package webhooks import ( "fmt" jsonpatch "github.com/evanphx/json-patch" "github.com/golang/glog" "github.com/nirmata/kyverno/pkg/annotations" engine "github.com/nirmata/kyverno/pkg/engine" "github.com/nirmata/kyverno/pkg/info" v1beta1 "k8s.io/api/admission/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" ) // HandleMutation handles mutating webhook admission request func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { policies, err := ws.policyLister.List(labels.NewSelector()) if err != nil { // Unable to connect to policy Lister to access policies glog.Error("Unable to connect to policy controller to access policies. Mutation Rules are NOT being applied") glog.Warning(err) return &v1beta1.AdmissionResponse{ Allowed: true, } } var allPatches [][]byte var annPatches []byte policyInfos := []*info.PolicyInfo{} for _, policy := range policies { // check if policy has a rule for the admission request kind if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) { continue } rname := engine.ParseNameFromObject(request.Object.Raw) rns := engine.ParseNamespaceFromObject(request.Object.Raw) rkind := engine.ParseKindFromObject(request.Object.Raw) policyInfo := info.NewPolicyInfo(policy.Name, rkind, rname, rns, policy.Spec.ValidationFailureAction) glog.V(3).Infof("Handling mutation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s", request.Kind.Kind, rns, rname, request.UID, request.Operation) glog.Infof("Applying policy %s with %d rules\n", policy.ObjectMeta.Name, len(policy.Spec.Rules)) policyPatches, ruleInfos := engine.Mutate(*policy, request.Object.Raw, request.Kind) policyInfo.AddRuleInfos(ruleInfos) if !policyInfo.IsSuccessful() { glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns) for _, r := range ruleInfos { glog.Warning(r.Msgs) } } else { // CleanUp Violations if exists err := ws.violationBuilder.RemoveInactiveViolation(policy.Name, request.Kind.Kind, rns, rname, info.Mutation) if err != nil { glog.Info(err) } if len(policyPatches) > 0 { allPatches = append(allPatches, policyPatches...) glog.Infof("Mutation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, rname, rns) } } policyInfos = append(policyInfos, policyInfo) annPatch := addAnnotationsToResource(request.Object.Raw, policyInfo, info.Mutation) if annPatch != nil { if annPatches == nil { annPatches = annPatch } else { annPatches, err = jsonpatch.MergePatch(annPatches, annPatch) if err != nil { fmt.Println("Mergining docs") fmt.Println(err) } } } } if len(allPatches) > 0 { eventsInfo, _ := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), false) ws.eventController.Add(eventsInfo...) } ok, msg := isAdmSuccesful(policyInfos) if ok { patches := engine.JoinPatches(allPatches) if len(annPatches) > 0 { patches, err = jsonpatch.MergePatch(patches, annPatches) if err != nil { fmt.Println(err) } } patchType := v1beta1.PatchTypeJSONPatch return &v1beta1.AdmissionResponse{ Allowed: true, Patch: patches, PatchType: &patchType, } } return &v1beta1.AdmissionResponse{ Allowed: false, Result: &metav1.Status{ Message: msg, }, } } func addAnnotationsToResource(rawResource []byte, pi *info.PolicyInfo, ruleType info.RuleType) []byte { // get annotations ann := annotations.ParseAnnotationsFromObject(rawResource) patch, err := annotations.AddPolicyJSONPatch(ann, pi, ruleType) if err != nil { fmt.Println(err) return nil } return patch }