pepr 0.18.1 → 0.20.1

package/package.json

@@ -9,7 +9,7 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "version": "0.18.1",
+  "version": "0.20.1",
   "main": "dist/lib.js",
   "types": "dist/lib.d.ts",
   "scripts": {
@@ -33,8 +33,8 @@
     "express": "4.18.2",
     "fast-json-patch": "3.1.1",
     "kubernetes-fluent-client": "1.9.0",
-    "pino": "8.16.2",
-    "pino-pretty": "10.2.3",
+    "pino": "8.17.1",
+    "pino-pretty": "10.3.0",
     "prom-client": "15.0.0",
     "ramda": "0.29.1"
   },
@@ -42,7 +42,7 @@
     "@commitlint/cli": "18.4.3",
     "@commitlint/config-conventional": "18.4.3",
     "@jest/globals": "29.7.0",
-    "@types/eslint": "8.44.8",
+    "@types/eslint": "8.44.9",
     "@types/express": "4.17.21",
     "@types/node": "18.x.x",
     "@types/node-forge": "1.3.10",

package/src/cli.ts

@@ -8,6 +8,7 @@ import build from "./cli/build";
 import deploy from "./cli/deploy";
 import dev from "./cli/dev";
 import format from "./cli/format";
+import monitor from "./cli/monitor";
 import init from "./cli/init/index";
 import { version } from "./cli/init/templates";
 import { RootCmd } from "./cli/root";
@@ -39,5 +40,6 @@ deploy(program);
 dev(program);
 update(program);
 format(program);
+monitor(program);
 
 program.parse();

package/src/lib/assets/index.ts

@@ -6,15 +6,19 @@ import crypto from "crypto";
 import { ModuleConfig } from "../module";
 import { TLSOut, genTLS } from "../tls";
 import { CapabilityExport } from "../types";
+import { WebhookIgnore } from "../k8s";
 import { deploy } from "./deploy";
 import { loadCapabilities } from "./loader";
 import { allYaml, zarfYaml } from "./yaml";
+import { namespaceComplianceValidator } from "../helpers";
 
 export class Assets {
   readonly name: string;
   readonly tls: TLSOut;
   readonly apiToken: string;
+  readonly alwaysIgnore!: WebhookIgnore;
   capabilities!: CapabilityExport[];
+
   image: string;
 
   constructor(
@@ -23,7 +27,7 @@ export class Assets {
     readonly host?: string,
   ) {
     this.name = `pepr-${config.uuid}`;
-
+    this.alwaysIgnore = config.alwaysIgnore;
     this.image = `ghcr.io/defenseunicorns/pepr/controller:v${config.peprVersion}`;
 
     // Generate the ephemeral tls things
@@ -42,6 +46,11 @@ export class Assets {
 
   allYaml = async (rbacMode: string) => {
     this.capabilities = await loadCapabilities(this.path);
+    // give error if namespaces are not respected
+    for (const capability of this.capabilities) {
+      namespaceComplianceValidator(capability, this.alwaysIgnore.namespaces);
+    }
+
     return allYaml(this, rbacMode);
   };
 }

package/src/lib/assets/networking.ts

@@ -43,10 +43,14 @@ export function service(name: string): kind.Service {
     metadata: {
       name,
       namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "admission",
+      },
     },
     spec: {
       selector: {
         app: name,
+        "pepr.dev/controller": "admission",
       },
       ports: [
         {
@@ -65,10 +69,14 @@ export function watcherService(name: string): kind.Service {
     metadata: {
       name: `${name}-watcher`,
       namespace: "pepr-system",
+      labels: {
+        "pepr.dev/controller": "watcher",
+      },
     },
     spec: {
       selector: {
         app: `${name}-watcher`,
+        "pepr.dev/controller": "watcher",
       },
       ports: [
         {

package/src/lib/assets/pods.ts

@@ -1,10 +1,12 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
+import { V1EnvVar } from "@kubernetes/client-node";
 import { kind } from "kubernetes-fluent-client";
 import { gzipSync } from "zlib";
 
 import { Assets } from ".";
+import { ModuleConfig } from "../module";
 import { Binding } from "../types";
 
 /** Generate the pepr-system namespace */
@@ -45,6 +47,7 @@ export function watcher(assets: Assets, hash: string) {
       namespace: "pepr-system",
       labels: {
         app,
+        "pepr.dev/controller": "watcher",
       },
     },
     spec: {
@@ -55,12 +58,14 @@ export function watcher(assets: Assets, hash: string) {
       selector: {
         matchLabels: {
           app,
+          "pepr.dev/controller": "watcher",
         },
       },
       template: {
         metadata: {
           labels: {
             app,
+            "pepr.dev/controller": "watcher",
           },
         },
         spec: {
@@ -112,11 +117,7 @@ export function watcher(assets: Assets, hash: string) {
                   readOnly: true,
                 },
               ],
-              env: [
-                { name: "PEPR_WATCH_MODE", value: "true" },
-                { name: "PEPR_PRETTY_LOG", value: "false" },
-                { name: "LOG_LEVEL", value: config.logLevel || "debug" },
-              ],
+              env: genEnv(config, true),
             },
           ],
           volumes: [
@@ -151,6 +152,7 @@ export function deployment(assets: Assets, hash: string): kind.Deployment {
       namespace: "pepr-system",
       labels: {
         app,
+        "pepr.dev/controller": "admission",
       },
     },
     spec: {
@@ -158,12 +160,14 @@ export function deployment(assets: Assets, hash: string): kind.Deployment {
       selector: {
         matchLabels: {
           app,
+          "pepr.dev/controller": "admission",
         },
       },
       template: {
         metadata: {
           labels: {
             app,
+            "pepr.dev/controller": "admission",
           },
         },
         spec: {
@@ -204,10 +208,7 @@ export function deployment(assets: Assets, hash: string): kind.Deployment {
                   cpu: "500m",
                 },
               },
-              env: [
-                { name: "PEPR_PRETTY_LOG", value: "false" },
-                { name: "LOG_LEVEL", value: config.logLevel || "debug" },
-              ],
+              env: genEnv(config),
               volumeMounts: [
                 {
                   name: "tls-certs",
@@ -270,3 +271,19 @@ export function moduleSecret(name: string, data: Buffer, hash: string): kind.Sec
     },
   };
 }
+
+function genEnv(config: ModuleConfig, watchMode = false): V1EnvVar[] {
+  const env = [
+    { name: "PEPR_WATCH_MODE", value: watchMode ? "true" : "false" },
+    { name: "PEPR_PRETTY_LOG", value: "false" },
+    { name: "LOG_LEVEL", value: config.logLevel || "debug" },
+  ];
+
+  if (config.env) {
+    for (const [name, value] of Object.entries(config.env)) {
+      env.push({ name, value });
+    }
+  }
+
+  return env;
+}

package/src/lib/assets/webhooks.ts

@@ -129,7 +129,7 @@ export async function webhookConfig(
         name: `${name}.pepr.dev`,
         admissionReviewVersions: ["v1", "v1beta1"],
         clientConfig,
-        failurePolicy: "Ignore",
+        failurePolicy: config.onError === "reject" ? "Fail" : "Ignore",
         matchPolicy: "Equivalent",
         timeoutSeconds,
         namespaceSelector: {

package/src/lib/controller/index.ts

@@ -13,6 +13,7 @@ import { ModuleConfig, isWatchMode } from "../module";
 import { mutateProcessor } from "../mutate-processor";
 import { validateProcessor } from "../validate-processor";
 import { PeprControllerStore } from "./store";
+import { ResponseItem } from "../types";
 
 export class Controller {
   // Track whether the server is running
@@ -233,34 +234,40 @@ export class Controller {
         const responseList: ValidateResponse[] | MutateResponse[] = Array.isArray(response) ? response : [response];
         responseList.map(res => {
           this.#afterHook && this.#afterHook(res);
+          // Log the response
+          Log.debug({ ...reqMetadata, res }, "Check response");
         });
 
-        // Log the response
-        Log.debug({ ...reqMetadata, response }, "Outgoing response");
+        let kubeAdmissionResponse: ValidateResponse[] | MutateResponse | ResponseItem;
 
         if (admissionKind === "Mutate") {
+          kubeAdmissionResponse = response;
+          Log.debug({ ...reqMetadata, response }, "Outgoing response");
           res.send({
             apiVersion: "admission.k8s.io/v1",
             kind: "AdmissionReview",
-            response,
+            response: kubeAdmissionResponse,
           });
         } else {
+          kubeAdmissionResponse = {
+            uid: responseList[0].uid,
+            allowed: responseList.filter(r => !r.allowed).length === 0,
+            status: {
+              message: (responseList as ValidateResponse[])
+                .filter(rl => !rl.allowed)
+                .map(curr => curr.status?.message)
+                .join("; "),
+            },
+          };
           res.send({
             apiVersion: "admission.k8s.io/v1",
             kind: "AdmissionReview",
-            response: {
-              uid: responseList[0].uid,
-              allowed: responseList.filter(r => !r.allowed).length === 0,
-              status: {
-                message: (responseList as ValidateResponse[])
-                  .filter(rl => !rl.allowed)
-                  .map(curr => curr.status?.message)
-                  .join("; "),
-              },
-            },
+            response: kubeAdmissionResponse,
           });
         }
 
+        Log.debug({ ...reqMetadata, kubeAdmissionResponse }, "Outgoing response");
+
         this.#metricsCollector.observeEnd(startTime, admissionKind);
       } catch (err) {
         Log.error(err);

package/src/lib/controller/store.ts

@@ -31,7 +31,7 @@ export class PeprControllerStore {
       for (const { name, registerScheduleStore, hasSchedule } of capabilities) {
         // Guard Clause to exit  early
         if (hasSchedule !== true) {
-          return;
+          continue;
         }
         // Register the scheduleStore with the capability
         const { scheduleStore } = registerScheduleStore();

package/src/lib/helpers.ts

@@ -50,3 +50,72 @@ export async function createDirectoryIfNotExists(path: string) {
     }
   }
 }
+
+export function hasEveryOverlap<T>(array1: T[], array2: T[]): boolean {
+  if (!Array.isArray(array1) || !Array.isArray(array2)) {
+    return false;
+  }
+
+  return array1.every(element => array2.includes(element));
+}
+
+export function hasAnyOverlap<T>(array1: T[], array2: T[]): boolean {
+  if (!Array.isArray(array1) || !Array.isArray(array2)) {
+    return false;
+  }
+
+  return array1.some(element => array2.includes(element));
+}
+
+export function ignoredNamespaceConflict(ignoreNamespaces: string[], bindingNamespaces: string[]) {
+  return hasAnyOverlap(bindingNamespaces, ignoreNamespaces);
+}
+
+export function bindingAndCapabilityNSConflict(bindingNamespaces: string[], capabilityNamespaces: string[]) {
+  if (!capabilityNamespaces) {
+    return false;
+  }
+  return capabilityNamespaces.length !== 0 && !hasEveryOverlap(bindingNamespaces, capabilityNamespaces);
+}
+
+export function generateWatchNamespaceError(
+  ignoredNamespaces: string[],
+  bindingNamespaces: string[],
+  capabilityNamespaces: string[],
+) {
+  let err = "";
+
+  // check if binding uses an ignored namespace
+  if (ignoredNamespaceConflict(ignoredNamespaces, bindingNamespaces)) {
+    err += `Binding uses a Pepr ignored namespace: ignoredNamespaces: [${ignoredNamespaces.join(
+      ", ",
+    )}] bindingNamespaces: [${bindingNamespaces.join(", ")}].`;
+  }
+
+  // ensure filter namespaces are part of capability namespaces
+  if (bindingAndCapabilityNSConflict(bindingNamespaces, capabilityNamespaces)) {
+    err += `Binding uses namespace not governed by capability: bindingNamespaces: [${bindingNamespaces.join(
+      ", ",
+    )}] capabilityNamespaces:$[${capabilityNamespaces.join(", ")}].`;
+  }
+
+  // add a space if there is a period in the middle of the string
+  return err.replace(/\.([^ ])/g, ". $1");
+}
+
+// namespaceComplianceValidator ensures that capability bindinds respect ignored and capability namespaces
+export function namespaceComplianceValidator(capability: CapabilityExport, ignoredNamespaces?: string[]) {
+  const { namespaces: capabilityNamespaces, bindings, name } = capability;
+  const bindingNamespaces = bindings.flatMap(binding => binding.filters.namespaces);
+
+  const namespaceError = generateWatchNamespaceError(
+    ignoredNamespaces ? ignoredNamespaces : [],
+    bindingNamespaces,
+    capabilityNamespaces ? capabilityNamespaces : [],
+  );
+  if (namespaceError !== "") {
+    throw new Error(
+      `Error in ${name} capability. A binding violates namespace rules. Please check ignoredNamespaces and capability namespaces: ${namespaceError}`,
+    );
+  }
+}

package/src/lib/module-helpers.ts

@@ -0,0 +1,27 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: 2023-Present The Pepr Authors
+
+import { PeprValidateRequest } from "./validate-request";
+import { PeprMutateRequest } from "./mutate-request";
+import { a } from "../lib";
+
+// Returns all containers in the pod
+export function containers(
+  request: PeprValidateRequest<a.Pod> | PeprMutateRequest<a.Pod>,
+  containerType?: "containers" | "initContainers" | "ephemeralContainers",
+) {
+  const containers = request.Raw.spec?.containers || [];
+  const initContainers = request.Raw.spec?.initContainers || [];
+  const ephemeralContainers = request.Raw.spec?.ephemeralContainers || [];
+
+  if (containerType === "containers") {
+    return containers;
+  }
+  if (containerType === "initContainers") {
+    return initContainers;
+  }
+  if (containerType === "ephemeralContainers") {
+    return ephemeralContainers;
+  }
+  return [...containers, ...initContainers, ...ephemeralContainers];
+}

package/src/lib/module.ts

@@ -28,6 +28,8 @@ export type ModuleConfig = {
   alwaysIgnore: WebhookIgnore;
   /** Define the log level for the in-cluster controllers */
   logLevel?: string;
+  /** Propagate env variables to in-cluster controllers */
+  env?: Record<string, string>;
 };
 
 export type PackageJSON = {

package/src/lib/types.ts

@@ -7,6 +7,16 @@ import { WatchAction } from "kubernetes-fluent-client/dist/fluent/types";
 import { PeprMutateRequest } from "./mutate-request";
 import { PeprValidateRequest } from "./validate-request";
 
+/**
+ * Specifically for parsing logs in monitor mode
+ */
+export interface ResponseItem {
+  uid?: string;
+  allowed: boolean;
+  status: {
+    message: string;
+  };
+}
 /**
  * Recursively make all properties in T optional.
  */

package/src/lib.ts

@@ -7,6 +7,7 @@ import { PeprModule } from "./lib/module";
 import { PeprMutateRequest } from "./lib/mutate-request";
 import * as PeprUtils from "./lib/utils";
 import { PeprValidateRequest } from "./lib/validate-request";
+import { containers } from "./lib/module-helpers";
 
 export {
   Capability,
@@ -22,4 +23,5 @@ export {
   fetch,
   fetchStatus,
   kind,
+  containers,
 };