1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00

feat: re-evaluate policy exceptions for existing resources and modify reports accordingly (#8659)

* feat: re-evaluate policy exceptions for existing resources and modify reports accordingly

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: use v2 of exceptions

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw test

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: use properties in the reports result

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-01-17 20:00:15 +02:00 committed by GitHub
parent a9e3ca20b2
commit f0564b3019
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 114 additions and 18 deletions

View file

@ -63,6 +63,7 @@ func createReportControllers(
}
kyvernoV1 := kyvernoInformer.Kyverno().V1()
kyvernoV2beta1 := kyvernoInformer.Kyverno().V2beta1()
if backgroundScan || admissionReports {
resourceReportController := resourcereportcontroller.NewController(
client,
@ -112,6 +113,7 @@ func createReportControllers(
metadataFactory,
kyvernoV1.Policies(),
kyvernoV1.ClusterPolicies(),
kyvernoV2beta1.PolicyExceptions(),
vapInformer,
kubeInformer.Core().V1().Namespaces(),
resourceReportController,

View file

@ -7,10 +7,13 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
"github.com/kyverno/kyverno/pkg/clients/dclient"
"github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/controllers"
@ -54,6 +57,7 @@ type controller struct {
// listers
polLister kyvernov1listers.PolicyLister
cpolLister kyvernov1listers.ClusterPolicyLister
polexLister kyvernov2beta1listers.PolicyExceptionLister
vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
bgscanrLister cache.GenericLister
cbgscanrLister cache.GenericLister
@ -80,6 +84,7 @@ func NewController(
metadataFactory metadatainformers.SharedInformerFactory,
polInformer kyvernov1informers.PolicyInformer,
cpolInformer kyvernov1informers.ClusterPolicyInformer,
polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
nsInformer corev1informers.NamespaceInformer,
metadataCache resource.MetadataCache,
@ -98,6 +103,7 @@ func NewController(
engine: engine,
polLister: polInformer.Lister(),
cpolLister: cpolInformer.Lister(),
polexLister: polexInformer.Lister(),
bgscanrLister: bgscanr.Lister(),
cbgscanrLister: cbgscanr.Lister(),
nsLister: nsInformer.Lister(),
@ -121,6 +127,9 @@ func NewController(
if _, err := controllerutils.AddEventHandlersT(cpolInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy); err != nil {
logger.Error(err, "failed to register event handlers")
}
if _, err := controllerutils.AddEventHandlersT(polexInformer.Informer(), c.addException, c.updateException, c.deleteException); err != nil {
logger.Error(err, "failed to register event handlers")
}
c.metadataCache.AddEventHandler(func(eventType resource.EventType, uid types.UID, _ schema.GroupVersionKind, res resource.Resource) {
// if it's a deletion, nothing to do
if eventType == resource.Deleted {
@ -154,6 +163,20 @@ func (c *controller) deletePolicy(obj kyvernov1.PolicyInterface) {
c.enqueueResources()
}
func (c *controller) addException(obj *kyvernov2beta1.PolicyException) {
c.enqueueResources()
}
func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
if old.GetResourceVersion() != obj.GetResourceVersion() {
c.enqueueResources()
}
}
func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) {
c.enqueueResources()
}
func (c *controller) addVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
c.enqueueResources()
}
@ -198,7 +221,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) {
}
}
func (c *controller) needsReconcile(namespace, name, hash string, policies ...engineapi.GenericPolicy) (bool, bool, error) {
func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2beta1.PolicyException, policies ...engineapi.GenericPolicy) (bool, bool, error) {
// if the reportMetadata does not exist, we need a full reconcile
reportMetadata, err := c.getMeta(namespace, name)
if err != nil {
@ -225,11 +248,14 @@ func (c *controller) needsReconcile(namespace, name, hash string, policies ...en
return true, true, nil
}
}
// if a policy changed, we need a partial reconcile
// if a policy or an exception changed, we need a partial reconcile
expected := map[string]string{}
for _, policy := range policies {
expected[reportutils.PolicyLabel(policy)] = policy.GetResourceVersion()
}
for _, exception := range exceptions {
expected[reportutils.PolicyExceptionLabel(exception)] = exception.GetResourceVersion()
}
actual := map[string]string{}
for key, value := range reportMetadata.GetLabels() {
if reportutils.IsPolicyLabel(key) {
@ -251,6 +277,7 @@ func (c *controller) reconcileReport(
uid types.UID,
gvk schema.GroupVersionKind,
resource resource.Resource,
exceptions []kyvernov2beta1.PolicyException,
policies ...engineapi.GenericPolicy,
) error {
// namespace labels to be used by the scanner
@ -280,6 +307,10 @@ func (c *controller) reconcileReport(
for _, policy := range policies {
expected[reportutils.PolicyLabel(policy)] = policy.GetResourceVersion()
}
for _, exception := range exceptions {
expected[reportutils.PolicyExceptionLabel(exception)] = exception.GetResourceVersion()
}
actual := map[string]string{}
for key, value := range observed.GetLabels() {
if reportutils.IsPolicyLabel(key) {
@ -302,18 +333,34 @@ func (c *controller) reconcileReport(
}
policyNameToLabel[key] = reportutils.PolicyLabel(policy)
}
// keep up to date results
for _, exception := range exceptions {
key, err := cache.MetaNamespaceKeyFunc(exception)
if err != nil {
return err
}
policyNameToLabel[key] = reportutils.PolicyExceptionLabel(exception)
}
for _, result := range observed.GetResults() {
// if the policy did not change, keep the result
label := policyNameToLabel[result.Policy]
if label != "" && expected[label] == actual[label] {
exceptionLabel := policyNameToLabel[result.Properties["exception"]]
if (label != "" && expected[label] == actual[label]) || (exceptionLabel != "" && expected[exceptionLabel] == actual[exceptionLabel]) {
ruleResults = append(ruleResults, result)
}
}
}
// calculate necessary results
for _, policy := range policies {
if full || actual[reportutils.PolicyLabel(policy)] != policy.GetResourceVersion() {
reevaluate := false
for _, polex := range exceptions {
if actual[reportutils.PolicyExceptionLabel(polex)] != polex.GetResourceVersion() {
reevaluate = true
break
}
}
if full || reevaluate || actual[reportutils.PolicyLabel(policy)] != policy.GetResourceVersion() {
scanner := utils.NewScanner(logger, c.engine, c.config, c.jp)
for _, result := range scanner.ScanResource(ctx, *target, nsLabels, policy) {
if result.Error != nil {
@ -334,6 +381,9 @@ func (c *controller) reconcileReport(
for _, policy := range policies {
reportutils.SetPolicyLabel(desired, policy)
}
for _, exception := range exceptions {
reportutils.SetPolicyExceptionLabel(desired, exception)
}
reportutils.SetResourceVersionLabels(desired, target)
reportutils.SetResults(desired, ruleResults...)
if full || !controllerutils.HasAnnotation(desired, annotationLastScanTime) {
@ -418,15 +468,20 @@ func (c *controller) reconcile(ctx context.Context, log logr.Logger, key, namesp
policies = append(policies, engineapi.NewValidatingAdmissionPolicy(pol))
}
}
// load policy exceptions with background process enabled
exceptions, err := utils.FetchPolicyExceptions(c.polexLister, namespace)
if err != nil {
return err
}
// we have the resource, check if we need to reconcile
if needsReconcile, full, err := c.needsReconcile(namespace, name, resource.Hash, policies...); err != nil {
if needsReconcile, full, err := c.needsReconcile(namespace, name, resource.Hash, exceptions, policies...); err != nil {
return err
} else {
defer func() {
c.queue.AddAfter(key, c.forceDelay)
}()
if needsReconcile {
return c.reconcileReport(ctx, namespace, name, full, uid, gvk, resource, policies...)
return c.reconcileReport(ctx, namespace, name, full, uid, gvk, resource, exceptions, policies...)
}
}
return nil

View file

@ -4,8 +4,10 @@ import (
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
"github.com/kyverno/kyverno/pkg/autogen"
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
@ -109,6 +111,20 @@ func FetchPolicies(polLister kyvernov1listers.PolicyLister, namespace string) ([
return policies, nil
}
func FetchPolicyExceptions(polexLister kyvernov2beta1listers.PolicyExceptionLister, namespace string) ([]kyvernov2beta1.PolicyException, error) {
var exceptions []kyvernov2beta1.PolicyException
if polexs, err := polexLister.PolicyExceptions(namespace).List(labels.Everything()); err != nil {
return nil, err
} else {
for _, polex := range polexs {
if polex.Spec.BackgroundProcessingEnabled() {
exceptions = append(exceptions, *polex)
}
}
}
return exceptions, nil
}
func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister) ([]admissionregistrationv1alpha1.ValidatingAdmissionPolicy, error) {
var policies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy
if pols, err := vapLister.List(labels.Everything()); err != nil {

View file

@ -10,6 +10,7 @@ import (
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -31,13 +32,14 @@ const (
LabelDomainPolicy = "pol.kyverno.io"
LabelPrefixClusterPolicy = LabelDomainClusterPolicy + "/"
LabelPrefixPolicy = LabelDomainPolicy + "/"
LabelPrefixPolicyException = "polex.kyverno.io/"
LabelPrefixValidatingAdmissionPolicy = "validatingadmissionpolicy.apiserver.io/"
// aggregated admission report label
LabelAggregatedReport = "audit.kyverno.io/report.aggregate"
)
func IsPolicyLabel(label string) bool {
return strings.HasPrefix(label, LabelPrefixPolicy) || strings.HasPrefix(label, LabelPrefixClusterPolicy)
return strings.HasPrefix(label, LabelPrefixPolicy) || strings.HasPrefix(label, LabelPrefixClusterPolicy) || strings.HasPrefix(label, LabelPrefixPolicyException)
}
func PolicyNameFromLabel(namespace, label string) (string, error) {
@ -73,6 +75,10 @@ func PolicyLabel(policy engineapi.GenericPolicy) string {
return PolicyLabelPrefix(policy) + policy.GetName()
}
func PolicyExceptionLabel(exception kyvernov2beta1.PolicyException) string {
return LabelPrefixPolicyException + exception.GetName()
}
func CleanupKyvernoLabels(obj metav1.Object) {
labels := obj.GetLabels()
for key := range labels {
@ -134,6 +140,10 @@ func SetPolicyLabel(report kyvernov1alpha2.ReportInterface, policy engineapi.Gen
controllerutils.SetLabel(report, PolicyLabel(policy), policy.GetResourceVersion())
}
func SetPolicyExceptionLabel(report kyvernov1alpha2.ReportInterface, exception kyvernov2beta1.PolicyException) {
controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion())
}
func GetResourceUid(report metav1.Object) types.UID {
return types.UID(controllerutils.GetLabel(report, LabelResourceUid))
}

View file

@ -107,6 +107,11 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
Category: annotations[kyverno.AnnotationPolicyCategory],
Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
}
if ruleResult.Exception() != nil {
result.Properties = map[string]string{
"exception": ruleResult.Exception().Name,
}
}
pss := ruleResult.PodSecurityChecks()
if pss != nil {
var controls []string

View file

@ -15,6 +15,8 @@ results:
rule: require-team
scored: true
source: kyverno
properties:
exception: mynewpolex
summary:
error: 0
fail: 0

View file

@ -5,8 +5,12 @@ It makes sure the generated background scan report contains a skipped result ins
## Steps
1. - Create a cluster policy
1. - Create a confimap named `emergency`
2. - Create a cluster policy
- Assert the policy becomes ready
1. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
1. - Try to create a confimap named `emergency`
1. - Assert that a policy report exists with a skipped result
3. - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
4. - Assert that a policy report exists with a skipped result
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/7287

View file

@ -8,19 +8,19 @@ spec:
- name: step-01
try:
- apply:
file: policy.yaml
file: configmap.yaml
- assert:
file: policy-assert.yaml
file: configmap.yaml
- name: step-02
try:
- apply:
file: exception.yaml
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-03
try:
- apply:
file: configmap.yaml
- assert:
file: configmap.yaml
file: exception.yaml
- name: step-04
try:
- assert:

View file

@ -15,6 +15,8 @@ results:
rule: require-team
scored: true
source: kyverno
properties:
exception: mynewpolex
summary:
error: 0
fail: 0