pepr 0.46.3 → 0.47.0-nightly.0

package/src/lib/filter/filter.ts

@@ -1,57 +1,30 @@
 // SPDX-License-Identifier: Apache-2.0
 // SPDX-FileCopyrightText: 2023-Present The Pepr Authors
 
-import { Binding } from "../types";
+import { AdjudicationResult, Binding } from "../types";
 import { Operation } from "../enums";
 import { KubernetesObject } from "kubernetes-fluent-client";
-import {
-  carriesIgnoredNamespace,
-  misboundDeleteWithDeletionTimestamp,
-  misboundNamespace,
-  missingCarriableNamespace,
-  unbindableNamespaces,
-  uncarryableNamespace,
-} from "./adjudicators/postCollection";
-import {
-  declaredOperation,
-  declaredGroup,
-  declaredVersion,
-  declaredKind,
-} from "./adjudicators/admissionRequest";
-import {
-  definedEvent,
-  definedName,
-  definedGroup,
-  definedVersion,
-  definedKind,
-  definedNamespaces,
-  definedLabels,
-  definedAnnotations,
-  definedNamespaceRegexes,
-  definedNameRegex,
-} from "./adjudicators/binding";
-import {
-  carriedName,
-  carriedNamespace,
-  carriedLabels,
-  carriedAnnotations,
-} from "./adjudicators/kubernetesObject";
-import {
-  mismatchedDeletionTimestamp,
-  mismatchedEvent,
-  mismatchedName,
-  mismatchedGroup,
-  mismatchedVersion,
-  mismatchedKind,
-  mismatchedNamespace,
-  mismatchedLabels,
-  mismatchedAnnotations,
-  mismatchedNamespaceRegex,
-  mismatchedNameRegex,
-} from "./adjudicators/mismatch";
 import { AdmissionRequest } from "../common-types";
+import {
+  adjudicateMisboundDeleteWithDeletionTimestamp,
+  adjudicateMismatchedDeletionTimestamp,
+  adjudicateMismatchedEvent,
+  adjudicateMismatchedName,
+  adjudicateMismatchedGroup,
+  adjudicateMismatchedVersion,
+  adjudicateMismatchedKind,
+  adjudicateUnbindableNamespaces,
+  adjudicateUncarryableNamespace,
+  adjudicateMismatchedNamespace,
+  adjudicateMismatchedLabels,
+  adjudicateMismatchedAnnotations,
+  adjudicateMismatchedNamespaceRegex,
+  adjudicateMismatchedNameRegex,
+  adjudicateCarriesIgnoredNamespace,
+  adjudicateMissingCarriableNamespace,
+  adjudicateMisboundNamespace,
+} from "./adjudication";
 
-type AdjudicationResult = string | null;
 type Adjudicator = () => AdjudicationResult;
 
 /**
@@ -142,150 +115,3 @@ export function filterNoMatchReason(
 
   return "";
 }
-
-export function adjudicateMisboundNamespace(binding: Binding): AdjudicationResult {
-  return misboundNamespace(binding) ? "Cannot use namespace filter on a namespace object." : null;
-}
-
-export function adjudicateMisboundDeleteWithDeletionTimestamp(
-  binding: Binding,
-): AdjudicationResult {
-  return misboundDeleteWithDeletionTimestamp(binding)
-    ? "Cannot use deletionTimestamp filter on a DELETE operation."
-    : null;
-}
-
-export function adjudicateMismatchedDeletionTimestamp(
-  binding: Binding,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return mismatchedDeletionTimestamp(binding, obj)
-    ? "Binding defines deletionTimestamp but Object does not carry it."
-    : null;
-}
-
-export function adjudicateMismatchedEvent(
-  binding: Binding,
-  req: AdmissionRequest,
-): AdjudicationResult {
-  return mismatchedEvent(binding, req)
-    ? `Binding defines event '${definedEvent(binding)}' but Request declares '${declaredOperation(req)}'.`
-    : null;
-}
-
-export function adjudicateMismatchedName(
-  binding: Binding,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return mismatchedName(binding, obj)
-    ? `Binding defines name '${definedName(binding)}' but Object carries '${carriedName(obj)}'.`
-    : null;
-}
-
-export function adjudicateMismatchedGroup(
-  binding: Binding,
-  req: AdmissionRequest,
-): AdjudicationResult {
-  return mismatchedGroup(binding, req)
-    ? `Binding defines group '${definedGroup(binding)}' but Request declares '${declaredGroup(req)}'.`
-    : null;
-}
-
-export function adjudicateMismatchedVersion(
-  binding: Binding,
-  req: AdmissionRequest,
-): AdjudicationResult {
-  return mismatchedVersion(binding, req)
-    ? `Binding defines version '${definedVersion(binding)}' but Request declares '${declaredVersion(req)}'.`
-    : null;
-}
-
-export function adjudicateMismatchedKind(
-  binding: Binding,
-  req: AdmissionRequest,
-): AdjudicationResult {
-  return mismatchedKind(binding, req)
-    ? `Binding defines kind '${definedKind(binding)}' but Request declares '${declaredKind(req)}'.`
-    : null;
-}
-
-export function adjudicateUnbindableNamespaces(
-  capabilityNamespaces: string[],
-  binding: Binding,
-): AdjudicationResult {
-  return unbindableNamespaces(capabilityNamespaces, binding)
-    ? `Binding defines namespaces ${JSON.stringify(definedNamespaces(binding))} but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
-    : null;
-}
-
-export function adjudicateUncarryableNamespace(
-  capabilityNamespaces: string[],
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return uncarryableNamespace(capabilityNamespaces, obj)
-    ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
-    : null;
-}
-
-export function adjudicateMismatchedNamespace(
-  binding: Binding,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return mismatchedNamespace(binding, obj)
-    ? `Binding defines namespaces '${JSON.stringify(definedNamespaces(binding))}' but Object carries '${carriedNamespace(obj)}'.`
-    : null;
-}
-
-export function adjudicateMismatchedLabels(
-  binding: Binding,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return mismatchedLabels(binding, obj)
-    ? `Binding defines labels '${JSON.stringify(definedLabels(binding))}' but Object carries '${JSON.stringify(carriedLabels(obj))}'.`
-    : null;
-}
-
-export function adjudicateMismatchedAnnotations(
-  binding: Binding,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return mismatchedAnnotations(binding, obj)
-    ? `Binding defines annotations '${JSON.stringify(definedAnnotations(binding))}' but Object carries '${JSON.stringify(carriedAnnotations(obj))}'.`
-    : null;
-}
-
-export function adjudicateMismatchedNamespaceRegex(
-  binding: Binding,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return mismatchedNamespaceRegex(binding, obj)
-    ? `Binding defines namespace regexes '${JSON.stringify(definedNamespaceRegexes(binding))}' but Object carries '${carriedNamespace(obj)}'.`
-    : null;
-}
-
-export function adjudicateMismatchedNameRegex(
-  binding: Binding,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return mismatchedNameRegex(binding, obj)
-    ? `Binding defines name regex '${definedNameRegex(binding)}' but Object carries '${carriedName(obj)}'.`
-    : null;
-}
-
-export function adjudicateCarriesIgnoredNamespace(
-  ignoredNamespaces: string[] | undefined,
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return carriesIgnoredNamespace(ignoredNamespaces, obj)
-    ? `Object carries namespace '${obj.kind && obj.kind === "Namespace" ? obj.metadata?.name : carriedNamespace(obj)}' but ignored namespaces include '${JSON.stringify(ignoredNamespaces)}'.`
-    : null;
-}
-
-export function adjudicateMissingCarriableNamespace(
-  capabilityNamespaces: string[],
-  obj: KubernetesObject,
-): AdjudicationResult {
-  return missingCarriableNamespace(capabilityNamespaces, obj)
-    ? `Object does not carry a namespace but namespaces allowed by Capability are '${JSON.stringify(capabilityNamespaces)}'.`
-    : null;
-}

package/src/lib/processors/validate-processor.ts

@@ -41,6 +41,11 @@ export async function processRequest(
       };
     }
 
+    // Transfer any warnings from the callback response to the validation response
+    if (callbackResp.warnings && callbackResp.warnings.length > 0) {
+      valResp.warnings = callbackResp.warnings;
+    }
+
     Log.info(
       actionMetadata,
       `Validation action complete (${label}): ${callbackResp.allowed ? "allowed" : "denied"}`,

package/src/lib/types.ts

@@ -308,3 +308,4 @@ export type PeprModuleOptions = {
   /** A user-defined callback to post-process or intercept a Pepr response just before it is returned to K8s */
   afterHook?: (res: MutateResponse | ValidateResponse) => void;
 }; // Track if this is a watch mode controller
+export type AdjudicationResult = string | null;

package/src/lib/validate-request.ts

@@ -6,8 +6,8 @@
 import { KubernetesObject } from "kubernetes-fluent-client";
 
 import { clone } from "ramda";
-import { Operation } from "./enums";
 import { AdmissionRequest, ValidateActionResponse } from "./common-types";
+import { Operation } from "./enums";
 
 /**
  * The RequestWrapper class provides methods to modify Kubernetes objects in the context
@@ -79,9 +79,10 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    *
    * @returns The validation response.
    */
-  Approve = (): ValidateActionResponse => {
+  Approve = (warnings?: string[]): ValidateActionResponse => {
     return {
       allowed: true,
+      warnings,
     };
   };
 
@@ -92,11 +93,16 @@ export class PeprValidateRequest<T extends KubernetesObject> {
    * @param statusCode Optional status code to return to the user.
    * @returns The validation response.
    */
-  Deny = (statusMessage?: string, statusCode?: number): ValidateActionResponse => {
+  Deny = (
+    statusMessage?: string,
+    statusCode?: number,
+    warnings?: string[],
+  ): ValidateActionResponse => {
     return {
       allowed: false,
       statusCode,
       statusMessage,
+      warnings,
     };
   };
 }

package/src/fixtures/data/admission-create-clusterrole.json

@@ -1,52 +0,0 @@
-{
-  "uid": "2ac28f03-c045-4af6-86f1-aa0007571863",
-  "kind": {
-    "group": "rbac.authorization.k8s.io",
-    "version": "v1",
-    "kind": "ClusterRole"
-  },
-  "resource": {
-    "group": "rbac.authorization.k8s.io",
-    "version": "v1",
-    "resource": "clusterroles"
-  },
-  "requestKind": {
-    "group": "rbac.authorization.k8s.io",
-    "version": "v1",
-    "kind": "ClusterRole"
-  },
-  "requestResource": {
-    "group": "rbac.authorization.k8s.io",
-    "version": "v1",
-    "resource": "clusterroles"
-  },
-  "name": "pod-creator",
-  "operation": "CREATE",
-  "userInfo": {
-    "username": "system:admin",
-    "groups": ["system:masters", "system:authenticated"]
-  },
-  "object": {
-    "kind": "ClusterRole",
-    "apiVersion": "rbac.authorization.k8s.io/v1",
-    "metadata": {
-      "name": "pod-creator",
-      "creationTimestamp": null
-    },
-    "rules": [
-      {
-        "verbs": ["create", "update", "patch"],
-        "apiGroups": [""],
-        "resources": ["pods"]
-      }
-    ]
-  },
-  "oldObject": null,
-  "dryRun": false,
-  "options": {
-    "kind": "CreateOptions",
-    "apiVersion": "meta.k8s.io/v1",
-    "fieldManager": "kubectl-create",
-    "fieldValidation": "Strict"
-  }
-}

package/src/fixtures/data/admission-create-deployment.json

@@ -1,93 +0,0 @@
-{
-  "uid": "501f5447-a028-4a3f-b4ac-fc56f3f78ffc",
-  "kind": {
-    "group": "apps",
-    "version": "v1",
-    "kind": "Deployment"
-  },
-  "resource": {
-    "group": "apps",
-    "version": "v1",
-    "resource": "deployments"
-  },
-  "requestKind": {
-    "group": "apps",
-    "version": "v1",
-    "kind": "Deployment"
-  },
-  "requestResource": {
-    "group": "apps",
-    "version": "v1",
-    "resource": "deployments"
-  },
-  "name": "lower",
-  "namespace": "pepr-demo",
-  "operation": "CREATE",
-  "userInfo": {
-    "username": "system:admin",
-    "groups": ["system:masters", "system:authenticated"]
-  },
-  "object": {
-    "kind": "Deployment",
-    "apiVersion": "apps/v1",
-    "metadata": {
-      "name": "lower",
-      "namespace": "pepr-demo",
-      "creationTimestamp": null,
-      "labels": {
-        "app": "lower"
-      }
-    },
-    "spec": {
-      "replicas": 3,
-      "selector": {
-        "matchLabels": {
-          "app": "lower"
-        }
-      },
-      "template": {
-        "metadata": {
-          "creationTimestamp": null,
-          "labels": {
-            "app": "lower"
-          }
-        },
-        "spec": {
-          "containers": [
-            {
-              "name": "nginx",
-              "image": "nginx",
-              "resources": {},
-              "terminationMessagePath": "/dev/termination-log",
-              "terminationMessagePolicy": "File",
-              "imagePullPolicy": "Always"
-            }
-          ],
-          "restartPolicy": "Always",
-          "terminationGracePeriodSeconds": 30,
-          "dnsPolicy": "ClusterFirst",
-          "securityContext": {},
-          "schedulerName": "default-scheduler"
-        }
-      },
-      "strategy": {
-        "type": "RollingUpdate",
-        "rollingUpdate": {
-          "maxUnavailable": "25%",
-          "maxSurge": "25%"
-        }
-      },
-      "revisionHistoryLimit": 10,
-      "progressDeadlineSeconds": 600
-    },
-    "status": {}
-  },
-  "oldObject": null,
-  "dryRun": false,
-  "options": {
-    "kind": "CreateOptions",
-    "apiVersion": "meta.k8s.io/v1",
-    "fieldManager": "kubectl-create",
-    "fieldValidation": "Strict"
-  }
-}

package/src/fixtures/data/admission-create-pod.json

@@ -1,272 +0,0 @@
-{
-  "uid": "af5c3d45-72b8-11eb-a3a3-0242ac130003",
-  "kind": {
-    "group": "",
-    "version": "v1",
-    "kind": "Pod"
-  },
-  "resource": {
-    "group": "",
-    "version": "v1",
-    "resource": "pods"
-  },
-  "subResource": "",
-  "name": "podinfo",
-  "namespace": "default",
-  "operation": "CREATE",
-  "userInfo": {
-    "username": "system:serviceaccount:kube-system:replicaset-controller",
-    "uid": "95c8f0ca-d31a-4d3f-9f27-9a2a2661ab3c",
-    "groups": [
-      "system:serviceaccounts",
-      "system:serviceaccounts:kube-system",
-      "system:authenticated"
-    ]
-  },
-  "oldObject": {},
-  "dryRun": false,
-  "options": null,
-  "object": {
-    "apiVersion": "v1",
-    "kind": "Pod",
-    "metadata": {
-      "annotations": {
-        "prometheus.io/port": "9898",
-        "prometheus.io/scrape": "true"
-      },
-      "creationTimestamp": "2023-03-07T07:48:13Z",
-      "generateName": "cool-name-podinfo-66bbff7cf4-",
-      "labels": {
-        "app.kubernetes.io/name": "cool-name-podinfo",
-        "pod-template-hash": "66bbff7cf4",
-        "zarf-agent": "patched",
-        "test-op": "create"
-      },
-      "name": "cool-name-podinfo-66bbff7cf4-fwhl2",
-      "namespace": "helm-releasename",
-      "ownerReferences": [
-        {
-          "apiVersion": "apps/v1",
-          "blockOwnerDeletion": true,
-          "controller": true,
-          "kind": "ReplicaSet",
-          "name": "cool-name-podinfo-66bbff7cf4",
-          "uid": "41d30484-6ccd-462b-b96a-e166095e3681"
-        }
-      ],
-      "resourceVersion": "46512",
-      "uid": "883303bc-e4b7-4fa8-a576-575cc4407201"
-    },
-    "spec": {
-      "containers": [
-        {
-          "command": [
-            "./podinfo",
-            "--port=9898",
-            "--cert-path=/data/cert",
-            "--port-metrics=9797",
-            "--grpc-port=9999",
-            "--grpc-service-name=podinfo",
-            "--level=info",
-            "--random-delay=false",
-            "--random-error=false"
-          ],
-          "env": [
-            {
-              "name": "PODINFO_UI_COLOR",
-              "value": "#34577c"
-            }
-          ],
-          "image": "127.0.0.1:31999/stefanprodan/podinfo-2985051089:6.1.6",
-          "imagePullPolicy": "IfNotPresent",
-          "livenessProbe": {
-            "exec": {
-              "command": ["podcli", "check", "http", "localhost:9898/healthz"]
-            },
-            "failureThreshold": 3,
-            "initialDelaySeconds": 1,
-            "periodSeconds": 10,
-            "successThreshold": 1,
-            "timeoutSeconds": 5
-          },
-          "name": "podinfo",
-          "ports": [
-            {
-              "containerPort": 9898,
-              "name": "http",
-              "protocol": "TCP"
-            },
-            {
-              "containerPort": 9797,
-              "name": "http-metrics",
-              "protocol": "TCP"
-            },
-            {
-              "containerPort": 9999,
-              "name": "grpc",
-              "protocol": "TCP"
-            }
-          ],
-          "readinessProbe": {
-            "exec": {
-              "command": ["podcli", "check", "http", "localhost:9898/readyz"]
-            },
-            "failureThreshold": 3,
-            "initialDelaySeconds": 1,
-            "periodSeconds": 10,
-            "successThreshold": 1,
-            "timeoutSeconds": 5
-          },
-          "resources": {
-            "requests": {
-              "cpu": "1m",
-              "memory": "16Mi"
-            }
-          },
-          "terminationMessagePath": "/dev/termination-log",
-          "terminationMessagePolicy": "File",
-          "volumeMounts": [
-            {
-              "mountPath": "/data",
-              "name": "data"
-            },
-            {
-              "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
-              "name": "kube-api-access-vn9dc",
-              "readOnly": true
-            }
-          ]
-        }
-      ],
-      "dnsPolicy": "ClusterFirst",
-      "enableServiceLinks": true,
-      "imagePullSecrets": [
-        {
-          "name": "private-registry"
-        }
-      ],
-      "nodeName": "k3d-k3s-default-server-0",
-      "preemptionPolicy": "PreemptLowerPriority",
-      "priority": 0,
-      "restartPolicy": "Always",
-      "schedulerName": "default-scheduler",
-      "securityContext": {},
-      "serviceAccount": "default",
-      "serviceAccountName": "default",
-      "terminationGracePeriodSeconds": 30,
-      "tolerations": [
-        {
-          "effect": "NoExecute",
-          "key": "node.kubernetes.io/not-ready",
-          "operator": "Exists",
-          "tolerationSeconds": 300
-        },
-        {
-          "effect": "NoExecute",
-          "key": "node.kubernetes.io/unreachable",
-          "operator": "Exists",
-          "tolerationSeconds": 300
-        }
-      ],
-      "volumes": [
-        {
-          "emptyDir": {},
-          "name": "data"
-        },
-        {
-          "name": "kube-api-access-vn9dc",
-          "projected": {
-            "defaultMode": 420,
-            "sources": [
-              {
-                "serviceAccountToken": {
-                  "expirationSeconds": 3607,
-                  "path": "token"
-                }
-              },
-              {
-                "configMap": {
-                  "items": [
-                    {
-                      "key": "ca.crt",
-                      "path": "ca.crt"
-                    }
-                  ],
-                  "name": "kube-root-ca.crt"
-                }
-              },
-              {
-                "downwardAPI": {
-                  "items": [
-                    {
-                      "fieldRef": {
-                        "apiVersion": "v1",
-                        "fieldPath": "metadata.namespace"
-                      },
-                      "path": "namespace"
-                    }
-                  ]
-                }
-              }
-            ]
-          }
-        }
-      ]
-    },
-    "status": {
-      "conditions": [
-        {
-          "lastProbeTime": null,
-          "lastTransitionTime": "2023-03-07T07:48:13Z",
-          "status": "True",
-          "type": "Initialized"
-        },
-        {
-          "lastProbeTime": null,
-          "lastTransitionTime": "2023-03-07T07:48:16Z",
-          "status": "True",
-          "type": "Ready"
-        },
-        {
-          "lastProbeTime": null,
-          "lastTransitionTime": "2023-03-07T07:48:16Z",
-          "status": "True",
-          "type": "ContainersReady"
-        },
-        {
-          "lastProbeTime": null,
-          "lastTransitionTime": "2023-03-07T07:48:13Z",
-          "status": "True",
-          "type": "PodScheduled"
-        }
-      ],
-      "containerStatuses": [
-        {
-          "containerID": "containerd://81b20dafbf2498a52c8ab46fa1e95ce25c06271684e590a377ee4ac9fd2a85ee",
-          "image": "127.0.0.1:31999/stefanprodan/podinfo-2985051089:6.1.6",
-          "imageID": "127.0.0.1:31999/stefanprodan/podinfo-2985051089@sha256:1f1fb2d1bfadac8a487106ea62b2b582bedc83fe17b3332dffe9151dfc820742",
-          "lastState": {},
-          "name": "podinfo",
-          "ready": true,
-          "restartCount": 0,
-          "started": true,
-          "state": {
-            "running": {
-              "startedAt": "2023-03-07T07:48:14Z"
-            }
-          }
-        }
-      ],
-      "hostIP": "172.19.0.3",
-      "phase": "Running",
-      "podIP": "10.42.0.26",
-      "podIPs": [
-        {
-          "ip": "10.42.0.26"
-        }
-      ],
-      "qosClass": "Burstable",
-      "startTime": "2023-03-07T07:48:13Z"
-    }
-  }
-}