From f34d3c342dfcd56d2820b20483b2bbaeaecaf981 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Wed, 23 Mar 2022 09:59:41 +0100 Subject: [PATCH] refactor: add ValidationFailureAction to the api (#3451) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché Co-authored-by: Prateek Pandey --- api/kyverno/v1/common_types.go | 6 ----- api/kyverno/v1/spec_types.go | 19 ++++++++++++++- charts/kyverno/templates/crds.yaml | 2 ++ config/crds/kyverno.io_clusterpolicies.yaml | 2 ++ config/crds/kyverno.io_policies.yaml | 2 ++ config/install.yaml | 4 ++++ config/install_debug.yaml | 4 ++++ docs/crd/v1/index.html | 26 +++++++++++++++++---- pkg/common/common.go | 8 ------- pkg/engine/response/response.go | 6 ++--- pkg/metrics/parsers.go | 6 ++--- pkg/policycache/cache.go | 4 ++-- pkg/policymutation/policymutation.go | 4 ++-- pkg/webhooks/common.go | 7 +++--- 14 files changed, 67 insertions(+), 33 deletions(-) diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 35caa4f4fe..be2ab6a293 100755 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -525,9 +525,3 @@ type ResourceSpec struct { // Name specifies the resource name. Name string `json:"name,omitempty" yaml:"name,omitempty"` } - -type ValidationFailureActionOverride struct { - // +kubebuilder:validation:Enum=audit;enforce - Action string `json:"action,omitempty" yaml:"action,omitempty"` - Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` -} diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index 3de485c7ba..6ba5528116 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go 
@@ -7,6 +7,23 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" ) +// ValidationFailureAction defines the policy validation failure action +type ValidationFailureAction string + +// Policy Reporting Modes +const ( + // Enforce blocks the request on failure + Enforce ValidationFailureAction = "enforce" + // Audit indicates not to block the request on failure, but report failiures as policy violations + Audit ValidationFailureAction = "audit" +) + +type ValidationFailureActionOverride struct { + // +kubebuilder:validation:Enum=audit;enforce + Action ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"` + Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` +} + // Spec contains a list of Rule instances and other policy controls. type Spec struct { // Rules is a list of Rule instances. A Policy contains multiple rules and @@ -24,7 +41,7 @@ type Spec struct { // and report an error in a policy report. Optional. The default value is "audit". // +optional // +kubebuilder:validation:Enum=audit;enforce - ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 41b0b32f42..9eb485acf0 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml @@ -1344,6 +1344,7 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation failure action enum: - audit - enforce 
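Review bot: The new exported `ValidationFailureActionOverride` struct and its `Action`/`Namespaces` fields carry no doc comment, and the `Audit` constant comment keeps the typo `failiures` from pkg/common. Suggest `// ValidationFailureActionOverride applies a ValidationFailureAction to the listed namespaces, overriding Spec.ValidationFailureAction for them.` above the struct, `// Action is the failure action applied in Namespaces; allowed values are "audit" and "enforce".` on the field, and `// Audit indicates not to block the request on failure, but report failures as policy violations` for the constant. Since the typed value is now compared against the two constants in several packages (parsers.go, webhooks/common.go further down in this patch), a single `func (a ValidationFailureAction) IsValid() bool { return a == Enforce || a == Audit }` on the type would give those callers one definition of validity; note that both fields are `omitempty`, so the CRD enum does not catch an absent value and the zero value `""` remains possible until the defaulting mutation (policymutation.go in this patch) patches it in.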
@@ -4782,6 +4783,7 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation failure action enum: - audit - enforce diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 8d465e2b13..491b11bffe 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -2145,6 +2145,8 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation + failure action enum: - audit - enforce diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index aefae23cc7..157e7b6e26 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -2146,6 +2146,8 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation + failure action enum: - audit - enforce diff --git a/config/install.yaml b/config/install.yaml index 25f9da55ba..f8b76dcad5 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -2161,6 +2161,8 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation + failure action enum: - audit - enforce @@ -7434,6 +7436,8 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation + failure action enum: - audit - enforce diff --git a/config/install_debug.yaml b/config/install_debug.yaml index 53792e7fa2..a1ca447a1a 100755 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml @@ -2150,6 +2150,8 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation + failure action enum: - audit - enforce @@ -7399,6 +7401,8 @@ spec: items: properties: action: + description: ValidationFailureAction defines the policy validation + failure action enum: - audit - enforce 
diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html index 05ac040c72..91be6477f6 100644 --- a/docs/crd/v1/index.html +++ b/docs/crd/v1/index.html @@ -397,7 +397,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.

validationFailureAction
-string + +ValidationFailureAction + @@ -1646,7 +1648,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.

validationFailureAction
-string + +ValidationFailureAction + @@ -2313,7 +2317,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.

validationFailureAction
-string + +ValidationFailureAction + @@ -2525,6 +2531,16 @@ Deny
+

ValidationFailureAction +(string alias)

+

+(Appears on: +Spec, +ValidationFailureActionOverride) +

+

+

ValidationFailureAction defines the policy validation failure action

+

ValidationFailureActionOverride

@@ -2545,7 +2561,9 @@ Deny action
-string + +ValidationFailureAction + diff --git a/pkg/common/common.go b/pkg/common/common.go index 9d983ba4f2..81e5655226 100644 --- a/pkg/common/common.go +++ b/pkg/common/common.go @@ -20,14 +20,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/log" ) -// Policy Reporting Modes -const ( - // Enforce blocks the request on failure - Enforce = "enforce" - // Audit indicates not to block the request on failure, but report failiures as policy violations - Audit = "audit" -) - // Policy Reporting Types const ( PolicyViolation = "POLICYVIOLATION" diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go index 6eec128eba..464a080b53 100644 --- a/pkg/engine/response/response.go +++ b/pkg/engine/response/response.go @@ -31,7 +31,7 @@ type PolicyResponse struct { // rule response Rules []RuleResponse `json:"rules"` // ValidationFailureAction: audit (default) or enforce - ValidationFailureAction string + ValidationFailureAction kyverno.ValidationFailureAction ValidationFailureActionOverrides []ValidationFailureActionOverride } @@ -177,6 +177,6 @@ func (er EngineResponse) getRules(status RuleStatus) []string { } type ValidationFailureActionOverride struct { - Action string `json:"action"` - Namespaces []string `json:"namespaces"` + Action kyverno.ValidationFailureAction `json:"action"` + Namespaces []string `json:"namespaces"` } diff --git a/pkg/metrics/parsers.go b/pkg/metrics/parsers.go index ed4dc904b5..5b1f95a26e 100644 --- a/pkg/metrics/parsers.go +++ b/pkg/metrics/parsers.go 
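Review bot: `response.ValidationFailureActionOverride` is exported but has no doc comment, and after this hunk it mirrors `kyverno.ValidationFailureActionOverride` field for field (`Action kyverno.ValidationFailureAction`, `Namespaces []string`), differing only in the json tags lacking `omitempty`. Suggest `// ValidationFailureActionOverride is the engine-response copy of kyverno.ValidationFailureActionOverride: Action is the failure action applied to resources in Namespaces.` so the relationship is explicit. If nothing serializes the engine response through these tags, a type alias to the API type would remove the duplicate outright; I cannot tell from this hunk whether that holds, so this is a suggestion to check rather than a definite change.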
@@ -7,11 +7,11 @@ import ( kyverno "github.com/kyverno/kyverno/api/kyverno/v1" ) -func ParsePolicyValidationMode(validationFailureAction string) (PolicyValidationMode, error) { +func ParsePolicyValidationMode(validationFailureAction kyverno.ValidationFailureAction) (PolicyValidationMode, error) { switch validationFailureAction { - case "enforce": + case kyverno.Enforce: return Enforce, nil - case "audit": + case kyverno.Audit: return Audit, nil default: return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, "enforce", "audit") diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go index 561bd51145..c6ccde8242 100644 --- a/pkg/policycache/cache.go +++ b/pkg/policycache/cache.go @@ -104,9 +104,9 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) { m.Lock() defer m.Unlock() - enforcePolicy := policy.Spec.ValidationFailureAction == common.Enforce + enforcePolicy := policy.Spec.ValidationFailureAction == kyverno.Enforce for _, k := range policy.Spec.ValidationFailureActionOverrides { - if k.Action == common.Enforce { + if k.Action == kyverno.Enforce { enforcePolicy = true break } diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go index 17af444c17..1b9d47988d 100644 --- a/pkg/policymutation/policymutation.go +++ b/pkg/policymutation/policymutation.go @@ -182,7 +182,7 @@ func defaultBackgroundFlag(spec *kyverno.Spec, log logr.Logger) ([]byte, string) func defaultvalidationFailureAction(spec *kyverno.Spec, log logr.Logger) ([]byte, string) { // set ValidationFailureAction to "audit" if not specified - Audit := common.Audit + Audit := kyverno.Audit if spec.ValidationFailureAction == "" { log.V(4).Info("setting default value", "spec.validationFailureAction", Audit) 
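Review bot: The default branch's error message still hardcodes the literals `"enforce"` and `"audit"` although the cases above it were switched to `kyverno.Enforce` and `kyverno.Audit`, so the allowed-values text can drift from the constants it is meant to describe. Change the last line of the hunk to `return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, kyverno.Enforce, kyverno.Audit)`. A doc comment on the exported function would also help, e.g. `// ParsePolicyValidationMode maps a policy's ValidationFailureAction to the metrics PolicyValidationMode; any value other than enforce or audit is an error.`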
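Review bot: The local `Audit := kyverno.Audit` keeps a capitalized local that reads like the package constant it copies, which is now more confusing than before because `kyverno.Audit` is itself a typed constant one qualifier away. Using `kyverno.Audit` directly in the log call and the patch value (and dropping the local) reads more plainly; the body of `defaultvalidationFailureAction` continues past the end of this hunk, so the patch-literal site is in the next hunk. The comment `// set ValidationFailureAction to "audit" if not specified` is accurate and worth keeping.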
@@ -193,7 +193,7 @@ func defaultvalidationFailureAction(spec *kyverno.Spec, log logr.Logger) ([]byte }{ "/spec/validationFailureAction", "add", - Audit, + string(Audit), } patchByte, err := json.Marshal(jsonPatch) diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go index 2b7793d085..99bb7589eb 100644 --- a/pkg/webhooks/common.go +++ b/pkg/webhooks/common.go @@ -6,7 +6,6 @@ import ( "github.com/go-logr/logr" kyverno "github.com/kyverno/kyverno/api/kyverno/v1" - "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/engine/response" engineutils "github.com/kyverno/kyverno/pkg/engine/utils" "github.com/minio/pkg/wildcard" @@ -27,12 +26,12 @@ func isResponseSuccessful(engineReponses []*response.EngineResponse) bool { } func checkEngineResponse(er *response.EngineResponse) bool { - nsAction := "" + var nsAction kyverno.ValidationFailureAction actionOverride := false for _, v := range er.PolicyResponse.ValidationFailureActionOverrides { action := v.Action - if action != common.Enforce && action != common.Audit { + if action != kyverno.Enforce && action != kyverno.Audit { continue } @@ -49,7 +48,7 @@ func checkEngineResponse(er *response.EngineResponse) bool { } } - return !er.IsSuccessful() && ((actionOverride && nsAction == common.Enforce) || (!actionOverride && er.PolicyResponse.ValidationFailureAction == common.Enforce)) + return !er.IsSuccessful() && ((actionOverride && nsAction == kyverno.Enforce) || (!actionOverride && er.PolicyResponse.ValidationFailureAction == kyverno.Enforce)) } // returns true -> if there is even one policy that blocks resource request
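Review bot: In `checkEngineResponse` the guard `if action != kyverno.Enforce && action != kyverno.Audit { continue }` silently drops an override whose action is unrecognized, so the decision falls back to the policy-level action; if that override was meant to be `enforce`, the fallback is fail-open for that namespace. The CRD enum should make such a value unreachable through the API server, so this is defense-in-depth, but it is worth a comment such as `// Overrides with an unknown action are ignored; the policy-level action then applies (values are constrained by the CRD enum).` and, ideally, a log line at the `continue` so a skipped override is visible. This validity check is now the second copy of the enforce/audit test alongside `ParsePolicyValidationMode` in pkg/metrics; a single method on `kyverno.ValidationFailureAction` would keep the two in step. The middle of the function (the namespace matching that sets `nsAction` and `actionOverride`) lies between the two hunks and is not visible here.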