mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
2e39e27102
* rename package: d4f --> breaker Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rename package: d4f --> breaker Signed-off-by: Jim Bugwadia <jim@nirmata.com> --------- Signed-off-by: Jim Bugwadia <jim@nirmata.com>
194 lines
6.2 KiB
Go
194 lines
6.2 KiB
Go
package imageverification
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
|
|
"github.com/go-logr/logr"
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
"github.com/kyverno/kyverno/pkg/breaker"
|
|
"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
|
"github.com/kyverno/kyverno/pkg/config"
|
|
"github.com/kyverno/kyverno/pkg/engine"
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
|
"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
|
|
"github.com/kyverno/kyverno/pkg/event"
|
|
"github.com/kyverno/kyverno/pkg/tracing"
|
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
|
engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
|
|
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
|
|
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
|
|
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
|
|
"go.opentelemetry.io/otel/trace"
|
|
"gomodules.xyz/jsonpatch/v2"
|
|
admissionv1 "k8s.io/api/admission/v1"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
corev1listers "k8s.io/client-go/listers/core/v1"
|
|
)
|
|
|
|
type ImageVerificationHandler interface {
|
|
Handle(context.Context, admissionv1.AdmissionRequest, []kyvernov1.PolicyInterface, *engine.PolicyContext) ([]byte, []string, error)
|
|
}
|
|
|
|
type imageVerificationHandler struct {
|
|
kyvernoClient versioned.Interface
|
|
engine engineapi.Engine
|
|
log logr.Logger
|
|
eventGen event.Interface
|
|
admissionReports bool
|
|
cfg config.Configuration
|
|
nsLister corev1listers.NamespaceLister
|
|
reportsBreaker breaker.Breaker
|
|
}
|
|
|
|
func NewImageVerificationHandler(
|
|
log logr.Logger,
|
|
kyvernoClient versioned.Interface,
|
|
engine engineapi.Engine,
|
|
eventGen event.Interface,
|
|
admissionReports bool,
|
|
cfg config.Configuration,
|
|
nsLister corev1listers.NamespaceLister,
|
|
reportsBreaker breaker.Breaker,
|
|
) ImageVerificationHandler {
|
|
return &imageVerificationHandler{
|
|
kyvernoClient: kyvernoClient,
|
|
engine: engine,
|
|
log: log,
|
|
eventGen: eventGen,
|
|
admissionReports: admissionReports,
|
|
cfg: cfg,
|
|
nsLister: nsLister,
|
|
reportsBreaker: reportsBreaker,
|
|
}
|
|
}
|
|
|
|
func (h *imageVerificationHandler) Handle(
|
|
ctx context.Context,
|
|
request admissionv1.AdmissionRequest,
|
|
policies []kyvernov1.PolicyInterface,
|
|
policyContext *engine.PolicyContext,
|
|
) ([]byte, []string, error) {
|
|
ok, message, imagePatches, warnings := h.handleVerifyImages(ctx, h.log, request, policyContext, policies)
|
|
if !ok {
|
|
return nil, nil, errors.New(message)
|
|
}
|
|
h.log.V(6).Info("images verified", "patches", string(imagePatches), "warnings", warnings)
|
|
return imagePatches, warnings, nil
|
|
}
|
|
|
|
func (h *imageVerificationHandler) handleVerifyImages(
|
|
ctx context.Context,
|
|
logger logr.Logger,
|
|
request admissionv1.AdmissionRequest,
|
|
policyContext *engine.PolicyContext,
|
|
policies []kyvernov1.PolicyInterface,
|
|
) (bool, string, []byte, []string) {
|
|
if len(policies) == 0 {
|
|
return true, "", nil, nil
|
|
}
|
|
var engineResponses []engineapi.EngineResponse
|
|
var patches []jsonpatch.JsonPatchOperation
|
|
verifiedImageData := engineapi.ImageVerificationMetadata{}
|
|
failurePolicy := kyvernov1.Ignore
|
|
|
|
for _, policy := range policies {
|
|
tracing.ChildSpan(
|
|
ctx,
|
|
"",
|
|
fmt.Sprintf("POLICY %s/%s", policy.GetNamespace(), policy.GetName()),
|
|
func(ctx context.Context, span trace.Span) {
|
|
if policy.GetSpec().GetFailurePolicy(ctx) == kyvernov1.Fail {
|
|
failurePolicy = kyvernov1.Fail
|
|
}
|
|
|
|
policyContext := policyContext.WithPolicy(policy)
|
|
if request.Kind.Kind != "Namespace" && request.Namespace != "" {
|
|
policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log))
|
|
}
|
|
|
|
resp, ivm := h.engine.VerifyAndPatchImages(ctx, policyContext)
|
|
if !resp.IsEmpty() {
|
|
engineResponses = append(engineResponses, resp)
|
|
}
|
|
|
|
patches = append(patches, resp.GetPatches()...)
|
|
verifiedImageData.Merge(ivm)
|
|
},
|
|
)
|
|
}
|
|
|
|
blocked := webhookutils.BlockRequest(engineResponses, failurePolicy, logger)
|
|
events := webhookutils.GenerateEvents(engineResponses, blocked)
|
|
h.eventGen.Add(events...)
|
|
|
|
if blocked {
|
|
logger.V(4).Info("admission request blocked")
|
|
return false, webhookutils.GetBlockedMessages(engineResponses), nil, nil
|
|
}
|
|
|
|
if !verifiedImageData.IsEmpty() {
|
|
hasAnnotations := hasAnnotations(policyContext)
|
|
annotationPatches, err := verifiedImageData.Patches(hasAnnotations, logger)
|
|
if err != nil {
|
|
logger.Error(err, "failed to create image verification annotation patches")
|
|
} else {
|
|
// add annotation patches first
|
|
patches = append(annotationPatches, patches...)
|
|
}
|
|
}
|
|
|
|
go h.handleAudit(ctx, policyContext.NewResource(), request, nil, engineResponses...)
|
|
|
|
warnings := webhookutils.GetWarningMessages(engineResponses)
|
|
return true, "", jsonutils.JoinPatches(patch.ConvertPatches(patches...)...), warnings
|
|
}
|
|
|
|
func hasAnnotations(context *engine.PolicyContext) bool {
|
|
newResource := context.NewResource()
|
|
annotations := newResource.GetAnnotations()
|
|
return len(annotations) != 0
|
|
}
|
|
|
|
func (v *imageVerificationHandler) handleAudit(
|
|
ctx context.Context,
|
|
resource unstructured.Unstructured,
|
|
request admissionv1.AdmissionRequest,
|
|
_ map[string]string,
|
|
engineResponses ...engineapi.EngineResponse,
|
|
) {
|
|
createReport := v.admissionReports
|
|
if admissionutils.IsDryRun(request) {
|
|
createReport = false
|
|
}
|
|
// we don't need reports for deletions and when it's about sub resources
|
|
if request.Operation == admissionv1.Delete || request.SubResource != "" {
|
|
createReport = false
|
|
}
|
|
// check if the resource supports reporting
|
|
if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind)) {
|
|
createReport = false
|
|
}
|
|
tracing.Span(
|
|
context.Background(),
|
|
"",
|
|
fmt.Sprintf("AUDIT %s %s", request.Operation, request.Kind),
|
|
func(ctx context.Context, span trace.Span) {
|
|
if createReport {
|
|
report := reportutils.BuildAdmissionReport(resource, request, engineResponses...)
|
|
if len(report.GetResults()) > 0 {
|
|
err := v.reportsBreaker.Do(ctx, func(ctx context.Context) error {
|
|
_, err := reportutils.CreateReport(context.Background(), report, v.kyvernoClient)
|
|
return err
|
|
})
|
|
if err != nil {
|
|
v.log.Error(err, "failed to create report")
|
|
}
|
|
}
|
|
}
|
|
},
|
|
trace.WithLinks(trace.LinkFromContext(ctx)),
|
|
)
|
|
}
|