kyverno/pkg/webhooks/report.go

package webhooks

import (
	"strings"

	"github.com/go-logr/logr"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	"github.com/nirmata/kyverno/pkg/engine/response"

	"github.com/nirmata/kyverno/pkg/event"
)

//generateEvents generates event info for the engine responses
func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
	var events []event.Info
	// Scenario 1
	// - Admission-Response is SUCCESS && CREATE
	//   - All policies were succesfully
	//     - report event on resources
	if isResponseSuccesful(engineResponses) {
		if !onUpdate {
			// we only report events on CREATE requests
			return events
		}
		for _, er := range engineResponses {
			successRules := er.GetSuccessRules()
			successRulesStr := strings.Join(successRules, ";")
			// event on resource
			e := event.NewEvent(
				log,
				er.PolicyResponse.Resource.Kind,
				er.PolicyResponse.Resource.APIVersion,
				er.PolicyResponse.Resource.Namespace,
				er.PolicyResponse.Resource.Name,
				event.PolicyApplied.String(),
				event.AdmissionController,
				event.SRulesApply,
				successRulesStr,
				er.PolicyResponse.Policy,
			)
			events = append(events, e)
		}
		return events
	}

	// Scneario 2
	// - Admission-Response is BLOCKED
	//   - report event of policy is in enforce mode and failed to apply
	if blocked {
		for _, er := range engineResponses {
			if er.IsSuccesful() {
				// do not create event on polices that were succesfuly
				continue
			}
			if er.PolicyResponse.ValidationFailureAction != Enforce {
				// do not create event on "audit" policy
				continue
			}
			// Rules that failed
			failedRules := er.GetFailedRules()
			filedRulesStr := strings.Join(failedRules, ";")
			// Event on Policy
			e := event.NewEvent(
				log,
				"ClusterPolicy",
				kyverno.SchemeGroupVersion.String(),
				"",
				er.PolicyResponse.Policy,
				event.RequestBlocked.String(),
				event.AdmissionController,
				event.FPolicyBlockResourceUpdate,
				er.PolicyResponse.Resource.GetKey(),
				filedRulesStr,
			)
			events = append(events, e)
		}
		return events
	}

	// Scenario 3
	// - Admission-Response is SUCCESS
	//   - Some/All policies failed (policy violations generated)
	//     - report event on policy that failed
	//     - report event on resource that failed

	for _, er := range engineResponses {
		if er.IsSuccesful() {
			// do not create event on polices that were succesfuly
			continue
		}
		// Rules that failed
		failedRules := er.GetFailedRules()
		filedRulesStr := strings.Join(failedRules, ";")
		// Event on the policy
		e := event.NewEvent(
			log,
			"ClusterPolicy",
			kyverno.SchemeGroupVersion.String(),
			"",
			er.PolicyResponse.Policy,
			event.PolicyFailed.String(),
			event.AdmissionController,
			event.FPolicyApplyFailed,
			filedRulesStr,
			er.PolicyResponse.Resource.GetKey(),
		)
		events = append(events, e)
		// Event on the resource
		// event on resource
		e = event.NewEvent(
			log,
			er.PolicyResponse.Resource.Kind,
			er.PolicyResponse.Resource.APIVersion,
			er.PolicyResponse.Resource.Namespace,
			er.PolicyResponse.Resource.Name,
			event.PolicyViolation.String(),
			event.AdmissionController,
			event.FResourcePolicyFailed,
			filedRulesStr,
			er.PolicyResponse.Policy,
		)
		events = append(events, e)
	}

	return events
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
			`"strings"`

logs & access 2020-03-17 11:05:20 -07:00			`"github.com/go-logr/logr"`
update apiversion to v1 in code 2019-11-13 13:41:08 -08:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-30 17:08:50 -08:00			`"github.com/nirmata/kyverno/pkg/engine/response"`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"github.com/nirmata/kyverno/pkg/event"`
			`)`

replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`//generateEvents generates event info for the engine responses`
logs & access 2020-03-17 11:05:20 -07:00			`func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`var events []event.Info`
refactor events 2020-02-19 19:24:34 -08:00			`// Scenario 1`
			`// - Admission-Response is SUCCESS && CREATE`
			`// - All policies were succesfully`
			`// - report event on resources`
			`if isResponseSuccesful(engineResponses) {`
			`if !onUpdate {`
			`// we only report events on CREATE requests`
			`return events`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`for _, er := range engineResponses {`
			`successRules := er.GetSuccessRules()`
			`successRulesStr := strings.Join(successRules, ";")`
			`// event on resource`
add event source and format event messages (#565) 2019-12-26 11:50:41 -08:00			`e := event.NewEvent(`
logs & access 2020-03-17 11:05:20 -07:00			`log,`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`er.PolicyResponse.Resource.Kind,`
			`er.PolicyResponse.Resource.APIVersion,`
			`er.PolicyResponse.Resource.Namespace,`
			`er.PolicyResponse.Resource.Name,`
			`event.PolicyApplied.String(),`
add event source and format event messages (#565) 2019-12-26 11:50:41 -08:00			`event.AdmissionController,`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`event.SRulesApply,`
			`successRulesStr,`
			`er.PolicyResponse.Policy,`
			`)`
			`events = append(events, e)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
refactor events 2020-02-19 19:24:34 -08:00			`return events`
			`}`

			`// Scneario 2`
			`// - Admission-Response is BLOCKED`
			`// - report event of policy is in enforce mode and failed to apply`
			`if blocked {`
			`for _, er := range engineResponses {`
			`if er.IsSuccesful() {`
			`// do not create event on polices that were succesfuly`
			`continue`
			`}`
			`if er.PolicyResponse.ValidationFailureAction != Enforce {`
			`// do not create event on "audit" policy`
			`continue`
			`}`
			`// Rules that failed`
			`failedRules := er.GetFailedRules()`
			`filedRulesStr := strings.Join(failedRules, ";")`
			`// Event on Policy`
			`e := event.NewEvent(`
logs & access 2020-03-17 11:05:20 -07:00			`log,`
refactor events 2020-02-19 19:24:34 -08:00			`"ClusterPolicy",`
			`kyverno.SchemeGroupVersion.String(),`
			`"",`
			`er.PolicyResponse.Policy,`
			`event.RequestBlocked.String(),`
			`event.AdmissionController,`
			`event.FPolicyBlockResourceUpdate,`
			`er.PolicyResponse.Resource.GetKey(),`
			`filedRulesStr,`
			`)`
			`events = append(events, e)`
			`}`
			`return events`
			`}`

			`// Scenario 3`
			`// - Admission-Response is SUCCESS`
			`// - Some/All policies failed (policy violations generated)`
			`// - report event on policy that failed`
			`// - report event on resource that failed`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00
refactor events 2020-02-19 19:24:34 -08:00			`for _, er := range engineResponses {`
			`if er.IsSuccesful() {`
			`// do not create event on polices that were succesfuly`
			`continue`
			`}`
			`// Rules that failed`
			`failedRules := er.GetFailedRules()`
			`filedRulesStr := strings.Join(failedRules, ";")`
			`// Event on the policy`
			`e := event.NewEvent(`
logs & access 2020-03-17 11:05:20 -07:00			`log,`
refactor events 2020-02-19 19:24:34 -08:00			`"ClusterPolicy",`
			`kyverno.SchemeGroupVersion.String(),`
			`"",`
			`er.PolicyResponse.Policy,`
			`event.PolicyFailed.String(),`
			`event.AdmissionController,`
			`event.FPolicyApplyFailed,`
			`filedRulesStr,`
			`er.PolicyResponse.Resource.GetKey(),`
			`)`
fix ineffective assign 2020-02-20 10:01:29 -08:00			`events = append(events, e)`
refactor events 2020-02-19 19:24:34 -08:00			`// Event on the resource`
			`// event on resource`
			`e = event.NewEvent(`
logs & access 2020-03-17 11:05:20 -07:00			`log,`
refactor events 2020-02-19 19:24:34 -08:00			`er.PolicyResponse.Resource.Kind,`
			`er.PolicyResponse.Resource.APIVersion,`
			`er.PolicyResponse.Resource.Namespace,`
			`er.PolicyResponse.Resource.Name,`
			`event.PolicyViolation.String(),`
			`event.AdmissionController,`
			`event.FResourcePolicyFailed,`
			`filedRulesStr,`
			`er.PolicyResponse.Policy,`
			`)`
			`events = append(events, e)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
refactor events 2020-02-19 19:24:34 -08:00
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`return events`
annotation generation from policy controller 2019-07-17 17:53:13 -07:00			`}`