mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-10 01:46:55 +00:00
Code Activity
kyverno/pkg/webhooks/resource/imageverification/handler.go
Charles-Edouard Brétéché e0ab72bb9a
feat: reports v2 implementation (#4608) 
This PR refactors the reports generation code.
It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds.

The new reports system is based on 4 controllers:

Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation
Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes
Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace)
Resources controller is responsible for watching reports that need background scan reports
I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong.

I also added a flag to split reports in chunks to avoid creating too large resources.

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
2022-09-28 17:15:16 +05:30

112 lines
3.6 KiB
Go
Raw Blame History

package imageverification
import (
"errors"
"reflect"
"github.com/go-logr/logr"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine"
"github.com/kyverno/kyverno/pkg/engine/response"
"github.com/kyverno/kyverno/pkg/event"
"github.com/kyverno/kyverno/pkg/metrics"
jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils"
admissionv1 "k8s.io/api/admission/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
type ImageVerificationHandler interface {
Handle(
*metrics.MetricsConfig,
*admissionv1.AdmissionRequest,
[]kyvernov1.PolicyInterface,
*engine.PolicyContext,
) ([]byte, []string, error)
}
func NewImageVerificationHandler(log logr.Logger, eventGen event.Interface) ImageVerificationHandler {
return &imageVerificationHandler{
log: log,
eventGen: eventGen,
}
}
type imageVerificationHandler struct {
log logr.Logger
eventGen event.Interface
}
func (h *imageVerificationHandler) Handle(
metricsConfig *metrics.MetricsConfig,
request *admissionv1.AdmissionRequest,
policies []kyvernov1.PolicyInterface,
policyContext *engine.PolicyContext,
) ([]byte, []string, error) {
ok, message, imagePatches, warnings := h.handleVerifyImages(h.log, request, policyContext, policies)
if !ok {
return nil, nil, errors.New(message)
}
h.log.V(6).Info("images verified", "patches", string(imagePatches), "warnings", warnings)
return imagePatches, warnings, nil
}
func (h *imageVerificationHandler) handleVerifyImages(logger logr.Logger, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext, policies []kyvernov1.PolicyInterface) (bool, string, []byte, []string) {
if len(policies) == 0 {
return true, "", nil, nil
}
var engineResponses []*response.EngineResponse
var patches [][]byte
verifiedImageData := &engine.ImageVerificationMetadata{}
for _, p := range policies {
policyContext.Policy = p
resp, ivm := engine.VerifyAndPatchImages(policyContext)
engineResponses = append(engineResponses, resp)
patches = append(patches, resp.GetPatches()...)
verifiedImageData.Merge(ivm)
}
failurePolicy := policyContext.Policy.GetSpec().GetFailurePolicy()
blocked := webhookutils.BlockRequest(engineResponses, failurePolicy, logger)
if !isResourceDeleted(policyContext) {
events := webhookutils.GenerateEvents(engineResponses, blocked)
h.eventGen.Add(events...)
}
if blocked {
logger.V(4).Info("admission request blocked")
return false, webhookutils.GetBlockedMessages(engineResponses), nil, nil
}
if !verifiedImageData.IsEmpty() {
hasAnnotations := hasAnnotations(policyContext)
annotationPatches, err := verifiedImageData.Patches(hasAnnotations, logger)
if err != nil {
logger.Error(err, "failed to create image verification annotation patches")
} else {
// add annotation patches first
patches = append(annotationPatches, patches...)
}
}
warnings := webhookutils.GetWarningMessages(engineResponses)
return true, "", jsonutils.JoinPatches(patches...), warnings
}
func hasAnnotations(context *engine.PolicyContext) bool {
annotations := context.NewResource.GetAnnotations()
return len(annotations) != 0
}
func isResourceDeleted(policyContext *engine.PolicyContext) bool {
var deletionTimeStamp *metav1.Time
if reflect.DeepEqual(policyContext.NewResource, unstructured.Unstructured{}) {
deletionTimeStamp = policyContext.NewResource.GetDeletionTimestamp()
} else {
deletionTimeStamp = policyContext.OldResource.GetDeletionTimestamp()
}
return deletionTimeStamp != nil
}
View git blame Copy permalink