kyverno/pkg/policy/report.go

package policy

import (
	"fmt"

	"github.com/go-logr/logr"
	"github.com/nirmata/kyverno/pkg/engine/response"
	"github.com/nirmata/kyverno/pkg/event"
	"github.com/nirmata/kyverno/pkg/policyviolation"
)

// for each policy-resource response
// - has violation -> report
// - no violation -> cleanup policy violations
func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineResponse) {
	logger := pc.log
	// generate Events
	eventInfos := generateEvents(pc.log, engineResponses)
	pc.eventGen.Add(eventInfos...)
	// create policy violation
	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)
	for i := range pvInfos {
		pvInfos[i].FromSync = true
	}

	pc.pvGenerator.Add(pvInfos...)
	// cleanup existing violations if any
	// if there is any error in clean up, we dont re-queue the resource
	// it will be re-tried in the next controller cache resync
	pc.cleanUp(engineResponses)
}

func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info {
	var eventInfos []event.Info
	for _, er := range ers {
		if er.IsSuccessful() {
			continue
		}
		eventInfos = append(eventInfos, generateEventsPerEr(log, er)...)
	}
	return eventInfos
}

func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {
	logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
	var eventInfos []event.Info
	logger.V(4).Info("reporting results for policy")
	for _, rule := range er.PolicyResponse.Rules {
		if rule.Success {
			continue
		}
		// generate event on resource for each failed rule
		logger.V(4).Info("generating event on resource")
		e := event.Info{}
		e.Kind = er.PolicyResponse.Resource.Kind
		e.Namespace = er.PolicyResponse.Resource.Namespace
		e.Name = er.PolicyResponse.Resource.Name
		e.Reason = event.PolicyViolation.String()
		e.Source = event.PolicyController
		e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' not satisfied. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
		eventInfos = append(eventInfos, e)
	}
	if er.IsSuccessful() {
		return eventInfos
	}

	// generate a event on policy for all failed rules
	logger.V(4).Info("generating event on policy")
	e := event.Info{}
	e.Kind = "ClusterPolicy"
	e.Namespace = ""
	e.Name = er.PolicyResponse.Policy
	e.Reason = event.PolicyViolation.String()
	e.Source = event.PolicyController
	e.Message = fmt.Sprintf("policy '%s' rules '%v' not satisfied on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.GetFailedRules(), er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
	eventInfos = append(eventInfos, e)
	return eventInfos
}
existing resource reporting 2019-08-13 13:15:04 -07:00			`package policy`

			`import (`
			`"fmt"`

refactor logging 2020-03-17 16:25:34 -07:00			`"github.com/go-logr/logr"`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-30 17:08:50 -08:00			`"github.com/nirmata/kyverno/pkg/engine/response"`
existing resource reporting 2019-08-13 13:15:04 -07:00			`"github.com/nirmata/kyverno/pkg/event"`
update event message (#515) 2019-11-18 17:13:48 -08:00			`"github.com/nirmata/kyverno/pkg/policyviolation"`
existing resource reporting 2019-08-13 13:15:04 -07:00			`)`

458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`// for each policy-resource response`
			`// - has violation -> report`
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`// - no violation -> cleanup policy violations`
Support variable substitution (#549) * initial commit * variable substitution * update tests * update test * refactor engine packages for validate & generate * update vendor * update toml * support variable substitution in overlay mutation * missing update * fix indentation in logs * store context values as single JSON document using merge patches. * remove duplicate functions * fix message string * Handle processing of policies in background (#569) * remove condition check while generating mutation patch as conditions are verified in the first iteration * initial commit * background policy validation * correct message * skip non-background policy process for add/update * fix order to correct policy registration * update comment Co-authored-by: shuting <shutting06@gmail.com> * refactor Co-authored-by: shuting <shutting06@gmail.com> 2019-12-30 17:08:50 -08:00			`func (pc *PolicyController) cleanupAndReport(engineResponses []response.EngineResponse) {`
logs & access 2020-03-17 11:05:20 -07:00			`logger := pc.log`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`// generate Events`
refactor logging 2020-03-17 16:25:34 -07:00			`eventInfos := generateEvents(pc.log, engineResponses)`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`pc.eventGen.Add(eventInfos...)`
			`// create policy violation`
logs & access 2020-03-17 11:05:20 -07:00			`pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses, logger)`
527 skippings stats for sync pv 2020-02-26 00:26:09 +05:30			`for i := range pvInfos {`
			`pvInfos[i].FromSync = true`
			`}`

introduce policy violation generator 2019-11-12 14:41:29 -08:00			`pc.pvGenerator.Add(pvInfos...)`
			`// cleanup existing violations if any`
			`// if there is any error in clean up, we dont re-queue the resource`
			`// it will be re-tried in the next controller cache resync`
			`pc.cleanUp(engineResponses)`
			`}`

refactor logging 2020-03-17 16:25:34 -07:00			`func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info {`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`var eventInfos []event.Info`
			`for _, er := range ers {`
update logging, naming, and event retry (#959) * update logging and naming * check per policy patch count 2020-06-30 11:53:27 -07:00			`if er.IsSuccessful() {`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`continue`
			`}`
refactor logging 2020-03-17 16:25:34 -07:00			`eventInfos = append(eventInfos, generateEventsPerEr(log, er)...)`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`}`
			`return eventInfos`
			`}`
existing resource reporting 2019-08-13 13:15:04 -07:00
refactor logging 2020-03-17 16:25:34 -07:00			`func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {`
			`logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`var eventInfos []event.Info`
refactor logging 2020-03-17 16:25:34 -07:00			`logger.V(4).Info("reporting results for policy")`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`for _, rule := range er.PolicyResponse.Rules {`
			`if rule.Success {`
			`continue`
			`}`
existing resource reporting 2019-08-13 13:15:04 -07:00			`// generate event on resource for each failed rule`
refactor logging 2020-03-17 16:25:34 -07:00			`logger.V(4).Info("generating event on resource")`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`e := event.Info{}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`e.Kind = er.PolicyResponse.Resource.Kind`
			`e.Namespace = er.PolicyResponse.Resource.Namespace`
			`e.Name = er.PolicyResponse.Resource.Name`
update event message (#515) 2019-11-18 17:13:48 -08:00			`e.Reason = event.PolicyViolation.String()`
add event source and format event messages (#565) 2019-12-26 11:50:41 -08:00			`e.Source = event.PolicyController`
update event message (#515) 2019-11-18 17:13:48 -08:00			`e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' not satisfied. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`eventInfos = append(eventInfos, e)`
			`}`
update logging, naming, and event retry (#959) * update logging and naming * check per policy patch count 2020-06-30 11:53:27 -07:00			`if er.IsSuccessful() {`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`return eventInfos`
existing resource reporting 2019-08-13 13:15:04 -07:00			`}`
introduce policy violation generator 2019-11-12 14:41:29 -08:00
existing resource reporting 2019-08-13 13:15:04 -07:00			`// generate a event on policy for all failed rules`
refactor logging 2020-03-17 16:25:34 -07:00			`logger.V(4).Info("generating event on policy")`
replace policyInfo with engineResponse 2019-08-26 13:34:42 -07:00			`e := event.Info{}`
fix event resource name + add filtered kinds to policy controller & namespace + fix messages 2019-09-12 15:04:35 -07:00			`e.Kind = "ClusterPolicy"`
existing resource reporting 2019-08-13 13:15:04 -07:00			`e.Namespace = ""`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`e.Name = er.PolicyResponse.Policy`
update event message (#515) 2019-11-18 17:13:48 -08:00			`e.Reason = event.PolicyViolation.String()`
add event source and format event messages (#565) 2019-12-26 11:50:41 -08:00			`e.Source = event.PolicyController`
update event message (#515) 2019-11-18 17:13:48 -08:00			`e.Message = fmt.Sprintf("policy '%s' rules '%v' not satisfied on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.GetFailedRules(), er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)`
introduce policy violation generator 2019-11-12 14:41:29 -08:00			`eventInfos = append(eventInfos, e)`
			`return eventInfos`
existing resource reporting 2019-08-13 13:15:04 -07:00			`}`