kyverno/pkg/controllers/report/aggregate/utils.go

package aggregate

import (
	"context"
	"errors"
	"time"

	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
	reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
	reportutils "github.com/kyverno/kyverno/pkg/utils/report"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/types"
	"k8s.io/apimachinery/pkg/util/sets"
)

type maps struct {
	pol  map[string]policyMapEntry
	vap  sets.Set[string]
	vpol sets.Set[string]
}

func mergeReports(maps maps, accumulator map[string]policyreportv1alpha2.PolicyReportResult, uid types.UID, reports ...reportsv1.ReportInterface) {
	for _, report := range reports {
		if report == nil {
			continue
		}
		for _, result := range report.GetResults() {
			switch result.Source {
			case reportutils.SourceValidatingPolicy:
				if maps.vpol != nil && maps.vpol.Has(result.Policy) {
					key := result.Source + "/" + result.Policy + "/" + string(uid)
					if rule, exists := accumulator[key]; !exists {
						accumulator[key] = result
					} else if rule.Timestamp.Seconds < result.Timestamp.Seconds {
						accumulator[key] = result
					}
				}
			case reportutils.SourceValidatingAdmissionPolicy:
				if maps.vap != nil && maps.vap.Has(result.Policy) {
					key := result.Source + "/" + result.Policy + "/" + string(uid)
					if rule, exists := accumulator[key]; !exists {
						accumulator[key] = result
					} else if rule.Timestamp.Seconds < result.Timestamp.Seconds {
						accumulator[key] = result
					}
				}
			default:
				currentPolicy := maps.pol[result.Policy]
				if currentPolicy.rules != nil && currentPolicy.rules.Has(result.Rule) {
					key := result.Source + "/" + result.Policy + "/" + result.Rule + "/" + string(uid)
					if rule, exists := accumulator[key]; !exists {
						accumulator[key] = result
					} else if rule.Timestamp.Seconds < result.Timestamp.Seconds {
						accumulator[key] = result
					}
				}
			}
		}
	}
}

func deleteReport(ctx context.Context, report reportsv1.ReportInterface, client versioned.Interface) error {
	if !controllerutils.IsManagedByKyverno(report) {
		return errors.New("can't delete report because it is not managed by kyverno")
	}
	return reportutils.DeleteReport(ctx, report, client)
}

func updateReport(ctx context.Context, report reportsv1.ReportInterface, client versioned.Interface) (reportsv1.ReportInterface, error) {
	if !controllerutils.IsManagedByKyverno(report) {
		return nil, errors.New("can't update report because it is not managed by kyverno")
	}
	return reportutils.UpdateReport(ctx, report, client)
}

func isTooOld(reportMeta *metav1.PartialObjectMetadata) bool {
	return reportMeta.GetCreationTimestamp().Add(deletionGrace).Before(time.Now())
}
chore: remove reports aggregation per namespace (#9570) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-01-31 00:08:47 +01:00			`package aggregate`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00
			`import (`
			`"context"`
			`"errors"`
fix: reports aggregation (#9697) * chore: rename admission to ephemeral in reports aggregation controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: reports aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * second queue Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-02-08 11:36:01 +01:00			`"time"`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00
			`policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"`
feat: remove v1alpha2 group/version (#10500) * feat: remove v1alpha2 group Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-06-19 10:08:15 +02:00			`reportsv1 "github.com/kyverno/kyverno/api/reports/v1"`
fix: make alternate reports storage transparent (#9553) * fix: make alternate reports storage transparent Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * bg scan Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rm manager Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-01-30 15:53:37 +01:00			`"github.com/kyverno/kyverno/pkg/client/clientset/versioned"`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"`
fix: make alternate reports storage transparent (#9553) * fix: make alternate reports storage transparent Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * bg scan Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rm manager Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-01-30 15:53:37 +01:00			`reportutils "github.com/kyverno/kyverno/pkg/utils/report"`
fix: reports aggregation (#9697) * chore: rename admission to ephemeral in reports aggregation controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: reports aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * second queue Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-02-08 11:36:01 +01:00			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`"k8s.io/apimachinery/pkg/types"`
			`"k8s.io/apimachinery/pkg/util/sets"`
			`)`

feat: add validating policies to reports aggregation (#12096) * feat: add validating policies to reports aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chainsaw test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-02-05 14:21:28 +01:00			`type maps struct {`
			`pol map[string]policyMapEntry`
			`vap sets.Set[string]`
			`vpol sets.Set[string]`
			`}`

			`func mergeReports(maps maps, accumulator map[string]policyreportv1alpha2.PolicyReportResult, uid types.UID, reports ...reportsv1.ReportInterface) {`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`for _, report := range reports {`
fix: don't delete garbage collected policy reports (#9679) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-02-07 08:10:51 +01:00			`if report == nil {`
			`continue`
			`}`
			`for _, result := range report.GetResults() {`
feat: add validating policies to reports aggregation (#12096) * feat: add validating policies to reports aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chainsaw test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-02-05 14:21:28 +01:00			`switch result.Source {`
			`case reportutils.SourceValidatingPolicy:`
			`if maps.vpol != nil && maps.vpol.Has(result.Policy) {`
			`key := result.Source + "/" + result.Policy + "/" + string(uid)`
			`if rule, exists := accumulator[key]; !exists {`
			`accumulator[key] = result`
			`} else if rule.Timestamp.Seconds < result.Timestamp.Seconds {`
			`accumulator[key] = result`
			`}`
			`}`
			`case reportutils.SourceValidatingAdmissionPolicy:`
			`if maps.vap != nil && maps.vap.Has(result.Policy) {`
fix: don't delete garbage collected policy reports (#9679) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-02-07 08:10:51 +01:00			`key := result.Source + "/" + result.Policy + "/" + string(uid)`
			`if rule, exists := accumulator[key]; !exists {`
			`accumulator[key] = result`
			`} else if rule.Timestamp.Seconds < result.Timestamp.Seconds {`
			`accumulator[key] = result`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`}`
fix: don't delete garbage collected policy reports (#9679) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-02-07 08:10:51 +01:00			`}`
feat: add validating policies to reports aggregation (#12096) * feat: add validating policies to reports aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chainsaw test Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * unit tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2025-02-05 14:21:28 +01:00			`default:`
			`currentPolicy := maps.pol[result.Policy]`
fix: don't delete garbage collected policy reports (#9679) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-02-07 08:10:51 +01:00			`if currentPolicy.rules != nil && currentPolicy.rules.Has(result.Rule) {`
			`key := result.Source + "/" + result.Policy + "/" + result.Rule + "/" + string(uid)`
			`if rule, exists := accumulator[key]; !exists {`
			`accumulator[key] = result`
			`} else if rule.Timestamp.Seconds < result.Timestamp.Seconds {`
			`accumulator[key] = result`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`}`
			`}`
			`}`
			`}`
			`}`
			`}`

feat: remove v1alpha2 group/version (#10500) * feat: remove v1alpha2 group Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-06-19 10:08:15 +02:00			`func deleteReport(ctx context.Context, report reportsv1.ReportInterface, client versioned.Interface) error {`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`if !controllerutils.IsManagedByKyverno(report) {`
			`return errors.New("can't delete report because it is not managed by kyverno")`
			`}`
fix: make alternate reports storage transparent (#9553) * fix: make alternate reports storage transparent Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * bg scan Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rm manager Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-01-30 15:53:37 +01:00			`return reportutils.DeleteReport(ctx, report, client)`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`}`

feat: remove v1alpha2 group/version (#10500) * feat: remove v1alpha2 group Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * codegen Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix tests Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-06-19 10:08:15 +02:00			`func updateReport(ctx context.Context, report reportsv1.ReportInterface, client versioned.Interface) (reportsv1.ReportInterface, error) {`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`if !controllerutils.IsManagedByKyverno(report) {`
			`return nil, errors.New("can't update report because it is not managed by kyverno")`
			`}`
fix: make alternate reports storage transparent (#9553) * fix: make alternate reports storage transparent Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * bg scan Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * rm manager Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * update Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-01-30 15:53:37 +01:00			`return reportutils.UpdateReport(ctx, report, client)`
fix: make sure we don't modify reports not owned by kyverno (#8502) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-22 06:01:21 +02:00			`}`
fix: reports aggregation (#9697) * chore: rename admission to ephemeral in reports aggregation controller Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: reports aggregation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * second queue Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * cleanup Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * nit Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * flag Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2024-02-08 11:36:01 +01:00
			`func isTooOld(reportMeta *metav1.PartialObjectMetadata) bool {`
			`return reportMeta.GetCreationTimestamp().Add(deletionGrace).Before(time.Now())`
			`}`