mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-04-08 10:04:25 +00:00
Code Activity

ignore non-policy files while loading

Browse source
This commit is contained in:
Jim Bugwadia 2020-12-06 10:57:20 -08:00
parent c80ac553f8
commit c766512485
5 changed files with 97 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

95
pkg/kyverno/apply/command.go
View file

@ -18,7 +18,7 @@ import (
"github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/kyverno/common"
sanitizedError "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/openapi"
policy2 "github.com/kyverno/kyverno/pkg/policy"
"github.com/kyverno/kyverno/pkg/utils"
@ -59,18 +59,7 @@ type SkippedPolicy struct {
Variable string `json:"variable"`
}
func Command() *cobra.Command {
var cmd *cobra.Command
var resourcePaths []string
var cluster, policyReport bool
var mutateLogPath, variablesString, valuesFile, namespace string
kubernetesConfig := genericclioptions.NewConfigFlags(true)
cmd = &cobra.Command{
Use: "apply",
Short: "applies policies on resources",
Example: fmt.Sprintf(`
var applyHelp = `
To apply on a resource:
kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resource1 --resource=/path/to/resource2
@ -112,12 +101,25 @@ To apply policy with variables:
<variable1 in policy2>: <value>
<variable2 in policy2>: <value>
More info: https://kyverno.io/docs/kyverno-cli/
`),
More info: https://kyverno.io/docs/kyverno-cli/
`
func Command() *cobra.Command {
var cmd *cobra.Command
var resourcePaths []string
var cluster, policyReport bool
var mutateLogPath, variablesString, valuesFile, namespace string
kubernetesConfig := genericclioptions.NewConfigFlags(true)
cmd = &cobra.Command{
Use: "apply",
Short: "applies policies on resources",
Example: applyHelp,
RunE: func(cmd *cobra.Command, policyPaths []string) (err error) {
defer func() {
if err != nil {
if !sanitizedError.IsErrorSanitized(err) {
if !sanitizederror.IsErrorSanitized(err) {
log.Log.Error(err, "failed to sanitize")
err = fmt.Errorf("internal error")
}
@ -125,20 +127,20 @@ To apply policy with variables:
}()
if valuesFile != "" && variablesString != "" {
return sanitizedError.NewWithError("pass the values either using set flag or values_file flag", err)
return sanitizederror.NewWithError("pass the values either using set flag or values_file flag", err)
}
variables, valuesMap, err := getVariable(variablesString, valuesFile)
if err != nil {
if !sanitizedError.IsErrorSanitized(err) {
return sanitizedError.NewWithError("failed to decode yaml", err)
if !sanitizederror.IsErrorSanitized(err) {
return sanitizederror.NewWithError("failed to decode yaml", err)
}
return err
}
openAPIController, err := openapi.NewOpenAPIController()
if err != nil {
return sanitizedError.NewWithError("failed to initialize openAPIController", err)
return sanitizederror.NewWithError("failed to initialize openAPIController", err)
}
var dClient *client.Client
@ -154,33 +156,30 @@ To apply policy with variables:
}
if len(policyPaths) == 0 {
return sanitizedError.NewWithError(fmt.Sprintf("require policy"), err)
return sanitizederror.NewWithError(fmt.Sprintf("require policy"), err)
}
policies, err := common.ValidateAndGetPolicies(policyPaths)
if err != nil {
if !sanitizedError.IsErrorSanitized(err) {
return sanitizedError.NewWithError("failed to mutate policies.", err)
}
return err
policies, errors := common.GetPolicies(policyPaths)
if len(errors) > 0 && len(policies) == 0 {
return sanitizederror.NewWithErrors("failed to read policies", errors)
}
if len(resourcePaths) == 0 && !cluster {
return sanitizedError.NewWithError(fmt.Sprintf("resource file(s) or cluster required"), err)
return sanitizederror.NewWithError(fmt.Sprintf("resource file(s) or cluster required"), err)
}
mutateLogPathIsDir, err := checkMutateLogPath(mutateLogPath)
if err != nil {
if !sanitizedError.IsErrorSanitized(err) {
return sanitizedError.NewWithError("failed to create file/folder", err)
if !sanitizederror.IsErrorSanitized(err) {
return sanitizederror.NewWithError("failed to create file/folder", err)
}
return err
}
mutatedPolicies, err := mutatePolices(policies)
if err != nil {
if !sanitizedError.IsErrorSanitized(err) {
return sanitizedError.NewWithError("failed to mutate policy", err)
if !sanitizederror.IsErrorSanitized(err) {
return sanitizederror.NewWithError("failed to mutate policy", err)
}
}
@ -244,12 +243,12 @@ To apply policy with variables:
}
if len(common.PolicyHasVariables(*policy)) > 0 && len(thisPolicyResourceValues) == 0 {
return sanitizedError.NewWithError(fmt.Sprintf("policy %s have variables. pass the values for the variables using set/values_file flag", policy.Name), err)
return sanitizederror.NewWithError(fmt.Sprintf("policy %s have variables. pass the values for the variables using set/values_file flag", policy.Name), err)
}
ers, validateErs, err := applyPolicyOnResource(policy, resource, mutateLogPath, mutateLogPathIsDir, thisPolicyResourceValues, rc, policyReport)
if err != nil {
return sanitizedError.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err)
return sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err)
}
engineResponses = append(engineResponses, ers...)
validateEngineResponses = append(validateEngineResponses, validateErs)
@ -285,17 +284,17 @@ func getVariable(variablesString, valuesFile string) (variables map[string]strin
if valuesFile != "" {
yamlFile, err := ioutil.ReadFile(valuesFile)
if err != nil {
return variables, valuesMap, sanitizedError.NewWithError("unable to read yaml", err)
return variables, valuesMap, sanitizederror.NewWithError("unable to read yaml", err)
}
valuesBytes, err := yaml.ToJSON(yamlFile)
if err != nil {
return variables, valuesMap, sanitizedError.NewWithError("failed to convert json", err)
return variables, valuesMap, sanitizederror.NewWithError("failed to convert json", err)
}
values := &Values{}
if err := json.Unmarshal(valuesBytes, values); err != nil {
return variables, valuesMap, sanitizedError.NewWithError("failed to decode yaml", err)
return variables, valuesMap, sanitizederror.NewWithError("failed to decode yaml", err)
}
for _, p := range values.Policies {
@ -323,8 +322,8 @@ func checkMutateLogPath(mutateLogPath string) (mutateLogPathIsDir bool, err erro
err := createFileOrFolder(mutateLogPath, mutateLogPathIsDir)
if err != nil {
if !sanitizedError.IsErrorSanitized(err) {
return mutateLogPathIsDir, sanitizedError.NewWithError("failed to create file/folder.", err)
if !sanitizederror.IsErrorSanitized(err) {
return mutateLogPathIsDir, sanitizederror.NewWithError("failed to create file/folder.", err)
}
return mutateLogPathIsDir, err
}
@ -345,7 +344,7 @@ func getResourceAccordingToResourcePath(resourcePaths []string, cluster bool, po
yamlBytes := []byte(resourceStr)
resources, err = common.GetResource(yamlBytes)
if err != nil {
return resources, sanitizedError.NewWithError("failed to extract the resources", err)
return resources, sanitizederror.NewWithError("failed to extract the resources", err)
}
}
} else if (len(resourcePaths) > 0 && resourcePaths[0] != "-") || len(resourcePaths) < 0 || cluster {
@ -434,7 +433,7 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
} else {
err := printMutatedOutput(mutateLogPath, mutateLogPathIsDir, string(yamlEncodedResource), resource.GetName()+"-mutated")
if err != nil {
return engineResponses, response.EngineResponse{}, sanitizedError.NewWithError("failed to print mutated result", err)
return engineResponses, response.EngineResponse{}, sanitizederror.NewWithError("failed to print mutated result", err)
}
fmt.Printf("\n\nMutation:\nMutation has been applied successfully. Check the files.")
}
@ -503,8 +502,8 @@ func mutatePolices(policies []*v1.ClusterPolicy) ([]*v1.ClusterPolicy, error) {
for _, policy := range policies {
p, err := common.MutatePolicy(policy, logger)
if err != nil {
if !sanitizedError.IsErrorSanitized(err) {
return nil, sanitizedError.NewWithError("failed to mutate policy.", err)
if !sanitizederror.IsErrorSanitized(err) {
return nil, sanitizederror.NewWithError("failed to mutate policy.", err)
}
return nil, err
}
@ -557,30 +556,30 @@ func createFileOrFolder(mutateLogPath string, mutateLogPathIsDir bool) error {
if os.IsNotExist(err) {
errDir := os.MkdirAll(folderPath, 0755)
if errDir != nil {
return sanitizedError.NewWithError(fmt.Sprintf("failed to create directory"), err)
return sanitizederror.NewWithError(fmt.Sprintf("failed to create directory"), err)
}
}
}
file, err := os.OpenFile(mutateLogPath, os.O_RDONLY|os.O_CREATE, 0644)
if err != nil {
return sanitizedError.NewWithError(fmt.Sprintf("failed to create file"), err)
return sanitizederror.NewWithError(fmt.Sprintf("failed to create file"), err)
}
err = file.Close()
if err != nil {
return sanitizedError.NewWithError(fmt.Sprintf("failed to close file"), err)
return sanitizederror.NewWithError(fmt.Sprintf("failed to close file"), err)
}
} else {
errDir := os.MkdirAll(mutateLogPath, 0755)
if errDir != nil {
return sanitizedError.NewWithError(fmt.Sprintf("failed to create directory"), err)
return sanitizederror.NewWithError(fmt.Sprintf("failed to create directory"), err)
}
}
} else {
return sanitizedError.NewWithError(fmt.Sprintf("failed to describe file"), err)
return sanitizederror.NewWithError(fmt.Sprintf("failed to describe file"), err)
}
}

54
pkg/kyverno/common/common.go
View file

@ -22,62 +22,52 @@ import (
)
// GetPolicies - Extracting the policies from multiple YAML
func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, error error) {
func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, errors []error) {
for _, path := range paths {
path = filepath.Clean(path)
fileDesc, err := os.Stat(path)
if err != nil {
return nil, err
errors = append(errors, err)
continue
}
if fileDesc.IsDir() {
files, err := ioutil.ReadDir(path)
if err != nil {
return nil, sanitizederror.NewWithError(fmt.Sprintf("failed to parse %v", path), err)
errors = append(errors, fmt.Errorf("failed to read %v: %v", path, err.Error()))
continue
}
listOfFiles := make([]string, 0)
for _, file := range files {
listOfFiles = append(listOfFiles, filepath.Join(path, file.Name()))
}
policiesFromDir, err := GetPolicies(listOfFiles)
policiesFromDir, errrosFromDir := GetPolicies(listOfFiles)
if err != nil {
return nil, sanitizederror.NewWithError(fmt.Sprintf("failed to extract policies from %v", listOfFiles), err)
errors = append(errors, errrosFromDir...)
continue
}
policies = append(policies, policiesFromDir...)
} else {
file, err := ioutil.ReadFile(path)
fileBytes, err := ioutil.ReadFile(path)
if err != nil {
return nil, sanitizederror.NewWithError(fmt.Sprintf("failed to load file %v", path), err)
}
getPolicies, getErrors := utils.GetPolicy(file)
var errString string
for _, err := range getErrors {
if err != nil {
errString += err.Error() + "\n"
}
}
if errString != "" {
fmt.Printf("failed to extract policies: %s\n", errString)
os.Exit(2)
errors = append(errors, fmt.Errorf("failed to read %v: %v", path, err.Error()))
continue
}
policies = append(policies, getPolicies...)
policiesFromFile, errorsFromFile := utils.GetPolicy(fileBytes)
if errorsFromFile != nil {
errors = append(errors, errorsFromFile...)
continue
}
policies = append(policies, policiesFromFile...)
}
}
return policies, nil
}
//ValidateAndGetPolicies - validating policies
func ValidateAndGetPolicies(policyPaths []string) ([]*v1.ClusterPolicy, error) {
policies, err := GetPolicies(policyPaths)
if err != nil {
if !sanitizederror.IsErrorSanitized(err) {
return nil, sanitizederror.NewWithError((fmt.Sprintf("failed to parse %v path/s.", policyPaths)), err)
}
return nil, err
}
return policies, nil
return policies, errors
}
// PolicyHasVariables - check for variables in the policy

16
pkg/kyverno/sanitizedError/error.go
View file

@ -1,6 +1,9 @@
package sanitizederror
import "fmt"
import (
"fmt"
"strings"
)
type customError struct {
message string
@ -10,9 +13,14 @@ func (c customError) Error() string {
return c.message
}
// New creates a new sanitized error with given message
func New(message string) error {
return customError{message: message}
func NewWithErrors(message string, errors []error) error {
bldr := strings.Builder{}
bldr.WriteString(message + "\n")
for _, err := range errors {
bldr.WriteString(err.Error() + "\n")
}
return fmt.Errorf(bldr.String())
}
// NewWithError creates a new sanitized error with given message and error

21
pkg/kyverno/validate/command.go
View file

@ -9,13 +9,13 @@ import (
v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/kyverno/common"
sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
"github.com/kyverno/kyverno/pkg/openapi"
policy2 "github.com/kyverno/kyverno/pkg/policy"
"github.com/kyverno/kyverno/pkg/utils"
"github.com/spf13/cobra"
log "sigs.k8s.io/controller-runtime/pkg/log"
yaml "sigs.k8s.io/yaml"
"sigs.k8s.io/controller-runtime/pkg/log"
"sigs.k8s.io/yaml"
)
// Command returns validate command
@ -27,12 +27,10 @@ func Command() *cobra.Command {
Short: "Validates kyverno policies",
Example: "kyverno validate /path/to/policy.yaml /path/to/folderOfPolicies",
RunE: func(cmd *cobra.Command, policyPaths []string) (err error) {
log := log.Log
defer func() {
if err != nil {
if !sanitizederror.IsErrorSanitized(err) {
log.Error(err, "failed to sanitize")
log.Log.Error(err, "failed to sanitize")
err = fmt.Errorf("internal error")
}
}
@ -72,12 +70,9 @@ func Command() *cobra.Command {
}
}
} else {
policies, err = common.ValidateAndGetPolicies(policyPaths)
if err != nil {
if !sanitizederror.IsErrorSanitized(err) {
return sanitizederror.NewWithError("failed to mutate policies.", err)
}
return err
policies, errs := common.GetPolicies(policyPaths)
if len(errs) > 0 && len(policies) == 0 {
return sanitizederror.NewWithErrors("failed to read policies", errs)
}
}
@ -109,7 +104,7 @@ func Command() *cobra.Command {
} else {
fmt.Printf("Policy %s is valid.\n\n", policy.Name)
if outputType != "" {
logger := log.WithName("validate")
logger := log.Log.WithName("validate")
p, err := common.MutatePolicy(policy, logger)
if err != nil {
if !sanitizederror.IsErrorSanitized(err) {

14
pkg/utils/loadpolicy.go
View file

@ -11,9 +11,9 @@ import (
"k8s.io/apimachinery/pkg/util/yaml"
)
// GetPolicy - Extracts policies from a YAML
func GetPolicy(file []byte) (clusterPolicies []*v1.ClusterPolicy, errors []error) {
policies, err := SplitYAMLDocuments(file)
// GetPolicy - extracts policies from YAML bytes
func GetPolicy(bytes []byte) (clusterPolicies []*v1.ClusterPolicy, errors []error) {
policies, err := SplitYAMLDocuments(bytes)
if err != nil {
errors = append(errors, err)
return clusterPolicies, errors
@ -22,20 +22,22 @@ func GetPolicy(file []byte) (clusterPolicies []*v1.ClusterPolicy, errors []error
for _, thisPolicyBytes := range policies {
policyBytes, err := yaml.ToJSON(thisPolicyBytes)
if err != nil {
errors = append(errors, fmt.Errorf(fmt.Sprintf("failed to convert json. error: %v", err)))
errors = append(errors, fmt.Errorf("failed to convert json. error: %v", err))
continue
}
policy := &v1.ClusterPolicy{}
if err := json.Unmarshal(policyBytes, policy); err != nil {
errors = append(errors, fmt.Errorf(fmt.Sprintf("failed to decode policy. error: %v", err)))
errors = append(errors, fmt.Errorf("failed to decode policy. error: %v", err))
continue
}
if !(policy.TypeMeta.Kind == "ClusterPolicy" || policy.TypeMeta.Kind == "Policy") {
errors = append(errors, fmt.Errorf(fmt.Sprintf("resource %v is not a policy/clusterPolicy", policy.Name)))
msg := fmt.Sprintf("resource %s/%s is not a Policy or a ClusterPolicy", policy.Kind, policy.Name)
errors = append(errors, fmt.Errorf(msg))
continue
}
clusterPolicies = append(clusterPolicies, policy)
}