mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
2a656f6de0
* feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix missing policy.kyverno.io/policy-name label (#3599) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor cli code from pkg to cmd (#3591) * refactor cli code from pkg to cmd Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes in imports Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes tests Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixed conflicts Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * moved non-commands to utils Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * add-kms-libraries for cosign (#3603) * add-kms-libraries Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * Shifted providers to cosign package Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add support for custom image extractors (#3596) Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Update vulnerable dependencies (#3577) Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * updating version in Chart.yaml (#3618) * updatimg version in Chart.yaml Signed-off-by: Prateeknandle <prateeknandle@gmail.com> * changes from, make gen-helm Signed-off-by: Prateeknandle <prateeknandle@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Allow kyverno-policies to have preconditions defined (#3606) * Allow kyverno-policies to have preconditions defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix docs Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Image verify attestors (#3614) * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * support multiple attestors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rm CLI tests (not currently supported) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * apply attestor repo Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix entryError assignment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add intermediary certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Allow defining imagePullSecrets (#3633) * Allow defining imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use dict for imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Simplify how imagePullSecrets is defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Fix race condition in pCache (#3632) * fix race condition in pCache Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact: remove unused Run function from generate (#3638) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * Remove helm mode setting (#3628) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * refactor: image utils (#3630) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * -resolve lift comments; -fix informer sync issue Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact the update request cleanup controller Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - fix delete request for mutateExisting; - fix context variable substitution; - improve logging Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable events; - add last applied annotation Signed-off-by: ShutingZhao <shuting@nirmata.com> * enable mutate existing on policy creation Signed-off-by: ShutingZhao <shuting@nirmata.com> * update autogen code Signed-off-by: ShutingZhao <shuting@nirmata.com> * merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> * add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * address list comments Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix "Implicit memory aliasing in for loop" Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove unused definitions Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com> Co-authored-by: treydock <tdockendorf@osc.edu> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
506 lines
16 KiB
Go
506 lines
16 KiB
Go
package engine
|
|
|
|
import (
|
|
"fmt"
|
|
"reflect"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
wildcard "github.com/kyverno/go-wildcard"
|
|
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
|
"github.com/kyverno/kyverno/pkg/engine/common"
|
|
"github.com/kyverno/kyverno/pkg/engine/context"
|
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
|
"github.com/kyverno/kyverno/pkg/engine/variables"
|
|
"github.com/kyverno/kyverno/pkg/engine/wildcards"
|
|
"github.com/kyverno/kyverno/pkg/utils"
|
|
"github.com/pkg/errors"
|
|
authenticationv1 "k8s.io/api/authentication/v1"
|
|
rbacv1 "k8s.io/api/rbac/v1"
|
|
"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
"k8s.io/apimachinery/pkg/labels"
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
|
)
|
|
|
|
//EngineStats stores in the statistics for a single application of resource
|
|
type EngineStats struct {
|
|
// average time required to process the policy rules on a resource
|
|
ExecutionTime time.Duration
|
|
// Count of rules that were applied successfully
|
|
RulesAppliedCount int
|
|
}
|
|
|
|
func checkKind(kinds []string, resource unstructured.Unstructured) bool {
|
|
for _, kind := range kinds {
|
|
SplitGVK := strings.Split(kind, "/")
|
|
if len(SplitGVK) == 1 {
|
|
if resource.GetKind() == strings.Title(kind) || kind == "*" {
|
|
return true
|
|
}
|
|
} else if len(SplitGVK) == 2 {
|
|
if resource.GroupVersionKind().Kind == strings.Title(SplitGVK[1]) && resource.GroupVersionKind().Version == SplitGVK[0] {
|
|
return true
|
|
}
|
|
} else {
|
|
if resource.GroupVersionKind().Group == SplitGVK[0] && resource.GroupVersionKind().Kind == strings.Title(SplitGVK[2]) && (resource.GroupVersionKind().Version == SplitGVK[1] || SplitGVK[1] == "*") {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func checkName(name, resourceName string) bool {
|
|
return wildcard.Match(name, resourceName)
|
|
}
|
|
|
|
func checkNameSpace(namespaces []string, resource unstructured.Unstructured) bool {
|
|
resourceNameSpace := resource.GetNamespace()
|
|
if resource.GetKind() == "Namespace" {
|
|
resourceNameSpace = resource.GetName()
|
|
}
|
|
|
|
for _, namespace := range namespaces {
|
|
if wildcard.Match(namespace, resourceNameSpace) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func checkAnnotations(annotations map[string]string, resourceAnnotations map[string]string) bool {
|
|
if len(annotations) == 0 {
|
|
return true
|
|
}
|
|
|
|
for k, v := range annotations {
|
|
match := false
|
|
for k1, v1 := range resourceAnnotations {
|
|
if wildcard.Match(k, k1) && wildcard.Match(v, v1) {
|
|
match = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if match == false {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
func checkSelector(labelSelector *metav1.LabelSelector, resourceLabels map[string]string) (bool, error) {
|
|
wildcards.ReplaceInSelector(labelSelector, resourceLabels)
|
|
selector, err := metav1.LabelSelectorAsSelector(labelSelector)
|
|
if err != nil {
|
|
log.Log.Error(err, "failed to build label selector")
|
|
return false, err
|
|
}
|
|
|
|
if selector.Matches(labels.Set(resourceLabels)) {
|
|
return true, nil
|
|
}
|
|
|
|
return false, nil
|
|
}
|
|
|
|
// doesResourceMatchConditionBlock filters the resource with defined conditions
|
|
// for a match / exclude block, it has the following attributes:
|
|
// ResourceDescription:
|
|
// Kinds []string
|
|
// Name string
|
|
// Namespaces []string
|
|
// Selector
|
|
// UserInfo:
|
|
// Roles []string
|
|
// ClusterRoles []string
|
|
// Subjects []rbacv1.Subject
|
|
// To filter out the targeted resources with ResourceDescription, the check
|
|
// should be: AND across attributes but an OR inside attributes that of type list
|
|
// To filter out the targeted resources with UserInfo, the check
|
|
// should be: OR (across & inside) attributes
|
|
func doesResourceMatchConditionBlock(conditionBlock kyverno.ResourceDescription, userInfo kyverno.UserInfo, admissionInfo urkyverno.RequestInfo, resource unstructured.Unstructured, dynamicConfig []string, namespaceLabels map[string]string) []error {
|
|
var errs []error
|
|
|
|
if len(conditionBlock.Kinds) > 0 {
|
|
if !checkKind(conditionBlock.Kinds, resource) {
|
|
errs = append(errs, fmt.Errorf("kind does not match %v", conditionBlock.Kinds))
|
|
}
|
|
}
|
|
|
|
if conditionBlock.Name != "" {
|
|
if !checkName(conditionBlock.Name, resource.GetName()) {
|
|
errs = append(errs, fmt.Errorf("name does not match"))
|
|
}
|
|
}
|
|
|
|
if len(conditionBlock.Names) > 0 {
|
|
noneMatch := true
|
|
for i := range conditionBlock.Names {
|
|
if checkName(conditionBlock.Names[i], resource.GetName()) {
|
|
noneMatch = false
|
|
break
|
|
}
|
|
}
|
|
if noneMatch {
|
|
errs = append(errs, fmt.Errorf("none of the names match"))
|
|
}
|
|
}
|
|
|
|
if len(conditionBlock.Namespaces) > 0 {
|
|
if !checkNameSpace(conditionBlock.Namespaces, resource) {
|
|
errs = append(errs, fmt.Errorf("namespace does not match"))
|
|
}
|
|
}
|
|
|
|
if len(conditionBlock.Annotations) > 0 {
|
|
if !checkAnnotations(conditionBlock.Annotations, resource.GetAnnotations()) {
|
|
errs = append(errs, fmt.Errorf("annotations does not match"))
|
|
}
|
|
}
|
|
|
|
if conditionBlock.Selector != nil {
|
|
hasPassed, err := checkSelector(conditionBlock.Selector, resource.GetLabels())
|
|
if err != nil {
|
|
errs = append(errs, fmt.Errorf("failed to parse selector: %v", err))
|
|
} else {
|
|
if !hasPassed {
|
|
errs = append(errs, fmt.Errorf("selector does not match"))
|
|
}
|
|
}
|
|
}
|
|
|
|
if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" && resource.GetKind() != "" {
|
|
hasPassed, err := checkSelector(conditionBlock.NamespaceSelector, namespaceLabels)
|
|
if err != nil {
|
|
errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
|
|
} else {
|
|
if !hasPassed {
|
|
errs = append(errs, fmt.Errorf("namespace selector does not match"))
|
|
}
|
|
}
|
|
}
|
|
|
|
keys := append(admissionInfo.AdmissionUserInfo.Groups, admissionInfo.AdmissionUserInfo.Username)
|
|
var userInfoErrors []error
|
|
var checkedItem int
|
|
if len(userInfo.Roles) > 0 && !utils.SliceContains(keys, dynamicConfig...) {
|
|
checkedItem++
|
|
|
|
if !utils.SliceContains(userInfo.Roles, admissionInfo.Roles...) {
|
|
userInfoErrors = append(userInfoErrors, fmt.Errorf("user info does not match roles for the given conditionBlock"))
|
|
} else {
|
|
return errs
|
|
}
|
|
}
|
|
|
|
if len(userInfo.ClusterRoles) > 0 && !utils.SliceContains(keys, dynamicConfig...) {
|
|
checkedItem++
|
|
|
|
if !utils.SliceContains(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) {
|
|
userInfoErrors = append(userInfoErrors, fmt.Errorf("user info does not match clustersRoles for the given conditionBlock"))
|
|
} else {
|
|
return errs
|
|
}
|
|
}
|
|
|
|
if len(userInfo.Subjects) > 0 {
|
|
checkedItem++
|
|
|
|
if !matchSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo, dynamicConfig) {
|
|
userInfoErrors = append(userInfoErrors, fmt.Errorf("user info does not match subject for the given conditionBlock"))
|
|
} else {
|
|
return errs
|
|
}
|
|
}
|
|
|
|
if checkedItem != len(userInfoErrors) {
|
|
return errs
|
|
}
|
|
|
|
return append(errs, userInfoErrors...)
|
|
}
|
|
|
|
// matchSubjects return true if one of ruleSubjects exist in userInfo
|
|
func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.UserInfo, dynamicConfig []string) bool {
|
|
const SaPrefix = "system:serviceaccount:"
|
|
|
|
userGroups := append(userInfo.Groups, userInfo.Username)
|
|
|
|
// TODO: see issue https://github.com/kyverno/kyverno/issues/861
|
|
for _, e := range dynamicConfig {
|
|
ruleSubjects = append(ruleSubjects,
|
|
rbacv1.Subject{Kind: "Group", Name: e},
|
|
)
|
|
}
|
|
|
|
for _, subject := range ruleSubjects {
|
|
switch subject.Kind {
|
|
case "ServiceAccount":
|
|
if len(userInfo.Username) <= len(SaPrefix) {
|
|
continue
|
|
}
|
|
subjectServiceAccount := subject.Namespace + ":" + subject.Name
|
|
if userInfo.Username[len(SaPrefix):] == subjectServiceAccount {
|
|
return true
|
|
}
|
|
case "User", "Group":
|
|
if utils.ContainsString(userGroups, subject.Name) {
|
|
return true
|
|
}
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
//MatchesResourceDescription checks if the resource matches resource description of the rule or not
|
|
func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef urkyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string, policyNamespace string) error {
|
|
|
|
rule := ruleRef.DeepCopy()
|
|
resource := *resourceRef.DeepCopy()
|
|
admissionInfo := *admissionInfoRef.DeepCopy()
|
|
|
|
var reasonsForFailure []error
|
|
if policyNamespace != "" && policyNamespace != resourceRef.GetNamespace() {
|
|
return errors.New(" The policy and resource namespace are different. Therefore, policy skip this resource.")
|
|
}
|
|
if len(rule.MatchResources.Any) > 0 {
|
|
// include object if ANY of the criteria match
|
|
// so if one matches then break from loop
|
|
oneMatched := false
|
|
for _, rmr := range rule.MatchResources.Any {
|
|
// if there are no errors it means it was a match
|
|
if len(matchesResourceDescriptionMatchHelper(rmr, admissionInfo, resource, dynamicConfig, namespaceLabels)) == 0 {
|
|
oneMatched = true
|
|
break
|
|
}
|
|
}
|
|
if !oneMatched {
|
|
reasonsForFailure = append(reasonsForFailure, fmt.Errorf("no resource matched"))
|
|
}
|
|
} else if len(rule.MatchResources.All) > 0 {
|
|
// include object if ALL of the criterias match
|
|
for _, rmr := range rule.MatchResources.All {
|
|
reasonsForFailure = append(reasonsForFailure, matchesResourceDescriptionMatchHelper(rmr, admissionInfo, resource, dynamicConfig, namespaceLabels)...)
|
|
}
|
|
} else {
|
|
rmr := kyverno.ResourceFilter{UserInfo: rule.MatchResources.UserInfo, ResourceDescription: rule.MatchResources.ResourceDescription}
|
|
reasonsForFailure = append(reasonsForFailure, matchesResourceDescriptionMatchHelper(rmr, admissionInfo, resource, dynamicConfig, namespaceLabels)...)
|
|
}
|
|
|
|
if len(rule.ExcludeResources.Any) > 0 {
|
|
// exclude the object if ANY of the criterias match
|
|
for _, rer := range rule.ExcludeResources.Any {
|
|
reasonsForFailure = append(reasonsForFailure, matchesResourceDescriptionExcludeHelper(rer, admissionInfo, resource, dynamicConfig, namespaceLabels)...)
|
|
}
|
|
} else if len(rule.ExcludeResources.All) > 0 {
|
|
// exlcude the object if ALL the criterias match
|
|
excludedByAll := true
|
|
for _, rer := range rule.ExcludeResources.All {
|
|
// we got no errors inplying a resource did NOT exclude it
|
|
// "matchesResourceDescriptionExcludeHelper" returns errors if resource is excluded by a filter
|
|
if len(matchesResourceDescriptionExcludeHelper(rer, admissionInfo, resource, dynamicConfig, namespaceLabels)) == 0 {
|
|
excludedByAll = false
|
|
break
|
|
}
|
|
}
|
|
if excludedByAll {
|
|
reasonsForFailure = append(reasonsForFailure, fmt.Errorf("resource excluded since the combination of all criterias exclude it"))
|
|
}
|
|
} else {
|
|
rer := kyverno.ResourceFilter{UserInfo: rule.ExcludeResources.UserInfo, ResourceDescription: rule.ExcludeResources.ResourceDescription}
|
|
reasonsForFailure = append(reasonsForFailure, matchesResourceDescriptionExcludeHelper(rer, admissionInfo, resource, dynamicConfig, namespaceLabels)...)
|
|
}
|
|
|
|
// creating final error
|
|
var errorMessage = fmt.Sprintf("rule %s not matched:", ruleRef.Name)
|
|
for i, reasonForFailure := range reasonsForFailure {
|
|
if reasonForFailure != nil {
|
|
errorMessage += "\n " + fmt.Sprint(i+1) + ". " + reasonForFailure.Error()
|
|
}
|
|
}
|
|
|
|
if len(reasonsForFailure) > 0 {
|
|
return errors.New(errorMessage)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func matchesResourceDescriptionMatchHelper(rmr kyverno.ResourceFilter, admissionInfo urkyverno.RequestInfo, resource unstructured.Unstructured, dynamicConfig []string, namespaceLabels map[string]string) []error {
|
|
var errs []error
|
|
if reflect.DeepEqual(admissionInfo, kyverno.RequestInfo{}) {
|
|
rmr.UserInfo = kyverno.UserInfo{}
|
|
}
|
|
|
|
// checking if resource matches the rule
|
|
if !reflect.DeepEqual(rmr.ResourceDescription, kyverno.ResourceDescription{}) ||
|
|
!reflect.DeepEqual(rmr.UserInfo, kyverno.UserInfo{}) {
|
|
matchErrs := doesResourceMatchConditionBlock(rmr.ResourceDescription, rmr.UserInfo, admissionInfo, resource, dynamicConfig, namespaceLabels)
|
|
errs = append(errs, matchErrs...)
|
|
} else {
|
|
errs = append(errs, fmt.Errorf("match cannot be empty"))
|
|
}
|
|
return errs
|
|
}
|
|
|
|
func matchesResourceDescriptionExcludeHelper(rer kyverno.ResourceFilter, admissionInfo urkyverno.RequestInfo, resource unstructured.Unstructured, dynamicConfig []string, namespaceLabels map[string]string) []error {
|
|
var errs []error
|
|
// checking if resource matches the rule
|
|
if !reflect.DeepEqual(rer.ResourceDescription, kyverno.ResourceDescription{}) ||
|
|
!reflect.DeepEqual(rer.UserInfo, kyverno.UserInfo{}) {
|
|
excludeErrs := doesResourceMatchConditionBlock(rer.ResourceDescription, rer.UserInfo, admissionInfo, resource, dynamicConfig, namespaceLabels)
|
|
// it was a match so we want to exclude it
|
|
if len(excludeErrs) == 0 {
|
|
errs = append(errs, fmt.Errorf("resource excluded since one of the criterias excluded it"))
|
|
errs = append(errs, excludeErrs...)
|
|
}
|
|
}
|
|
// len(errs) != 0 if the filter excluded the resource
|
|
return errs
|
|
}
|
|
|
|
func copyAnyAllConditions(original kyverno.AnyAllConditions) kyverno.AnyAllConditions {
|
|
if reflect.DeepEqual(original, kyverno.AnyAllConditions{}) {
|
|
return kyverno.AnyAllConditions{}
|
|
}
|
|
return *original.DeepCopy()
|
|
}
|
|
|
|
// backwards compatibility
|
|
func copyOldConditions(original []kyverno.Condition) []kyverno.Condition {
|
|
if len(original) == 0 {
|
|
return []kyverno.Condition{}
|
|
}
|
|
|
|
var copies []kyverno.Condition
|
|
for _, condition := range original {
|
|
copies = append(copies, *condition.DeepCopy())
|
|
}
|
|
|
|
return copies
|
|
}
|
|
|
|
func transformConditions(original apiextensions.JSON) (interface{}, error) {
|
|
// conditions are currently in the form of []interface{}
|
|
kyvernoOriginalConditions, err := utils.ApiextensionsJsonToKyvernoConditions(original)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
switch typedValue := kyvernoOriginalConditions.(type) {
|
|
case kyverno.AnyAllConditions:
|
|
return copyAnyAllConditions(typedValue), nil
|
|
case []kyverno.Condition: // backwards compatibility
|
|
return copyOldConditions(typedValue), nil
|
|
}
|
|
|
|
return nil, fmt.Errorf("invalid preconditions")
|
|
}
|
|
|
|
// excludeResource checks if the resource has ownerRef set
|
|
func excludeResource(podControllers string, resource unstructured.Unstructured) bool {
|
|
kind := resource.GetKind()
|
|
hasOwner := false
|
|
if kind == "Pod" || kind == "Job" {
|
|
for _, owner := range resource.GetOwnerReferences() {
|
|
hasOwner = true
|
|
if owner.Kind != "ReplicaSet" && !strings.Contains(podControllers, owner.Kind) {
|
|
return false
|
|
}
|
|
}
|
|
return hasOwner
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// ManagedPodResource returns true:
|
|
// - if the policy has auto-gen annotation && resource == Pod
|
|
// - if the auto-gen contains cronJob && resource == Job
|
|
func ManagedPodResource(policy kyverno.PolicyInterface, resource unstructured.Unstructured) bool {
|
|
podControllers, ok := policy.GetAnnotations()[kyverno.PodControllersAnnotation]
|
|
if !ok || strings.ToLower(podControllers) == "none" {
|
|
return false
|
|
}
|
|
|
|
if excludeResource(podControllers, resource) {
|
|
return true
|
|
}
|
|
|
|
if strings.Contains(podControllers, "CronJob") && excludeResource(podControllers, resource) {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func checkPreconditions(logger logr.Logger, ctx *PolicyContext, anyAllConditions apiextensions.JSON) (bool, error) {
|
|
preconditions, err := variables.SubstituteAllInPreconditions(logger, ctx.JSONContext, anyAllConditions)
|
|
if err != nil {
|
|
return false, errors.Wrapf(err, "failed to substitute variables in preconditions")
|
|
}
|
|
|
|
typeConditions, err := common.TransformConditions(preconditions)
|
|
if err != nil {
|
|
return false, errors.Wrapf(err, "failed to parse preconditions")
|
|
}
|
|
|
|
pass := variables.EvaluateConditions(logger, ctx.JSONContext, typeConditions)
|
|
return pass, nil
|
|
}
|
|
|
|
func evaluateList(jmesPath string, ctx context.EvalInterface) ([]interface{}, error) {
|
|
i, err := ctx.Query(jmesPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
l, ok := i.([]interface{})
|
|
if !ok {
|
|
return []interface{}{i}, nil
|
|
}
|
|
|
|
return l, nil
|
|
}
|
|
|
|
func ruleError(rule *kyverno.Rule, ruleType response.RuleType, msg string, err error) *response.RuleResponse {
|
|
msg = fmt.Sprintf("%s: %s", msg, err.Error())
|
|
return ruleResponse(*rule, ruleType, msg, response.RuleStatusError, nil)
|
|
}
|
|
|
|
func ruleResponse(rule kyverno.Rule, ruleType response.RuleType, msg string, status response.RuleStatus, patchedResource *unstructured.Unstructured) *response.RuleResponse {
|
|
resp := &response.RuleResponse{
|
|
Name: rule.Name,
|
|
Type: ruleType,
|
|
Message: msg,
|
|
Status: status,
|
|
}
|
|
|
|
if rule.Mutation.Targets != nil {
|
|
resp.PatchedTarget = patchedResource
|
|
}
|
|
return resp
|
|
}
|
|
|
|
func incrementAppliedCount(resp *response.EngineResponse) {
|
|
resp.PolicyResponse.RulesAppliedCount++
|
|
}
|
|
|
|
func incrementErrorCount(resp *response.EngineResponse) {
|
|
resp.PolicyResponse.RulesErrorCount++
|
|
}
|
|
|
|
// invertedElement inverted the order of element for patchStrategicMerge policies as kustomize patch revering the order of patch resources.
|
|
func invertedElement(elements []interface{}) {
|
|
for i, j := 0, len(elements)-1; i < j; i, j = i+1, j-1 {
|
|
elements[i], elements[j] = elements[j], elements[i]
|
|
}
|
|
}
|