mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
117 lines
4.1 KiB
Go
117 lines
4.1 KiB
Go
package webhooks
|
|
|
|
import (
|
|
"github.com/golang/glog"
|
|
engine "github.com/nirmata/kyverno/pkg/engine"
|
|
"github.com/nirmata/kyverno/pkg/info"
|
|
v1beta1 "k8s.io/api/admission/v1beta1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/labels"
|
|
)
|
|
|
|
// HandleValidation handles validating webhook admission request
|
|
// If there are no errors in validating rule we apply generation rules
|
|
func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, rawResource []byte) *v1beta1.AdmissionResponse {
|
|
|
|
glog.V(4).Infof("Receive request in validating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
|
request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
|
|
|
|
policyInfos := []*info.PolicyInfo{}
|
|
policies, err := ws.policyLister.List(labels.NewSelector())
|
|
if err != nil {
|
|
// Unable to connect to policy Lister to access policies
|
|
glog.Error("Unable to connect to policy controller to access policies. Validation Rules are NOT being applied")
|
|
glog.Warning(err)
|
|
return &v1beta1.AdmissionResponse{
|
|
Allowed: true,
|
|
}
|
|
}
|
|
|
|
rname := engine.ParseNameFromObject(rawResource)
|
|
rns := engine.ParseNamespaceFromObject(rawResource)
|
|
rkind := request.Kind.Kind
|
|
if rkind == "" {
|
|
glog.Errorf("failed to parse KIND from request: Namespace=%s Name=%s UID=%s patchOperation=%s\n", request.Namespace, request.Name, request.UID, request.Operation)
|
|
}
|
|
|
|
for _, policy := range policies {
|
|
|
|
if !StringInSlice(request.Kind.Kind, getApplicableKindsForPolicy(policy)) {
|
|
continue
|
|
}
|
|
//TODO: HACK Check if an update of annotations
|
|
// if checkIfOnlyAnnotationsUpdate(request) {
|
|
// // allow the update of resource to add annotations
|
|
// return &v1beta1.AdmissionResponse{
|
|
// Allowed: true,
|
|
// }
|
|
// }
|
|
|
|
policyInfo := info.NewPolicyInfo(policy.Name,
|
|
rkind,
|
|
rname,
|
|
rns,
|
|
policy.Spec.ValidationFailureAction)
|
|
|
|
glog.V(3).Infof("Handling validation for Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
|
|
request.Kind.Kind, rns, rname, request.UID, request.Operation)
|
|
|
|
glog.Infof("Validating resource %s/%s/%s with policy %s with %d rules", rkind, rns, rname, policy.ObjectMeta.Name, len(policy.Spec.Rules))
|
|
engineResponse := engine.Validate(*policy, rawResource, request.Kind)
|
|
if engineResponse == nil {
|
|
glog.Errorln("Failed to process validate rule, error parsing rawResource")
|
|
continue
|
|
}
|
|
policyInfo.AddRuleInfos(engineResponse.RuleInfos)
|
|
|
|
if !policyInfo.IsSuccessful() {
|
|
glog.Infof("Failed to apply policy %s on resource %s/%s", policy.Name, rname, rns)
|
|
for _, r := range engineResponse.RuleInfos {
|
|
glog.Warningf("%s: %s\n", r.Name, r.Msgs)
|
|
}
|
|
} else {
|
|
// CleanUp Violations if exists
|
|
err := ws.violationBuilder.RemoveInactiveViolation(policy.Name, request.Kind.Kind, rns, rname, info.Validation)
|
|
if err != nil {
|
|
glog.Info(err)
|
|
}
|
|
|
|
if len(engineResponse.RuleInfos) > 0 {
|
|
glog.Infof("Validation from policy %s has applied succesfully to %s %s/%s", policy.Name, request.Kind.Kind, rname, rns)
|
|
}
|
|
}
|
|
policyInfos = append(policyInfos, policyInfo)
|
|
// // annotations
|
|
// annPatch := addAnnotationsToResource(request.Object.Raw, policyInfo, info.Validation)
|
|
// if annPatch != nil {
|
|
// ws.annotationsController.Add(rkind, rns, rname, annPatch)
|
|
// }
|
|
}
|
|
|
|
if len(policyInfos) > 0 && len(policyInfos[0].Rules) != 0 {
|
|
eventsInfo, violations := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update), info.Validation)
|
|
// If the validationFailureAction flag is set "audit",
|
|
// then we dont block the request and report the violations
|
|
ws.violationBuilder.Add(violations...)
|
|
ws.eventController.Add(eventsInfo...)
|
|
}
|
|
// If Validation fails then reject the request
|
|
ok, msg := isAdmSuccesful(policyInfos)
|
|
// violations are created if "audit" flag is set
|
|
// and if there are any then we dont block the resource creation
|
|
// Even if one the policy being applied
|
|
|
|
if !ok && toBlock(policyInfos) {
|
|
return &v1beta1.AdmissionResponse{
|
|
Allowed: false,
|
|
Result: &metav1.Status{
|
|
Message: msg,
|
|
},
|
|
}
|
|
}
|
|
|
|
return &v1beta1.AdmissionResponse{
|
|
Allowed: true,
|
|
}
|
|
// Generation rules applied via generation controller
|
|
}
|