2020-11-09 11:26:12 -08:00
|
|
|
package policyreport
|
|
|
|
|
|
|
|
|
|
import (
|
2022-01-22 13:36:42 +08:00
|
|
|
"context"
|
2020-11-09 11:26:12 -08:00
|
|
|
"fmt"
|
|
|
|
|
"reflect"
|
|
|
|
|
"strings"
|
2020-12-23 17:48:00 -08:00
|
|
|
"time"
|
2020-11-09 11:26:12 -08:00
|
|
|
|
|
|
|
|
"github.com/go-logr/logr"
|
2022-05-17 13:12:43 +02:00
|
|
|
kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
|
|
|
|
|
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
2022-05-03 18:58:20 +02:00
|
|
|
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
|
|
|
|
requestinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1alpha2"
|
|
|
|
|
policyreportinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/policyreport/v1alpha2"
|
|
|
|
|
requestlister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1alpha2"
|
|
|
|
|
policyreport "github.com/kyverno/kyverno/pkg/client/listers/policyreport/v1alpha2"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/config"
|
|
|
|
|
dclient "github.com/kyverno/kyverno/pkg/dclient"
|
|
|
|
|
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
|
|
|
|
"github.com/kyverno/kyverno/pkg/version"
|
2020-11-09 11:26:12 -08:00
|
|
|
v1 "k8s.io/api/core/v1"
|
|
|
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
|
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
|
2021-10-29 18:13:20 +02:00
|
|
|
"k8s.io/apimachinery/pkg/labels"
|
2020-11-09 11:26:12 -08:00
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
|
|
|
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
|
|
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
|
|
|
|
informers "k8s.io/client-go/informers/core/v1"
|
|
|
|
|
listerv1 "k8s.io/client-go/listers/core/v1"
|
|
|
|
|
"k8s.io/client-go/tools/cache"
|
|
|
|
|
"k8s.io/client-go/util/workqueue"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
prWorkQueueName = "policy-report-controller"
|
|
|
|
|
clusterpolicyreport = "clusterpolicyreport"
|
2021-12-17 06:03:52 +01:00
|
|
|
|
|
|
|
|
LabelSelectorKey = "managed-by"
|
|
|
|
|
LabelSelectorValue = "kyverno"
|
2020-11-09 11:26:12 -08:00
|
|
|
)
|
|
|
|
|
|
2021-12-17 06:03:52 +01:00
|
|
|
var LabelSelector = &metav1.LabelSelector{
|
|
|
|
|
MatchLabels: map[string]string{
|
|
|
|
|
LabelSelectorKey: LabelSelectorValue,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
// ReportGenerator creates policy report
|
|
|
|
|
type ReportGenerator struct {
|
2022-05-02 22:30:07 +02:00
|
|
|
pclient kyvernoclient.Interface
|
2022-05-03 07:30:04 +02:00
|
|
|
dclient dclient.Interface
|
2020-11-09 11:26:12 -08:00
|
|
|
|
2021-06-08 12:37:19 -07:00
|
|
|
clusterReportInformer policyreportinformer.ClusterPolicyReportInformer
|
|
|
|
|
reportInformer policyreportinformer.PolicyReportInformer
|
|
|
|
|
reportReqInformer requestinformer.ReportChangeRequestInformer
|
|
|
|
|
clusterReportReqInformer requestinformer.ClusterReportChangeRequestInformer
|
|
|
|
|
|
2022-05-02 19:41:39 +02:00
|
|
|
reportLister policyreport.PolicyReportLister
|
|
|
|
|
clusterReportLister policyreport.ClusterPolicyReportLister
|
|
|
|
|
reportChangeRequestLister requestlister.ReportChangeRequestLister
|
2020-11-09 11:26:12 -08:00
|
|
|
clusterReportChangeRequestLister requestlister.ClusterReportChangeRequestLister
|
2022-05-02 19:41:39 +02:00
|
|
|
nsLister listerv1.NamespaceLister
|
2020-11-09 11:26:12 -08:00
|
|
|
|
|
|
|
|
queue workqueue.RateLimitingInterface
|
|
|
|
|
|
2021-03-25 12:28:03 -07:00
|
|
|
// ReconcileCh sends a signal to policy controller to force the reconciliation of policy report
|
|
|
|
|
// if send true, the reports' results will be erased, this is used to recover from the invalid records
|
|
|
|
|
ReconcileCh chan bool
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
log logr.Logger
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// NewReportGenerator returns a new instance of policy report generator
|
|
|
|
|
func NewReportGenerator(
|
2022-05-02 22:30:07 +02:00
|
|
|
pclient kyvernoclient.Interface,
|
2022-05-03 07:30:04 +02:00
|
|
|
dclient dclient.Interface,
|
2020-11-09 11:26:12 -08:00
|
|
|
clusterReportInformer policyreportinformer.ClusterPolicyReportInformer,
|
|
|
|
|
reportInformer policyreportinformer.PolicyReportInformer,
|
|
|
|
|
reportReqInformer requestinformer.ReportChangeRequestInformer,
|
|
|
|
|
clusterReportReqInformer requestinformer.ClusterReportChangeRequestInformer,
|
|
|
|
|
namespace informers.NamespaceInformer,
|
2022-05-10 19:01:29 +02:00
|
|
|
log logr.Logger,
|
|
|
|
|
) (*ReportGenerator, error) {
|
2020-11-09 11:26:12 -08:00
|
|
|
gen := &ReportGenerator{
|
2021-06-08 12:37:19 -07:00
|
|
|
pclient: pclient,
|
|
|
|
|
dclient: dclient,
|
|
|
|
|
clusterReportInformer: clusterReportInformer,
|
|
|
|
|
reportInformer: reportInformer,
|
|
|
|
|
reportReqInformer: reportReqInformer,
|
|
|
|
|
clusterReportReqInformer: clusterReportReqInformer,
|
|
|
|
|
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), prWorkQueueName),
|
|
|
|
|
ReconcileCh: make(chan bool, 10),
|
|
|
|
|
log: log,
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
gen.clusterReportLister = clusterReportInformer.Lister()
|
|
|
|
|
gen.reportLister = reportInformer.Lister()
|
|
|
|
|
gen.clusterReportChangeRequestLister = clusterReportReqInformer.Lister()
|
|
|
|
|
gen.reportChangeRequestLister = reportReqInformer.Lister()
|
|
|
|
|
gen.nsLister = namespace.Lister()
|
|
|
|
|
|
2021-06-08 12:37:19 -07:00
|
|
|
return gen, nil
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const deletedPolicyKey string = "deletedpolicy"
|
|
|
|
|
|
|
|
|
|
// the key of queue can be
|
|
|
|
|
// - <namespace name> for the resource
|
|
|
|
|
// - "" for cluster wide resource
|
|
|
|
|
// - "deletedpolicy/policyName/ruleName(optional)" for a deleted policy or rule
|
|
|
|
|
func generateCacheKey(changeRequest interface{}) string {
|
2022-05-17 13:12:43 +02:00
|
|
|
if request, ok := changeRequest.(*kyvernov1alpha2.ReportChangeRequest); ok {
|
2020-11-09 11:26:12 -08:00
|
|
|
label := request.GetLabels()
|
|
|
|
|
policy := label[deletedLabelPolicy]
|
|
|
|
|
rule := label[deletedLabelRule]
|
|
|
|
|
if rule != "" || policy != "" {
|
|
|
|
|
return strings.Join([]string{deletedPolicyKey, policy, rule}, "/")
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-18 14:31:43 -08:00
|
|
|
ns := label[resourceLabelNamespace]
|
2020-11-09 11:26:12 -08:00
|
|
|
if ns == "" {
|
|
|
|
|
ns = "default"
|
|
|
|
|
}
|
|
|
|
|
return ns
|
2022-05-17 13:12:43 +02:00
|
|
|
} else if request, ok := changeRequest.(*kyvernov1alpha2.ClusterReportChangeRequest); ok {
|
2020-11-09 11:26:12 -08:00
|
|
|
label := request.GetLabels()
|
|
|
|
|
policy := label[deletedLabelPolicy]
|
|
|
|
|
rule := label[deletedLabelRule]
|
|
|
|
|
if rule != "" || policy != "" {
|
|
|
|
|
return strings.Join([]string{deletedPolicyKey, policy, rule}, "/")
|
|
|
|
|
}
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-14 01:06:56 -07:00
|
|
|
// managedRequest returns true if the request is managed by
|
|
|
|
|
// the current version of Kyverno instance
|
|
|
|
|
func managedRequest(changeRequest interface{}) bool {
|
|
|
|
|
labels := make(map[string]string)
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
if request, ok := changeRequest.(*kyvernov1alpha2.ReportChangeRequest); ok {
|
2021-09-14 01:06:56 -07:00
|
|
|
labels = request.GetLabels()
|
2022-05-17 13:12:43 +02:00
|
|
|
} else if request, ok := changeRequest.(*kyvernov1alpha2.ClusterReportChangeRequest); ok {
|
2021-09-14 01:06:56 -07:00
|
|
|
labels = request.GetLabels()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if v, ok := labels[appVersion]; !ok || v != version.BuildVersion {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
func (g *ReportGenerator) addReportChangeRequest(obj interface{}) {
|
2021-09-14 01:06:56 -07:00
|
|
|
if !managedRequest(obj) {
|
2022-05-17 13:12:43 +02:00
|
|
|
g.cleanupReportRequests([]*kyvernov1alpha2.ReportChangeRequest{obj.(*kyvernov1alpha2.ReportChangeRequest)})
|
2021-09-14 01:06:56 -07:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
key := generateCacheKey(obj)
|
|
|
|
|
g.queue.Add(key)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) updateReportChangeRequest(old interface{}, cur interface{}) {
|
2022-05-17 13:12:43 +02:00
|
|
|
oldReq := old.(*kyvernov1alpha2.ReportChangeRequest)
|
|
|
|
|
curReq := cur.(*kyvernov1alpha2.ReportChangeRequest)
|
2020-11-09 11:26:12 -08:00
|
|
|
if reflect.DeepEqual(oldReq.Results, curReq.Results) {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-14 01:06:56 -07:00
|
|
|
if !managedRequest(curReq) {
|
2022-05-17 13:12:43 +02:00
|
|
|
g.cleanupReportRequests([]*kyvernov1alpha2.ReportChangeRequest{curReq})
|
2021-09-14 01:06:56 -07:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
key := generateCacheKey(cur)
|
|
|
|
|
g.queue.Add(key)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) addClusterReportChangeRequest(obj interface{}) {
|
2021-09-14 01:06:56 -07:00
|
|
|
if !managedRequest(obj) {
|
2022-05-17 13:12:43 +02:00
|
|
|
g.cleanupReportRequests([]*kyvernov1alpha2.ClusterReportChangeRequest{obj.(*kyvernov1alpha2.ClusterReportChangeRequest)})
|
2021-09-14 01:06:56 -07:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
key := generateCacheKey(obj)
|
|
|
|
|
g.queue.Add(key)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) updateClusterReportChangeRequest(old interface{}, cur interface{}) {
|
2022-05-17 13:12:43 +02:00
|
|
|
oldReq := old.(*kyvernov1alpha2.ClusterReportChangeRequest)
|
|
|
|
|
curReq := cur.(*kyvernov1alpha2.ClusterReportChangeRequest)
|
2020-11-09 11:26:12 -08:00
|
|
|
|
|
|
|
|
if reflect.DeepEqual(oldReq.Results, curReq.Results) {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-14 01:06:56 -07:00
|
|
|
if !managedRequest(curReq) {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
g.queue.Add("")
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-25 12:28:03 -07:00
|
|
|
func (g *ReportGenerator) deletePolicyReport(obj interface{}) {
|
2022-05-17 13:12:43 +02:00
|
|
|
report, ok := kubeutils.GetObjectWithTombstone(obj).(*policyreportv1alpha2.PolicyReport)
|
2022-05-03 18:58:20 +02:00
|
|
|
if ok {
|
|
|
|
|
g.log.V(2).Info("PolicyReport deleted", "name", report.GetName())
|
|
|
|
|
} else {
|
|
|
|
|
g.log.Info("Failed to get deleted object", "obj", obj)
|
|
|
|
|
}
|
2021-03-25 12:28:03 -07:00
|
|
|
g.ReconcileCh <- false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) deleteClusterPolicyReport(obj interface{}) {
|
|
|
|
|
g.log.V(2).Info("ClusterPolicyReport deleted")
|
|
|
|
|
g.ReconcileCh <- false
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
// Run starts the workers
|
|
|
|
|
func (g *ReportGenerator) Run(workers int, stopCh <-chan struct{}) {
|
|
|
|
|
logger := g.log
|
|
|
|
|
defer utilruntime.HandleCrash()
|
|
|
|
|
defer g.queue.ShutDown()
|
|
|
|
|
|
|
|
|
|
logger.Info("start")
|
|
|
|
|
defer logger.Info("shutting down")
|
|
|
|
|
|
2021-06-08 12:37:19 -07:00
|
|
|
g.reportReqInformer.Informer().AddEventHandler(
|
|
|
|
|
cache.ResourceEventHandlerFuncs{
|
|
|
|
|
AddFunc: g.addReportChangeRequest,
|
|
|
|
|
UpdateFunc: g.updateReportChangeRequest,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
g.clusterReportReqInformer.Informer().AddEventHandler(
|
|
|
|
|
cache.ResourceEventHandlerFuncs{
|
|
|
|
|
AddFunc: g.addClusterReportChangeRequest,
|
|
|
|
|
UpdateFunc: g.updateClusterReportChangeRequest,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
g.reportInformer.Informer().AddEventHandler(
|
|
|
|
|
cache.ResourceEventHandlerFuncs{
|
|
|
|
|
DeleteFunc: g.deletePolicyReport,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
g.clusterReportInformer.Informer().AddEventHandler(
|
|
|
|
|
cache.ResourceEventHandlerFuncs{
|
|
|
|
|
DeleteFunc: g.deleteClusterPolicyReport,
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
for i := 0; i < workers; i++ {
|
2020-12-23 17:48:00 -08:00
|
|
|
go wait.Until(g.runWorker, time.Second, stopCh)
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
<-stopCh
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) runWorker() {
|
|
|
|
|
for g.processNextWorkItem() {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) processNextWorkItem() bool {
|
|
|
|
|
key, shutdown := g.queue.Get()
|
|
|
|
|
if shutdown {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defer g.queue.Done(key)
|
|
|
|
|
keyStr, ok := key.(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
g.queue.Forget(key)
|
|
|
|
|
g.log.Info("incorrect type; expecting type 'string'", "obj", key)
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-14 09:57:16 -07:00
|
|
|
aggregatedRequests, err := g.syncHandler(keyStr)
|
|
|
|
|
g.handleErr(err, key, aggregatedRequests)
|
2020-11-09 11:26:12 -08:00
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-14 09:57:16 -07:00
|
|
|
func (g *ReportGenerator) handleErr(err error, key interface{}, aggregatedRequests interface{}) {
|
2020-11-09 11:26:12 -08:00
|
|
|
logger := g.log
|
|
|
|
|
if err == nil {
|
|
|
|
|
g.queue.Forget(key)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// retires requests if there is error
|
|
|
|
|
if g.queue.NumRequeues(key) < workQueueRetryLimit {
|
2020-12-01 12:30:08 -08:00
|
|
|
logger.V(3).Info("retrying policy report", "key", key, "error", err.Error())
|
2020-11-09 11:26:12 -08:00
|
|
|
g.queue.AddRateLimited(key)
|
|
|
|
|
return
|
|
|
|
|
}
|
2020-12-01 12:30:08 -08:00
|
|
|
|
|
|
|
|
logger.Error(err, "failed to process policy report", "key", key)
|
2020-11-09 11:26:12 -08:00
|
|
|
g.queue.Forget(key)
|
2021-07-14 09:57:16 -07:00
|
|
|
|
|
|
|
|
if aggregatedRequests != nil {
|
|
|
|
|
g.cleanupReportRequests(aggregatedRequests)
|
|
|
|
|
}
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// syncHandler reconciles clusterPolicyReport if namespace == ""
|
2020-12-04 10:04:46 -08:00
|
|
|
// otherwise it updates policyReport
|
2021-07-14 09:57:16 -07:00
|
|
|
func (g *ReportGenerator) syncHandler(key string) (aggregatedRequests interface{}, err error) {
|
2020-12-21 11:04:19 -08:00
|
|
|
g.log.V(4).Info("syncing policy report", "key", key)
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
if policy, rule, ok := isDeletedPolicyKey(key); ok {
|
2021-10-27 22:59:59 -07:00
|
|
|
g.log.V(4).Info("sync policy report on policy deletion")
|
2020-11-09 11:26:12 -08:00
|
|
|
return g.removePolicyEntryFromReport(policy, rule)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
namespace := key
|
|
|
|
|
new, aggregatedRequests, err := g.aggregateReports(namespace)
|
|
|
|
|
if err != nil {
|
2021-07-14 09:57:16 -07:00
|
|
|
return aggregatedRequests, fmt.Errorf("failed to aggregate reportChangeRequest results %v", err)
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var old interface{}
|
2020-12-08 23:04:16 -08:00
|
|
|
if old, err = g.createReportIfNotPresent(namespace, new, aggregatedRequests); err != nil {
|
2021-07-14 09:57:16 -07:00
|
|
|
return aggregatedRequests, err
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
2021-10-27 22:59:59 -07:00
|
|
|
|
2020-12-08 23:04:16 -08:00
|
|
|
if old == nil {
|
2021-10-27 22:59:59 -07:00
|
|
|
g.log.V(4).Info("no existing policy report is found, clean up related report change requests")
|
2020-12-08 23:04:16 -08:00
|
|
|
g.cleanupReportRequests(aggregatedRequests)
|
2021-07-14 09:57:16 -07:00
|
|
|
return nil, nil
|
2020-12-08 23:04:16 -08:00
|
|
|
}
|
2020-11-09 11:26:12 -08:00
|
|
|
|
|
|
|
|
if err := g.updateReport(old, new, aggregatedRequests); err != nil {
|
2021-07-14 09:57:16 -07:00
|
|
|
return aggregatedRequests, err
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 10:04:46 -08:00
|
|
|
g.cleanupReportRequests(aggregatedRequests)
|
2021-07-14 09:57:16 -07:00
|
|
|
return nil, nil
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// createReportIfNotPresent creates cluster / policyReport if not present
|
|
|
|
|
// return the existing report if exist
|
|
|
|
|
func (g *ReportGenerator) createReportIfNotPresent(namespace string, new *unstructured.Unstructured, aggregatedRequests interface{}) (report interface{}, err error) {
|
|
|
|
|
log := g.log.WithName("createReportIfNotPresent")
|
2021-02-08 14:42:17 -08:00
|
|
|
obj, hasDuplicate, err := updateResults(new.UnstructuredContent(), new.UnstructuredContent(), nil)
|
|
|
|
|
if hasDuplicate && err != nil {
|
|
|
|
|
g.log.Error(err, "failed to remove duplicate results", "policy report", new.GetName())
|
|
|
|
|
} else {
|
|
|
|
|
new.Object = obj
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
if namespace != "" {
|
2020-12-08 23:04:16 -08:00
|
|
|
ns, err := g.nsLister.Get(namespace)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if apierrors.IsNotFound(err) {
|
2020-11-16 13:02:45 -08:00
|
|
|
return nil, nil
|
|
|
|
|
}
|
2020-12-08 23:04:16 -08:00
|
|
|
return nil, fmt.Errorf("failed to fetch namespace: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ns.GetDeletionTimestamp() != nil {
|
|
|
|
|
return nil, nil
|
2020-11-16 13:02:45 -08:00
|
|
|
}
|
|
|
|
|
|
2021-12-17 06:03:52 +01:00
|
|
|
report, err = g.reportLister.PolicyReports(namespace).Get(GeneratePolicyReportName(namespace))
|
2020-11-09 11:26:12 -08:00
|
|
|
if err != nil {
|
|
|
|
|
if apierrors.IsNotFound(err) && new != nil {
|
2022-01-22 13:36:42 +08:00
|
|
|
polr, err := convertToPolr(new)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to convert to policyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if _, err := g.pclient.Wgpolicyk8sV1alpha2().PolicyReports(new.GetNamespace()).Create(context.TODO(), polr, metav1.CreateOptions{}); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return nil, fmt.Errorf("failed to create policyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.V(2).Info("successfully created policyReport", "namespace", new.GetNamespace(), "name", new.GetName())
|
2020-12-04 10:04:46 -08:00
|
|
|
g.cleanupReportRequests(aggregatedRequests)
|
2020-11-09 11:26:12 -08:00
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil, fmt.Errorf("unable to get policyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2021-12-17 06:03:52 +01:00
|
|
|
report, err = g.clusterReportLister.Get(GeneratePolicyReportName(namespace))
|
2020-11-09 11:26:12 -08:00
|
|
|
if err != nil {
|
|
|
|
|
if apierrors.IsNotFound(err) {
|
|
|
|
|
if new != nil {
|
2022-01-22 13:36:42 +08:00
|
|
|
cpolr, err := convertToCpolr(new)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("failed to convert to ClusterPolicyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if _, err := g.pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Create(context.TODO(), cpolr, metav1.CreateOptions{}); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return nil, fmt.Errorf("failed to create ClusterPolicyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
log.V(2).Info("successfully created ClusterPolicyReport")
|
2020-12-04 10:04:46 -08:00
|
|
|
g.cleanupReportRequests(aggregatedRequests)
|
2020-11-09 11:26:12 -08:00
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
return nil, fmt.Errorf("unable to get ClusterPolicyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return report, nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-07-14 09:57:16 -07:00
|
|
|
func (g *ReportGenerator) removePolicyEntryFromReport(policyName, ruleName string) (aggregatedRequests interface{}, err error) {
|
2020-12-21 11:04:19 -08:00
|
|
|
if err := g.removeFromClusterPolicyReport(policyName, ruleName); err != nil {
|
2021-07-14 09:57:16 -07:00
|
|
|
return nil, err
|
2020-12-21 11:04:19 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := g.removeFromPolicyReport(policyName, ruleName); err != nil {
|
2021-07-14 09:57:16 -07:00
|
|
|
return nil, err
|
2020-12-21 11:04:19 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
labelset := labels.Set(map[string]string{deletedLabelPolicy: policyName})
|
|
|
|
|
if ruleName != "" {
|
|
|
|
|
labelset = labels.Set(map[string]string{
|
|
|
|
|
deletedLabelPolicy: policyName,
|
|
|
|
|
deletedLabelRule: ruleName,
|
|
|
|
|
})
|
|
|
|
|
}
|
2022-05-11 08:14:30 +02:00
|
|
|
aggregatedRequests, err = g.reportChangeRequestLister.ReportChangeRequests(config.KyvernoNamespace()).List(labels.SelectorFromSet(labelset))
|
2020-12-21 11:04:19 -08:00
|
|
|
if err != nil {
|
2021-07-14 09:57:16 -07:00
|
|
|
return aggregatedRequests, err
|
2020-12-21 11:04:19 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
g.cleanupReportRequests(aggregatedRequests)
|
2021-07-14 09:57:16 -07:00
|
|
|
return nil, nil
|
2020-12-21 11:04:19 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) removeFromClusterPolicyReport(policyName, ruleName string) error {
|
2020-11-09 11:26:12 -08:00
|
|
|
cpolrs, err := g.clusterReportLister.List(labels.Everything())
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed to list clusterPolicyReport %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, cpolr := range cpolrs {
|
2022-05-17 13:12:43 +02:00
|
|
|
newRes := []policyreportv1alpha2.PolicyReportResult{}
|
2020-11-09 11:26:12 -08:00
|
|
|
for _, result := range cpolr.Results {
|
|
|
|
|
if ruleName != "" && result.Rule == ruleName && result.Policy == policyName {
|
|
|
|
|
continue
|
|
|
|
|
} else if ruleName == "" && result.Policy == policyName {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
newRes = append(newRes, result)
|
|
|
|
|
}
|
|
|
|
|
cpolr.Results = newRes
|
|
|
|
|
cpolr.Summary = calculateSummary(newRes)
|
2022-05-17 13:12:43 +02:00
|
|
|
gv := policyreportv1alpha2.SchemeGroupVersion
|
2020-11-09 11:26:12 -08:00
|
|
|
cpolr.SetGroupVersionKind(schema.GroupVersionKind{Group: gv.Group, Version: gv.Version, Kind: "ClusterPolicyReport"})
|
2022-01-22 13:36:42 +08:00
|
|
|
if _, err := g.pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Update(context.TODO(), cpolr, metav1.UpdateOptions{}); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return fmt.Errorf("failed to update clusterPolicyReport %s %v", cpolr.Name, err)
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-12-21 11:04:19 -08:00
|
|
|
return nil
|
|
|
|
|
}
|
2020-11-09 11:26:12 -08:00
|
|
|
|
2020-12-21 11:04:19 -08:00
|
|
|
func (g *ReportGenerator) removeFromPolicyReport(policyName, ruleName string) error {
|
2020-11-09 11:26:12 -08:00
|
|
|
namespaces, err := g.dclient.ListResource("", "Namespace", "", nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("unable to list namespace %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-17 06:03:52 +01:00
|
|
|
selector, err := metav1.LabelSelectorAsSelector(LabelSelector)
|
2022-01-22 13:36:42 +08:00
|
|
|
if err != nil {
|
|
|
|
|
g.log.Error(err, "failed to build labelSelector")
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
policyReports := []*policyreportv1alpha2.PolicyReport{}
|
2020-11-09 11:26:12 -08:00
|
|
|
for _, ns := range namespaces.Items {
|
2021-12-17 06:03:52 +01:00
|
|
|
reports, err := g.reportLister.PolicyReports(ns.GetName()).List(selector)
|
2020-11-09 11:26:12 -08:00
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("unable to list policyReport for namespace %s %v", ns.GetName(), err)
|
|
|
|
|
}
|
|
|
|
|
policyReports = append(policyReports, reports...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, r := range policyReports {
|
2022-05-17 13:12:43 +02:00
|
|
|
newRes := []policyreportv1alpha2.PolicyReportResult{}
|
2020-11-09 11:26:12 -08:00
|
|
|
for _, result := range r.Results {
|
|
|
|
|
if ruleName != "" && result.Rule == ruleName && result.Policy == policyName {
|
|
|
|
|
continue
|
|
|
|
|
} else if ruleName == "" && result.Policy == policyName {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
newRes = append(newRes, result)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
r.Results = newRes
|
|
|
|
|
r.Summary = calculateSummary(newRes)
|
2022-05-17 13:12:43 +02:00
|
|
|
gv := policyreportv1alpha2.SchemeGroupVersion
|
2020-11-09 11:26:12 -08:00
|
|
|
gvk := schema.GroupVersionKind{Group: gv.Group, Version: gv.Version, Kind: "PolicyReport"}
|
|
|
|
|
r.SetGroupVersionKind(gvk)
|
2022-01-22 13:36:42 +08:00
|
|
|
if _, err := g.pclient.Wgpolicyk8sV1alpha2().PolicyReports(r.GetNamespace()).Update(context.TODO(), r, metav1.UpdateOptions{}); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return fmt.Errorf("failed to update PolicyReport %s %v", r.GetName(), err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-21 11:04:19 -08:00
|
|
|
// aggregateReports aggregates cluster / report change requests to a policy report
|
2020-11-09 11:26:12 -08:00
|
|
|
func (g *ReportGenerator) aggregateReports(namespace string) (
|
2022-05-10 19:01:29 +02:00
|
|
|
report *unstructured.Unstructured,
|
|
|
|
|
aggregatedRequests interface{},
|
|
|
|
|
err error,
|
|
|
|
|
) {
|
2022-05-11 08:14:30 +02:00
|
|
|
kyvernoNamespace, err := g.nsLister.Get(config.KyvernoNamespace())
|
2022-02-18 16:50:18 +08:00
|
|
|
if err != nil {
|
|
|
|
|
g.log.Error(err, "failed to get Kyverno namespace, policy reports will not be garbage collected upon termination")
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
if namespace == "" {
|
2021-09-14 01:06:56 -07:00
|
|
|
selector := labels.SelectorFromSet(labels.Set(map[string]string{appVersion: version.BuildVersion}))
|
|
|
|
|
requests, err := g.clusterReportChangeRequestLister.List(selector)
|
2020-11-09 11:26:12 -08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, fmt.Errorf("unable to list ClusterReportChangeRequests within: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-18 16:50:18 +08:00
|
|
|
if report, aggregatedRequests, err = mergeRequests(nil, kyvernoNamespace, requests); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return nil, nil, fmt.Errorf("unable to merge ClusterReportChangeRequests results: %v", err)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
ns, err := g.nsLister.Get(namespace)
|
|
|
|
|
if err != nil {
|
2020-11-16 13:02:45 -08:00
|
|
|
if !apierrors.IsNotFound(err) {
|
|
|
|
|
return nil, nil, fmt.Errorf("unable to get namespace %s: %v", namespace, err)
|
|
|
|
|
}
|
2020-12-08 23:04:16 -08:00
|
|
|
// Namespace is deleted, create a fake ns to clean up RCRs
|
|
|
|
|
ns = new(v1.Namespace)
|
|
|
|
|
ns.SetName(namespace)
|
|
|
|
|
now := metav1.Now()
|
|
|
|
|
ns.SetDeletionTimestamp(&now)
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
2021-09-14 01:06:56 -07:00
|
|
|
selector := labels.SelectorFromSet(labels.Set(map[string]string{appVersion: version.BuildVersion, resourceLabelNamespace: namespace}))
|
2022-05-11 08:14:30 +02:00
|
|
|
requests, err := g.reportChangeRequestLister.ReportChangeRequests(config.KyvernoNamespace()).List(selector)
|
2020-11-09 11:26:12 -08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, fmt.Errorf("unable to list reportChangeRequests within namespace %s: %v", ns, err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-18 16:50:18 +08:00
|
|
|
if report, aggregatedRequests, err = mergeRequests(ns, kyvernoNamespace, requests); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return nil, nil, fmt.Errorf("unable to merge results: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return report, aggregatedRequests, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-18 16:50:18 +08:00
|
|
|
func mergeRequests(ns, kyvernoNs *v1.Namespace, requestsGeneral interface{}) (*unstructured.Unstructured, interface{}, error) {
|
2022-05-17 13:12:43 +02:00
|
|
|
results := []policyreportv1alpha2.PolicyReportResult{}
|
2020-11-09 11:26:12 -08:00
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
if requests, ok := requestsGeneral.([]*kyvernov1alpha2.ClusterReportChangeRequest); ok {
|
|
|
|
|
aggregatedRequests := []*kyvernov1alpha2.ClusterReportChangeRequest{}
|
2020-11-09 11:26:12 -08:00
|
|
|
for _, request := range requests {
|
|
|
|
|
if request.GetDeletionTimestamp() != nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
if len(request.Results) != 0 {
|
|
|
|
|
results = append(results, request.Results...)
|
|
|
|
|
}
|
|
|
|
|
aggregatedRequests = append(aggregatedRequests, request)
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
report := &policyreportv1alpha2.ClusterPolicyReport{
|
2020-11-09 11:26:12 -08:00
|
|
|
Results: results,
|
|
|
|
|
Summary: calculateSummary(results),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(report)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, aggregatedRequests, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
req := &unstructured.Unstructured{Object: obj}
|
2022-02-18 16:50:18 +08:00
|
|
|
setReport(req, nil, kyvernoNs)
|
2020-11-09 11:26:12 -08:00
|
|
|
return req, aggregatedRequests, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
if requests, ok := requestsGeneral.([]*kyvernov1alpha2.ReportChangeRequest); ok {
|
|
|
|
|
aggregatedRequests := []*kyvernov1alpha2.ReportChangeRequest{}
|
2020-11-09 11:26:12 -08:00
|
|
|
for _, request := range requests {
|
|
|
|
|
if request.GetDeletionTimestamp() != nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
if len(request.Results) != 0 {
|
|
|
|
|
results = append(results, request.Results...)
|
|
|
|
|
}
|
|
|
|
|
aggregatedRequests = append(aggregatedRequests, request)
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
report := &policyreportv1alpha2.PolicyReport{
|
2020-11-09 11:26:12 -08:00
|
|
|
Results: results,
|
|
|
|
|
Summary: calculateSummary(results),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(report)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, aggregatedRequests, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
req := &unstructured.Unstructured{Object: obj}
|
2022-02-18 16:50:18 +08:00
|
|
|
setReport(req, ns, kyvernoNs)
|
2020-12-08 23:04:16 -08:00
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
return req, aggregatedRequests, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil, nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-18 16:50:18 +08:00
|
|
|
func setReport(reportUnstructured *unstructured.Unstructured, ns, kyvernoNs *v1.Namespace) {
|
2022-05-17 13:12:43 +02:00
|
|
|
reportUnstructured.SetAPIVersion(policyreportv1alpha2.SchemeGroupVersion.String())
|
2021-12-17 06:03:52 +01:00
|
|
|
reportUnstructured.SetLabels(LabelSelector.MatchLabels)
|
2020-11-09 11:26:12 -08:00
|
|
|
|
2022-02-18 16:50:18 +08:00
|
|
|
if kyvernoNs != nil {
|
|
|
|
|
controllerFlag := true
|
|
|
|
|
|
|
|
|
|
reportUnstructured.SetOwnerReferences([]metav1.OwnerReference{
|
|
|
|
|
{
|
|
|
|
|
APIVersion: "v1",
|
|
|
|
|
Kind: "Namespace",
|
|
|
|
|
Name: kyvernoNs.GetName(),
|
|
|
|
|
UID: kyvernoNs.GetUID(),
|
|
|
|
|
Controller: &controllerFlag,
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-09 11:26:12 -08:00
|
|
|
if ns == nil {
|
2021-12-17 06:03:52 +01:00
|
|
|
reportUnstructured.SetName(GeneratePolicyReportName(""))
|
2020-11-11 15:09:07 -08:00
|
|
|
reportUnstructured.SetKind("ClusterPolicyReport")
|
2020-11-09 11:26:12 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-17 06:03:52 +01:00
|
|
|
reportUnstructured.SetName(GeneratePolicyReportName(ns.GetName()))
|
2020-11-11 15:09:07 -08:00
|
|
|
reportUnstructured.SetNamespace(ns.GetName())
|
|
|
|
|
reportUnstructured.SetKind("PolicyReport")
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (g *ReportGenerator) updateReport(old interface{}, new *unstructured.Unstructured, aggregatedRequests interface{}) (err error) {
|
|
|
|
|
if new == nil {
|
|
|
|
|
g.log.V(4).Info("empty report to update")
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2021-10-27 22:59:59 -07:00
|
|
|
g.log.V(4).Info("reconcile policy report")
|
2020-11-09 11:26:12 -08:00
|
|
|
|
2020-12-04 10:04:46 -08:00
|
|
|
oldUnstructured := make(map[string]interface{})
|
2020-11-09 11:26:12 -08:00
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
if oldTyped, ok := old.(*policyreportv1alpha2.ClusterPolicyReport); ok {
|
2020-11-09 11:26:12 -08:00
|
|
|
if oldTyped.GetDeletionTimestamp() != nil {
|
2022-01-22 13:36:42 +08:00
|
|
|
return g.pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Delete(context.TODO(), oldTyped.Name, metav1.DeleteOptions{})
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 10:04:46 -08:00
|
|
|
if oldUnstructured, err = runtime.DefaultUnstructuredConverter.ToUnstructured(oldTyped); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return fmt.Errorf("unable to convert clusterPolicyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
new.SetUID(oldTyped.GetUID())
|
|
|
|
|
new.SetResourceVersion(oldTyped.GetResourceVersion())
|
2022-05-17 13:12:43 +02:00
|
|
|
} else if oldTyped, ok := old.(*policyreportv1alpha2.PolicyReport); ok {
|
2020-11-09 11:26:12 -08:00
|
|
|
if oldTyped.GetDeletionTimestamp() != nil {
|
2022-01-22 13:36:42 +08:00
|
|
|
return g.pclient.Wgpolicyk8sV1alpha2().PolicyReports(oldTyped.Namespace).Delete(context.TODO(), oldTyped.Name, metav1.DeleteOptions{})
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
2020-12-04 10:04:46 -08:00
|
|
|
if oldUnstructured, err = runtime.DefaultUnstructuredConverter.ToUnstructured(oldTyped); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
return fmt.Errorf("unable to convert policyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
new.SetUID(oldTyped.GetUID())
|
|
|
|
|
new.SetResourceVersion(oldTyped.GetResourceVersion())
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-27 22:59:59 -07:00
|
|
|
g.log.V(4).Info("update results entries")
|
2021-02-08 14:42:17 -08:00
|
|
|
obj, _, err := updateResults(oldUnstructured, new.UnstructuredContent(), aggregatedRequests)
|
2020-11-09 11:26:12 -08:00
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("failed to update results entry: %v", err)
|
|
|
|
|
}
|
|
|
|
|
new.Object = obj
|
|
|
|
|
|
2020-12-04 10:04:46 -08:00
|
|
|
if !hasResultsChanged(oldUnstructured, new.UnstructuredContent()) {
|
2020-12-21 11:04:19 -08:00
|
|
|
g.log.V(4).Info("unchanged policy report", "kind", new.GetKind(), "namespace", new.GetNamespace(), "name", new.GetName())
|
2020-11-09 11:26:12 -08:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-22 13:36:42 +08:00
|
|
|
if new.GetKind() == "PolicyReport" {
|
|
|
|
|
polr, err := convertToPolr(new)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("error converting to PolicyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
if _, err := g.pclient.Wgpolicyk8sV1alpha2().PolicyReports(new.GetNamespace()).Update(context.TODO(), polr, metav1.UpdateOptions{}); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to update PolicyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if new.GetKind() == "ClusterPolicyReport" {
|
|
|
|
|
cpolr, err := convertToCpolr(new)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return fmt.Errorf("error converting to ClusterPolicyReport: %v", err)
|
|
|
|
|
}
|
|
|
|
|
if _, err := g.pclient.Wgpolicyk8sV1alpha2().ClusterPolicyReports().Update(context.TODO(), cpolr, metav1.UpdateOptions{}); err != nil {
|
|
|
|
|
return fmt.Errorf("failed to update ClusterPolicyReport: %v", err)
|
|
|
|
|
}
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
g.log.V(3).Info("successfully updated policy report", "kind", new.GetKind(), "namespace", new.GetNamespace(), "name", new.GetName())
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-04 10:04:46 -08:00
|
|
|
func (g *ReportGenerator) cleanupReportRequests(requestsGeneral interface{}) {
|
2020-11-09 11:26:12 -08:00
|
|
|
defer g.log.V(5).Info("successfully cleaned up report requests")
|
2022-05-17 13:12:43 +02:00
|
|
|
if requests, ok := requestsGeneral.([]*kyvernov1alpha2.ReportChangeRequest); ok {
|
2020-11-09 11:26:12 -08:00
|
|
|
for _, request := range requests {
|
2022-05-11 08:14:30 +02:00
|
|
|
if err := g.pclient.KyvernoV1alpha2().ReportChangeRequests(config.KyvernoNamespace()).Delete(context.TODO(), request.Name, metav1.DeleteOptions{}); err != nil {
|
2020-12-09 09:29:52 -08:00
|
|
|
if !apierrors.IsNotFound(err) {
|
|
|
|
|
g.log.Error(err, "failed to delete report request")
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
2020-12-09 09:29:52 -08:00
|
|
|
}
|
2020-11-09 11:26:12 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
if requests, ok := requestsGeneral.([]*kyvernov1alpha2.ClusterReportChangeRequest); ok {
|
2020-11-09 11:26:12 -08:00
|
|
|
for _, request := range requests {
|
2022-01-22 13:36:42 +08:00
|
|
|
if err := g.pclient.KyvernoV1alpha2().ClusterReportChangeRequests().Delete(context.TODO(), request.Name, metav1.DeleteOptions{}); err != nil {
|
2020-11-09 11:26:12 -08:00
|
|
|
if !apierrors.IsNotFound(err) {
|
|
|
|
|
g.log.Error(err, "failed to delete clusterReportChangeRequest")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
