(log.Log, value["key"], pattern["key"])) } func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) { @@ -120,7 +121,7 @@ func TestValidateValueWithPattern_NullPatternDefaultString(t *testing.T) { err = json.Unmarshal(rawValue, &value) assert.Assert(t, err) - assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"])) + assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"])) } func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) { @@ -142,7 +143,7 @@ func TestValidateValueWithPattern_NullPatternDefaultFloat(t *testing.T) { err = json.Unmarshal(rawValue, &value) assert.Assert(t, err) - assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"])) + assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"])) } func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) { @@ -164,7 +165,7 @@ func TestValidateValueWithPattern_NullPatternDefaultInt(t *testing.T) { err = json.Unmarshal(rawValue, &value) assert.Assert(t, err) - assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"])) + assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"])) } func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) { @@ -186,77 +187,77 @@ func TestValidateValueWithPattern_NullPatternDefaultBool(t *testing.T) { err = json.Unmarshal(rawValue, &value) assert.Assert(t, err) - assert.Assert(t, ValidateValueWithPattern(value["key"], pattern["key"])) + assert.Assert(t, ValidateValueWithPattern(log.Log, value["key"], pattern["key"])) } func TestValidateValueWithPattern_StringsLogicalOr(t *testing.T) { pattern := "192.168.88.1 | 10.100.11.*" value := "10.100.11.54" - assert.Assert(t, ValidateValueWithPattern(value, pattern)) + assert.Assert(t, ValidateValueWithPattern(log.Log, value, pattern)) } func TestValidateValueWithPattern_EqualTwoFloats(t *testing.T) { - assert.Assert(t, ValidateValueWithPattern(7.0, 7.000)) + assert.Assert(t, ValidateValueWithPattern(log.Log, 7.0, 7.000)) } func TestValidateValueWithNilPattern_NullPatternStringValue(t *testing.T) { - assert.Assert(t, !validateValueWithNilPattern("value")) + assert.Assert(t, !validateValueWithNilPattern(log.Log, "value")) } func TestValidateValueWithNilPattern_NullPatternDefaultString(t *testing.T) { - assert.Assert(t, validateValueWithNilPattern("")) + assert.Assert(t, validateValueWithNilPattern(log.Log, "")) } func TestValidateValueWithNilPattern_NullPatternDefaultFloat(t *testing.T) { - assert.Assert(t, validateValueWithNilPattern(0.0)) + assert.Assert(t, validateValueWithNilPattern(log.Log, 0.0)) } func TestValidateValueWithNilPattern_NullPatternFloat(t *testing.T) { - assert.Assert(t, !validateValueWithNilPattern(0.1)) + assert.Assert(t, !validateValueWithNilPattern(log.Log, 0.1)) } func TestValidateValueWithNilPattern_NullPatternDefaultInt(t *testing.T) { - assert.Assert(t, validateValueWithNilPattern(0)) + assert.Assert(t, validateValueWithNilPattern(log.Log, 0)) } func TestValidateValueWithNilPattern_NullPatternInt(t *testing.T) { - assert.Assert(t, !validateValueWithNilPattern(1)) + assert.Assert(t, !validateValueWithNilPattern(log.Log, 1)) } func TestValidateValueWithNilPattern_NullPatternDefaultBool(t *testing.T) { - assert.Assert(t, validateValueWithNilPattern(false)) + assert.Assert(t, validateValueWithNilPattern(log.Log, false)) } func TestValidateValueWithNilPattern_NullPatternTrueBool(t *testing.T) { - assert.Assert(t, !validateValueWithNilPattern(true)) + assert.Assert(t, !validateValueWithNilPattern(log.Log, true)) } func TestValidateValueWithFloatPattern_FloatValue(t *testing.T) { - assert.Assert(t, validateValueWithFloatPattern(7.9914, 7.9914)) + assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.9914, 7.9914)) } func TestValidateValueWithFloatPattern_FloatValueNotPass(t *testing.T) { - assert.Assert(t, !validateValueWithFloatPattern(7.9914, 7.99141)) + assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.9914, 7.99141)) } func TestValidateValueWithFloatPattern_FloatPatternWithoutFractionIntValue(t *testing.T) { - assert.Assert(t, validateValueWithFloatPattern(7, 7.000000)) + assert.Assert(t, validateValueWithFloatPattern(log.Log, 7, 7.000000)) } func TestValidateValueWithFloatPattern_FloatPatternWithoutFraction(t *testing.T) { - assert.Assert(t, validateValueWithFloatPattern(7.000000, 7.000000)) + assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7.000000)) } func TestValidateValueWithIntPattern_FloatValueWithoutFraction(t *testing.T) { - assert.Assert(t, validateValueWithFloatPattern(7.000000, 7)) + assert.Assert(t, validateValueWithFloatPattern(log.Log, 7.000000, 7)) } func TestValidateValueWithIntPattern_FloatValueWitFraction(t *testing.T) { - assert.Assert(t, !validateValueWithFloatPattern(7.000001, 7)) + assert.Assert(t, !validateValueWithFloatPattern(log.Log, 7.000001, 7)) } func TestValidateValueWithIntPattern_NotPass(t *testing.T) { - assert.Assert(t, !validateValueWithFloatPattern(8, 7)) + assert.Assert(t, !validateValueWithFloatPattern(log.Log, 8, 7)) } func TestGetNumberAndStringPartsFromPattern_NumberAndString(t *testing.T) { @@ -290,35 +291,35 @@ func TestGetNumberAndStringPartsFromPattern_Empty(t *testing.T) { } func TestValidateNumberWithStr_LessFloatAndInt(t *testing.T) { - assert.Assert(t, validateNumberWithStr(7.00001, "7.000001", operator.More)) - assert.Assert(t, validateNumberWithStr(7.00001, "7", operator.NotEqual)) + assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7.000001", operator.More)) + assert.Assert(t, validateNumberWithStr(log.Log, 7.00001, "7", operator.NotEqual)) - assert.Assert(t, validateNumberWithStr(7.0000, "7", operator.Equal)) - assert.Assert(t, !validateNumberWithStr(6.000000001, "6", operator.Less)) + assert.Assert(t, validateNumberWithStr(log.Log, 7.0000, "7", operator.Equal)) + assert.Assert(t, !validateNumberWithStr(log.Log, 6.000000001, "6", operator.Less)) } func TestValidateQuantity_InvalidQuantity(t *testing.T) { - assert.Assert(t, !validateNumberWithStr("1024Gi", "", operator.Equal)) - assert.Assert(t, !validateNumberWithStr("gii", "1024Gi", operator.Equal)) + assert.Assert(t, !validateNumberWithStr(log.Log, "1024Gi", "", operator.Equal)) + assert.Assert(t, !validateNumberWithStr(log.Log, "gii", "1024Gi", operator.Equal)) } func TestValidateQuantity_Equal(t *testing.T) { - assert.Assert(t, validateNumberWithStr("1024Gi", "1024Gi", operator.Equal)) - assert.Assert(t, validateNumberWithStr("1024Mi", "1Gi", operator.Equal)) - assert.Assert(t, validateNumberWithStr("0.2", "200m", operator.Equal)) - assert.Assert(t, validateNumberWithStr("500", "500", operator.Equal)) - assert.Assert(t, !validateNumberWithStr("2048", "1024", operator.Equal)) - assert.Assert(t, validateNumberWithStr(1024, "1024", operator.Equal)) + assert.Assert(t, validateNumberWithStr(log.Log, "1024Gi", "1024Gi", operator.Equal)) + assert.Assert(t, validateNumberWithStr(log.Log, "1024Mi", "1Gi", operator.Equal)) + assert.Assert(t, validateNumberWithStr(log.Log, "0.2", "200m", operator.Equal)) + assert.Assert(t, validateNumberWithStr(log.Log, "500", "500", operator.Equal)) + assert.Assert(t, !validateNumberWithStr(log.Log, "2048", "1024", operator.Equal)) + assert.Assert(t, validateNumberWithStr(log.Log, 1024, "1024", operator.Equal)) } func TestValidateQuantity_Operation(t *testing.T) { - assert.Assert(t, validateNumberWithStr("1Gi", "1000Mi", operator.More)) - assert.Assert(t, validateNumberWithStr("1G", "1Gi", operator.Less)) - assert.Assert(t, validateNumberWithStr("500m", "0.5", operator.MoreEqual)) - assert.Assert(t, validateNumberWithStr("1", "500m", operator.MoreEqual)) - assert.Assert(t, validateNumberWithStr("0.5", ".5", operator.LessEqual)) - assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.LessEqual)) - assert.Assert(t, validateNumberWithStr("0.2", ".5", operator.NotEqual)) + assert.Assert(t, validateNumberWithStr(log.Log, "1Gi", "1000Mi", operator.More)) + assert.Assert(t, validateNumberWithStr(log.Log, "1G", "1Gi", operator.Less)) + assert.Assert(t, validateNumberWithStr(log.Log, "500m", "0.5", operator.MoreEqual)) + assert.Assert(t, validateNumberWithStr(log.Log, "1", "500m", operator.MoreEqual)) + assert.Assert(t, validateNumberWithStr(log.Log, "0.5", ".5", operator.LessEqual)) + assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.LessEqual)) + assert.Assert(t, validateNumberWithStr(log.Log, "0.2", ".5", operator.NotEqual)) } func TestGetOperatorFromStringPattern_OneChar(t *testing.T) { diff --git a/pkg/engine/validate/validate.go b/pkg/engine/validate/validate.go index 9d94f07789..f148f88f85 100644 --- a/pkg/engine/validate/validate.go +++ b/pkg/engine/validate/validate.go @@ -3,20 +3,20 @@ package validate import ( "errors" "fmt" - "path/filepath" + "path" "reflect" "strconv" "strings" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/anchor" "github.com/nirmata/kyverno/pkg/engine/operator" ) // ValidateResourceWithPattern is a start of element-by-element validation process // It assumes that validation is started from root, so "/" is passed -func ValidateResourceWithPattern(resource, pattern interface{}) (string, error) { - path, err := validateResourceElement(resource, pattern, pattern, "/") +func ValidateResourceWithPattern(log logr.Logger, resource, pattern interface{}) (string, error) { + path, err := validateResourceElement(log, resource, pattern, pattern, "/") if err != nil { return path, err } @@ -27,44 +27,44 @@ func ValidateResourceWithPattern(resource, pattern interface{}) (string, error) // validateResourceElement detects the element type (map, array, nil, string, int, bool, float) // and calls corresponding handler // Pattern tree and resource tree can have different structure. In this case validation fails -func validateResourceElement(resourceElement, patternElement, originPattern interface{}, path string) (string, error) { +func validateResourceElement(log logr.Logger, resourceElement, patternElement, originPattern interface{}, path string) (string, error) { var err error switch typedPatternElement := patternElement.(type) { // map case map[string]interface{}: typedResourceElement, ok := resourceElement.(map[string]interface{}) if !ok { - glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement) + log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement)) return path, fmt.Errorf("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement) } - return validateMap(typedResourceElement, typedPatternElement, originPattern, path) + return validateMap(log, typedResourceElement, typedPatternElement, originPattern, path) // array case []interface{}: typedResourceElement, ok := resourceElement.([]interface{}) if !ok { - glog.V(4).Infof("Pattern and resource have different structures. Path: %s. Expected %T, found %T", path, patternElement, resourceElement) + log.V(4).Info("Pattern and resource have different structures.", "path", path, "expected", fmt.Sprintf("%T", patternElement), "current", fmt.Sprintf("%T", resourceElement)) return path, fmt.Errorf("Validation rule Failed at path %s, resource does not satisfy the expected overlay pattern", path) } - return validateArray(typedResourceElement, typedPatternElement, originPattern, path) + return validateArray(log, typedResourceElement, typedPatternElement, originPattern, path) // elementary values case string, float64, int, int64, bool, nil: /*Analyze pattern */ if checkedPattern := reflect.ValueOf(patternElement); checkedPattern.Kind() == reflect.String { if isStringIsReference(checkedPattern.String()) { //check for $ anchor - patternElement, err = actualizePattern(originPattern, checkedPattern.String(), path) + patternElement, err = actualizePattern(log, originPattern, checkedPattern.String(), path) if err != nil { return path, err } } } - if !ValidateValueWithPattern(resourceElement, patternElement) { + if !ValidateValueWithPattern(log, resourceElement, patternElement) { return path, fmt.Errorf("Validation rule failed at '%s' to validate value '%v' with pattern '%v'", path, resourceElement, patternElement) } default: - glog.V(4).Infof("Pattern contains unknown type %T. Path: %s", patternElement, path) + log.V(4).Info("Pattern contains unknown type", "path", path, "current", fmt.Sprintf("%T", patternElement)) return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path) } return "", nil @@ -72,7 +72,7 @@ func validateResourceElement(resourceElement, patternElement, originPattern inte // If validateResourceElement detects map element inside resource and pattern trees, it goes to validateMap // For each element of the map we must detect the type again, so we pass these elements to validateResourceElement -func validateMap(resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) { +func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) { // check if there is anchor in pattern // Phase 1 : Evaluate all the anchors // Phase 2 : Evaluate non-anchors @@ -91,7 +91,7 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int if err != nil { // If Conditional anchor fails then we dont process the resources if anchor.IsConditionAnchor(key) { - glog.V(4).Infof("condition anchor did not satisfy, wont process the resources: %s", err) + log.Error(err, "condition anchor did not satisfy, wont process the resource") return "", nil } return handlerPath, err @@ -109,7 +109,7 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int return "", nil } -func validateArray(resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) { +func validateArray(log logr.Logger, resourceArray, patternArray []interface{}, originPattern interface{}, path string) (string, error) { if 0 == len(patternArray) { return path, fmt.Errorf("Pattern Array empty") @@ -119,7 +119,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte case map[string]interface{}: // This is special case, because maps in arrays can have anchors that must be // processed with the special way affecting the entire array - path, err := validateArrayOfMaps(resourceArray, typedPatternElement, originPattern, path) + path, err := validateArrayOfMaps(log, resourceArray, typedPatternElement, originPattern, path) if err != nil { return path, err } @@ -127,7 +127,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte // In all other cases - detect type and handle each array element with validateResourceElement for i, patternElement := range patternArray { currentPath := path + strconv.Itoa(i) + "/" - path, err := validateResourceElement(resourceArray[i], patternElement, originPattern, currentPath) + path, err := validateResourceElement(log, resourceArray[i], patternElement, originPattern, currentPath) if err != nil { return path, err } @@ -137,7 +137,7 @@ func validateArray(resourceArray, patternArray []interface{}, originPattern inte return "", nil } -func actualizePattern(origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) { +func actualizePattern(log logr.Logger, origPattern interface{}, referencePattern, absolutePath string) (interface{}, error) { var foundValue interface{} referencePattern = strings.Trim(referencePattern, "$()") @@ -155,7 +155,7 @@ func actualizePattern(origPattern interface{}, referencePattern, absolutePath st // value := actualPath := formAbsolutePath(referencePattern, absolutePath) - valFromReference, err := getValueFromReference(origPattern, actualPath) + valFromReference, err := getValueFromReference(log, origPattern, actualPath) if err != nil { return err, nil } @@ -188,23 +188,23 @@ func valFromReferenceToString(value interface{}, operator string) (string, error // returns absolute path func formAbsolutePath(referencePath, absolutePath string) string { - if filepath.IsAbs(referencePath) { + if path.IsAbs(referencePath) { return referencePath } - return filepath.Join(absolutePath, referencePath) + return path.Join(absolutePath, referencePath) } //Prepares original pattern, path to value, and call traverse function -func getValueFromReference(origPattern interface{}, reference string) (interface{}, error) { +func getValueFromReference(log logr.Logger, origPattern interface{}, reference string) (interface{}, error) { originalPatternMap := origPattern.(map[string]interface{}) reference = reference[1:] statements := strings.Split(reference, "/") - return getValueFromPattern(originalPatternMap, statements, 0) + return getValueFromPattern(log, originalPatternMap, statements, 0) } -func getValueFromPattern(patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) { +func getValueFromPattern(log logr.Logger, patternMap map[string]interface{}, keys []string, currentKeyIndex int) (interface{}, error) { for key, pattern := range patternMap { rawKey := getRawKeyIfWrappedWithAttributes(key) @@ -221,19 +221,21 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre for i, value := range typedPattern { resourceMap, ok := value.(map[string]interface{}) if !ok { - glog.V(4).Infof("Pattern and resource have different structures. Expected %T, found %T", pattern, value) + log.V(4).Info("Pattern and resource have different structures.", "expected", fmt.Sprintf("%T", pattern), "current", fmt.Sprintf("%T", value)) return nil, fmt.Errorf("Validation rule failed, resource does not have expected pattern %v", patternMap) } if keys[currentKeyIndex+1] == strconv.Itoa(i) { - return getValueFromPattern(resourceMap, keys, currentKeyIndex+2) + return getValueFromPattern(log, resourceMap, keys, currentKeyIndex+2) } + // TODO : SA4004: the surrounding loop is unconditionally terminated (staticcheck) return nil, errors.New("Reference to non-existent place in the document") } + return nil, nil // Just a hack to fix the lint } return nil, errors.New("Reference to non-existent place in the document") case map[string]interface{}: if keys[currentKeyIndex] == rawKey { - return getValueFromPattern(typedPattern, keys, currentKeyIndex+1) + return getValueFromPattern(log, typedPattern, keys, currentKeyIndex+1) } return nil, errors.New("Reference to non-existent place in the document") case string, float64, int, int64, bool, nil: @@ -251,12 +253,12 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre // validateArrayOfMaps gets anchors from pattern array map element, applies anchors logic // and then validates each map due to the pattern -func validateArrayOfMaps(resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) { +func validateArrayOfMaps(log logr.Logger, resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) { for i, resourceElement := range resourceMapArray { // check the types of resource element // expect it to be map, but can be anything ?:( currentPath := path + strconv.Itoa(i) + "/" - returnpath, err := validateResourceElement(resourceElement, patternMap, originPattern, currentPath) + returnpath, err := validateResourceElement(log, resourceElement, patternMap, originPattern, currentPath) if err != nil { return returnpath, err } diff --git a/pkg/engine/validate/validate_test.go b/pkg/engine/validate/validate_test.go index acabd87ac1..7f916239e0 100644 --- a/pkg/engine/validate/validate_test.go +++ b/pkg/engine/validate/validate_test.go @@ -5,6 +5,7 @@ import ( "testing" "gotest.tools/assert" + "sigs.k8s.io/controller-runtime/pkg/log" ) func TestValidateMap(t *testing.T) { @@ -100,7 +101,7 @@ func TestValidateMap(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateMap(resource, pattern, pattern, "/") + path, err := validateMap(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -196,7 +197,7 @@ func TestValidateMap_AsteriskForInt(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateMap(resource, pattern, pattern, "/") + path, err := validateMap(log.Log, resource, pattern, pattern, "/") t.Log(path) assert.NilError(t, err) } @@ -289,7 +290,7 @@ func TestValidateMap_AsteriskForMap(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateMap(resource, pattern, pattern, "/") + path, err := validateMap(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -377,7 +378,7 @@ func TestValidateMap_AsteriskForArray(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateMap(resource, pattern, pattern, "/") + path, err := validateMap(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -468,7 +469,7 @@ func TestValidateMap_AsteriskFieldIsMissing(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateMap(resource, pattern, pattern, "/") + path, err := validateMap(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/spec/template/spec/containers/0/") assert.Assert(t, err != nil) } @@ -557,9 +558,10 @@ func TestValidateMap_livenessProbeIsNull(t *testing.T) { var pattern, resource map[string]interface{} assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) - json.Unmarshal(rawMap, &resource) + err := json.Unmarshal(rawMap, &resource) + assert.NilError(t, err) - path, err := validateMap(resource, pattern, pattern, "/") + path, err := validateMap(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -649,7 +651,7 @@ func TestValidateMap_livenessProbeIsMissing(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateMap(resource, pattern, pattern, "/") + path, err := validateMap(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -695,7 +697,7 @@ func TestValidateMapElement_TwoElementsInArrayOnePass(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") // assert.Equal(t, path, "/1/object/0/key2/") // assert.NilError(t, err) @@ -730,7 +732,7 @@ func TestValidateMapElement_OneElementInArrayPass(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -784,7 +786,7 @@ func TestValidateMap_CorrectRelativePathInConfig(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -838,7 +840,7 @@ func TestValidateMap_RelativePathDoesNotExists(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/") assert.Assert(t, err != nil) } @@ -892,7 +894,7 @@ func TestValidateMap_OnlyAnchorsInPath(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/") assert.Assert(t, err != nil) } @@ -946,7 +948,7 @@ func TestValidateMap_MalformedReferenceOnlyDolarMark(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/") assert.Assert(t, err != nil) } @@ -1000,7 +1002,7 @@ func TestValidateMap_RelativePathWithParentheses(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.NilError(t, err) } @@ -1054,7 +1056,7 @@ func TestValidateMap_MalformedPath(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/") assert.Assert(t, err != nil) } @@ -1108,7 +1110,7 @@ func TestValidateMap_AbosolutePathExists(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.Assert(t, err == nil) } @@ -1149,7 +1151,7 @@ func TestValidateMap_AbsolutePathToMetadata(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "") assert.Assert(t, err == nil) } @@ -1191,7 +1193,7 @@ func TestValidateMap_AbsolutePathToMetadata_fail(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/spec/containers/0/image/") assert.Assert(t, err != nil) } @@ -1245,7 +1247,7 @@ func TestValidateMap_AbosolutePathDoesNotExists(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) assert.Assert(t, json.Unmarshal(rawMap, &resource)) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/spec/containers/0/resources/requests/memory/") assert.Assert(t, err != nil) } @@ -1276,7 +1278,7 @@ func TestActualizePattern_GivenRelativePathThatExists(t *testing.T) { assert.Assert(t, json.Unmarshal(rawPattern, &pattern)) - pattern, err := actualizePattern(pattern, referencePath, absolutePath) + pattern, err := actualizePattern(log.Log, pattern, referencePath, absolutePath) assert.Assert(t, err == nil) } @@ -1344,10 +1346,12 @@ func TestValidateMapElement_OneElementInArrayNotPass(t *testing.T) { ]`) var pattern, resource interface{} - json.Unmarshal(rawPattern, &pattern) - json.Unmarshal(rawMap, &resource) + err := json.Unmarshal(rawPattern, &pattern) + assert.NilError(t, err) + err = json.Unmarshal(rawMap, &resource) + assert.NilError(t, err) - path, err := validateResourceElement(resource, pattern, pattern, "/") + path, err := validateResourceElement(log.Log, resource, pattern, pattern, "/") assert.Equal(t, path, "/0/object/0/key2/") assert.Assert(t, err != nil) } diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index de05323f87..a6c2de1374 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -5,7 +5,7 @@ import ( "reflect" "time" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/response" @@ -13,6 +13,7 @@ import ( "github.com/nirmata/kyverno/pkg/engine/validate" "github.com/nirmata/kyverno/pkg/engine/variables" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" ) //Validate applies validation rules from policy on the resource @@ -23,42 +24,59 @@ func Validate(policyContext PolicyContext) (resp response.EngineResponse) { oldR := policyContext.OldResource ctx := policyContext.Context admissionInfo := policyContext.AdmissionInfo + logger := log.Log.WithName("Validate").WithValues("policy", policy.Name) - // policy information - glog.V(4).Infof("started applying validation rules of policy %q (%v)", policy.Name, startTime) - - // Process new & old resource - if reflect.DeepEqual(oldR, unstructured.Unstructured{}) { - // Create Mode - // Operate on New Resource only - resp := validateResource(ctx, policy, newR, admissionInfo) - startResultResponse(resp, policy, newR) - defer endResultResponse(resp, startTime) - // set PatchedResource with origin resource if empty - // in order to create policy violation - if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) { - resp.PatchedResource = newR - } - return *resp + if reflect.DeepEqual(newR, unstructured.Unstructured{}) { + logger = logger.WithValues("kind", oldR.GetKind(), "namespace", oldR.GetNamespace(), "name", oldR.GetName()) + } else { + logger = logger.WithValues("kind", newR.GetKind(), "namespace", newR.GetNamespace(), "name", newR.GetName()) } - // Update Mode - // Operate on New and Old Resource only - // New resource - oldResponse := validateResource(ctx, policy, oldR, admissionInfo) - newResponse := validateResource(ctx, policy, newR, admissionInfo) - // if the old and new response is same then return empty response - if !isSameResponse(oldResponse, newResponse) { - // there are changes send response - startResultResponse(newResponse, policy, newR) - defer endResultResponse(newResponse, startTime) - if reflect.DeepEqual(newResponse.PatchedResource, unstructured.Unstructured{}) { - newResponse.PatchedResource = newR + logger.V(4).Info("start processing", "startTime", startTime) + + defer func() { + if reflect.DeepEqual(resp, response.EngineResponse{}) { + return } + var resource unstructured.Unstructured + if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) { + // for delete requests patched resource will be oldR since newR is empty + if reflect.DeepEqual(newR, unstructured.Unstructured{}) { + resource = oldR + } else { + resource = newR + } + } + for i := range resp.PolicyResponse.Rules { + messageInterface, err := variables.SubstituteVars(logger, ctx, resp.PolicyResponse.Rules[i].Message) + if err != nil { + continue + } + resp.PolicyResponse.Rules[i].Message, _ = messageInterface.(string) + } + resp.PatchedResource = resource + startResultResponse(&resp, policy, resource) + endResultResponse(logger, &resp, startTime) + }() + + // If request is delete, newR will be empty + if reflect.DeepEqual(newR, unstructured.Unstructured{}) { + return *isRequestDenied(logger, ctx, policy, oldR, admissionInfo) + } + + if denyResp := isRequestDenied(logger, ctx, policy, newR, admissionInfo); !denyResp.IsSuccesful() { + return *denyResp + } + + if reflect.DeepEqual(oldR, unstructured.Unstructured{}) { + return *validateResource(logger, ctx, policy, newR, admissionInfo) + } + + oldResponse := validateResource(logger, ctx, policy, oldR, admissionInfo) + newResponse := validateResource(logger, ctx, policy, newR, admissionInfo) + if !isSameResponse(oldResponse, newResponse) { return *newResponse } - // if there are no changes with old and new response then sent empty response - // skip processing return response.EngineResponse{} } @@ -73,10 +91,9 @@ func startResultResponse(resp *response.EngineResponse, policy kyverno.ClusterPo resp.PolicyResponse.ValidationFailureAction = policy.Spec.ValidationFailureAction } -func endResultResponse(resp *response.EngineResponse, startTime time.Time) { +func endResultResponse(log logr.Logger, resp *response.EngineResponse, startTime time.Time) { resp.PolicyResponse.ProcessingTime = time.Since(startTime) - glog.V(4).Infof("Finished applying validation rules policy %v (%v)", resp.PolicyResponse.Policy, resp.PolicyResponse.ProcessingTime) - glog.V(4).Infof("Validation Rules appplied successfully count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, resp.PolicyResponse.Policy) + log.V(4).Info("finshed processing", "processingTime", resp.PolicyResponse.ProcessingTime, "validationRulesApplied", resp.PolicyResponse.RulesAppliedCount) } func incrementAppliedCount(resp *response.EngineResponse) { @@ -84,37 +101,79 @@ func incrementAppliedCount(resp *response.EngineResponse) { resp.PolicyResponse.RulesAppliedCount++ } -func validateResource(ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse { +func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse { resp := &response.EngineResponse{} + + for _, rule := range policy.Spec.Rules { + if !rule.HasValidate() { + continue + } + + if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil { + log.V(4).Info("resource fails the match description", "reason", err.Error()) + continue + } + + preconditionsCopy := copyConditions(rule.Conditions) + + if !variables.EvaluateConditions(log, ctx, preconditionsCopy) { + log.V(4).Info("resource fails the preconditions") + continue + } + + if rule.Validation.Deny != nil { + denyConditionsCopy := copyConditions(rule.Validation.Deny.Conditions) + if len(rule.Validation.Deny.Conditions) == 0 || variables.EvaluateConditions(log, ctx, denyConditionsCopy) { + ruleResp := response.RuleResponse{ + Name: rule.Name, + Type: utils.Validation.String(), + Message: rule.Validation.Message, + Success: false, + } + resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp) + } + continue + } + + } + return resp +} + +func validateResource(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse { + resp := &response.EngineResponse{} + + if autoGenAnnotationApplied(resource) && policy.HasAutoGenAnnotation() { + return resp + } + for _, rule := range policy.Spec.Rules { if !rule.HasValidate() { continue } - startTime := time.Now() - glog.V(4).Infof("Time: Validate matchAdmissionInfo %v", time.Since(startTime)) // check if the resource satisfies the filter conditions defined in the rule // TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that - // dont statisfy a policy rule resource description + // dont satisfy a policy rule resource description if err := MatchesResourceDescription(resource, rule, admissionInfo); err != nil { - glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule:\n%s", resource.GetNamespace(), resource.GetName(), err.Error()) + log.V(4).Info("resource fails the match description", "reason", err.Error()) continue } // operate on the copy of the conditions, as we perform variable substitution - copyConditions := copyConditions(rule.Conditions) + preconditionsCopy := copyConditions(rule.Conditions) // evaluate pre-conditions // - handle variable subsitutions - if !variables.EvaluateConditions(ctx, copyConditions) { - glog.V(4).Infof("resource %s/%s does not satisfy the conditions for the rule ", resource.GetNamespace(), resource.GetName()) + if !variables.EvaluateConditions(log, ctx, preconditionsCopy) { + log.V(4).Info("resource fails the preconditions") continue } if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil { - ruleResponse := validatePatterns(ctx, resource, rule) + ruleResponse := validatePatterns(log, ctx, resource, rule) incrementAppliedCount(resp) resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse) } + } return resp } @@ -159,15 +218,17 @@ func isSameRules(oldRules []response.RuleResponse, newRules []response.RuleRespo } // validatePatterns validate pattern and anyPattern -func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) { +func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) { startTime := time.Now() - glog.V(4).Infof("started applying validation rule %q (%v)", rule.Name, startTime) + logger := log.WithValues("rule", rule.Name) + logger.V(4).Info("start processing rule", "startTime", startTime) resp.Name = rule.Name resp.Type = utils.Validation.String() defer func() { resp.RuleStats.ProcessingTime = time.Since(startTime) - glog.V(4).Infof("finished applying validation rule %q (%v)", resp.Name, resp.RuleStats.ProcessingTime) + logger.V(4).Info("finished processing rule", "processingTime", resp.RuleStats.ProcessingTime) }() + // work on a copy of validation rule validationRule := rule.Validation.DeepCopy() @@ -176,7 +237,7 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu // substitute variables in the pattern pattern := validationRule.Pattern var err error - if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil { + if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil { // variable subsitution failed resp.Success = false resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed. '%s'", @@ -184,15 +245,15 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu return resp } - if path, err := validate.ValidateResourceWithPattern(resource.Object, pattern); err != nil { + if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil { // validation failed resp.Success = false - resp.Message = fmt.Sprintf("Validation error: %s; Validation rule '%s' failed at path '%s'", + resp.Message = fmt.Sprintf("Validation error: %s; Validation rule %s failed at path %s", rule.Validation.Message, rule.Name, path) return resp } // rule application successful - glog.V(4).Infof("rule %s pattern validated successfully on resource %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName()) + logger.V(4).Info("successfully processed rule") resp.Success = true resp.Message = fmt.Sprintf("Validation rule '%s' succeeded.", rule.Name) return resp @@ -203,19 +264,18 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu var failedAnyPatternsErrors []error var err error for idx, pattern := range validationRule.AnyPattern { - if pattern, err = variables.SubstituteVars(ctx, pattern); err != nil { + if pattern, err = variables.SubstituteVars(logger, ctx, pattern); err != nil { // variable subsitution failed failedSubstitutionsErrors = append(failedSubstitutionsErrors, err) continue } - _, err := validate.ValidateResourceWithPattern(resource.Object, pattern) + _, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern) if err == nil { resp.Success = true resp.Message = fmt.Sprintf("Validation rule '%s' anyPattern[%d] succeeded.", rule.Name, idx) return resp } - glog.V(4).Infof("Validation error: %s; Validation rule %s anyPattern[%d] for %s/%s/%s", - rule.Validation.Message, rule.Name, idx, resource.GetKind(), resource.GetNamespace(), resource.GetName()) + logger.V(4).Info(fmt.Sprintf("validation rule failed for anyPattern[%d]", idx), "message", rule.Validation.Message) patternErr := fmt.Errorf("anyPattern[%d] failed; %s", idx, err) failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr) } @@ -234,7 +294,12 @@ func validatePatterns(ctx context.EvalInterface, resource unstructured.Unstructu errorStr = append(errorStr, err.Error()) } resp.Success = false - resp.Message = fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr) + log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr)) + if rule.Validation.Message == "" { + resp.Message = fmt.Sprintf("Validation rule '%s' has failed", rule.Name) + } else { + resp.Message = rule.Validation.Message + } return resp } } diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go index 2792723d09..03c3361768 100644 --- a/pkg/engine/validation_test.go +++ b/pkg/engine/validation_test.go @@ -4,9 +4,12 @@ import ( "encoding/json" "testing" + "k8s.io/api/admission/v1beta1" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/utils" + utils2 "github.com/nirmata/kyverno/pkg/utils" "gotest.tools/assert" ) @@ -23,7 +26,8 @@ func TestGetAnchorsFromMap_ThereAreAnchors(t *testing.T) { }`) var unmarshalled map[string]interface{} - json.Unmarshal(rawMap, &unmarshalled) + err := json.Unmarshal(rawMap, &unmarshalled) + assert.NilError(t, err) actualMap := utils.GetAnchorsFromMap(unmarshalled) assert.Equal(t, len(actualMap), 2) @@ -114,13 +118,14 @@ func TestValidate_image_tag_fail(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) msgs := []string{ "Validation rule 'validate-tag' succeeded.", - "Validation error: imagePullPolicy 'Always' required with tag 'latest'; Validation rule 'validate-latest' failed at path '/spec/containers/0/imagePullPolicy/'", + "Validation error: imagePullPolicy 'Always' required with tag 'latest'; Validation rule validate-latest failed at path /spec/containers/0/imagePullPolicy/", } er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) for index, r := range er.PolicyResponse.Rules { @@ -212,7 +217,8 @@ func TestValidate_image_tag_pass(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -289,12 +295,13 @@ func TestValidate_Fail_anyPattern(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) - msgs := []string{"Validation rule 'check-default-namespace' failed. [anyPattern[0] failed; Validation rule failed at '/metadata/namespace/' to validate value '' with pattern '?*' anyPattern[1] failed; Validation rule failed at '/metadata/namespace/' to validate value '' with pattern '!default']"} + msgs := []string{"A namespace is required"} for index, r := range er.PolicyResponse.Rules { assert.Equal(t, r.Message, msgs[index]) } @@ -370,12 +377,13 @@ func TestValidate_host_network_port(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) - msgs := []string{"Validation error: Host network and port are not allowed; Validation rule 'validate-host-network-port' failed at path '/spec/containers/0/ports/0/hostPort/'"} + msgs := []string{"Validation error: Host network and port are not allowed; Validation rule validate-host-network-port failed at path /spec/containers/0/ports/0/hostPort/"} for index, r := range er.PolicyResponse.Rules { assert.Equal(t, r.Message, msgs[index]) @@ -459,7 +467,8 @@ func TestValidate_anchor_arraymap_pass(t *testing.T) { } `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -547,12 +556,12 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) { } `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) - + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) - msgs := []string{"Validation error: Host path '/var/lib/' is not allowed; Validation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/path/'"} + msgs := []string{"Validation error: Host path '/var/lib/' is not allowed; Validation rule validate-host-path failed at path /spec/volumes/0/hostPath/path/"} for index, r := range er.PolicyResponse.Rules { assert.Equal(t, r.Message, msgs[index]) @@ -616,7 +625,8 @@ func TestValidate_anchor_map_notfound(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -688,7 +698,8 @@ func TestValidate_anchor_map_found_valid(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -760,12 +771,13 @@ func TestValidate_anchor_map_found_invalid(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) - msgs := []string{"Validation error: pod: validate run as non root user; Validation rule 'pod rule 2' failed at path '/spec/securityContext/runAsNonRoot/'"} + msgs := []string{"Validation error: pod: validate run as non root user; Validation rule pod rule 2 failed at path /spec/securityContext/runAsNonRoot/"} for index, r := range er.PolicyResponse.Rules { assert.Equal(t, r.Message, msgs[index]) @@ -834,7 +846,8 @@ func TestValidate_AnchorList_pass(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -908,7 +921,8 @@ func TestValidate_AnchorList_fail(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -982,7 +996,8 @@ func TestValidate_existenceAnchor_fail(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -1057,7 +1072,8 @@ func TestValidate_existenceAnchor_pass(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -1144,12 +1160,13 @@ func TestValidate_negationAnchor_deny(t *testing.T) { } `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) er := Validate(PolicyContext{Policy: policy, NewResource: *resourceUnstructured}) - msgs := []string{"Validation error: Host path is not allowed; Validation rule 'validate-host-path' failed at path '/spec/volumes/0/hostPath/'"} + msgs := []string{"Validation error: Host path is not allowed; Validation rule validate-host-path failed at path /spec/volumes/0/hostPath/"} for index, r := range er.PolicyResponse.Rules { assert.Equal(t, r.Message, msgs[index]) @@ -1230,7 +1247,8 @@ func TestValidate_negationAnchor_pass(t *testing.T) { `) var policy kyverno.ClusterPolicy - json.Unmarshal(rawPolicy, &policy) + err := json.Unmarshal(rawPolicy, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) assert.NilError(t, err) @@ -1297,12 +1315,14 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) { }`) var policy kyverno.ClusterPolicy - json.Unmarshal(policyraw, &policy) + err := json.Unmarshal(policyraw, &policy) + assert.NilError(t, err) resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw) assert.NilError(t, err) ctx := context.NewContext() - ctx.AddResource(resourceRaw) + err = ctx.AddResource(resourceRaw) + assert.NilError(t, err) policyContext := PolicyContext{ Policy: policy, @@ -1310,7 +1330,7 @@ func Test_VariableSubstitutionPathNotExistInPattern(t *testing.T) { NewResource: *resourceUnstructured} er := Validate(policyContext) assert.Assert(t, !er.PolicyResponse.Rules[0].Success) - assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation error: ; Validation rule 'test-path-not-exist' failed. '[failed to resolve [request.object.metadata.name1] at path /spec/containers/0/name]'") + assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation error: ; Validation rule 'test-path-not-exist' failed. 'could not find variable request.object.metadata.name1 at path /spec/containers/0/name'") } func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfies(t *testing.T) { @@ -1392,7 +1412,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_OnePatternStatisfies(t *t assert.NilError(t, err) ctx := context.NewContext() - ctx.AddResource(resourceRaw) + err = ctx.AddResource(resourceRaw) + assert.NilError(t, err) policyContext := PolicyContext{ Policy: policy, @@ -1482,7 +1503,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test assert.NilError(t, err) ctx := context.NewContext() - ctx.AddResource(resourceRaw) + err = ctx.AddResource(resourceRaw) + assert.NilError(t, err) policyContext := PolicyContext{ Policy: policy, @@ -1490,7 +1512,7 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathNotPresent(t *test NewResource: *resourceUnstructured} er := Validate(policyContext) assert.Assert(t, !er.PolicyResponse.Rules[0].Success) - assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Substitutions failed: [[failed to resolve [request.object.metadata.name1] at path /spec/template/spec/containers/0/name] [failed to resolve [request.object.metadata.name2] at path /spec/template/spec/containers/0/name]]") + assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Substitutions failed: [could not find variable request.object.metadata.name1 at path /spec/template/spec/containers/0/name could not find variable request.object.metadata.name2 at path /spec/template/spec/containers/0/name]") } func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatternSatisfy(t *testing.T) { @@ -1572,7 +1594,8 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter assert.NilError(t, err) ctx := context.NewContext() - ctx.AddResource(resourceRaw) + err = ctx.AddResource(resourceRaw) + assert.NilError(t, err) policyContext := PolicyContext{ Policy: policy, @@ -1582,5 +1605,119 @@ func Test_VariableSubstitutionPathNotExistInAnyPattern_AllPathPresent_NonePatter // expectedMsg := "Validation error: ; Validation rule test-path-not-exist anyPattern[0] failed at path /spec/template/spec/containers/0/name/. Validation rule test-path-not-exist anyPattern[1] failed at path /spec/template/spec/containers/0/name/." assert.Assert(t, !er.PolicyResponse.Rules[0].Success) - assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation rule 'test-path-not-exist' failed. [anyPattern[0] failed; Validation rule failed at '/spec/template/spec/containers/0/name/' to validate value 'pod-test-pod' with pattern 'test*' anyPattern[1] failed; Validation rule failed at '/spec/template/spec/containers/0/name/' to validate value 'pod-test-pod' with pattern 'test*']") + assert.Equal(t, er.PolicyResponse.Rules[0].Message, "Validation rule 'test-path-not-exist' has failed") +} + +func Test_denyFeatureIssue744(t *testing.T) { + testcases := []struct { + description string + policy []byte + request []byte + userInfo []byte + requestDenied bool + }{ + { + description: "Blocks delete requests for resources with label allow-deletes(success case)", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes-success"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`), + request: []byte(`{"uid":"b553344a-172a-4257-8ec4-a8f379f8b844","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"DELETE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":null,"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f093e3da-f13a-474f-87e8-43e98fe363bf","resourceVersion":"1983","creationTimestamp":"2020-05-06T20:28:43Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:28:43Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:28:43Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"DeleteOptions","apiVersion":"meta.k8s.io/v1","gracePeriodSeconds":30,"propagationPolicy":"Background"}}`), + userInfo: []byte(`{"roles":null,"clusterRoles":["cluster-admin","system:basic-user","system:discovery","system:public-info-viewer"],"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`), + requestDenied: true, + }, + { + description: "Blocks delete requests for resources with label allow-deletes(failure case)", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-deletes-failure"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`), + request: []byte(`{"uid":"9a83234d-95d1-4105-b6bf-7d72fd0183ce","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:nodes","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:36:51Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"10fb7e1f-3710-43fa-9b7d-fc532b5ff70e","resourceVersion":"2829","creationTimestamp":"2020-05-06T20:36:51Z","labels":{"allow-deletes":"false"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-deletes\":\"false\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:36:51Z"}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`), + userInfo: []byte(`{"roles":["kube-system:kubeadm:nodes-kubeadm-config","kube-system:kubeadm:kubelet-config-1.17"],"clusterRoles":["system:discovery","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:basic-user"],"userInfo":{"username":"kubernetes-admin","groups":["system:nodes","system:authenticated"]}}`), + requestDenied: false, + }, + { + description: "Blocks update requests for resources with label allow-updates(success case)", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-updates-success"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-updates","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Updating {{request.object.kind}} / {{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equals","value":"UPDATE"}]}}}]}}`), + request: []byte(`{"uid":"7b0600b7-0258-4ecb-9666-c2839bd19612","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"subResource":"status","requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"requestSubResource":"status","name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"system:node:kind-control-plane","groups":["system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","podIP":"10.244.0.8","podIPs":[{"ip":"10.244.0.8"}],"startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2020-05-06T20:42:01Z","finishedAt":"2020-05-06T20:42:01Z","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/library/hello-world:latest","imageID":"docker.io/library/hello-world@sha256:8e3114318a995a1ee497790535e7b88365222a21771ae7e53687ad76563e8e76","containerID":"containerd://46dc1c3dead976b5cc6e5f6a8dc86988e8ce401e6fd903d4637848dd4baac0c4","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"2b42971e-6fcf-41a7-ae44-80963f957eae","resourceVersion":"3438","creationTimestamp":"2020-05-06T20:41:37Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:41:37Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:41:37Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`), + userInfo: []byte(`{"roles":["kube-system:kubeadm:kubelet-config-1.17","kube-system:kubeadm:nodes-kubeadm-config"],"clusterRoles":["system:basic-user","system:certificates.k8s.io:certificatesigningrequests:selfnodeclient","system:public-info-viewer","system:discovery"],"userInfo":{"username":"kubernetes-admin","groups":["system:authenticated"]}}`), + requestDenied: true, + }, + { + description: "Blocks update requests for resources with label allow-updates(failure case)", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-updates-failure"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.oldObject.kind}} / {{request.oldObject.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}]}}`), + request: []byte(`{"uid":"9c284cdb-b0de-42aa-adf5-649a44bc861b","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"CREATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"41a928a7-73f4-419f-bd64-de11f4f0a8ca","creationTimestamp":"2020-05-06T20:43:50Z","labels":{"allow-updates":"false","something":"hereeeeeseee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"hereeeeeseee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj"}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}`), + userInfo: []byte(`{"roles":null,"clusterRoles":["system:public-info-viewer","cluster-admin","system:discovery","system:basic-user"],"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`), + requestDenied: false, + }, + { + description: "Blocks certain fields(success case)", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update-success"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`), + request: []byte(`{"uid":"11d46f83-a31b-444e-8209-c43b24f1af8a","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"42bd0f0a-4b1f-4f7c-a40d-4dbed5522732","resourceVersion":"4333","creationTimestamp":"2020-05-06T20:51:58Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"42bd0f0a-4b1f-4f7c-a40d-4dbed5522732","resourceVersion":"4333","creationTimestamp":"2020-05-06T20:51:58Z","labels":{"allow-updates":"false","something":"exists","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"exists\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`), + userInfo: []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`), + requestDenied: true, + }, + { + description: "Blocks certain fields(failure case)", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"prevent-field-update-failure"},"spec":{"validationFailureAction":"enforce","background":false,"rules":[{"name":"prevent-field-update","match":{"resources":{"selector":{"matchLabels":{"allow-updates":"false"}}}},"validate":{"message":"Updating field label 'something' is not allowed","deny":{"conditions":[{"key":"{{request.object.metadata.labels.something}}","operator":"NotEqual","value":""},{"key":"{{request.object.metadata.labels.something}}","operator":"NotEquals","value":"{{request.oldObject.metadata.labels.something}}"}]}}}]}}`), + request: []byte(`{"uid":"cbdce9bb-741d-466a-a440-36155eb4b45b","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"kube-system","operation":"CREATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"kube-system","uid":"490c240c-f96a-4d5a-8860-75597bab0a7e","creationTimestamp":"2020-05-06T21:01:50Z","annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"name\":\"hello-world\",\"namespace\":\"kube-system\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-8h2h8","secret":{"secretName":"default-token-8h2h8"}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-8h2h8","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"Burstable"}},"oldObject":null,"dryRun":false,"options":{"kind":"CreateOptions","apiVersion":"meta.k8s.io/v1"}}`), + userInfo: []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`), + requestDenied: false, + }, + { + description: "Deny all requests on a namespace", + policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"block-request"},"spec":{"validationFailureAction":"enforce","rules":[{"name":"block-request","match":{"resources":{"namespaces":["kube-system"]}},"validate":{"deny":{}}}]}}`), + request: []byte(`{"uid":"2cf2b192-2c25-4f14-ac3a-315408d398f2","kind":{"group":"","version":"v1","kind":"Pod"},"resource":{"group":"","version":"v1","resource":"pods"},"requestKind":{"group":"","version":"v1","kind":"Pod"},"requestResource":{"group":"","version":"v1","resource":"pods"},"name":"hello-world","namespace":"default","operation":"UPDATE","userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]},"object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f5c33eaf-79d8-4bc0-8819-749b3606012c","resourceVersion":"5470","creationTimestamp":"2020-05-06T20:57:15Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:57:15Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"oldObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"hello-world","namespace":"default","uid":"f5c33eaf-79d8-4bc0-8819-749b3606012c","resourceVersion":"5470","creationTimestamp":"2020-05-06T20:57:15Z","labels":{"allow-updates":"false","something":"existes","something2":"feeereeeeeeeee"},"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"v1\",\"kind\":\"Pod\",\"metadata\":{\"annotations\":{},\"labels\":{\"allow-updates\":\"false\",\"something\":\"existes\",\"something2\":\"feeereeeeeeeee\"},\"name\":\"hello-world\",\"namespace\":\"default\"},\"spec\":{\"containers\":[{\"image\":\"hello-world:latest\",\"name\":\"hello-world\",\"ports\":[{\"containerPort\":80}],\"resources\":{\"limits\":{\"cpu\":\"0.2\",\"memory\":\"30Mi\"},\"requests\":{\"cpu\":\"0.1\",\"memory\":\"20Mi\"}}}]}}\n"}},"spec":{"volumes":[{"name":"default-token-4q2mj","secret":{"secretName":"default-token-4q2mj","defaultMode":420}}],"containers":[{"name":"hello-world","image":"hello-world:latest","ports":[{"containerPort":80,"protocol":"TCP"}],"resources":{"limits":{"cpu":"200m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}},"volumeMounts":[{"name":"default-token-4q2mj","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kind-control-plane","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z","reason":"ContainersNotReady","message":"containers with unready status: [hello-world]"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-05-06T20:57:15Z"}],"hostIP":"172.17.0.2","startTime":"2020-05-06T20:57:15Z","containerStatuses":[{"name":"hello-world","state":{"waiting":{"reason":"ContainerCreating"}},"lastState":{},"ready":false,"restartCount":0,"image":"hello-world:latest","imageID":"","started":false}],"qosClass":"Burstable"}},"dryRun":false,"options":{"kind":"UpdateOptions","apiVersion":"meta.k8s.io/v1"}}`), + userInfo: []byte(`{"roles":null,"clusterRoles":null,"userInfo":{"username":"kubernetes-admin","groups":["system:masters","system:authenticated"]}}`), + requestDenied: false, + }, + } + + var err error + for _, testcase := range testcases { + var policy kyverno.ClusterPolicy + err = json.Unmarshal(testcase.policy, &policy) + if err != nil { + t.Fatal(err) + } + + var request *v1beta1.AdmissionRequest + err = json.Unmarshal(testcase.request, &request) + if err != nil { + t.Fatal(err) + } + + var userInfo kyverno.RequestInfo + err = json.Unmarshal(testcase.userInfo, &userInfo) + if err != nil { + t.Fatal(err) + } + + ctx := context.NewContext() + err = ctx.AddRequest(request) + if err != nil { + t.Fatal(err) + } + err = ctx.AddUserInfo(userInfo) + if err != nil { + t.Fatal(err) + } + err = ctx.AddSA(userInfo.AdmissionUserInfo.Username) + if err != nil { + t.Fatal(err) + } + + newR, oldR, err := utils2.ExtractResources(nil, request) + if err != nil { + t.Fatal(err) + } + + pc := PolicyContext{ + Policy: policy, + NewResource: newR, + OldResource: oldR, + AdmissionInfo: userInfo, + Context: ctx, + } + resp := Validate(pc) + if resp.IsSuccesful() == !testcase.requestDenied { + continue + } + + t.Errorf("Testcase has failed, policy: %v", policy.Name) + } } diff --git a/pkg/engine/variables/common.go b/pkg/engine/variables/common.go new file mode 100644 index 0000000000..febc1ccb6a --- /dev/null +++ b/pkg/engine/variables/common.go @@ -0,0 +1,12 @@ +package variables + +import ( + "regexp" +) + +//IsVariable returns true if the element contains a 'valid' variable {{}} +func IsVariable(element string) bool { + validRegex := regexp.MustCompile(variableRegex) + groups := validRegex.FindAllStringSubmatch(element, -1) + return len(groups) != 0 +} diff --git a/pkg/engine/variables/evaluate.go b/pkg/engine/variables/evaluate.go index 519a909d01..d0ebf7ed74 100644 --- a/pkg/engine/variables/evaluate.go +++ b/pkg/engine/variables/evaluate.go @@ -1,16 +1,16 @@ package variables import ( - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/variables/operator" ) //Evaluate evaluates the condition -func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool { +func Evaluate(log logr.Logger, ctx context.EvalInterface, condition kyverno.Condition) bool { // get handler for the operator - handle := operator.CreateOperatorHandler(ctx, condition.Operator, SubstituteVars) + handle := operator.CreateOperatorHandler(log, ctx, condition.Operator, SubstituteVars) if handle == nil { return false } @@ -18,11 +18,10 @@ func Evaluate(ctx context.EvalInterface, condition kyverno.Condition) bool { } //EvaluateConditions evaluates multiple conditions -func EvaluateConditions(ctx context.EvalInterface, conditions []kyverno.Condition) bool { +func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyverno.Condition) bool { // AND the conditions for _, condition := range conditions { - if !Evaluate(ctx, condition) { - glog.V(4).Infof("condition %v failed", condition) + if !Evaluate(log, ctx, condition) { return false } } diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go index 33b3a4f2b7..d7d409b8f5 100644 --- a/pkg/engine/variables/evaluate_test.go +++ b/pkg/engine/variables/evaluate_test.go @@ -6,6 +6,7 @@ import ( kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" + "sigs.k8s.io/controller-runtime/pkg/log" ) // STRINGS @@ -18,7 +19,7 @@ func Test_Eval_Equal_Const_String_Pass(t *testing.T) { Value: "name", } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -32,7 +33,7 @@ func Test_Eval_Equal_Const_String_Fail(t *testing.T) { Value: "name1", } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -46,7 +47,7 @@ func Test_Eval_NoEqual_Const_String_Pass(t *testing.T) { Value: "name1", } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -60,7 +61,7 @@ func Test_Eval_NoEqual_Const_String_Fail(t *testing.T) { Value: "name", } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -76,7 +77,7 @@ func Test_Eval_Equal_Const_Bool_Pass(t *testing.T) { Value: true, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -90,7 +91,7 @@ func Test_Eval_Equal_Const_Bool_Fail(t *testing.T) { Value: false, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -104,7 +105,7 @@ func Test_Eval_NoEqual_Const_Bool_Pass(t *testing.T) { Value: false, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -118,7 +119,7 @@ func Test_Eval_NoEqual_Const_Bool_Fail(t *testing.T) { Value: true, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -133,7 +134,7 @@ func Test_Eval_Equal_Const_int_Pass(t *testing.T) { Value: 1, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -147,7 +148,7 @@ func Test_Eval_Equal_Const_int_Fail(t *testing.T) { Value: 2, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -161,7 +162,7 @@ func Test_Eval_NoEqual_Const_int_Pass(t *testing.T) { Value: 2, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -175,7 +176,7 @@ func Test_Eval_NoEqual_Const_int_Fail(t *testing.T) { Value: 1, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -190,7 +191,7 @@ func Test_Eval_Equal_Const_int64_Pass(t *testing.T) { Value: int64(1), } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -204,7 +205,7 @@ func Test_Eval_Equal_Const_int64_Fail(t *testing.T) { Value: int64(2), } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -218,7 +219,7 @@ func Test_Eval_NoEqual_Const_int64_Pass(t *testing.T) { Value: int64(2), } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -232,7 +233,7 @@ func Test_Eval_NoEqual_Const_int64_Fail(t *testing.T) { Value: int64(1), } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -248,7 +249,7 @@ func Test_Eval_Equal_Const_float64_Pass(t *testing.T) { Value: 1.5, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -262,7 +263,7 @@ func Test_Eval_Equal_Const_float64_Fail(t *testing.T) { Value: 1.6, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -276,7 +277,7 @@ func Test_Eval_NoEqual_Const_float64_Pass(t *testing.T) { Value: 1.6, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -290,7 +291,7 @@ func Test_Eval_NoEqual_Const_float64_Fail(t *testing.T) { Value: 1.5, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -320,7 +321,7 @@ func Test_Eval_Equal_Const_object_Pass(t *testing.T) { Value: obj2, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -348,7 +349,7 @@ func Test_Eval_Equal_Const_object_Fail(t *testing.T) { Value: obj2, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -376,7 +377,7 @@ func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) { Value: obj2, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -404,7 +405,7 @@ func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) { Value: obj2, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -434,7 +435,7 @@ func Test_Eval_Equal_Const_list_Pass(t *testing.T) { Value: obj2, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -460,7 +461,7 @@ func Test_Eval_Equal_Const_list_Fail(t *testing.T) { Value: obj2, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -486,7 +487,7 @@ func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) { Value: obj2, } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -512,7 +513,7 @@ func Test_Eval_NotEqual_Const_list_Fail(t *testing.T) { Value: obj2, } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } @@ -545,7 +546,7 @@ func Test_Eval_Equal_Var_Pass(t *testing.T) { Value: "temp", } - if !Evaluate(ctx, condition) { + if !Evaluate(log.Log, ctx, condition) { t.Error("expected to pass") } } @@ -576,7 +577,7 @@ func Test_Eval_Equal_Var_Fail(t *testing.T) { Value: "temp1", } - if Evaluate(ctx, condition) { + if Evaluate(log.Log, ctx, condition) { t.Error("expected to fail") } } diff --git a/pkg/engine/variables/operator/equal.go b/pkg/engine/variables/operator/equal.go index 81ea80c621..1bc181f0f8 100644 --- a/pkg/engine/variables/operator/equal.go +++ b/pkg/engine/variables/operator/equal.go @@ -1,19 +1,21 @@ package operator import ( + "fmt" "math" "reflect" "strconv" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/context" ) //NewEqualHandler returns handler to manage Equal operations -func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler { +func NewEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler { return EqualHandler{ ctx: ctx, subHandler: subHandler, + log: log, } } @@ -21,6 +23,7 @@ func NewEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionH type EqualHandler struct { ctx context.EvalInterface subHandler VariableSubstitutionHandler + log logr.Logger } //Evaluate evaluates expression with Equal Operator @@ -28,14 +31,14 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool { var err error //TODO: decouple variables from evaluation // substitute the variables - if key, err = eh.subHandler(eh.ctx, key); err != nil { + if key, err = eh.subHandler(eh.log, eh.ctx, key); err != nil { // Failed to resolve the variable - glog.Infof("Failed to resolve variables in key: %s: %v", key, err) + eh.log.Error(err, "Failed to resolve variable", "variable", key) return false } - if value, err = eh.subHandler(eh.ctx, value); err != nil { + if value, err = eh.subHandler(eh.log, eh.ctx, value); err != nil { // Failed to resolve the variable - glog.Infof("Failed to resolve variables in value: %s: %v", value, err) + eh.log.Error(err, "Failed to resolve variable", "variable", value) return false } @@ -56,7 +59,7 @@ func (eh EqualHandler) Evaluate(key, value interface{}) bool { case []interface{}: return eh.validateValueWithSlicePattern(typedKey, value) default: - glog.Errorf("Unsupported type %v", typedKey) + eh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey)) return false } } @@ -65,7 +68,7 @@ func (eh EqualHandler) validateValueWithSlicePattern(key []interface{}, value in if val, ok := value.([]interface{}); ok { return reflect.DeepEqual(key, val) } - glog.Warningf("Expected []interface{}, %v is of type %T", value, value) + eh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value)) return false } @@ -73,7 +76,7 @@ func (eh EqualHandler) validateValueWithMapPattern(key map[string]interface{}, v if val, ok := value.(map[string]interface{}); ok { return reflect.DeepEqual(key, val) } - glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value) + eh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value)) return false } @@ -81,7 +84,8 @@ func (eh EqualHandler) validateValuewithStringPattern(key string, value interfac if val, ok := value.(string); ok { return key == val } - glog.Warningf("Expected string, %v is of type %T", value, value) + + eh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value)) return false } @@ -92,25 +96,25 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac if key == math.Trunc(key) { return int(key) == typedValue } - glog.Warningf("Expected float, found int: %d\n", typedValue) + eh.log.Info("Expected type float, found int", "typedValue", typedValue) case int64: // check that float has not fraction if key == math.Trunc(key) { return int64(key) == typedValue } - glog.Warningf("Expected float, found int: %d\n", typedValue) + eh.log.Info("Expected type float, found int", "typedValue", typedValue) case float64: return typedValue == key case string: // extract float from string float64Num, err := strconv.ParseFloat(typedValue, 64) if err != nil { - glog.Warningf("Failed to parse float64 from string: %v", err) + eh.log.Error(err, "Failed to parse float64 from string") return false } return float64Num == key default: - glog.Warningf("Expected float, found: %T\n", value) + eh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value)) return false } return false @@ -119,7 +123,7 @@ func (eh EqualHandler) validateValuewithFloatPattern(key float64, value interfac func (eh EqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool { typedValue, ok := value.(bool) if !ok { - glog.Error("Expected bool, found %V", value) + eh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value)) return false } return key == typedValue @@ -136,18 +140,18 @@ func (eh EqualHandler) validateValuewithIntPattern(key int64, value interface{}) if typedValue == math.Trunc(typedValue) { return int64(typedValue) == key } - glog.Warningf("Expected int, found float: %f", typedValue) + eh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue)) return false case string: // extract in64 from string int64Num, err := strconv.ParseInt(typedValue, 10, 64) if err != nil { - glog.Warningf("Failed to parse int64 from string: %v", err) + eh.log.Error(err, "Failed to parse int64 from string") return false } return int64Num == key default: - glog.Warningf("Expected int, %v is of type %T", value, value) + eh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value)) return false } } diff --git a/pkg/engine/variables/operator/notequal.go b/pkg/engine/variables/operator/notequal.go index 9af9e891f3..ce9b4e87f8 100644 --- a/pkg/engine/variables/operator/notequal.go +++ b/pkg/engine/variables/operator/notequal.go @@ -1,19 +1,21 @@ package operator import ( + "fmt" "math" "reflect" "strconv" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/context" ) //NewNotEqualHandler returns handler to manage NotEqual operations -func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler { +func NewNotEqualHandler(log logr.Logger, ctx context.EvalInterface, subHandler VariableSubstitutionHandler) OperatorHandler { return NotEqualHandler{ ctx: ctx, subHandler: subHandler, + log: log, } } @@ -21,6 +23,7 @@ func NewNotEqualHandler(ctx context.EvalInterface, subHandler VariableSubstituti type NotEqualHandler struct { ctx context.EvalInterface subHandler VariableSubstitutionHandler + log logr.Logger } //Evaluate evaluates expression with NotEqual Operator @@ -28,14 +31,14 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool { var err error //TODO: decouple variables from evaluation // substitute the variables - if key, err = neh.subHandler(neh.ctx, key); err != nil { + if key, err = neh.subHandler(neh.log, neh.ctx, key); err != nil { // Failed to resolve the variable - glog.Infof("Failed to resolve variables in key: %s: %v", key, err) + neh.log.Error(err, "Failed to resolve variable", "variable", key) return false } - if value, err = neh.subHandler(neh.ctx, value); err != nil { + if value, err = neh.subHandler(neh.log, neh.ctx, value); err != nil { // Failed to resolve the variable - glog.Infof("Failed to resolve variables in value: %s: %v", value, err) + neh.log.Error(err, "Failed to resolve variable", "variable", value) return false } // key and value need to be of same type @@ -55,7 +58,7 @@ func (neh NotEqualHandler) Evaluate(key, value interface{}) bool { case []interface{}: return neh.validateValueWithSlicePattern(typedKey, value) default: - glog.Error("Unsupported type %V", typedKey) + neh.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey)) return false } } @@ -64,7 +67,7 @@ func (neh NotEqualHandler) validateValueWithSlicePattern(key []interface{}, valu if val, ok := value.([]interface{}); ok { return !reflect.DeepEqual(key, val) } - glog.Warningf("Expected []interface{}, %v is of type %T", value, value) + neh.log.Info("Expected type []interface{}", "value", value, "type", fmt.Sprintf("%T", value)) return false } @@ -72,7 +75,7 @@ func (neh NotEqualHandler) validateValueWithMapPattern(key map[string]interface{ if val, ok := value.(map[string]interface{}); ok { return !reflect.DeepEqual(key, val) } - glog.Warningf("Expected map[string]interface{}, %v is of type %T", value, value) + neh.log.Info("Expected type map[string]interface{}", "value", value, "type", fmt.Sprintf("%T", value)) return false } @@ -80,7 +83,7 @@ func (neh NotEqualHandler) validateValuewithStringPattern(key string, value inte if val, ok := value.(string); ok { return key != val } - glog.Warningf("Expected string, %v is of type %T", value, value) + neh.log.Info("Expected type string", "value", value, "type", fmt.Sprintf("%T", value)) return false } @@ -91,25 +94,25 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte if key == math.Trunc(key) { return int(key) != typedValue } - glog.Warningf("Expected float, found int: %d\n", typedValue) + neh.log.Info("Expected type float, found int", "typedValue", typedValue) case int64: // check that float has not fraction if key == math.Trunc(key) { return int64(key) != typedValue } - glog.Warningf("Expected float, found int: %d\n", typedValue) + neh.log.Info("Expected type float, found int", "typedValue", typedValue) case float64: return typedValue != key case string: // extract float from string float64Num, err := strconv.ParseFloat(typedValue, 64) if err != nil { - glog.Warningf("Failed to parse float64 from string: %v", err) + neh.log.Error(err, "Failed to parse float64 from string") return false } return float64Num != key default: - glog.Warningf("Expected float, found: %T\n", value) + neh.log.Info("Expected type float", "value", value, "type", fmt.Sprintf("%T", value)) return false } return false @@ -118,7 +121,7 @@ func (neh NotEqualHandler) validateValuewithFloatPattern(key float64, value inte func (neh NotEqualHandler) validateValuewithBoolPattern(key bool, value interface{}) bool { typedValue, ok := value.(bool) if !ok { - glog.Error("Expected bool, found %V", value) + neh.log.Info("Expected type bool", "value", value, "type", fmt.Sprintf("%T", value)) return false } return key != typedValue @@ -135,18 +138,18 @@ func (neh NotEqualHandler) validateValuewithIntPattern(key int64, value interfac if typedValue == math.Trunc(typedValue) { return int64(typedValue) != key } - glog.Warningf("Expected int, found float: %f\n", typedValue) + neh.log.Info("Expected type int, found float", "value", typedValue, "type", fmt.Sprintf("%T", typedValue)) return false case string: // extract in64 from string int64Num, err := strconv.ParseInt(typedValue, 10, 64) if err != nil { - glog.Warningf("Failed to parse int64 from string: %v", err) + neh.log.Error(err, "Failed to parse int64 from string") return false } return int64Num != key default: - glog.Warningf("Expected int, %v is of type %T", value, value) + neh.log.Info("Expected type int", "value", value, "type", fmt.Sprintf("%T", value)) return false } } diff --git a/pkg/engine/variables/operator/operator.go b/pkg/engine/variables/operator/operator.go index 2b3f9ce7a1..8dbc6cf0bc 100644 --- a/pkg/engine/variables/operator/operator.go +++ b/pkg/engine/variables/operator/operator.go @@ -1,7 +1,7 @@ package operator import ( - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" ) @@ -17,17 +17,21 @@ type OperatorHandler interface { } //VariableSubstitutionHandler defines the handler function for variable substitution -type VariableSubstitutionHandler = func(ctx context.EvalInterface, pattern interface{}) (interface{}, error) +type VariableSubstitutionHandler = func(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error) //CreateOperatorHandler returns the operator handler based on the operator used in condition -func CreateOperatorHandler(ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler { +func CreateOperatorHandler(log logr.Logger, ctx context.EvalInterface, op kyverno.ConditionOperator, subHandler VariableSubstitutionHandler) OperatorHandler { switch op { case kyverno.Equal: - return NewEqualHandler(ctx, subHandler) + return NewEqualHandler(log, ctx, subHandler) case kyverno.NotEqual: - return NewNotEqualHandler(ctx, subHandler) + return NewNotEqualHandler(log, ctx, subHandler) + case kyverno.Equals: + return NewEqualHandler(log, ctx, subHandler) + case kyverno.NotEquals: + return NewNotEqualHandler(log, ctx, subHandler) default: - glog.Errorf("unsupported operator: %s", string(op)) + log.Info("operator not supported", "operator", string(op)) } return nil } diff --git a/pkg/engine/variables/variables_test.go b/pkg/engine/variables/variables_test.go index 6d2eb7c60c..bb88cc13ac 100644 --- a/pkg/engine/variables/variables_test.go +++ b/pkg/engine/variables/variables_test.go @@ -7,6 +7,7 @@ import ( kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" authenticationv1 "k8s.io/api/authentication/v1" + "sigs.k8s.io/controller-runtime/pkg/log" "github.com/nirmata/kyverno/pkg/engine/context" ) @@ -84,7 +85,7 @@ func Test_variablesub1(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err != nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil { t.Error(err) } resultRaw, err := json.Marshal(patternCopy) @@ -174,7 +175,7 @@ func Test_variablesub_multiple(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err != nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil { t.Error(err) } resultRaw, err := json.Marshal(patternCopy) @@ -261,7 +262,7 @@ func Test_variablesubstitution(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err != nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil { t.Error(err) } resultRaw, err := json.Marshal(patternCopy) @@ -322,7 +323,7 @@ func Test_variableSubstitutionValue(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err != nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil { t.Error(err) } resultRaw, err := json.Marshal(patternCopy) @@ -380,7 +381,7 @@ func Test_variableSubstitutionValueOperatorNotEqual(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err != nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil { t.Error(err) } resultRaw, err := json.Marshal(patternCopy) @@ -439,7 +440,7 @@ func Test_variableSubstitutionValueFail(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err == nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err == nil { t.Log("expected to fails") t.Fail() } @@ -497,7 +498,7 @@ func Test_variableSubstitutionObject(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err != nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil { t.Error(err) } resultRaw, err := json.Marshal(patternCopy) @@ -561,7 +562,7 @@ func Test_variableSubstitutionObjectOperatorNotEqualFail(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err == nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err == nil { t.Error(err) } @@ -620,7 +621,7 @@ func Test_variableSubstitutionMultipleObject(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, patternCopy); err != nil { + if patternCopy, err = SubstituteVars(log.Log, ctx, patternCopy); err != nil { t.Error(err) } resultRaw, err := json.Marshal(patternCopy) diff --git a/pkg/engine/variables/vars.go b/pkg/engine/variables/vars.go index 4c336f2ede..b57bfbfd7b 100644 --- a/pkg/engine/variables/vars.go +++ b/pkg/engine/variables/vars.go @@ -6,162 +6,111 @@ import ( "strconv" "strings" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/context" ) const ( - variableRegex = `\{\{([^{}]*)\}\}` - singleVarRegex = `^\{\{([^{}]*)\}\}$` + variableRegex = `\{\{([^{}]*)\}\}` ) //SubstituteVars replaces the variables with the values defined in the context // - if any variable is invaid or has nil value, it is considered as a failed varable substitution -func SubstituteVars(ctx context.EvalInterface, pattern interface{}) (interface{}, error) { - errs := []error{} - pattern = subVars(ctx, pattern, "", &errs) - if len(errs) == 0 { - // no error while parsing the pattern - return pattern, nil +func SubstituteVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}) (interface{}, error) { + pattern, err := subVars(log, ctx, pattern, "") + if err != nil { + return pattern, err } - return pattern, fmt.Errorf("%v", errs) + return pattern, nil } -func subVars(ctx context.EvalInterface, pattern interface{}, path string, errs *[]error) interface{} { +func subVars(log logr.Logger, ctx context.EvalInterface, pattern interface{}, path string) (interface{}, error) { switch typedPattern := pattern.(type) { case map[string]interface{}: - return subMap(ctx, typedPattern, path, errs) + mapCopy := make(map[string]interface{}) + for k, v := range typedPattern { + mapCopy[k] = v + } + + return subMap(log, ctx, mapCopy, path) case []interface{}: - return subArray(ctx, typedPattern, path, errs) + sliceCopy := make([]interface{}, len(typedPattern)) + copy(sliceCopy, typedPattern) + + return subArray(log, ctx, sliceCopy, path) case string: - return subValR(ctx, typedPattern, path, errs) + return subValR(ctx, typedPattern, path) default: - return pattern + return pattern, nil } } -func subMap(ctx context.EvalInterface, patternMap map[string]interface{}, path string, errs *[]error) map[string]interface{} { +func subMap(log logr.Logger, ctx context.EvalInterface, patternMap map[string]interface{}, path string) (map[string]interface{}, error) { for key, patternElement := range patternMap { curPath := path + "/" + key - value := subVars(ctx, patternElement, curPath, errs) + value, err := subVars(log, ctx, patternElement, curPath) + if err != nil { + return nil, err + } patternMap[key] = value } - return patternMap + return patternMap, nil } -func subArray(ctx context.EvalInterface, patternList []interface{}, path string, errs *[]error) []interface{} { +func subArray(log logr.Logger, ctx context.EvalInterface, patternList []interface{}, path string) ([]interface{}, error) { for idx, patternElement := range patternList { curPath := path + "/" + strconv.Itoa(idx) - value := subVars(ctx, patternElement, curPath, errs) + value, err := subVars(log, ctx, patternElement, curPath) + if err != nil { + return nil, err + } patternList[idx] = value } - return patternList + return patternList, nil +} + +type NotFoundVariableErr struct { + variable string + path string +} + +func (n NotFoundVariableErr) Error() string { + return fmt.Sprintf("could not find variable %v at path %v", n.variable, n.path) } // subValR resolves the variables if defined -func subValR(ctx context.EvalInterface, valuePattern string, path string, errs *[]error) interface{} { +func subValR(ctx context.EvalInterface, valuePattern string, path string) (interface{}, error) { + originalPattern := valuePattern - // variable values can be scalar values(string,int, float) or they can be obects(map,slice) - // - {{variable}} - // there is a single variable resolution so the value can be scalar or object - // - {{variable1--{{variable2}}}}} - // variable2 is evaluted first as an individual variable and can be have scalar or object values - // but resolving the outer variable, {{variable--}} - // if is scalar then it can replaced, but for object types its tricky - // as object cannot be directy replaced, if the object is stringyfied then it loses it structure. - // since this might be a potential place for error, required better error reporting and handling - - // object values are only suported for single variable substitution - if ok, retVal := processIfSingleVariable(ctx, valuePattern, path, errs); ok { - return retVal - } - // var emptyInterface interface{} - var failedVars []string - // process type string + regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`) for { - valueStr := valuePattern - if len(failedVars) != 0 { - glog.Info("some failed variables short-circuiting") + if vars := regex.FindAllString(valuePattern, -1); len(vars) > 0 { + for _, variable := range vars { + underlyingVariable := strings.ReplaceAll(strings.ReplaceAll(variable, "}}", ""), "{{", "") + substitutedVar, err := ctx.Query(underlyingVariable) + if err != nil { + return nil, fmt.Errorf("failed to resolve %v at path %s", underlyingVariable, path) + } + if val, ok := substitutedVar.(string); ok { + valuePattern = strings.Replace(valuePattern, variable, val, -1) + } else { + if substitutedVar != nil { + if originalPattern == variable { + return substitutedVar, nil + } + return nil, fmt.Errorf("failed to resolve %v at path %s", underlyingVariable, path) + } + return nil, NotFoundVariableErr{ + variable: underlyingVariable, + path: path, + } + } + } + } else { break } - // get variables at this level - validRegex := regexp.MustCompile(variableRegex) - groups := validRegex.FindAllStringSubmatch(valueStr, -1) - if len(groups) == 0 { - // there was no match - // not variable defined - break - } - subs := map[string]interface{}{} - for _, group := range groups { - if _, ok := subs[group[0]]; ok { - // value has already been substituted - continue - } - // here we do the querying of the variables from the context - variable, err := ctx.Query(group[1]) - if err != nil { - // error while evaluating - failedVars = append(failedVars, group[1]) - continue - } - // path not found in context and value stored in null/nill - if variable == nil { - failedVars = append(failedVars, group[1]) - continue - } - // get values for each and replace - subs[group[0]] = variable - } - // perform substitutions - newVal := valueStr - for k, v := range subs { - // if value is of type string then cast else consider it as direct replacement - if val, ok := v.(string); ok { - newVal = strings.Replace(newVal, k, val, -1) - continue - } - // if type is not scalar then consider this as a failed variable - glog.Infof("variable %s resolves to non-scalar value %v. Non-Scalar values are not supported for nested variables", k, v) - failedVars = append(failedVars, k) - } - valuePattern = newVal - } - // update errors if any - if len(failedVars) > 0 { - *errs = append(*errs, fmt.Errorf("failed to resolve %v at path %s", failedVars, path)) } - return valuePattern -} - -// processIfSingleVariable will process the evaluation of single variables -// {{variable-{{variable}}}} -> compound/nested variables -// {{variable}}{{variable}} -> multiple variables -// {{variable}} -> single variable -// if the value can be evaluted return the value -// -> return value can be scalar or object type -// -> if the variable is not present in the context then add an error and dont process further -func processIfSingleVariable(ctx context.EvalInterface, valuePattern interface{}, path string, errs *[]error) (bool, interface{}) { - valueStr, ok := valuePattern.(string) - if !ok { - glog.Infof("failed to convert %v to string", valuePattern) - return false, nil - } - // get variables at this level - validRegex := regexp.MustCompile(singleVarRegex) - groups := validRegex.FindAllStringSubmatch(valueStr, -1) - if len(groups) == 0 { - return false, nil - } - // as there will be exactly one variable based on the above regex - group := groups[0] - variable, err := ctx.Query(group[1]) - if err != nil || variable == nil { - *errs = append(*errs, fmt.Errorf("failed to resolve %v at path %s", group[1], path)) - // return the same value pattern, and add un-resolvable variable error - return true, valuePattern - } - return true, variable + return valuePattern, nil } diff --git a/pkg/engine/variables/vars_test.go b/pkg/engine/variables/vars_test.go index 171c62ace4..0e25e269e1 100644 --- a/pkg/engine/variables/vars_test.go +++ b/pkg/engine/variables/vars_test.go @@ -6,6 +6,7 @@ import ( "github.com/nirmata/kyverno/pkg/engine/context" "gotest.tools/assert" + "sigs.k8s.io/controller-runtime/pkg/log" ) func Test_subVars_success(t *testing.T) { @@ -64,7 +65,7 @@ func Test_subVars_success(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, pattern); err != nil { + if _, err := SubstituteVars(log.Log, ctx, pattern); err != nil { t.Error(err) } } @@ -125,7 +126,7 @@ func Test_subVars_failed(t *testing.T) { t.Error(err) } - if _, err := SubstituteVars(ctx, pattern); err == nil { + if _, err := SubstituteVars(log.Log, ctx, pattern); err == nil { t.Error("error is expected") } } @@ -151,6 +152,5 @@ func Test_SubvarRecursive(t *testing.T) { ctx := context.NewContext() assert.Assert(t, ctx.AddResource(resourceRaw)) - errs := []error{} - subValR(ctx, string(patternRaw), "/", &errs) + subValR(ctx, string(patternRaw), "/") } diff --git a/pkg/event/controller.go b/pkg/event/controller.go index aa98d09e42..db39f1d9d6 100644 --- a/pkg/event/controller.go +++ b/pkg/event/controller.go @@ -1,13 +1,12 @@ package event import ( - "time" - - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme" kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" + "github.com/nirmata/kyverno/pkg/constant" client "github.com/nirmata/kyverno/pkg/dclient" v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime" @@ -17,6 +16,7 @@ import ( "k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/record" "k8s.io/client-go/util/workqueue" + "k8s.io/klog" ) //Generator generate events @@ -34,6 +34,7 @@ type Generator struct { admissionCtrRecorder record.EventRecorder // events generated at namespaced policy controller to process 'generate' rule genPolicyRecorder record.EventRecorder + log logr.Logger } //Interface to generate event @@ -42,32 +43,33 @@ type Interface interface { } //NewEventGenerator to generate a new event controller -func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer) *Generator { +func NewEventGenerator(client *client.Client, pInformer kyvernoinformer.ClusterPolicyInformer, log logr.Logger) *Generator { gen := Generator{ client: client, pLister: pInformer.Lister(), queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), eventWorkQueueName), pSynced: pInformer.Informer().HasSynced, - policyCtrRecorder: initRecorder(client, PolicyController), - admissionCtrRecorder: initRecorder(client, AdmissionController), - genPolicyRecorder: initRecorder(client, GeneratePolicyController), + policyCtrRecorder: initRecorder(client, PolicyController, log), + admissionCtrRecorder: initRecorder(client, AdmissionController, log), + genPolicyRecorder: initRecorder(client, GeneratePolicyController, log), + log: log, } return &gen } -func initRecorder(client *client.Client, eventSource Source) record.EventRecorder { +func initRecorder(client *client.Client, eventSource Source, log logr.Logger) record.EventRecorder { // Initliaze Event Broadcaster err := scheme.AddToScheme(scheme.Scheme) if err != nil { - glog.Error(err) + log.Error(err, "failed to add to scheme") return nil } eventBroadcaster := record.NewBroadcaster() - eventBroadcaster.StartLogging(glog.V(4).Infof) + eventBroadcaster.StartLogging(klog.V(5).Infof) eventInterface, err := client.GetEventsInterface() if err != nil { - glog.Error(err) // TODO: add more specific error + log.Error(err, "failed to get event interface for logging") return nil } eventBroadcaster.StartRecordingToSink( @@ -81,11 +83,12 @@ func initRecorder(client *client.Client, eventSource Source) record.EventRecorde //Add queues an event for generation func (gen *Generator) Add(infos ...Info) { + logger := gen.log for _, info := range infos { if info.Name == "" { // dont create event for resources with generateName // as the name is not generated yet - glog.V(4).Infof("received info %v, not creating an event as the resource has not been assigned a name yet", info) + logger.V(4).Info("not creating an event as the resource has not been assigned a name yet", "kind", info.Kind, "name", info.Name, "namespace", info.Namespace) continue } gen.queue.Add(info) @@ -94,16 +97,18 @@ func (gen *Generator) Add(infos ...Info) { // Run begins generator func (gen *Generator) Run(workers int, stopCh <-chan struct{}) { + logger := gen.log defer utilruntime.HandleCrash() - glog.Info("Starting event generator") - defer glog.Info("Shutting down event generator") + + logger.Info("start") + defer logger.Info("shutting down") if !cache.WaitForCacheSync(stopCh, gen.pSynced) { - glog.Error("event generator: failed to sync informer cache") + logger.Info("failed to sync informer cache") } for i := 0; i < workers; i++ { - go wait.Until(gen.runWorker, time.Second, stopCh) + go wait.Until(gen.runWorker, constant.EventControllerResync, stopCh) } <-stopCh } @@ -114,24 +119,25 @@ func (gen *Generator) runWorker() { } func (gen *Generator) handleErr(err error, key interface{}) { + logger := gen.log if err == nil { gen.queue.Forget(key) return } // This controller retries if something goes wrong. After that, it stops trying. if gen.queue.NumRequeues(key) < workQueueRetryLimit { - glog.Warningf("Error syncing events %v(re-queuing request, the resource might not have been created yet): %v", key, err) + logger.Error(err, "Error syncing events;re-queuing request,the resource might not have been created yet", "key", key) // Re-enqueue the key rate limited. Based on the rate limiter on the // queue and the re-enqueue history, the key will be processed later again. gen.queue.AddRateLimited(key) return } gen.queue.Forget(key) - glog.Error(err) - glog.Warningf("Dropping the key out of the queue: %v", err) + logger.Error(err, "dropping the key out of queue", "key", key) } func (gen *Generator) processNextWorkItem() bool { + logger := gen.log obj, shutdown := gen.queue.Get() if shutdown { return false @@ -144,7 +150,7 @@ func (gen *Generator) processNextWorkItem() bool { if key, ok = obj.(Info); !ok { gen.queue.Forget(obj) - glog.Warningf("Expecting type info by got %v\n", obj) + logger.Info("Incorrect type; expected type 'info'", "obj", obj) return nil } err := gen.syncHandler(key) @@ -152,13 +158,14 @@ func (gen *Generator) processNextWorkItem() bool { return nil }(obj) if err != nil { - glog.Error(err) + logger.Error(err, "failed to process next work item") return true } return true } func (gen *Generator) syncHandler(key Info) error { + logger := gen.log var robj runtime.Object var err error switch key.Kind { @@ -166,13 +173,13 @@ func (gen *Generator) syncHandler(key Info) error { //TODO: policy is clustered resource so wont need namespace robj, err = gen.pLister.Get(key.Name) if err != nil { - glog.V(4).Infof("Error creating event: unable to get policy %s, will retry ", key.Name) + logger.Error(err, "failed to get policy", "name", key.Name) return err } default: robj, err = gen.client.GetResource(key.Kind, key.Namespace, key.Name) if err != nil { - glog.V(4).Infof("Error creating event: unable to get resource %s/%s/%s, will retry ", key.Kind, key.Namespace, key.Name) + logger.Error(err, "failed to get resource", "kind", key.Kind, "name", key.Name, "namespace", key.Namespace) return err } } @@ -192,13 +199,14 @@ func (gen *Generator) syncHandler(key Info) error { case GeneratePolicyController: gen.genPolicyRecorder.Event(robj, eventType, key.Reason, key.Message) default: - glog.Info("info.source not defined for the event generator request") + logger.Info("info.source not defined for the request") } return nil } //NewEvent builds a event creation request func NewEvent( + log logr.Logger, rkind, rapiVersion, rnamespace, @@ -209,7 +217,7 @@ func NewEvent( args ...interface{}) Info { msgText, err := getEventMsg(message, args...) if err != nil { - glog.Error(err) + log.Error(err, "failed to get event message") } return Info{ Kind: rkind, diff --git a/pkg/generate/cleanup/cleanup.go b/pkg/generate/cleanup/cleanup.go index d25fddd44e..de1758aeba 100644 --- a/pkg/generate/cleanup/cleanup.go +++ b/pkg/generate/cleanup/cleanup.go @@ -1,19 +1,20 @@ package cleanup import ( - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" dclient "github.com/nirmata/kyverno/pkg/dclient" apierrors "k8s.io/apimachinery/pkg/api/errors" ) func (c *Controller) processGR(gr kyverno.GenerateRequest) error { + logger := c.log.WithValues("kind", gr.Kind, "namespace", gr.Namespace, "name", gr.Name) // 1- Corresponding policy has been deleted // then we dont delete the generated resources // 2- The trigger resource is deleted, then delete the generated resources - if !ownerResourceExists(c.client, gr) { - if err := deleteGeneratedResources(c.client, gr); err != nil { + if !ownerResourceExists(logger, c.client, gr) { + if err := deleteGeneratedResources(logger, c.client, gr); err != nil { return err } // - trigger-resource is deleted @@ -24,25 +25,25 @@ func (c *Controller) processGR(gr kyverno.GenerateRequest) error { return nil } -func ownerResourceExists(client *dclient.Client, gr kyverno.GenerateRequest) bool { +func ownerResourceExists(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) bool { _, err := client.GetResource(gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name) // trigger resources has been deleted if apierrors.IsNotFound(err) { return false } if err != nil { - glog.V(4).Infof("Failed to get resource %s/%s/%s: error : %s", gr.Spec.Resource.Kind, gr.Spec.Resource.Namespace, gr.Spec.Resource.Name, err) + log.Error(err, "failed to get resource", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name) } // if there was an error while querying the resources we dont delete the generated resources // but expect the deletion in next reconciliation loop return true } -func deleteGeneratedResources(client *dclient.Client, gr kyverno.GenerateRequest) error { +func deleteGeneratedResources(log logr.Logger, client *dclient.Client, gr kyverno.GenerateRequest) error { for _, genResource := range gr.Status.GeneratedResources { err := client.DeleteResource(genResource.Kind, genResource.Namespace, genResource.Name, false) if apierrors.IsNotFound(err) { - glog.V(4).Infof("resource %s/%s/%s not found, will no delete", genResource.Kind, genResource.Namespace, genResource.Name) + log.Error(err, "resource not foundl will not delete", "genKind", gr.Spec.Resource.Kind, "genNamespace", gr.Spec.Resource.Namespace, "genName", gr.Spec.Resource.Name) continue } if err != nil { diff --git a/pkg/generate/cleanup/controller.go b/pkg/generate/cleanup/controller.go index 396058a346..a232dd4813 100644 --- a/pkg/generate/cleanup/controller.go +++ b/pkg/generate/cleanup/controller.go @@ -1,15 +1,14 @@ package cleanup import ( - "fmt" "time" - "github.com/golang/glog" - + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" + "github.com/nirmata/kyverno/pkg/constant" dclient "github.com/nirmata/kyverno/pkg/dclient" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -53,6 +52,7 @@ type Controller struct { //TODO: list of generic informers // only support Namespaces for deletion of resource nsInformer informers.GenericInformer + log logr.Logger } //NewController returns a new controller instance to manage generate-requests @@ -62,6 +62,7 @@ func NewController( pInformer kyvernoinformer.ClusterPolicyInformer, grInformer kyvernoinformer.GenerateRequestInformer, dynamicInformer dynamicinformer.DynamicSharedInformerFactory, + log logr.Logger, ) *Controller { c := Controller{ kyvernoClient: kyvernoclient, @@ -70,6 +71,7 @@ func NewController( // as we dont want a deleted GR to be re-queue queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request-cleanup"), dynamicInformer: dynamicInformer, + log: log, } c.control = Control{client: kyvernoclient} c.enqueueGR = c.enqueue @@ -102,10 +104,11 @@ func NewController( } func (c *Controller) deleteGenericResource(obj interface{}) { + logger := c.log r := obj.(*unstructured.Unstructured) grs, err := c.grLister.GetGenerateRequestsForResource(r.GetKind(), r.GetNamespace(), r.GetName()) if err != nil { - glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", r.GetKind(), r.GetNamespace(), r.GetName(), err) + logger.Error(err, "failed to get generate request CR for resource", "kind", r.GetKind(), "namespace", r.GetNamespace(), "name", r.GetName()) return } // re-evaluate the GR as the resource was deleted @@ -115,26 +118,27 @@ func (c *Controller) deleteGenericResource(obj interface{}) { } func (c *Controller) deletePolicy(obj interface{}) { + logger := c.log p, ok := obj.(*kyverno.ClusterPolicy) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { - glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj)) + logger.Info("ouldn't get object from tombstone", "obj", obj) return } _, ok = tombstone.Obj.(*kyverno.ClusterPolicy) if !ok { - glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj)) + logger.Info("Tombstone contained object that is not a Generate Request", "obj", obj) return } } - glog.V(4).Infof("Deleting Policy %s", p.Name) + logger.V(4).Info("deleting policy", "name", p.Name) // clean up the GR // Get the corresponding GR // get the list of GR for the current Policy version grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(p.Name) if err != nil { - glog.Errorf("failed to Generate Requests for policy %s: %v", p.Name, err) + logger.Error(err, "failed to generate request CR for the policy", "name", p.Name) return } for _, gr := range grs { @@ -153,48 +157,50 @@ func (c *Controller) updateGR(old, cur interface{}) { } func (c *Controller) deleteGR(obj interface{}) { + logger := c.log gr, ok := obj.(*kyverno.GenerateRequest) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { - glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj)) + logger.Info("Couldn't get object from tombstone", "obj", obj) return } _, ok = tombstone.Obj.(*kyverno.GenerateRequest) if !ok { - glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj)) + logger.Info("ombstone contained object that is not a Generate Request", "obj", obj) return } } - glog.V(4).Infof("Deleting GR %s", gr.Name) + logger.V(4).Info("deleting Generate Request CR", "name", gr.Name) // sync Handler will remove it from the queue c.enqueueGR(gr) } func (c *Controller) enqueue(gr *kyverno.GenerateRequest) { + logger := c.log key, err := cache.MetaNamespaceKeyFunc(gr) if err != nil { - glog.Error(err) + logger.Error(err, "failed to extract key") return } - glog.V(4).Infof("cleanup enqueu: %v", gr.Name) + logger.V(4).Info("eneque generate request", "name", gr.Name) c.queue.Add(key) } //Run starts the generate-request re-conciliation loop func (c *Controller) Run(workers int, stopCh <-chan struct{}) { + logger := c.log defer utilruntime.HandleCrash() defer c.queue.ShutDown() - - glog.Info("Starting generate-policy-cleanup controller") - defer glog.Info("Shutting down generate-policy-cleanup controller") + logger.Info("starting") + defer logger.Info("shutting down") if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) { - glog.Error("generate-policy-cleanup controller: failed to sync informer cache") + logger.Info("failed to sync informer cache") return } for i := 0; i < workers; i++ { - go wait.Until(c.worker, time.Second, stopCh) + go wait.Until(c.worker, constant.GenerateRequestControllerResync, stopCh) } <-stopCh } @@ -219,31 +225,33 @@ func (c *Controller) processNextWorkItem() bool { } func (c *Controller) handleErr(err error, key interface{}) { + logger := c.log if err == nil { c.queue.Forget(key) return } if c.queue.NumRequeues(key) < maxRetries { - glog.Errorf("Error syncing Generate Request %v: %v", key, err) + logger.Error(err, "failed to sync generate request", "key", key) c.queue.AddRateLimited(key) return } utilruntime.HandleError(err) - glog.Infof("Dropping generate request %q out of the queue: %v", key, err) + logger.Error(err, "dropping generate request out of the queue", "key", key) c.queue.Forget(key) } func (c *Controller) syncGenerateRequest(key string) error { + logger := c.log.WithValues("key", key) var err error startTime := time.Now() - glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime) + logger.Info("started syncing generate request", "startTime", startTime) defer func() { - glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime)) + logger.V(4).Info("finished syncying generate request", "processingTIme", time.Since(startTime)) }() _, grName, err := cache.SplitMetaNamespaceKey(key) if errors.IsNotFound(err) { - glog.Infof("Generate Request %s has been deleted", key) + logger.Info("generate request has been deleted") return nil } if err != nil { diff --git a/pkg/generate/controller.go b/pkg/generate/controller.go index d40ed2af0d..a03dfe2734 100644 --- a/pkg/generate/controller.go +++ b/pkg/generate/controller.go @@ -1,14 +1,14 @@ package generate import ( - "fmt" "time" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" + "github.com/nirmata/kyverno/pkg/constant" dclient "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/event" "github.com/nirmata/kyverno/pkg/policystatus" @@ -57,9 +57,9 @@ type Controller struct { dynamicInformer dynamicinformer.DynamicSharedInformerFactory //TODO: list of generic informers // only support Namespaces for re-evalutation on resource updates - nsInformer informers.GenericInformer - + nsInformer informers.GenericInformer policyStatusListener policystatus.Listener + log logr.Logger } //NewController returns an instance of the Generate-Request Controller @@ -72,6 +72,7 @@ func NewController( pvGenerator policyviolation.GeneratorInterface, dynamicInformer dynamicinformer.DynamicSharedInformerFactory, policyStatus policystatus.Listener, + log logr.Logger, ) *Controller { c := Controller{ client: client, @@ -82,6 +83,7 @@ func NewController( // as we dont want a deleted GR to be re-queue queue: workqueue.NewNamedRateLimitingQueue(workqueue.NewItemExponentialFailureRateLimiter(1, 30), "generate-request"), dynamicInformer: dynamicInformer, + log: log, policyStatusListener: policyStatus, } c.statusControl = StatusControl{client: kyvernoclient} @@ -117,11 +119,12 @@ func NewController( } func (c *Controller) updateGenericResource(old, cur interface{}) { + logger := c.log curR := cur.(*unstructured.Unstructured) grs, err := c.grLister.GetGenerateRequestsForResource(curR.GetKind(), curR.GetNamespace(), curR.GetName()) if err != nil { - glog.Errorf("failed to Generate Requests for resource %s/%s/%s: %v", curR.GetKind(), curR.GetNamespace(), curR.GetName(), err) + logger.Error(err, "failed to get generate request CR for the resoource", "kind", curR.GetKind(), "name", curR.GetName(), "namespace", curR.GetNamespace()) return } // re-evaluate the GR as the resource was updated @@ -134,13 +137,14 @@ func (c *Controller) updateGenericResource(old, cur interface{}) { func (c *Controller) enqueue(gr *kyverno.GenerateRequest) { key, err := cache.MetaNamespaceKeyFunc(gr) if err != nil { - glog.Error(err) + c.log.Error(err, "failed to extract name") return } c.queue.Add(key) } func (c *Controller) updatePolicy(old, cur interface{}) { + logger := c.log oldP := old.(*kyverno.ClusterPolicy) curP := cur.(*kyverno.ClusterPolicy) if oldP.ResourceVersion == curP.ResourceVersion { @@ -148,11 +152,11 @@ func (c *Controller) updatePolicy(old, cur interface{}) { // Two different versions of the same replica set will always have different RVs. return } - glog.V(4).Infof("Updating Policy %s", oldP.Name) + logger.V(4).Info("updating policy", "name", oldP.Name) // get the list of GR for the current Policy version grs, err := c.grLister.GetGenerateRequestsForClusterPolicy(curP.Name) if err != nil { - glog.Errorf("failed to Generate Requests for policy %s: %v", curP.Name, err) + logger.Error(err, "failed to generate request for policy", "name", curP.Name) return } // re-evaluate the GR as the policy was updated @@ -183,38 +187,40 @@ func (c *Controller) updateGR(old, cur interface{}) { } func (c *Controller) deleteGR(obj interface{}) { + logger := c.log gr, ok := obj.(*kyverno.GenerateRequest) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { - glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj)) + logger.Info("Couldn't get object from tombstone", "obj", obj) return } _, ok = tombstone.Obj.(*kyverno.GenerateRequest) if !ok { - glog.Info(fmt.Errorf("Tombstone contained object that is not a Generate Request %#v", obj)) + logger.Info("tombstone contained object that is not a Generate Request CR", "obj", obj) return } } - glog.V(4).Infof("Deleting GR %s", gr.Name) + logger.Info("deleting generate request", "name", gr.Name) // sync Handler will remove it from the queue c.enqueueGR(gr) } //Run ... func (c *Controller) Run(workers int, stopCh <-chan struct{}) { + logger := c.log defer utilruntime.HandleCrash() defer c.queue.ShutDown() - glog.Info("Starting generate-policy controller") - defer glog.Info("Shutting down generate-policy controller") + logger.Info("starting") + defer logger.Info("shutting down") if !cache.WaitForCacheSync(stopCh, c.pSynced, c.grSynced) { - glog.Error("generate-policy controller: failed to sync informer cache") + logger.Info("failed to sync informer cache") return } for i := 0; i < workers; i++ { - go wait.Until(c.worker, time.Second, stopCh) + go wait.Until(c.worker, constant.GenerateControllerResync, stopCh) } <-stopCh } @@ -239,27 +245,29 @@ func (c *Controller) processNextWorkItem() bool { } func (c *Controller) handleErr(err error, key interface{}) { + logger := c.log if err == nil { c.queue.Forget(key) return } if c.queue.NumRequeues(key) < maxRetries { - glog.Errorf("Error syncing Generate Request %v: %v", key, err) + logger.Error(err, "failed to sync generate request", "key", key) c.queue.AddRateLimited(key) return } utilruntime.HandleError(err) - glog.Infof("Dropping generate request %q out of the queue: %v", key, err) + logger.Error(err, "Dropping generate request from the queue", "key", key) c.queue.Forget(key) } func (c *Controller) syncGenerateRequest(key string) error { + logger := c.log var err error startTime := time.Now() - glog.V(4).Infof("Started syncing GR %q (%v)", key, startTime) + logger.Info("started sync", "key", key, "startTime", startTime) defer func() { - glog.V(4).Infof("Finished syncing GR %q (%v)", key, time.Since(startTime)) + logger.V(4).Info("finished sync", "key", key, "processingTime", time.Since(startTime)) }() _, grName, err := cache.SplitMetaNamespaceKey(key) if err != nil { @@ -268,7 +276,7 @@ func (c *Controller) syncGenerateRequest(key string) error { gr, err := c.grLister.Get(grName) if err != nil { - glog.V(4).Info(err) + logger.Error(err, "failed to list generate requests") return err } return c.processGR(gr) diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go index bff1dbbca6..5182b126f7 100644 --- a/pkg/generate/generate.go +++ b/pkg/generate/generate.go @@ -3,9 +3,10 @@ package generate import ( "encoding/json" "fmt" + "reflect" "time" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" dclient "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/engine" @@ -17,6 +18,7 @@ import ( ) func (c *Controller) processGR(gr *kyverno.GenerateRequest) error { + logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name) var err error var resource *unstructured.Unstructured var genResources []kyverno.ResourceSpec @@ -24,45 +26,46 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error { resource, err = getResource(c.client, gr.Spec.Resource) if err != nil { // Dont update status - glog.V(4).Infof("resource does not exist or is yet to be created, requeuing: %v", err) + logger.Error(err, "resource does not exist or is yet to be created, requeueing") return err } // 2 - Apply the generate policy on the resource genResources, err = c.applyGenerate(*resource, *gr) // 3 - Report Events - reportEvents(err, c.eventGen, *gr, *resource) + reportEvents(logger, err, c.eventGen, *gr, *resource) // 4 - Update Status return updateStatus(c.statusControl, *gr, err, genResources) } func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) { + logger := c.log.WithValues("name", gr.Name, "policy", gr.Spec.Policy, "kind", gr.Spec.Resource.Kind, "namespace", gr.Spec.Resource.Namespace, "name", gr.Spec.Resource.Name) // Get the list of rules to be applied // get policy policy, err := c.pLister.Get(gr.Spec.Policy) if err != nil { - glog.V(4).Infof("policy %s not found: %v", gr.Spec.Policy, err) + logger.Error(err, "policy not found") return nil, nil } // build context ctx := context.NewContext() resourceRaw, err := resource.MarshalJSON() if err != nil { - glog.V(4).Infof("failed to marshal resource: %v", err) + logger.Error(err, "failed to marshal resource") return nil, err } err = ctx.AddResource(resourceRaw) if err != nil { - glog.Infof("Failed to load resource in context: %v", err) + logger.Error(err, "failed to load resource in context") return nil, err } err = ctx.AddUserInfo(gr.Spec.Context.UserRequestInfo) if err != nil { - glog.Infof("Failed to load userInfo in context: %v", err) + logger.Error(err, "failed to load SA in context") return nil, err } err = ctx.AddSA(gr.Spec.Context.UserRequestInfo.AdmissionUserInfo.Username) if err != nil { - glog.Infof("Failed to load serviceAccount in context: %v", err) + logger.Error(err, "failed to load UserInfo in context") return nil, err } @@ -76,12 +79,12 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern // check if the policy still applies to the resource engineResponse := engine.Generate(policyContext) if len(engineResponse.PolicyResponse.Rules) == 0 { - glog.V(4).Infof("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource) + logger.V(4).Info("policy does not apply to resource") return nil, fmt.Errorf("policy %s, dont not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource) } // Apply the generate rule on resource - return c.applyGeneratePolicy(policyContext, gr) + return c.applyGeneratePolicy(logger, policyContext, gr) } func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateRequest, err error, genResources []kyverno.ResourceSpec) error { @@ -93,7 +96,7 @@ func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateReque return statusControl.Success(gr, genResources) } -func (c *Controller) applyGeneratePolicy(policyContext engine.PolicyContext, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) { +func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.PolicyContext, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) { // List of generatedResources var genResources []kyverno.ResourceSpec // Get the response as the actions to be performed on the resource @@ -113,9 +116,8 @@ func (c *Controller) applyGeneratePolicy(policyContext engine.PolicyContext, gr if !rule.HasGenerate() { continue } - startTime := time.Now() - genResource, err := applyRule(c.client, rule, resource, ctx, processExisting) + genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting) if err != nil { return nil, err } @@ -172,7 +174,7 @@ func updateGenerateExecutionTime(newTime time.Duration, oldAverageTimeString str return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond } -func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) { +func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) { var rdata map[string]interface{} var err error var mode ResourceMode @@ -187,9 +189,12 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured. // format : {{ results in error and rule is not applied // - valid variables are replaced with the values - if _, err := variables.SubstituteVars(ctx, genUnst.Object); err != nil { + object, err := variables.SubstituteVars(log, ctx, genUnst.Object) + if err != nil { return noGenResource, err } + genUnst.Object, _ = object.(map[string]interface{}) + genKind, _, err := unstructured.NestedString(genUnst.Object, "kind") if err != nil { return noGenResource, err @@ -219,9 +224,9 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured. } if genData != nil { - rdata, mode, err = manageData(genKind, genNamespace, genName, genData, client, resource) + rdata, mode, err = manageData(log, genKind, genNamespace, genName, genData, client, resource) } else { - rdata, mode, err = manageClone(genKind, genNamespace, genName, genCopy, client, resource) + rdata, mode, err = manageClone(log, genKind, genNamespace, genName, genCopy, client, resource) } if err != nil { return noGenResource, err @@ -236,6 +241,7 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured. // policy was generated after the resource // we do not create new resource return noGenResource, err + } // build the resource template @@ -243,43 +249,51 @@ func applyRule(client *dclient.Client, rule kyverno.Rule, resource unstructured. newResource.SetUnstructuredContent(rdata) newResource.SetName(genName) newResource.SetNamespace(genNamespace) + if newResource.GetKind() == "" { + newResource.SetKind(genKind) + } // manage labels // - app.kubernetes.io/managed-by: kyverno // - kyverno.io/generated-by: kind/namespace/name (trigger resource) manageLabels(newResource, resource) - + logger := log.WithValues("genKind", genKind, "genNamespace", genNamespace, "genName", genName) if mode == Create { // Reset resource version newResource.SetResourceVersion("") // Create the resource - glog.V(4).Infof("Creating new resource %s/%s/%s", genKind, genNamespace, genName) + logger.V(4).Info("creating new resource") _, err = client.CreateResource(genKind, genNamespace, newResource, false) if err != nil { // Failed to create resource return noGenResource, err } - glog.V(4).Infof("Created new resource %s/%s/%s", genKind, genNamespace, genName) + logger.V(4).Info("created new resource") } else if mode == Update { - glog.V(4).Infof("Updating existing resource %s/%s/%s", genKind, genNamespace, genName) - // Update the resource - _, err := client.UpdateResource(genKind, genNamespace, newResource, false) - if err != nil { - // Failed to update resource - return noGenResource, err + if rule.Generation.Synchronize { + logger.V(4).Info("updating existing resource") + // Update the resource + _, err := client.UpdateResource(genKind, genNamespace, newResource, false) + if err != nil { + // Failed to update resource + return noGenResource, err + } + logger.V(4).Info("updated new resource") + + } else { + logger.V(4).Info("Synchronize resource is disabled") } - glog.V(4).Infof("Updated existing resource %s/%s/%s", genKind, genNamespace, genName) } return newGenResource, nil } -func manageData(kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) { +func manageData(log logr.Logger, kind, namespace, name string, data map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) { // check if resource to be generated exists obj, err := client.GetResource(kind, namespace, name) if apierrors.IsNotFound(err) { - glog.V(4).Infof("Resource %s/%s/%s does not exists, will try to create", kind, namespace, name) + log.Error(err, "resource does not exist, will try to create", "genKind", kind, "genNamespace", namespace, "genName", name) return data, Create, nil } if err != nil { @@ -288,30 +302,17 @@ func manageData(kind, namespace, name string, data map[string]interface{}, clien return nil, Skip, err } // Resource exists; verfiy the content of the resource - err = checkResource(data, obj) + err = checkResource(log, data, obj) if err == nil { // Existing resource does contain the mentioned configuration in spec, skip processing the resource as it is already in expected state return nil, Skip, nil } - - glog.V(4).Infof("Resource %s/%s/%s exists but missing required configuration, will try to update", kind, namespace, name) + log.Info("to be generated resoruce already exists, but is missing the specifeid configurations, will try to update", "genKind", kind, "genNamespace", namespace, "genName", name) return data, Update, nil } -func manageClone(kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) { - // check if resource to be generated exists - _, err := client.GetResource(kind, namespace, name) - if err == nil { - // resource does exists, not need to process further as it is already in expected state - return nil, Skip, nil - } - //TODO: check this - if !apierrors.IsNotFound(err) { - //something wrong while fetching resource - return nil, Skip, err - } - +func manageClone(log logr.Logger, kind, namespace, name string, clone map[string]interface{}, client *dclient.Client, resource unstructured.Unstructured) (map[string]interface{}, ResourceMode, error) { newRNs, _, err := unstructured.NestedString(clone, "namespace") if err != nil { return nil, Skip, err @@ -326,12 +327,33 @@ func manageClone(kind, namespace, name string, clone map[string]interface{}, cli return nil, Skip, nil } - glog.V(4).Infof("check if resource %s/%s/%s exists", kind, newRNs, newRName) // check if the resource as reference in clone exists? obj, err := client.GetResource(kind, newRNs, newRName) if err != nil { return nil, Skip, fmt.Errorf("reference clone resource %s/%s/%s not found. %v", kind, newRNs, newRName, err) } + + // check if resource to be generated exists + newResource, err := client.GetResource(kind, namespace, name) + if err == nil { + obj.SetUID(newResource.GetUID()) + obj.SetSelfLink(newResource.GetSelfLink()) + obj.SetCreationTimestamp(newResource.GetCreationTimestamp()) + obj.SetManagedFields(newResource.GetManagedFields()) + obj.SetResourceVersion(newResource.GetResourceVersion()) + if reflect.DeepEqual(obj, newResource) { + return nil, Skip, nil + } + return obj.UnstructuredContent(), Update, nil + } + + //TODO: check this + if !apierrors.IsNotFound(err) { + log.Error(err, "reference/clone resource is not found", "genKind", kind, "genNamespace", namespace, "genName", name) + //something wrong while fetching resource + return nil, Skip, err + } + // create the resource based on the reference clone return obj.UnstructuredContent(), Create, nil @@ -349,10 +371,10 @@ const ( Update = "UPDATE" ) -func checkResource(newResourceSpec interface{}, resource *unstructured.Unstructured) error { +func checkResource(log logr.Logger, newResourceSpec interface{}, resource *unstructured.Unstructured) error { // check if the resource spec if a subset of the resource - if path, err := validate.ValidateResourceWithPattern(resource.Object, newResourceSpec); err != nil { - glog.V(4).Infof("Failed to match the resource at path %s: err %v", path, err) + if path, err := validate.ValidateResourceWithPattern(log, resource.Object, newResourceSpec); err != nil { + log.Error(err, "Failed to match the resource ", "path", path) return err } return nil diff --git a/pkg/generate/labels.go b/pkg/generate/labels.go index 282caf55fa..c7d67b5a55 100644 --- a/pkg/generate/labels.go +++ b/pkg/generate/labels.go @@ -3,8 +3,8 @@ package generate import ( "fmt" - "github.com/golang/glog" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" ) func manageLabels(unstr *unstructured.Unstructured, triggerResource unstructured.Unstructured) { @@ -30,7 +30,7 @@ func managedBy(labels map[string]string) { val, ok := labels[key] if ok { if val != value { - glog.Infof("resource managed by %s, kyverno wont over-ride the label", val) + log.Log.Info(fmt.Sprintf("resource managed by %s, kyverno wont over-ride the label", val)) return } } @@ -46,7 +46,7 @@ func generatedBy(labels map[string]string, triggerResource unstructured.Unstruct val, ok := labels[key] if ok { if val != value { - glog.Infof("resource generated by %s, kyverno wont over-ride the label", val) + log.Log.Info(fmt.Sprintf("resource generated by %s, kyverno wont over-ride the label", val)) return } } diff --git a/pkg/generate/policyStatus_test.go b/pkg/generate/policyStatus_test.go index b0fa04b591..b465a8547b 100644 --- a/pkg/generate/policyStatus_test.go +++ b/pkg/generate/policyStatus_test.go @@ -15,7 +15,7 @@ func Test_Stats(t *testing.T) { expectedOutput []byte existingStatus map[string]v1.PolicyStatus }{ - expectedOutput: []byte(`{"policy1":{"averageExecutionTime":"","resourcesGeneratedCount":2,"ruleStatus":[{"ruleName":"rule1","averageExecutionTime":"23ns","resourcesGeneratedCount":1},{"ruleName":"rule2","averageExecutionTime":"44ns","resourcesGeneratedCount":1},{"ruleName":"rule3"}]}}`), + expectedOutput: []byte(`{"policy1":{"resourcesGeneratedCount":2,"ruleStatus":[{"ruleName":"rule1","averageExecutionTime":"23ns","resourcesGeneratedCount":1},{"ruleName":"rule2","averageExecutionTime":"44ns","resourcesGeneratedCount":1},{"ruleName":"rule3"}]}}`), generatedSyncStats: []generateSyncStats{ { policyName: "policy1", diff --git a/pkg/generate/report.go b/pkg/generate/report.go index eaa5939e41..f9d24fcc10 100644 --- a/pkg/generate/report.go +++ b/pkg/generate/report.go @@ -3,13 +3,13 @@ package generate import ( "fmt" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/event" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) -func reportEvents(err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) { +func reportEvents(log logr.Logger, err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) { if err == nil { // Success Events // - resource -> policy rule applied successfully @@ -18,7 +18,6 @@ func reportEvents(err error, eventGen event.Interface, gr kyverno.GenerateReques eventGen.Add(events...) return } - glog.V(4).Infof("reporing events for %v", err) events := failedEvents(err, gr, resource) eventGen.Add(events...) } diff --git a/pkg/generate/status.go b/pkg/generate/status.go index 70d9539053..db0182f89a 100644 --- a/pkg/generate/status.go +++ b/pkg/generate/status.go @@ -1,9 +1,9 @@ package generate import ( - "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" + "sigs.k8s.io/controller-runtime/pkg/log" ) //StatusControlInterface provides interface to update status subresource @@ -25,10 +25,10 @@ func (sc StatusControl) Failed(gr kyverno.GenerateRequest, message string, genRe gr.Status.GeneratedResources = genResources _, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr) if err != nil { - glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Failed)) + log.Log.Error(err, "failed to update generate request status", "name", gr.Name) return err } - glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Failed)) + log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Failed)) return nil } @@ -41,9 +41,9 @@ func (sc StatusControl) Success(gr kyverno.GenerateRequest, genResources []kyver _, err := sc.client.KyvernoV1().GenerateRequests("kyverno").UpdateStatus(&gr) if err != nil { - glog.V(4).Infof("FAILED: updated gr %s status to %s", gr.Name, string(kyverno.Completed)) + log.Log.Error(err, "failed to update generate request status", "name", gr.Name) return err } - glog.V(4).Infof("updated gr %s status to %s", gr.Name, string(kyverno.Completed)) + log.Log.Info("updated generate request status", "name", gr.Name, "status", string(kyverno.Completed)) return nil } diff --git a/pkg/kyverno/apply/command.go b/pkg/kyverno/apply/command.go index dd00f94ef7..ebd66124f2 100644 --- a/pkg/kyverno/apply/command.go +++ b/pkg/kyverno/apply/command.go @@ -2,23 +2,24 @@ package apply import ( "encoding/json" + "errors" "fmt" "io/ioutil" "os" - "path/filepath" + "regexp" + "time" + client "github.com/nirmata/kyverno/pkg/dclient" + + "github.com/nirmata/kyverno/pkg/utils" + + "github.com/nirmata/kyverno/pkg/kyverno/common" "github.com/nirmata/kyverno/pkg/kyverno/sanitizedError" policy2 "github.com/nirmata/kyverno/pkg/policy" - "github.com/golang/glog" - "k8s.io/apimachinery/pkg/runtime/schema" - "k8s.io/client-go/discovery" - - "k8s.io/apimachinery/pkg/util/yaml" - "github.com/nirmata/kyverno/pkg/engine" engineutils "github.com/nirmata/kyverno/pkg/engine/utils" @@ -32,6 +33,7 @@ import ( yamlv2 "gopkg.in/yaml.v2" "k8s.io/cli-runtime/pkg/genericclioptions" "k8s.io/client-go/kubernetes/scheme" + log "sigs.k8s.io/controller-runtime/pkg/log" ) func Command() *cobra.Command { @@ -49,54 +51,58 @@ func Command() *cobra.Command { defer func() { if err != nil { if !sanitizedError.IsErrorSanitized(err) { - glog.V(4).Info(err) + log.Log.Error(err, "failed to sanitize") err = fmt.Errorf("Internal error") } } }() if len(resourcePaths) == 0 && !cluster { - return sanitizedError.New(fmt.Sprintf("Specify path to resource file or cluster name")) + return sanitizedError.NewWithError(fmt.Sprintf("resource file or cluster required"), err) } - policies, err := getPolicies(policyPaths) + policies, openAPIController, err := common.GetPoliciesValidation(policyPaths) if err != nil { - if !sanitizedError.IsErrorSanitized(err) { - return sanitizedError.New("Could not parse policy paths") - } else { - return err - } + return err } for _, policy := range policies { - err := policy2.Validate(*policy) + err := policy2.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController) if err != nil { - return sanitizedError.New(fmt.Sprintf("Policy %v is not valid", policy.Name)) + fmt.Printf("Policy %v is not valid\n", policy.Name) + os.Exit(3) + } + if policyHasVariables(*policy) { + return sanitizedError.NewWithError(fmt.Sprintf("invalid policy %s. 'apply' does not support policies with variables", policy.Name), err) } } - var dClient discovery.CachedDiscoveryInterface + var dClient *client.Client if cluster { - dClient, err = kubernetesConfig.ToDiscoveryClient() + restConfig, err := kubernetesConfig.ToRESTConfig() if err != nil { - return sanitizedError.New(fmt.Errorf("Issues with kubernetes Config").Error()) + return err + } + dClient, err = client.NewClient(restConfig, 5*time.Minute, make(chan struct{}), log.Log) + if err != nil { + return err } } resources, err := getResources(policies, resourcePaths, dClient) if err != nil { - return sanitizedError.New(fmt.Errorf("Issues fetching resources").Error()) + return sanitizedError.NewWithError("failed to load resources", err) } for i, policy := range policies { for j, resource := range resources { if !(j == 0 && i == 0) { - fmt.Printf("\n\n=======================================================================\n") + fmt.Printf("\n\n==========================================================================================\n") } err = applyPolicyOnResource(policy, resource) if err != nil { - return sanitizedError.New(fmt.Errorf("Issues applying policy %v on resource %v", policy.Name, resource.GetName()).Error()) + return sanitizedError.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err) } } } @@ -111,7 +117,7 @@ func Command() *cobra.Command { return cmd } -func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient discovery.CachedDiscoveryInterface) ([]*unstructured.Unstructured, error) { +func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient *client.Client) ([]*unstructured.Unstructured, error) { var resources []*unstructured.Unstructured var err error @@ -137,37 +143,24 @@ func getResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient } for _, resourcePath := range resourcePaths { - resource, err := getResource(resourcePath) + getResources, err := getResource(resourcePath) if err != nil { return nil, err } - resources = append(resources, resource) + for _, resource := range getResources { + resources = append(resources, resource) + } } return resources, nil } -func getResourcesOfTypeFromCluster(resourceTypes []string, dClient discovery.CachedDiscoveryInterface) ([]*unstructured.Unstructured, error) { +func getResourcesOfTypeFromCluster(resourceTypes []string, dClient *client.Client) ([]*unstructured.Unstructured, error) { var resources []*unstructured.Unstructured for _, kind := range resourceTypes { - endpoint, err := getListEndpointForKind(kind) - if err != nil { - return nil, err - } - - listObjectRaw, err := dClient.RESTClient().Get().RequestURI(endpoint).Do().Raw() - if err != nil { - return nil, err - } - - listObject, err := engineutils.ConvertToUnstructured(listObjectRaw) - if err != nil { - return nil, err - } - - resourceList, err := listObject.ToList() + resourceList, err := dClient.ListResource(kind, "", nil) if err != nil { return nil, err } @@ -186,133 +179,71 @@ func getResourcesOfTypeFromCluster(resourceTypes []string, dClient discovery.Cac return resources, nil } -func getPoliciesInDir(path string) ([]*v1.ClusterPolicy, error) { - var policies []*v1.ClusterPolicy +func getResource(path string) ([]*unstructured.Unstructured, error) { - files, err := ioutil.ReadDir(path) - if err != nil { - return nil, err - } - - for _, file := range files { - if file.IsDir() { - policiesFromDir, err := getPoliciesInDir(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - return policies, nil -} - -func getPolicies(paths []string) ([]*v1.ClusterPolicy, error) { - var policies = make([]*v1.ClusterPolicy, 0, len(paths)) - for _, path := range paths { - path = filepath.Clean(path) - - fileDesc, err := os.Stat(path) - if err != nil { - return nil, err - } - - if fileDesc.IsDir() { - policiesFromDir, err := getPoliciesInDir(path) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(path) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - for i := range policies { - setFalse := false - policies[i].Spec.Background = &setFalse - } - - return policies, nil -} - -func getPolicy(path string) (*v1.ClusterPolicy, error) { - policy := &v1.ClusterPolicy{} + resources := make([]*unstructured.Unstructured, 0) + getResourceErrors := make([]error, 0) file, err := ioutil.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("failed to load file: %v", err) - } - - policyBytes, err := yaml.ToJSON(file) if err != nil { return nil, err } - if err := json.Unmarshal(policyBytes, policy); err != nil { - return nil, sanitizedError.New(fmt.Sprintf("failed to decode policy in %s", path)) + files, splitDocError := common.SplitYAMLDocuments(file) + if splitDocError != nil { + return nil, splitDocError } - if policy.TypeMeta.Kind != "ClusterPolicy" { - return nil, sanitizedError.New(fmt.Sprintf("resource %v is not a cluster policy", policy.Name)) + for _, resourceYaml := range files { + + decode := scheme.Codecs.UniversalDeserializer().Decode + resourceObject, metaData, err := decode(resourceYaml, nil, nil) + if err != nil { + getResourceErrors = append(getResourceErrors, err) + continue + } + + resourceUnstructured, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&resourceObject) + if err != nil { + getResourceErrors = append(getResourceErrors, err) + continue + } + + resourceJSON, err := json.Marshal(resourceUnstructured) + if err != nil { + getResourceErrors = append(getResourceErrors, err) + continue + } + + resource, err := engineutils.ConvertToUnstructured(resourceJSON) + if err != nil { + getResourceErrors = append(getResourceErrors, err) + continue + } + + resource.SetGroupVersionKind(*metaData) + + if resource.GetNamespace() == "" { + resource.SetNamespace("default") + } + + resources = append(resources, resource) } - return policy, nil -} - -func getResource(path string) (*unstructured.Unstructured, error) { - - resourceYaml, err := ioutil.ReadFile(path) - if err != nil { - return nil, err + var getErrString string + for _, getResourceError := range getResourceErrors { + getErrString = getErrString + getResourceError.Error() + "\n" } - decode := scheme.Codecs.UniversalDeserializer().Decode - resourceObject, metaData, err := decode(resourceYaml, nil, nil) - if err != nil { - return nil, err + if getErrString != "" { + return nil, errors.New(getErrString) } - resourceUnstructured, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&resourceObject) - if err != nil { - return nil, err - } - - resourceJSON, err := json.Marshal(resourceUnstructured) - if err != nil { - return nil, err - } - - resource, err := engineutils.ConvertToUnstructured(resourceJSON) - if err != nil { - return nil, err - } - - resource.SetGroupVersionKind(*metaData) - - if resource.GetNamespace() == "" { - resource.SetNamespace("default") - } - - return resource, nil + return resources, nil } func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured) error { - + responseError := false fmt.Printf("\n\nApplying Policy %s on Resource %s/%s/%s\n", policy.Name, resource.GetNamespace(), resource.GetKind(), resource.GetName()) mutateResponse := engine.Mutate(engine.PolicyContext{Policy: *policy, NewResource: *resource}) @@ -323,6 +254,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst fmt.Printf("\n%d. %s", i+1, r.Message) } fmt.Printf("\n\n") + responseError = true } else { if len(mutateResponse.PolicyResponse.Rules) > 0 { fmt.Printf("\n\nMutation:") @@ -345,6 +277,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst fmt.Printf("\n%d. %s", i+1, r.Message) } fmt.Printf("\n\n") + responseError = true } else { if len(validateResponse.PolicyResponse.Rules) > 0 { fmt.Printf("\n\nValidation:") @@ -373,8 +306,18 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst fmt.Printf("\n%d. %s", i+1, r.Message) } fmt.Printf("\n\n") + responseError = true } } + if responseError == true { + os.Exit(1) + } return nil } + +func policyHasVariables(policy v1.ClusterPolicy) bool { + policyRaw, _ := json.Marshal(policy) + regex := regexp.MustCompile(`\{\{([^{}]*)\}\}`) + return len(regex.FindAllStringSubmatch(string(policyRaw), -1)) > 0 +} diff --git a/pkg/kyverno/apply/helper.go b/pkg/kyverno/apply/helper.go deleted file mode 100644 index 04dc142a9a..0000000000 --- a/pkg/kyverno/apply/helper.go +++ /dev/null @@ -1,37 +0,0 @@ -package apply - -import ( - "fmt" - "strings" - - "github.com/nirmata/kyverno/pkg/openapi" -) - -func getListEndpointForKind(kind string) (string, error) { - - definitionName := openapi.GetDefinitionNameFromKind(kind) - definitionNameWithoutPrefix := strings.Replace(definitionName, "io.k8s.", "", -1) - - parts := strings.Split(definitionNameWithoutPrefix, ".") - definitionPrefix := strings.Join(parts[:len(parts)-1], ".") - - defPrefixToApiPrefix := map[string]string{ - "api.core.v1": "/api/v1", - "api.apps.v1": "/apis/apps/v1", - "api.batch.v1": "/apis/batch/v1", - "api.admissionregistration.v1": "/apis/admissionregistration.k8s.io/v1", - "kube-aggregator.pkg.apis.apiregistration.v1": "/apis/apiregistration.k8s.io/v1", - "apiextensions-apiserver.pkg.apis.apiextensions.v1": "/apis/apiextensions.k8s.io/v1", - "api.autoscaling.v1": "/apis/autoscaling/v1/", - "api.storage.v1": "/apis/storage.k8s.io/v1", - "api.coordination.v1": "/apis/coordination.k8s.io/v1", - "api.scheduling.v1": "/apis/scheduling.k8s.io/v1", - "api.rbac.v1": "/apis/rbac.authorization.k8s.io/v1", - } - - if defPrefixToApiPrefix[definitionPrefix] == "" { - return "", fmt.Errorf("Unsupported resource type %v", kind) - } - - return defPrefixToApiPrefix[definitionPrefix] + "/" + strings.ToLower(kind) + "s", nil -} diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go new file mode 100644 index 0000000000..b454174abc --- /dev/null +++ b/pkg/kyverno/common/common.go @@ -0,0 +1,148 @@ +package common + +import ( + "bufio" + "bytes" + "encoding/json" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + + v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/kyverno/sanitizedError" + "github.com/nirmata/kyverno/pkg/openapi" + "k8s.io/apimachinery/pkg/util/yaml" + log "sigs.k8s.io/controller-runtime/pkg/log" +) + +// GetPolicies - Extracting the policies from multiple YAML +func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, error error) { + log := log.Log + for _, path := range paths { + path = filepath.Clean(path) + + fileDesc, err := os.Stat(path) + if err != nil { + log.Error(err, "failed to describe file") + return nil, err + } + + if fileDesc.IsDir() { + files, err := ioutil.ReadDir(path) + if err != nil { + return nil, sanitizedError.NewWithError(fmt.Sprintf("failed to parse %v", path), err) + } + + listOfFiles := make([]string, 0) + for _, file := range files { + listOfFiles = append(listOfFiles, filepath.Join(path, file.Name())) + } + + policiesFromDir, err := GetPolicies(listOfFiles) + if err != nil { + log.Error(err, fmt.Sprintf("failed to extract policies from %v", listOfFiles)) + return nil, sanitizedError.NewWithError(("failed to extract policies"), err) + } + + policies = append(policies, policiesFromDir...) + } else { + getPolicies, getErrors := GetPolicy(path) + var errString string + for _, err := range getErrors { + if err != nil { + errString += err.Error() + "\n" + } + } + + if errString != "" { + fmt.Println("falied to extract policies") + os.Exit(2) + } + + policies = append(policies, getPolicies...) + } + } + + for i := range policies { + setFalse := false + policies[i].Spec.Background = &setFalse + } + + return policies, nil +} + +// GetPolicy - Extracts policies from a YAML +func GetPolicy(path string) (clusterPolicies []*v1.ClusterPolicy, errors []error) { + file, err := ioutil.ReadFile(path) + if err != nil { + errors = append(errors, fmt.Errorf(fmt.Sprintf("failed to load file: %v. error: %v", path, err))) + return clusterPolicies, errors + } + + policies, splitDocErrors := SplitYAMLDocuments(file) + if splitDocErrors != nil { + errors = append(errors, splitDocErrors) + return clusterPolicies, errors + } + + for _, thisPolicyBytes := range policies { + policyBytes, err := yaml.ToJSON(thisPolicyBytes) + if err != nil { + errors = append(errors, fmt.Errorf(fmt.Sprintf("failed to convert json. error: %v", err))) + continue + } + + policy := &v1.ClusterPolicy{} + if err := json.Unmarshal(policyBytes, policy); err != nil { + errors = append(errors, fmt.Errorf(fmt.Sprintf("failed to decode policy in %s. error: %v", path, err))) + continue + } + + if policy.TypeMeta.Kind != "ClusterPolicy" { + errors = append(errors, fmt.Errorf(fmt.Sprintf("resource %v is not a cluster policy", policy.Name))) + continue + } + clusterPolicies = append(clusterPolicies, policy) + } + + return clusterPolicies, errors +} + +// SplitYAMLDocuments reads the YAML bytes per-document, unmarshals the TypeMeta information from each document +// and returns a map between the GroupVersionKind of the document and the document bytes +func SplitYAMLDocuments(yamlBytes []byte) (policies [][]byte, error error) { + buf := bytes.NewBuffer(yamlBytes) + reader := yaml.NewYAMLReader(bufio.NewReader(buf)) + for { + // Read one YAML document at a time, until io.EOF is returned + b, err := reader.Read() + if err == io.EOF || len(b) == 0 { + break + } else if err != nil { + return policies, fmt.Errorf("unable to read yaml") + } + + policies = append(policies, b) + } + return policies, error +} + +//GetPoliciesValidation - validating policies +func GetPoliciesValidation(policyPaths []string) ([]*v1.ClusterPolicy, *openapi.Controller, error) { + policies, err := GetPolicies(policyPaths) + if err != nil { + if !sanitizedError.IsErrorSanitized(err) { + return nil, nil, sanitizedError.NewWithError((fmt.Sprintf("failed to parse %v path/s.", policyPaths)), err) + } + return nil, nil, err + } + + openAPIController, err := openapi.NewOpenAPIController() + if err != nil { + return nil, nil, err + } + + return policies, openAPIController, nil +} diff --git a/pkg/kyverno/main.go b/pkg/kyverno/main.go index d0d1163ef6..6424a57ddc 100644 --- a/pkg/kyverno/main.go +++ b/pkg/kyverno/main.go @@ -9,6 +9,9 @@ import ( "github.com/nirmata/kyverno/pkg/kyverno/apply" "github.com/nirmata/kyverno/pkg/kyverno/version" + "k8s.io/klog" + "k8s.io/klog/klogr" + log "sigs.k8s.io/controller-runtime/pkg/log" "github.com/spf13/cobra" ) @@ -19,7 +22,7 @@ func CLI() { Short: "kyverno manages native policies of Kubernetes", } - configureGlog(cli) + configurelog(cli) commands := []*cobra.Command{ version.Command(), @@ -36,9 +39,9 @@ func CLI() { } } -func configureGlog(cli *cobra.Command) { - flag.Parse() - _ = flag.Set("logtostderr", "true") +func configurelog(cli *cobra.Command) { + klog.InitFlags(nil) + log.SetLogger(klogr.New()) cli.PersistentFlags().AddGoFlagSet(flag.CommandLine) _ = cli.PersistentFlags().MarkHidden("alsologtostderr") diff --git a/pkg/kyverno/sanitizedError/error.go b/pkg/kyverno/sanitizedError/error.go index 3c8ef003f7..9d0dbab0af 100644 --- a/pkg/kyverno/sanitizedError/error.go +++ b/pkg/kyverno/sanitizedError/error.go @@ -1,5 +1,7 @@ package sanitizedError +import "fmt" + type customError struct { message string } @@ -12,6 +14,11 @@ func New(message string) error { return customError{message: message} } +func NewWithError(message string, err error) error { + msg := fmt.Sprintf("%s \nCause: %s", message, err.Error()) + return customError{message: msg} +} + func IsErrorSanitized(err error) bool { if _, ok := err.(customError); !ok { return false diff --git a/pkg/kyverno/validate/command.go b/pkg/kyverno/validate/command.go index bf20511e0d..a1b6f6eeaf 100644 --- a/pkg/kyverno/validate/command.go +++ b/pkg/kyverno/validate/command.go @@ -1,21 +1,18 @@ package validate import ( - "encoding/json" "fmt" - "io/ioutil" "os" - "path/filepath" + "github.com/nirmata/kyverno/pkg/utils" + + "github.com/nirmata/kyverno/pkg/kyverno/common" "github.com/nirmata/kyverno/pkg/kyverno/sanitizedError" - "github.com/golang/glog" - policyvalidate "github.com/nirmata/kyverno/pkg/policy" - v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/spf13/cobra" - "k8s.io/apimachinery/pkg/util/yaml" + log "sigs.k8s.io/controller-runtime/pkg/log" ) func Command() *cobra.Command { @@ -27,121 +24,33 @@ func Command() *cobra.Command { defer func() { if err != nil { if !sanitizedError.IsErrorSanitized(err) { - glog.V(4).Info(err) + log.Log.Error(err, "failed to sanitize") err = fmt.Errorf("Internal error") } } }() - policies, err := getPolicies(policyPaths) + policies, openAPIController, err := common.GetPoliciesValidation(policyPaths) if err != nil { - if !sanitizedError.IsErrorSanitized(err) { - return sanitizedError.New("Could not parse policy paths") - } else { - return err - } + return err } + invalidPolicyFound := false for _, policy := range policies { - err = policyvalidate.Validate(*policy) + err = policyvalidate.Validate(utils.MarshalPolicy(*policy), nil, true, openAPIController) if err != nil { fmt.Println("Policy " + policy.Name + " is invalid") + invalidPolicyFound = true } else { fmt.Println("Policy " + policy.Name + " is valid") } } + if invalidPolicyFound == true { + os.Exit(1) + } return nil }, } - return cmd } - -func getPoliciesInDir(path string) ([]*v1.ClusterPolicy, error) { - var policies []*v1.ClusterPolicy - - files, err := ioutil.ReadDir(path) - if err != nil { - return nil, err - } - - for _, file := range files { - if file.IsDir() { - policiesFromDir, err := getPoliciesInDir(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(filepath.Join(path, file.Name())) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - return policies, nil -} - -func getPolicies(paths []string) ([]*v1.ClusterPolicy, error) { - var policies = make([]*v1.ClusterPolicy, 0, len(paths)) - for _, path := range paths { - path = filepath.Clean(path) - - fileDesc, err := os.Stat(path) - if err != nil { - return nil, err - } - - if fileDesc.IsDir() { - policiesFromDir, err := getPoliciesInDir(path) - if err != nil { - return nil, err - } - - policies = append(policies, policiesFromDir...) - } else { - policy, err := getPolicy(path) - if err != nil { - return nil, err - } - - policies = append(policies, policy) - } - } - - for i := range policies { - setFalse := false - policies[i].Spec.Background = &setFalse - } - - return policies, nil -} - -func getPolicy(path string) (*v1.ClusterPolicy, error) { - policy := &v1.ClusterPolicy{} - - file, err := ioutil.ReadFile(path) - if err != nil { - return nil, fmt.Errorf("failed to load file: %v", err) - } - - policyBytes, err := yaml.ToJSON(file) - if err != nil { - return nil, err - } - - if err := json.Unmarshal(policyBytes, policy); err != nil { - return nil, sanitizedError.New(fmt.Sprintf("failed to decode policy in %s", path)) - } - - if policy.TypeMeta.Kind != "ClusterPolicy" { - return nil, sanitizedError.New(fmt.Sprintf("resource %v is not a cluster policy", policy.Name)) - } - - return policy, nil -} diff --git a/pkg/openapi/crdSync.go b/pkg/openapi/crdSync.go index da428c2955..bc86df86ec 100644 --- a/pkg/openapi/crdSync.go +++ b/pkg/openapi/crdSync.go @@ -2,23 +2,46 @@ package openapi import ( "encoding/json" - "time" + "errors" + "fmt" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + runtimeSchema "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/golang/glog" - "gopkg.in/yaml.v2" "github.com/googleapis/gnostic/compiler" openapi_v2 "github.com/googleapis/gnostic/OpenAPIv2" + "sigs.k8s.io/controller-runtime/pkg/log" + "github.com/nirmata/kyverno/pkg/constant" client "github.com/nirmata/kyverno/pkg/dclient" "k8s.io/apimachinery/pkg/util/wait" ) -type crdDefinition struct { +type crdSync struct { + client *client.Client + controller *Controller +} + +// crdDefinitionPrior represents CRDs version prior to 1.16 +var crdDefinitionPrior struct { + Spec struct { + Names struct { + Kind string `json:"kind"` + } `json:"names"` + Validation struct { + OpenAPIV3Schema interface{} `json:"openAPIV3Schema"` + } `json:"validation"` + } `json:"spec"` +} + +// crdDefinitionNew represents CRDs version 1.16+ +var crdDefinitionNew struct { Spec struct { Names struct { Kind string `json:"kind"` @@ -27,86 +50,148 @@ type crdDefinition struct { Schema struct { OpenAPIV3Schema interface{} `json:"openAPIV3Schema"` } `json:"schema"` + Storage bool `json:"storage"` } `json:"versions"` } `json:"spec"` } -type crdSync struct { - client *client.Client -} +func NewCRDSync(client *client.Client, controller *Controller) *crdSync { + if controller == nil { + panic(fmt.Errorf("nil controller sent into crd sync")) + } -func NewCRDSync(client *client.Client) *crdSync { return &crdSync{ - client: client, + controller: controller, + client: client, } } func (c *crdSync) Run(workers int, stopCh <-chan struct{}) { newDoc, err := c.client.DiscoveryClient.OpenAPISchema() if err != nil { - glog.V(4).Infof("cannot get openapi schema: %v", err) + log.Log.Error(err, "cannot get OpenAPI schema") } - err = useOpenApiDocument(newDoc) + err = c.controller.useOpenApiDocument(newDoc) if err != nil { - glog.V(4).Infof("Could not set custom OpenApi document: %v\n", err) + log.Log.Error(err, "Could not set custom OpenAPI document") } + // Sync CRD before kyverno starts + c.sync() + for i := 0; i < workers; i++ { - go wait.Until(c.sync, time.Second*10, stopCh) + go wait.Until(c.sync, constant.CRDControllerResync, stopCh) } - <-stopCh } func (c *crdSync) sync() { - openApiGlobalState.mutex.Lock() - defer openApiGlobalState.mutex.Unlock() - - crds, err := c.client.ListResource("CustomResourceDefinition", "", nil) + crds, err := c.client.GetDynamicInterface().Resource(runtimeSchema.GroupVersionResource{ + Group: "apiextensions.k8s.io", + Version: "v1beta1", + Resource: "customresourcedefinitions", + }).List(v1.ListOptions{}) if err != nil { - glog.V(4).Infof("could not fetch crd's from server: %v", err) + log.Log.Error(err, "could not fetch crd's from server") return } - deleteCRDFromPreviousSync() + c.controller.mutex.Lock() + defer c.controller.mutex.Unlock() + + c.controller.deleteCRDFromPreviousSync() for _, crd := range crds.Items { - parseCRD(crd) + c.controller.parseCRD(crd) } } -func deleteCRDFromPreviousSync() { - for _, crd := range openApiGlobalState.crdList { - delete(openApiGlobalState.kindToDefinitionName, crd) - delete(openApiGlobalState.definitions, crd) +func (o *Controller) deleteCRDFromPreviousSync() { + for _, crd := range o.crdList { + delete(o.kindToDefinitionName, crd) + delete(o.definitions, crd) } - openApiGlobalState.crdList = []string{} + o.crdList = make([]string, 0) } -func parseCRD(crd unstructured.Unstructured) { - var crdDefinition crdDefinition +func (o *Controller) parseCRD(crd unstructured.Unstructured) { + var err error + crdRaw, _ := json.Marshal(crd.Object) - _ = json.Unmarshal(crdRaw, &crdDefinition) + _ = json.Unmarshal(crdRaw, &crdDefinitionPrior) - crdName := crdDefinition.Spec.Names.Kind - if len(crdDefinition.Spec.Versions) < 1 { - glog.V(4).Infof("could not parse crd schema, no versions present") + openV3schema := crdDefinitionPrior.Spec.Validation.OpenAPIV3Schema + crdName := crdDefinitionPrior.Spec.Names.Kind + + if openV3schema == nil { + _ = json.Unmarshal(crdRaw, &crdDefinitionNew) + for _, crdVersion := range crdDefinitionNew.Spec.Versions { + if crdVersion.Storage { + openV3schema = crdVersion.Schema.OpenAPIV3Schema + crdName = crdDefinitionNew.Spec.Names.Kind + break + } + } + } + + if openV3schema == nil { + log.Log.V(3).Info("skip adding schema, CRD has no properties", "name", crdName) + return + } + + schemaRaw, _ := json.Marshal(openV3schema) + if len(schemaRaw) < 1 { + log.Log.V(3).Info("could not parse crd schema", "name", crdName) + return + } + + schemaRaw, err = addingDefaultFieldsToSchema(schemaRaw) + if err != nil { + log.Log.Error(err, "could not parse crd schema", "name", crdName) return } var schema yaml.MapSlice - schemaRaw, _ := json.Marshal(crdDefinition.Spec.Versions[0].Schema.OpenAPIV3Schema) _ = yaml.Unmarshal(schemaRaw, &schema) parsedSchema, err := openapi_v2.NewSchema(schema, compiler.NewContext("schema", nil)) if err != nil { - glog.V(4).Infof("could not parse crd schema:%v", err) + log.Log.Error(err, "could not parse crd schema", "name", crdName) return } - openApiGlobalState.crdList = append(openApiGlobalState.crdList, crdName) - - openApiGlobalState.kindToDefinitionName[crdName] = crdName - openApiGlobalState.definitions[crdName] = parsedSchema + o.crdList = append(o.crdList, crdName) + o.kindToDefinitionName[crdName] = crdName + o.definitions[crdName] = parsedSchema +} + +// addingDefaultFieldsToSchema will add any default missing fields like apiVersion, metadata +func addingDefaultFieldsToSchema(schemaRaw []byte) ([]byte, error) { + var schema struct { + Properties map[string]interface{} `json:"properties"` + } + _ = json.Unmarshal(schemaRaw, &schema) + + if len(schema.Properties) < 1 { + return nil, errors.New("crd schema has no properties") + } + + if schema.Properties["apiVersion"] == nil { + apiVersionDefRaw := `{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}` + apiVersionDef := make(map[string]interface{}) + _ = json.Unmarshal([]byte(apiVersionDefRaw), &apiVersionDef) + schema.Properties["apiVersion"] = apiVersionDef + } + + if schema.Properties["metadata"] == nil { + metadataDefRaw := `{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}` + metadataDef := make(map[string]interface{}) + _ = json.Unmarshal([]byte(metadataDefRaw), &metadataDef) + schema.Properties["metadata"] = metadataDef + } + + schemaWithDefaultFields, _ := json.Marshal(schema) + + return schemaWithDefaultFields, nil } diff --git a/pkg/openapi/validation.go b/pkg/openapi/validation.go index 71b8fa4b43..a8c8ea6f1a 100644 --- a/pkg/openapi/validation.go +++ b/pkg/openapi/validation.go @@ -1,14 +1,15 @@ package openapi import ( + "encoding/json" + "errors" "fmt" "strconv" "strings" "sync" - "github.com/nirmata/kyverno/data" - - "github.com/golang/glog" + data "github.com/nirmata/kyverno/api" + "github.com/nirmata/kyverno/pkg/engine/utils" "github.com/nirmata/kyverno/pkg/engine" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -19,86 +20,75 @@ import ( "github.com/googleapis/gnostic/compiler" "k8s.io/kube-openapi/pkg/util/proto" "k8s.io/kube-openapi/pkg/util/proto/validation" + log "sigs.k8s.io/controller-runtime/pkg/log" "gopkg.in/yaml.v2" ) -var openApiGlobalState struct { - mutex sync.RWMutex - document *openapi_v2.Document - definitions map[string]*openapi_v2.Schema +type Controller struct { + mutex sync.RWMutex + definitions map[string]*openapi_v2.Schema + // kindToDefinitionName holds the kind - definition map + // i.e. - Namespace: io.k8s.api.core.v1.Namespace kindToDefinitionName map[string]string crdList []string models proto.Models } -func init() { +func NewOpenAPIController() (*Controller, error) { + controller := &Controller{ + definitions: make(map[string]*openapi_v2.Schema), + kindToDefinitionName: make(map[string]string), + } + defaultDoc, err := getSchemaDocument() if err != nil { - panic(err) + return nil, err } - err = useOpenApiDocument(defaultDoc) + err = controller.useOpenApiDocument(defaultDoc) if err != nil { - panic(err) + return nil, err } + + return controller, nil } -func ValidatePolicyMutation(policy v1.ClusterPolicy) error { - openApiGlobalState.mutex.RLock() - defer openApiGlobalState.mutex.RUnlock() +func (o *Controller) ValidatePolicyFields(policyRaw []byte) error { + o.mutex.RLock() + defer o.mutex.RUnlock() - var kindToRules = make(map[string][]v1.Rule) - for _, rule := range policy.Spec.Rules { - if rule.HasMutate() { - rule.MatchResources = v1.MatchResources{ - UserInfo: v1.UserInfo{}, - ResourceDescription: v1.ResourceDescription{ - Kinds: rule.MatchResources.Kinds, - }, - } - rule.ExcludeResources = v1.ExcludeResources{} - for _, kind := range rule.MatchResources.Kinds { - kindToRules[kind] = append(kindToRules[kind], rule) - } - } + var policy v1.ClusterPolicy + err := json.Unmarshal(policyRaw, &policy) + if err != nil { + return err } - for kind, rules := range kindToRules { - newPolicy := *policy.DeepCopy() - newPolicy.Spec.Rules = rules - resource, _ := generateEmptyResource(openApiGlobalState.definitions[openApiGlobalState.kindToDefinitionName[kind]]).(map[string]interface{}) - if resource == nil { - glog.V(4).Infof("Cannot Validate policy: openApi definition now found for %v", kind) - return nil - } - newResource := unstructured.Unstructured{Object: resource} - newResource.SetKind(kind) - - patchedResource, err := engine.ForceMutate(nil, *newPolicy.DeepCopy(), newResource) - if err != nil { - return err - } - err = ValidateResource(*patchedResource.DeepCopy(), kind) - if err != nil { - return err - } + policyUnst, err := utils.ConvertToUnstructured(policyRaw) + if err != nil { + return err } - return nil + err = o.ValidateResource(*policyUnst.DeepCopy(), "ClusterPolicy") + if err != nil { + return err + } + + return o.ValidatePolicyMutation(policy) } -func ValidateResource(patchedResource unstructured.Unstructured, kind string) error { - openApiGlobalState.mutex.RLock() - defer openApiGlobalState.mutex.RUnlock() +func (o *Controller) ValidateResource(patchedResource unstructured.Unstructured, kind string) error { + o.mutex.RLock() + defer o.mutex.RUnlock() var err error - kind = openApiGlobalState.kindToDefinitionName[kind] - schema := openApiGlobalState.models.LookupModel(kind) + kind = o.kindToDefinitionName[kind] + schema := o.models.LookupModel(kind) if schema == nil { - schema, err = getSchemaFromDefinitions(kind) + // Check if kind is a CRD + schema, err = o.getCRDSchema(kind) if err != nil || schema == nil { - return fmt.Errorf("pre-validation: couldn't find model %s", kind) + return fmt.Errorf("pre-validation: couldn't find model %s, err: %v", kind, err) } delete(patchedResource.Object, "kind") } @@ -115,28 +105,61 @@ func ValidateResource(patchedResource unstructured.Unstructured, kind string) er return nil } -func GetDefinitionNameFromKind(kind string) string { - openApiGlobalState.mutex.RLock() - defer openApiGlobalState.mutex.RUnlock() - return openApiGlobalState.kindToDefinitionName[kind] +func (o *Controller) GetDefinitionNameFromKind(kind string) string { + o.mutex.RLock() + defer o.mutex.RUnlock() + return o.kindToDefinitionName[kind] } -func useOpenApiDocument(customDoc *openapi_v2.Document) error { - openApiGlobalState.mutex.Lock() - defer openApiGlobalState.mutex.Unlock() +func (o *Controller) ValidatePolicyMutation(policy v1.ClusterPolicy) error { + o.mutex.RLock() + defer o.mutex.RUnlock() - openApiGlobalState.document = customDoc + var kindToRules = make(map[string][]v1.Rule) + for _, rule := range policy.Spec.Rules { + if rule.HasMutate() { + for _, kind := range rule.MatchResources.Kinds { + kindToRules[kind] = append(kindToRules[kind], rule) + } + } + } - openApiGlobalState.definitions = make(map[string]*openapi_v2.Schema) - openApiGlobalState.kindToDefinitionName = make(map[string]string) - for _, definition := range openApiGlobalState.document.GetDefinitions().AdditionalProperties { - openApiGlobalState.definitions[definition.GetName()] = definition.GetValue() + for kind, rules := range kindToRules { + newPolicy := *policy.DeepCopy() + newPolicy.Spec.Rules = rules + resource, _ := o.generateEmptyResource(o.definitions[o.kindToDefinitionName[kind]]).(map[string]interface{}) + if resource == nil { + log.Log.V(4).Info(fmt.Sprintf("Cannot Validate policy: openApi definition now found for %v", kind)) + return nil + } + newResource := unstructured.Unstructured{Object: resource} + newResource.SetKind(kind) + + patchedResource, err := engine.ForceMutate(nil, *newPolicy.DeepCopy(), newResource) + if err != nil { + return err + } + err = o.ValidateResource(*patchedResource.DeepCopy(), kind) + if err != nil { + return err + } + } + + return nil +} + +func (o *Controller) useOpenApiDocument(doc *openapi_v2.Document) error { + o.mutex.Lock() + defer o.mutex.Unlock() + + for _, definition := range doc.GetDefinitions().AdditionalProperties { + o.definitions[definition.GetName()] = definition.GetValue() path := strings.Split(definition.GetName(), ".") - openApiGlobalState.kindToDefinitionName[path[len(path)-1]] = definition.GetName() + o.kindToDefinitionName[path[len(path)-1]] = definition.GetName() } var err error - openApiGlobalState.models, err = proto.NewOpenAPIData(openApiGlobalState.document) + o.models, err = proto.NewOpenAPIData(doc) if err != nil { return err } @@ -155,17 +178,32 @@ func getSchemaDocument() (*openapi_v2.Document, error) { } // For crd, we do not store definition in document -func getSchemaFromDefinitions(kind string) (proto.Schema, error) { +func (o *Controller) getCRDSchema(kind string) (proto.Schema, error) { + if kind == "" { + return nil, errors.New("invalid kind") + } + path := proto.NewPath(kind) - return (&proto.Definitions{}).ParseSchema(openApiGlobalState.definitions[kind], &path) + definition := o.definitions[kind] + if definition == nil { + return nil, errors.New("could not find definition") + } + + // This was added so crd's can access + // normal definitions from existing schema such as + // `metadata` - this maybe a breaking change. + // Removing this may cause policy validate to stop working + existingDefinitions, _ := o.models.(*proto.Definitions) + + return (existingDefinitions).ParseSchema(definition, &path) } -func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} { +func (o *Controller) generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} { types := kindSchema.GetType().GetValue() if kindSchema.GetXRef() != "" { - return generateEmptyResource(openApiGlobalState.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")]) + return o.generateEmptyResource(o.definitions[strings.TrimPrefix(kindSchema.GetXRef(), "#/definitions/")]) } if len(types) != 1 { @@ -189,7 +227,7 @@ func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} { wg.Add(len(properties)) for _, property := range properties { go func(property *openapi_v2.NamedSchema) { - prop := generateEmptyResource(property.GetValue()) + prop := o.generateEmptyResource(property.GetValue()) mutex.Lock() props[property.GetName()] = prop mutex.Unlock() @@ -201,7 +239,7 @@ func generateEmptyResource(kindSchema *openapi_v2.Schema) interface{} { case "array": var array []interface{} for _, schema := range kindSchema.GetItems().GetSchema() { - array = append(array, generateEmptyResource(schema)) + array = append(array, o.generateEmptyResource(schema)) } return array case "string": diff --git a/pkg/openapi/validation_test.go b/pkg/openapi/validation_test.go index 813c2ed15b..2e86215df3 100644 --- a/pkg/openapi/validation_test.go +++ b/pkg/openapi/validation_test.go @@ -47,12 +47,14 @@ func Test_ValidateMutationPolicy(t *testing.T) { }, } + o, _ := NewOpenAPIController() + for i, tc := range tcs { policy := v1.ClusterPolicy{} _ = json.Unmarshal(tc.policy, &policy) var errMessage string - err := ValidatePolicyMutation(policy) + err := o.ValidatePolicyMutation(policy) if err != nil { errMessage = err.Error() } @@ -63,3 +65,8 @@ func Test_ValidateMutationPolicy(t *testing.T) { } } + +func Test_addDefaultFieldsToSchema(t *testing.T) { + addingDefaultFieldsToSchema([]byte(`null`)) + addingDefaultFieldsToSchema(nil) +} diff --git a/pkg/policy/actions.go b/pkg/policy/actions.go new file mode 100644 index 0000000000..4442113cd4 --- /dev/null +++ b/pkg/policy/actions.go @@ -0,0 +1,61 @@ +package policy + +import ( + "fmt" + + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + dclient "github.com/nirmata/kyverno/pkg/dclient" + "github.com/nirmata/kyverno/pkg/policy/generate" + "github.com/nirmata/kyverno/pkg/policy/mutate" + "github.com/nirmata/kyverno/pkg/policy/validate" + "sigs.k8s.io/controller-runtime/pkg/log" +) + +//Validation provides methods to validate a rule +type Validation interface { + Validate() (string, error) +} + +//validateAction performs validation on the rule actions +// - Mutate +// - Validation +// - Generate +func validateActions(idx int, rule kyverno.Rule, client *dclient.Client, mock bool) error { + var checker Validation + + // Mutate + if rule.HasMutate() { + checker = mutate.NewMutateFactory(rule.Mutation) + if path, err := checker.Validate(); err != nil { + return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err) + } + } + + // Validate + if rule.HasValidate() { + checker = validate.NewValidateFactory(rule.Validation) + if path, err := checker.Validate(); err != nil { + return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", idx, path, err) + } + } + + // Generate + if rule.HasGenerate() { + //TODO: this check is there to support offline validations + // generate uses selfSubjectReviews to verify actions + // this need to modified to use different implementation for online and offline mode + if mock { + checker = generate.NewFakeGenerate(rule.Generation) + if path, err := checker.Validate(); err != nil { + return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err) + } + } else { + checker = generate.NewGenerateFactory(client, rule.Generation, log.Log) + if path, err := checker.Validate(); err != nil { + return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err) + } + } + } + + return nil +} diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go index 32d654346c..0bd7b72c16 100644 --- a/pkg/policy/apply.go +++ b/pkg/policy/apply.go @@ -8,7 +8,7 @@ import ( "time" jsonpatch "github.com/evanphx/json-patch" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine" "github.com/nirmata/kyverno/pkg/engine/context" @@ -19,83 +19,94 @@ import ( // applyPolicy applies policy on a resource //TODO: generation rules -func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) (responses []response.EngineResponse) { +func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) { startTime := time.Now() - - glog.V(4).Infof("Started apply policy %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), startTime) defer func() { - glog.V(4).Infof("Finished applying %s on resource %s/%s/%s (%v)", policy.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), time.Since(startTime)) + name := resource.GetKind() + "/" + resource.GetName() + ns := resource.GetNamespace() + if ns != "" { + name = ns + "/" + name + } + + logger.V(3).Info("applyPolicy", "resource", name, "processingTime", time.Since(startTime)) }() var engineResponses []response.EngineResponse - var engineResponse response.EngineResponse + var engineResponseMutation, engineResponseValidation response.EngineResponse var err error // build context ctx := context.NewContext() - ctx.AddResource(transformResource(resource)) - - //MUTATION - engineResponse, err = mutation(policy, resource, ctx) - engineResponses = append(engineResponses, engineResponse) + err = ctx.AddResource(transformResource(resource)) if err != nil { - glog.Errorf("unable to process mutation rules: %v", err) + logger.Error(err, "enable to add transform resource to ctx") + } + //MUTATION + engineResponseMutation, err = mutation(policy, resource, ctx, logger) + if err != nil { + logger.Error(err, "failed to process mutation rule") } //VALIDATION - engineResponse = engine.Validate(engine.PolicyContext{Policy: policy, Context: ctx, NewResource: resource}) - engineResponses = append(engineResponses, engineResponse) + engineResponseValidation = engine.Validate(engine.PolicyContext{Policy: policy, Context: ctx, NewResource: resource}) + engineResponses = append(engineResponses, mergeRuleRespose(engineResponseMutation, engineResponseValidation)) //TODO: GENERATION return engineResponses } -func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, ctx context.EvalInterface) (response.EngineResponse, error) { +func mutation(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, ctx context.EvalInterface, log logr.Logger) (response.EngineResponse, error) { engineResponse := engine.Mutate(engine.PolicyContext{Policy: policy, NewResource: resource, Context: ctx}) if !engineResponse.IsSuccesful() { - glog.V(4).Infof("mutation had errors reporting them") + log.V(4).Info("failed to apply mutation rules; reporting them") return engineResponse, nil } // Verify if the JSON pathes returned by the Mutate are already applied to the resource if reflect.DeepEqual(resource, engineResponse.PatchedResource) { // resources matches - glog.V(4).Infof("resource %s/%s/%s satisfies policy %s", engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name, engineResponse.PolicyResponse.Policy) + log.V(4).Info("resource already satisfys the policy") return engineResponse, nil } - return getFailedOverallRuleInfo(resource, engineResponse) + return getFailedOverallRuleInfo(resource, engineResponse, log) } // getFailedOverallRuleInfo gets detailed info for over-all mutation failure -func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse) (response.EngineResponse, error) { +func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse response.EngineResponse, log logr.Logger) (response.EngineResponse, error) { rawResource, err := resource.MarshalJSON() if err != nil { - glog.V(4).Infof("unable to marshal resource: %v\n", err) + log.Error(err, "faield to marshall resource") return response.EngineResponse{}, err } // resource does not match so there was a mutation rule violated for index, rule := range engineResponse.PolicyResponse.Rules { - glog.V(4).Infof("veriying if policy %s rule %s was applied before to resource %s/%s/%s", engineResponse.PolicyResponse.Policy, rule.Name, engineResponse.PolicyResponse.Resource.Kind, engineResponse.PolicyResponse.Resource.Namespace, engineResponse.PolicyResponse.Resource.Name) - if len(rule.Patches) == 0 { + log.V(4).Info("verifying if policy rule was applied before", "rule", rule.Name) + + if rule.Name == engine.PodControllerRuleName { continue } - patch, err := jsonpatch.DecodePatch(utils.JoinPatches(rule.Patches)) + + patches := rule.Patches + + patch, err := jsonpatch.DecodePatch(utils.JoinPatches(patches)) if err != nil { - glog.V(4).Infof("unable to decode patch %s: %v", rule.Patches, err) + log.Error(err, "failed to decode JSON patch", "patches", patches) return response.EngineResponse{}, err } // apply the patches returned by mutate to the original resource patchedResource, err := patch.Apply(rawResource) if err != nil { - glog.V(4).Infof("unable to apply patch %s: %v", rule.Patches, err) + log.Error(err, "failed to apply JSON patch", "patches", patches) return response.EngineResponse{}, err } + if !jsonpatch.Equal(patchedResource, rawResource) { - glog.V(4).Infof("policy %s rule %s condition not satisfied by existing resource", engineResponse.PolicyResponse.Policy, rule.Name) + log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name) engineResponse.PolicyResponse.Rules[index].Success = false - engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(rule.Patches)) + engineResponse.PolicyResponse.Rules[index].Message = fmt.Sprintf("mutation json patches not found at resource path %s", extractPatchPath(patches, log)) } } + return engineResponse, nil } @@ -105,17 +116,22 @@ type jsonPatch struct { Value interface{} `json:"value"` } -func extractPatchPath(patches [][]byte) string { +func extractPatchPath(patches [][]byte, log logr.Logger) string { var resultPath []string // extract the patch path and value for _, patch := range patches { - glog.V(4).Infof("expected json patch not found in resource: %s", string(patch)) + log.V(4).Info("expected json patch not found in resource", "patch", string(patch)) var data jsonPatch if err := json.Unmarshal(patch, &data); err != nil { - glog.V(4).Infof("Failed to decode the generated patch %v: Error %v", string(patch), err) + log.Error(err, "failed to decode the generate patch", "patch", string(patch)) continue } resultPath = append(resultPath, data.Path) } return strings.Join(resultPath, ";") } + +func mergeRuleRespose(mutation, validation response.EngineResponse) response.EngineResponse { + mutation.PolicyResponse.Rules = append(mutation.PolicyResponse.Rules, validation.PolicyResponse.Rules...) + return mutation +} diff --git a/pkg/policy/background.go b/pkg/policy/background.go index 423fc51c4d..a495cfaa60 100644 --- a/pkg/policy/background.go +++ b/pkg/policy/background.go @@ -6,59 +6,79 @@ import ( kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/engine/variables" + "sigs.k8s.io/controller-runtime/pkg/log" ) -//ContainsUserInfo returns error is userInfo is defined -func ContainsUserInfo(policy kyverno.ClusterPolicy) error { +//ContainsVariablesOtherThanObject returns error if variable that does not start from request.object +func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error { var err error - // iterate of the policy rules to identify if userInfo is used for idx, rule := range policy.Spec.Rules { if path := userInfoDefined(rule.MatchResources.UserInfo); path != "" { - return fmt.Errorf("userInfo variable used at path: spec/rules[%d]/match/%s", idx, path) + return fmt.Errorf("invalid variable used at path: spec/rules[%d]/match/%s", idx, path) } if path := userInfoDefined(rule.ExcludeResources.UserInfo); path != "" { - return fmt.Errorf("userInfo variable used at path: spec/rules[%d]/exclude/%s", idx, path) + return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/%s", idx, path) } - // variable defined with user information - // - condition.key - // - condition.value - // - mutate.overlay - // - validate.pattern - // - validate.anyPattern[*] - // variables to filter - // - request.userInfo* - // - serviceAccountName - // - serviceAccountNamespace - - filterVars := []string{"request.userInfo*", "serviceAccountName", "serviceAccountNamespace"} + filterVars := []string{"request.object"} ctx := context.NewContext(filterVars...) for condIdx, condition := range rule.Conditions { - if condition.Key, err = variables.SubstituteVars(ctx, condition.Key); err != nil { - return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx) + if condition.Key, err = variables.SubstituteVars(log.Log, ctx, condition.Key); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/condition[%d]/key", idx, condIdx) } - if condition.Value, err = variables.SubstituteVars(ctx, condition.Value); err != nil { - return fmt.Errorf("userInfo variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx) + if condition.Value, err = variables.SubstituteVars(log.Log, ctx, condition.Value); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/condition[%d]/value", idx, condIdx) } } - if rule.Mutation.Overlay, err = variables.SubstituteVars(ctx, rule.Mutation.Overlay); err != nil { - return fmt.Errorf("userInfo variable used at spec/rules[%d]/mutate/overlay", idx) + if rule.Mutation.Overlay != nil { + if rule.Mutation.Overlay, err = variables.SubstituteVars(log.Log, ctx, rule.Mutation.Overlay); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/mutate/overlay", idx) + } } - if rule.Validation.Pattern, err = variables.SubstituteVars(ctx, rule.Validation.Pattern); err != nil { - return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/pattern", idx) + + if rule.Validation.Pattern != nil { + if rule.Validation.Pattern, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Pattern); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/pattern", idx) + } } for idx2, pattern := range rule.Validation.AnyPattern { - if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(ctx, pattern); err != nil { - return fmt.Errorf("userInfo variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2) + if rule.Validation.AnyPattern[idx2], err = variables.SubstituteVars(log.Log, ctx, pattern); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/anyPattern[%d]", idx, idx2) + } + } + if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Message); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/message", idx) + } + if rule.Validation.Deny != nil { + for i := range rule.Validation.Deny.Conditions { + if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Key); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/deny/conditions[%d]/key", idx, i) + } + if _, err = variables.SubstituteVars(log.Log, ctx, rule.Validation.Deny.Conditions[i].Value); !checkNotFoundErr(err) { + return fmt.Errorf("invalid variable used at spec/rules[%d]/validate/deny/conditions[%d]/value", idx, i) + } } } } return nil } +func checkNotFoundErr(err error) bool { + if err != nil { + switch err.(type) { + case variables.NotFoundVariableErr: + return true + default: + return false + } + } + + return true +} + func userInfoDefined(ui kyverno.UserInfo) string { if len(ui.Roles) > 0 { return "roles" diff --git a/pkg/policy/cleanup.go b/pkg/policy/cleanup.go index 6a41c579ba..40394c2785 100644 --- a/pkg/policy/cleanup.go +++ b/pkg/policy/cleanup.go @@ -4,57 +4,71 @@ import ( "fmt" "reflect" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" "k8s.io/apimachinery/pkg/labels" ) +func (pc *PolicyController) cleanUp(ers []response.EngineResponse) { + for _, er := range ers { + if !er.IsSuccesful() { + continue + } + if len(er.PolicyResponse.Rules) == 0 { + continue + } + // clean up after the policy has been corrected + pc.cleanUpPolicyViolation(er.PolicyResponse) + } +} + func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResponse) { + logger := pc.log // - check if there is violation on resource (label:Selector) if pResponse.Resource.Namespace == "" { - pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name) + pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name, logger) if err != nil { - glog.Errorf("failed to cleanUp violations: %v", err) + logger.Error(err, "failed to get cluster policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "name", pResponse.Resource.Name) return } if reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) { return } - - glog.V(4).Infof("cleanup cluster violation %s on %s", pv.Name, pv.Spec.ResourceSpec.ToKey()) if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil { - glog.Errorf("failed to delete cluster policy violation %s on %s: %v", pv.Name, pv.Spec.ResourceSpec.ToKey(), err) + logger.Error(err, "failed to delete cluster policy violation", "name", pv.Name) + } else { + logger.Info("deleted cluster policy violation", "name", pv.Name) } - return } // namespace policy violation - nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name) + nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name, logger) if err != nil { - glog.Error(err) + logger.Error(err, "failed to get namespaced policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "namespace", pResponse.Resource.Namespace, "name", pResponse.Resource.Name) return } if reflect.DeepEqual(nspv, kyverno.PolicyViolation{}) { return } - glog.V(4).Infof("cleanup namespaced violation %s on %s.%s", nspv.Name, pResponse.Resource.Namespace, nspv.Spec.ResourceSpec.ToKey()) if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil { - glog.Errorf("failed to delete namespaced policy violation %s on %s: %v", nspv.Name, nspv.Spec.ResourceSpec.ToKey(), err) + logger.Error(err, "failed to delete cluster policy violation", "name", nspv.Name, "namespace", nspv.Namespace) + } else { + logger.Info("deleted namespaced policy violation", "name", nspv.Name, "namespace", nspv.Namespace) } } // Wont do the claiming of objects, just lookup based on selectors -func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string) (kyverno.ClusterPolicyViolation, error) { +func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string, log logr.Logger) (kyverno.ClusterPolicyViolation, error) { var err error // Check Violation on resource pvs, err := pvLister.List(labels.Everything()) if err != nil { - glog.V(2).Infof("unable to list policy violations : %v", err) + log.Error(err, "failed to list cluster policy violations") return kyverno.ClusterPolicyViolation{}, fmt.Errorf("failed to list cluster pv: %v", err) } @@ -69,10 +83,10 @@ func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyNam return kyverno.ClusterPolicyViolation{}, nil } -func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string) (kyverno.PolicyViolation, error) { +func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string, log logr.Logger) (kyverno.PolicyViolation, error) { nspvs, err := nspvLister.PolicyViolations(rnamespace).List(labels.Everything()) if err != nil { - glog.V(2).Infof("failed to list namespaced pv: %v", err) + log.Error(err, "failed to list namespaced policy violation") return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err) } diff --git a/pkg/policy/clusterpv.go b/pkg/policy/clusterpv.go index 0f9f2564ae..35704f72d8 100644 --- a/pkg/policy/clusterpv.go +++ b/pkg/policy/clusterpv.go @@ -1,15 +1,13 @@ package policy import ( - "fmt" - - "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "k8s.io/client-go/tools/cache" ) func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) { pv := obj.(*kyverno.ClusterPolicyViolation) + logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name) if pv.DeletionTimestamp != nil { // On a restart of the controller manager, it's possible for an object to @@ -22,15 +20,15 @@ func (pc *PolicyController) addClusterPolicyViolation(obj interface{}) { ps := pc.getPolicyForClusterPolicyViolation(pv) if len(ps) == 0 { // there is no cluster policy for this violation, so we can delete this cluster policy violation - glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name) + logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup") if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil { - glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err) + logger.Error(err, "failed to delete resource") return } - glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name) + logger.V(4).Info("resource deleted") return } - glog.V(4).Infof("Cluster Policy Violation %s added.", pv.Name) + logger.V(4).Info("resource added") for _, p := range ps { pc.enqueuePolicy(p) } @@ -44,19 +42,20 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) { // Two different versions of the same replica set will always have different RVs. return } + logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name) ps := pc.getPolicyForClusterPolicyViolation(curPV) if len(ps) == 0 { // there is no cluster policy for this violation, so we can delete this cluster policy violation - glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name) + logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup") if err := pc.pvControl.DeleteClusterPolicyViolation(curPV.Name); err != nil { - glog.Errorf("Failed to deleted cluster policy violation %s: %v", curPV.Name, err) + logger.Error(err, "failed to delete resource") return } - glog.V(4).Infof("PolicyViolation %s deleted", curPV.Name) + logger.V(4).Info("resource deleted") return } - glog.V(4).Infof("Cluster PolicyViolation %s updated", curPV.Name) + logger.V(4).Info("resource updated") for _, p := range ps { pc.enqueuePolicy(p) } @@ -67,6 +66,7 @@ func (pc *PolicyController) updateClusterPolicyViolation(old, cur interface{}) { // a DeletionFinalStateUnknown marker item. func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) { + logger := pc.log pv, ok := obj.(*kyverno.ClusterPolicyViolation) // When a delete is dropped, the relist will notice a PolicyViolation in the store not // in the list, leading to the insertion of a tombstone object which contains @@ -75,33 +75,35 @@ func (pc *PolicyController) deleteClusterPolicyViolation(obj interface{}) { if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { - glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj)) + logger.Info("Couldn't get object from tombstone", "obj", obj) return } pv, ok = tombstone.Obj.(*kyverno.ClusterPolicyViolation) if !ok { - glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj)) + logger.Info("Couldn't get object from tombstone", "obj", obj) return } } + logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name) ps := pc.getPolicyForClusterPolicyViolation(pv) if len(ps) == 0 { // there is no cluster policy for this violation, so we can delete this cluster policy violation - glog.V(4).Infof("Cluster Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name) + logger.V(4).Info("Cluster Policy Violation does not belong to an active policy, will be cleanedup") if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil { - glog.Errorf("Failed to deleted cluster policy violation %s: %v", pv.Name, err) + logger.Error(err, "failed to delete resource") return } - glog.V(4).Infof("Cluster Policy Violation %s deleted", pv.Name) + logger.V(4).Info("resource deleted") return } - glog.V(4).Infof("Cluster PolicyViolation %s updated", pv.Name) + logger.V(4).Info("resource updated") for _, p := range ps { pc.enqueuePolicy(p) } } func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.ClusterPolicyViolation) []*kyverno.ClusterPolicy { + logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name) policies, err := pc.pLister.GetPolicyForPolicyViolation(pv) if err != nil || len(policies) == 0 { return nil @@ -113,8 +115,7 @@ func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.Clust if len(policies) > 1 { // ControllerRef will ensure we don't do anything crazy, but more than one // item in this list nevertheless constitutes user error. - glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s", - pv.Name, pv.Labels, policies[0].Name) + logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name) } return policies } diff --git a/pkg/policy/common.go b/pkg/policy/common.go index b4d6155abc..cb99b9dd2f 100644 --- a/pkg/policy/common.go +++ b/pkg/policy/common.go @@ -3,10 +3,10 @@ package policy import ( "fmt" - "github.com/golang/glog" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/labels" + "sigs.k8s.io/controller-runtime/pkg/log" ) func buildPolicyLabel(policyName string) (labels.Selector, error) { @@ -27,7 +27,7 @@ func buildPolicyLabel(policyName string) (labels.Selector, error) { func transformResource(resource unstructured.Unstructured) []byte { data, err := resource.MarshalJSON() if err != nil { - glog.Errorf("failed to marshall resource %v: %v", resource, err) + log.Log.Error(err, "failed to marshal resource") return nil } return data diff --git a/pkg/policy/common/common.go b/pkg/policy/common/common.go new file mode 100644 index 0000000000..35bc132007 --- /dev/null +++ b/pkg/policy/common/common.go @@ -0,0 +1,85 @@ +package common + +import ( + "fmt" + "regexp" + "strconv" + + "github.com/nirmata/kyverno/pkg/engine/anchor" +) + +//ValidatePattern validates the pattern +func ValidatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) { + switch typedPatternElement := patternElement.(type) { + case map[string]interface{}: + return validateMap(typedPatternElement, path, supportedAnchors) + case []interface{}: + return validateArray(typedPatternElement, path, supportedAnchors) + case string, float64, int, int64, bool, nil: + //TODO? check operator + return "", nil + default: + return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path) + } +} +func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) { + // check if anchors are defined + for key, value := range patternMap { + // if key is anchor + // check regex () -> this is anchor + // () + // single char () + re, err := regexp.Compile(`^.?\(.+\)$`) + if err != nil { + return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err) + } + + matched := re.MatchString(key) + // check the type of anchor + if matched { + // some type of anchor + // check if valid anchor + if !checkAnchors(key, supportedAnchors) { + return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key) + } + + // addition check for existence anchor + // value must be of type list + if anchor.IsExistenceAnchor(key) { + typedValue, ok := value.([]interface{}) + if !ok { + return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list") + } + // validate there is only one entry in the list + if len(typedValue) == 0 || len(typedValue) > 1 { + return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified") + } + } + } + // lets validate the values now :) + if errPath, err := ValidatePattern(value, path+"/"+key, supportedAnchors); err != nil { + return errPath, err + } + } + return "", nil +} + +func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) { + for i, patternElement := range patternArray { + currentPath := path + strconv.Itoa(i) + "/" + // lets validate the values now :) + if errPath, err := ValidatePattern(patternElement, currentPath, supportedAnchors); err != nil { + return errPath, err + } + } + return "", nil +} + +func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool { + for _, f := range supportedAnchors { + if f(key) { + return true + } + } + return false +} diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go index d303bebf52..323e96a8b3 100644 --- a/pkg/policy/controller.go +++ b/pkg/policy/controller.go @@ -1,19 +1,20 @@ package policy import ( - "fmt" "time" - "github.com/golang/glog" + informers "k8s.io/client-go/informers/core/v1" + + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" "github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme" kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "github.com/nirmata/kyverno/pkg/config" + "github.com/nirmata/kyverno/pkg/constant" client "github.com/nirmata/kyverno/pkg/dclient" "github.com/nirmata/kyverno/pkg/event" - "github.com/nirmata/kyverno/pkg/policystore" "github.com/nirmata/kyverno/pkg/policyviolation" "github.com/nirmata/kyverno/pkg/webhookconfig" v1 "k8s.io/api/core/v1" @@ -22,6 +23,7 @@ import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1" + listerv1 "k8s.io/client-go/listers/core/v1" "k8s.io/client-go/tools/cache" "k8s.io/client-go/tools/record" "k8s.io/client-go/util/workqueue" @@ -48,30 +50,47 @@ type PolicyController struct { //pvControl is used for adoptin/releasing policy violation pvControl PVControlInterface + // Policys that need to be synced queue workqueue.RateLimitingInterface + // pLister can list/get policy from the shared informer's store pLister kyvernolister.ClusterPolicyLister + // pvLister can list/get policy violation from the shared informer's store cpvLister kyvernolister.ClusterPolicyViolationLister + // nspvLister can list/get namespaced policy violation from the shared informer's store nspvLister kyvernolister.PolicyViolationLister + + // nsLister can list/get namespacecs from the shared informer's store + nsLister listerv1.NamespaceLister + // pListerSynced returns true if the Policy store has been synced at least once pListerSynced cache.InformerSynced + // pvListerSynced returns true if the Policy store has been synced at least once cpvListerSynced cache.InformerSynced + // pvListerSynced returns true if the Policy Violation store has been synced at least once nspvListerSynced cache.InformerSynced + + // nsListerSynced returns true if the namespace store has been synced at least once + nsListerSynced cache.InformerSynced + // Resource manager, manages the mapping for already processed resource rm resourceManager + // helpers to validate against current loaded configuration configHandler config.Interface - // store to hold policy meta data for faster lookup - pMetaStore policystore.UpdateInterface + // policy violation generator pvGenerator policyviolation.GeneratorInterface + // resourceWebhookWatcher queues the webhook creation request, creates the webhook resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister + + log logr.Logger } // NewPolicyController create a new PolicyController @@ -80,14 +99,15 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, pInformer kyvernoinformer.ClusterPolicyInformer, cpvInformer kyvernoinformer.ClusterPolicyViolationInformer, nspvInformer kyvernoinformer.PolicyViolationInformer, - configHandler config.Interface, - eventGen event.Interface, + configHandler config.Interface, eventGen event.Interface, pvGenerator policyviolation.GeneratorInterface, - pMetaStore policystore.UpdateInterface, - resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister) (*PolicyController, error) { + resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister, + namespaces informers.NamespaceInformer, + log logr.Logger) (*PolicyController, error) { + // Event broad caster eventBroadcaster := record.NewBroadcaster() - eventBroadcaster.StartLogging(glog.Infof) + eventBroadcaster.StartLogging(log.V(5).Info) eventInterface, err := client.GetEventsInterface() if err != nil { return nil, err @@ -101,9 +121,9 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, eventRecorder: eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: "policy_controller"}), queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "policy"), configHandler: configHandler, - pMetaStore: pMetaStore, pvGenerator: pvGenerator, resourceWebhookWatcher: resourceWebhookWatcher, + log: log, } pc.pvControl = RealPVControl{Client: kyvernoClient, Recorder: pc.eventRecorder} @@ -132,10 +152,13 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, pc.pLister = pInformer.Lister() pc.cpvLister = cpvInformer.Lister() pc.nspvLister = nspvInformer.Lister() + pc.nsLister = namespaces.Lister() pc.pListerSynced = pInformer.Informer().HasSynced pc.cpvListerSynced = cpvInformer.Informer().HasSynced pc.nspvListerSynced = nspvInformer.Informer().HasSynced + pc.nsListerSynced = namespaces.Informer().HasSynced + // resource manager // rebuild after 300 seconds/ 5 mins //TODO: pass the time in seconds instead of converting it internally @@ -144,97 +167,74 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, return &pc, nil } -func (pc *PolicyController) addPolicy(obj interface{}) { - p := obj.(*kyverno.ClusterPolicy) - // Only process policies that are enabled for "background" execution - // policy.spec.background -> "True" - // register with policy meta-store - pc.pMetaStore.Register(*p) - - // TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598 - if p.Spec.Background == nil { - // if userInfo is not defined in policy we process the policy - if err := ContainsUserInfo(*p); err != nil { - return - } - } else { - if !*p.Spec.Background { - return - } - // If userInfo is used then skip the policy - // ideally this should be handled by background flag only - if err := ContainsUserInfo(*p); err != nil { - // contains userInfo used in policy - return - } +func (pc *PolicyController) canBackgroundProcess(p *kyverno.ClusterPolicy) bool { + logger := pc.log.WithValues("policy", p.Name) + if !p.BackgroundProcessingEnabled() { + logger.V(4).Info("background processed is disabled") + return false } - glog.V(4).Infof("Adding Policy %s", p.Name) + if err := ContainsVariablesOtherThanObject(*p); err != nil { + logger.V(4).Info("policy cannot be processed in the background") + return false + } + + return true +} + +func (pc *PolicyController) addPolicy(obj interface{}) { + logger := pc.log + p := obj.(*kyverno.ClusterPolicy) + if !pc.canBackgroundProcess(p) { + return + } + + logger.V(4).Info("queuing policy for background processing", "name", p.Name) pc.enqueuePolicy(p) } func (pc *PolicyController) updatePolicy(old, cur interface{}) { + logger := pc.log oldP := old.(*kyverno.ClusterPolicy) curP := cur.(*kyverno.ClusterPolicy) - // TODO: optimize this : policy meta-store - // Update policy-> (remove,add) - err := pc.pMetaStore.UnRegister(*oldP) - if err != nil { - glog.Infof("Failed to unregister policy %s", oldP.Name) - } - pc.pMetaStore.Register(*curP) - // Only process policies that are enabled for "background" execution - // policy.spec.background -> "True" - // TODO: code might seem vague, awaiting resolution of issue https://github.com/nirmata/kyverno/issues/598 - if curP.Spec.Background == nil { - // if userInfo is not defined in policy we process the policy - if err := ContainsUserInfo(*curP); err != nil { - return - } - } else { - if !*curP.Spec.Background { - return - } - // If userInfo is used then skip the policy - // ideally this should be handled by background flag only - if err := ContainsUserInfo(*curP); err != nil { - // contains userInfo used in policy - return - } + if !pc.canBackgroundProcess(curP) { + return } - glog.V(4).Infof("Updating Policy %s", oldP.Name) + + logger.V(4).Info("updating policy", "name", oldP.Name) pc.enqueuePolicy(curP) } func (pc *PolicyController) deletePolicy(obj interface{}) { + logger := pc.log p, ok := obj.(*kyverno.ClusterPolicy) if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { - glog.Info(fmt.Errorf("Couldn't get object from tombstone %#v", obj)) + logger.Info("couldnt get object from tomstone", "obj", obj) return } + p, ok = tombstone.Obj.(*kyverno.ClusterPolicy) if !ok { - glog.Info(fmt.Errorf("Tombstone contained object that is not a Policy %#v", obj)) + logger.Info("tombstone container object that is not a policy", "obj", obj) return } } - glog.V(4).Infof("Deleting Policy %s", p.Name) - // Unregister from policy meta-store - if err := pc.pMetaStore.UnRegister(*p); err != nil { - glog.Infof("failed to unregister policy %s", p.Name) - } + + logger.V(4).Info("deleting policy", "name", p.Name) + // we process policies that are not set of background processing as we need to perform policy violation // cleanup when a policy is deleted. pc.enqueuePolicy(p) } func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) { + logger := pc.log key, err := cache.MetaNamespaceKeyFunc(policy) if err != nil { - glog.Error(err) + logger.Error(err, "failed to enqueu policy") return } pc.queue.Add(key) @@ -242,21 +242,23 @@ func (pc *PolicyController) enqueue(policy *kyverno.ClusterPolicy) { // Run begins watching and syncing. func (pc *PolicyController) Run(workers int, stopCh <-chan struct{}) { + logger := pc.log defer utilruntime.HandleCrash() defer pc.queue.ShutDown() - glog.Info("Starting policy controller") - defer glog.Info("Shutting down policy controller") + logger.Info("starting") + defer logger.Info("shutting down") - if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.cpvListerSynced, pc.nspvListerSynced) { - glog.Error("failed to sync informer cache") + if !cache.WaitForCacheSync(stopCh, pc.pListerSynced, pc.cpvListerSynced, pc.nspvListerSynced, pc.nsListerSynced) { + logger.Info("failed to sync informer cache") return } for i := 0; i < workers; i++ { - go wait.Until(pc.worker, time.Second, stopCh) + go wait.Until(pc.worker, constant.PolicyControllerResync, stopCh) } + <-stopCh } @@ -285,72 +287,78 @@ func (pc *PolicyController) processNextWorkItem() bool { } func (pc *PolicyController) handleErr(err error, key interface{}) { + logger := pc.log if err == nil { pc.queue.Forget(key) return } if pc.queue.NumRequeues(key) < maxRetries { - glog.V(2).Infof("Error syncing Policy %v: %v", key, err) + logger.Error(err, "failed to sync policy", "key", key) pc.queue.AddRateLimited(key) return } utilruntime.HandleError(err) - glog.V(2).Infof("Dropping policy %q out of the queue: %v", key, err) + logger.V(2).Info("dropping policy out of queue", "key", key) pc.queue.Forget(key) } func (pc *PolicyController) syncPolicy(key string) error { + logger := pc.log startTime := time.Now() - glog.V(4).Infof("Started syncing policy %q (%v)", key, startTime) + logger.V(4).Info("started syncing policy", "key", key, "startTime", startTime) defer func() { - glog.V(4).Infof("Finished syncing policy %q (%v)", key, time.Since(startTime)) + logger.V(4).Info("finished syncing policy", "key", key, "processingTime", time.Since(startTime)) }() + policy, err := pc.pLister.Get(key) if errors.IsNotFound(err) { - glog.V(2).Infof("Policy %v has been deleted", key) - // delete cluster policy violation - if err := pc.deleteClusterPolicyViolations(key); err != nil { - return err - } - // delete namespaced policy violation - if err := pc.deleteNamespacedPolicyViolations(key); err != nil { - return err - } + go pc.deletePolicyViolations(key) // remove webhook configurations if there are no policies if err := pc.removeResourceWebhookConfiguration(); err != nil { // do not fail, if unable to delete resource webhook config - glog.V(4).Infof("failed to remove resource webhook configuration: %v", err) - glog.Errorln(err) + logger.Error(err, "failed to remove resource webhook configurations") } + return nil } + if err != nil { return err } pc.resourceWebhookWatcher.RegisterResourceWebhook() - // process policies on existing resources - engineResponses := pc.processExistingResources(*policy) - // report errors + engineResponses := pc.processExistingResources(policy) pc.cleanupAndReport(engineResponses) return nil } +func (pc *PolicyController) deletePolicyViolations(key string) { + if err := pc.deleteClusterPolicyViolations(key); err != nil { + pc.log.Error(err, "failed to delete policy violation", "key", key) + } + + if err := pc.deleteNamespacedPolicyViolations(key); err != nil { + pc.log.Error(err, "failed to delete policy violation", "key", key) + } +} + func (pc *PolicyController) deleteClusterPolicyViolations(policy string) error { cpvList, err := pc.getClusterPolicyViolationForPolicy(policy) if err != nil { return err } + for _, cpv := range cpvList { if err := pc.pvControl.DeleteClusterPolicyViolation(cpv.Name); err != nil { - return err + pc.log.Error(err, "failed to delete policy violation", "name", cpv.Name) } } + return nil } @@ -359,11 +367,13 @@ func (pc *PolicyController) deleteNamespacedPolicyViolations(policy string) erro if err != nil { return err } + for _, nspv := range nspvList { if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil { - return err + pc.log.Error(err, "failed to delete policy violation", "name", nspv.Name) } } + return nil } diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index 97c09affac..2365ae1e8a 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -2,10 +2,13 @@ package policy import ( "reflect" + "strings" "sync" "time" - "github.com/golang/glog" + listerv1 "k8s.io/client-go/listers/core/v1" + + "github.com/go-logr/logr" "github.com/minio/minio/pkg/wildcard" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/config" @@ -18,28 +21,33 @@ import ( "k8s.io/apimachinery/pkg/labels" ) -func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolicy) []response.EngineResponse { +func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPolicy) []response.EngineResponse { + logger := pc.log.WithValues("policy", policy.Name) // Parse through all the resources // drops the cache after configured rebuild time pc.rm.Drop() var engineResponses []response.EngineResponse // get resource that are satisfy the resource description defined in the rules - resourceMap := listResources(pc.client, policy, pc.configHandler) + resourceMap := pc.listResources(policy) for _, resource := range resourceMap { // pre-processing, check if the policy and resource version has been processed before if !pc.rm.ProcessResource(policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) { - glog.V(4).Infof("policy %s with resource version %s already processed on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) + logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.ResourceVersion, "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName()) continue } // skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied - if skipPodApplication(resource) { - continue + ann := policy.GetAnnotations() + if annValue, ok := ann[engine.PodControllersAnnotation]; ok { + if annValue != "none" { + if skipPodApplication(resource, logger) { + continue + } + } } // apply the policy on each - glog.V(4).Infof("apply policy %s with resource version %s on resource %s/%s/%s with resource version %s", policy.Name, policy.ResourceVersion, resource.GetKind(), resource.GetNamespace(), resource.GetName(), resource.GetResourceVersion()) - engineResponse := applyPolicy(policy, resource) + engineResponse := applyPolicy(*policy, resource, logger) // get engine response for mutation & validation independently engineResponses = append(engineResponses, engineResponse...) // post-processing, register the resource as processed @@ -48,62 +56,149 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic return engineResponses } -func listResources(client *client.Client, policy kyverno.ClusterPolicy, configHandler config.Interface) map[string]unstructured.Unstructured { +func (pc *PolicyController) listResources(policy *kyverno.ClusterPolicy) map[string]unstructured.Unstructured { + pc.log.V(4).Info("list resources to be processed") + // key uid resourceMap := map[string]unstructured.Unstructured{} for _, rule := range policy.Spec.Rules { - // resources that match for _, k := range rule.MatchResources.Kinds { - // if kindIsExcluded(k, rule.ExcludeResources.Kinds) { - // glog.V(4).Infof("processing policy %s rule %s: kind %s is exluded", policy.Name, rule.Name, k) - // continue - // } - var namespaces []string - if k == "Namespace" { - // TODO - // this is handled by generator controller - glog.V(4).Infof("skipping processing policy %s rule %s for kind Namespace", policy.Name, rule.Name) + + resourceSchema, _, err := pc.client.DiscoveryClient.FindResource(k) + if err != nil { + pc.log.Error(err, "failed to find resource", "kind", k) continue } - if len(rule.MatchResources.Namespaces) > 0 { - namespaces = append(namespaces, rule.MatchResources.Namespaces...) - glog.V(4).Infof("namespaces specified for inclusion: %v", rule.MatchResources.Namespaces) + + if !resourceSchema.Namespaced { + rMap := getResourcesPerNamespace(k, pc.client, "", rule, pc.configHandler, pc.log) + mergeResources(resourceMap, rMap) } else { - glog.V(4).Infof("processing policy %s rule %s, namespace not defined, getting all namespaces ", policy.Name, rule.Name) - // get all namespaces - namespaces = getAllNamespaces(client) + namespaces := getNamespacesForRule(&rule, pc.nsLister, pc.log) + for _, ns := range namespaces { + rMap := getResourcesPerNamespace(k, pc.client, ns, rule, pc.configHandler, pc.log) + mergeResources(resourceMap, rMap) + } } - - // get resources in the namespaces - for _, ns := range namespaces { - rMap := getResourcesPerNamespace(k, client, ns, rule, configHandler) - mergeresources(resourceMap, rMap) - } - } } + + if policy.HasAutoGenAnnotation() { + return excludePod(resourceMap, pc.log) + } + return resourceMap } -func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface) map[string]unstructured.Unstructured { +// excludePod filter out the pods with ownerReference +func excludePod(resourceMap map[string]unstructured.Unstructured, log logr.Logger) map[string]unstructured.Unstructured { + for uid, r := range resourceMap { + if r.GetKind() != "Pod" { + continue + } + + if len(r.GetOwnerReferences()) > 0 { + log.V(4).Info("exclude Pod", "namespace", r.GetNamespace(), "name", r.GetName()) + delete(resourceMap, uid) + } + } + + return resourceMap +} + +func getNamespacesForRule(rule *kyverno.Rule, nslister listerv1.NamespaceLister, log logr.Logger) []string { + if len(rule.MatchResources.Namespaces) == 0 { + return getAllNamespaces(nslister, log) + } + + var wildcards []string + var results []string + for _, nsName := range rule.MatchResources.Namespaces { + if hasWildcard(nsName) { + wildcards = append(wildcards, nsName) + } + + results = append(results, nsName) + } + + if len(wildcards) > 0 { + wildcardMatches := getMatchingNamespaces(wildcards, nslister, log) + results = append(results, wildcardMatches...) + } + + return results +} + +func hasWildcard(s string) bool { + if s == "" { + return false + } + + return strings.Contains(s, "*") || strings.Contains(s, "?") +} + +func getMatchingNamespaces(wildcards []string, nslister listerv1.NamespaceLister, log logr.Logger) []string { + all := getAllNamespaces(nslister, log) + if len(all) == 0 { + return all + } + + var results []string + for _, wc := range wildcards { + for _, ns := range all { + if wildcard.Match(wc, ns) { + results = append(results, ns) + } + } + } + + return results +} + +func getAllNamespaces(nslister listerv1.NamespaceLister, log logr.Logger) []string { + var results []string + namespaces, err := nslister.List(labels.NewSelector()) + if err != nil { + log.Error(err, "Failed to list namespaces") + } + + for _, n := range namespaces { + name := n.GetName() + results = append(results, name) + } + + return results +} + +func getResourcesPerNamespace(kind string, client *client.Client, namespace string, rule kyverno.Rule, configHandler config.Interface, log logr.Logger) map[string]unstructured.Unstructured { resourceMap := map[string]unstructured.Unstructured{} - // merge include and exclude label selector values ls := rule.MatchResources.Selector - // ls := mergeLabelSectors(rule.MatchResources.Selector, rule.ExcludeResources.Selector) - // list resources - glog.V(4).Infof("get resources for kind %s, namespace %s, selector %v", kind, namespace, rule.MatchResources.Selector) + + if kind == "Namespace" { + namespace = "" + } + list, err := client.ListResource(kind, namespace, ls) if err != nil { - glog.Infof("unable to get resources: err %v", err) + log.Error(err, "failed to list resources", "kind", kind, "namespace", namespace) return nil } // filter based on name for _, r := range list.Items { + if r.GetDeletionTimestamp() != nil { + continue + } + + if r.GetKind() == "Pod" { + if !isRunningPod(r) { + continue + } + } + // match name if rule.MatchResources.Name != "" { if !wildcard.Match(rule.MatchResources.Name, r.GetName()) { - glog.V(4).Infof("skipping resource %s/%s due to include condition name=%s mistatch", r.GetNamespace(), r.GetName(), rule.MatchResources.Name) continue } } @@ -118,12 +213,11 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri // exclude the resources // skip resources to be filtered - excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler) - // glog.V(4).Infof("resource map: %v", resourceMap) + excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, configHandler, log) return resourceMap } -func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface) { +func excludeResources(included map[string]unstructured.Unstructured, exclude kyverno.ResourceDescription, configHandler config.Interface, log logr.Logger) { if reflect.DeepEqual(exclude, (kyverno.ResourceDescription{})) { return } @@ -154,7 +248,7 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv selector, err := metav1.LabelSelectorAsSelector(exclude.Selector) // if the label selector is incorrect, should be fail or if err != nil { - glog.Error(err) + log.Error(err, "failed to build label selector") return Skip } if selector.Matches(labels.Set(labelsMap)) { @@ -205,8 +299,6 @@ func excludeResources(included map[string]unstructured.Unstructured, exclude kyv } // exclude the filtered resources if configHandler.ToFilter(resource.GetKind(), resource.GetNamespace(), resource.GetName()) { - //TODO: improve the text - glog.V(4).Infof("excluding resource %s/%s/%s as its satisfies the filtered resources", resource.GetKind(), resource.GetNamespace(), resource.GetName()) delete(included, uid) continue } @@ -238,26 +330,12 @@ const ( ) // merge b into a map -func mergeresources(a, b map[string]unstructured.Unstructured) { +func mergeResources(a, b map[string]unstructured.Unstructured) { for k, v := range b { a[k] = v } } -func getAllNamespaces(client *client.Client) []string { - var namespaces []string - // get all namespaces - nsList, err := client.ListResource("Namespace", "", nil) - if err != nil { - glog.Error(err) - return namespaces - } - for _, ns := range nsList.Items { - namespaces = append(namespaces, ns.GetName()) - } - return namespaces -} - //NewResourceManager returns a new ResourceManager func NewResourceManager(rebuildTime int64) *ResourceManager { rm := ResourceManager{ @@ -291,14 +369,11 @@ type resourceManager interface { //TODO: or drop based on the size func (rm *ResourceManager) Drop() { timeSince := time.Since(rm.time) - glog.V(4).Infof("time since last cache reset time %v is %v", rm.time, timeSince) - glog.V(4).Infof("cache rebuild time %v", time.Duration(rm.rebuildTime)*time.Second) if timeSince > time.Duration(rm.rebuildTime)*time.Second { rm.mux.Lock() defer rm.mux.Unlock() rm.data = map[string]interface{}{} rm.time = time.Now() - glog.V(4).Infof("dropping cache at time %v", rm.time) } } @@ -327,14 +402,14 @@ func buildKey(policy, pv, kind, ns, name, rv string) string { return policy + "/" + pv + "/" + kind + "/" + ns + "/" + name + "/" + rv } -func skipPodApplication(resource unstructured.Unstructured) bool { +func skipPodApplication(resource unstructured.Unstructured, log logr.Logger) bool { if resource.GetKind() != "Pod" { return false } annotation := resource.GetAnnotations() if _, ok := annotation[engine.PodTemplateAnnotation]; ok { - glog.V(4).Infof("Policies already processed on pod controllers, skip processing policy on Pod/%s/%s", resource.GetNamespace(), resource.GetName()) + log.V(4).Info("Policies already processed on pod controllers, skip processing policy on Pod", "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName()) return true } diff --git a/pkg/policy/generate/auth.go b/pkg/policy/generate/auth.go new file mode 100644 index 0000000000..3da64a4289 --- /dev/null +++ b/pkg/policy/generate/auth.go @@ -0,0 +1,74 @@ +package generate + +import ( + "github.com/go-logr/logr" + "github.com/nirmata/kyverno/pkg/auth" + dclient "github.com/nirmata/kyverno/pkg/dclient" +) + +//Operations provides methods to performing operations on resource +type Operations interface { + // CanICreate returns 'true' if self can 'create' resource + CanICreate(kind, namespace string) (bool, error) + // CanIUpdate returns 'true' if self can 'update' resource + CanIUpdate(kind, namespace string) (bool, error) + // CanIDelete returns 'true' if self can 'delete' resource + CanIDelete(kind, namespace string) (bool, error) + // CanIGet returns 'true' if self can 'get' resource + CanIGet(kind, namespace string) (bool, error) +} + +//Auth provides implementation to check if caller/self/kyverno has access to perofrm operations +type Auth struct { + client *dclient.Client + log logr.Logger +} + +//NewAuth returns a new instance of Auth for operations +func NewAuth(client *dclient.Client, log logr.Logger) *Auth { + a := Auth{ + client: client, + log: log, + } + return &a +} + +// CanICreate returns 'true' if self can 'create' resource +func (a *Auth) CanICreate(kind, namespace string) (bool, error) { + canI := auth.NewCanI(a.client, kind, namespace, "create", a.log) + ok, err := canI.RunAccessCheck() + if err != nil { + return false, err + } + return ok, nil +} + +// CanIUpdate returns 'true' if self can 'update' resource +func (a *Auth) CanIUpdate(kind, namespace string) (bool, error) { + canI := auth.NewCanI(a.client, kind, namespace, "update", a.log) + ok, err := canI.RunAccessCheck() + if err != nil { + return false, err + } + return ok, nil +} + +// CanIDelete returns 'true' if self can 'delete' resource +func (a *Auth) CanIDelete(kind, namespace string) (bool, error) { + canI := auth.NewCanI(a.client, kind, namespace, "delete", a.log) + ok, err := canI.RunAccessCheck() + if err != nil { + return false, err + } + return ok, nil +} + +// CanIGet returns 'true' if self can 'get' resource +func (a *Auth) CanIGet(kind, namespace string) (bool, error) { + canI := auth.NewCanI(a.client, kind, namespace, "get", a.log) + ok, err := canI.RunAccessCheck() + if err != nil { + return false, err + } + return ok, nil +} diff --git a/pkg/policy/generate/fake.go b/pkg/policy/generate/fake.go new file mode 100644 index 0000000000..22fcd408e9 --- /dev/null +++ b/pkg/policy/generate/fake.go @@ -0,0 +1,23 @@ +package generate + +import ( + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/policy/generate/fake" + "sigs.k8s.io/controller-runtime/pkg/log" +) + +//FakeGenerate provides implementation for generate rule processing +// with mocks/fakes for cluster interactions +type FakeGenerate struct { + Generate +} + +//NewFakeGenerate returns a new instance of generatecheck that uses +// fake/mock implementation for operation access(always returns true) +func NewFakeGenerate(rule kyverno.Generation) *FakeGenerate { + g := FakeGenerate{} + g.rule = rule + g.authCheck = fake.NewFakeAuth() + g.log = log.Log + return &g +} diff --git a/pkg/policy/generate/fake/auth.go b/pkg/policy/generate/fake/auth.go new file mode 100644 index 0000000000..3e7467bf06 --- /dev/null +++ b/pkg/policy/generate/fake/auth.go @@ -0,0 +1,31 @@ +package fake + +//FakeAuth providers implementation for testing, retuning true for all operations +type FakeAuth struct { +} + +//NewFakeAuth returns a new instance of Fake Auth that returns true for each operation +func NewFakeAuth() *FakeAuth { + a := FakeAuth{} + return &a +} + +// CanICreate returns 'true' +func (a *FakeAuth) CanICreate(kind, namespace string) (bool, error) { + return true, nil +} + +// CanIUpdate returns 'true' +func (a *FakeAuth) CanIUpdate(kind, namespace string) (bool, error) { + return true, nil +} + +// CanIDelete returns 'true' +func (a *FakeAuth) CanIDelete(kind, namespace string) (bool, error) { + return true, nil +} + +// CanIGet returns 'true' +func (a *FakeAuth) CanIGet(kind, namespace string) (bool, error) { + return true, nil +} diff --git a/pkg/policy/generate/validate.go b/pkg/policy/generate/validate.go new file mode 100644 index 0000000000..460842ea98 --- /dev/null +++ b/pkg/policy/generate/validate.go @@ -0,0 +1,151 @@ +package generate + +import ( + "fmt" + "reflect" + + "github.com/go-logr/logr" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + dclient "github.com/nirmata/kyverno/pkg/dclient" + "github.com/nirmata/kyverno/pkg/engine/anchor" + "github.com/nirmata/kyverno/pkg/engine/variables" + "github.com/nirmata/kyverno/pkg/policy/common" +) + +// Generate provides implementation to validate 'generate' rule +type Generate struct { + // rule to hold 'generate' rule specifications + rule kyverno.Generation + // authCheck to check access for operations + authCheck Operations + //logger + log logr.Logger +} + +//NewGenerateFactory returns a new instance of Generate validation checker +func NewGenerateFactory(client *dclient.Client, rule kyverno.Generation, log logr.Logger) *Generate { + g := Generate{ + rule: rule, + authCheck: NewAuth(client, log), + log: log, + } + + return &g +} + +//Validate validates the 'generate' rule +func (g *Generate) Validate() (string, error) { + rule := g.rule + if rule.Data == nil && rule.Clone == (kyverno.CloneFrom{}) { + return "", fmt.Errorf("clone or data are required") + } + if rule.Data != nil && rule.Clone != (kyverno.CloneFrom{}) { + return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)") + } + kind, name, namespace := rule.Kind, rule.Name, rule.Namespace + + if name == "" { + return "name", fmt.Errorf("name cannot be empty") + } + if kind == "" { + return "kind", fmt.Errorf("kind cannot be empty") + } + // Can I generate resource + + if !reflect.DeepEqual(rule.Clone, kyverno.CloneFrom{}) { + if path, err := g.validateClone(rule.Clone, kind); err != nil { + return fmt.Sprintf("clone.%s", path), err + } + } + if rule.Data != nil { + //TODO: is this required ?? as anchors can only be on pattern and not resource + // we can add this check by not sure if its needed here + if path, err := common.ValidatePattern(rule.Data, "/", []anchor.IsAnchor{}); err != nil { + return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err) + } + } + + // Kyverno generate-controller create/update/deletes the resources specified in generate rule of policy + // kyverno uses SA 'kyverno-service-account' and has default ClusterRoles and ClusterRoleBindings + // instuctions to modify the RBAC for kyverno are mentioned at https://github.com/nirmata/kyverno/blob/master/documentation/installation.md + // - operations required: create/update/delete/get + // If kind and namespace contain variables, then we cannot resolve then so we skip the processing + if err := g.canIGenerate(kind, namespace); err != nil { + return "", err + } + return "", nil +} + +func (g *Generate) validateClone(c kyverno.CloneFrom, kind string) (string, error) { + if c.Name == "" { + return "name", fmt.Errorf("name cannot be empty") + } + if c.Namespace == "" { + return "namespace", fmt.Errorf("namespace cannot be empty") + } + namespace := c.Namespace + // Skip if there is variable defined + if !variables.IsVariable(kind) && !variables.IsVariable(namespace) { + // GET + ok, err := g.authCheck.CanIGet(kind, namespace) + if err != nil { + return "", err + } + if !ok { + return "", fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + } + } else { + g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.") + } + return "", nil +} + +//canIGenerate returns a error if kyverno cannot perform oprations +func (g *Generate) canIGenerate(kind, namespace string) error { + // Skip if there is variable defined + authCheck := g.authCheck + if !variables.IsVariable(kind) && !variables.IsVariable(namespace) { + // CREATE + ok, err := authCheck.CanICreate(kind, namespace) + if err != nil { + // machinery error + return err + } + if !ok { + return fmt.Errorf("kyverno does not have permissions to 'create' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + } + // UPDATE + ok, err = authCheck.CanIUpdate(kind, namespace) + if err != nil { + // machinery error + return err + } + if !ok { + return fmt.Errorf("kyverno does not have permissions to 'update' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + } + // GET + ok, err = authCheck.CanIGet(kind, namespace) + if err != nil { + // machinery error + return err + } + if !ok { + return fmt.Errorf("kyverno does not have permissions to 'get' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + } + + // DELETE + ok, err = authCheck.CanIDelete(kind, namespace) + if err != nil { + // machinery error + return err + } + if !ok { + return fmt.Errorf("kyverno does not have permissions to 'delete' resource %s/%s. Update permissions in ClusterRole 'kyverno:generatecontroller'", kind, namespace) + } + + } else { + g.log.V(4).Info("name & namespace uses variables, so cannot be resolved. Skipping Auth Checks.") + } + + return nil +} diff --git a/pkg/policy/generate/validate_test.go b/pkg/policy/generate/validate_test.go new file mode 100644 index 0000000000..631aac6ed3 --- /dev/null +++ b/pkg/policy/generate/validate_test.go @@ -0,0 +1,89 @@ +package generate + +import ( + "encoding/json" + "testing" + + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "gotest.tools/assert" +) + +func Test_Validate_Generate(t *testing.T) { + rawGenerate := []byte(` + { + "kind": "NetworkPolicy", + "name": "defaultnetworkpolicy", + "data": { + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ], + "ingress": [ + {} + ], + "egress": [ + {} + ] + } + } + }`) + + var genRule kyverno.Generation + err := json.Unmarshal(rawGenerate, &genRule) + assert.NilError(t, err) + checker := NewFakeGenerate(genRule) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} + +func Test_Validate_Generate_HasAnchors(t *testing.T) { + var err error + rawGenerate := []byte(` + { + "kind": "NetworkPolicy", + "name": "defaultnetworkpolicy", + "data": { + "spec": { + "(podSelector)": {}, + "policyTypes": [ + "Ingress", + "Egress" + ], + "ingress": [ + {} + ], + "egress": [ + {} + ] + } + } + }`) + + var genRule kyverno.Generation + err = json.Unmarshal(rawGenerate, &genRule) + assert.NilError(t, err) + checker := NewFakeGenerate(genRule) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + + rawGenerate = []byte(` + { + "kind": "ConfigMap", + "name": "copied-cm", + "clone": { + "^(namespace)": "default", + "name": "game" + } + }`) + + err = json.Unmarshal(rawGenerate, &genRule) + assert.NilError(t, err) + checker = NewFakeGenerate(genRule) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} diff --git a/pkg/policy/mutate/validate.go b/pkg/policy/mutate/validate.go new file mode 100644 index 0000000000..6a24c3d388 --- /dev/null +++ b/pkg/policy/mutate/validate.go @@ -0,0 +1,63 @@ +package mutate + +import ( + "errors" + "fmt" + + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/engine/anchor" + "github.com/nirmata/kyverno/pkg/policy/common" +) + +// Mutate provides implementation to validate 'mutate' rule +type Mutate struct { + // rule to hold 'mutate' rule specifications + rule kyverno.Mutation +} + +//NewMutateFactory returns a new instance of Mutate validation checker +func NewMutateFactory(rule kyverno.Mutation) *Mutate { + m := Mutate{ + rule: rule, + } + return &m +} + +//Validate validates the 'mutate' rule +func (m *Mutate) Validate() (string, error) { + rule := m.rule + // JSON Patches + if len(rule.Patches) != 0 { + for i, patch := range rule.Patches { + if err := validatePatch(patch); err != nil { + return fmt.Sprintf("patch[%d]", i), err + } + } + } + // Overlay + if rule.Overlay != nil { + path, err := common.ValidatePattern(rule.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor}) + if err != nil { + return path, err + } + } + return "", nil +} + +// Validate if all mandatory PolicyPatch fields are set +func validatePatch(pp kyverno.Patch) error { + if pp.Path == "" { + return errors.New("JSONPatch field 'path' is mandatory") + } + if pp.Operation == "add" || pp.Operation == "replace" { + if pp.Value == nil { + return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation) + } + + return nil + } else if pp.Operation == "remove" { + return nil + } + + return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation) +} diff --git a/pkg/policy/mutate/validate_test.go b/pkg/policy/mutate/validate_test.go new file mode 100644 index 0000000000..84ff0e59b7 --- /dev/null +++ b/pkg/policy/mutate/validate_test.go @@ -0,0 +1,151 @@ +package mutate + +import ( + "encoding/json" + "testing" + + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "gotest.tools/assert" +) + +func Test_Validate_Mutate_ConditionAnchor(t *testing.T) { + rawMutate := []byte(` + { + "overlay": { + "spec": { + "(serviceAccountName)": "*", + "automountServiceAccountToken": false + } + } + }`) + + var mutate kyverno.Mutation + err := json.Unmarshal(rawMutate, &mutate) + assert.NilError(t, err) + checker := NewMutateFactory(mutate) + if _, err := checker.Validate(); err != nil { + assert.NilError(t, err) + } +} + +func Test_Validate_Mutate_PlusAnchor(t *testing.T) { + rawMutate := []byte(` + { + "overlay": { + "spec": { + "+(serviceAccountName)": "*", + "automountServiceAccountToken": false + } + } + }`) + + var mutate kyverno.Mutation + err := json.Unmarshal(rawMutate, &mutate) + assert.NilError(t, err) + + checker := NewMutateFactory(mutate) + if _, err := checker.Validate(); err != nil { + assert.NilError(t, err) + } +} + +func Test_Validate_Mutate_Mismatched(t *testing.T) { + rawMutate := []byte(` + { + "overlay": { + "spec": { + "^(serviceAccountName)": "*", + "automountServiceAccountToken": false + } + } + }`) + + var mutateExistence kyverno.Mutation + err := json.Unmarshal(rawMutate, &mutateExistence) + assert.NilError(t, err) + + checker := NewMutateFactory(mutateExistence) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + + var mutateEqual kyverno.Mutation + rawMutate = []byte(` + { + "overlay": { + "spec": { + "=(serviceAccountName)": "*", + "automountServiceAccountToken": false + } + } + }`) + + err = json.Unmarshal(rawMutate, &mutateEqual) + assert.NilError(t, err) + + checker = NewMutateFactory(mutateEqual) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + + var mutateNegation kyverno.Mutation + rawMutate = []byte(` + { + "overlay": { + "spec": { + "X(serviceAccountName)": "*", + "automountServiceAccountToken": false + } + } + }`) + + err = json.Unmarshal(rawMutate, &mutateNegation) + assert.NilError(t, err) + + checker = NewMutateFactory(mutateEqual) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} + +func Test_Validate_Mutate_Unsupported(t *testing.T) { + var err error + var mutate kyverno.Mutation + // case 1 + rawMutate := []byte(` + { + "overlay": { + "spec": { + "!(serviceAccountName)": "*", + "automountServiceAccountToken": false + } + } + }`) + + err = json.Unmarshal(rawMutate, &mutate) + assert.NilError(t, err) + + checker := NewMutateFactory(mutate) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + + // case 2 + rawMutate = []byte(` + { + "overlay": { + "spec": { + "~(serviceAccountName)": "*", + "automountServiceAccountToken": false + } + } + }`) + + err = json.Unmarshal(rawMutate, &mutate) + assert.NilError(t, err) + + checker = NewMutateFactory(mutate) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} diff --git a/pkg/policy/namespacedpv.go b/pkg/policy/namespacedpv.go index 654343d7df..8dd83d1f12 100644 --- a/pkg/policy/namespacedpv.go +++ b/pkg/policy/namespacedpv.go @@ -1,13 +1,13 @@ package policy import ( - "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" cache "k8s.io/client-go/tools/cache" ) func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) { pv := obj.(*kyverno.PolicyViolation) + logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name) if pv.DeletionTimestamp != nil { // On a restart of the controller manager, it's possible for an object to @@ -20,15 +20,16 @@ func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) { ps := pc.getPolicyForNamespacedPolicyViolation(pv) if len(ps) == 0 { // there is no cluster policy for this violation, so we can delete this cluster policy violation - glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", pv.Name) + logger.V(4).Info("namepaced policy violation does not belong to an active policy, will be cleanedup") if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil { - glog.Errorf("Failed to deleted policy violation %s: %v", pv.Name, err) + logger.Error(err, "failed to delete resource") return } - glog.V(4).Infof("PolicyViolation %s deleted", pv.Name) + logger.V(4).Info("resource deleted") return } - glog.V(4).Infof("Orphan Policy Violation %s added.", pv.Name) + + logger.V(4).Info("resource added") for _, p := range ps { pc.enqueuePolicy(p) } @@ -42,19 +43,20 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{} // Two different versions of the same replica set will always have different RVs. return } + logger := pc.log.WithValues("kind", curPV.Kind, "namespace", curPV.Namespace, "name", curPV.Name) ps := pc.getPolicyForNamespacedPolicyViolation(curPV) if len(ps) == 0 { // there is no namespaced policy for this violation, so we can delete this cluster policy violation - glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", curPV.Name) + logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup") if err := pc.pvControl.DeleteNamespacedPolicyViolation(curPV.Namespace, curPV.Name); err != nil { - glog.Errorf("Failed to deleted namespaced policy violation %s: %v", curPV.Name, err) + logger.Error(err, "failed to delete resource") return } - glog.V(4).Infof("Namespaced Policy Violation %s deleted", curPV.Name) + logger.V(4).Info("resource deleted") return } - glog.V(4).Infof("Namespaced Policy sViolation %s updated", curPV.Name) + logger.V(4).Info("resource updated") for _, p := range ps { pc.enqueuePolicy(p) } @@ -62,6 +64,7 @@ func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{} } func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) { + logger := pc.log pv, ok := obj.(*kyverno.PolicyViolation) // When a delete is dropped, the relist will notice a PolicyViolation in the store not // in the list, leading to the insertion of a tombstone object which contains @@ -70,34 +73,36 @@ func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) { if !ok { tombstone, ok := obj.(cache.DeletedFinalStateUnknown) if !ok { - glog.Infof("Couldn't get object from tombstone %#v", obj) + logger.Info("Couldn't get object from tombstone", "obj", obj) return } pv, ok = tombstone.Obj.(*kyverno.PolicyViolation) if !ok { - glog.Infof("Couldn't get object from tombstone %#v", obj) + logger.Info("Couldn't get object from tombstone", "obj", obj) return } } + logger = logger.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name) ps := pc.getPolicyForNamespacedPolicyViolation(pv) if len(ps) == 0 { // there is no cluster policy for this violation, so we can delete this cluster policy violation - glog.V(4).Infof("Namespaced Policy Violation %s does not belong to an active policy, will be cleanedup", pv.Name) + logger.V(4).Info("nameapced policy violation does not belong to an active policy, will be cleanedup") if err := pc.pvControl.DeleteNamespacedPolicyViolation(pv.Namespace, pv.Name); err != nil { - glog.Errorf("Failed to deleted namespaced policy violation %s: %v", pv.Name, err) + logger.Error(err, "failed to delete resource") return } - glog.V(4).Infof("Namespaced Policy Violation %s deleted", pv.Name) + logger.V(4).Info("resource deleted") return } - glog.V(4).Infof("Namespaced PolicyViolation %s updated", pv.Name) + logger.V(4).Info("resource updated") for _, p := range ps { pc.enqueuePolicy(p) } } func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.PolicyViolation) []*kyverno.ClusterPolicy { + logger := pc.log.WithValues("kind", pv.Kind, "namespace", pv.Namespace, "name", pv.Name) policies, err := pc.pLister.GetPolicyForNamespacedPolicyViolation(pv) if err != nil || len(policies) == 0 { return nil @@ -109,8 +114,7 @@ func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.Po if len(policies) > 1 { // ControllerRef will ensure we don't do anything crazy, but more than one // item in this list nevertheless constitutes user error. - glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s", - pv.Name, pv.Labels, policies[0].Name) + logger.V(4).Info("user error! more than one policy is selecting policy violation", "labels", pv.Labels, "policy", policies[0].Name) } return policies } diff --git a/pkg/policy/report.go b/pkg/policy/report.go index 3614da9b32..476e07abb9 100644 --- a/pkg/policy/report.go +++ b/pkg/policy/report.go @@ -3,7 +3,7 @@ package policy import ( "fmt" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/event" "github.com/nirmata/kyverno/pkg/policyviolation" @@ -13,11 +13,12 @@ import ( // - has violation -> report // - no violation -> cleanup policy violations func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineResponse) { + logger := pc.log // generate Events - eventInfos := generateEvents(engineResponses) + eventInfos := generateEvents(pc.log, engineResponses) pc.eventGen.Add(eventInfos...) // create policy violation - pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses) + pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger) for i := range pvInfos { pvInfos[i].FromSync = true } @@ -29,39 +30,27 @@ func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineRe pc.cleanUp(engineResponses) } -func (pc *PolicyController) cleanUp(ers []response.EngineResponse) { - for _, er := range ers { - if !er.IsSuccesful() { - continue - } - if len(er.PolicyResponse.Rules) == 0 { - continue - } - // clean up after the policy has been corrected - pc.cleanUpPolicyViolation(er.PolicyResponse) - } -} - -func generateEvents(ers []response.EngineResponse) []event.Info { +func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info { var eventInfos []event.Info for _, er := range ers { if er.IsSuccesful() { continue } - eventInfos = append(eventInfos, generateEventsPerEr(er)...) + eventInfos = append(eventInfos, generateEventsPerEr(log, er)...) } return eventInfos } -func generateEventsPerEr(er response.EngineResponse) []event.Info { +func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info { + logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name) var eventInfos []event.Info - glog.V(4).Infof("reporting results for policy '%s' application on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) + logger.V(4).Info("reporting results for policy") for _, rule := range er.PolicyResponse.Rules { if rule.Success { continue } // generate event on resource for each failed rule - glog.V(4).Infof("generation event on resource '%s/%s/%s' for policy '%s'", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy) + logger.V(4).Info("generating event on resource") e := event.Info{} e.Kind = er.PolicyResponse.Resource.Kind e.Namespace = er.PolicyResponse.Resource.Namespace @@ -76,7 +65,7 @@ func generateEventsPerEr(er response.EngineResponse) []event.Info { } // generate a event on policy for all failed rules - glog.V(4).Infof("generation event on policy '%s'", er.PolicyResponse.Policy) + logger.V(4).Info("generating event on policy") e := event.Info{} e.Kind = "ClusterPolicy" e.Namespace = "" diff --git a/pkg/policy/utils.go b/pkg/policy/utils.go index 52d83d0df4..b99c343848 100644 --- a/pkg/policy/utils.go +++ b/pkg/policy/utils.go @@ -1,5 +1,7 @@ package policy +import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + //Contains Check if strint is contained in a list of string func containString(list []string, element string) bool { for _, e := range list { @@ -9,3 +11,13 @@ func containString(list []string, element string) bool { } return false } + +func isRunningPod(obj unstructured.Unstructured) bool { + objMap := obj.UnstructuredContent() + phase, ok, err := unstructured.NestedString(objMap, "status", "phase") + if !ok || err != nil { + return false + } + + return phase == "Running" +} diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index 4789687afa..de7b791f04 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -1,17 +1,18 @@ package policy import ( + "encoding/json" "errors" "fmt" "reflect" - "regexp" - "strconv" "strings" + "github.com/minio/minio/pkg/wildcard" + "github.com/nirmata/kyverno/pkg/openapi" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - "github.com/nirmata/kyverno/pkg/engine/anchor" + dclient "github.com/nirmata/kyverno/pkg/dclient" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -19,29 +20,23 @@ import ( // Validate does some initial check to verify some conditions // - One operation per rule // - ResourceDescription mandatory checks -func Validate(p kyverno.ClusterPolicy) error { +func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIController *openapi.Controller) error { + var p kyverno.ClusterPolicy + err := json.Unmarshal(policyRaw, &p) + if err != nil { + return fmt.Errorf("failed to unmarshal policy admission request err %v", err) + } + if path, err := validateUniqueRuleName(p); err != nil { return fmt.Errorf("path: spec.%s: %v", path, err) } - if p.Spec.Background == nil { - //skipped policy mutation default -> skip validation -> will not be processed for background processing - return nil - } - if *p.Spec.Background { - if err := ContainsUserInfo(p); err != nil { - // policy.spec.background -> "true" - // - cannot use variables with request.userInfo - // - cannot define userInfo(roles, cluserRoles, subjects) for filtering (match & exclude) - return fmt.Errorf("userInfo is not allowed in match or exclude when backgroud policy mode is true. Set spec.background=false to disable background mode for this policy rule. %s ", err) + if p.Spec.Background == nil || (p.Spec.Background != nil && *p.Spec.Background) { + if err := ContainsVariablesOtherThanObject(p); err != nil { + return fmt.Errorf("only variables referring request.object are allowed in background mode. Set spec.background=false to disable background mode for this policy rule. %s ", err) } } for i, rule := range p.Spec.Rules { - // only one type of rule is allowed per rule - if err := validateRuleType(rule); err != nil { - return fmt.Errorf("path: spec.rules[%d]: %v", i, err) - } - // validate resource description if path, err := validateResources(rule); err != nil { return fmt.Errorf("path: spec.rules[%d].%s: %v", i, path, err) @@ -52,24 +47,17 @@ func Validate(p kyverno.ClusterPolicy) error { // as there are more than 1 operation in rule, not need to evaluate it further return fmt.Errorf("path: spec.rules[%d]: %v", i, err) } - // Operation Validation - // Mutation - if rule.HasMutate() { - if path, err := validateMutation(rule.Mutation); err != nil { - return fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", i, path, err) - } + + if doesMatchAndExcludeConflict(rule) { + return fmt.Errorf("path: spec.rules[%v]: rule is matching an empty set", rule.Name) } - // Validation - if rule.HasValidate() { - if path, err := validateValidation(rule.Validation); err != nil { - return fmt.Errorf("path: spec.rules[%d].validate.%s.: %v", i, path, err) - } - } - // Generation - if rule.HasGenerate() { - if path, err := validateGeneration(rule.Generation); err != nil { - return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", i, path, err) - } + + // validate rule actions + // - Mutate + // - Validate + // - Generate + if err := validateActions(i, rule, client, mock); err != nil { + return err } // If a rules match block does not match any kind, @@ -82,13 +70,158 @@ func Validate(p kyverno.ClusterPolicy) error { } } - if err := openapi.ValidatePolicyMutation(p); err != nil { - return err + if !mock { + if err := openAPIController.ValidatePolicyFields(policyRaw); err != nil { + return err + } + } else { + if err := openAPIController.ValidatePolicyMutation(p); err != nil { + return err + } } return nil } +// doesMatchAndExcludeConflict checks if the resultant +// of match and exclude block is not an empty set +func doesMatchAndExcludeConflict(rule kyverno.Rule) bool { + + if reflect.DeepEqual(rule.ExcludeResources, kyverno.ExcludeResources{}) { + return false + } + + excludeRoles := make(map[string]bool) + for _, role := range rule.ExcludeResources.UserInfo.Roles { + excludeRoles[role] = true + } + + excludeClusterRoles := make(map[string]bool) + for _, clusterRoles := range rule.ExcludeResources.UserInfo.ClusterRoles { + excludeClusterRoles[clusterRoles] = true + } + + excludeSubjects := make(map[string]bool) + for _, subject := range rule.ExcludeResources.UserInfo.Subjects { + subjectRaw, _ := json.Marshal(subject) + excludeSubjects[string(subjectRaw)] = true + } + + excludeKinds := make(map[string]bool) + for _, kind := range rule.ExcludeResources.ResourceDescription.Kinds { + excludeKinds[kind] = true + } + + excludeNamespaces := make(map[string]bool) + for _, namespace := range rule.ExcludeResources.ResourceDescription.Namespaces { + excludeNamespaces[namespace] = true + } + + excludeMatchExpressions := make(map[string]bool) + if rule.ExcludeResources.ResourceDescription.Selector != nil { + for _, matchExpression := range rule.ExcludeResources.ResourceDescription.Selector.MatchExpressions { + matchExpressionRaw, _ := json.Marshal(matchExpression) + excludeMatchExpressions[string(matchExpressionRaw)] = true + } + } + + if len(excludeRoles) > 0 { + if len(rule.MatchResources.UserInfo.Roles) == 0 { + return false + } + + for _, role := range rule.MatchResources.UserInfo.Roles { + if !excludeRoles[role] { + return false + } + } + } + + if len(excludeClusterRoles) > 0 { + if len(rule.MatchResources.UserInfo.ClusterRoles) == 0 { + return false + } + + for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles { + if !excludeClusterRoles[clusterRole] { + return false + } + } + } + + if len(excludeSubjects) > 0 { + if len(rule.MatchResources.UserInfo.Subjects) == 0 { + return false + } + + for _, subject := range rule.MatchResources.UserInfo.Subjects { + subjectRaw, _ := json.Marshal(subject) + if !excludeSubjects[string(subjectRaw)] { + return false + } + } + } + + if rule.ExcludeResources.ResourceDescription.Name != "" { + if !wildcard.Match(rule.ExcludeResources.ResourceDescription.Name, rule.MatchResources.ResourceDescription.Name) { + return false + } + } + + if len(excludeNamespaces) > 0 { + if len(rule.MatchResources.ResourceDescription.Namespaces) == 0 { + return false + } + + for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces { + if !excludeNamespaces[namespace] { + return false + } + } + } + + if len(excludeKinds) > 0 { + if len(rule.MatchResources.ResourceDescription.Kinds) == 0 { + return false + } + + for _, kind := range rule.MatchResources.ResourceDescription.Kinds { + if !excludeKinds[kind] { + return false + } + } + } + + if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil { + if len(excludeMatchExpressions) > 0 { + if len(rule.MatchResources.ResourceDescription.Selector.MatchExpressions) == 0 { + return false + } + + for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions { + matchExpressionRaw, _ := json.Marshal(matchExpression) + if !excludeMatchExpressions[string(matchExpressionRaw)] { + return false + } + } + } + + if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 0 { + if len(rule.MatchResources.ResourceDescription.Selector.MatchLabels) == 0 { + return false + } + + for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels { + if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] != value { + return false + } + } + } + } + + return true +} + func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool { overlayMap, _ := rule.Mutation.Overlay.(map[string]interface{}) for k := range overlayMap { @@ -268,193 +401,3 @@ func validateResourceDescription(rd kyverno.ResourceDescription) error { } return nil } - -func validateMutation(m kyverno.Mutation) (string, error) { - // JSON Patches - if len(m.Patches) != 0 { - for i, patch := range m.Patches { - if err := validatePatch(patch); err != nil { - return fmt.Sprintf("patch[%d]", i), err - } - } - } - // Overlay - if m.Overlay != nil { - path, err := validatePattern(m.Overlay, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsAddingAnchor}) - if err != nil { - return path, err - } - } - return "", nil -} - -// Validate if all mandatory PolicyPatch fields are set -func validatePatch(pp kyverno.Patch) error { - if pp.Path == "" { - return errors.New("JSONPatch field 'path' is mandatory") - } - if pp.Operation == "add" || pp.Operation == "replace" { - if pp.Value == nil { - return fmt.Errorf("JSONPatch field 'value' is mandatory for operation '%s'", pp.Operation) - } - - return nil - } else if pp.Operation == "remove" { - return nil - } - - return fmt.Errorf("Unsupported JSONPatch operation '%s'", pp.Operation) -} - -func validateValidation(v kyverno.Validation) (string, error) { - if err := validateOverlayPattern(v); err != nil { - // no need to proceed ahead - return "", err - } - - if v.Pattern != nil { - if path, err := validatePattern(v.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil { - return fmt.Sprintf("pattern.%s", path), err - } - } - - if len(v.AnyPattern) != 0 { - for i, pattern := range v.AnyPattern { - if path, err := validatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil { - return fmt.Sprintf("anyPattern[%d].%s", i, path), err - } - } - } - return "", nil -} - -// validateOverlayPattern checks one of pattern/anyPattern must exist -func validateOverlayPattern(v kyverno.Validation) error { - if v.Pattern == nil && len(v.AnyPattern) == 0 { - return fmt.Errorf("a pattern or anyPattern must be specified") - } - - if v.Pattern != nil && len(v.AnyPattern) != 0 { - return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)") - } - - return nil -} - -// Validate returns error if generator is configured incompletely -func validateGeneration(gen kyverno.Generation) (string, error) { - - if gen.Data == nil && gen.Clone == (kyverno.CloneFrom{}) { - return "", fmt.Errorf("clone or data are required") - } - if gen.Data != nil && gen.Clone != (kyverno.CloneFrom{}) { - return "", fmt.Errorf("only one operation allowed per generate rule(data or clone)") - } - // check kind is non empty - // check name is non empty - if gen.Name == "" { - return "name", fmt.Errorf("name cannot be empty") - } - if gen.Kind == "" { - return "kind", fmt.Errorf("kind cannot be empty") - } - if !reflect.DeepEqual(gen.Clone, kyverno.CloneFrom{}) { - if path, err := validateClone(gen.Clone); err != nil { - return fmt.Sprintf("clone.%s", path), err - } - } - if gen.Data != nil { - //TODO: is this required ?? as anchors can only be on pattern and not resource - // we can add this check by not sure if its needed here - if path, err := validatePattern(gen.Data, "/", []anchor.IsAnchor{}); err != nil { - return fmt.Sprintf("data.%s", path), fmt.Errorf("anchors not supported on generate resources: %v", err) - } - } - return "", nil -} - -func validateClone(c kyverno.CloneFrom) (string, error) { - if c.Name == "" { - return "name", fmt.Errorf("name cannot be empty") - } - if c.Namespace == "" { - return "namespace", fmt.Errorf("namespace cannot be empty") - } - return "", nil -} - -func validatePattern(patternElement interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) { - switch typedPatternElement := patternElement.(type) { - case map[string]interface{}: - return validateMap(typedPatternElement, path, supportedAnchors) - case []interface{}: - return validateArray(typedPatternElement, path, supportedAnchors) - case string, float64, int, int64, bool, nil: - //TODO? check operator - return "", nil - default: - return path, fmt.Errorf("Validation rule failed at '%s', pattern contains unknown type", path) - } -} - -func validateMap(patternMap map[string]interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) { - // check if anchors are defined - for key, value := range patternMap { - // if key is anchor - // check regex () -> this is anchor - // () - // single char () - re, err := regexp.Compile(`^.?\(.+\)$`) - if err != nil { - return path + "/" + key, fmt.Errorf("Unable to parse the field %s: %v", key, err) - } - - matched := re.MatchString(key) - // check the type of anchor - if matched { - // some type of anchor - // check if valid anchor - if !checkAnchors(key, supportedAnchors) { - return path + "/" + key, fmt.Errorf("Unsupported anchor %s", key) - } - - // addition check for existence anchor - // value must be of type list - if anchor.IsExistenceAnchor(key) { - typedValue, ok := value.([]interface{}) - if !ok { - return path + "/" + key, fmt.Errorf("Existence anchor should have value of type list") - } - // validate there is only one entry in the list - if len(typedValue) == 0 || len(typedValue) > 1 { - return path + "/" + key, fmt.Errorf("Existence anchor: single value expected, multiple specified") - } - } - } - // lets validate the values now :) - if errPath, err := validatePattern(value, path+"/"+key, supportedAnchors); err != nil { - return errPath, err - } - } - return "", nil -} - -func validateArray(patternArray []interface{}, path string, supportedAnchors []anchor.IsAnchor) (string, error) { - for i, patternElement := range patternArray { - currentPath := path + strconv.Itoa(i) + "/" - // lets validate the values now :) - if errPath, err := validatePattern(patternElement, currentPath, supportedAnchors); err != nil { - return errPath, err - } - } - return "", nil -} - -func checkAnchors(key string, supportedAnchors []anchor.IsAnchor) bool { - for _, f := range supportedAnchors { - if f(key) { - return true - } - } - return false -} diff --git a/pkg/policy/validate/validate.go b/pkg/policy/validate/validate.go new file mode 100644 index 0000000000..c14099cbad --- /dev/null +++ b/pkg/policy/validate/validate.go @@ -0,0 +1,61 @@ +package validate + +import ( + "fmt" + + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/engine/anchor" + "github.com/nirmata/kyverno/pkg/policy/common" +) + +// Validate provides implementation to validate 'validate' rule +type Validate struct { + // rule to hold 'validate' rule specifications + rule kyverno.Validation +} + +//NewValidateFactory returns a new instance of Mutate validation checker +func NewValidateFactory(rule kyverno.Validation) *Validate { + m := Validate{ + rule: rule, + } + return &m +} + +//Validate validates the 'validate' rule +func (v *Validate) Validate() (string, error) { + rule := v.rule + if err := v.validateOverlayPattern(); err != nil { + // no need to proceed ahead + return "", err + } + + if rule.Pattern != nil { + if path, err := common.ValidatePattern(rule.Pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil { + return fmt.Sprintf("pattern.%s", path), err + } + } + + if len(rule.AnyPattern) != 0 { + for i, pattern := range rule.AnyPattern { + if path, err := common.ValidatePattern(pattern, "/", []anchor.IsAnchor{anchor.IsConditionAnchor, anchor.IsExistenceAnchor, anchor.IsEqualityAnchor, anchor.IsNegationAnchor}); err != nil { + return fmt.Sprintf("anyPattern[%d].%s", i, path), err + } + } + } + return "", nil +} + +// validateOverlayPattern checks one of pattern/anyPattern must exist +func (v *Validate) validateOverlayPattern() error { + rule := v.rule + if rule.Pattern == nil && len(rule.AnyPattern) == 0 && rule.Deny == nil { + return fmt.Errorf("pattern, anyPattern or deny must be specified") + } + + if rule.Pattern != nil && len(rule.AnyPattern) != 0 { + return fmt.Errorf("only one operation allowed per validation rule(pattern or anyPattern)") + } + + return nil +} diff --git a/pkg/policy/validate/validate_test.go b/pkg/policy/validate/validate_test.go new file mode 100644 index 0000000000..ee83204707 --- /dev/null +++ b/pkg/policy/validate/validate_test.go @@ -0,0 +1,381 @@ +package validate + +import ( + "encoding/json" + "testing" + + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "gotest.tools/assert" +) + +func Test_Validate_OverlayPattern_Empty(t *testing.T) { + rawValidation := []byte(` + {}`) + + var validation kyverno.Validation + err := json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + + checker := NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} +func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) { + rawValidation := []byte(` + { "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false" + } + `) + + var validation kyverno.Validation + err := json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + checker := NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} + +func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) { + rawValidation := []byte(` + { + "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false", + "anyPattern": [ + { + "spec": { + "securityContext": { + "allowPrivilegeEscalation": false, + "privileged": false + } + } + } + ], + "pattern": { + "spec": { + "containers": [ + { + "name": "*", + "securityContext": { + "allowPrivilegeEscalation": false, + "privileged": false + } + } + ] + } + } + }`) + + var validation kyverno.Validation + err := json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + checker := NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} +func Test_Validate_OverlayPattern_Valid(t *testing.T) { + rawValidation := []byte(` + { + "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false", + "anyPattern": [ + { + "spec": { + "securityContext": { + "allowPrivilegeEscalation": false, + "privileged": false + } + } + }, + { + "spec": { + "containers": [ + { + "name": "*", + "securityContext": { + "allowPrivilegeEscalation": false, + "privileged": false + } + } + ] + } + } + ] + } +`) + + var validation kyverno.Validation + err := json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + checker := NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.NilError(t, err) + } +} + +func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) { + rawValidation := []byte(` + { + "message": "validate container security contexts", + "anyPattern": [ + { + "spec": { + "template": { + "spec": { + "containers": [ + { + "^(securityContext)": { + "runAsNonRoot": true + } + } + ] + } + } + } + } + ] + } +`) + + var validation kyverno.Validation + err := json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + checker := NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} + +func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) { + rawValidation := []byte(`{ + "message": "validate container security contexts", + "pattern": { + "spec": { + "template": { + "spec": { + "containers": [ + { + "securityContext": { + "allowPrivilegeEscalation": "^(false)" + } + } + ] + } + } + } + } + } + `) + + var validation kyverno.Validation + err := json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + checker := NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} + +func Test_Validate_ExistingAnchor_Valid(t *testing.T) { + var err error + var validation kyverno.Validation + rawValidation := []byte(` + { + "message": "validate container security contexts", + "anyPattern": [ + { + "spec": { + "template": { + "spec": { + "^(containers)": [ + { + "securityContext": { + "runAsNonRoot": "true" + } + } + ] + } + } + } + } + ] + }`) + + err = json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + checker := NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + rawValidation = []byte(` + { + "message": "validate container security contexts", + "pattern": { + "spec": { + "template": { + "spec": { + "^(containers)": [ + { + "securityContext": { + "allowPrivilegeEscalation": "false" + } + } + ] + } + } + } + } + } `) + err = json.Unmarshal(rawValidation, &validation) + assert.NilError(t, err) + checker = NewValidateFactory(validation) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + +} + +func Test_Validate_Validate_ValidAnchor(t *testing.T) { + var err error + var validate kyverno.Validation + var rawValidate []byte + // case 1 + rawValidate = []byte(` + { + "message": "Root user is not allowed. Set runAsNonRoot to true.", + "anyPattern": [ + { + "spec": { + "securityContext": { + "(runAsNonRoot)": true + } + } + }, + { + "spec": { + "^(containers)": [ + { + "name": "*", + "securityContext": { + "runAsNonRoot": true + } + } + ] + } + } + ] + }`) + + err = json.Unmarshal(rawValidate, &validate) + assert.NilError(t, err) + + checker := NewValidateFactory(validate) + if _, err := checker.Validate(); err != nil { + assert.NilError(t, err) + } + + // case 2 + validate = kyverno.Validation{} + rawValidate = []byte(` + { + "message": "Root user is not allowed. Set runAsNonRoot to true.", + "pattern": { + "spec": { + "=(securityContext)": { + "runAsNonRoot": "true" + } + } + } + }`) + + err = json.Unmarshal(rawValidate, &validate) + assert.NilError(t, err) + + checker = NewValidateFactory(validate) + if _, err := checker.Validate(); err != nil { + assert.NilError(t, err) + } +} + +func Test_Validate_Validate_Mismatched(t *testing.T) { + rawValidate := []byte(` + { + "message": "Root user is not allowed. Set runAsNonRoot to true.", + "pattern": { + "spec": { + "containers": [ + { + "name": "*", + "securityContext": { + "+(runAsNonRoot)": true + } + } + ] + } + } + }`) + + var validate kyverno.Validation + err := json.Unmarshal(rawValidate, &validate) + assert.NilError(t, err) + checker := NewValidateFactory(validate) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } +} + +func Test_Validate_Validate_Unsupported(t *testing.T) { + var err error + var validate kyverno.Validation + + // case 1 + rawValidate := []byte(` + { + "message": "Root user is not allowed. Set runAsNonRoot to true.", + "pattern": { + "spec": { + "containers": [ + { + "name": "*", + "securityContext": { + "!(runAsNonRoot)": true + } + } + ] + } + } + }`) + + err = json.Unmarshal(rawValidate, &validate) + assert.NilError(t, err) + checker := NewValidateFactory(validate) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + + // case 2 + rawValidate = []byte(` + { + "message": "Root user is not allowed. Set runAsNonRoot to true.", + "pattern": { + "spec": { + "containers": [ + { + "name": "*", + "securityContext": { + "~(runAsNonRoot)": true + } + } + ] + } + } + }`) + + err = json.Unmarshal(rawValidate, &validate) + assert.NilError(t, err) + + checker = NewValidateFactory(validate) + if _, err := checker.Validate(); err != nil { + assert.Assert(t, err != nil) + } + +} diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go index 387c87707b..9855f2130c 100644 --- a/pkg/policy/validate_test.go +++ b/pkg/policy/validate_test.go @@ -4,6 +4,8 @@ import ( "encoding/json" "testing" + "github.com/nirmata/kyverno/pkg/openapi" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "gotest.tools/assert" ) @@ -287,369 +289,6 @@ func Test_Validate_ResourceDescription_InvalidSelector(t *testing.T) { assert.Assert(t, err != nil) } -func Test_Validate_OverlayPattern_Empty(t *testing.T) { - rawValidation := []byte(` - {}`) - - var validation kyverno.Validation - err := json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - - if _, err := validateValidation(validation); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_OverlayPattern_Nil_PatternAnypattern(t *testing.T) { - rawValidation := []byte(` - { "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false" - } - `) - - var validation kyverno.Validation - err := json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - if _, err := validateValidation(validation); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_OverlayPattern_Exist_PatternAnypattern(t *testing.T) { - rawValidation := []byte(` - { - "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false", - "anyPattern": [ - { - "spec": { - "securityContext": { - "allowPrivilegeEscalation": false, - "privileged": false - } - } - } - ], - "pattern": { - "spec": { - "containers": [ - { - "name": "*", - "securityContext": { - "allowPrivilegeEscalation": false, - "privileged": false - } - } - ] - } - } - }`) - - var validation kyverno.Validation - err := json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - if _, err := validateValidation(validation); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_OverlayPattern_Valid(t *testing.T) { - rawValidation := []byte(` - { - "message": "Privileged mode is not allowed. Set allowPrivilegeEscalation and privileged to false", - "anyPattern": [ - { - "spec": { - "securityContext": { - "allowPrivilegeEscalation": false, - "privileged": false - } - } - }, - { - "spec": { - "containers": [ - { - "name": "*", - "securityContext": { - "allowPrivilegeEscalation": false, - "privileged": false - } - } - ] - } - } - ] - } -`) - - var validation kyverno.Validation - err := json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - if _, err := validateValidation(validation); err != nil { - assert.NilError(t, err) - } - -} - -func Test_Validate_ExistingAnchor_AnchorOnMap(t *testing.T) { - rawValidation := []byte(` - { - "message": "validate container security contexts", - "anyPattern": [ - { - "spec": { - "template": { - "spec": { - "containers": [ - { - "^(securityContext)": { - "runAsNonRoot": true - } - } - ] - } - } - } - } - ] - } -`) - - var validation kyverno.Validation - err := json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - if _, err := validateValidation(validation); err != nil { - assert.Assert(t, err != nil) - } - -} - -func Test_Validate_ExistingAnchor_AnchorOnString(t *testing.T) { - rawValidation := []byte(`{ - "message": "validate container security contexts", - "pattern": { - "spec": { - "template": { - "spec": { - "containers": [ - { - "securityContext": { - "allowPrivilegeEscalation": "^(false)" - } - } - ] - } - } - } - } - } - `) - - var validation kyverno.Validation - err := json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - if _, err := validateValidation(validation); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_ExistingAnchor_Valid(t *testing.T) { - var err error - var validation kyverno.Validation - rawValidation := []byte(` - { - "message": "validate container security contexts", - "anyPattern": [ - { - "spec": { - "template": { - "spec": { - "^(containers)": [ - { - "securityContext": { - "runAsNonRoot": "true" - } - } - ] - } - } - } - } - ] - }`) - - err = json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - if _, err := validateValidation(validation); err != nil { - assert.Assert(t, err != nil) - } - rawValidation = []byte(` - { - "message": "validate container security contexts", - "pattern": { - "spec": { - "template": { - "spec": { - "^(containers)": [ - { - "securityContext": { - "allowPrivilegeEscalation": "false" - } - } - ] - } - } - } - } - } `) - err = json.Unmarshal(rawValidation, &validation) - assert.NilError(t, err) - if _, err := validateValidation(validation); err != nil { - assert.Assert(t, err != nil) - } - -} - -func Test_Validate_Validate_ValidAnchor(t *testing.T) { - var err error - var validate kyverno.Validation - var rawValidate []byte - // case 1 - rawValidate = []byte(` - { - "message": "Root user is not allowed. Set runAsNonRoot to true.", - "anyPattern": [ - { - "spec": { - "securityContext": { - "(runAsNonRoot)": true - } - } - }, - { - "spec": { - "^(containers)": [ - { - "name": "*", - "securityContext": { - "runAsNonRoot": true - } - } - ] - } - } - ] - }`) - - err = json.Unmarshal(rawValidate, &validate) - assert.NilError(t, err) - - if _, err := validateValidation(validate); err != nil { - assert.NilError(t, err) - } - - // case 2 - validate = kyverno.Validation{} - rawValidate = []byte(` - { - "message": "Root user is not allowed. Set runAsNonRoot to true.", - "pattern": { - "spec": { - "=(securityContext)": { - "runAsNonRoot": "true" - } - } - } - }`) - - err = json.Unmarshal(rawValidate, &validate) - assert.NilError(t, err) - - if _, err := validateValidation(validate); err != nil { - assert.NilError(t, err) - } -} - -func Test_Validate_Validate_Mismatched(t *testing.T) { - rawValidate := []byte(` - { - "message": "Root user is not allowed. Set runAsNonRoot to true.", - "pattern": { - "spec": { - "containers": [ - { - "name": "*", - "securityContext": { - "+(runAsNonRoot)": true - } - } - ] - } - } - }`) - - var validate kyverno.Validation - err := json.Unmarshal(rawValidate, &validate) - assert.NilError(t, err) - if _, err := validateValidation(validate); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_Validate_Unsupported(t *testing.T) { - var err error - var validate kyverno.Validation - - // case 1 - rawValidate := []byte(` - { - "message": "Root user is not allowed. Set runAsNonRoot to true.", - "pattern": { - "spec": { - "containers": [ - { - "name": "*", - "securityContext": { - "!(runAsNonRoot)": true - } - } - ] - } - } - }`) - - err = json.Unmarshal(rawValidate, &validate) - assert.NilError(t, err) - if _, err := validateValidation(validate); err != nil { - assert.Assert(t, err != nil) - } - - // case 2 - rawValidate = []byte(` - { - "message": "Root user is not allowed. Set runAsNonRoot to true.", - "pattern": { - "spec": { - "containers": [ - { - "name": "*", - "securityContext": { - "~(runAsNonRoot)": true - } - } - ] - } - } - }`) - - err = json.Unmarshal(rawValidate, &validate) - assert.NilError(t, err) - - if _, err := validateValidation(validate); err != nil { - assert.Assert(t, err != nil) - } - -} - func Test_Validate_Policy(t *testing.T) { rawPolicy := []byte(` { @@ -732,227 +371,10 @@ func Test_Validate_Policy(t *testing.T) { } }`) - var policy kyverno.ClusterPolicy - err := json.Unmarshal(rawPolicy, &policy) + openAPIController, _ := openapi.NewOpenAPIController() + + err := Validate(rawPolicy, nil, true, openAPIController) assert.NilError(t, err) - - err = Validate(policy) - assert.NilError(t, err) -} - -func Test_Validate_Mutate_ConditionAnchor(t *testing.T) { - rawMutate := []byte(` - { - "overlay": { - "spec": { - "(serviceAccountName)": "*", - "automountServiceAccountToken": false - } - } - }`) - - var mutate kyverno.Mutation - err := json.Unmarshal(rawMutate, &mutate) - assert.NilError(t, err) - if _, err := validateMutation(mutate); err != nil { - assert.NilError(t, err) - } -} - -func Test_Validate_Mutate_PlusAnchor(t *testing.T) { - rawMutate := []byte(` - { - "overlay": { - "spec": { - "+(serviceAccountName)": "*", - "automountServiceAccountToken": false - } - } - }`) - - var mutate kyverno.Mutation - err := json.Unmarshal(rawMutate, &mutate) - assert.NilError(t, err) - - if _, err := validateMutation(mutate); err != nil { - assert.NilError(t, err) - } -} - -func Test_Validate_Mutate_Mismatched(t *testing.T) { - rawMutate := []byte(` - { - "overlay": { - "spec": { - "^(serviceAccountName)": "*", - "automountServiceAccountToken": false - } - } - }`) - - var mutateExistence kyverno.Mutation - err := json.Unmarshal(rawMutate, &mutateExistence) - assert.NilError(t, err) - - if _, err := validateMutation(mutateExistence); err != nil { - assert.Assert(t, err != nil) - } - - var mutateEqual kyverno.Mutation - rawMutate = []byte(` - { - "overlay": { - "spec": { - "=(serviceAccountName)": "*", - "automountServiceAccountToken": false - } - } - }`) - - err = json.Unmarshal(rawMutate, &mutateEqual) - assert.NilError(t, err) - - if _, err := validateMutation(mutateEqual); err != nil { - assert.Assert(t, err != nil) - } - - var mutateNegation kyverno.Mutation - rawMutate = []byte(` - { - "overlay": { - "spec": { - "X(serviceAccountName)": "*", - "automountServiceAccountToken": false - } - } - }`) - - err = json.Unmarshal(rawMutate, &mutateNegation) - assert.NilError(t, err) - - if _, err := validateMutation(mutateEqual); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_Mutate_Unsupported(t *testing.T) { - var err error - var mutate kyverno.Mutation - // case 1 - rawMutate := []byte(` - { - "overlay": { - "spec": { - "!(serviceAccountName)": "*", - "automountServiceAccountToken": false - } - } - }`) - - err = json.Unmarshal(rawMutate, &mutate) - assert.NilError(t, err) - - if _, err := validateMutation(mutate); err != nil { - assert.Assert(t, err != nil) - } - - // case 2 - rawMutate = []byte(` - { - "overlay": { - "spec": { - "~(serviceAccountName)": "*", - "automountServiceAccountToken": false - } - } - }`) - - err = json.Unmarshal(rawMutate, &mutate) - assert.NilError(t, err) - - if _, err := validateMutation(mutate); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_Generate(t *testing.T) { - rawGenerate := []byte(` - { - "kind": "NetworkPolicy", - "name": "defaultnetworkpolicy", - "data": { - "spec": { - "podSelector": {}, - "policyTypes": [ - "Ingress", - "Egress" - ], - "ingress": [ - {} - ], - "egress": [ - {} - ] - } - } - }`) - - var generate kyverno.Generation - err := json.Unmarshal(rawGenerate, &generate) - assert.NilError(t, err) - - if _, err := validateGeneration(generate); err != nil { - assert.Assert(t, err != nil) - } -} - -func Test_Validate_Generate_HasAnchors(t *testing.T) { - var err error - var generate kyverno.Generation - rawGenerate := []byte(` - { - "kind": "NetworkPolicy", - "name": "defaultnetworkpolicy", - "data": { - "spec": { - "(podSelector)": {}, - "policyTypes": [ - "Ingress", - "Egress" - ], - "ingress": [ - {} - ], - "egress": [ - {} - ] - } - } - }`) - - err = json.Unmarshal(rawGenerate, &generate) - assert.NilError(t, err) - if _, err := validateGeneration(generate); err != nil { - assert.Assert(t, err != nil) - } - - rawGenerate = []byte(` - { - "kind": "ConfigMap", - "name": "copied-cm", - "clone": { - "^(namespace)": "default", - "name": "game" - } - }`) - - errNew := json.Unmarshal(rawGenerate, &generate) - assert.NilError(t, errNew) - err = json.Unmarshal(rawGenerate, &generate) - assert.NilError(t, err) - if _, err := validateGeneration(generate); err != nil { - assert.Assert(t, err != nil) - } } func Test_Validate_ErrorFormat(t *testing.T) { @@ -1093,11 +515,8 @@ func Test_Validate_ErrorFormat(t *testing.T) { } `) - var policy kyverno.ClusterPolicy - err := json.Unmarshal(rawPolicy, &policy) - assert.NilError(t, err) - - err = Validate(policy) + openAPIController, _ := openapi.NewOpenAPIController() + err := Validate(rawPolicy, nil, true, openAPIController) assert.Assert(t, err != nil) } @@ -1189,8 +608,8 @@ func Test_BackGroundUserInfo_match_roles(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) - assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/roles") + err = ContainsVariablesOtherThanObject(*policy) + assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/roles") } func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) { @@ -1221,9 +640,9 @@ func Test_BackGroundUserInfo_match_clusterRoles(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/clusterRoles") + assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/clusterRoles") } func Test_BackGroundUserInfo_match_subjects(t *testing.T) { @@ -1257,9 +676,9 @@ func Test_BackGroundUserInfo_match_subjects(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - assert.Equal(t, err.Error(), "userInfo variable used at path: spec/rules[0]/match/subjects") + assert.Equal(t, err.Error(), "invalid variable used at path: spec/rules[0]/match/subjects") } func Test_BackGroundUserInfo_mutate_overlay1(t *testing.T) { @@ -1289,9 +708,9 @@ func Test_BackGroundUserInfo_mutate_overlay1(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" { + if err.Error() != "invalid variable used at spec/rules[0]/mutate/overlay" { t.Log(err) t.Error("Incorrect Path") } @@ -1324,9 +743,9 @@ func Test_BackGroundUserInfo_mutate_overlay2(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - if err.Error() != "userInfo variable used at spec/rules[0]/mutate/overlay" { + if err.Error() != "invalid variable used at spec/rules[0]/mutate/overlay" { t.Log(err) t.Error("Incorrect Path") } @@ -1359,9 +778,9 @@ func Test_BackGroundUserInfo_validate_pattern(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - if err.Error() != "userInfo variable used at spec/rules[0]/validate/pattern" { + if err.Error() != "invalid variable used at spec/rules[0]/validate/pattern" { t.Log(err) t.Error("Incorrect Path") } @@ -1398,9 +817,9 @@ func Test_BackGroundUserInfo_validate_anyPattern(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" { + if err.Error() != "invalid variable used at spec/rules[0]/validate/anyPattern[1]" { t.Log(err) t.Error("Incorrect Path") } @@ -1437,9 +856,9 @@ func Test_BackGroundUserInfo_validate_anyPattern_multiple_var(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" { + if err.Error() != "invalid variable used at spec/rules[0]/validate/anyPattern[1]" { t.Log(err) t.Error("Incorrect Path") } @@ -1476,9 +895,9 @@ func Test_BackGroundUserInfo_validate_anyPattern_serviceAccount(t *testing.T) { err = json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) - err = ContainsUserInfo(*policy) + err = ContainsVariablesOtherThanObject(*policy) - if err.Error() != "userInfo variable used at spec/rules[0]/validate/anyPattern[1]" { + if err.Error() != "invalid variable used at spec/rules[0]/validate/anyPattern[1]" { t.Log(err) t.Error("Incorrect Path") } @@ -1541,3 +960,81 @@ func Test_ruleOnlyDealsWithResourceMetaData(t *testing.T) { } } } + +func Test_doesMatchExcludeConflict(t *testing.T) { + testcases := []struct { + description string + rule []byte + expectedOutput bool + }{ + { + description: "Same match and exclude", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`), + expectedOutput: true, + }, + { + description: "Failed to exclude kind", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`), + expectedOutput: false, + }, + { + description: "Failed to exclude name", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something-*","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`), + expectedOutput: false, + }, + { + description: "Failed to exclude namespace", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something3","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`), + expectedOutput: false, + }, + { + description: "Failed to exclude labels", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"higha"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`), + expectedOutput: false, + }, + { + description: "Failed to exclude expression", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["databases"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`), + expectedOutput: false, + }, + { + description: "Failed to exclude subjects", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something2","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]}}`), + expectedOutput: false, + }, + { + description: "Failed to exclude clusterroles", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something3","something1"],"roles":["something","something1"]}}`), + expectedOutput: false, + }, + { + description: "Failed to exclude roles", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something","something1"]},"exclude":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"],"selector":{"matchLabels":{"memory":"high"},"matchExpressions":[{"key":"tier","operator":"In","values":["database"]}]}},"subjects":[{"name":"something","kind":"something","Namespace":"something","apiGroup":"something"},{"name":"something1","kind":"something1","Namespace":"something1","apiGroup":"something1"}],"clusterroles":["something","something1"],"roles":["something3","something1"]}}`), + expectedOutput: false, + }, + { + description: "simple", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"something","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}}`), + expectedOutput: true, + }, + { + description: "simple - fail", + rule: []byte(`{"name":"set-image-pull-policy-2","match":{"resources":{"kinds":["Pod","Namespace"],"name":"somxething","namespaces":["something","something1"]}},"exclude":{"resources":{"kinds":["Pod","Namespace","Job"],"name":"some*","namespaces":["something","something1","something2"]}}}`), + expectedOutput: false, + }, + { + description: "empty case", + rule: []byte(`{"name":"check-allow-deletes","match":{"resources":{"selector":{"matchLabels":{"allow-deletes":"false"}}}},"exclude":{"clusterRoles":["random"]},"validate":{"message":"Deleting {{request.object.kind}}/{{request.object.metadata.name}} is not allowed","deny":{"conditions":[{"key":"{{request.operation}}","operator":"Equal","value":"DELETE"}]}}}`), + expectedOutput: false, + }, + } + + for i, testcase := range testcases { + var rule kyverno.Rule + _ = json.Unmarshal(testcase.rule, &rule) + + if doesMatchAndExcludeConflict(rule) != testcase.expectedOutput { + t.Errorf("Testcase [%d] failed - description - %v", i+1, testcase.description) + } + } +} diff --git a/pkg/policy/webhookregistration.go b/pkg/policy/webhookregistration.go index f4b2188b2a..5c8fc0aa69 100644 --- a/pkg/policy/webhookregistration.go +++ b/pkg/policy/webhookregistration.go @@ -1,25 +1,25 @@ package policy import ( - "github.com/golang/glog" "k8s.io/apimachinery/pkg/labels" ) func (pc *PolicyController) removeResourceWebhookConfiguration() error { + logger := pc.log var err error // get all existing policies policies, err := pc.pLister.List(labels.NewSelector()) if err != nil { - glog.V(4).Infof("failed to list policies: %v", err) + logger.Error(err, "failed to list policies") return err } if len(policies) == 0 { - glog.V(4).Info("no policies loaded, removing resource webhook configuration if one exists") + logger.V(4).Info("no policies loaded, removing resource webhook configuration if one exists") return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration() } - glog.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists") + logger.V(4).Info("no policies with mutating or validating webhook configurations, remove resource webhook configuration if one exists") return pc.resourceWebhookWatcher.RemoveResourceWebhookConfiguration() } diff --git a/pkg/policystatus/main.go b/pkg/policystatus/main.go index 3e633aaf82..34d849cc55 100644 --- a/pkg/policystatus/main.go +++ b/pkg/policystatus/main.go @@ -2,16 +2,17 @@ package policystatus import ( "encoding/json" + "fmt" + kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "sync" "time" - "github.com/golang/glog" - "k8s.io/apimachinery/pkg/util/wait" "github.com/nirmata/kyverno/pkg/client/clientset/versioned" v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + log "sigs.k8s.io/controller-runtime/pkg/log" ) // Policy status implementation works in the following way, @@ -35,10 +36,6 @@ type statusUpdater interface { UpdateStatus(status v1.PolicyStatus) v1.PolicyStatus } -type policyStore interface { - Get(policyName string) (*v1.ClusterPolicy, error) -} - type Listener chan statusUpdater func (l Listener) Send(s statusUpdater) { @@ -53,7 +50,7 @@ type Sync struct { cache *cache Listener Listener client *versioned.Clientset - policyStore policyStore + lister kyvernolister.ClusterPolicyLister } type cache struct { @@ -62,7 +59,7 @@ type cache struct { keyToMutex *keyToMutex } -func NewSync(c *versioned.Clientset, p policyStore) *Sync { +func NewSync(c *versioned.Clientset, lister kyvernolister.ClusterPolicyLister) *Sync { return &Sync{ cache: &cache{ dataMu: sync.RWMutex{}, @@ -70,7 +67,7 @@ func NewSync(c *versioned.Clientset, p policyStore) *Sync { keyToMutex: newKeyToMutex(), }, client: c, - policyStore: p, + lister: lister, Listener: make(chan statusUpdater, 20), } } @@ -80,7 +77,7 @@ func (s *Sync) Run(workers int, stopCh <-chan struct{}) { go s.updateStatusCache(stopCh) } - wait.Until(s.updatePolicyStatus, 2*time.Second, stopCh) + wait.Until(s.updatePolicyStatus, 10*time.Second, stopCh) <-stopCh } @@ -96,7 +93,7 @@ func (s *Sync) updateStatusCache(stopCh <-chan struct{}) { status, exist := s.cache.data[statusUpdater.PolicyName()] s.cache.dataMu.RUnlock() if !exist { - policy, _ := s.policyStore.Get(statusUpdater.PolicyName()) + policy, _ := s.lister.Get(statusUpdater.PolicyName()) if policy != nil { status = policy.Status } @@ -111,8 +108,7 @@ func (s *Sync) updateStatusCache(stopCh <-chan struct{}) { s.cache.keyToMutex.Get(statusUpdater.PolicyName()).Unlock() oldStatus, _ := json.Marshal(status) newStatus, _ := json.Marshal(updatedStatus) - - glog.V(4).Infof("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus)) + log.Log.V(4).Info(fmt.Sprintf("\nupdated status of policy - %v\noldStatus:\n%v\nnewStatus:\n%v\n", statusUpdater.PolicyName(), string(oldStatus), string(newStatus))) case <-stopCh: return } @@ -130,17 +126,18 @@ func (s *Sync) updatePolicyStatus() { s.cache.dataMu.Unlock() for policyName, status := range nameToStatus { - policy, err := s.policyStore.Get(policyName) + policy, err := s.lister.Get(policyName) if err != nil { continue } + policy.Status = status _, err = s.client.KyvernoV1().ClusterPolicies().UpdateStatus(policy) if err != nil { s.cache.dataMu.Lock() delete(s.cache.data, policyName) s.cache.dataMu.Unlock() - glog.V(4).Info(err) + log.Log.Error(err, "failed to update policy status") } } } diff --git a/pkg/policystatus/status_test.go b/pkg/policystatus/status_test.go index 310852cf2f..1f768c21e7 100644 --- a/pkg/policystatus/status_test.go +++ b/pkg/policystatus/status_test.go @@ -2,6 +2,8 @@ package policystatus import ( "encoding/json" + "fmt" + "k8s.io/apimachinery/pkg/labels" "testing" "time" @@ -27,11 +29,35 @@ func (d dummyStatusUpdater) PolicyName() string { return "policy1" } + +type dummyLister struct { +} + +func (dl dummyLister) List(selector labels.Selector) (ret []*v1.ClusterPolicy, err error) { + return nil, fmt.Errorf("not implemented") +} + +func (dl dummyLister) Get(name string) (*v1.ClusterPolicy, error) { + return nil, fmt.Errorf("not implemented") +} + +func (dl dummyLister) GetPolicyForPolicyViolation(pv *v1.ClusterPolicyViolation) ([]*v1.ClusterPolicy, error) { + return nil, fmt.Errorf("not implemented") +} + +func (dl dummyLister) GetPolicyForNamespacedPolicyViolation(pv *v1.PolicyViolation) ([]*v1.ClusterPolicy, error) { + return nil, fmt.Errorf("not implemented") +} + +func (dl dummyLister) ListResources(selector labels.Selector) (ret []*v1.ClusterPolicy, err error) { + return nil, fmt.Errorf("not implemented") +} + func TestKeyToMutex(t *testing.T) { - expectedCache := `{"policy1":{"averageExecutionTime":"","rulesAppliedCount":100}}` + expectedCache := `{"policy1":{"rulesAppliedCount":100}}` stopCh := make(chan struct{}) - s := NewSync(nil, dummyStore{}) + s := NewSync(nil, dummyLister{}) for i := 0; i < 100; i++ { go s.updateStatusCache(stopCh) } diff --git a/pkg/policystore/policystore.go b/pkg/policystore/policystore.go deleted file mode 100644 index f8a8e30874..0000000000 --- a/pkg/policystore/policystore.go +++ /dev/null @@ -1,164 +0,0 @@ -package policystore - -import ( - "sync" - - "k8s.io/apimachinery/pkg/labels" - - "github.com/golang/glog" - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" - kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" - kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" - "k8s.io/client-go/tools/cache" -) - -type policyMap map[string]interface{} -type namespaceMap map[string]policyMap -type kindMap map[string]namespaceMap - -//PolicyStore Store the meta-data information to faster lookup policies -type PolicyStore struct { - data map[string]namespaceMap - mu sync.RWMutex - // list/get cluster policy - pLister kyvernolister.ClusterPolicyLister - // returns true if the cluster policy store has been synced at least once - pSynched cache.InformerSynced -} - -//UpdateInterface provides api to update policies -type UpdateInterface interface { - // Register a new policy - Register(policy kyverno.ClusterPolicy) - // Remove policy information - UnRegister(policy kyverno.ClusterPolicy) error -} - -//LookupInterface provides api to lookup policies -type LookupInterface interface { - ListAll() ([]kyverno.ClusterPolicy, error) -} - -// NewPolicyStore returns a new policy store -func NewPolicyStore(pInformer kyvernoinformer.ClusterPolicyInformer) *PolicyStore { - ps := PolicyStore{ - data: make(kindMap), - pLister: pInformer.Lister(), - pSynched: pInformer.Informer().HasSynced, - } - return &ps -} - -//Run checks syncing -func (ps *PolicyStore) Run(stopCh <-chan struct{}) { - if !cache.WaitForCacheSync(stopCh, ps.pSynched) { - glog.Error("policy meta store: failed to sync informer cache") - } -} - -//Register a new policy -func (ps *PolicyStore) Register(policy kyverno.ClusterPolicy) { - glog.V(4).Infof("adding resources %s", policy.Name) - ps.mu.Lock() - defer ps.mu.Unlock() - var pmap policyMap - // add an entry for each rule in policy - for _, rule := range policy.Spec.Rules { - // rule.MatchResources.Kinds - List - mandatory - atleast on entry - for _, kind := range rule.MatchResources.Kinds { - kindMap := ps.addKind(kind) - // namespaces - if len(rule.MatchResources.Namespaces) == 0 { - // all namespaces - * - pmap = addNamespace(kindMap, "*") - } else { - for _, ns := range rule.MatchResources.Namespaces { - pmap = addNamespace(kindMap, ns) - } - } - // add policy to the pmap - addPolicyElement(pmap, policy.Name) - } - } -} - -func (ps *PolicyStore) ListAll() ([]kyverno.ClusterPolicy, error) { - policyPointers, err := ps.pLister.List(labels.NewSelector()) - if err != nil { - return nil, err - } - - var policies = make([]kyverno.ClusterPolicy, 0, len(policyPointers)) - for _, policy := range policyPointers { - policies = append(policies, *policy) - } - - return policies, nil -} - -func (ps *PolicyStore) Get(policyName string) (*kyverno.ClusterPolicy, error) { - return ps.pLister.Get(policyName) -} - -//UnRegister Remove policy information -func (ps *PolicyStore) UnRegister(policy kyverno.ClusterPolicy) error { - ps.mu.Lock() - defer ps.mu.Unlock() - for _, rule := range policy.Spec.Rules { - for _, kind := range rule.MatchResources.Kinds { - // get kind Map - kindMap := ps.getKind(kind) - if kindMap == nil { - // kind does not exist - return nil - } - if len(rule.MatchResources.Namespaces) == 0 { - namespace := "*" - pmap := getNamespace(kindMap, namespace) - // remove element - delete(pmap, policy.Name) - } else { - for _, ns := range rule.MatchResources.Namespaces { - pmap := getNamespace(kindMap, ns) - // remove element - delete(pmap, policy.Name) - } - } - } - } - return nil -} - -func (ps *PolicyStore) addKind(kind string) namespaceMap { - val, ok := ps.data[kind] - if ok { - return val - } - ps.data[kind] = make(namespaceMap) - return ps.data[kind] -} - -func (ps *PolicyStore) getKind(kind string) namespaceMap { - return ps.data[kind] -} - -func addNamespace(kindMap map[string]policyMap, namespace string) policyMap { - val, ok := kindMap[namespace] - if ok { - return val - } - kindMap[namespace] = make(policyMap) - return kindMap[namespace] -} - -func getNamespace(kindMap map[string]policyMap, namespace string) policyMap { - return kindMap[namespace] -} - -func addPolicyElement(pmap policyMap, name string) { - var emptyInterface interface{} - - if _, ok := pmap[name]; !ok { - pmap[name] = emptyInterface - } -} diff --git a/pkg/policyviolation/builder.go b/pkg/policyviolation/builder.go index 1de366eb66..da556697be 100644 --- a/pkg/policyviolation/builder.go +++ b/pkg/policyviolation/builder.go @@ -3,24 +3,23 @@ package policyviolation import ( "fmt" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" ) //GeneratePVsFromEngineResponse generate Violations from engine responses -func GeneratePVsFromEngineResponse(ers []response.EngineResponse) (pvInfos []Info) { +func GeneratePVsFromEngineResponse(ers []response.EngineResponse, log logr.Logger) (pvInfos []Info) { for _, er := range ers { // ignore creation of PV for resources that are yet to be assigned a name if er.PolicyResponse.Resource.Name == "" { - glog.V(4).Infof("resource %v, has not been assigned a name, not creating a policy violation for it", er.PolicyResponse.Resource) + log.V(4).Info("resource does no have a name assigned yet, not creating a policy violation", "resource", er.PolicyResponse.Resource) continue } // skip when response succeed if er.IsSuccesful() { continue } - glog.V(4).Infof("Building policy violation for engine response %v", er) // build policy violation info pvInfos = append(pvInfos, buildPVInfo(er)) } diff --git a/pkg/policyviolation/builder_test.go b/pkg/policyviolation/builder_test.go index bd3f8c97f0..a44314f9f2 100644 --- a/pkg/policyviolation/builder_test.go +++ b/pkg/policyviolation/builder_test.go @@ -5,6 +5,7 @@ import ( "github.com/nirmata/kyverno/pkg/engine/response" "gotest.tools/assert" + "sigs.k8s.io/controller-runtime/pkg/log" ) func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) { @@ -52,6 +53,6 @@ func Test_GeneratePVsFromEngineResponse_PathNotExist(t *testing.T) { }, } - pvInfos := GeneratePVsFromEngineResponse(ers) + pvInfos := GeneratePVsFromEngineResponse(ers, log.Log) assert.Assert(t, len(pvInfos) == 1) } diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go index c9336f8059..6ddbe7e05b 100644 --- a/pkg/policyviolation/clusterpv.go +++ b/pkg/policyviolation/clusterpv.go @@ -2,9 +2,8 @@ package policyviolation import ( "fmt" - "reflect" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" @@ -21,11 +20,13 @@ type clusterPV struct { cpvLister kyvernolister.ClusterPolicyViolationLister // policy violation interface kyvernoInterface kyvernov1.KyvernoV1Interface + // logger + log logr.Logger // update policy stats with violationCount policyStatusListener policystatus.Listener } -func newClusterPV(dclient *client.Client, +func newClusterPV(log logr.Logger, dclient *client.Client, cpvLister kyvernolister.ClusterPolicyViolationLister, kyvernoInterface kyvernov1.KyvernoV1Interface, policyStatus policystatus.Listener, @@ -34,6 +35,7 @@ func newClusterPV(dclient *client.Client, dclient: dclient, cpvLister: cpvLister, kyvernoInterface: kyvernoInterface, + log: log, policyStatusListener: policyStatus, } return &cpv @@ -56,6 +58,7 @@ func (cpv *clusterPV) create(pv kyverno.PolicyViolationTemplate) error { } func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyverno.ClusterPolicyViolation, error) { + logger := cpv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name) var err error // use labels policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()} @@ -66,7 +69,7 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern pvs, err := cpv.cpvLister.List(ls) if err != nil { - glog.Errorf("unable to list cluster policy violations : %v", err) + logger.Error(err, "failed to list cluster policy violations") return nil, err } @@ -83,19 +86,29 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error { var err error - glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Name) + logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name) + logger.V(4).Info("creating new policy violation") obj, err := retryGetResource(cpv.dclient, newPv.Spec.ResourceSpec) if err != nil { return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err) } + + if obj.GetDeletionTimestamp() != nil { + return nil + } + // set owner reference to resource - ownerRef := createOwnerReference(obj) + ownerRef, ok := createOwnerReference(obj) + if !ok { + return nil + } + newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef}) // create resource _, err = cpv.kyvernoInterface.ClusterPolicyViolations().Create(newPv) if err != nil { - glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err) + logger.Error(err, "failed to create cluster policy violation") return err } @@ -103,27 +116,29 @@ func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error { cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules}) } - glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec) + logger.Info("cluster policy violation created") return nil } func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) error { + logger := cpv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name) var err error // check if there is any update - if reflect.DeepEqual(newPv.Spec, oldPv.Spec) { - glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec) + if !hasViolationSpecChanged(newPv.Spec.DeepCopy(), oldPv.Spec.DeepCopy()) { + logger.V(4).Info("policy violation spec did not change, not upadating the resource") return nil } // set name newPv.SetName(oldPv.Name) newPv.SetResourceVersion(oldPv.ResourceVersion) + newPv.SetOwnerReferences(oldPv.GetOwnerReferences()) // update resource _, err = cpv.kyvernoInterface.ClusterPolicyViolations().Update(newPv) if err != nil { return fmt.Errorf("failed to update cluster policy violation: %v", err) } - glog.Infof("cluster policy violation updated for resource %v", newPv.Spec.ResourceSpec) + logger.Info("cluster policy violation updated") if newPv.Annotations["fromSync"] != "true" { cpv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules}) diff --git a/pkg/policyviolation/common.go b/pkg/policyviolation/common.go index 6f077b25b8..4fdc20ace8 100644 --- a/pkg/policyviolation/common.go +++ b/pkg/policyviolation/common.go @@ -2,21 +2,32 @@ package policyviolation import ( "fmt" + "reflect" "time" backoff "github.com/cenkalti/backoff" - "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" client "github.com/nirmata/kyverno/pkg/dclient" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/labels" + "sigs.k8s.io/controller-runtime/pkg/log" ) -func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerReference { +func createOwnerReference(resource *unstructured.Unstructured) (metav1.OwnerReference, bool) { controllerFlag := true blockOwnerDeletionFlag := true + + apiversion := resource.GetAPIVersion() + kind := resource.GetKind() + name := resource.GetName() + uid := resource.GetUID() + + if apiversion == "" || kind == "" || name == "" || uid == "" { + return metav1.OwnerReference{}, false + } + ownerRef := metav1.OwnerReference{ APIVersion: resource.GetAPIVersion(), Kind: resource.GetKind(), @@ -25,7 +36,7 @@ func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerRefer Controller: &controllerFlag, BlockOwnerDeletion: &blockOwnerDeletionFlag, } - return ownerRef + return ownerRef, true } func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstructured.Unstructured, error) { @@ -34,7 +45,7 @@ func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstr var err error getResource := func() error { obj, err = client.GetResource(rspec.Kind, rspec.Namespace, rspec.Name) - glog.V(4).Infof("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name) + log.Log.V(4).Info(fmt.Sprintf("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name)) i++ return err } @@ -95,3 +106,25 @@ func (vc violationCount) UpdateStatus(status kyverno.PolicyStatus) kyverno.Polic return status } + +// hasViolationSpecChanged returns true if oldSpec & newSpec +// are identical, exclude message in violated rules +func hasViolationSpecChanged(new, old *kyverno.PolicyViolationSpec) bool { + if new.Policy != old.Policy { + return true + } + + if new.ResourceSpec.ToKey() != old.ResourceSpec.ToKey() { + return true + } + + for i := range new.ViolatedRules { + new.ViolatedRules[i].Message = "" + } + + for i := range old.ViolatedRules { + old.ViolatedRules[i].Message = "" + } + + return !reflect.DeepEqual(*new, *old) +} diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go index db5ca63fcd..f395ef1475 100644 --- a/pkg/policyviolation/generator.go +++ b/pkg/policyviolation/generator.go @@ -6,14 +6,14 @@ import ( "strconv" "strings" "sync" - "time" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1" kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" + "github.com/nirmata/kyverno/pkg/constant" "github.com/nirmata/kyverno/pkg/policystatus" dclient "github.com/nirmata/kyverno/pkg/dclient" @@ -38,6 +38,7 @@ type Generator struct { // returns true if the cluster policy store has been synced at least once pvSynced cache.InformerSynced // returns true if the namespaced cluster policy store has been synced at at least once + log logr.Logger nspvSynced cache.InformerSynced queue workqueue.RateLimitingInterface dataStore *dataStore @@ -107,7 +108,8 @@ func NewPVGenerator(client *kyvernoclient.Clientset, dclient *dclient.Client, pvInformer kyvernoinformer.ClusterPolicyViolationInformer, nspvInformer kyvernoinformer.PolicyViolationInformer, - policyStatus policystatus.Listener) *Generator { + policyStatus policystatus.Listener, + log logr.Logger) *Generator { gen := Generator{ kyvernoInterface: client.KyvernoV1(), dclient: dclient, @@ -117,6 +119,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset, nspvSynced: nspvInformer.Informer().HasSynced, queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName), dataStore: newDataStore(), + log: log, policyStatusListener: policyStatus, } return &gen @@ -135,22 +138,22 @@ func (gen *Generator) enqueue(info Info) { func (gen *Generator) Add(infos ...Info) { for _, info := range infos { gen.enqueue(info) - glog.V(3).Infof("Added policy violation: %s", info.toKey()) } } // Run starts the workers func (gen *Generator) Run(workers int, stopCh <-chan struct{}) { + logger := gen.log defer utilruntime.HandleCrash() - glog.Info("Start policy violation generator") - defer glog.Info("Shutting down policy violation generator") + logger.Info("start") + defer logger.Info("shutting down") if !cache.WaitForCacheSync(stopCh, gen.pvSynced, gen.nspvSynced) { - glog.Error("policy violation generator: failed to sync informer cache") + logger.Info("failed to sync informer cache") } for i := 0; i < workers; i++ { - go wait.Until(gen.runWorker, time.Second, stopCh) + go wait.Until(gen.runWorker, constant.PolicyViolationControllerResync, stopCh) } <-stopCh } @@ -161,6 +164,7 @@ func (gen *Generator) runWorker() { } func (gen *Generator) handleErr(err error, key interface{}) { + logger := gen.log if err == nil { gen.queue.Forget(key) return @@ -168,23 +172,22 @@ func (gen *Generator) handleErr(err error, key interface{}) { // retires requests if there is error if gen.queue.NumRequeues(key) < workQueueRetryLimit { - glog.V(4).Infof("Error syncing policy violation %v: %v", key, err) + logger.Error(err, "failed to sync policy violation", "key", key) // Re-enqueue the key rate limited. Based on the rate limiter on the // queue and the re-enqueue history, the key will be processed later again. gen.queue.AddRateLimited(key) return } gen.queue.Forget(key) - glog.Error(err) // remove from data store if keyHash, ok := key.(string); ok { gen.dataStore.delete(keyHash) } - - glog.Warningf("Dropping the key out of the queue: %v", err) + logger.Error(err, "dropping key out of the queue", "key", key) } func (gen *Generator) processNextWorkitem() bool { + logger := gen.log obj, shutdown := gen.queue.Get() if shutdown { return false @@ -196,7 +199,7 @@ func (gen *Generator) processNextWorkitem() bool { var ok bool if keyHash, ok = obj.(string); !ok { gen.queue.Forget(obj) - glog.Warningf("Expecting type string but got %v\n", obj) + logger.Info("incorrect type; expecting type 'string'", "obj", obj) return nil } // lookup data store @@ -204,7 +207,7 @@ func (gen *Generator) processNextWorkitem() bool { if reflect.DeepEqual(info, Info{}) { // empty key gen.queue.Forget(obj) - glog.Warningf("Got empty key %v\n", obj) + logger.Info("empty key") return nil } err := gen.syncHandler(info) @@ -212,22 +215,22 @@ func (gen *Generator) processNextWorkitem() bool { return nil }(obj) if err != nil { - glog.Error(err) + logger.Error(err, "failed to process item") return true } return true } func (gen *Generator) syncHandler(info Info) error { - glog.V(4).Infof("received info:%v", info) + logger := gen.log var handler pvGenerator builder := newPvBuilder() if info.Resource.GetNamespace() == "" { // cluster scope resource generate a clusterpolicy violation - handler = newClusterPV(gen.dclient, gen.cpvLister, gen.kyvernoInterface, gen.policyStatusListener) + handler = newClusterPV(gen.log.WithName("ClusterPV"), gen.dclient, gen.cpvLister, gen.kyvernoInterface, gen.policyStatusListener) } else { // namespaced resources generated a namespaced policy violation in the namespace of the resource - handler = newNamespacedPV(gen.dclient, gen.nspvLister, gen.kyvernoInterface, gen.policyStatusListener) + handler = newNamespacedPV(gen.log.WithName("NamespacedPV"), gen.dclient, gen.nspvLister, gen.kyvernoInterface, gen.policyStatusListener) } failure := false @@ -240,12 +243,10 @@ func (gen *Generator) syncHandler(info Info) error { } // Create Policy Violations - glog.V(3).Infof("Creating policy violation: %s", info.toKey()) + logger.V(4).Info("creating policy violation", "key", info.toKey()) if err := handler.create(pv); err != nil { failure = true - glog.V(3).Infof("Failed to create policy violation: %v", err) - } else { - glog.V(3).Infof("Policy violation created: %s", info.toKey()) + logger.Error(err, "failed to create policy violation") } if failure { diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go index ff32748d0b..5352e2a23a 100644 --- a/pkg/policyviolation/namespacedpv.go +++ b/pkg/policyviolation/namespacedpv.go @@ -2,9 +2,8 @@ package policyviolation import ( "fmt" - "reflect" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernov1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" @@ -21,11 +20,13 @@ type namespacedPV struct { nspvLister kyvernolister.PolicyViolationLister // policy violation interface kyvernoInterface kyvernov1.KyvernoV1Interface + // logger + log logr.Logger // update policy status with violationCount policyStatusListener policystatus.Listener } -func newNamespacedPV(dclient *client.Client, +func newNamespacedPV(log logr.Logger, dclient *client.Client, nspvLister kyvernolister.PolicyViolationLister, kyvernoInterface kyvernov1.KyvernoV1Interface, policyStatus policystatus.Listener, @@ -34,6 +35,7 @@ func newNamespacedPV(dclient *client.Client, dclient: dclient, nspvLister: nspvLister, kyvernoInterface: kyvernoInterface, + log: log, policyStatusListener: policyStatus, } return &nspv @@ -56,6 +58,7 @@ func (nspv *namespacedPV) create(pv kyverno.PolicyViolationTemplate) error { } func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.PolicyViolation, error) { + logger := nspv.log.WithValues("namespace", newPv.Namespace, "name", newPv.Name) var err error // use labels policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()} @@ -65,7 +68,7 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P } pvs, err := nspv.nspvLister.PolicyViolations(newPv.GetNamespace()).List(ls) if err != nil { - glog.Errorf("unable to list namespaced policy violations : %v", err) + logger.Error(err, "failed to list namespaced policy violations") return nil, err } @@ -82,39 +85,51 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.PolicyViolation) (*kyverno.P func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error { var err error - glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name) + logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name) + logger.V(4).Info("creating new policy violation") obj, err := retryGetResource(nspv.dclient, newPv.Spec.ResourceSpec) if err != nil { return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err) } + + if obj.GetDeletionTimestamp() != nil { + return nil + } + // set owner reference to resource - ownerRef := createOwnerReference(obj) + ownerRef, ok := createOwnerReference(obj) + if !ok { + return nil + } + newPv.SetOwnerReferences([]metav1.OwnerReference{ownerRef}) // create resource _, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Create(newPv) if err != nil { - glog.V(4).Infof("failed to create Cluster Policy Violation: %v", err) + logger.Error(err, "failed to create namespaced policy violation") return err } if newPv.Annotations["fromSync"] != "true" { nspv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules}) } - glog.Infof("policy violation created for resource %v", newPv.Spec.ResourceSpec) + logger.Info("namespaced policy violation created") return nil } func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error { + logger := nspv.log.WithValues("policy", newPv.Spec.Policy, "kind", newPv.Spec.ResourceSpec.Kind, "namespace", newPv.Spec.ResourceSpec.Namespace, "name", newPv.Spec.ResourceSpec.Name) var err error // check if there is any update - if reflect.DeepEqual(newPv.Spec, oldPv.Spec) { - glog.V(4).Infof("policy violation spec %v did not change so not updating it", newPv.Spec) + if !hasViolationSpecChanged(newPv.Spec.DeepCopy(), oldPv.Spec.DeepCopy()) { + logger.V(4).Info("policy violation spec did not change, not upadating the resource") return nil } // set name newPv.SetName(oldPv.Name) newPv.SetResourceVersion(oldPv.ResourceVersion) + newPv.SetOwnerReferences(oldPv.GetOwnerReferences()) // update resource _, err = nspv.kyvernoInterface.PolicyViolations(newPv.GetNamespace()).Update(newPv) if err != nil { @@ -124,6 +139,6 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error if newPv.Annotations["fromSync"] != "true" { nspv.policyStatusListener.Send(violationCount{policyName: newPv.Spec.Policy, violatedRules: newPv.Spec.ViolatedRules}) } - glog.Infof("namespaced policy violation updated for resource %v", newPv.Spec.ResourceSpec) + logger.Info("namespaced policy violation updated") return nil } diff --git a/pkg/policyviolation/policyStatus_test.go b/pkg/policyviolation/policyStatus_test.go index 8db26ae4a6..39f718ba13 100644 --- a/pkg/policyviolation/policyStatus_test.go +++ b/pkg/policyviolation/policyStatus_test.go @@ -33,7 +33,7 @@ func Test_Stats(t *testing.T) { }, }, }, - expectedOutput: []byte(`{"policy1":{"averageExecutionTime":"","violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]},"policy2":{"averageExecutionTime":"","violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]}}`), + expectedOutput: []byte(`{"policy1":{"violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]},"policy2":{"violationCount":1,"ruleStatus":[{"ruleName":"rule4","violationCount":1}]}}`), violationCountStats: []struct { policyName string violatedRules []v1.ViolatedRule diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go index 39eaeb7257..33e58656ac 100644 --- a/pkg/testrunner/scenario.go +++ b/pkg/testrunner/scenario.go @@ -3,7 +3,6 @@ package testrunner import ( "bytes" "encoding/json" - "flag" "io/ioutil" "os" ospath "path" @@ -19,7 +18,6 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/kubernetes/scheme" - "github.com/golang/glog" "gopkg.in/yaml.v2" apiyaml "k8s.io/apimachinery/pkg/util/yaml" ) @@ -163,7 +161,7 @@ func runTestCase(t *testing.T, tc scaseT) bool { er = engine.Generate(policyContext) t.Log(("---Generation---")) validateResponse(t, er.PolicyResponse, tc.Expected.Generation.PolicyResponse) - // Expected generate resource will be in same namesapces as resource + // Expected generate resource will be in same namespaces as resource validateGeneratedResources(t, client, *policy, resource.GetName(), tc.Expected.Generation.GeneratedResources) } } @@ -198,7 +196,7 @@ func validateResource(t *testing.T, responseResource unstructured.Unstructured, // load expected resource expectedResource := loadPolicyResource(t, expectedResourceFile) if expectedResource == nil { - t.Log("failed to get the expected resource") + t.Logf("failed to get the expected resource: %s", expectedResourceFile) return } @@ -308,7 +306,7 @@ func loadPolicyResource(t *testing.T, file string) *unstructured.Unstructured { func getClient(t *testing.T, files []string) *client.Client { var objects []runtime.Object if files != nil { - glog.V(4).Infof("loading resources: %v", files) + for _, file := range files { objects = loadObjects(t, file) } @@ -404,7 +402,7 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy { policy := kyverno.ClusterPolicy{} pBytes, err := apiyaml.ToJSON(p) if err != nil { - glog.Error(err) + t.Error(err) continue } @@ -427,7 +425,8 @@ func loadPolicy(t *testing.T, path string) *kyverno.ClusterPolicy { } func testScenario(t *testing.T, path string) { - flag.Set("logtostderr", "true") + + // flag.Set("logtostderr", "true") // flag.Set("v", "8") scenario, err := loadScenario(t, path) diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go index 6e13f58ded..163c34cf13 100644 --- a/pkg/testrunner/testrunner_test.go +++ b/pkg/testrunner/testrunner_test.go @@ -137,3 +137,7 @@ func Test_known_ingress(t *testing.T) { func Test_unknown_ingress(t *testing.T) { testScenario(t, "test/scenarios/samples/more/unknown_ingress_class.yaml") } + +func Test_mutate_pod_spec(t *testing.T) { + testScenario(t, "test/scenarios/other/scenario_mutate_pod_spec.yaml") +} diff --git a/pkg/testrunner/utils.go b/pkg/testrunner/utils.go index d888cdcdc6..6fdfb91c78 100644 --- a/pkg/testrunner/utils.go +++ b/pkg/testrunner/utils.go @@ -4,8 +4,8 @@ import ( "io/ioutil" "os" - "github.com/golang/glog" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" ) const ( @@ -42,7 +42,7 @@ func ConvertToUnstructured(data []byte) (*unstructured.Unstructured, error) { resource := &unstructured.Unstructured{} err := resource.UnmarshalJSON(data) if err != nil { - glog.V(4).Infof("failed to unmarshall resource: %v", err) + log.Log.Error(err, "failed to unmarshal resource") return nil, err } return resource, nil diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go index c91c9b922c..4acc08272d 100644 --- a/pkg/tls/tls.go +++ b/pkg/tls/tls.go @@ -142,5 +142,6 @@ func IsTLSPairShouldBeUpdated(tlsPair *TlsPemPair) bool { return true } + // TODO : should use time.Until instead of t.Sub(time.Now()) (gosimple) return expirationDate.Sub(time.Now()) < timeReserveBeforeCertificateExpiration } diff --git a/pkg/userinfo/roleRef.go b/pkg/userinfo/roleRef.go index ac089bc041..93517dd1c9 100644 --- a/pkg/userinfo/roleRef.go +++ b/pkg/userinfo/roleRef.go @@ -4,12 +4,14 @@ import ( "fmt" "strings" - "github.com/golang/glog" + "github.com/nirmata/kyverno/pkg/engine" + "github.com/nirmata/kyverno/pkg/utils" v1beta1 "k8s.io/api/admission/v1beta1" authenticationv1 "k8s.io/api/authentication/v1" rbacv1 "k8s.io/api/rbac/v1" labels "k8s.io/apimachinery/pkg/labels" rbaclister "k8s.io/client-go/listers/rbac/v1" + "sigs.k8s.io/controller-runtime/pkg/log" ) const ( @@ -20,6 +22,11 @@ const ( //GetRoleRef gets the list of roles and cluster roles for the incoming api-request func GetRoleRef(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, request *v1beta1.AdmissionRequest) (roles []string, clusterRoles []string, err error) { + keys := append(request.UserInfo.Groups, request.UserInfo.Username) + if utils.SliceContains(keys, engine.ExcludeUserInfo...) { + return + } + // rolebindings roleBindings, err := rbLister.List(labels.NewSelector()) if err != nil { @@ -101,10 +108,10 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo func matchServiceAccount(subject rbacv1.Subject, userInfo authenticationv1.UserInfo) bool { subjectServiceAccount := subject.Namespace + ":" + subject.Name if userInfo.Username[len(SaPrefix):] != subjectServiceAccount { - glog.V(3).Infof("service account not match, expect %s, got %s", subjectServiceAccount, userInfo.Username[len(SaPrefix):]) return false } + log.Log.V(3).Info(fmt.Sprintf("found a matched service account not match: %s", subjectServiceAccount)) return true } @@ -113,10 +120,10 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo keys := append(userInfo.Groups, userInfo.Username) for _, key := range keys { if subject.Name == key { + log.Log.V(3).Info(fmt.Sprintf("found a matched user/group '%v' in request userInfo: %v", subject.Name, keys)) return true } } - glog.V(3).Infof("user/group '%v' info not found in request userInfo: %v", subject.Name, keys) return false } diff --git a/pkg/userinfo/roleRef_test.go b/pkg/userinfo/roleRef_test.go index 3929c38577..003bbe2cd6 100644 --- a/pkg/userinfo/roleRef_test.go +++ b/pkg/userinfo/roleRef_test.go @@ -1,7 +1,6 @@ package userinfo import ( - "flag" "reflect" "testing" @@ -153,9 +152,10 @@ func newRoleBinding(name, ns string, subjects []rbacv1.Subject, roles rbacv1.Rol } func Test_getRoleRefByRoleBindings(t *testing.T) { - flag.Parse() - flag.Set("logtostderr", "true") - flag.Set("v", "3") + + // flag.Parse() + // flag.Set("logtostderr", "true") + // flag.Set("v", "3") list := make([]*rbacv1.RoleBinding, 2) diff --git a/pkg/utils/json.go b/pkg/utils/json.go index 471714958f..23eec81ffb 100644 --- a/pkg/utils/json.go +++ b/pkg/utils/json.go @@ -1,5 +1,12 @@ package utils +import ( + "encoding/json" + "reflect" + + v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" +) + // JoinPatches joins array of serialized JSON patches to the single JSONPatch array func JoinPatches(patches [][]byte) []byte { var result []byte @@ -17,3 +24,42 @@ func JoinPatches(patches [][]byte) []byte { result = append(result, []byte("\n]")...) return result } + +// MarshalPolicy accurately marshals a policy to JSON, +// normal marshal would cause empty sub structs in +// policy to be non nil. +// TODO This needs to be removed. A simpler way to encode and decode Policy is needed. +func MarshalPolicy(policy v1.ClusterPolicy) []byte { + var rules []interface{} + rulesRaw, _ := json.Marshal(policy.Spec.Rules) + _ = json.Unmarshal(rulesRaw, &rules) + for i, r := range rules { + rule, _ := r.(map[string]interface{}) + + if reflect.DeepEqual(policy.Spec.Rules[i].Mutation, v1.Mutation{}) { + delete(rule, "mutate") + } + if reflect.DeepEqual(policy.Spec.Rules[i].Validation, v1.Validation{}) { + delete(rule, "validate") + } + if reflect.DeepEqual(policy.Spec.Rules[i].Generation, v1.Generation{}) { + delete(rule, "generate") + } + + rules[i] = rule + } + + var policyRepresentation = make(map[string]interface{}) + policyRaw, _ := json.Marshal(policy) + _ = json.Unmarshal(policyRaw, &policyRepresentation) + + specRepresentation, _ := policyRepresentation["spec"].(map[string]interface{}) + + specRepresentation["rules"] = rules + + policyRepresentation["spec"] = specRepresentation + + policyRaw, _ = json.Marshal(policyRepresentation) + + return policyRaw +} diff --git a/pkg/utils/util.go b/pkg/utils/util.go index c6c41f4be0..13920a02c4 100644 --- a/pkg/utils/util.go +++ b/pkg/utils/util.go @@ -1,10 +1,16 @@ package utils import ( + "fmt" "reflect" + "regexp" + "strconv" - "github.com/golang/glog" + engineutils "github.com/nirmata/kyverno/pkg/engine/utils" + "k8s.io/api/admission/v1beta1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "github.com/go-logr/logr" "github.com/minio/minio/pkg/wildcard" client "github.com/nirmata/kyverno/pkg/dclient" dclient "github.com/nirmata/kyverno/pkg/dclient" @@ -59,14 +65,15 @@ func Btoi(b bool) int { } //CRDInstalled to check if the CRD is installed or not -func CRDInstalled(discovery client.IDiscovery) bool { +func CRDInstalled(discovery client.IDiscovery, log logr.Logger) bool { + logger := log.WithName("CRDInstalled") check := func(kind string) bool { gvr := discovery.GetGVRFromKind(kind) if reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) { - glog.Errorf("%s CRD not installed", kind) + logger.Info("CRD not installed", "kind", kind) return false } - glog.Infof("CRD %s found ", kind) + logger.Info("CRD found", "kind", kind) return true } if !check("ClusterPolicy") || !check("ClusterPolicyViolation") || !check("PolicyViolation") { @@ -77,11 +84,108 @@ func CRDInstalled(discovery client.IDiscovery) bool { //CleanupOldCrd deletes any existing NamespacedPolicyViolation resources in cluster // If resource violates policy, new Violations will be generated -func CleanupOldCrd(client *dclient.Client) { +func CleanupOldCrd(client *dclient.Client, log logr.Logger) { + logger := log.WithName("CleanupOldCrd") gvr := client.DiscoveryClient.GetGVRFromKind("NamespacedPolicyViolation") if !reflect.DeepEqual(gvr, (schema.GroupVersionResource{})) { if err := client.DeleteResource("CustomResourceDefinition", "", "namespacedpolicyviolations.kyverno.io", false); err != nil { - glog.Infof("Failed to remove previous CRD namespacedpolicyviolations: %v", err) + logger.Error(err, "Failed to remove prevous CRD", "kind", "namespacedpolicyviolation") } } } + +// extracts the new and old resource as unstructured +func ExtractResources(newRaw []byte, request *v1beta1.AdmissionRequest) (unstructured.Unstructured, unstructured.Unstructured, error) { + var emptyResource unstructured.Unstructured + var newResource unstructured.Unstructured + var oldResource unstructured.Unstructured + var err error + + // New Resource + if newRaw == nil { + newRaw = request.Object.Raw + } + + if newRaw != nil { + newResource, err = ConvertResource(newRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace) + if err != nil { + return emptyResource, emptyResource, fmt.Errorf("failed to convert new raw to unstructured: %v", err) + } + } + + // Old Resource + oldRaw := request.OldObject.Raw + if oldRaw != nil { + oldResource, err = ConvertResource(oldRaw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace) + if err != nil { + return emptyResource, emptyResource, fmt.Errorf("failed to convert old raw to unstructured: %v", err) + } + } + + return newResource, oldResource, err +} + +// convertResource converts raw bytes to an unstructured object +func ConvertResource(raw []byte, group, version, kind, namespace string) (unstructured.Unstructured, error) { + obj, err := engineutils.ConvertToUnstructured(raw) + if err != nil { + return unstructured.Unstructured{}, fmt.Errorf("failed to convert raw to unstructured: %v", err) + } + + obj.SetGroupVersionKind(schema.GroupVersionKind{Group: group, Version: version, Kind: kind}) + obj.SetNamespace(namespace) + return *obj, nil +} + +// HigherThanKubernetesVersion compare kuberneates client version to user given version +func HigherThanKubernetesVersion(client *client.Client, log logr.Logger, k8smajor, k8sminor, k8ssub int) bool { + logger := log.WithName("CompareKubernetesVersion") + serverVersion, err := client.DiscoveryClient.GetServerVersion() + if err != nil { + logger.Error(err, "Failed to get kubernetes server version") + return false + } + exp := regexp.MustCompile(`v(\d*).(\d*).(\d*)`) + groups := exp.FindAllStringSubmatch(serverVersion.String(), -1) + if len(groups) != 1 || len(groups[0]) != 4 { + logger.Error(err, "Failed to extract kubernetes server version", "serverVersion", serverVersion) + return false + } + // convert string to int + // assuming the version are always intergers + major, err := strconv.Atoi(groups[0][1]) + if err != nil { + logger.Error(err, "Failed to extract kubernetes major server version", "serverVersion", serverVersion) + return false + } + minor, err := strconv.Atoi(groups[0][2]) + if err != nil { + logger.Error(err, "Failed to extract kubernetes minor server version", "serverVersion", serverVersion) + return false + } + sub, err := strconv.Atoi(groups[0][3]) + if err != nil { + logger.Error(err, "Failed to extract kubernetes sub minor server version", "serverVersion", serverVersion) + return false + } + if major <= k8smajor && minor <= k8sminor && sub < k8ssub { + return false + } + return true +} + +func SliceContains(slice []string, values ...string) bool { + + var sliceElementsMap = make(map[string]bool, len(slice)) + for _, sliceElement := range slice { + sliceElementsMap[sliceElement] = true + } + + for _, value := range values { + if sliceElementsMap[value] { + return true + } + } + + return false +} diff --git a/pkg/version/version.go b/pkg/version/version.go index ef768a35bf..8d9303d204 100644 --- a/pkg/version/version.go +++ b/pkg/version/version.go @@ -1,7 +1,7 @@ package version import ( - "github.com/golang/glog" + "github.com/go-logr/logr" ) // These fields are set during an official build @@ -13,8 +13,8 @@ var ( ) //PrintVersionInfo displays the kyverno version - git version -func PrintVersionInfo() { - glog.Infof("Kyverno version: %s\n", BuildVersion) - glog.Infof("Kyverno BuildHash: %s\n", BuildHash) - glog.Infof("Kyverno BuildTime: %s\n", BuildTime) +func PrintVersionInfo(log logr.Logger) { + log.Info("Kyverno", "Version", BuildVersion) + log.Info("Kyverno", "BuildHash", BuildHash) + log.Info("Kyverno", "BuildTime", BuildTime) } diff --git a/pkg/webhookconfig/checker.go b/pkg/webhookconfig/checker.go index ee85f36c35..50a8c100f2 100644 --- a/pkg/webhookconfig/checker.go +++ b/pkg/webhookconfig/checker.go @@ -4,7 +4,6 @@ import ( "fmt" "sync" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" admregapi "k8s.io/api/admissionregistration/v1beta1" errorsapi "k8s.io/apimachinery/pkg/api/errors" @@ -19,8 +18,8 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat wrc.constructOwner(), }, }, - Webhooks: []admregapi.Webhook{ - generateWebhook( + Webhooks: []admregapi.MutatingWebhook{ + generateMutatingWebhook( config.VerifyMutatingWebhookName, config.VerifyMutatingWebhookServicePath, caData, @@ -36,14 +35,15 @@ func (wrc *WebhookRegistrationClient) constructVerifyMutatingWebhookConfig(caDat } func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { + logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.VerifyMutatingWebhookServicePath) - glog.V(4).Infof("Debug VerifyMutatingWebhookConfig is registered with url %s\n", url) + logger.V(4).Info("Debug VerifyMutatingWebhookConfig is registered with url", "url", url) return &admregapi.MutatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.VerifyMutatingWebhookConfigurationDebugName, }, - Webhooks: []admregapi.Webhook{ - generateDebugWebhook( + Webhooks: []admregapi.MutatingWebhook{ + generateDebugMutatingWebhook( config.VerifyMutatingWebhookName, url, caData, @@ -60,7 +60,7 @@ func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig( func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(wg *sync.WaitGroup) { defer wg.Done() - // Mutating webhook configuration + var err error var mutatingConfig string if wrc.serverIP != "" { @@ -68,13 +68,18 @@ func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(w } else { mutatingConfig = config.VerifyMutatingWebhookConfigurationName } - glog.V(4).Infof("removing webhook configuration %s", mutatingConfig) + + logger := wrc.log.WithValues("name", mutatingConfig) err = wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false) if errorsapi.IsNotFound(err) { - glog.V(4).Infof("verify webhook configuration %s, does not exits. not deleting", mutatingConfig) - } else if err != nil { - glog.Errorf("failed to delete verify webhook configuration %s: %v", mutatingConfig, err) - } else { - glog.V(4).Infof("successfully deleted verify webhook configuration %s", mutatingConfig) + logger.V(5).Info("verify webhook configuration not found") + return } + + if err != nil { + logger.Error(err, "failed to delete verify wwebhook configuration") + return + } + + logger.V(4).Info("successfully deleted verify webhook configuration") } diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go index d73fcafb13..2b1c17f6e0 100644 --- a/pkg/webhookconfig/common.go +++ b/pkg/webhookconfig/common.go @@ -3,7 +3,6 @@ package webhookconfig import ( "io/ioutil" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" admregapi "k8s.io/api/admissionregistration/v1beta1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -11,20 +10,21 @@ import ( ) func (wrc *WebhookRegistrationClient) readCaData() []byte { + logger := wrc.log var caData []byte // Check if ca is defined in the secret tls-ca // assume the key and signed cert have been defined in secret tls.kyverno if caData = wrc.client.ReadRootCASecret(); len(caData) != 0 { - glog.V(4).Infof("read CA from secret") + logger.V(4).Info("read CA from secret") return caData } - glog.V(4).Infof("failed to read CA from secret, reading from kubeconfig") + logger.V(4).Info("failed to read CA from secret, reading from kubeconfig") // load the CA from kubeconfig if caData = extractCA(wrc.clientConfig); len(caData) != 0 { - glog.V(4).Infof("read CA from kubeconfig") + logger.V(4).Info("read CA from kubeconfig") return caData } - glog.V(4).Infof("failed to read CA from kubeconfig") + logger.V(4).Info("failed to read CA from kubeconfig") return nil } @@ -46,10 +46,11 @@ func extractCA(config *rest.Config) (result []byte) { } func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference { + logger := wrc.log kubePolicyDeployment, err := wrc.client.GetKubePolicyDeployment() if err != nil { - glog.Errorf("Error when constructing OwnerReference, err: %v\n", err) + logger.Error(err, "failed to construct OwnerReference") return v1.OwnerReference{} } @@ -61,10 +62,11 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference { } } -func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook { +// debug mutating webhook +func generateDebugMutatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook { sideEffect := admregapi.SideEffectClassNoneOnDryRun failurePolicy := admregapi.Ignore - return admregapi.Webhook{ + return admregapi.MutatingWebhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{ URL: &url, @@ -93,10 +95,116 @@ func generateDebugWebhook(name, url string, caData []byte, validate bool, timeou } } -func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook { +func generateDebugValidatingWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook { sideEffect := admregapi.SideEffectClassNoneOnDryRun failurePolicy := admregapi.Ignore - return admregapi.Webhook{ + return admregapi.ValidatingWebhook{ + Name: name, + ClientConfig: admregapi.WebhookClientConfig{ + URL: &url, + CABundle: caData, + }, + SideEffects: &sideEffect, + Rules: []admregapi.RuleWithOperations{ + admregapi.RuleWithOperations{ + Operations: operationTypes, + Rule: admregapi.Rule{ + APIGroups: []string{ + apiGroups, + }, + APIVersions: []string{ + apiVersions, + }, + Resources: []string{ + resource, + }, + }, + }, + }, + AdmissionReviewVersions: []string{"v1beta1"}, + TimeoutSeconds: &timeoutSeconds, + FailurePolicy: &failurePolicy, + } +} + +// func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook { +// sideEffect := admregapi.SideEffectClassNoneOnDryRun +// failurePolicy := admregapi.Ignore +// return admregapi.Webhook{ +// Name: name, +// ClientConfig: admregapi.WebhookClientConfig{ +// Service: &admregapi.ServiceReference{ +// Namespace: config.KubePolicyNamespace, +// Name: config.WebhookServiceName, +// Path: &servicePath, +// }, +// CABundle: caData, +// }, +// SideEffects: &sideEffect, +// Rules: []admregapi.RuleWithOperations{ +// admregapi.RuleWithOperations{ +// Operations: operationTypes, +// Rule: admregapi.Rule{ +// APIGroups: []string{ +// apiGroups, +// }, +// APIVersions: []string{ +// apiVersions, +// }, +// Resources: []string{ +// resource, +// }, +// }, +// }, +// }, +// AdmissionReviewVersions: []string{"v1beta1"}, +// TimeoutSeconds: &timeoutSeconds, +// FailurePolicy: &failurePolicy, +// } +// } + +// mutating webhook +func generateMutatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.MutatingWebhook { + sideEffect := admregapi.SideEffectClassNoneOnDryRun + failurePolicy := admregapi.Ignore + return admregapi.MutatingWebhook{ + Name: name, + ClientConfig: admregapi.WebhookClientConfig{ + Service: &admregapi.ServiceReference{ + Namespace: config.KubePolicyNamespace, + Name: config.WebhookServiceName, + Path: &servicePath, + }, + CABundle: caData, + }, + SideEffects: &sideEffect, + Rules: []admregapi.RuleWithOperations{ + admregapi.RuleWithOperations{ + Operations: operationTypes, + Rule: admregapi.Rule{ + APIGroups: []string{ + apiGroups, + }, + APIVersions: []string{ + apiVersions, + }, + Resources: []string{ + resource, + }, + }, + }, + }, + AdmissionReviewVersions: []string{"v1beta1"}, + TimeoutSeconds: &timeoutSeconds, + FailurePolicy: &failurePolicy, + } +} + +// validating webhook +func generateValidatingWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.ValidatingWebhook { + sideEffect := admregapi.SideEffectClassNoneOnDryRun + failurePolicy := admregapi.Ignore + return admregapi.ValidatingWebhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{ Service: &admregapi.ServiceReference{ diff --git a/pkg/webhookconfig/policy.go b/pkg/webhookconfig/policy.go index d1798a54e5..da9fa0fa8a 100644 --- a/pkg/webhookconfig/policy.go +++ b/pkg/webhookconfig/policy.go @@ -3,7 +3,6 @@ package webhookconfig import ( "fmt" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" admregapi "k8s.io/api/admissionregistration/v1beta1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -18,8 +17,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa wrc.constructOwner(), }, }, - Webhooks: []admregapi.Webhook{ - generateWebhook( + Webhooks: []admregapi.ValidatingWebhook{ + generateValidatingWebhook( config.PolicyValidatingWebhookName, config.PolicyValidatingWebhookServicePath, caData, @@ -35,15 +34,16 @@ func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig(caDa } func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration { + logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath) - glog.V(4).Infof("Debug PolicyValidatingWebhookConfig is registered with url %s\n", url) + logger.V(4).Info("Debug PolicyValidatingWebhookConfig is registered with url ", "url", url) return &admregapi.ValidatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.PolicyValidatingWebhookConfigurationDebugName, }, - Webhooks: []admregapi.Webhook{ - generateDebugWebhook( + Webhooks: []admregapi.ValidatingWebhook{ + generateDebugValidatingWebhook( config.PolicyValidatingWebhookName, url, caData, @@ -66,8 +66,8 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData wrc.constructOwner(), }, }, - Webhooks: []admregapi.Webhook{ - generateWebhook( + Webhooks: []admregapi.MutatingWebhook{ + generateMutatingWebhook( config.PolicyMutatingWebhookName, config.PolicyMutatingWebhookServicePath, caData, @@ -82,15 +82,16 @@ func (wrc *WebhookRegistrationClient) contructPolicyMutatingWebhookConfig(caData } } func (wrc *WebhookRegistrationClient) contructDebugPolicyMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { + logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyMutatingWebhookServicePath) - glog.V(4).Infof("Debug PolicyMutatingWebhookConfig is registered with url %s\n", url) + logger.V(4).Info("Debug PolicyMutatingWebhookConfig is registered with url ", "url", url) return &admregapi.MutatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.PolicyMutatingWebhookConfigurationDebugName, }, - Webhooks: []admregapi.Webhook{ - generateDebugWebhook( + Webhooks: []admregapi.MutatingWebhook{ + generateDebugMutatingWebhook( config.PolicyMutatingWebhookName, url, caData, diff --git a/pkg/webhookconfig/registration.go b/pkg/webhookconfig/registration.go index 8db0cba73c..9dd7ef1eb6 100644 --- a/pkg/webhookconfig/registration.go +++ b/pkg/webhookconfig/registration.go @@ -2,10 +2,11 @@ package webhookconfig import ( "errors" + "fmt" "sync" "time" - "github.com/golang/glog" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/config" client "github.com/nirmata/kyverno/pkg/dclient" admregapi "k8s.io/api/admissionregistration/v1beta1" @@ -27,6 +28,7 @@ type WebhookRegistrationClient struct { // serverIP should be used if running Kyverno out of clutser serverIP string timeoutSeconds int32 + log logr.Logger } // NewWebhookRegistrationClient creates new WebhookRegistrationClient instance @@ -34,19 +36,22 @@ func NewWebhookRegistrationClient( clientConfig *rest.Config, client *client.Client, serverIP string, - webhookTimeout int32) *WebhookRegistrationClient { + webhookTimeout int32, + log logr.Logger) *WebhookRegistrationClient { return &WebhookRegistrationClient{ clientConfig: clientConfig, client: client, serverIP: serverIP, timeoutSeconds: webhookTimeout, + log: log.WithName("WebhookRegistrationClient"), } } // Register creates admission webhooks configs on cluster func (wrc *WebhookRegistrationClient) Register() error { + logger := wrc.log.WithName("Register") if wrc.serverIP != "" { - glog.Infof("Registering webhook with url https://%s\n", wrc.serverIP) + logger.V(4).Info("Registering webhook", "url", fmt.Sprintf("https://%s", wrc.serverIP)) } // For the case if cluster already has this configs @@ -88,6 +93,7 @@ func (wrc *WebhookRegistrationClient) RemoveWebhookConfigurations(cleanUp chan<- // used to forward request to kyverno webhooks to apply policeis // Mutationg webhook is be used for Mutating purpose func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration() error { + logger := wrc.log var caData []byte var config *admregapi.MutatingWebhookConfiguration @@ -108,16 +114,17 @@ func (wrc *WebhookRegistrationClient) CreateResourceMutatingWebhookConfiguration } _, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false) if errorsapi.IsAlreadyExists(err) { - glog.V(4).Infof("resource mutating webhook configuration %s, already exists. not creating one", config.Name) + logger.V(6).Info("resource mutating webhook configuration already exists", "name", config.Name) return nil } if err != nil { - glog.V(4).Infof("failed to create resource mutating webhook configuration %s: %v", config.Name, err) + logger.Error(err, "failed to create resource mutating webhook configuration", "name", config.Name) return err } return nil } +//CreateResourceValidatingWebhookConfiguration ... func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfiguration() error { var caData []byte var config *admregapi.ValidatingWebhookConfiguration @@ -134,14 +141,15 @@ func (wrc *WebhookRegistrationClient) CreateResourceValidatingWebhookConfigurati // clientConfig - service config = wrc.constructValidatingWebhookConfig(caData) } + logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name) _, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false) if errorsapi.IsAlreadyExists(err) { - glog.V(4).Infof("resource validating webhook configuration %s, already exists. not creating one", config.Name) + logger.V(6).Info("resource validating webhook configuration already exists", "name", config.Name) return nil } if err != nil { - glog.V(4).Infof("failed to create resource validating webhook configuration %s: %v", config.Name, err) + logger.Error(err, "failed to create resource") return err } return nil @@ -168,20 +176,19 @@ func (wrc *WebhookRegistrationClient) createPolicyValidatingWebhookConfiguration // clientConfig - service config = wrc.contructPolicyValidatingWebhookConfig(caData) } + logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", config.Name) // create validating webhook configuration resource if _, err := wrc.client.CreateResource(ValidatingWebhookConfigurationKind, "", *config, false); err != nil { return err } - - glog.V(4).Infof("created Validating Webhook Configuration %s ", config.Name) + logger.V(4).Info("created resource") return nil } func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration() error { var caData []byte var config *admregapi.MutatingWebhookConfiguration - // read CA data from // 1) secret(config) // 2) kubeconfig @@ -203,8 +210,7 @@ func (wrc *WebhookRegistrationClient) createPolicyMutatingWebhookConfiguration() if _, err := wrc.client.CreateResource(MutatingWebhookConfigurationKind, "", *config, false); err != nil { return err } - - glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name) + wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name) return nil } @@ -234,7 +240,7 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration() return err } - glog.V(4).Infof("created Mutating Webhook Configuration %s ", config.Name) + wrc.log.V(4).Info("reated Mutating Webhook Configuration", "name", config.Name) return nil } @@ -243,20 +249,23 @@ func (wrc *WebhookRegistrationClient) createVerifyMutatingWebhookConfiguration() // Register will fail if the config exists, so there is no need to fail on error func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() { startTime := time.Now() - glog.V(4).Infof("Started cleaning up webhookconfigurations") + wrc.log.Info("removing prior webhook configurations") defer func() { - glog.V(4).Infof("Finished cleaning up webhookcongfigurations (%v)", time.Since(startTime)) + wrc.log.V(4).Info("removed webhookcongfigurations", "processingTime", time.Since(startTime)) }() var wg sync.WaitGroup wg.Add(5) + // mutating and validating webhook configuration for Kubernetes resources go wrc.removeResourceMutatingWebhookConfiguration(&wg) go wrc.removeResourceValidatingWebhookConfiguration(&wg) + // mutating and validating webhook configurtion for Policy CRD resource go wrc.removePolicyMutatingWebhookConfiguration(&wg) go wrc.removePolicyValidatingWebhookConfiguration(&wg) + // mutating webhook configuration for verifying webhook go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg) @@ -269,21 +278,19 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() { func (wrc *WebhookRegistrationClient) removeResourceMutatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() if err := wrc.RemoveResourceMutatingWebhookConfiguration(); err != nil { - glog.Error(err) + wrc.log.Error(err, "failed to remove resource mutating webhook configuration") } } func (wrc *WebhookRegistrationClient) removeResourceValidatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() if err := wrc.RemoveResourceValidatingWebhookConfiguration(); err != nil { - glog.Error(err) + wrc.log.Error(err, "failed to remove resource validation webhook configuration") } } -// delete policy mutating webhookconfigurations -// handle wait group func (wrc *WebhookRegistrationClient) removePolicyMutatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - // Mutating webhook configuration + var mutatingConfig string if wrc.serverIP != "" { mutatingConfig = config.PolicyMutatingWebhookConfigurationDebugName @@ -291,35 +298,48 @@ func (wrc *WebhookRegistrationClient) removePolicyMutatingWebhookConfiguration(w mutatingConfig = config.PolicyMutatingWebhookConfigurationName } - glog.V(4).Infof("removing webhook configuration %s", mutatingConfig) + logger := wrc.log.WithValues("name", mutatingConfig) err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", mutatingConfig, false) if errorsapi.IsNotFound(err) { - glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", mutatingConfig) - } else if err != nil { - glog.Errorf("failed to delete policy webhook configuration %s: %v", mutatingConfig, err) - } else { - glog.V(4).Infof("successfully deleted policy webhook configuration %s", mutatingConfig) + logger.V(5).Info("policy mutating webhook configuration not found") + return } + + if err != nil { + logger.Error(err, "failed to delete policy mutating webhook configuration") + return + } + + logger.V(4).Info("successfully deleted policy mutating webhook configutation") } -// delete policy validating webhookconfigurations -// handle wait group func (wrc *WebhookRegistrationClient) removePolicyValidatingWebhookConfiguration(wg *sync.WaitGroup) { defer wg.Done() - // Validating webhook configuration + var validatingConfig string if wrc.serverIP != "" { validatingConfig = config.PolicyValidatingWebhookConfigurationDebugName } else { validatingConfig = config.PolicyValidatingWebhookConfigurationName } - glog.V(4).Infof("removing webhook configuration %s", validatingConfig) + + logger := wrc.log.WithValues("name", validatingConfig) + logger.V(4).Info("removing validating webhook configuration") err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", validatingConfig, false) if errorsapi.IsNotFound(err) { - glog.V(4).Infof("policy webhook configuration %s, does not exits. not deleting", validatingConfig) - } else if err != nil { - glog.Errorf("failed to delete policy webhook configuration %s: %v", validatingConfig, err) - } else { - glog.V(4).Infof("successfully deleted policy webhook configuration %s", validatingConfig) + logger.V(5).Info("policy validating webhook configuration not found") + return } + + if err != nil { + logger.Error(err, "failed to delete policy validating webhook configuration") + return + } + + logger.V(4).Info("successfully deleted policy validating webhook configutation") +} + +// GetWebhookTimeOut returns the value of webhook timeout +func (wrc *WebhookRegistrationClient) GetWebhookTimeOut() time.Duration { + return time.Duration(wrc.timeoutSeconds) } diff --git a/pkg/webhookconfig/resource.go b/pkg/webhookconfig/resource.go index 090c33636a..462e243627 100644 --- a/pkg/webhookconfig/resource.go +++ b/pkg/webhookconfig/resource.go @@ -3,7 +3,6 @@ package webhookconfig import ( "fmt" - "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" admregapi "k8s.io/api/admissionregistration/v1beta1" "k8s.io/apimachinery/pkg/api/errors" @@ -11,15 +10,15 @@ import ( ) func (wrc *WebhookRegistrationClient) constructDebugMutatingWebhookConfig(caData []byte) *admregapi.MutatingWebhookConfiguration { + logger := wrc.log url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.MutatingWebhookServicePath) - glog.V(4).Infof("Debug MutatingWebhookConfig is registered with url %s\n", url) - + logger.V(4).Info("Debug MutatingWebhookConfig registered", "url", url) return &admregapi.MutatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.MutatingWebhookConfigurationDebugName, }, - Webhooks: []admregapi.Webhook{ - generateDebugWebhook( + Webhooks: []admregapi.MutatingWebhook{ + generateDebugMutatingWebhook( config.MutatingWebhookName, url, caData, @@ -42,8 +41,8 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by wrc.constructOwner(), }, }, - Webhooks: []admregapi.Webhook{ - generateWebhook( + Webhooks: []admregapi.MutatingWebhook{ + generateMutatingWebhook( config.MutatingWebhookName, config.MutatingWebhookServicePath, caData, @@ -58,7 +57,7 @@ func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(caData []by } } -//GetResourceMutatingWebhookConfigName provi +//GetResourceMutatingWebhookConfigName returns the webhook configuration name func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() string { if wrc.serverIP != "" { return config.MutatingWebhookConfigurationDebugName @@ -68,32 +67,33 @@ func (wrc *WebhookRegistrationClient) GetResourceMutatingWebhookConfigName() str //RemoveResourceMutatingWebhookConfiguration removes mutating webhook configuration for all resources func (wrc *WebhookRegistrationClient) RemoveResourceMutatingWebhookConfiguration() error { - configName := wrc.GetResourceMutatingWebhookConfigName() + logger := wrc.log.WithValues("kind", MutatingWebhookConfigurationKind, "name", configName) // delete webhook configuration err := wrc.client.DeleteResource(MutatingWebhookConfigurationKind, "", configName, false) if errors.IsNotFound(err) { - glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName) + logger.V(5).Info("webhook configuration not found") return nil } + if err != nil { - glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err) + logger.V(4).Info("failed to delete webhook configuration") return err } - glog.V(4).Infof("deleted resource webhook configuration %s", configName) + + logger.V(4).Info("deleted webhook configuration") return nil } func (wrc *WebhookRegistrationClient) constructDebugValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration { url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.ValidatingWebhookServicePath) - glog.V(4).Infof("Debug ValidatingWebhookConfig is registered with url %s\n", url) return &admregapi.ValidatingWebhookConfiguration{ ObjectMeta: v1.ObjectMeta{ Name: config.ValidatingWebhookConfigurationDebugName, }, - Webhooks: []admregapi.Webhook{ - generateDebugWebhook( + Webhooks: []admregapi.ValidatingWebhook{ + generateDebugValidatingWebhook( config.ValidatingWebhookName, url, caData, @@ -102,7 +102,7 @@ func (wrc *WebhookRegistrationClient) constructDebugValidatingWebhookConfig(caDa "*/*", "*", "*", - []admregapi.OperationType{admregapi.Create, admregapi.Update}, + []admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete}, ), }, } @@ -116,8 +116,8 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData [] wrc.constructOwner(), }, }, - Webhooks: []admregapi.Webhook{ - generateWebhook( + Webhooks: []admregapi.ValidatingWebhook{ + generateValidatingWebhook( config.ValidatingWebhookName, config.ValidatingWebhookServicePath, caData, @@ -126,30 +126,36 @@ func (wrc *WebhookRegistrationClient) constructValidatingWebhookConfig(caData [] "*/*", "*", "*", - []admregapi.OperationType{admregapi.Create, admregapi.Update}, + []admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete}, ), }, } } +// GetResourceValidatingWebhookConfigName returns the webhook configuration name func (wrc *WebhookRegistrationClient) GetResourceValidatingWebhookConfigName() string { if wrc.serverIP != "" { return config.ValidatingWebhookConfigurationDebugName } + return config.ValidatingWebhookConfigurationName } +// RemoveResourceValidatingWebhookConfiguration deletes an existing webhook configuration func (wrc *WebhookRegistrationClient) RemoveResourceValidatingWebhookConfiguration() error { configName := wrc.GetResourceValidatingWebhookConfigName() + logger := wrc.log.WithValues("kind", ValidatingWebhookConfigurationKind, "name", configName) err := wrc.client.DeleteResource(ValidatingWebhookConfigurationKind, "", configName, false) if errors.IsNotFound(err) { - glog.V(4).Infof("resource webhook configuration %s does not exits, so not deleting", configName) + logger.V(5).Info("webhook configuration not found") return nil } + if err != nil { - glog.V(4).Infof("failed to delete resource webhook configuration %s: %v", configName, err) + logger.Error(err, "failed to delete the webhook configuration") return err } - glog.V(4).Infof("deleted resource webhook configuration %s", configName) + + logger.Info("webhook configuration deleted") return nil } diff --git a/pkg/webhookconfig/rwebhookregister.go b/pkg/webhookconfig/rwebhookregister.go index aacdc72b9f..38a3fbfb7a 100644 --- a/pkg/webhookconfig/rwebhookregister.go +++ b/pkg/webhookconfig/rwebhookregister.go @@ -3,7 +3,7 @@ package webhookconfig import ( "time" - "github.com/golang/glog" + "github.com/go-logr/logr" checker "github.com/nirmata/kyverno/pkg/checker" "github.com/tevino/abool" mconfiginformer "k8s.io/client-go/informers/admissionregistration/v1beta1" @@ -14,15 +14,16 @@ import ( //ResourceWebhookRegister manages the resource webhook registration type ResourceWebhookRegister struct { // pendingCreation indicates the status of resource webhook creation - pendingCreation *abool.AtomicBool - LastReqTime *checker.LastReqTime - mwebhookconfigSynced cache.InformerSynced - vwebhookconfigSynced cache.InformerSynced - // list/get mutatingwebhookconfigurations + pendingMutateWebhookCreation *abool.AtomicBool + pendingValidateWebhookCreation *abool.AtomicBool + LastReqTime *checker.LastReqTime + mwebhookconfigSynced cache.InformerSynced + vwebhookconfigSynced cache.InformerSynced mWebhookConfigLister mconfiglister.MutatingWebhookConfigurationLister vWebhookConfigLister mconfiglister.ValidatingWebhookConfigurationLister webhookRegistrationClient *WebhookRegistrationClient RunValidationInMutatingWebhook string + log logr.Logger } // NewResourceWebhookRegister returns a new instance of ResourceWebhookRegister manager @@ -32,9 +33,11 @@ func NewResourceWebhookRegister( vconfigwebhookinformer mconfiginformer.ValidatingWebhookConfigurationInformer, webhookRegistrationClient *WebhookRegistrationClient, runValidationInMutatingWebhook string, + log logr.Logger, ) *ResourceWebhookRegister { return &ResourceWebhookRegister{ - pendingCreation: abool.New(), + pendingMutateWebhookCreation: abool.New(), + pendingValidateWebhookCreation: abool.New(), LastReqTime: lastReqTime, mwebhookconfigSynced: mconfigwebhookinformer.Informer().HasSynced, mWebhookConfigLister: mconfigwebhookinformer.Lister(), @@ -42,73 +45,85 @@ func NewResourceWebhookRegister( vWebhookConfigLister: vconfigwebhookinformer.Lister(), webhookRegistrationClient: webhookRegistrationClient, RunValidationInMutatingWebhook: runValidationInMutatingWebhook, + log: log, } } //RegisterResourceWebhook registers a resource webhook func (rww *ResourceWebhookRegister) RegisterResourceWebhook() { - // drop the request if creation is in processing - if rww.pendingCreation.IsSet() { - glog.V(3).Info("resource webhook configuration is in pending creation, skip the request") + timeDiff := time.Since(rww.LastReqTime.Time()) + if timeDiff < checker.DefaultDeadline { + if !rww.pendingMutateWebhookCreation.IsSet() { + go rww.createMutatingWebhook() + } + + if !rww.pendingValidateWebhookCreation.IsSet() { + go rww.createValidateWebhook() + } + } +} + +func (rww *ResourceWebhookRegister) createMutatingWebhook() { + rww.pendingMutateWebhookCreation.Set() + defer rww.pendingMutateWebhookCreation.UnSet() + + mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() + mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName) + if mutatingConfig != nil { + rww.log.V(5).Info("mutating webhoook configuration exists", "name", mutatingConfigName) + } else { + err := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration() + if err != nil { + rww.log.Error(err, "failed to create resource mutating webhook configuration, re-queue creation request") + rww.RegisterResourceWebhook() + return + } + + rww.log.V(2).Info("created mutating webhook", "name", mutatingConfigName) + } +} + +func (rww *ResourceWebhookRegister) createValidateWebhook() { + rww.pendingValidateWebhookCreation.Set() + defer rww.pendingValidateWebhookCreation.UnSet() + + if rww.RunValidationInMutatingWebhook == "true" { + rww.log.V(2).Info("validation is configured to run during mutate webhook") return } - timeDiff := time.Since(rww.LastReqTime.Time()) - if timeDiff < checker.DefaultDeadline { - glog.V(3).Info("Verified webhook status, creating webhook configuration") - go func() { - mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() - mutatingConfig, _ := rww.mWebhookConfigLister.Get(mutatingConfigName) - if mutatingConfig != nil { - glog.V(4).Info("mutating webhoook configuration already exists") - } else { - rww.pendingCreation.Set() - err1 := rww.webhookRegistrationClient.CreateResourceMutatingWebhookConfiguration() - rww.pendingCreation.UnSet() - if err1 != nil { - glog.Errorf("failed to create resource mutating webhook configuration: %v, re-queue creation request", err1) - rww.RegisterResourceWebhook() - return - } - glog.V(3).Info("Successfully created mutating webhook configuration for resources") - } + validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName() + validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName) + if validatingConfig != nil { + rww.log.V(4).Info("validating webhoook configuration exists", "name", validatingConfigName) + } else { + err := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration() + if err != nil { + rww.log.Error(err, "failed to create resource validating webhook configuration; re-queue creation request") + rww.RegisterResourceWebhook() + return + } - if rww.RunValidationInMutatingWebhook != "true" { - validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName() - validatingConfig, _ := rww.vWebhookConfigLister.Get(validatingConfigName) - if validatingConfig != nil { - glog.V(4).Info("validating webhoook configuration already exists") - } else { - rww.pendingCreation.Set() - err2 := rww.webhookRegistrationClient.CreateResourceValidatingWebhookConfiguration() - rww.pendingCreation.UnSet() - if err2 != nil { - glog.Errorf("failed to create resource validating webhook configuration: %v, re-queue creation request", err2) - rww.RegisterResourceWebhook() - return - } - glog.V(3).Info("Successfully created validating webhook configuration for resources") - } - } - }() + rww.log.V(2).Info("created validating webhook", "name", validatingConfigName) } } //Run starts the ResourceWebhookRegister manager func (rww *ResourceWebhookRegister) Run(stopCh <-chan struct{}) { + logger := rww.log // wait for cache to populate first time if !cache.WaitForCacheSync(stopCh, rww.mwebhookconfigSynced, rww.vwebhookconfigSynced) { - glog.Error("configuration: failed to sync webhook informer cache") + logger.Info("configuration: failed to sync webhook informer cache") } - } // RemoveResourceWebhookConfiguration removes the resource webhook configurations func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error { + logger := rww.log mutatingConfigName := rww.webhookRegistrationClient.GetResourceMutatingWebhookConfigName() mutatingConfig, err := rww.mWebhookConfigLister.Get(mutatingConfigName) if err != nil { - glog.V(4).Infof("failed to list mutating webhook config: %v", err) + logger.Error(err, "failed to list mutating webhook config") return err } if mutatingConfig != nil { @@ -116,14 +131,14 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error { if err != nil { return err } - glog.V(3).Info("removed mutating resource webhook configuration") + logger.V(3).Info("removed mutating resource webhook configuration") } if rww.RunValidationInMutatingWebhook != "true" { validatingConfigName := rww.webhookRegistrationClient.GetResourceValidatingWebhookConfigName() validatingConfig, err := rww.vWebhookConfigLister.Get(validatingConfigName) if err != nil { - glog.V(4).Infof("failed to list validating webhook config: %v", err) + logger.Error(err, "failed to list validating webhook config") return err } if validatingConfig != nil { @@ -131,7 +146,7 @@ func (rww *ResourceWebhookRegister) RemoveResourceWebhookConfiguration() error { if err != nil { return err } - glog.V(3).Info("removed validating resource webhook configuration") + logger.V(3).Info("removed validating resource webhook configuration") } } return nil diff --git a/pkg/webhooks/admission_test.go b/pkg/webhooks/admission_test.go deleted file mode 100644 index d753352a72..0000000000 --- a/pkg/webhooks/admission_test.go +++ /dev/null @@ -1 +0,0 @@ -package webhooks_test diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go index 34d3e10468..e02ba00c96 100644 --- a/pkg/webhooks/annotations.go +++ b/pkg/webhooks/annotations.go @@ -7,10 +7,8 @@ import ( yamlv2 "gopkg.in/yaml.v2" jsonpatch "github.com/evanphx/json-patch" - "github.com/golang/glog" - "github.com/nirmata/kyverno/pkg/engine" + "github.com/go-logr/logr" "github.com/nirmata/kyverno/pkg/engine/response" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) const ( @@ -38,7 +36,7 @@ var operationToPastTense = map[string]string{ "test": "tested", } -func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte { +func generateAnnotationPatches(engineResponses []response.EngineResponse, log logr.Logger) []byte { var annotations map[string]string for _, er := range engineResponses { @@ -53,7 +51,7 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte } var patchResponse annresponse - value := annotationFromEngineResponses(engineResponses) + value := annotationFromEngineResponses(engineResponses, log) if value == nil { // no patches or error while processing patches return nil @@ -90,21 +88,21 @@ func generateAnnotationPatches(engineResponses []response.EngineResponse) []byte // check the patch _, err := jsonpatch.DecodePatch([]byte("[" + string(patchByte) + "]")) if err != nil { - glog.Errorf("Failed to make patch from annotation'%s', err: %v\n ", string(patchByte), err) + log.Error(err, "failed o build JSON patch for annotation", "patch", string(patchByte)) } return patchByte } -func annotationFromEngineResponses(engineResponses []response.EngineResponse) []byte { +func annotationFromEngineResponses(engineResponses []response.EngineResponse, log logr.Logger) []byte { var annotationContent = make(map[string]string) for _, engineResponse := range engineResponses { if !engineResponse.IsSuccesful() { - glog.V(3).Infof("Policy %s failed, skip preparing annotation\n", engineResponse.PolicyResponse.Policy) + log.V(3).Info("skip building annotation; policy failed to apply", "policy", engineResponse.PolicyResponse.Policy) continue } - rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse) + rulePatches := annotationFromPolicyResponse(engineResponse.PolicyResponse, log) if rulePatches == nil { continue } @@ -126,13 +124,13 @@ func annotationFromEngineResponses(engineResponses []response.EngineResponse) [] return result } -func annotationFromPolicyResponse(policyResponse response.PolicyResponse) []rulePatch { +func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log logr.Logger) []rulePatch { var rulePatches []rulePatch for _, ruleInfo := range policyResponse.Rules { for _, patch := range ruleInfo.Patches { var patchmap map[string]interface{} if err := json.Unmarshal(patch, &patchmap); err != nil { - glog.Errorf("Failed to parse patch bytes, err: %v\n", err) + log.Error(err, "Failed to parse JSON patch bytes") continue } @@ -142,25 +140,11 @@ func annotationFromPolicyResponse(policyResponse response.PolicyResponse) []rule Path: patchmap["path"].(string)} rulePatches = append(rulePatches, rp) - glog.V(4).Infof("Annotation value prepared: %v\n", rulePatches) + log.V(4).Info("annotation value prepared", "patches", rulePatches) } } - if len(rulePatches) == 0 { return nil } - return rulePatches } - -// checkPodTemplateAnn checks if a Pod has annotation "pod-policies.kyverno.io/autogen-applied" -func checkPodTemplateAnn(resource unstructured.Unstructured) bool { - if resource.GetKind() == "Pod" { - ann := resource.GetAnnotations() - if _, ok := ann[engine.PodTemplateAnnotation]; ok { - return true - } - } - - return false -} diff --git a/pkg/webhooks/annotations_test.go b/pkg/webhooks/annotations_test.go index 320e347ea3..d14657b6cb 100644 --- a/pkg/webhooks/annotations_test.go +++ b/pkg/webhooks/annotations_test.go @@ -6,6 +6,7 @@ import ( "github.com/nirmata/kyverno/pkg/engine/response" "gotest.tools/assert" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "sigs.k8s.io/controller-runtime/pkg/log" ) func newPolicyResponse(policy, rule string, patchesStr []string, success bool) response.PolicyResponse { @@ -42,7 +43,7 @@ func Test_empty_annotation(t *testing.T) { patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }` engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, nil) - annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}) + annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log) expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}` assert.Assert(t, string(annPatches) == expectedPatches) } @@ -54,7 +55,7 @@ func Test_exist_annotation(t *testing.T) { patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }` engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation) - annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}) + annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log) expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}` assert.Assert(t, string(annPatches) == expectedPatches) @@ -67,7 +68,7 @@ func Test_exist_kyverno_annotation(t *testing.T) { patchStr := `{ "op": "replace", "path": "/spec/containers/0/imagePullPolicy", "value": "IfNotPresent" }` engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{patchStr}, true, annotation) - annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}) + annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log) expectedPatches := `{"op":"add","path":"/metadata/annotations","value":{"policies.kyverno.io/patches":"default-imagepullpolicy.mutate-container.kyverno.io: replaced /spec/containers/0/imagePullPolicy\n"}}` assert.Assert(t, string(annPatches) == expectedPatches) @@ -79,11 +80,11 @@ func Test_annotation_nil_patch(t *testing.T) { } engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, true, annotation) - annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}) + annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log) assert.Assert(t, annPatches == nil) engineResponseNew := newEngineResponse("mutate-container", "default-imagepullpolicy", []string{""}, true, annotation) - annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew}) + annPatchesNew := generateAnnotationPatches([]response.EngineResponse{engineResponseNew}, log.Log) assert.Assert(t, annPatchesNew == nil) } @@ -93,7 +94,7 @@ func Test_annotation_failed_Patch(t *testing.T) { } engineResponse := newEngineResponse("mutate-container", "default-imagepullpolicy", nil, false, annotation) - annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}) + annPatches := generateAnnotationPatches([]response.EngineResponse{engineResponse}, log.Log) assert.Assert(t, annPatches == nil) } diff --git a/pkg/webhooks/checker.go b/pkg/webhooks/checker.go index e6ccfc41c9..a648a0034c 100644 --- a/pkg/webhooks/checker.go +++ b/pkg/webhooks/checker.go @@ -1,13 +1,12 @@ package webhooks import ( - "github.com/golang/glog" "k8s.io/api/admission/v1beta1" ) -func (ws *WebhookServer) handleVerifyRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { - glog.V(4).Infof("Receive request in mutating webhook '/verify': Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", - request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation) +func (ws *WebhookServer) verifyHandler(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { + logger := ws.log.WithValues("action", "verify", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) + logger.V(4).Info("incoming request") return &v1beta1.AdmissionResponse{ Allowed: true, } diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go index a6a2682476..3bdbb569df 100644 --- a/pkg/webhooks/common.go +++ b/pkg/webhooks/common.go @@ -4,10 +4,11 @@ import ( "fmt" "strings" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" engineutils "github.com/nirmata/kyverno/pkg/engine/utils" + yamlv2 "gopkg.in/yaml.v2" "k8s.io/api/admission/v1beta1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" @@ -25,34 +26,37 @@ func isResponseSuccesful(engineReponses []response.EngineResponse) bool { // returns true -> if there is even one policy that blocks resource request // returns false -> if all the policies are meant to report only, we dont block resource request -func toBlockResource(engineReponses []response.EngineResponse) bool { +func toBlockResource(engineReponses []response.EngineResponse, log logr.Logger) bool { for _, er := range engineReponses { if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce { - glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy) + log.Info("spec.ValidationFailureAction set to enforcel blocking resource request", "policy", er.PolicyResponse.Policy) return true } } - glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation") + log.V(4).Info("sepc.ValidationFailureAction set to auit for all applicable policies;allowing resource reques; reporting with policy violation ") return false } // getEnforceFailureErrorMsg gets the error messages for failed enforce policy -func getEnforceFailureErrorMsg(engineReponses []response.EngineResponse) string { - var str []string - var resourceInfo string - - for _, er := range engineReponses { +func getEnforceFailureErrorMsg(engineResponses []response.EngineResponse) string { + policyToRule := make(map[string]interface{}) + var resourceName string + for _, er := range engineResponses { if !er.IsSuccesful() && er.PolicyResponse.ValidationFailureAction == Enforce { - resourceInfo = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) - str = append(str, fmt.Sprintf("failed policy %s:", er.PolicyResponse.Policy)) + ruleToReason := make(map[string]string) for _, rule := range er.PolicyResponse.Rules { if !rule.Success { - str = append(str, rule.ToString()) + ruleToReason[rule.Name] = rule.Message } } + resourceName = fmt.Sprintf("%s/%s/%s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name) + + policyToRule[er.PolicyResponse.Policy] = ruleToReason } } - return fmt.Sprintf("Resource %s %s", resourceInfo, strings.Join(str, ";")) + + result, _ := yamlv2.Marshal(policyToRule) + return "\n\nresource " + resourceName + " was blocked due to the following policies\n\n" + string(result) } // getErrorMsg gets all failed engine response message @@ -98,20 +102,20 @@ const ( Audit = "audit" // dont block the request on failure, but report failiures as policy violations ) -func processResourceWithPatches(patch []byte, resource []byte) []byte { +func processResourceWithPatches(patch []byte, resource []byte, log logr.Logger) []byte { if patch == nil { return resource } resource, err := engineutils.ApplyPatchNew(resource, patch) if err != nil { - glog.Errorf("failed to patch resource: %v", err) + log.Error(err, "failed to patch resource:") return nil } return resource } -func containRBACinfo(policies []kyverno.ClusterPolicy) bool { +func containRBACinfo(policies []*kyverno.ClusterPolicy) bool { for _, policy := range policies { for _, rule := range policy.Spec.Rules { if len(rule.MatchResources.Roles) > 0 || len(rule.MatchResources.ClusterRoles) > 0 || len(rule.ExcludeResources.Roles) > 0 || len(rule.ExcludeResources.ClusterRoles) > 0 { @@ -163,3 +167,13 @@ func convertResource(raw []byte, group, version, kind, namespace string) (unstru obj.SetNamespace(namespace) return *obj, nil } + +func excludeKyvernoResources(kind string) bool { + switch kind { + case "ClusterPolicy", "ClusterPolicyViolation", "PolicyViolation", "GenerateRequest": + return true + default: + return false + } + +} diff --git a/pkg/webhooks/generate/generate.go b/pkg/webhooks/generate/generate.go index f120c9fb5d..b0b4728319 100644 --- a/pkg/webhooks/generate/generate.go +++ b/pkg/webhooks/generate/generate.go @@ -2,77 +2,93 @@ package generate import ( "fmt" + "k8s.io/api/admission/v1beta1" "time" backoff "github.com/cenkalti/backoff" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" + "github.com/nirmata/kyverno/pkg/constant" utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/apimachinery/pkg/util/wait" ) //GenerateRequests provides interface to manage generate requests type GenerateRequests interface { - Create(gr kyverno.GenerateRequestSpec) error + Apply(gr kyverno.GenerateRequestSpec,action v1beta1.Operation) error +} + +type GeneratorChannel struct { + spec kyverno.GenerateRequestSpec + action v1beta1.Operation } // Generator defines the implmentation to mange generate request resource type Generator struct { // channel to receive request - ch chan kyverno.GenerateRequestSpec + ch chan GeneratorChannel client *kyvernoclient.Clientset stopCh <-chan struct{} + log logr.Logger } //NewGenerator returns a new instance of Generate-Request resource generator -func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}) *Generator { +func NewGenerator(client *kyvernoclient.Clientset, stopCh <-chan struct{}, log logr.Logger) *Generator { gen := &Generator{ - ch: make(chan kyverno.GenerateRequestSpec, 1000), + ch: make(chan GeneratorChannel, 1000), client: client, stopCh: stopCh, + log: log, } return gen } //Create to create generate request resoruce (blocking call if channel is full) -func (g *Generator) Create(gr kyverno.GenerateRequestSpec) error { - glog.V(4).Infof("create GR %v", gr) +func (g *Generator) Apply(gr kyverno.GenerateRequestSpec,action v1beta1.Operation) error { + logger := g.log + logger.V(4).Info("creating Generate Request", "request", gr) // Send to channel + message := GeneratorChannel{ + action: action, + spec : gr, + } select { - case g.ch <- gr: + case g.ch <- message: return nil case <-g.stopCh: - glog.Info("shutting down channel") + logger.Info("shutting down channel") return fmt.Errorf("shutting down gr create channel") } } // Run starts the generate request spec func (g *Generator) Run(workers int) { + logger := g.log defer utilruntime.HandleCrash() - glog.V(4).Info("Started generate request") + logger.V(4).Info("starting") defer func() { - glog.V(4).Info("Shutting down generate request") + logger.V(4).Info("shutting down") }() for i := 0; i < workers; i++ { - go wait.Until(g.process, time.Second, g.stopCh) + go wait.Until(g.processApply, constant.GenerateControllerResync, g.stopCh) } <-g.stopCh } -func (g *Generator) process() { +func (g *Generator) processApply() { + logger := g.log for r := range g.ch { - glog.V(4).Infof("received generate request %v", r) - if err := g.generate(r); err != nil { - glog.Errorf("Failed to create Generate Request CR: %v", err) + logger.V(4).Info("recieved generate request", "request", r) + if err := g.generate(r.spec,r.action); err != nil { + logger.Error(err, "failed to generate request CR") } } } -func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error { - // create a generate request - if err := retryCreateResource(g.client, grSpec); err != nil { +func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec,action v1beta1.Operation) error { + // create/update a generate request + if err := retryApplyResource(g.client, grSpec, g.log,action); err != nil { return err } return nil @@ -81,12 +97,17 @@ func (g *Generator) generate(grSpec kyverno.GenerateRequestSpec) error { // -> receiving channel to take requests to create request // use worker pattern to read and create the CR resource -func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.GenerateRequestSpec) error { +func retryApplyResource(client *kyvernoclient.Clientset, + grSpec kyverno.GenerateRequestSpec, + log logr.Logger, + action v1beta1.Operation, +) error { var i int var err error - createResource := func() error { + + applyResource := func() error { gr := kyverno.GenerateRequest{ - Spec: grSpec, + Spec: grSpec, } gr.SetGenerateName("gr-") gr.SetNamespace("kyverno") @@ -94,11 +115,21 @@ func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.Generat // TODO: status is not updated // gr.Status.State = kyverno.Pending // generate requests created in kyverno namespace - _, err = client.KyvernoV1().GenerateRequests("kyverno").Create(&gr) - glog.V(4).Infof("retry %v create generate request", i) + if action == v1beta1.Create { + _, err = client.KyvernoV1().GenerateRequests("kyverno").Create(&gr) + } + if action == v1beta1.Update { + gr.SetLabels(map[string]string{ + "resources-update": "true", + }) + _, err = client.KyvernoV1().GenerateRequests("kyverno").Update(&gr) + } + + log.V(4).Info("retrying update generate request CR", "retryCount", i, "name", gr.GetGenerateName(), "namespace", gr.GetNamespace()) i++ return err } + exbackoff := &backoff.ExponentialBackOff{ InitialInterval: 500 * time.Millisecond, RandomizationFactor: 0.5, @@ -109,7 +140,9 @@ func retryCreateResource(client *kyvernoclient.Clientset, grSpec kyverno.Generat } exbackoff.Reset() - err = backoff.Retry(createResource, exbackoff) + err = backoff.Retry(applyResource, exbackoff) + + if err != nil { return err } diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go index 956c568cac..6d73701d60 100644 --- a/pkg/webhooks/generation.go +++ b/pkg/webhooks/generation.go @@ -5,7 +5,6 @@ import ( "sort" "time" - "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine" @@ -17,41 +16,20 @@ import ( ) //HandleGenerate handles admission-requests for policies with generate rules -func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) { +func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, policies []*kyverno.ClusterPolicy, ctx *context.Context, userRequestInfo kyverno.RequestInfo) (bool, string) { + logger := ws.log.WithValues("action", "generation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) + logger.V(4).Info("incoming request") var engineResponses []response.EngineResponse // convert RAW to unstructured resource, err := utils.ConvertToUnstructured(request.Object.Raw) if err != nil { //TODO: skip applying the admission control ? - glog.Errorf("unable to convert raw resource to unstructured: %v", err) + logger.Error(err, "failed to convert RAR resource to unstructured format") return true, "" } // CREATE resources, do not have name, assigned in admission-request - glog.V(4).Infof("Handle Generate: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", - resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation) - - userRequestInfo := kyverno.RequestInfo{ - Roles: roles, - ClusterRoles: clusterRoles, - AdmissionUserInfo: request.UserInfo} - // build context - ctx := context.NewContext() - // load incoming resource into the context - err = ctx.AddResource(request.Object.Raw) - if err != nil { - glog.Infof("Failed to load resource in context:%v", err) - } - err = ctx.AddUserInfo(userRequestInfo) - if err != nil { - glog.Infof("Failed to load userInfo in context:%v", err) - } - // load service account in context - err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) - if err != nil { - glog.Infof("Failed to load service account in context:%v", err) - } policyContext := engine.PolicyContext{ NewResource: *resource, @@ -61,7 +39,7 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic // engine.Generate returns a list of rules that are applicable on this resource for _, policy := range policies { - policyContext.Policy = policy + policyContext.Policy = *policy engineResponse := engine.Generate(policyContext) if len(engineResponse.PolicyResponse.Rules) > 0 { // some generate rules do apply to the resource @@ -72,10 +50,12 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic } } // Adds Generate Request to a channel(queue size 1000) to generators - if err := createGenerateRequest(ws.grGenerator, userRequestInfo, engineResponses...); err != nil { + if err := applyGenerateRequest(ws.grGenerator, userRequestInfo,request.Operation, engineResponses...); err != nil { //TODO: send appropriate error return false, "Kyverno blocked: failed to create Generate Requests" } + + // Generate Stats wont be used here, as we delegate the generate rule // - Filter policies that apply on this resource // - - build CR context(userInfo+roles+clusterRoles) @@ -87,9 +67,9 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic return true, "" } -func createGenerateRequest(gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo, engineResponses ...response.EngineResponse) error { +func applyGenerateRequest(gnGenerator generate.GenerateRequests, userRequestInfo kyverno.RequestInfo,action v1beta1.Operation, engineResponses ...response.EngineResponse) error { for _, er := range engineResponses { - if err := gnGenerator.Create(transform(userRequestInfo, er)); err != nil { + if err := gnGenerator.Apply(transform(userRequestInfo, er),action); err != nil { return err } } diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index 1991427ebf..041046cd65 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go @@ -5,9 +5,6 @@ import ( "sort" "time" - "github.com/nirmata/kyverno/pkg/openapi" - - "github.com/golang/glog" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine" @@ -21,36 +18,22 @@ import ( // HandleMutation handles mutating webhook admission request // return value: generated patches -func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte { - glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", - request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation) +func (ws *WebhookServer) HandleMutation( + request *v1beta1.AdmissionRequest, + resource unstructured.Unstructured, + policies []*kyverno.ClusterPolicy, + ctx *context.Context, + userRequestInfo kyverno.RequestInfo) []byte { + + resourceName := request.Kind.Kind + "/" + request.Name + if request.Namespace != "" { + resourceName = request.Namespace + "/" + resourceName + } + + logger := ws.log.WithValues("action", "mutate", "resource", resourceName, "operation", request.Operation) var patches [][]byte var engineResponses []response.EngineResponse - - userRequestInfo := kyverno.RequestInfo{ - Roles: roles, - ClusterRoles: clusterRoles, - AdmissionUserInfo: request.UserInfo} - - // build context - ctx := context.NewContext() - var err error - // load incoming resource into the context - err = ctx.AddResource(request.Object.Raw) - if err != nil { - glog.Infof("Failed to load resource in context:%v", err) - } - - err = ctx.AddUserInfo(userRequestInfo) - if err != nil { - glog.Infof("Failed to load userInfo in context:%v", err) - } - err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) - if err != nil { - glog.Infof("Failed to load service account in context:%v", err) - } - policyContext := engine.PolicyContext{ NewResource: resource, AdmissionInfo: userRequestInfo, @@ -58,40 +41,43 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou } for _, policy := range policies { - glog.V(2).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", - resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.UID, request.Operation) - policyContext.Policy = policy + logger.V(3).Info("evaluating policy", "policy", policy.Name) + + policyContext.Policy = *policy engineResponse := engine.Mutate(policyContext) - engineResponses = append(engineResponses, engineResponse) + ws.statusListener.Send(mutateStats{resp: engineResponse}) if !engineResponse.IsSuccesful() { - glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, resource.GetNamespace(), resource.GetName()) + logger.Info("failed to apply policy", "policy", policy.Name, "failed rules", engineResponse.GetFailedRules()) continue } - err := openapi.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind()) + + err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetKind()) if err != nil { - glog.V(4).Infoln(err) + logger.Error(err, "validation error", "policy", policy.Name) continue } + // gather patches patches = append(patches, engineResponse.GetPatches()...) - glog.V(4).Infof("Mutation from policy %s has applied successfully to %s %s/%s", policy.Name, request.Kind.Kind, resource.GetNamespace(), resource.GetName()) + if len(engineResponse.GetPatches()) != 0 { + logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name) + } policyContext.NewResource = engineResponse.PatchedResource + engineResponses = append(engineResponses, engineResponse) } // generate annotations - if annPatches := generateAnnotationPatches(engineResponses); annPatches != nil { + if annPatches := generateAnnotationPatches(engineResponses, logger); annPatches != nil { patches = append(patches, annPatches) } - // report time - reportTime := time.Now() - // AUDIT // generate violation when response fails - pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses) + pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger) ws.pvGenerator.Add(pvInfos...) + // REPORTING EVENTS // Scenario 1: // some/all policies failed to apply on the resource. a policy volation is generated. @@ -100,25 +86,21 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou // all policies were applied succesfully. // create an event on the resource // ADD EVENTS - events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update)) + events := generateEvents(engineResponses, false, (request.Operation == v1beta1.Update), logger) ws.eventGen.Add(events...) // debug info func() { if len(patches) != 0 { - glog.V(4).Infof("Patches generated for %s/%s/%s, operation=%v:\n %v", - resource.GetKind(), resource.GetNamespace(), resource.GetName(), request.Operation, string(engineutils.JoinPatches(patches))) + logger.V(4).Info("JSON patches generated") } // if any of the policies fails, print out the error if !isResponseSuccesful(engineResponses) { - glog.Errorf("Failed to mutate the resource, report as violation: %s\n", getErrorMsg(engineResponses)) + logger.Info("failed to apply mutation rules on the resource, reporting policy violation", "errors", getErrorMsg(engineResponses)) } }() - // report time end - glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), resource.GetKind(), resource.GetNamespace(), resource.GetName()) - // patches holds all the successful patches, if no patch is created, it returns nil return engineutils.JoinPatches(patches) } diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go index 8081528edd..926bd10fe5 100644 --- a/pkg/webhooks/policymutation.go +++ b/pkg/webhooks/policymutation.go @@ -8,7 +8,7 @@ import ( "strings" jsonpatch "github.com/evanphx/json-patch" - "github.com/golang/glog" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine" "github.com/nirmata/kyverno/pkg/utils" @@ -16,13 +16,14 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { +func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { + logger := ws.log.WithValues("action", "policymutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) var policy *kyverno.ClusterPolicy raw := request.Object.Raw //TODO: can this happen? wont this be picked by OpenAPI spec schema ? if err := json.Unmarshal(raw, &policy); err != nil { - glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err) + logger.Error(err, "faield to unmarshall policy admission request") return &v1beta1.AdmissionResponse{ Allowed: true, Result: &metav1.Status{ @@ -31,10 +32,9 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) } } // Generate JSON Patches for defaults - patches, updateMsgs := generateJSONPatchesForDefaults(policy) + patches, updateMsgs := generateJSONPatchesForDefaults(policy, logger) if patches != nil { patchType := v1beta1.PatchTypeJSONPatch - glog.V(4).Infof("defaulted values %v policy %s", updateMsgs, policy.Name) return &v1beta1.AdmissionResponse{ Allowed: true, Result: &metav1.Status{ @@ -44,35 +44,34 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest) PatchType: &patchType, } } - glog.V(4).Infof("nothing to default for policy %s", policy.Name) return &v1beta1.AdmissionResponse{ Allowed: true, } } -func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []string) { +func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, []string) { var patches [][]byte var updateMsgs []string // default 'ValidationFailureAction' - if patch, updateMsg := defaultvalidationFailureAction(policy); patch != nil { + if patch, updateMsg := defaultvalidationFailureAction(policy, log); patch != nil { patches = append(patches, patch) updateMsgs = append(updateMsgs, updateMsg) } // default 'Background' - if patch, updateMsg := defaultBackgroundFlag(policy); patch != nil { + if patch, updateMsg := defaultBackgroundFlag(policy, log); patch != nil { patches = append(patches, patch) updateMsgs = append(updateMsgs, updateMsg) } - patch, errs := generatePodControllerRule(*policy) + patch, errs := generatePodControllerRule(*policy, log) if len(errs) > 0 { var errMsgs []string for _, err := range errs { errMsgs = append(errMsgs, err.Error()) + log.Error(err, "failed to generate pod controller rule") } - glog.Errorf("failed auto generating rule for pod controllers: %s", errMsgs) updateMsgs = append(updateMsgs, strings.Join(errMsgs, ";")) } @@ -81,11 +80,11 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []st return utils.JoinPatches(patches), updateMsgs } -func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) { - // default 'Background' flag to 'true' if not specified +func defaultBackgroundFlag(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) { + // set 'Background' flag to 'true' if not specified defaultVal := true if policy.Spec.Background == nil { - glog.V(4).Infof("default policy %s 'Background' to '%s'", policy.Name, strconv.FormatBool(true)) + log.V(4).Info("setting default value", "spec.background", true) jsonPatch := struct { Path string `json:"path"` Op string `json:"op"` @@ -95,21 +94,24 @@ func defaultBackgroundFlag(policy *kyverno.ClusterPolicy) ([]byte, string) { "add", &defaultVal, } + patchByte, err := json.Marshal(jsonPatch) if err != nil { - glog.Errorf("failed to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name) + log.Error(err, "failed to set default value", "spec.background", true) return nil, "" } - glog.V(4).Infof("generate JSON Patch to set default 'Background' to '%s' for policy %s", strconv.FormatBool(true), policy.Name) + + log.V(3).Info("generated JSON Patch to set default", "spec.background", true) return patchByte, fmt.Sprintf("default 'Background' to '%s'", strconv.FormatBool(true)) } + return nil, "" } -func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, string) { - // default ValidationFailureAction to "audit" if not specified +func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy, log logr.Logger) ([]byte, string) { + // set ValidationFailureAction to "audit" if not specified if policy.Spec.ValidationFailureAction == "" { - glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, Audit) + log.V(4).Info("setting defautl value", "spec.validationFailureAction", Audit) jsonPatch := struct { Path string `json:"path"` Op string `json:"op"` @@ -117,16 +119,19 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri }{ "/spec/validationFailureAction", "add", - Audit, //audit + Audit, } + patchByte, err := json.Marshal(jsonPatch) if err != nil { - glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name) + log.Error(err, "failed to default value", "spec.validationFailureAction", Audit) return nil, "" } - glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name) + + log.V(3).Info("generated JSON Patch to set default", "spec.validationFailureAction", Audit) return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit) } + return nil, "" } @@ -140,13 +145,13 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri // make sure all fields are applicable to pod cotrollers // generatePodControllerRule returns two patches: rulePatches and annotation patch(if necessary) -func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte, errs []error) { +func generatePodControllerRule(policy kyverno.ClusterPolicy, log logr.Logger) (patches [][]byte, errs []error) { ann := policy.GetAnnotations() controllers, ok := ann[engine.PodControllersAnnotation] // scenario A if !ok { - controllers = "all" + controllers = "DaemonSet,Deployment,Job,StatefulSet" annPatch, err := defaultPodControllerAnnotation(ann) if err != nil { errs = append(errs, fmt.Errorf("failed to generate pod controller annotation for policy '%s': %v", policy.Name, err)) @@ -160,9 +165,9 @@ func generatePodControllerRule(policy kyverno.ClusterPolicy) (patches [][]byte, return nil, nil } - glog.V(3).Infof("Auto generating rule for pod controller: %s", controllers) + log.V(3).Info("auto generating rule for pod controllers", "controlers", controllers) - p, err := generateRulePatches(policy, controllers) + p, err := generateRulePatches(policy, controllers, log) patches = append(patches, p...) errs = append(errs, err...) return @@ -197,8 +202,9 @@ func createRuleMap(rules []kyverno.Rule) map[string]kyvernoRule { } // generateRulePatches generates rule for podControllers based on scenario A and C -func generateRulePatches(policy kyverno.ClusterPolicy, controllers string) (rulePatches [][]byte, errs []error) { +func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log logr.Logger) (rulePatches [][]byte, errs []error) { var genRule kyvernoRule + insertIdx := len(policy.Spec.Rules) ruleMap := createRuleMap(policy.Spec.Rules) @@ -210,7 +216,7 @@ func generateRulePatches(policy kyverno.ClusterPolicy, controllers string) (rule for _, rule := range policy.Spec.Rules { patchPostion := insertIdx - genRule = generateRuleForControllers(rule, controllers) + genRule = generateRuleForControllers(rule, controllers, log) if reflect.DeepEqual(genRule, kyvernoRule{}) { continue } @@ -272,7 +278,7 @@ type kyvernoRule struct { Validation *kyverno.Validation `json:"validate,omitempty"` } -func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRule { +func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.Logger) kyvernoRule { if strings.HasPrefix(rule.Name, "autogen-") { return kyvernoRule{} } @@ -288,14 +294,34 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu return kyvernoRule{} } - // scenario A + // Support backword compatibility + skipAutoGeneration := false + var controllersValidated []string if controllers == "all" { + skipAutoGeneration = true + } else if controllers != "none" && controllers != "all" { + controllersList := map[string]int{"DaemonSet": 1, "Deployment": 1, "Job": 1, "StatefulSet": 1} + for _, value := range strings.Split(controllers, ",") { + if _, ok := controllersList[value]; ok { + controllersValidated = append(controllersValidated, value) + } + } + if len(controllersValidated) > 0 { + skipAutoGeneration = true + } + } + + if skipAutoGeneration { if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil || exclude.ResourceDescription.Name != "" || exclude.ResourceDescription.Selector != nil { - glog.Warningf("Rule '%s' skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", rule.Name) + log.Info("skip generating rule on pod controllers: Name / Selector in resource decription may not be applicable.", "rule", rule.Name) return kyvernoRule{} } - controllers = engine.PodControllers + if controllers == "all" { + controllers = engine.PodControllers + } else { + controllers = strings.Join(controllersValidated, ",") + } } controllerRule := &kyvernoRule{ @@ -363,7 +389,7 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string) kyvernoRu func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) { if ann == nil { ann = make(map[string]string) - ann[engine.PodControllersAnnotation] = "all" + ann[engine.PodControllersAnnotation] = "DaemonSet,Deployment,Job,StatefulSet" jsonPatch := struct { Path string `json:"path"` Op string `json:"op"` @@ -388,7 +414,7 @@ func defaultPodControllerAnnotation(ann map[string]string) ([]byte, error) { }{ "/metadata/annotations/pod-policies.kyverno.io~1autogen-controllers", "add", - "all", + "DaemonSet,Deployment,Job,StatefulSet", } patchByte, err := json.Marshal(jsonPatch) diff --git a/pkg/webhooks/policymutation_test.go b/pkg/webhooks/policymutation_test.go index 0b5af63c59..3df5873922 100644 --- a/pkg/webhooks/policymutation_test.go +++ b/pkg/webhooks/policymutation_test.go @@ -8,6 +8,7 @@ import ( kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/utils" "gotest.tools/assert" + "sigs.k8s.io/controller-runtime/pkg/log" ) func compareJSONAsMap(t *testing.T, expected, actual []byte) { @@ -28,7 +29,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) { var policy kyverno.ClusterPolicy assert.Assert(t, json.Unmarshal(policyRaw, &policy)) - patches, errs := generatePodControllerRule(policy) + patches, errs := generatePodControllerRule(policy, log.Log) assert.Assert(t, len(errs) == 0) p, err := utils.ApplyPatches(policyRaw, patches) @@ -40,7 +41,7 @@ func TestGeneratePodControllerRule_NilAnnotation(t *testing.T) { "metadata": { "name": "add-safe-to-evict", "annotations": { - "pod-policies.kyverno.io/autogen-controllers": "all" + "pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet" } } }`) @@ -61,7 +62,7 @@ func TestGeneratePodControllerRule_PredefinedAnnotation(t *testing.T) { var policy kyverno.ClusterPolicy assert.Assert(t, json.Unmarshal(policyRaw, &policy)) - patches, errs := generatePodControllerRule(policy) + patches, errs := generatePodControllerRule(policy, log.Log) assert.Assert(t, len(errs) == 0) assert.Assert(t, len(patches) == 0) } @@ -112,7 +113,7 @@ func TestGeneratePodControllerRule_DisableFeature(t *testing.T) { var policy kyverno.ClusterPolicy assert.Assert(t, json.Unmarshal(policyRaw, &policy)) - patches, errs := generatePodControllerRule(policy) + patches, errs := generatePodControllerRule(policy, log.Log) assert.Assert(t, len(errs) == 0) assert.Assert(t, len(patches) == 0) } @@ -163,7 +164,7 @@ func TestGeneratePodControllerRule_Mutate(t *testing.T) { var policy kyverno.ClusterPolicy assert.Assert(t, json.Unmarshal(policyRaw, &policy)) - patches, errs := generatePodControllerRule(policy) + patches, errs := generatePodControllerRule(policy, log.Log) assert.Assert(t, len(errs) == 0) p, err := utils.ApplyPatches(policyRaw, patches) @@ -261,7 +262,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) { var policy kyverno.ClusterPolicy assert.Assert(t, json.Unmarshal(policyRaw, &policy)) - patches, errs := generatePodControllerRule(policy) + patches, errs := generatePodControllerRule(policy, log.Log) assert.Assert(t, len(errs) == 0) p, err := utils.ApplyPatches(policyRaw, patches) @@ -273,7 +274,7 @@ func TestGeneratePodControllerRule_ExistOtherAnnotation(t *testing.T) { "metadata": { "name": "add-safe-to-evict", "annotations": { - "pod-policies.kyverno.io/autogen-controllers": "all", + "pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet", "test": "annotation" } } @@ -333,7 +334,7 @@ func TestGeneratePodControllerRule_ValidateAnyPattern(t *testing.T) { var policy kyverno.ClusterPolicy assert.Assert(t, json.Unmarshal(policyRaw, &policy)) - patches, errs := generatePodControllerRule(policy) + patches, errs := generatePodControllerRule(policy, log.Log) assert.Assert(t, len(errs) == 0) p, err := utils.ApplyPatches(policyRaw, patches) @@ -471,7 +472,7 @@ func TestGeneratePodControllerRule_ValidatePattern(t *testing.T) { var policy kyverno.ClusterPolicy assert.Assert(t, json.Unmarshal(policyRaw, &policy)) - patches, errs := generatePodControllerRule(policy) + patches, errs := generatePodControllerRule(policy, log.Log) assert.Assert(t, len(errs) == 0) p, err := utils.ApplyPatches(policyRaw, patches) @@ -482,7 +483,7 @@ func TestGeneratePodControllerRule_ValidatePattern(t *testing.T) { "kind": "ClusterPolicy", "metadata": { "annotations": { - "pod-policies.kyverno.io/autogen-controllers": "all" + "pod-policies.kyverno.io/autogen-controllers": "DaemonSet,Deployment,Job,StatefulSet" }, "name": "add-safe-to-evict" }, diff --git a/pkg/webhooks/policyvalidation.go b/pkg/webhooks/policyvalidation.go index fefa9a11f7..5b2cf94c18 100644 --- a/pkg/webhooks/policyvalidation.go +++ b/pkg/webhooks/policyvalidation.go @@ -1,45 +1,29 @@ package webhooks import ( - "encoding/json" - "fmt" - policyvalidate "github.com/nirmata/kyverno/pkg/policy" - "github.com/golang/glog" - kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" v1beta1 "k8s.io/api/admission/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) //HandlePolicyValidation performs the validation check on policy resource -func (ws *WebhookServer) handlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { - var policy *kyverno.ClusterPolicy - admissionResp := &v1beta1.AdmissionResponse{ - Allowed: true, - } - +func (ws *WebhookServer) policyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { //TODO: can this happen? wont this be picked by OpenAPI spec schema ? - raw := request.Object.Raw - if err := json.Unmarshal(raw, &policy); err != nil { - glog.Errorf("Failed to unmarshal policy admission request, err %v\n", err) - return &v1beta1.AdmissionResponse{Allowed: false, - Result: &metav1.Status{ - Message: fmt.Sprintf("Failed to unmarshal policy admission request err %v", err), - }} - } - if err := policyvalidate.Validate(*policy); err != nil { - admissionResp = &v1beta1.AdmissionResponse{ + if err := policyvalidate.Validate(request.Object.Raw, ws.client, false, ws.openAPIController); err != nil { + return &v1beta1.AdmissionResponse{ Allowed: false, Result: &metav1.Status{ Message: err.Error(), }, } } - if admissionResp.Allowed { - // if the policy contains mutating & validation rules and it config does not exist we create one - // queue the request - ws.resourceWebhookWatcher.RegisterResourceWebhook() + + // if the policy contains mutating & validation rules and it config does not exist we create one + // queue the request + ws.resourceWebhookWatcher.RegisterResourceWebhook() + return &v1beta1.AdmissionResponse{ + Allowed: true, } - return admissionResp } diff --git a/pkg/webhooks/report.go b/pkg/webhooks/report.go index 035a60688e..83e67c5753 100644 --- a/pkg/webhooks/report.go +++ b/pkg/webhooks/report.go @@ -3,6 +3,7 @@ package webhooks import ( "strings" + "github.com/go-logr/logr" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine/response" @@ -10,7 +11,7 @@ import ( ) //generateEvents generates event info for the engine responses -func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool) []event.Info { +func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info { var events []event.Info // Scenario 1 // - Admission-Response is SUCCESS && CREATE @@ -26,6 +27,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate successRulesStr := strings.Join(successRules, ";") // event on resource e := event.NewEvent( + log, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.APIVersion, er.PolicyResponse.Resource.Namespace, @@ -59,6 +61,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate filedRulesStr := strings.Join(failedRules, ";") // Event on Policy e := event.NewEvent( + log, "ClusterPolicy", kyverno.SchemeGroupVersion.String(), "", @@ -90,6 +93,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate filedRulesStr := strings.Join(failedRules, ";") // Event on the policy e := event.NewEvent( + log, "ClusterPolicy", kyverno.SchemeGroupVersion.String(), "", @@ -104,6 +108,7 @@ func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate // Event on the resource // event on resource e = event.NewEvent( + log, er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.APIVersion, er.PolicyResponse.Resource.Namespace, diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index b0ca988449..cde1283156 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -10,19 +10,25 @@ import ( "net/http" "time" - "github.com/golang/glog" + "k8s.io/apimachinery/pkg/labels" + + "github.com/go-logr/logr" + "github.com/julienschmidt/httprouter" + v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/checker" kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned" kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1" kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "github.com/nirmata/kyverno/pkg/config" client "github.com/nirmata/kyverno/pkg/dclient" + context2 "github.com/nirmata/kyverno/pkg/engine/context" "github.com/nirmata/kyverno/pkg/event" + "github.com/nirmata/kyverno/pkg/openapi" "github.com/nirmata/kyverno/pkg/policystatus" - "github.com/nirmata/kyverno/pkg/policystore" "github.com/nirmata/kyverno/pkg/policyviolation" tlsutils "github.com/nirmata/kyverno/pkg/tls" userinfo "github.com/nirmata/kyverno/pkg/userinfo" + "github.com/nirmata/kyverno/pkg/utils" "github.com/nirmata/kyverno/pkg/webhookconfig" "github.com/nirmata/kyverno/pkg/webhooks/generate" v1beta1 "k8s.io/api/admission/v1beta1" @@ -33,42 +39,56 @@ import ( ) // WebhookServer contains configured TLS server with MutationWebhook. -// MutationWebhook gets policies from policyController and takes control of the cluster with kubeclient. type WebhookServer struct { server http.Server client *client.Client kyvernoClient *kyvernoclient.Clientset + // list/get cluster policy resource pLister kyvernolister.ClusterPolicyLister + // returns true if the cluster policy store has synced atleast pSynced cache.InformerSynced + // list/get role binding resource rbLister rbaclister.RoleBindingLister + // return true if role bining store has synced atleast once rbSynced cache.InformerSynced + // list/get cluster role binding resource crbLister rbaclister.ClusterRoleBindingLister + // return true if cluster role binding store has synced atleast once crbSynced cache.InformerSynced + // generate events eventGen event.Interface + // webhook registration client webhookRegistrationClient *webhookconfig.WebhookRegistrationClient + // API to send policy stats for aggregation statusListener policystatus.Listener + // helpers to validate against current loaded configuration configHandler config.Interface + // channel for cleanup notification cleanUp chan<- struct{} + // last request time lastReqTime *checker.LastReqTime - // store to hold policy meta data for faster lookup - pMetaStore policystore.LookupInterface + // policy violation generator pvGenerator policyviolation.GeneratorInterface + // generate request generator - grGenerator *generate.Generator + grGenerator *generate.Generator + resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister + log logr.Logger + openAPIController *openapi.Controller } // NewWebhookServer creates new instance of WebhookServer accordingly to given configuration @@ -84,11 +104,13 @@ func NewWebhookServer( webhookRegistrationClient *webhookconfig.WebhookRegistrationClient, statusSync policystatus.Listener, configHandler config.Interface, - pMetaStore policystore.LookupInterface, pvGenerator policyviolation.GeneratorInterface, grGenerator *generate.Generator, resourceWebhookWatcher *webhookconfig.ResourceWebhookRegister, - cleanUp chan<- struct{}) (*WebhookServer, error) { + cleanUp chan<- struct{}, + log logr.Logger, + openAPIController *openapi.Controller, +) (*WebhookServer, error) { if tlsPair == nil { return nil, errors.New("NewWebhookServer is not initialized properly") @@ -117,16 +139,34 @@ func NewWebhookServer( cleanUp: cleanUp, lastReqTime: resourceWebhookWatcher.LastReqTime, pvGenerator: pvGenerator, - pMetaStore: pMetaStore, grGenerator: grGenerator, resourceWebhookWatcher: resourceWebhookWatcher, + log: log, + openAPIController: openAPIController, } - mux := http.NewServeMux() - mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve) - mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve) - mux.HandleFunc(config.VerifyMutatingWebhookServicePath, ws.serve) - mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve) - mux.HandleFunc(config.PolicyMutatingWebhookServicePath, ws.serve) + + mux := httprouter.New() + mux.HandlerFunc("POST", config.MutatingWebhookServicePath, ws.handlerFunc(ws.resourceMutation, true)) + mux.HandlerFunc("POST", config.ValidatingWebhookServicePath, ws.handlerFunc(ws.resourceValidation, true)) + mux.HandlerFunc("POST", config.PolicyMutatingWebhookServicePath, ws.handlerFunc(ws.policyMutation, true)) + mux.HandlerFunc("POST", config.PolicyValidatingWebhookServicePath, ws.handlerFunc(ws.policyValidation, true)) + mux.HandlerFunc("POST", config.VerifyMutatingWebhookServicePath, ws.handlerFunc(ws.verifyHandler, false)) + + // Handle Liveness responds to a Kubernetes Liveness probe + // Fail this request if Kubernetes should restart this instance + mux.HandlerFunc("GET", config.LivenessServicePath, func(w http.ResponseWriter, r *http.Request) { + defer r.Body.Close() + w.WriteHeader(http.StatusOK) + }) + + // Handle Readiness responds to a Kubernetes Readiness probe + // Fail this request if this instance can't accept traffic, but Kubernetes shouldn't restart it + mux.HandlerFunc("GET", config.ReadinessServicePath, func(w http.ResponseWriter, r *http.Request) { + defer r.Body.Close() + + w.WriteHeader(http.StatusOK) + }) + ws.server = http.Server{ Addr: ":443", // Listen on port for HTTPS requests TLSConfig: &tlsConfig, @@ -138,88 +178,85 @@ func NewWebhookServer( return ws, nil } -// Main server endpoint for all requests -func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { - startTime := time.Now() - // for every request received on the ep update last request time, - // this is used to verify admission control - ws.lastReqTime.SetTime(time.Now()) - admissionReview := ws.bodyToAdmissionReview(r, w) - if admissionReview == nil { +func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse, filter bool) http.HandlerFunc { + return func(rw http.ResponseWriter, r *http.Request) { + startTime := time.Now() + ws.lastReqTime.SetTime(startTime) + + admissionReview := ws.bodyToAdmissionReview(r, rw) + if admissionReview == nil { + ws.log.Info("failed to parse admission review request", "request", r) + return + } + + logger := ws.log.WithValues("kind", admissionReview.Request.Kind, "namespace", admissionReview.Request.Namespace, "name", admissionReview.Request.Name) + + admissionReview.Response = &v1beta1.AdmissionResponse{ + Allowed: true, + UID: admissionReview.Request.UID, + } + + // Do not process the admission requests for kinds that are in filterKinds for filtering + request := admissionReview.Request + if filter && ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) { + writeResponse(rw, admissionReview) + return + } + + admissionReview.Response = handler(request) + writeResponse(rw, admissionReview) + logger.V(4).Info("request processed", "processingTime", time.Since(startTime).Milliseconds()) + return } - defer func() { - glog.V(4).Infof("request: %v %s/%s/%s", time.Since(startTime), admissionReview.Request.Kind, admissionReview.Request.Namespace, admissionReview.Request.Name) - }() - - admissionReview.Response = &v1beta1.AdmissionResponse{ - Allowed: true, - } - - // Do not process the admission requests for kinds that are in filterKinds for filtering - request := admissionReview.Request - switch r.URL.Path { - case config.VerifyMutatingWebhookServicePath: - // we do not apply filters as this endpoint is used explicitly - // to watch kyveno deployment and verify if admission control is enabled - admissionReview.Response = ws.handleVerifyRequest(request) - case config.MutatingWebhookServicePath: - if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) { - admissionReview.Response = ws.handleMutateAdmissionRequest(request) - } - case config.ValidatingWebhookServicePath: - if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) { - admissionReview.Response = ws.handleValidateAdmissionRequest(request) - } - case config.PolicyValidatingWebhookServicePath: - if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) { - admissionReview.Response = ws.handlePolicyValidation(request) - } - case config.PolicyMutatingWebhookServicePath: - if !ws.configHandler.ToFilter(request.Kind.Kind, request.Namespace, request.Name) { - admissionReview.Response = ws.handlePolicyMutation(request) - } - } - admissionReview.Response.UID = request.UID - - responseJSON, err := json.Marshal(admissionReview) - if err != nil { - http.Error(w, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError) - return - } - - w.Header().Set("Content-Type", "application/json; charset=utf-8") - if _, err := w.Write(responseJSON); err != nil { - http.Error(w, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) - } } -func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { - policies, err := ws.pMetaStore.ListAll() +func writeResponse(rw http.ResponseWriter, admissionReview *v1beta1.AdmissionReview) { + responseJSON, err := json.Marshal(admissionReview) + if err != nil { + http.Error(rw, fmt.Sprintf("Could not encode response: %v", err), http.StatusInternalServerError) + return + } + + rw.Header().Set("Content-Type", "application/json; charset=utf-8") + if _, err := rw.Write(responseJSON); err != nil { + http.Error(rw, fmt.Sprintf("could not write response: %v", err), http.StatusInternalServerError) + } +} + +func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { + + if excludeKyvernoResources(request.Kind.Kind) { + return &v1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Status: "Success", + }, + } + } + + logger := ws.log.WithName("resourceMutation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) + policies, err := ws.pLister.ListResources(labels.NewSelector()) if err != nil { // Unable to connect to policy Lister to access policies - glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err) + logger.Error(err, "failed to list policies. Policies are NOT being applied") return &v1beta1.AdmissionResponse{Allowed: true} } - var roles, clusterRoles []string - // getRoleRef only if policy has roles/clusterroles defined - startTime := time.Now() + var roles, clusterRoles []string if containRBACinfo(policies) { roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request) if err != nil { // TODO(shuting): continue apply policy if error getting roleRef? - glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v", - request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err) + logger.Error(err, "failed to get RBAC infromation for request") } } - glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime)) // convert RAW to unstructured - resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace) + resource, err := utils.ConvertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace) if err != nil { - glog.Errorf(err.Error()) + logger.Error(err, "failed to convert RAW resource to unstructured format") return &v1beta1.AdmissionResponse{ Allowed: false, @@ -230,46 +267,68 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission } } - if checkPodTemplateAnn(resource) { - return &v1beta1.AdmissionResponse{ - Allowed: true, - Result: &metav1.Status{ - Status: "Success", - }, - } + userRequestInfo := v1.RequestInfo{ + Roles: roles, + ClusterRoles: clusterRoles, + AdmissionUserInfo: request.UserInfo} + + // build context + ctx := context2.NewContext() + err = ctx.AddRequest(request) + if err != nil { + logger.Error(err, "failed to load incoming request in context") } - // MUTATION - // mutation failure should not block the resource creation - // any mutation failure is reported as the violation - patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles) + err = ctx.AddUserInfo(userRequestInfo) + if err != nil { + logger.Error(err, "failed to load userInfo in context") + } + err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) + if err != nil { + logger.Error(err, "failed to load service account in context") + } - // patch the resource with patches before handling validation rules - patchedResource := processResourceWithPatches(patches, request.Object.Raw) + var patches []byte + patchedResource := request.Object.Raw - if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" { - // VALIDATION - ok, msg := ws.HandleValidation(request, policies, patchedResource, roles, clusterRoles) - if !ok { - glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name) - return &v1beta1.AdmissionResponse{ - Allowed: false, - Result: &metav1.Status{ - Status: "Failure", - Message: msg, - }, + higherVersion := utils.HigherThanKubernetesVersion(ws.client, ws.log, 1, 14, 0) + if higherVersion { + // MUTATION + // mutation failure should not block the resource creation + // any mutation failure is reported as the violation + patches = ws.HandleMutation(request, resource, policies, ctx, userRequestInfo) + logger.V(6).Info("", "generated patches", string(patches)) + + // patch the resource with patches before handling validation rules + patchedResource = processResourceWithPatches(patches, request.Object.Raw, logger) + logger.V(6).Info("", "patchedResource", string(patchedResource)) + + if ws.resourceWebhookWatcher != nil && ws.resourceWebhookWatcher.RunValidationInMutatingWebhook == "true" { + // VALIDATION + ok, msg := ws.HandleValidation(request, policies, patchedResource, ctx, userRequestInfo) + if !ok { + logger.Info("admission request denied") + return &v1beta1.AdmissionResponse{ + Allowed: false, + Result: &metav1.Status{ + Status: "Failure", + Message: msg, + }, + } } } + } else { + logger.Info("mutate and validate rules are not supported prior to Kubernetes 1.14.0") } // GENERATE - // Only applied during resource creation + // Only applied during resource creation and update // Success -> Generate Request CR created successsfully // Failed -> Failed to create Generate Request CR - if request.Operation == v1beta1.Create { - ok, msg := ws.HandleGenerate(request, policies, patchedResource, roles, clusterRoles) + if request.Operation == v1beta1.Create || request.Operation == v1beta1.Update { + ok, msg := ws.HandleGenerate(request, policies, ctx, userRequestInfo) if !ok { - glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name) + logger.Info("admission request denied") return &v1beta1.AdmissionResponse{ Allowed: false, Result: &metav1.Status{ @@ -279,6 +338,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission } } } + // Succesfful processing of mutation & validation rules in policy patchType := v1beta1.PatchTypeJSONPatch return &v1beta1.AdmissionResponse{ @@ -289,34 +349,73 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission Patch: patches, PatchType: &patchType, } + } -func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { - policies, err := ws.pMetaStore.ListAll() +func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { + logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) + + if ok := utils.HigherThanKubernetesVersion(ws.client, ws.log, 1, 14, 0); !ok { + logger.Info("mutate and validate rules are not supported prior to Kubernetes 1.14.0") + return &v1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Status: "Success", + }, + } + } + + if excludeKyvernoResources(request.Kind.Kind) { + return &v1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Status: "Success", + }, + } + } + + policies, err := ws.pLister.ListResources(labels.NewSelector()) if err != nil { // Unable to connect to policy Lister to access policies - glog.Errorf("Unable to connect to policy controller to access policies. Policies are NOT being applied: %v", err) + logger.Error(err, "failed to list policies. Policies are NOT being applied") return &v1beta1.AdmissionResponse{Allowed: true} } var roles, clusterRoles []string // getRoleRef only if policy has roles/clusterroles defined - startTime := time.Now() if containRBACinfo(policies) { roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request) if err != nil { // TODO(shuting): continue apply policy if error getting roleRef? - glog.Errorf("Unable to get rbac information for request Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s: %v", - request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation, err) + logger.Error(err, "failed to get RBAC information for request") } } - glog.V(4).Infof("Time: webhook GetRoleRef %v", time.Since(startTime)) - // VALIDATION - ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles) + userRequestInfo := v1.RequestInfo{ + Roles: roles, + ClusterRoles: clusterRoles, + AdmissionUserInfo: request.UserInfo} + + // build context + ctx := context2.NewContext() + err = ctx.AddRequest(request) + if err != nil { + logger.Error(err, "failed to load incoming request in context") + } + + err = ctx.AddUserInfo(userRequestInfo) + if err != nil { + logger.Error(err, "failed to load userInfo in context") + } + err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) + if err != nil { + logger.Error(err, "failed to load service account in context") + } + + ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo) if !ok { - glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name) + logger.Info("admission request denied") return &v1beta1.AdmissionResponse{ Allowed: false, Result: &metav1.Status{ @@ -336,27 +435,29 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi // RunAsync TLS server in separate thread and returns control immediately func (ws *WebhookServer) RunAsync(stopCh <-chan struct{}) { + logger := ws.log if !cache.WaitForCacheSync(stopCh, ws.pSynced, ws.rbSynced, ws.crbSynced) { - glog.Error("webhook: failed to sync informer cache") + logger.Info("failed to sync informer cache") } go func(ws *WebhookServer) { - glog.V(3).Infof("serving on %s\n", ws.server.Addr) + logger.V(3).Info("started serving requests", "addr", ws.server.Addr) if err := ws.server.ListenAndServeTLS("", ""); err != http.ErrServerClosed { - glog.Infof("HTTP server error: %v", err) + logger.Error(err, "failed to listen to requests") } }(ws) - glog.Info("Started Webhook Server") + logger.Info("starting") + // verifys if the admission control is enabled and active // resync: 60 seconds // deadline: 60 seconds (send request) // max deadline: deadline*3 (set the deployment annotation as false) go ws.lastReqTime.Run(ws.pLister, ws.eventGen, ws.client, checker.DefaultResync, checker.DefaultDeadline, stopCh) - } // Stop TLS server and returns control after the server is shut down func (ws *WebhookServer) Stop(ctx context.Context) { + logger := ws.log // cleanUp // remove the static webhookconfigurations go ws.webhookRegistrationClient.RemoveWebhookConfigurations(ws.cleanUp) @@ -364,7 +465,7 @@ func (ws *WebhookServer) Stop(ctx context.Context) { err := ws.server.Shutdown(ctx) if err != nil { // Error from closing listeners, or context timeout: - glog.Info("Server Shutdown error: ", err) + logger.Error(err, "shutting down server") ws.server.Close() } } @@ -372,28 +473,30 @@ func (ws *WebhookServer) Stop(ctx context.Context) { // bodyToAdmissionReview creates AdmissionReview object from request body // Answers to the http.ResponseWriter if request is not valid func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer http.ResponseWriter) *v1beta1.AdmissionReview { - var body []byte - if request.Body != nil { - if data, err := ioutil.ReadAll(request.Body); err == nil { - body = data - } - } - if len(body) == 0 { - glog.Error("Error: empty body") + logger := ws.log + if request.Body == nil { + logger.Info("empty body", "req", request.URL.String()) http.Error(writer, "empty body", http.StatusBadRequest) return nil } + defer request.Body.Close() + body, err := ioutil.ReadAll(request.Body) + if err != nil { + logger.Info("failed to read HTTP body", "req", request.URL.String()) + http.Error(writer, "failed to read HTTP body", http.StatusBadRequest) + } + contentType := request.Header.Get("Content-Type") if contentType != "application/json" { - glog.Error("Error: invalid Content-Type: ", contentType) + logger.Info("invalid Content-Type", "contextType", contentType) http.Error(writer, "invalid Content-Type, expect `application/json`", http.StatusUnsupportedMediaType) return nil } admissionReview := &v1beta1.AdmissionReview{} if err := json.Unmarshal(body, &admissionReview); err != nil { - glog.Errorf("Error: Can't decode body as AdmissionReview: %v", err) + logger.Error(err, "failed to decode request body to type 'AdmissionReview") http.Error(writer, "Can't decode body as AdmissionReview", http.StatusExpectationFailed) return nil } diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go index 54a7fbdf3e..55b0f365ec 100644 --- a/pkg/webhooks/validation.go +++ b/pkg/webhooks/validation.go @@ -5,7 +5,8 @@ import ( "sort" "time" - "github.com/golang/glog" + "github.com/nirmata/kyverno/pkg/utils" + kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" "github.com/nirmata/kyverno/pkg/engine" @@ -13,44 +14,44 @@ import ( "github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/policyviolation" v1beta1 "k8s.io/api/admission/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) // HandleValidation handles validating webhook admission request // If there are no errors in validating rule we apply generation rules // patchedResource is the (resource + patches) after applying mutation rules -func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, policies []kyverno.ClusterPolicy, patchedResource []byte, roles, clusterRoles []string) (bool, string) { - glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", - request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation) +func (ws *WebhookServer) HandleValidation( + request *v1beta1.AdmissionRequest, + policies []*kyverno.ClusterPolicy, + patchedResource []byte, + ctx *context.Context, + userRequestInfo kyverno.RequestInfo) (bool, string) { - evalTime := time.Now() + resourceName := request.Kind.Kind + "/" + request.Name + if request.Namespace != "" { + resourceName = request.Namespace + "/" + resourceName + } + + logger := ws.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation) // Get new and old resource - newR, oldR, err := extractResources(patchedResource, request) + newR, oldR, err := utils.ExtractResources(patchedResource, request) if err != nil { // as resource cannot be parsed, we skip processing - glog.Error(err) + logger.Error(err, "failed to extract resource") return true, "" } - userRequestInfo := kyverno.RequestInfo{ - Roles: roles, - ClusterRoles: clusterRoles, - AdmissionUserInfo: request.UserInfo} - // build context - ctx := context.NewContext() - // load incoming resource into the context - err = ctx.AddResource(request.Object.Raw) - if err != nil { - glog.Infof("Failed to load resource in context:%v", err) + + var deletionTimeStamp *metav1.Time + if reflect.DeepEqual(newR, unstructured.Unstructured{}) { + deletionTimeStamp = newR.GetDeletionTimestamp() + } else { + deletionTimeStamp = oldR.GetDeletionTimestamp() } - err = ctx.AddUserInfo(userRequestInfo) - if err != nil { - glog.Infof("Failed to load userInfo in context:%v", err) - } - - err = ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username) - if err != nil { - glog.Infof("Failed to load service account in context:%v", err) + if deletionTimeStamp != nil && request.Operation == v1beta1.Update { + return true, "" } policyContext := engine.PolicyContext{ @@ -59,11 +60,11 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol Context: ctx, AdmissionInfo: userRequestInfo, } + var engineResponses []response.EngineResponse for _, policy := range policies { - glog.V(2).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", - newR.GetKind(), newR.GetNamespace(), newR.GetName(), request.UID, request.Operation) - policyContext.Policy = policy + logger.V(3).Info("evaluating policy", "policy", policy.Name) + policyContext.Policy = *policy engineResponse := engine.Validate(policyContext) if reflect.DeepEqual(engineResponse, response.EngineResponse{}) { // we get an empty response if old and new resources created the same response @@ -75,17 +76,15 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol resp: engineResponse, }) if !engineResponse.IsSuccesful() { - glog.V(4).Infof("Failed to apply policy %s on resource %s/%s\n", policy.Name, newR.GetNamespace(), newR.GetName()) + logger.V(4).Info("failed to apply policy", "policy", policy.Name, "failed rules", engineResponse.GetFailedRules()) continue } - } - glog.V(4).Infof("eval: %v %s/%s/%s ", time.Since(evalTime), request.Kind, request.Namespace, request.Name) - // report time - reportTime := time.Now() + logger.Info("validation rules from policy applied succesfully", "policy", policy.Name) + } // If Validation fails then reject the request // no violations will be created on "enforce" - blocked := toBlockResource(engineResponses) + blocked := toBlockResource(engineResponses, logger) // REPORTING EVENTS // Scenario 1: @@ -97,19 +96,18 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol // Scenario 3: // all policies were applied succesfully. // create an event on the resource - events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update)) + events := generateEvents(engineResponses, blocked, (request.Operation == v1beta1.Update), logger) ws.eventGen.Add(events...) if blocked { - glog.V(4).Infof("resource %s/%s/%s is blocked\n", newR.GetKind(), newR.GetNamespace(), newR.GetName()) + logger.V(4).Info("resource blocked") return false, getEnforceFailureErrorMsg(engineResponses) } // ADD POLICY VIOLATIONS // violations are created with resource on "audit" - pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses) + pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger) ws.pvGenerator.Add(pvInfos...) // report time end - glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), request.Kind, request.Namespace, request.Name) return true, "" } diff --git a/samples/RequirePodRequestsLimits.md b/samples/RequirePodRequestsLimits.md index 173492b408..d49220391b 100644 --- a/samples/RequirePodRequestsLimits.md +++ b/samples/RequirePodRequestsLimits.md @@ -31,5 +31,4 @@ spec: cpu: "?*" limits: memory: "?*" - cpu: "?*" ```` diff --git a/samples/best_practices/disallow_sysctls.yaml b/samples/best_practices/disallow_sysctls.yaml index acbe320e56..cde6e19c03 100644 --- a/samples/best_practices/disallow_sysctls.yaml +++ b/samples/best_practices/disallow_sysctls.yaml @@ -18,5 +18,5 @@ spec: message: "Changes to kernel paramaters are not allowed" pattern: spec: - securityContext: + =(securityContext): X(sysctls): null \ No newline at end of file diff --git a/samples/best_practices/require_pod_requests_limits.yaml b/samples/best_practices/require_pod_requests_limits.yaml index 3902b97c6b..175f5c01c7 100644 --- a/samples/best_practices/require_pod_requests_limits.yaml +++ b/samples/best_practices/require_pod_requests_limits.yaml @@ -26,5 +26,4 @@ spec: memory: "?*" cpu: "?*" limits: - memory: "?*" - cpu: "?*" \ No newline at end of file + memory: "?*" \ No newline at end of file diff --git a/scripts/install-cli.sh b/scripts/install-cli.sh new file mode 100755 index 0000000000..dbe33b1f89 --- /dev/null +++ b/scripts/install-cli.sh @@ -0,0 +1,337 @@ +#!/bin/sh +set -e +# Code generated by godownloader on 2020-06-04T12:59:08Z. DO NOT EDIT. +# + +usage() { + this=$1 + cat </dev/null +} +echoerr() { + echo "$@" 1>&2 +} +log_prefix() { + echo "$0" +} +_logp=6 +log_set_priority() { + _logp="$1" +} +log_priority() { + if test -z "$1"; then + echo "$_logp" + return + fi + [ "$1" -le "$_logp" ] +} +log_tag() { + case $1 in + 0) echo "emerg" ;; + 1) echo "alert" ;; + 2) echo "crit" ;; + 3) echo "err" ;; + 4) echo "warning" ;; + 5) echo "notice" ;; + 6) echo "info" ;; + 7) echo "debug" ;; + *) echo "$1" ;; + esac +} +log_debug() { + log_priority 7 || return 0 + echoerr "$(log_prefix)" "$(log_tag 7)" "$@" +} +log_info() { + log_priority 6 || return 0 + echoerr "$(log_prefix)" "$(log_tag 6)" "$@" +} +log_err() { + log_priority 3 || return 0 + echoerr "$(log_prefix)" "$(log_tag 3)" "$@" +} +log_crit() { + log_priority 2 || return 0 + echoerr "$(log_prefix)" "$(log_tag 2)" "$@" +} +uname_os() { + os=$(uname -s | tr '[:upper:]' '[:lower:]') + case "$os" in + cygwin_nt*) os="windows" ;; + mingw*) os="windows" ;; + msys_nt*) os="windows" ;; + esac + echo "$os" +} +uname_arch() { + arch=$(uname -m) + case $arch in + x86_64) arch="amd64" ;; + x86) arch="386" ;; + i686) arch="386" ;; + i386) arch="386" ;; + aarch64) arch="arm64" ;; + armv5*) arch="armv5" ;; + armv6*) arch="armv6" ;; + armv7*) arch="armv7" ;; + esac + echo ${arch} +} +uname_os_check() { + os=$(uname_os) + case "$os" in + darwin) return 0 ;; + dragonfly) return 0 ;; + freebsd) return 0 ;; + linux) return 0 ;; + android) return 0 ;; + nacl) return 0 ;; + netbsd) return 0 ;; + openbsd) return 0 ;; + plan9) return 0 ;; + solaris) return 0 ;; + windows) return 0 ;; + esac + log_crit "uname_os_check '$(uname -s)' got converted to '$os' which is not a GOOS value. Please file bug at https://github.com/client9/shlib" + return 1 +} +uname_arch_check() { + arch=$(uname_arch) + case "$arch" in + 386) return 0 ;; + amd64) return 0 ;; + arm64) return 0 ;; + armv5) return 0 ;; + armv6) return 0 ;; + armv7) return 0 ;; + ppc64) return 0 ;; + ppc64le) return 0 ;; + mips) return 0 ;; + mipsle) return 0 ;; + mips64) return 0 ;; + mips64le) return 0 ;; + s390x) return 0 ;; + amd64p32) return 0 ;; + esac + log_crit "uname_arch_check '$(uname -m)' got converted to '$arch' which is not a GOARCH value. Please file bug report at https://github.com/client9/shlib" + return 1 +} +untar() { + tarball=$1 + case "${tarball}" in + *.tar.gz | *.tgz) tar --no-same-owner -xzf "${tarball}" ;; + *.tar) tar --no-same-owner -xf "${tarball}" ;; + *.zip) unzip "${tarball}" ;; + *) + log_err "untar unknown archive format for ${tarball}" + return 1 + ;; + esac +} +http_download_curl() { + local_file=$1 + source_url=$2 + header=$3 + if [ -z "$header" ]; then + code=$(curl -w '%{http_code}' -sL -o "$local_file" "$source_url") + else + code=$(curl -w '%{http_code}' -sL -H "$header" -o "$local_file" "$source_url") + fi + if [ "$code" != "200" ]; then + log_debug "http_download_curl received HTTP status $code" + return 1 + fi + return 0 +} +http_download_wget() { + local_file=$1 + source_url=$2 + header=$3 + if [ -z "$header" ]; then + wget -q -O "$local_file" "$source_url" + else + wget -q --header "$header" -O "$local_file" "$source_url" + fi +} +http_download() { + log_debug "http_download $2" + if is_command curl; then + http_download_curl "$@" + return + elif is_command wget; then + http_download_wget "$@" + return + fi + log_crit "http_download unable to find wget or curl" + return 1 +} +http_copy() { + tmp=$(mktemp) + http_download "${tmp}" "$1" "$2" || return 1 + body=$(cat "$tmp") + rm -f "${tmp}" + echo "$body" +} +github_release() { + owner_repo=$1 + version=$2 + test -z "$version" && version="latest" + giturl="https://github.com/${owner_repo}/releases/${version}" + json=$(http_copy "$giturl" "Accept:application/json") + test -z "$json" && return 1 + version=$(echo "$json" | tr -s '\n' ' ' | sed 's/.*"tag_name":"//' | sed 's/".*//') + test -z "$version" && return 1 + echo "$version" +} +hash_sha256() { + TARGET=${1:-/dev/stdin} + if is_command gsha256sum; then + hash=$(gsha256sum "$TARGET") || return 1 + echo "$hash" | cut -d ' ' -f 1 + elif is_command sha256sum; then + hash=$(sha256sum "$TARGET") || return 1 + echo "$hash" | cut -d ' ' -f 1 + elif is_command shasum; then + hash=$(shasum -a 256 "$TARGET" 2>/dev/null) || return 1 + echo "$hash" | cut -d ' ' -f 1 + elif is_command openssl; then + hash=$(openssl -dst openssl dgst -sha256 "$TARGET") || return 1 + echo "$hash" | cut -d ' ' -f a + else + log_crit "hash_sha256 unable to find command to compute sha-256 hash" + return 1 + fi +} +hash_sha256_verify() { + TARGET=$1 + checksums=$2 + if [ -z "$checksums" ]; then + log_err "hash_sha256_verify checksum file not specified in arg2" + return 1 + fi + BASENAME=${TARGET##*/} + want=$(grep "${BASENAME}" "${checksums}" 2>/dev/null | tr '\t' ' ' | cut -d ' ' -f 1) + if [ -z "$want" ]; then + log_err "hash_sha256_verify unable to find checksum for '${TARGET}' in '${checksums}'" + return 1 + fi + got=$(hash_sha256 "$TARGET") + if [ "$want" != "$got" ]; then + log_err "hash_sha256_verify checksum for '$TARGET' did not verify ${want} vs $got" + return 1 + fi +} +cat /dev/null <