mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 17:37:12 +00:00
2a656f6de0
* feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix missing policy.kyverno.io/policy-name label (#3599) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor cli code from pkg to cmd (#3591) * refactor cli code from pkg to cmd Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes in imports Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes tests Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixed conflicts Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * moved non-commands to utils Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * add-kms-libraries for cosign (#3603) * add-kms-libraries Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * Shifted providers to cosign package Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add support for custom image extractors (#3596) Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Update vulnerable dependencies (#3577) Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * updating version in Chart.yaml (#3618) * updatimg version in Chart.yaml Signed-off-by: Prateeknandle <prateeknandle@gmail.com> * changes from, make gen-helm Signed-off-by: Prateeknandle <prateeknandle@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Allow kyverno-policies to have preconditions defined (#3606) * Allow kyverno-policies to have preconditions defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix docs Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Image verify attestors (#3614) * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * support multiple attestors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rm CLI tests (not currently supported) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * apply attestor repo Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix entryError assignment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add intermediary certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Allow defining imagePullSecrets (#3633) * Allow defining imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use dict for imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Simplify how imagePullSecrets is defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Fix race condition in pCache (#3632) * fix race condition in pCache Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact: remove unused Run function from generate (#3638) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * Remove helm mode setting (#3628) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * refactor: image utils (#3630) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * -resolve lift comments; -fix informer sync issue Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact the update request cleanup controller Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - fix delete request for mutateExisting; - fix context variable substitution; - improve logging Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable events; - add last applied annotation Signed-off-by: ShutingZhao <shuting@nirmata.com> * enable mutate existing on policy creation Signed-off-by: ShutingZhao <shuting@nirmata.com> * update autogen code Signed-off-by: ShutingZhao <shuting@nirmata.com> * merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> * add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * address list comments Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix "Implicit memory aliasing in for loop" Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove unused definitions Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com> Co-authored-by: treydock <tdockendorf@osc.edu> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
259 lines
9.5 KiB
Go
259 lines
9.5 KiB
Go
package webhooks
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"reflect"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
|
"github.com/kyverno/kyverno/pkg/common"
|
|
"github.com/kyverno/kyverno/pkg/engine"
|
|
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
|
policyvalidate "github.com/kyverno/kyverno/pkg/policy"
|
|
"github.com/kyverno/kyverno/pkg/policycache"
|
|
"github.com/kyverno/kyverno/pkg/policymutation"
|
|
"github.com/kyverno/kyverno/pkg/userinfo"
|
|
"github.com/kyverno/kyverno/pkg/utils"
|
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
|
"github.com/kyverno/kyverno/pkg/webhooks/handlers"
|
|
admissionv1 "k8s.io/api/admission/v1"
|
|
)
|
|
|
|
// TODO: use admission review sub resource ?
|
|
func isStatusUpdate(old, new kyverno.PolicyInterface) bool {
|
|
if !reflect.DeepEqual(old.GetAnnotations(), new.GetAnnotations()) {
|
|
return false
|
|
}
|
|
if !reflect.DeepEqual(old.GetLabels(), new.GetLabels()) {
|
|
return false
|
|
}
|
|
if !reflect.DeepEqual(old.GetSpec(), new.GetSpec()) {
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
func errorResponse(logger logr.Logger, err error, message string) *admissionv1.AdmissionResponse {
|
|
logger.Error(err, message)
|
|
return admissionutils.ResponseFailure(false, message+": "+err.Error())
|
|
}
|
|
|
|
func setupLogger(logger logr.Logger, name string, request *admissionv1.AdmissionRequest) logr.Logger {
|
|
return logger.WithName("MutateWebhook").WithValues(
|
|
"uid", request.UID,
|
|
"kind", request.Kind,
|
|
"namespace", request.Namespace,
|
|
"name", request.Name,
|
|
"operation", request.Operation,
|
|
"gvk", request.Kind.String(),
|
|
)
|
|
}
|
|
|
|
func (ws *WebhookServer) admissionHandler(filter bool, inner handlers.AdmissionHandler) http.HandlerFunc {
|
|
if filter {
|
|
inner = handlers.Filter(ws.configHandler, inner)
|
|
}
|
|
return handlers.Monitor(ws.webhookMonitor, handlers.Admission(ws.log.WithName("handlerFunc"), inner))
|
|
}
|
|
|
|
func (ws *WebhookServer) policyMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
|
logger := setupLogger(ws.log, "policy mutation", request)
|
|
|
|
policy, oldPolicy, err := admissionutils.GetPolicies(request)
|
|
if err != nil {
|
|
logger.Error(err, "failed to unmarshal policies from admission request")
|
|
return admissionutils.ResponseWithMessage(true, fmt.Sprintf("failed to default value, check kyverno controller logs for details: %v", err))
|
|
}
|
|
|
|
if oldPolicy != nil && isStatusUpdate(oldPolicy, policy) {
|
|
logger.V(4).Info("skip policy mutation on status update")
|
|
return admissionutils.Response(true)
|
|
}
|
|
|
|
startTime := time.Now()
|
|
logger.V(3).Info("start policy change mutation")
|
|
defer logger.V(3).Info("finished policy change mutation", "time", time.Since(startTime).String())
|
|
|
|
// Generate JSON Patches for defaults
|
|
if patches, updateMsgs := policymutation.GenerateJSONPatchesForDefaults(policy, logger); len(patches) != 0 {
|
|
return admissionutils.ResponseWithMessageAndPatch(true, strings.Join(updateMsgs, "'"), patches)
|
|
}
|
|
|
|
return admissionutils.Response(true)
|
|
}
|
|
|
|
//policyValidation performs the validation check on policy resource
|
|
func (ws *WebhookServer) policyValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
|
logger := setupLogger(ws.log, "policy validation", request)
|
|
policy, oldPolicy, err := admissionutils.GetPolicies(request)
|
|
if err != nil {
|
|
logger.Error(err, "failed to unmarshal policies from admission request")
|
|
return admissionutils.ResponseWithMessage(true, fmt.Sprintf("failed to validate policy, check kyverno controller logs for details: %v", err))
|
|
}
|
|
|
|
if oldPolicy != nil && isStatusUpdate(oldPolicy, policy) {
|
|
logger.V(4).Info("skip policy validation on status update")
|
|
return admissionutils.Response(true)
|
|
}
|
|
|
|
startTime := time.Now()
|
|
logger.V(3).Info("start policy change validation")
|
|
defer logger.V(3).Info("finished policy change validation", "time", time.Since(startTime).String())
|
|
|
|
response, err := policyvalidate.Validate(policy, ws.client, false, ws.openAPIController)
|
|
if err != nil {
|
|
logger.Error(err, "policy validation errors")
|
|
return admissionutils.ResponseWithMessage(true, err.Error())
|
|
}
|
|
|
|
if response != nil && len(response.Warnings) != 0 {
|
|
return response
|
|
}
|
|
|
|
return admissionutils.Response(true)
|
|
}
|
|
|
|
// resourceMutation mutates resource
|
|
func (ws *WebhookServer) resourceMutation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
|
logger := setupLogger(ws.log, "resource mutation", request)
|
|
if excludeKyvernoResources(request.Kind.Kind) {
|
|
return admissionutils.ResponseSuccess(true, "")
|
|
}
|
|
|
|
if request.Operation == admissionv1.Delete {
|
|
resource, err := utils.ConvertResource(request.OldObject.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
|
|
if err == nil {
|
|
ws.prGenerator.Add(buildDeletionPrInfo(resource))
|
|
} else {
|
|
logger.Info(fmt.Sprintf("Converting oldObject failed: %v", err))
|
|
}
|
|
return admissionutils.ResponseSuccess(true, "")
|
|
|
|
}
|
|
|
|
logger.V(4).Info("received an admission request in mutating webhook")
|
|
|
|
requestTime := time.Now().Unix()
|
|
mutatePolicies := ws.pCache.GetPolicies(policycache.Mutate, request.Kind.Kind, request.Namespace)
|
|
verifyImagesPolicies := ws.pCache.GetPolicies(policycache.VerifyImages, request.Kind.Kind, request.Namespace)
|
|
|
|
if len(mutatePolicies) == 0 && len(verifyImagesPolicies) == 0 {
|
|
logger.V(4).Info("no policies matched admission request")
|
|
return admissionutils.ResponseSuccess(true, "")
|
|
}
|
|
|
|
addRoles := containsRBACInfo(mutatePolicies)
|
|
policyContext, err := ws.buildPolicyContext(request, addRoles)
|
|
if err != nil {
|
|
logger.Error(err, "failed to build policy context")
|
|
return admissionutils.ResponseFailure(false, err.Error())
|
|
}
|
|
|
|
// update container images to a canonical form
|
|
if err := enginectx.MutateResourceWithImageInfo(request.Object.Raw, policyContext.JSONContext); err != nil {
|
|
ws.log.Error(err, "failed to patch images info to resource, policies that mutate images may be impacted")
|
|
}
|
|
|
|
mutatePatches := ws.applyMutatePolicies(request, policyContext, mutatePolicies, requestTime, logger)
|
|
newRequest := patchRequest(mutatePatches, request, logger)
|
|
imagePatches, err := ws.applyImageVerifyPolicies(newRequest, policyContext, verifyImagesPolicies, logger)
|
|
if err != nil {
|
|
logger.Error(err, "image verification failed")
|
|
return admissionutils.ResponseFailure(false, err.Error())
|
|
}
|
|
|
|
var patches = append(mutatePatches, imagePatches...)
|
|
|
|
return admissionutils.ResponseSuccessWithPatch(true, "", patches)
|
|
}
|
|
|
|
func (ws *WebhookServer) resourceValidation(request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
|
|
logger := setupLogger(ws.log, "resource validation", request)
|
|
if request.Operation == admissionv1.Delete {
|
|
ws.handleDelete(request)
|
|
}
|
|
|
|
if excludeKyvernoResources(request.Kind.Kind) {
|
|
return admissionutils.ResponseSuccess(true, "")
|
|
}
|
|
|
|
logger.V(6).Info("received an admission request in validating webhook")
|
|
|
|
// timestamp at which this admission request got triggered
|
|
requestTime := time.Now().Unix()
|
|
policies := ws.pCache.GetPolicies(policycache.ValidateEnforce, request.Kind.Kind, request.Namespace)
|
|
mutatePolicies := ws.pCache.GetPolicies(policycache.Mutate, request.Kind.Kind, request.Namespace)
|
|
generatePolicies := ws.pCache.GetPolicies(policycache.Generate, request.Kind.Kind, request.Namespace)
|
|
if len(generatePolicies) == 0 && request.Operation == admissionv1.Update {
|
|
// handle generate source resource updates
|
|
go ws.handleUpdatesForGenerateRules(request, []kyverno.PolicyInterface{})
|
|
}
|
|
|
|
var roles, clusterRoles []string
|
|
if containsRBACInfo(policies, generatePolicies) {
|
|
var err error
|
|
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
|
|
if err != nil {
|
|
return errorResponse(logger, err, "failed to fetch RBAC data")
|
|
}
|
|
}
|
|
|
|
userRequestInfo := urkyverno.RequestInfo{
|
|
Roles: roles,
|
|
ClusterRoles: clusterRoles,
|
|
AdmissionUserInfo: *request.UserInfo.DeepCopy(),
|
|
}
|
|
|
|
ctx, err := newVariablesContext(request, &userRequestInfo)
|
|
if err != nil {
|
|
return errorResponse(logger, err, "failed create policy rule context")
|
|
}
|
|
|
|
namespaceLabels := make(map[string]string)
|
|
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
|
namespaceLabels = common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, ws.nsLister, logger)
|
|
}
|
|
|
|
newResource, oldResource, err := utils.ExtractResources(nil, request)
|
|
if err != nil {
|
|
return errorResponse(logger, err, "failed create parse resource")
|
|
}
|
|
|
|
if err := ctx.AddImageInfos(&newResource); err != nil {
|
|
return errorResponse(logger, err, "failed add image information to policy rule context")
|
|
}
|
|
|
|
policyContext := &engine.PolicyContext{
|
|
NewResource: newResource,
|
|
OldResource: oldResource,
|
|
AdmissionInfo: userRequestInfo,
|
|
ExcludeGroupRole: ws.configHandler.GetExcludeGroupRole(),
|
|
ExcludeResourceFunc: ws.configHandler.ToFilter,
|
|
JSONContext: ctx,
|
|
Client: ws.client,
|
|
AdmissionOperation: true,
|
|
}
|
|
|
|
vh := &validationHandler{
|
|
log: ws.log,
|
|
eventGen: ws.eventGen,
|
|
prGenerator: ws.prGenerator,
|
|
}
|
|
|
|
ok, msg := vh.handleValidation(ws.promConfig, request, policies, policyContext, namespaceLabels, requestTime)
|
|
if !ok {
|
|
logger.Info("admission request denied")
|
|
return admissionutils.ResponseFailure(false, msg)
|
|
}
|
|
|
|
// push admission request to audit handler, this won't block the admission request
|
|
ws.auditHandler.Add(request.DeepCopy())
|
|
|
|
go ws.createUpdateRequests(request, policyContext, generatePolicies, mutatePolicies, requestTime, logger)
|
|
|
|
return admissionutils.ResponseSuccess(true, "")
|
|
}
|