kyverno/pkg/webhooks/report.go

package webhooks

import (
	"fmt"
	"strings"

	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
	"github.com/nirmata/kyverno/pkg/engine"
	"github.com/nirmata/kyverno/pkg/policyviolation"

	"github.com/golang/glog"
	"github.com/nirmata/kyverno/pkg/event"
)

//generateEvents generates event info for the engine responses
func generateEvents(engineResponses []engine.EngineResponse, onUpdate bool) []event.Info {
	var events []event.Info
	if !isResponseSuccesful(engineResponses) {
		for _, er := range engineResponses {
			if er.IsSuccesful() {
				// dont create events on success
				continue
			}
			failedRules := er.GetFailedRules()
			filedRulesStr := strings.Join(failedRules, ";")
			if onUpdate {
				var e event.Info
				// UPDATE
				// event on resource
				e = event.NewEventNew(
					er.PolicyResponse.Resource.Kind,
					er.PolicyResponse.Resource.APIVersion,
					er.PolicyResponse.Resource.Namespace,
					er.PolicyResponse.Resource.Name,
					event.RequestBlocked.String(),
					event.FPolicyApplyBlockUpdate,
					filedRulesStr,
					er.PolicyResponse.Policy,
				)
				glog.V(4).Infof("UPDATE event on resource %s/%s/%s with policy %s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy)
				events = append(events, e)

				// event on policy
				e = event.NewEventNew(
					"ClusterPolicy",
					kyverno.SchemeGroupVersion.String(),
					"",
					er.PolicyResponse.Policy,
					event.RequestBlocked.String(),
					event.FPolicyBlockResourceUpdate,
					er.PolicyResponse.Resource.Namespace+"/"+er.PolicyResponse.Resource.Name,
					filedRulesStr,
				)
				glog.V(4).Infof("UPDATE event on policy %s", er.PolicyResponse.Policy)
				events = append(events, e)

			} else {
				// CREATE
				// event on policy
				e := event.NewEventNew(
					"ClusterPolicy",
					kyverno.SchemeGroupVersion.String(),
					"",
					er.PolicyResponse.Policy,
					event.RequestBlocked.String(),
					event.FPolicyApplyBlockCreate,
					er.PolicyResponse.Resource.Namespace+"/"+er.PolicyResponse.Resource.Name,
					filedRulesStr,
				)
				glog.V(4).Infof("CREATE event on policy %s", er.PolicyResponse.Policy)
				events = append(events, e)
			}
		}
		return events
	}
	if !onUpdate {
		// All policies were applied succesfully
		// CREATE
		for _, er := range engineResponses {
			successRules := er.GetSuccessRules()
			successRulesStr := strings.Join(successRules, ";")
			// event on resource
			e := event.NewEventNew(
				er.PolicyResponse.Resource.Kind,
				er.PolicyResponse.Resource.APIVersion,
				er.PolicyResponse.Resource.Namespace,
				er.PolicyResponse.Resource.Name,
				event.PolicyApplied.String(),
				event.SRulesApply,
				successRulesStr,
				er.PolicyResponse.Policy,
			)
			events = append(events, e)
		}

	}
	return events
}

func generatePV(ers []engine.EngineResponse, blocked bool) []policyviolation.Info {
	var pvInfos []policyviolation.Info
	// generate PV for each
	for _, er := range ers {
		// ignore creation of PV for resoruces that are yet to be assigned a name
		if er.IsSuccesful() {
			continue
		}
		glog.V(4).Infof("Building policy violation for engine response %v", er)
		// build policy violation info
		pvInfos = append(pvInfos, buildPVInfo(er, blocked))
	}
	return pvInfos
}

func buildPVInfo(er engine.EngineResponse, blocked bool) policyviolation.Info {
	info := policyviolation.Info{
		Blocked:    blocked,
		PolicyName: er.PolicyResponse.Policy,
		Resource:   er.PatchedResource,
		Rules:      buildViolatedRules(er, blocked),
	}
	return info
}

func buildViolatedRules(er engine.EngineResponse, blocked bool) []kyverno.ViolatedRule {
	blockMsg := fmt.Sprintf("Request Blocked for resource %s/%s; ", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Name)
	var violatedRules []kyverno.ViolatedRule
	// if resource was blocked we create dependent
	dependant := kyverno.ManagedResourceSpec{
		Kind:            er.PolicyResponse.Resource.Kind,
		Namespace:       er.PolicyResponse.Resource.Namespace,
		CreationBlocked: true,
	}

	for _, rule := range er.PolicyResponse.Rules {
		if rule.Success {
			continue
		}
		vrule := kyverno.ViolatedRule{
			Name: rule.Name,
			Type: rule.Type,
		}

		if blocked {
			vrule.Message = blockMsg + rule.Message
			vrule.ManagedResource = dependant
		} else {
			vrule.Message = rule.Message
		}
		violatedRules = append(violatedRules, vrule)
	}
	return violatedRules
}
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`package webhooks`

			`import (`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`"fmt"`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"strings"`

replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"`
			`"github.com/nirmata/kyverno/pkg/engine"`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`"github.com/nirmata/kyverno/pkg/policyviolation"`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`"github.com/golang/glog"`
			`"github.com/nirmata/kyverno/pkg/event"`
			`)`

replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`//generateEvents generates event info for the engine responses`
update engineResponse Name 2019-10-08 10:57:24 -07:00			`func generateEvents(engineResponses []engine.EngineResponse, onUpdate bool) []event.Info {`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`var events []event.Info`
			`if !isResponseSuccesful(engineResponses) {`
			`for _, er := range engineResponses {`
			`if er.IsSuccesful() {`
			`// dont create events on success`
change flag & corrections 2019-07-16 15:53:14 -07:00			`continue`
			`}`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`failedRules := er.GetFailedRules()`
			`filedRulesStr := strings.Join(failedRules, ";")`
			`if onUpdate {`
			`var e event.Info`
			`// UPDATE`
			`// event on resource`
			`e = event.NewEventNew(`
			`er.PolicyResponse.Resource.Kind,`
			`er.PolicyResponse.Resource.APIVersion,`
			`er.PolicyResponse.Resource.Namespace,`
			`er.PolicyResponse.Resource.Name,`
			`event.RequestBlocked.String(),`
			`event.FPolicyApplyBlockUpdate,`
			`filedRulesStr,`
			`er.PolicyResponse.Policy,`
			`)`
			`glog.V(4).Infof("UPDATE event on resource %s/%s/%s with policy %s", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name, er.PolicyResponse.Policy)`
			`events = append(events, e)`

			`// event on policy`
			`e = event.NewEventNew(`
fix event resource name + add filtered kinds to policy controller & namespace + fix messages 2019-09-12 15:04:35 -07:00			`"ClusterPolicy",`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`kyverno.SchemeGroupVersion.String(),`
			`"",`
			`er.PolicyResponse.Policy,`
			`event.RequestBlocked.String(),`
			`event.FPolicyBlockResourceUpdate,`
			`er.PolicyResponse.Resource.Namespace+"/"+er.PolicyResponse.Resource.Name,`
			`filedRulesStr,`
			`)`
			`glog.V(4).Infof("UPDATE event on policy %s", er.PolicyResponse.Policy)`
			`events = append(events, e)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00
			`} else {`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`// CREATE`
			`// event on policy`
			`e := event.NewEventNew(`
fix event resource name + add filtered kinds to policy controller & namespace + fix messages 2019-09-12 15:04:35 -07:00			`"ClusterPolicy",`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`kyverno.SchemeGroupVersion.String(),`
			`"",`
			`er.PolicyResponse.Policy,`
			`event.RequestBlocked.String(),`
			`event.FPolicyApplyBlockCreate,`
			`er.PolicyResponse.Resource.Namespace+"/"+er.PolicyResponse.Resource.Name,`
			`filedRulesStr,`
			`)`
			`glog.V(4).Infof("CREATE event on policy %s", er.PolicyResponse.Policy)`
			`events = append(events, e)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
			`}`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`return events`
			`}`
			`if !onUpdate {`
			`// All policies were applied succesfully`
			`// CREATE`
			`for _, er := range engineResponses {`
			`successRules := er.GetSuccessRules()`
			`successRulesStr := strings.Join(successRules, ";")`
			`// event on resource`
			`e := event.NewEventNew(`
			`er.PolicyResponse.Resource.Kind,`
			`er.PolicyResponse.Resource.APIVersion,`
			`er.PolicyResponse.Resource.Namespace,`
			`er.PolicyResponse.Resource.Name,`
			`event.PolicyApplied.String(),`
			`event.SRulesApply,`
			`successRulesStr,`
			`er.PolicyResponse.Policy,`
			`)`
			`events = append(events, e)`
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00
restructure webhooks pkg 2019-07-15 16:07:56 -07:00			`}`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`return events`
annotation generation from policy controller 2019-07-17 17:53:13 -07:00			`}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00
			`func generatePV(ers []engine.EngineResponse, blocked bool) []policyviolation.Info {`
			`var pvInfos []policyviolation.Info`
			`// generate PV for each`
			`for _, er := range ers {`
			`// ignore creation of PV for resoruces that are yet to be assigned a name`
			`if er.IsSuccesful() {`
			`continue`
			`}`
			`glog.V(4).Infof("Building policy violation for engine response %v", er)`
			`// build policy violation info`
			`pvInfos = append(pvInfos, buildPVInfo(er, blocked))`
			`}`
pass dynamic client 2019-11-12 18:25:50 -08:00			`return pvInfos`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`}`

			`func buildPVInfo(er engine.EngineResponse, blocked bool) policyviolation.Info {`
			`info := policyviolation.Info{`
			`Blocked: blocked,`
			`PolicyName: er.PolicyResponse.Policy,`
			`Resource: er.PatchedResource,`
			`Rules: buildViolatedRules(er, blocked),`
			`}`
			`return info`
			`}`

			`func buildViolatedRules(er engine.EngineResponse, blocked bool) []kyverno.ViolatedRule {`
			`blockMsg := fmt.Sprintf("Request Blocked for resource %s/%s; ", er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Name)`
			`var violatedRules []kyverno.ViolatedRule`
			`// if resource was blocked we create dependent`
			`dependant := kyverno.ManagedResourceSpec{`
			`Kind: er.PolicyResponse.Resource.Kind,`
			`Namespace: er.PolicyResponse.Resource.Namespace,`
			`CreationBlocked: true,`
			`}`

			`for _, rule := range er.PolicyResponse.Rules {`
			`if rule.Success {`
			`continue`
			`}`
			`vrule := kyverno.ViolatedRule{`
			`Name: rule.Name,`
			`Type: rule.Type,`
			`}`

			`if blocked {`
			`vrule.Message = blockMsg + rule.Message`
			`vrule.ManagedResource = dependant`
			`} else {`
			`vrule.Message = rule.Message`
			`}`
			`violatedRules = append(violatedRules, vrule)`
			`}`
			`return violatedRules`
			`}`