
feat: added --policy flag to pass policy path and implemented kyverno-json engine #60

Merged
merged 1 commit into from
Apr 29, 2024

Conversation

Sanskarzz
Contributor

@Sanskarzz Sanskarzz commented Apr 2, 2024

Added a --policy flag to pass the path to the policy:
./kyverno-envoy-plugin serve --policy /path/to/policy1.yaml --policy /path/to/policy2.yaml

Also used the Load function of the "github.com/kyverno/kyverno-json/pkg/policy" package to load policies of the v1alpha1.ValidatingPolicy type.
I also tested the ext-authz server with Istio; here are the logs of the ext-authz server. It seems the policy is successfully loaded in the Check function.

Here is the policy.yaml I used to check the incoming request:

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: test-policy
spec:
  rules:
    - name: deny-external-calls
      assert:
        all:
          - message: "The GET method is restricted to the /foo path."
            check:
              request:
                http:
                  method: 'GET'
                  path: '/foo'

Calling the sample application at /foo:

sanskar@sanskar-HP-Laptop-15s-du1xxx:~/kyverno-envoy-plugin$ kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --header="x-ext-authz: allow" --output-document - echo.demo.svc.cluster.local:8080/foo
{
  "path": "/foo",
  "headers": {
    "host": "echo.demo.svc.cluster.local:8080",
    "user-agent": "Wget",
    "x-ext-authz": "allow",
    "x-forwarded-proto": "http",
    "x-request-id": "a260ace6-c612-455b-954b-b7d46c1f3139",
    "x-b3-traceid": "88910ca85982e843e696ba2077efddb3",
    "x-b3-spanid": "e696ba2077efddb3",
    "x-b3-sampled": "0"
  },
  "method": "GET",
  "body": "",
  "fresh": false,
  "hostname": "echo.demo.svc.cluster.local",
  "ip": "::ffff:127.0.0.6",
  "ips": [],
  "protocol": "http",
  "query": {},
  "subdomains": [
    "svc",
    "demo",
    "echo"
  ],
  "xhr": false,
  "os": {
    "hostname": "echo-6847f9f85-zt8nf"
  },
  "connection": {}
}pod "test" deleted

Here are the logs of the ext-authz server after calling the sample application at /foo:

sanskar@sanskar-HP-Laptop-15s-du1xxx:~$ kubectl logs "$(kubectl get pod -l app=ext-authz -n demo -o jsonpath={.items..metadata.name})" -n demo -c ext-authz -f
Starting HTTP server on Port 8000
Starting GRPC server on Port 9000
Request is initialized in kyvernojson engine .
Request passed the policies.

Now calling the sample application at /bar:

sanskar@sanskar-HP-Laptop-15s-du1xxx:~/kyverno-envoy-plugin$ kubectl run test -it --rm --restart=Never --image=busybox -- wget -q --header="x-ext-authz: allow" --output-document - echo.demo.svc.cluster.local:8080/bar

wget: server returned error: HTTP/1.1 403 Forbidden
pod "test" deleted
pod default/test terminated (Error)

The request failed; the policy denied the request.
Here are the logs of the ext-authz server after both of the above requests:

sanskar@sanskar-HP-Laptop-15s-du1xxx:~$ kubectl logs "$(kubectl get pod -l app=ext-authz -n demo -o jsonpath={.items..metadata.name})" -n demo -c ext-authz -f
Starting HTTP server on Port 8000
Starting GRPC server on Port 9000
Request is initialized in kyvernojson engine .
Request passed the policies.
Request is initialized in kyvernojson engine .
Request denied with reason: -> The GET method is restricted to the /foo path.
 -> all[0].check.request.http.path: Invalid value: "/bar": Expected value: "/foo"
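As an added illustration (not code from this PR, the plugin, or kyverno-json itself), here is a simplified Go re-implementation of the `assert.all` subset check that reproduces the deny-reason shape seen in the ext-authz logs above. The `Assertion` type and the `matchSubset` / `Evaluate` functions are assumed names; the request tree is constructed to match the `request.http` shape the policy checks.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assertion mirrors one entry of spec.rules[].assert.all in the PR's policy.
type Assertion struct {
	Message string
	Check   map[string]any // partial tree that must be a subset of the request
}
// matchSubset walks check against actual and records one error per mismatching leaf.
// Simplified, assumed re-implementation; it is not the kyverno-json engine itself.
func matchSubset(path string, check, actual any, errs *[]string) {
	c, isMap := check.(map[string]any)
	if !isMap { // leaf: the request value must equal the policy value
		if fmt.Sprint(check) != fmt.Sprint(actual) {
			*errs = append(*errs, fmt.Sprintf("%s: Invalid value: %q: Expected value: %q", path, fmt.Sprint(actual), fmt.Sprint(check)))
		}
		return
	}
	a, _ := actual.(map[string]any) // nil map when the request lacks this subtree
	keys := make([]string, 0, len(c))
	for k := range c {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic error order
	for _, k := range keys {
		matchSubset(path+"."+k, c[k], a[k], errs)
	}
}

// Evaluate returns "" when all assertions hold, else a deny reason shaped like the PR's ext-authz log.
func Evaluate(all []Assertion, request map[string]any) string {
	var lines []string
	for i, a := range all {
		var errs []string
		matchSubset(fmt.Sprintf("all[%d].check", i), a.Check, request, &errs)
		if len(errs) > 0 {
			lines = append(lines, "-> "+a.Message)
			for _, e := range errs {
				lines = append(lines, " -> "+e)
			}
		}
	}
	return strings.Join(lines, "\n")
}
```

A request whose `request.http` subtree is missing entirely reports every leaf of the check as `"<nil>"`, which is the case a policy author should test alongside the plain path mismatch.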

@Sanskarzz Sanskarzz requested a review from a team as a code owner April 2, 2024 15:27
@Sanskarzz Sanskarzz changed the title feat: add --policy flag to pass path to the policy feat: add --policy flag to pass pass path to the policy Apr 2, 2024
@Sanskarzz Sanskarzz changed the title feat: add --policy flag to pass pass path to the policy feat: add --policy flag to pass pass to the policy Apr 3, 2024
@Sanskarzz Sanskarzz changed the title feat: add --policy flag to pass pass to the policy feat: add --policy flag to pass pass to the policy Apr 3, 2024
@Sanskarzz Sanskarzz changed the title feat: add --policy flag to pass pass to the policy feat: added --policy flag to pass policy path and implemented kyverno-json engine Apr 6, 2024
@anushkamittal2001

Can you check the linter errors?

@Sanskarzz
Contributor Author

Can you check the linter errors?

The CI is green, the lint error is fixed.

…-json engine

Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>
@anushkamittal2001 anushkamittal2001 merged commit 87597a5 into kyverno:main Apr 29, 2024
6 checks passed