feat: add external bindings support to the engine (#401)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
kyverno · Jun 10, 2024 · 69a4a1f · 69a4a1f
1 parent 66a3679
commit 69a4a1f
Show file tree

Hide file tree

Showing 9 changed files with 71 additions and 1 deletion.
diff --git a/pkg/commands/scan/command.go b/pkg/commands/scan/command.go
@@ -14,6 +14,7 @@ func Command() *cobra.Command {
 		SilenceUsage: true,
 		RunE:         command.run,
 	}
+	cmd.Flags().StringVar(&command.bindings, "bindings", "", "Bindings file (json or yaml file). Top level keys will be interpreted as bindings names.")
 	cmd.Flags().StringVar(&command.payload, "payload", "", "Path to payload (json or yaml file)")
 	cmd.Flags().StringSliceVar(&command.preprocessors, "pre-process", nil, "JMESPath expression used to pre process payload")
 	cmd.Flags().StringSliceVar(&command.policies, "policy", nil, "Path to kyverno-json policies")

diff --git a/pkg/commands/scan/command_test.go b/pkg/commands/scan/command_test.go
@@ -12,6 +12,7 @@ import (
 func Test_Execute(t *testing.T) {
 	tests := []struct {
 		name          string
+		bindings      string
 		payload       string
 		preprocessors []string
 		policies      []string
@@ -29,6 +30,13 @@ func Test_Execute(t *testing.T) {
 		policies: []string{"../../../test/commands/scan/wildcard/policy.yaml"},
 		out:      "../../../test/commands/scan/wildcard/out.txt",
 		wantErr:  false,
+	}, {
+		name:     "bindings",
+		bindings: "../../../test/commands/scan/bindings/bindings.yaml",
+		payload:  "../../../test/commands/scan/bindings/payload.yaml",
+		policies: []string{"../../../test/commands/scan/bindings/policy.yaml"},
+		out:      "../../../test/commands/scan/bindings/out.txt",
+		wantErr:  false,
 	}, {
 		name:     "pod-no-latest",
 		payload:  "../../../test/commands/scan/pod-no-latest/payload.yaml",
@@ -135,6 +143,9 @@ func Test_Execute(t *testing.T) {
 				args = append(args, "--policy", policy)
 			}
 			args = append(args, "--payload", tt.payload)
+			if tt.bindings != "" {
+				args = append(args, "--bindings", tt.bindings)
+			}
 			cmd.SetArgs(args)
 			out := bytes.NewBufferString("")
 			cmd.SetOut(out)

diff --git a/pkg/commands/scan/options.go b/pkg/commands/scan/options.go
@@ -17,6 +17,7 @@ import (
 )
 
 type options struct {
+	bindings      string
 	payload       string
 	preprocessors []string
 	policies      []string
@@ -48,6 +49,24 @@ func (c *options) run(cmd *cobra.Command, _ []string) error {
 		}
 		policies = filteredPolicies
 	}
+	var bindings map[string]any
+	if c.bindings != "" {
+		out.println("Loading bindings ...")
+		payload, err := payload.Load(c.bindings)
+		if err != nil {
+			return err
+		}
+		if payload != nil {
+			if m, ok := payload.(map[string]any); ok {
+				bindings = m
+				for key, value := range bindings {
+					out.println("-", key, "->", value)
+				}
+			} else {
+				return errors.New("bindings are not a map[string]any object")
+			}
+		}
+	}
 	out.println("Loading payload ...")
 	payload, err := payload.Load(c.payload)
 	if err != nil {
@@ -80,6 +99,7 @@ func (c *options) run(cmd *cobra.Command, _ []string) error {
 		responses = append(responses, e.Run(context.Background(), jsonengine.Request{
 			Resource: resource,
 			Policies: policies,
+			Bindings: bindings,
 		}))
 	}
 	for _, response := range responses {

diff --git a/pkg/json-engine/engine.go b/pkg/json-engine/engine.go
@@ -3,6 +3,7 @@ package jsonengine
 import (
 	"context"
 	"fmt"
+	"time"
 
 	jpbinding "github.com/jmespath-community/go-jmespath/pkg/binding"
 	"github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1"
@@ -16,6 +17,7 @@ import (
 type Request struct {
 	Resource any
 	Policies []*v1alpha1.ValidatingPolicy
+	Bindings map[string]any
 }
 
 type Response struct {
@@ -30,6 +32,7 @@ type PolicyResponse struct {
 
 type RuleResponse struct {
 	Rule       v1alpha1.ValidatingRule
+	Timestamp  time.Time
 	Identifier string
 	Error      error
 	Violations matching.Results
@@ -75,6 +78,7 @@ func New() engine.Engine[Request, Response] {
 				if err != nil {
 					return []RuleResponse{{
 						Rule:       r.rule,
+						Timestamp:  time.Now(),
 						Identifier: identifier,
 						Error:      err,
 					}}
@@ -89,6 +93,7 @@ func New() engine.Engine[Request, Response] {
 				if err != nil {
 					return []RuleResponse{{
 						Rule:       r.rule,
+						Timestamp:  time.Now(),
 						Identifier: identifier,
 						Error:      err,
 					}}
@@ -102,12 +107,14 @@ func New() engine.Engine[Request, Response] {
 			if err != nil {
 				return []RuleResponse{{
 					Rule:       r.rule,
+					Timestamp:  time.Now(),
 					Identifier: identifier,
 					Error:      err,
 				}}
 			}
 			return []RuleResponse{{
 				Rule:       r.rule,
+				Timestamp:  time.Now(),
 				Identifier: identifier,
 				Violations: violations,
 			}}
@@ -132,7 +139,11 @@ func New() engine.Engine[Request, Response] {
 			response := Response{
 				Resource: r.Resource,
 			}
-			bindings := jpbinding.NewBindings().Register("$payload", jpbinding.NewBinding(r.Resource))
+			bindings := jpbinding.NewBindings()
+			for k, v := range r.Bindings {
+				bindings = bindings.Register("$"+k, jpbinding.NewBinding(v))
+			}
+			bindings = bindings.Register("$payload", jpbinding.NewBinding(r.Resource))
 			for _, policy := range r.Policies {
 				response.Policies = append(response.Policies, policyEngine.Run(ctx, policyRequest{
 					policy:   policy,

diff --git a/test/commands/scan/bindings/bindings.yaml b/test/commands/scan/bindings/bindings.yaml
@@ -0,0 +1 @@
+foo: bar
diff --git a/test/commands/scan/bindings/out.txt b/test/commands/scan/bindings/out.txt
@@ -0,0 +1,8 @@
+Loading policies ...
+Loading bindings ...
+- foo -> bar
+Loading payload ...
+Pre processing ...
+Running ( evaluating 1 resource against 1 policy ) ...
+- test / foo-bar-4 /  PASSED
+Done
diff --git a/test/commands/scan/bindings/payload.yaml b/test/commands/scan/bindings/payload.yaml
@@ -0,0 +1,2 @@
+foo:
+  bar: 4
diff --git a/test/commands/scan/bindings/policy.yaml b/test/commands/scan/bindings/policy.yaml
@@ -0,0 +1,15 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: test
+spec:
+  rules:
+    - name: foo-bar-4
+      match:
+        all:
+        - ($foo): bar
+      assert:
+        all:
+        - check:
+            foo:
+              bar: 4
diff --git a/website/docs/cli/commands/kyverno-json_scan.md b/website/docs/cli/commands/kyverno-json_scan.md
@@ -13,6 +13,7 @@ kyverno-json scan [flags]
 ### Options
 
 ```
+      --bindings string       Bindings file (json or yaml file). Top level keys will be interpreted as bindings names.
   -h, --help                  help for scan
       --labels strings        Labels selectors for policies
       --output string         Output format (text or json) (default "text")