diff --git a/pkg/config/config.go b/pkg/config/config.go index 5ee546e385..d658df547c 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -15,6 +15,10 @@ const ( ValidatingWebhookConfigurationDebug = "kyverno-validating-webhook-cfg-debug" ValidatingWebhookName = "nirmata.kyverno.validating-webhook" + PolicyValidatingWebhookConfigurationName = "kyverno-policy-validating-webhook-cfg" + PolicyValidatingWebhookConfigurationDebug = "kyverno-policy-validating-webhook-cfg-debug" + PolicyValidatingWebhookName = "nirmata.kyverno.policy-validating-webhook" + // Due to kubernetes issue, we must use next literal constants instead of deployment TypeMeta fields // Issue: https://github.com/kubernetes/kubernetes/pull/63972 // When the issue is closed, we should use TypeMeta struct instead of this constants @@ -24,9 +28,10 @@ const ( ) var ( - MutatingWebhookServicePath = "/mutate" - ValidatingWebhookServicePath = "/validate" - KubePolicyAppLabels = map[string]string{ + MutatingWebhookServicePath = "/mutate" + ValidatingWebhookServicePath = "/validate" + PolicyValidatingWebhookServicePath = "/policyvalidate" + KubePolicyAppLabels = map[string]string{ "app": "kyverno", } diff --git a/pkg/webhooks/registration.go b/pkg/webhooks/registration.go index e44f238a05..5056f9ee84 100644 --- a/pkg/webhooks/registration.go +++ b/pkg/webhooks/registration.go @@ -4,6 +4,7 @@ import ( "errors" "fmt" "io/ioutil" + "strings" "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/config" @@ -67,6 +68,16 @@ func (wrc *WebhookRegistrationClient) Register() error { return err } + policyValidationWebhookConfig, err := wrc.contructPolicyValidatingWebhookConfig() + if err != nil { + return err + } + + _, err = wrc.registrationClient.ValidatingWebhookConfigurations().Create(policyValidationWebhookConfig) + if err != nil { + return err + } + return nil } @@ -77,11 +88,13 @@ func (wrc *WebhookRegistrationClient) Deregister() { if wrc.serverIP != "" { wrc.registrationClient.MutatingWebhookConfigurations().Delete(config.MutatingWebhookConfigurationDebug, &meta.DeleteOptions{}) wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.ValidatingWebhookConfigurationDebug, &meta.DeleteOptions{}) + wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.PolicyValidatingWebhookConfigurationDebug, &meta.DeleteOptions{}) return } wrc.registrationClient.MutatingWebhookConfigurations().Delete(config.MutatingWebhookConfigurationName, &meta.DeleteOptions{}) wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.ValidatingWebhookConfigurationName, &meta.DeleteOptions{}) + wrc.registrationClient.ValidatingWebhookConfigurations().Delete(config.PolicyValidatingWebhookConfigurationName, &meta.DeleteOptions{}) } func (wrc *WebhookRegistrationClient) constructMutatingWebhookConfig(configuration *rest.Config) (*admregapi.MutatingWebhookConfiguration, error) { @@ -175,7 +188,7 @@ func (wrc *WebhookRegistrationClient) contructDebugValidatingWebhookConfig(caDat return &admregapi.ValidatingWebhookConfiguration{ ObjectMeta: meta.ObjectMeta{ - Name: config.ValidatingWebhookConfigurationName, + Name: config.ValidatingWebhookConfigurationDebug, Labels: config.KubePolicyAppLabels, }, Webhooks: []admregapi.Webhook{ @@ -187,7 +200,63 @@ func (wrc *WebhookRegistrationClient) contructDebugValidatingWebhookConfig(caDat } } +func (wrc *WebhookRegistrationClient) contructPolicyValidatingWebhookConfig() (*admregapi.ValidatingWebhookConfiguration, error) { + // Check if ca is defined in the secret tls-ca + // assume the key and signed cert have been defined in secret tls.kyverno + caData := wrc.client.ReadRootCASecret() + if len(caData) == 0 { + // load the CA from kubeconfig + caData = extractCA(wrc.clientConfig) + } + if len(caData) == 0 { + return nil, errors.New("Unable to extract CA data from configuration") + } + + if wrc.serverIP != "" { + return wrc.contructDebugPolicyValidatingWebhookConfig(caData), nil + } + + return &admregapi.ValidatingWebhookConfiguration{ + ObjectMeta: meta.ObjectMeta{ + Name: config.PolicyValidatingWebhookConfigurationName, + Labels: config.KubePolicyAppLabels, + OwnerReferences: []meta.OwnerReference{ + wrc.constructOwner(), + }, + }, + Webhooks: []admregapi.Webhook{ + constructWebhook( + config.PolicyValidatingWebhookName, + config.PolicyValidatingWebhookServicePath, + caData), + }, + }, nil +} + +func (wrc *WebhookRegistrationClient) contructDebugPolicyValidatingWebhookConfig(caData []byte) *admregapi.ValidatingWebhookConfiguration { + url := fmt.Sprintf("https://%s%s", wrc.serverIP, config.PolicyValidatingWebhookServicePath) + glog.V(3).Infof("Debug PolicyValidatingWebhookConfig is registered with url %s\n", url) + + return &admregapi.ValidatingWebhookConfiguration{ + ObjectMeta: meta.ObjectMeta{ + Name: config.PolicyValidatingWebhookConfigurationDebug, + Labels: config.KubePolicyAppLabels, + }, + Webhooks: []admregapi.Webhook{ + constructDebugWebhook( + config.PolicyValidatingWebhookName, + url, + caData), + }, + } +} + func constructWebhook(name, servicePath string, caData []byte) admregapi.Webhook { + resource := "*/*" + if servicePath == config.PolicyValidatingWebhookServicePath { + resource = "policies/*" + } + return admregapi.Webhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{ @@ -212,7 +281,7 @@ func constructWebhook(name, servicePath string, caData []byte) admregapi.Webhook "*", }, Resources: []string{ - "*/*", + resource, }, }, }, @@ -221,6 +290,11 @@ func constructWebhook(name, servicePath string, caData []byte) admregapi.Webhook } func constructDebugWebhook(name, url string, caData []byte) admregapi.Webhook { + resource := "*/*" + if strings.Contains(url, config.PolicyValidatingWebhookServicePath) { + resource = "policies/*" + } + return admregapi.Webhook{ Name: name, ClientConfig: admregapi.WebhookClientConfig{ @@ -241,7 +315,7 @@ func constructDebugWebhook(name, url string, caData []byte) admregapi.Webhook { "*", }, Resources: []string{ - "*/*", + resource, }, }, }, diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index 4ce8508d0f..4a09a3f111 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -67,6 +67,7 @@ func NewWebhookServer( mux := http.NewServeMux() mux.HandleFunc(config.MutatingWebhookServicePath, ws.serve) mux.HandleFunc(config.ValidatingWebhookServicePath, ws.serve) + mux.HandleFunc(config.PolicyValidatingWebhookServicePath, ws.serve) ws.server = http.Server{ Addr: ":443", // Listen on port for HTTPS requests @@ -98,15 +99,11 @@ func (ws *WebhookServer) serve(w http.ResponseWriter, r *http.Request) { admissionReview.Response = ws.HandleMutation(admissionReview.Request) case config.ValidatingWebhookServicePath: admissionReview.Response = ws.HandleValidation(admissionReview.Request) + case config.PolicyValidatingWebhookServicePath: + admissionReview.Response = ws.HandlePolicyValidation(admissionReview.Request) } } - // validateUniqueRuleName MUST be called after admission webhook - // otherwise admissionReview.Response will be overwritten - if admissionReview.Request.Kind.Kind == policyKind { - admissionReview.Response = ws.validateUniqueRuleName(admissionReview.Request.Object.Raw) - } - admissionReview.Response.UID = admissionReview.Request.UID responseJSON, err := json.Marshal(admissionReview) @@ -391,6 +388,10 @@ func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer htt return admissionReview } +func (ws *WebhookServer) HandlePolicyValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { + return ws.validateUniqueRuleName(request.Object.Raw) +} + func (ws *WebhookServer) validateUniqueRuleName(rawPolicy []byte) *v1beta1.AdmissionResponse { var policy *policyv1.Policy var ruleNames []string @@ -413,6 +414,7 @@ func (ws *WebhookServer) validateUniqueRuleName(rawPolicy []byte) *v1beta1.Admis } } + glog.V(3).Infof("Policy validation passed.") return &v1beta1.AdmissionResponse{ Allowed: true, }