mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

initial commit

Browse source
This commit is contained in:
shivkumar dudhani 2019-09-25 15:12:33 -07:00
parent 9992ab0f63
commit c65f12b97b
6 changed files with 756 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
View file

@ -14,5 +14,5 @@ spec:
pattern:
spec:
containers:
- (image): "*:latest"
- ^(image): "*:latest"
imagePullPolicy: "!IfNotPresent"

3
examples/best_practices/resources/resource_validate_image_tag_latest_deny.yaml
View file

@ -7,4 +7,5 @@ metadata:
spec:
containers:
- name: nginx
image: nginx:latest
image: nginx:latest
imagePullPolicy: NotPresent

4
examples/policy_validate_healthChecks.yaml
View file

@ -14,7 +14,7 @@ spec:
pattern:
spec:
containers:
- (name): "check-readiness"
- ^(name): "check-readiness"
readinessProbe:
successThreshold: ">1"
- name: check-livenessProbe-exists
@ -27,7 +27,7 @@ spec:
pattern:
spec:
containers:
- (name): "check-liveness"
- ^(name): "check-liveness"
livenessProbe:
httpGet:
path: "?*"

173
pkg/engine/anchor.go
View file

@ -7,6 +7,21 @@ import (
"github.com/golang/glog"
)
type ValidationHandler interface {
Handle(resourceMap map[string]interface{}, originPattenr interface{}) (string, bool, error)
}
func CreateElementHandler(element string, pattern interface{}, path string) ValidationHandler {
switch {
case isConditionAnchor(element):
return NewConditionAnchorHandler(element, pattern, path)
case isExistanceAnchor(element):
return NewExistanceHandler(element, pattern, path)
default:
return NewDefaultHandler(element, pattern, path)
}
}
// CreateAnchorHandler is a factory that create anchor handlers
func CreateAnchorHandler(anchor string, pattern interface{}, path string) ValidationAnchorHandler {
switch {
@ -19,6 +34,164 @@ func CreateAnchorHandler(anchor string, pattern interface{}, path string) Valida
}
}
func NewDefaultHandler(element string, pattern interface{}, path string) ValidationHandler {
return DefaultHandler{
element: element,
pattern: pattern,
path: path,
}
}
type DefaultHandler struct {
element string
pattern interface{}
path string
}
func (dh DefaultHandler) Handle(resourceMap map[string]interface{}, originPattern interface{}) (string, bool, error) {
// skip is used by existance anchor to not process further if condition is not satisfied
skip := false
currentPath := dh.path + dh.element + "/"
if dh.pattern == "*" && resourceMap[dh.element] != nil {
return "", skip, nil
} else if dh.pattern == "*" && resourceMap[dh.element] == nil {
return dh.path, skip, fmt.Errorf("Validation rule failed at %s, Field %s is not present", dh.path, dh.element)
} else {
path, err := validateResourceElement(resourceMap[dh.element], dh.pattern, originPattern, currentPath)
if err != nil {
return path, skip, err
}
}
return "", skip, nil
}
func NewConditionAnchorHandler(anchor string, pattern interface{}, path string) ValidationHandler {
return ConditionAnchorHandler{
anchor: anchor,
pattern: pattern,
path: path,
}
}
type ConditionAnchorHandler struct {
anchor string
pattern interface{}
path string
}
func (ch ConditionAnchorHandler) Handle(resourceMap map[string]interface{}, originPattern interface{}) (string, bool, error) {
// skip is used by existance anchor to not process further if condition is not satisfied
skip := false
var value interface{}
var currentPath string
var ok bool
// check for anchor condition
anchorSatisfied := func() bool {
anchorKey := removeAnchor(ch.anchor)
currentPath = ch.path + anchorKey + "/"
// check if anchor is present in resource
if value, ok = resourceMap[anchorKey]; ok {
// if the key exists then we process its values
return true
// return ValidateValueWithPattern(value, ch.pattern)
}
return false
}()
if !anchorSatisfied {
return "", skip, nil
}
path, err := validateResourceElement(value, ch.pattern, originPattern, currentPath)
if err != nil {
return path, skip, err
}
// evauluate the anchor and resource values
// for key, element := range resourceMap {
// currentPath := ch.path + key + "/"
// if !ValidateValueWithPattern(element, ch.pattern) {
// // the anchor does not match so ignore
// continue
// }
// path, err := validateResourceElement(element, ch.pattern, originPattern, currentPath)
// if err != nil {
// return path, err
// }
// }
return "", skip, nil
}
func NewExistanceHandler(anchor string, pattern interface{}, path string) ValidationHandler {
return ExistanceHandler{
anchor: anchor,
pattern: pattern,
path: path,
}
}
type ExistanceHandler struct {
anchor string
pattern interface{}
path string
}
func (eh ExistanceHandler) Handle(resourceMap map[string]interface{}, originPattern interface{}) (string, bool, error) {
// skip is used by existance anchor to not process further if condition is not satisfied
var value interface{}
var currentPath string
var ok bool
// anchoredEntries := 0
// check for anchor condition
anchorSatisfied := func() bool {
anchorKey := removeAnchor(eh.anchor)
currentPath = eh.path + anchorKey + "/"
// check if anchor is present in resource
if value, ok = resourceMap[anchorKey]; ok {
// if the key exists then validate
// not handled for arrays
// maps we only check if key exists
return ValidateValueWithPattern(value, eh.pattern)
}
return false
}()
if !anchorSatisfied {
// if the existance anchor is not satisfied then we dont process that node further
// so we skip processing further
return "", true, nil
}
// anchoredEntries++
path, err := validateResourceElement(value, eh.pattern, originPattern, currentPath)
if err != nil {
return path, false, err
}
// if anchoredEntries == 0 {
// return eh.path, fmt.Errorf("Existance anchor %s used, but no suitable entries were found", eh.anchor)
// }
return "", false, nil
// anchoredEntries := 0
// for key, element := range resourceMap {
// currentPath := eh.path + key + "/"
// // check for anchor condition
// if !ValidateValueWithPattern(element, eh.pattern) {
// // the anchor does not match so ignore
// continue
// }
// anchoredEntries++
// path, err := validateResourceElement(element, eh.pattern, originPattern, currentPath)
// if err != nil {
// return path, err
// }
// }
// if anchoredEntries == 0 {
// return eh.path, fmt.Errorf("Existance anchor %s used, but no suitable entries were found", eh.anchor)
// }
// return "", nil
}
// ValidationAnchorHandler is an interface that represents
// a family of anchor handlers for array of maps
// resourcePart must be an array of dictionaries

44
pkg/engine/validation.go
View file

@ -184,20 +184,22 @@ func validateResourceElement(resourceElement, patternElement, originPattern inte
// If validateResourceElement detects map element inside resource and pattern trees, it goes to validateMap
// For each element of the map we must detect the type again, so we pass these elements to validateResourceElement
func validateMap(resourceMap, patternMap map[string]interface{}, origPattern interface{}, path string) (string, error) {
// check if there is anchor in pattern
// anchor, pattern := getAnchorFromMap(patternMap)
for key, patternElement := range patternMap {
key = removeAnchor(key)
// The '*' pattern means that key exists and has value
if patternElement == "*" && resourceMap[key] != nil {
continue
} else if patternElement == "*" && resourceMap[key] == nil {
return path, fmt.Errorf("Validation rule failed at %s, Field %s is not present", path, key)
} else {
path, err := validateResourceElement(resourceMap[key], patternElement, origPattern, path+key+"/")
if err != nil {
return path, err
}
// get handler for each pattern in the pattern
// - Anchor
// - Existance
// - No Anchor(Default)
handler := CreateElementHandler(key, patternElement, path)
handlerPath, skip, err := handler.Handle(resourceMap, origPattern)
if err != nil {
return handlerPath, err
}
if skip {
// for existance anchor, if not present, then dont process the node in the tree further
return "", nil
}
}
@ -346,8 +348,18 @@ func getValueFromPattern(patternMap map[string]interface{}, keys []string, curre
// validateArrayOfMaps gets anchors from pattern array map element, applies anchors logic
// and then validates each map due to the pattern
func validateArrayOfMaps(resourceMapArray []interface{}, patternMap map[string]interface{}, originPattern interface{}, path string) (string, error) {
anchor, pattern := getAnchorFromMap(patternMap)
handler := CreateAnchorHandler(anchor, pattern, path)
return handler.Handle(resourceMapArray, patternMap, originPattern)
for i, resourceElement := range resourceMapArray {
// check the types of resource element
// expect it to be map, but can be anything ?:(
currentPath := path + strconv.Itoa(i) + "/"
//TODO: converting map to interface ???
returnpath, err := validateResourceElement(resourceElement, patternMap, originPattern, currentPath)
if err != nil {
return returnpath, err
}
}
return "", nil
// anchor, pattern := getAnchorFromMap(patternMap)
// handler := CreateAnchorHandler(anchor, pattern, path)
// return handler.Handle(resourceMapArray, patternMap, originPattern)
}

573
pkg/engine/validation_test.go
View file

@ -848,7 +848,7 @@ func TestValidateMapElement_TwoElementsInArrayOnePass(t *testing.T) {
"(name)":"nirmata-*",
"object":[
{
"(key1)":"value*",
"^(key1)":"value*",
"key2":"value*"
}
]
@ -881,7 +881,9 @@ func TestValidateMapElement_TwoElementsInArrayOnePass(t *testing.T) {
path, err := validateResourceElement(resource, pattern, pattern, "/")
assert.Equal(t, path, "")
assert.NilError(t, err)
// assert.Equal(t, path, "/1/object/0/key2/")
// assert.NilError(t, err)
assert.Assert(t, err == nil)
}
func TestValidateMapElement_OneElementInArrayPass(t *testing.T) {
@ -1306,15 +1308,13 @@ func TestValidateMap_AbsolutePathToMetadata(t *testing.T) {
"containers":[
{
"(name)":"$(/metadata/labels/app)",
"image":"nirmata.io*"
"(image)":"nirmata.io*"
}
]
}
}`)
rawMap := []byte(`{
"apiVersion":"apps/v1",
"kind":"Deployment",
"metadata":{
"labels":{
"app":"nirmata*"
@ -1323,14 +1323,6 @@ func TestValidateMap_AbsolutePathToMetadata(t *testing.T) {
"spec":{
"containers":[
{
"resources":{
"requests":{
"memory":"1024Mi"
},
"limits":{
"memory":"2048Mi"
}
},
"name":"nirmata"
}
]
@ -1346,6 +1338,48 @@ func TestValidateMap_AbsolutePathToMetadata(t *testing.T) {
assert.Assert(t, err == nil)
}
func TestValidateMap_AbsolutePathToMetadata_fail(t *testing.T) {
rawPattern := []byte(`{
"metadata":{
"labels":{
"app":"nirmata*"
}
},
"spec":{
"containers":[
{
"(name)":"$(/metadata/labels/app)",
"image":"nirmata.io*"
}
]
}
}`)
rawMap := []byte(`{
"metadata":{
"labels":{
"app":"nirmata*"
}
},
"spec":{
"containers":[
{
"name":"nirmata",
"image":"nginx"
}
]
}
}`)
var pattern, resource interface{}
json.Unmarshal(rawPattern, &pattern)
json.Unmarshal(rawMap, &resource)
path, err := validateResourceElement(resource, pattern, pattern, "/")
assert.Equal(t, path, "/spec/containers/0/image/")
assert.Assert(t, err != nil)
}
func TestValidateMap_AbosolutePathDoesNotExists(t *testing.T) {
rawPattern := []byte(`{
"spec":{
@ -1691,7 +1725,8 @@ func TestValidate_MapHasFloats(t *testing.T) {
assert.Assert(t, len(er.PolicyResponse.Rules) == 0)
}
func TestValidate_image_tag(t *testing.T) {
func TestValidate_image_tag_fail(t *testing.T) {
// If image tag is latest then imagepull policy needs to be checked
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
@ -1737,7 +1772,106 @@ func TestValidate_image_tag(t *testing.T) {
"spec": {
"containers": [
{
"(image)": "*latest",
"^(image)": "*latest",
"imagePullPolicy": "NotPresent"
}
]
}
}
}
}
]
}
}
`)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "myapp-pod",
"labels": {
"app": "myapp"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx:latest",
"imagePullPolicy": "Always"
}
]
}
}
`)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
// msgs := []string{
// "Validation rule 'validate-tag' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. An image tag is required",
// "Validation rule 'validate-latest' succesfully validated",
// }
er := Validate(policy, *resourceUnstructured)
for _, r := range er.PolicyResponse.Rules {
t.Log(r.Message)
// assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, !er.IsSuccesful())
}
func TestValidate_image_tag_pass(t *testing.T) {
// If image tag is latest then imagepull policy needs to be checked
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "validate-image"
},
"spec": {
"rules": [
{
"name": "validate-tag",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "An image tag is required",
"pattern": {
"spec": {
"containers": [
{
"image": "*:*"
}
]
}
}
}
},
{
"name": "validate-latest",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "imagePullPolicy 'Always' required with tag 'latest'",
"pattern": {
"spec": {
"containers": [
{
"^(image)": "*latest",
"imagePullPolicy": "Always"
}
]
@ -1764,7 +1898,8 @@ func TestValidate_image_tag(t *testing.T) {
"containers": [
{
"name": "nginx",
"image": "nginx"
"image": "nginx:latest",
"imagePullPolicy": "Always"
}
]
}
@ -1776,15 +1911,16 @@ func TestValidate_image_tag(t *testing.T) {
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
msgs := []string{
"Validation rule 'validate-tag' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. An image tag is required",
"Validation rule 'validate-latest' succesfully validated",
}
// msgs := []string{
// "Validation rule 'validate-tag' failed at '/spec/containers/0/image/' for resource Pod//myapp-pod. An image tag is required",
// "Validation rule 'validate-latest' succesfully validated",
// }
er := Validate(policy, *resourceUnstructured)
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
for _, r := range er.PolicyResponse.Rules {
t.Log(r.Message)
// assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, !er.IsSuccesful())
assert.Assert(t, er.IsSuccesful())
}
func TestValidate_Fail_anyPattern(t *testing.T) {
@ -1942,3 +2078,394 @@ func TestValidate_host_network_port(t *testing.T) {
}
assert.Assert(t, !er.IsSuccesful())
}
func TestValidate_anchor_arraymap_pass(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "validate-host-path"
},
"spec": {
"rules": [
{
"name": "validate-host-path",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "Host path '/var/lib/' is not allowed",
"pattern": {
"spec": {
"volumes": [
{
"name": "*",
"(hostPath)": {
"path": "!/var/lib"
}
}
]
}
}
}
}
]
}
}
`)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "image-with-hostpath",
"labels": {
"app.type": "prod",
"namespace": "my-namespace"
}
},
"spec": {
"containers": [
{
"name": "image-with-hostpath",
"image": "docker.io/nautiker/curl",
"volumeMounts": [
{
"name": "var-lib-etcd",
"mountPath": "/var/lib"
}
]
}
],
"volumes": [
{
"name": "var-lib-etcd",
"hostPath": {
"path": "/var/lib1"
}
}
]
}
} `)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(policy, *resourceUnstructured)
msgs := []string{"Validation rule 'validate-host-path' succesfully validated"}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, er.IsSuccesful())
}
func TestValidate_anchor_arraymap_fail(t *testing.T) {
rawPolicy := []byte(`
{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "validate-host-path"
},
"spec": {
"rules": [
{
"name": "validate-host-path",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "Host path '/var/lib/' is not allowed",
"pattern": {
"spec": {
"volumes": [
{
"name": "*",
"(hostPath)": {
"path": "!/var/lib"
}
}
]
}
}
}
}
]
}
}
`)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "image-with-hostpath",
"labels": {
"app.type": "prod",
"namespace": "my-namespace"
}
},
"spec": {
"containers": [
{
"name": "image-with-hostpath",
"image": "docker.io/nautiker/curl",
"volumeMounts": [
{
"name": "var-lib-etcd",
"mountPath": "/var/lib"
}
]
}
],
"volumes": [
{
"name": "var-lib-etcd",
"hostPath": {
"path": "/var/lib"
}
}
]
}
} `)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(policy, *resourceUnstructured)
msgs := []string{"Validation rule 'validate-host-path' failed at '/spec/volumes/0/hostPath/path/' for resource Pod//image-with-hostpath. Host path '/var/lib/' is not allowed"}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, !er.IsSuccesful())
}
func TestValidate_anchor_map_notfound(t *testing.T) {
// anchor not present in resource
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "policy-secaas-k8s"
},
"spec": {
"rules": [
{
"name": "pod rule 2",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "pod: validate run as non root user",
"pattern": {
"spec": {
"(securityContext)": {
"runAsNonRoot": true
}
}
}
}
}
]
}
} `)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "myapp-pod",
"labels": {
"app": "v1"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx"
}
]
}
}
`)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(policy, *resourceUnstructured)
msgs := []string{"Validation rule 'pod rule 2' succesfully validated"}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, er.IsSuccesful())
}
func TestValidate_anchor_map_found_valid(t *testing.T) {
// anchor not present in resource
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "policy-secaas-k8s"
},
"spec": {
"rules": [
{
"name": "pod rule 2",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "pod: validate run as non root user",
"pattern": {
"spec": {
"(securityContext)": {
"runAsNonRoot": true
}
}
}
}
}
]
}
} `)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "myapp-pod",
"labels": {
"app": "v1"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx"
}
],
"securityContext": {
"runAsNonRoot": true
}
}
}
`)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(policy, *resourceUnstructured)
msgs := []string{"Validation rule 'pod rule 2' succesfully validated"}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, er.IsSuccesful())
}
func TestValidate_anchor_map_found_invalid(t *testing.T) {
// anchor not present in resource
rawPolicy := []byte(`{
"apiVersion": "kyverno.io/v1alpha1",
"kind": "ClusterPolicy",
"metadata": {
"name": "policy-secaas-k8s"
},
"spec": {
"rules": [
{
"name": "pod rule 2",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"validate": {
"message": "pod: validate run as non root user",
"pattern": {
"spec": {
"(securityContext)": {
"runAsNonRoot": true
}
}
}
}
}
]
}
} `)
rawResource := []byte(`
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "myapp-pod",
"labels": {
"app": "v1"
}
},
"spec": {
"containers": [
{
"name": "nginx",
"image": "nginx"
}
],
"securityContext": {
"runAsNonRoot": false
}
}
}
`)
var policy kyverno.ClusterPolicy
json.Unmarshal(rawPolicy, &policy)
resourceUnstructured, err := ConvertToUnstructured(rawResource)
assert.NilError(t, err)
er := Validate(policy, *resourceUnstructured)
msgs := []string{"Validation rule 'pod rule 2' failed at '/spec/securityContext/runAsNonRoot/' for resource Pod//myapp-pod. pod: validate run as non root user"}
for index, r := range er.PolicyResponse.Rules {
assert.Equal(t, r.Message, msgs[index])
}
assert.Assert(t, !er.IsSuccesful())
}