Adding the option to use a new crd modules in policies #2

Open
wants to merge 9 commits into
base: main
from
206 changes: 123 additions & 83 deletions charts/bridgekeeper/templates/crds.yaml
@@ -1,5 +1,4 @@
{{- if .Values.installCRDs }}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
Expand All @@ -14,88 +13,129 @@ spec:
singular: policy
scope: Cluster
versions:
- additionalPrinterColumns: []
name: v1alpha1
schema:
openAPIV3Schema:
description: "Auto-generated derived type for PolicySpec via `CustomResource`"
properties:
spec:
properties:
audit:
nullable: true
type: boolean
enforce:
nullable: true
type: boolean
rule:
properties:
python:
- additionalPrinterColumns: []
name: v1alpha1
schema:
openAPIV3Schema:
description: Auto-generated derived type for PolicySpec via `CustomResource`
properties:
spec:
properties:
audit:
nullable: true
type: boolean
enforce:
nullable: true
type: boolean
modules:
items:
type: string
nullable: true
type: array
rule:
properties:
python:
type: string
required:
- python
type: object
target:
properties:
excludedNamespaces:
items:
type: string
required:
- python
type: object
target:
properties:
excludedNamespaces:
items:
type: string
nullable: true
type: array
matches:
items:
properties:
apiGroup:
type: string
kind:
type: string
required:
- apiGroup
- kind
type: object
type: array
namespaces:
items:
type: string
nullable: true
type: array
required:
- matches
type: object
required:
- rule
- target
type: object
status:
nullable: true
properties:
audit:
nullable: true
properties:
timestamp:
nullable: true
nullable: true
type: array
matches:
items:
properties:
apiGroup:
type: string
kind:
type: string
required:
- apiGroup
- kind
type: object
type: array
namespaces:
items:
type: string
violations:
items:
properties:
identifier:
type: string
message:
type: string
required:
- identifier
- message
type: object
nullable: true
type: array
type: object
type: object
required:
- spec
title: Policy
type: object
served: true
storage: true
subresources:
status: {}
nullable: true
type: array
required:
- matches
type: object
required:
- rule
- target
type: object
status:
nullable: true
properties:
audit:
nullable: true
properties:
timestamp:
nullable: true
type: string
violations:
items:
properties:
identifier:
type: string
message:
type: string
required:
- identifier
- message
type: object
nullable: true
type: array
type: object
type: object
required:
- spec
title: Policy
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: modules.bridgekeeper.maibornwolff.de
spec:
group: bridgekeeper.maibornwolff.de
names:
categories: []
kind: Module
plural: modules
shortNames: []
singular: module
scope: Cluster
versions:
- additionalPrinterColumns: []
name: v1alpha1
schema:
openAPIV3Schema:
description: Auto-generated derived type for ModuleSpec via `CustomResource`
properties:
spec:
properties:
python:
type: string
required:
- python
type: object
required:
- spec
title: Module
type: object
served: true
storage: true
subresources: {}
---
{{- end }}
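Review bot: The new `modules` array under the Policy `spec` and the `spec.python` field of the Module CRD carry no `description`, so nothing in the generated schema tells a cluster admin that a Module's body is Python source that gets spliced into every policy naming it, and nothing constrains the entries (no `uniqueItems`, `minLength` or pattern on the names). Since the schema is derived from the Rust types, I would add doc comments on `PolicySpec.modules` and `ModuleSpec.python` so that the description lands in the generated `openAPIV3Schema` rather than hand-editing this file. Module is cluster-scoped with `subresources: {}`, so there is presumably no status on which a stale or deleted module reference could be surfaced; that limitation is worth a sentence in the field description or the chart README.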
27 changes: 26 additions & 1 deletion src/api.rs
Expand Up @@ -83,6 +83,7 @@ async fn admission_mutate(
#[rocket::post("/validate-policy", data = "<data>")]
async fn api_validate_policy(
data: Json<AdmissionReview<Policy>>,
evaluator: &State<PolicyEvaluatorRef>,
) -> Result<Json<AdmissionReview<DynamicObject>>, ApiError> {
HTTP_REQUEST_COUNTER
.with_label_values(&["/validate-policy"])
Expand All @@ -93,7 +94,31 @@ async fn api_validate_policy(
})?;
let mut response: AdmissionResponse = AdmissionResponse::from(&admission_request);

let (allowed, reason) = validate_policy_admission(&admission_request);
let mut module_code = String::new();

if let Some(policy) = &admission_request.object {
I think it would be cleaner to move the code to collect the modules into the validate_policy_admission function and to make that function into a method of the PolicyEvaluator to have access to all the needed state.

if let Some(used_modules) = policy.spec.modules.clone() {
let evaluator = evaluator.inner().clone();
let modules = evaluator.get_available_modules();

for module_name in used_modules.iter() {
match modules.get(module_name) {
Some(module_info) => {
module_code.push_str(&module_info.module.python);
module_code.push_str("\n");
},
None => {
response.allowed = false;
response.result.code = Some(403);
response.result.message = Some(format!("Could not find module '{}'", module_name));
return Ok(Json(response.into_review()))
}
};
}
}
}

let (allowed, reason) = validate_policy_admission(&admission_request, &module_code);
response.allowed = allowed;
if !allowed {
response.result.message = reason;
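Review bot: The loop `for module_name in used_modules.iter()` appends a module's `python` once per occurrence, so a policy that lists the same module twice has that code concatenated twice into `module_code`; either dedupe while keeping the author's order, e.g. `let mut seen = std::collections::HashSet::new();` followed by `for module_name in used_modules.iter().filter(|m| seen.insert(*m)) {`, or reject duplicates through the same 403 path used for unknown modules. The check also only proves that the module exists at policy-admission time; a later change or deletion of a Module object is presumably not re-validated against the policies that name it, which deserves a comment here. Since the concatenated `module.python` is handed to `validate_policy_admission` and, I assume, executed by the evaluator, a short comment should state that create/update rights on the cluster-scoped Module CRD are equivalent to authoring policy code. `api_validate_policy` continues past the end of the hunk.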