mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-15 17:51:20 +00:00
922840b344
* added deep copy for rule; changed rule deep copy logic Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com> * fixed linter error Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
358 lines
12 KiB
Go
358 lines
12 KiB
Go
package engine
|
|
|
|
import (
|
|
"fmt"
|
|
"reflect"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/go-logr/logr"
|
|
gojmespath "github.com/jmespath/go-jmespath"
|
|
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
|
|
"github.com/kyverno/kyverno/pkg/engine/common"
|
|
"github.com/kyverno/kyverno/pkg/engine/context"
|
|
"github.com/kyverno/kyverno/pkg/engine/response"
|
|
"github.com/kyverno/kyverno/pkg/engine/utils"
|
|
"github.com/kyverno/kyverno/pkg/engine/validate"
|
|
"github.com/kyverno/kyverno/pkg/engine/variables"
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
|
"sigs.k8s.io/controller-runtime/pkg/log"
|
|
)
|
|
|
|
//Validate applies validation rules from policy on the resource
|
|
func Validate(policyContext *PolicyContext) (resp *response.EngineResponse) {
|
|
resp = &response.EngineResponse{}
|
|
startTime := time.Now()
|
|
|
|
logger := buildLogger(policyContext)
|
|
logger.V(4).Info("start policy processing", "startTime", startTime)
|
|
defer func() {
|
|
buildResponse(logger, policyContext, resp, startTime)
|
|
logger.V(4).Info("finished policy processing", "processingTime", resp.PolicyResponse.ProcessingTime.String(), "validationRulesApplied", resp.PolicyResponse.RulesAppliedCount)
|
|
}()
|
|
|
|
resp = validateResource(logger, policyContext)
|
|
return
|
|
}
|
|
|
|
func buildLogger(ctx *PolicyContext) logr.Logger {
|
|
logger := log.Log.WithName("EngineValidate").WithValues("policy", ctx.Policy.Name)
|
|
if reflect.DeepEqual(ctx.NewResource, unstructured.Unstructured{}) {
|
|
logger = logger.WithValues("kind", ctx.OldResource.GetKind(), "namespace", ctx.OldResource.GetNamespace(), "name", ctx.OldResource.GetName())
|
|
} else {
|
|
logger = logger.WithValues("kind", ctx.NewResource.GetKind(), "namespace", ctx.NewResource.GetNamespace(), "name", ctx.NewResource.GetName())
|
|
}
|
|
|
|
return logger
|
|
}
|
|
|
|
func buildResponse(logger logr.Logger, ctx *PolicyContext, resp *response.EngineResponse, startTime time.Time) {
|
|
if reflect.DeepEqual(resp, response.EngineResponse{}) {
|
|
return
|
|
}
|
|
|
|
if reflect.DeepEqual(resp.PatchedResource, unstructured.Unstructured{}) {
|
|
// for delete requests patched resource will be oldResource since newResource is empty
|
|
var resource unstructured.Unstructured = ctx.NewResource
|
|
if reflect.DeepEqual(ctx.NewResource, unstructured.Unstructured{}) {
|
|
resource = ctx.OldResource
|
|
}
|
|
|
|
resp.PatchedResource = resource
|
|
}
|
|
|
|
resp.PolicyResponse.Policy.Name = ctx.Policy.GetName()
|
|
resp.PolicyResponse.Policy.Namespace = ctx.Policy.GetNamespace()
|
|
resp.PolicyResponse.Resource.Name = resp.PatchedResource.GetName()
|
|
resp.PolicyResponse.Resource.Namespace = resp.PatchedResource.GetNamespace()
|
|
resp.PolicyResponse.Resource.Kind = resp.PatchedResource.GetKind()
|
|
resp.PolicyResponse.Resource.APIVersion = resp.PatchedResource.GetAPIVersion()
|
|
resp.PolicyResponse.ValidationFailureAction = ctx.Policy.Spec.ValidationFailureAction
|
|
resp.PolicyResponse.ProcessingTime = time.Since(startTime)
|
|
resp.PolicyResponse.PolicyExecutionTimestamp = startTime.Unix()
|
|
}
|
|
|
|
func incrementAppliedCount(resp *response.EngineResponse) {
|
|
resp.PolicyResponse.RulesAppliedCount++
|
|
}
|
|
|
|
func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineResponse {
|
|
resp := &response.EngineResponse{}
|
|
if ManagedPodResource(ctx.Policy, ctx.NewResource) {
|
|
log.V(5).Info("skip policy as direct changes to pods managed by workload controllers are not allowed", "policy", ctx.Policy.GetName())
|
|
return resp
|
|
}
|
|
|
|
ctx.JSONContext.Checkpoint()
|
|
defer ctx.JSONContext.Restore()
|
|
|
|
for _, rule := range ctx.Policy.Spec.Rules {
|
|
var err error
|
|
|
|
if !rule.HasValidate() {
|
|
continue
|
|
}
|
|
|
|
log = log.WithValues("rule", rule.Name)
|
|
|
|
if !matches(log, rule, ctx) {
|
|
continue
|
|
}
|
|
|
|
ctx.JSONContext.Restore()
|
|
if err := LoadContext(log, rule.Context, ctx.ResourceCache, ctx, rule.Name); err != nil {
|
|
if _, ok := err.(gojmespath.NotFoundError); ok {
|
|
log.V(3).Info("failed to load context", "reason", err.Error())
|
|
} else {
|
|
log.Error(err, "failed to load context")
|
|
}
|
|
continue
|
|
}
|
|
|
|
log.V(3).Info("matched validate rule")
|
|
|
|
ruleCopy := rule.DeepCopy()
|
|
ruleCopy.AnyAllConditions, err = variables.SubstituteAllInPreconditions(log, ctx.JSONContext, ruleCopy.AnyAllConditions)
|
|
if err != nil {
|
|
log.V(4).Info("failed to substitute vars in preconditions, skip current rule", "rule name", rule.Name)
|
|
return nil
|
|
}
|
|
|
|
preconditions, err := transformConditions(ruleCopy.AnyAllConditions)
|
|
if err != nil {
|
|
log.V(2).Info("wrongfully configured data", "reason", err.Error())
|
|
continue
|
|
}
|
|
|
|
// evaluate pre-conditions
|
|
if !variables.EvaluateConditions(log, ctx.JSONContext, preconditions) {
|
|
log.V(4).Info("resource fails the preconditions")
|
|
continue
|
|
}
|
|
|
|
if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
|
|
if *ruleCopy, err = substituteAll(log, ctx, *ruleCopy, resp); err != nil {
|
|
continue
|
|
}
|
|
|
|
ruleResponse := validateResourceWithRule(log, ctx, *ruleCopy)
|
|
if ruleResponse != nil {
|
|
if !common.IsConditionalAnchorError(ruleResponse.Message) {
|
|
incrementAppliedCount(resp)
|
|
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResponse)
|
|
}
|
|
}
|
|
} else if rule.Validation.Deny != nil {
|
|
ruleCopy.Validation.Deny.AnyAllConditions, err = variables.SubstituteAllInPreconditions(log, ctx.JSONContext, ruleCopy.Validation.Deny.AnyAllConditions)
|
|
if err != nil {
|
|
log.V(4).Info("failed to substitute vars in preconditions, skip current rule", "rule name", rule.Name)
|
|
continue
|
|
}
|
|
|
|
if *ruleCopy, err = substituteAll(log, ctx, *ruleCopy, resp); err != nil {
|
|
continue
|
|
}
|
|
|
|
denyConditions, err := transformConditions(ruleCopy.Validation.Deny.AnyAllConditions)
|
|
if err != nil {
|
|
log.V(2).Info("wrongfully configured data", "reason", err.Error())
|
|
continue
|
|
}
|
|
|
|
deny := variables.EvaluateConditions(log, ctx.JSONContext, denyConditions)
|
|
ruleResp := response.RuleResponse{
|
|
Name: ruleCopy.Name,
|
|
Type: utils.Validation.String(),
|
|
Message: ruleCopy.Validation.Message,
|
|
Success: !deny,
|
|
}
|
|
|
|
incrementAppliedCount(resp)
|
|
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
|
|
}
|
|
}
|
|
|
|
return resp
|
|
}
|
|
|
|
func validateResourceWithRule(log logr.Logger, ctx *PolicyContext, rule kyverno.Rule) (resp *response.RuleResponse) {
|
|
if reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) {
|
|
resp := validatePatterns(log, ctx.JSONContext, ctx.NewResource, rule)
|
|
return &resp
|
|
}
|
|
|
|
if reflect.DeepEqual(ctx.NewResource, unstructured.Unstructured{}) {
|
|
log.V(3).Info("skipping validation on deleted resource")
|
|
return nil
|
|
}
|
|
|
|
oldResp := validatePatterns(log, ctx.JSONContext, ctx.OldResource, rule)
|
|
newResp := validatePatterns(log, ctx.JSONContext, ctx.NewResource, rule)
|
|
if isSameRuleResponse(oldResp, newResp) {
|
|
log.V(3).Info("skipping modified resource as validation results have not changed")
|
|
return nil
|
|
}
|
|
|
|
return &newResp
|
|
}
|
|
|
|
// matches checks if either the new or old resource satisfies the filter conditions defined in the rule
|
|
func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool {
|
|
err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels)
|
|
if err == nil {
|
|
return true
|
|
}
|
|
|
|
if !reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) {
|
|
err := MatchesResourceDescription(ctx.OldResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels)
|
|
if err == nil {
|
|
return true
|
|
}
|
|
}
|
|
|
|
logger.V(4).Info("resource does not match rule", "reason", err.Error())
|
|
return false
|
|
}
|
|
|
|
func isSameRuleResponse(r1 response.RuleResponse, r2 response.RuleResponse) bool {
|
|
if r1.Name != r2.Name {
|
|
return false
|
|
}
|
|
|
|
if r1.Type != r2.Type {
|
|
return false
|
|
}
|
|
|
|
if r1.Message != r2.Message {
|
|
return false
|
|
}
|
|
|
|
if r1.Success != r2.Success {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// validatePatterns validate pattern and anyPattern
|
|
func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstructured.Unstructured, rule kyverno.Rule) (resp response.RuleResponse) {
|
|
startTime := time.Now()
|
|
logger := log.WithValues("rule", rule.Name, "name", resource.GetName(), "kind", resource.GetKind())
|
|
logger.V(5).Info("start processing rule", "startTime", startTime)
|
|
resp.Name = rule.Name
|
|
resp.Type = utils.Validation.String()
|
|
defer func() {
|
|
resp.RuleStats.ProcessingTime = time.Since(startTime)
|
|
resp.RuleStats.RuleExecutionTimestamp = startTime.Unix()
|
|
logger.V(4).Info("finished processing rule", "processingTime", resp.RuleStats.ProcessingTime.String())
|
|
}()
|
|
|
|
validationRule := rule.Validation.DeepCopy()
|
|
if validationRule.Pattern != nil {
|
|
pattern := validationRule.Pattern
|
|
|
|
if path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern); err != nil {
|
|
logger.V(3).Info("validation failed", "path", path, "error", err.Error())
|
|
resp.Success = false
|
|
resp.Message = buildErrorMessage(rule, path)
|
|
return resp
|
|
}
|
|
|
|
logger.V(4).Info("successfully processed rule")
|
|
resp.Success = true
|
|
resp.Message = fmt.Sprintf("validation rule '%s' passed.", rule.Name)
|
|
return resp
|
|
}
|
|
|
|
if validationRule.AnyPattern != nil {
|
|
var failedAnyPatternsErrors []error
|
|
var err error
|
|
|
|
anyPatterns, err := rule.Validation.DeserializeAnyPattern()
|
|
if err != nil {
|
|
resp.Success = false
|
|
resp.Message = fmt.Sprintf("failed to deserialize anyPattern, expected type array: %v", err)
|
|
return resp
|
|
}
|
|
|
|
for idx, pattern := range anyPatterns {
|
|
path, err := validate.ValidateResourceWithPattern(logger, resource.Object, pattern)
|
|
if err == nil {
|
|
resp.Success = true
|
|
resp.Message = fmt.Sprintf("validation rule '%s' anyPattern[%d] passed.", rule.Name, idx)
|
|
return resp
|
|
}
|
|
|
|
logger.V(4).Info("validation rule failed", "anyPattern[%d]", idx, "path", path)
|
|
patternErr := fmt.Errorf("Rule %s[%d] failed at path %s.", rule.Name, idx, path)
|
|
failedAnyPatternsErrors = append(failedAnyPatternsErrors, patternErr)
|
|
}
|
|
|
|
// Any Pattern validation errors
|
|
if len(failedAnyPatternsErrors) > 0 {
|
|
var errorStr []string
|
|
for _, err := range failedAnyPatternsErrors {
|
|
errorStr = append(errorStr, err.Error())
|
|
}
|
|
|
|
log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", rule.Name, errorStr))
|
|
|
|
resp.Success = false
|
|
resp.Message = buildAnyPatternErrorMessage(rule, errorStr)
|
|
return resp
|
|
}
|
|
}
|
|
|
|
return resp
|
|
}
|
|
|
|
func buildErrorMessage(rule kyverno.Rule, path string) string {
|
|
if rule.Validation.Message == "" {
|
|
return fmt.Sprintf("validation error: rule %s failed at path %s", rule.Name, path)
|
|
}
|
|
|
|
if strings.HasSuffix(rule.Validation.Message, ".") {
|
|
return fmt.Sprintf("validation error: %s Rule %s failed at path %s", rule.Validation.Message, rule.Name, path)
|
|
}
|
|
|
|
return fmt.Sprintf("validation error: %s. Rule %s failed at path %s", rule.Validation.Message, rule.Name, path)
|
|
}
|
|
|
|
func buildAnyPatternErrorMessage(rule kyverno.Rule, errors []string) string {
|
|
errStr := strings.Join(errors, " ")
|
|
if rule.Validation.Message == "" {
|
|
return fmt.Sprintf("validation error: %s", errStr)
|
|
}
|
|
|
|
if strings.HasSuffix(rule.Validation.Message, ".") {
|
|
return fmt.Sprintf("validation error: %s %s", rule.Validation.Message, errStr)
|
|
}
|
|
|
|
return fmt.Sprintf("validation error: %s. %s", rule.Validation.Message, errStr)
|
|
}
|
|
|
|
func substituteAll(log logr.Logger, ctx *PolicyContext, rule kyverno.Rule, resp *response.EngineResponse) (kyverno.Rule, error) {
|
|
var err error
|
|
if rule, err = variables.SubstituteAllInRule(log, ctx.JSONContext, rule); err != nil {
|
|
ruleResp := response.RuleResponse{
|
|
Name: rule.Name,
|
|
Type: utils.Validation.String(),
|
|
Message: fmt.Sprintf("variable substitution failed for rule %s: %s", rule.Name, err.Error()),
|
|
Success: true,
|
|
}
|
|
|
|
incrementAppliedCount(resp)
|
|
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
|
|
|
|
switch err.(type) {
|
|
case gojmespath.NotFoundError:
|
|
log.V(2).Info("failed to substitute variables, skip current rule", "info", err.Error(), "rule name", rule.Name)
|
|
default:
|
|
log.Error(err, "failed to substitute variables, skip current rule", "rule name", rule.Name)
|
|
}
|
|
|
|
return rule, err
|
|
}
|
|
|
|
return rule, nil
|
|
}
|