Enable a simple image policy admission controller

Start adding policy and rules

Author: smarterclayton

pkg/cmd/server/api/install/install.go

@@ -13,6 +13,7 @@ import (
 
 	_ "github.com/openshift/origin/pkg/build/admission/defaults/api/install"
 	_ "github.com/openshift/origin/pkg/build/admission/overrides/api/install"
+	_ "github.com/openshift/origin/pkg/image/admission/imagepolicy/api/install"
 	_ "github.com/openshift/origin/pkg/project/admission/requestlimit/api/install"
 	_ "github.com/openshift/origin/pkg/quota/admission/clusterresourceoverride/api/install"
 	_ "github.com/openshift/origin/pkg/quota/admission/runonceduration/api/install"

pkg/cmd/server/origin/master_config.go

@@ -324,6 +324,7 @@ var (
 		overrideapi.PluginName,
 		serviceadmit.ExternalIPPluginName,
 		serviceadmit.RestrictedEndpointsPluginName,
+		imagepolicy.PluginName,
 		"LimitRanger",
 		"ServiceAccount",
 		"SecurityContextConstraint",
@@ -356,6 +357,7 @@ var (
 		overrideapi.PluginName,
 		serviceadmit.ExternalIPPluginName,
 		serviceadmit.RestrictedEndpointsPluginName,
+		imagepolicy.PluginName,
 		"LimitRanger",
 		"ServiceAccount",
 		"SecurityContextConstraint",

pkg/cmd/server/start/admission.go

@@ -12,6 +12,7 @@ import (
 	_ "github.com/openshift/origin/pkg/build/admission/overrides"
 	_ "github.com/openshift/origin/pkg/build/admission/strategyrestrictions"
 	_ "github.com/openshift/origin/pkg/image/admission"
+	_ "github.com/openshift/origin/pkg/image/admission/imagepolicy"
 	_ "github.com/openshift/origin/pkg/project/admission/lifecycle"
 	_ "github.com/openshift/origin/pkg/project/admission/nodeenv"
 	_ "github.com/openshift/origin/pkg/project/admission/requestlimit"

pkg/image/admission/imagepolicy/api/install/install.go

@@ -0,0 +1,41 @@
+package install
+
+import (
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/api/unversioned"
+
+	configapi "github.com/openshift/origin/pkg/cmd/server/api"
+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api"
+	"github.com/openshift/origin/pkg/image/admission/imagepolicy/api/v1"
+)
+
+// availableVersions lists all known external versions for this group from most preferred to least preferred
+var availableVersions = []unversioned.GroupVersion{v1.SchemeGroupVersion}
+
+func init() {
+	if err := enableVersions(availableVersions); err != nil {
+		panic(err)
+	}
+}
+
+// TODO: enableVersions should be centralized rather than spread in each API group.
+func enableVersions(externalVersions []unversioned.GroupVersion) error {
+	addVersionsToScheme(externalVersions...)
+	return nil
+}
+
+func addVersionsToScheme(externalVersions ...unversioned.GroupVersion) {
+	// add the internal version to Scheme
+	api.AddToScheme(configapi.Scheme)
+	// add the enabled external versions to Scheme
+	for _, v := range externalVersions {
+		switch v {
+		case v1.SchemeGroupVersion:
+			v1.AddToScheme(configapi.Scheme)
+		default:
+			glog.Errorf("Version %s is not known, so it will not be added to the Scheme.", v)
+			continue
+		}
+	}
+}

pkg/image/admission/imagepolicy/api/name.go

@@ -0,0 +1,4 @@
+package api
+
+const PluginName = "ImagePolicy"
+const ConfigKind = "ImagePolicyConfig"

pkg/image/admission/imagepolicy/api/register.go

@@ -0,0 +1,17 @@
+package api
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: runtime.APIVersionInternal}
+
+// Adds the list of known types to api.Scheme.
+func AddToScheme(scheme *runtime.Scheme) {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ImagePolicyConfig{},
+	)
+}
+
+func (obj *ImagePolicyConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

pkg/image/admission/imagepolicy/api/types.go

@@ -0,0 +1,129 @@
+package api
+
+import (
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+)
+
+// ImagePolicyConfig is the configuration for controlling how images are used in the cluster.
+type ImagePolicyConfig struct {
+	unversioned.TypeMeta
+
+	// ExecutionRules determine whether the use of an image is allowed in an object with a pod spec.
+	// By default, these rules only apply to pods, but may be extended to other resource types.
+	ExecutionRules []ImageExecutionPolicyRule
+	// ConsumptionRules are applied when creating resources with pod specs.
+	ConsumptionRules []ImageConsumptionPolicyRule
+	// PlacementRules are applied when creating resources with pod specs.
+	PlacementRules []ImagePlacementPolicyRule
+
+	// Everyone except cluster admins or platform infra must use an image from the registry
+	// Content in this namespace must use an image from the registry
+	// Images with a certain annotation/label must be run on these nodes
+	// Using this image consumes a certain amount of resource
+	// Images cannot be run or imported unless they come from these registries (unless the user is an admin)
+	// Images with/without these annotations/labels cannot be run (except in certain namespaces)
+	// Image cannot be tagged with/without these labels
+	// Images that are not signed by the listed authorities cannot be run (cert not expired)
+	// Unsigned images may not be run on the following nodes
+
+	// Enforce/Relax by namespace, labels, user permission
+	// Actions: Create pod, Tag image, Import image (ISM), Mutate pod (node selector, resources)
+	//   Add a resource to pod / container (for the image, this is not resource auto-sizing)
+	//   Add a node selector constraint
+	// Require a permission check on the service account / current user to tag / create an image
+
+	// Pods with this annotation / label should consume one resource increment (per container / per pod)
+	//
+}
+
+// ImagePlacementPolicyRule, when matching an image, applies the provided tolerations or taints.
+type ImagePlacementPolicyRule struct {
+	ImageSourceRule
+
+	Constrain []ConstrainPodNodeSelectorEffect
+	Tolerate  []TolerateNodeSelectorEffect
+}
+
+type ConstrainPodNodeSelectorEffect struct {
+	Add map[string]string
+}
+
+type TolerateNodeSelectorEffect struct {
+	Add api.Toleration
+}
+
+// ImageConsumptionPolicyRule, when matching an image, adds a counted resource to the object.
+type ImageConsumptionPolicyRule struct {
+	ImageSourceRule
+
+	Add []ConsumeResourceEffect
+}
+
+type ConsumeResourceEffect struct {
+	// Name is the name of a quantity to set on each matching container.
+	// May not be specified if NameFromImageAnnotation or NameFromDockerImageLabel is set.
+	Name string
+	// NameFromImageAnnotation is the name of an image annotation to use to set the name of the resource
+	// quantity on each matching container.
+	// May not be specified if Name or NameFromDockerImageLabel is set.
+	NameFromImageAnnotation string
+	// NameFromDockerImageLabel is the name of a docker image label to use to set the name of the resource
+	// quantity on each matching container.
+	// May not be specified if Name or NameFromImageAnnotation is set.
+	NameFromDockerImageLabel string
+
+	// Quantity is the amount of quantity to set
+	Quantity string
+	// QuantityFromImageAnnotation is the key on an image annotation to use for the value of this resource.
+	// If this value is specified and no annotation is found, the value of Quantity is used instead.
+	QuantityFromImageAnnotation string
+	// QuantityFromDockerImageLabel is the key on a docker image label to use for the value of this resource.
+	// If this value is specified and no annotation is found, the value of Quantity is used instead.
+	QuantityFromDockerImageLabel string
+}
+
+type ImageExecutionPolicyRule struct {
+	ImageSourceRule
+
+	// Deny indicates this rule is inverted and a match results in a rejection
+	Deny bool
+
+	// Resolve indicates that images referenced by this resource must be resolved
+	Resolve bool
+}
+
+// ImageSourceRule defines the conditions for matching a particular image source. The conditions below
+// are all required (logical AND)
+type ImageSourceRule struct {
+	// Name is the name of this policy rule for reference. It must be unique across all rules.
+	Name string
+	// OnResources determines which resources this applies to. Defaults to 'pods' for RuntimeSourceRules.
+	OnResources []string
+	// IgnoreNamespaceOverride prevents this rule from being overriden when the
+	// `alpha.image.policy.openshift.io/ignore-rules` is set on a namespace and contains this rule name.
+	IgnoreNamespaceOverride bool
+
+	MatchIntegratedRegistry bool
+	MatchRegistries         []string
+
+	// AllowResolutionFailure allows the subsequent rules to be bypassed if the integrated registry does
+	// not have access to image metadata (no image exists matching the image digest).
+	AllowResolutionFailure bool
+
+	MatchDockerImageLabels []ValueMatch
+	MatchImageLabels       []ValueMatch
+	MatchImageAnnotations  []ValueMatch
+	MatchSignatures        []SignatureMatch
+}
+
+type ValueMatch struct {
+	Key string
+
+	// One of the following conditions must apply
+	Set   bool
+	Value string
+}
+
+type SignatureMatch struct {
+}

pkg/image/admission/imagepolicy/api/v1/register.go

@@ -0,0 +1,27 @@
+package v1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/runtime"
+)
+
+// SchemeGroupVersion is group version used to register these objects
+var SchemeGroupVersion = unversioned.GroupVersion{Group: "", Version: "v1"}
+
+// Adds the list of known types to api.Scheme.
+func AddToScheme(scheme *runtime.Scheme) {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&ImagePolicyConfig{},
+	)
+	scheme.AddDefaultingFuncs(
+		func(c *ImagePolicyConfig) {
+			for i := range c.ExecutionRules {
+				if len(c.ExecutionRules[i].OnResources) == 0 {
+					c.ExecutionRules[i].OnResources = []string{"pods"}
+				}
+			}
+		},
+	)
+}
+
+func (obj *ImagePolicyConfig) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }

pkg/image/admission/imagepolicy/api/v1/types.go

@@ -0,0 +1,129 @@
+package v1
+
+import (
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/api/v1"
+)
+
+// ImagePolicyConfig is the configuration for control of images running on the platform.
+type ImagePolicyConfig struct {
+	unversioned.TypeMeta `json:",inline"`
+
+	// ExecutionRules determine whether the use of an image is allowed in an object with a pod spec.
+	// By default, these rules only apply to pods, but may be extended to other resource types.
+	ExecutionRules []ImageExecutionPolicyRule `json:"executionRules"`
+	// ConsumptionRules are applied when creating resources with pod specs.
+	ConsumptionRules []ImageConsumptionPolicyRule `json:"consumptionRules"`
+	// PlacementRules are applied when creating resources with pod specs.
+	PlacementRules []ImagePlacementPolicyRule `json:"placementRules"`
+
+	// Everyone except cluster admins or platform infra must use an image from the registry
+	// Content in this namespace must use an image from the registry
+	// Images with a certain annotation/label must be run on these nodes
+	// Using this image consumes a certain amount of resource
+	// Images cannot be run or imported unless they come from these registries (unless the user is an admin)
+	// Images with/without these annotations/labels cannot be run (except in certain namespaces)
+	// Image cannot be tagged with/without these labels
+	// Images that are not signed by the listed authorities cannot be run (cert not expired)
+	// Unsigned images may not be run on the following nodes
+
+	// Enforce/Relax by namespace, labels, user permission
+	// Actions: Create pod, Tag image, Import image (ISM), Mutate pod (node selector, resources)
+	//   Add a resource to pod / container (for the image, this is not resource auto-sizing)
+	//   Add a node selector constraint
+	// Require a permission check on the service account / current user to tag / create an image
+
+	// Pods with this annotation / label should consume one resource increment (per container / per pod)
+	//
+}
+
+// ImagePlacementPolicyRule, when matching an image, applies the provided tolerations or taints.
+type ImagePlacementPolicyRule struct {
+	ImageSourceRule `json:",inline"`
+
+	Constrain []ConstrainPodNodeSelectorEffect `json:"constrain"`
+	Tolerate  []TolerateNodeSelectorEffect     `json:"tolerate"`
+}
+
+type ConstrainPodNodeSelectorEffect struct {
+	Add map[string]string `json:"add"`
+}
+
+type TolerateNodeSelectorEffect struct {
+	Add v1.Toleration `json:"add"`
+}
+
+// ImageConsumptionPolicyRule, when matching an image, adds a counted resource to the object.
+type ImageConsumptionPolicyRule struct {
+	ImageSourceRule `json:",inline"`
+
+	Add []ConsumeResourceEffect `json:"add"`
+}
+
+type ConsumeResourceEffect struct {
+	// Name is the name of a quantity to set on each matching container.
+	// May not be specified if NameFromImageAnnotation or NameFromDockerImageLabel is set.
+	Name string `json:"name"`
+	// NameFromImageAnnotation is the name of an image annotation to use to set the name of the resource
+	// quantity on each matching container.
+	// May not be specified if Name or NameFromDockerImageLabel is set.
+	NameFromImageAnnotation string `json:"nameFromImageAnnotation"`
+	// NameFromDockerImageLabel is the name of a docker image label to use to set the name of the resource
+	// quantity on each matching container.
+	// May not be specified if Name or NameFromImageAnnotation is set.
+	NameFromDockerImageLabel string `json:"nameFromDockerImageLabel"`
+
+	// Quantity is the amount of quantity to set
+	Quantity string `json:"quantity"`
+	// QuantityFromImageAnnotation is the key on an image annotation to use for the value of this resource.
+	// If this value is specified and no annotation is found, the value of Quantity is used instead.
+	QuantityFromImageAnnotation string `json:"quantityFromImageAnnotation"`
+	// QuantityFromDockerImageLabel is the key on a docker image label to use for the value of this resource.
+	// If this value is specified and no annotation is found, the value of Quantity is used instead.
+	QuantityFromDockerImageLabel string `json:"quantityFromDockerImageLabel"`
+}
+
+type ImageExecutionPolicyRule struct {
+	ImageSourceRule `json:",inline"`
+
+	// Deny indicates this rule is inverted and a match results in a rejection
+	Deny bool `json:"deny"`
+
+	// Resolve indicates that images referenced by this resource must be resolved
+	Resolve bool `json:"resolve"`
+}
+
+// ImageSourceRule defines the conditions for matching a particular image source. The conditions below
+// are all required (logical AND)
+type ImageSourceRule struct {
+	// Name is the name of this policy rule for reference. It must be unique across all rules.
+	Name string `json:"name"`
+	// OnResources determines which resources this applies to. Defaults to 'pods' for RuntimeSourceRules.
+	OnResources []string `json:"onResources"`
+	// IgnoreNamespaceOverride prevents this rule from being overriden when the
+	// `alpha.image.policy.openshift.io/ignore-rules` is set on a namespace and contains this rule name.
+	IgnoreNamespaceOverride bool `json:"ignoreNamespaceOverride"`
+
+	MatchIntegratedRegistry bool     `json:"matchIntegratedRegistry"`
+	MatchRegistries         []string `json:"matchRegistries"`
+
+	// AllowResolutionFailure allows the subsequent rules to be bypassed if the integrated registry does
+	// not have access to image metadata (no image exists matching the image digest).
+	AllowResolutionFailure bool `json:"allowResolutionFailure"`
+
+	MatchDockerImageLabels []ValueMatch     `json:"matchDockerImageLabels"`
+	MatchImageLabels       []ValueMatch     `json:"matchImageLabels"`
+	MatchImageAnnotations  []ValueMatch     `json:"matchImageAnnotations"`
+	MatchSignatures        []SignatureMatch `json:"matchSignatures"`
+}
+
+type ValueMatch struct {
+	Key string `json:"key"`
+
+	// One of the following conditions must apply
+	Set   bool   `json:"set"`
+	Value string `json:"value"`
+}
+
+type SignatureMatch struct {
+}