This repository has been archived by the owner on Jan 12, 2023. It is now read-only.
generated from cruise-automation/oss-template
/
policies.go
94 lines (86 loc) · 3.56 KB
/
policies.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
// Copyright 2019 Cruise LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// https://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.package ingress
package server
import (
"context"
"github.com/cruise-automation/k-rail/policies"
"github.com/cruise-automation/k-rail/policies/ingress"
"github.com/cruise-automation/k-rail/policies/persistentVolume"
"github.com/cruise-automation/k-rail/policies/pod"
"github.com/cruise-automation/k-rail/policies/service"
log "github.com/sirupsen/logrus"
admissionv1beta1 "k8s.io/api/admission/v1beta1"
)
// Policy specifies how a Policy is implemented
// Returns a slice of violations and an optional slice of patch operations if mutation is desired.
type Policy interface {
Name() string
Validate(ctx context.Context,
config policies.Config,
ar *admissionv1beta1.AdmissionRequest,
) ([]policies.ResourceViolation, []policies.PatchOperation)
}
func (s *Server) registerPolicies() {
// Policies will be run in the order that they are registered.
// Policies that mutate will have their resulting patch merged with any previous patches in that order as well.
s.registerPolicy(pod.PolicyNoExec{})
s.registerPolicy(pod.PolicyBindMounts{})
s.registerPolicy(pod.PolicyDockerSock{})
s.registerPolicy(pod.PolicyEmptyDirSizeLimit{})
s.registerPolicy(pod.PolicyImageImmutableReference{})
s.registerPolicy(pod.PolicyNoTiller{})
s.registerPolicy(pod.PolicyTrustedRepository{})
s.registerPolicy(pod.PolicyNoHostNetwork{})
s.registerPolicy(pod.PolicyNoPrivilegedContainer{})
s.registerPolicy(pod.PolicyNoNewCapabilities{})
s.registerPolicy(pod.PolicyNoHostPID{})
s.registerPolicy(pod.PolicySafeToEvict{})
s.registerPolicy(pod.PolicyMutateSafeToEvict{})
s.registerPolicy(pod.PolicyDefaultSeccompPolicy{})
s.registerPolicy(pod.PolicyNoShareProcessNamespace{})
s.registerPolicy(pod.PolicyImagePullPolicy{})
s.registerPolicy(ingress.PolicyRequireIngressExemption{})
s.registerPolicy(service.PolicyRequireServiceLoadbalancerExemption{})
s.registerPolicy(persistentVolume.PolicyNoPersistentVolumeHost{})
requireUniqueHostPolicy, err := ingress.NewPolicyRequireUniqueHost()
if err != nil {
log.WithError(err).Error("could not load RequireUniqueHostPolicy")
} else {
s.registerPolicy(requireUniqueHostPolicy)
}
}
func (s *Server) registerPolicy(v Policy) {
found := false
for _, val := range s.Config.Policies {
if val.Name == v.Name() {
found = true
if val.Enabled {
if s.Config.GlobalReportOnly {
s.ReportOnlyPolicies = append(s.ReportOnlyPolicies, v)
log.Infof("enabling %s validator in REPORT ONLY mode because GLOBAL REPORT ONLY MODE is on", v.Name())
} else if val.ReportOnly {
s.ReportOnlyPolicies = append(s.ReportOnlyPolicies, v)
log.Infof("enabling %s validator in REPORT ONLY mode", v.Name())
} else {
s.EnforcedPolicies = append(s.EnforcedPolicies, v)
log.Infof("enabling %s validator in ENFORCE mode", v.Name())
}
} else {
log.Infof("validator %s is NOT ENABLED", v.Name())
}
}
}
if !found {
s.ReportOnlyPolicies = append(s.ReportOnlyPolicies, v)
log.Warnf("configuration not present for %s validator, enabling REPORT ONLY mode", v.Name())
}
}