kyverno/cmd/cli/kubectl-kyverno/apply/report.go

package apply

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"

	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
	"github.com/kyverno/kyverno/pkg/engine/response"
	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/types"
	log "sigs.k8s.io/controller-runtime/pkg/log"
)

const clusterpolicyreport = "clusterpolicyreport"

// resps is the engine responses generated for a single policy
func buildPolicyReports(pvInfos []common.Info) (res []*unstructured.Unstructured) {
	var raw []byte
	var err error

	resultsMap := buildPolicyResults(pvInfos)
	for scope, result := range resultsMap {
		if scope == clusterpolicyreport {
			report := &policyreportv1alpha2.ClusterPolicyReport{
				TypeMeta: metav1.TypeMeta{
					APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
					Kind:       "ClusterPolicyReport",
				},
				Results: result,
				Summary: calculateSummary(result),
			}

			report.SetName(scope)
			if raw, err = json.Marshal(report); err != nil {
				log.Log.V(3).Info("failed to serialize policy report", "name", report.Name, "scope", scope, "error", err)
			}
		} else {
			report := &policyreportv1alpha2.PolicyReport{
				TypeMeta: metav1.TypeMeta{
					APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),
					Kind:       "PolicyReport",
				},
				Results: result,
				Summary: calculateSummary(result),
			}

			ns := strings.ReplaceAll(scope, "policyreport-ns-", "")
			report.SetName(scope)
			report.SetNamespace(ns)

			if raw, err = json.Marshal(report); err != nil {
				log.Log.V(3).Info("failed to serialize policy report", "name", report.Name, "scope", scope, "error", err)
			}
		}

		reportUnstructured, err := kubeutils.BytesToUnstructured(raw)
		if err != nil {
			log.Log.V(3).Info("failed to convert policy report", "scope", scope, "error", err)
			continue
		}

		res = append(res, reportUnstructured)
	}

	return
}

// buildPolicyResults returns a string-PolicyReportResult map
// the key of the map is one of "clusterpolicyreport", "policyreport-ns-<namespace>"
func buildPolicyResults(infos []common.Info) map[string][]policyreportv1alpha2.PolicyReportResult {
	results := make(map[string][]policyreportv1alpha2.PolicyReportResult)
	now := metav1.Timestamp{Seconds: time.Now().Unix()}

	for _, info := range infos {
		var appname string
		ns := info.Namespace
		if ns != "" {
			appname = fmt.Sprintf("policyreport-ns-%s", ns)
		} else {
			appname = clusterpolicyreport
		}

		for _, infoResult := range info.Results {
			for _, rule := range infoResult.Rules {
				if rule.Type != string(response.Validation) {
					continue
				}

				result := policyreportv1alpha2.PolicyReportResult{
					Policy: info.PolicyName,
					Resources: []corev1.ObjectReference{
						{
							Kind:       infoResult.Resource.Kind,
							Namespace:  infoResult.Resource.Namespace,
							APIVersion: infoResult.Resource.APIVersion,
							Name:       infoResult.Resource.Name,
							UID:        types.UID(infoResult.Resource.UID),
						},
					},
					Scored: true,
				}

				result.Rule = rule.Name
				result.Message = rule.Message
				result.Result = policyreportv1alpha2.PolicyResult(rule.Status)
				result.Source = kyvernov1.ValueKyvernoApp
				result.Timestamp = now
				results[appname] = append(results[appname], result)
			}
		}
	}

	return results
}

func calculateSummary(results []policyreportv1alpha2.PolicyReportResult) (summary policyreportv1alpha2.PolicyReportSummary) {
	for _, res := range results {
		switch string(res.Result) {
		case policyreportv1alpha2.StatusPass:
			summary.Pass++
		case policyreportv1alpha2.StatusFail:
			summary.Fail++
		case "warn":
			summary.Warn++
		case "error":
			summary.Error++
		case "skip":
			summary.Skip++
		}
	}
	return
}
add report logic in command apply 2020-10-15 17:29:07 -07:00			`package apply`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"strings"`
Update PolicyReport CRDs to wgpolicyk8s.io/v1alpha2 (#1825) 2021-08-21 19:35:17 +02:00			`"time"`
add report logic in command apply 2020-10-15 17:29:07 -07:00
feat: reports v2 implementation (#4608) This PR refactors the reports generation code. It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds. The new reports system is based on 4 controllers: Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace) Resources controller is responsible for watching reports that need background scan reports I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong. I also added a flag to split reports in chunks to avoid creating too large resources. Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com> 2022-09-28 13:45:16 +02:00			`kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"`
refactor: remove policyreport package (#5174) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-02 09:06:44 +00:00			`"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"`
refactor: make response type (RuleType) typed (#3556) * refactor: move common utils Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: make response type (RuleType) typed Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: merge Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-06 21:04:08 +02:00			`"github.com/kyverno/kyverno/pkg/engine/response"`
chore: move ConvertToUnstructured from engine utils to kube utils (#5847) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-03 13:02:15 +01:00			`kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`corev1 "k8s.io/api/core/v1"`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`"k8s.io/apimachinery/pkg/types"`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`log "sigs.k8s.io/controller-runtime/pkg/log"`
			`)`

			`const clusterpolicyreport = "clusterpolicyreport"`

fixed skip policy 2020-10-27 00:41:16 +05:30			`// resps is the engine responses generated for a single policy`
refactor: remove policyreport package (#5174) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-02 09:06:44 +00:00			`func buildPolicyReports(pvInfos []common.Info) (res []*unstructured.Unstructured) {`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`var raw []byte`
			`var err error`

fixed apply test cases Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> 2021-09-02 01:06:29 +05:30			`resultsMap := buildPolicyResults(pvInfos)`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`for scope, result := range resultsMap {`
			`if scope == clusterpolicyreport {`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`report := &policyreportv1alpha2.ClusterPolicyReport{`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`TypeMeta: metav1.TypeMeta{`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`Kind: "ClusterPolicyReport",`
			`},`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`Results: result,`
			`Summary: calculateSummary(result),`
			`}`

			`report.SetName(scope)`
			`if raw, err = json.Marshal(report); err != nil {`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`log.Log.V(3).Info("failed to serialize policy report", "name", report.Name, "scope", scope, "error", err)`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`}`
			`} else {`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`report := &policyreportv1alpha2.PolicyReport{`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`TypeMeta: metav1.TypeMeta{`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(),`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`Kind: "PolicyReport",`
			`},`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`Results: result,`
			`Summary: calculateSummary(result),`
			`}`

			`ns := strings.ReplaceAll(scope, "policyreport-ns-", "")`
			`report.SetName(scope)`
			`report.SetNamespace(ns)`
add unit test for CLI report 2020-10-16 16:27:04 -07:00
			`if raw, err = json.Marshal(report); err != nil {`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`log.Log.V(3).Info("failed to serialize policy report", "name", report.Name, "scope", scope, "error", err)`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`}`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`}`

chore: move ConvertToUnstructured from engine utils to kube utils (#5847) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-01-03 13:02:15 +01:00			`reportUnstructured, err := kubeutils.BytesToUnstructured(raw)`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`if err != nil {`
added log 2020-11-19 15:56:14 +05:30			`log.Log.V(3).Info("failed to convert policy report", "scope", scope, "error", err)`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`continue`
			`}`
add unit test for CLI report 2020-10-16 16:27:04 -07:00
add report logic in command apply 2020-10-15 17:29:07 -07:00			`res = append(res, reportUnstructured)`
			`}`

			`return`
			`}`

			`// buildPolicyResults returns a string-PolicyReportResult map`
			`// the key of the map is one of "clusterpolicyreport", "policyreport-ns-<namespace>"`
refactor: remove policyreport package (#5174) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2022-11-02 09:06:44 +00:00			`func buildPolicyResults(infos []common.Info) map[string][]policyreportv1alpha2.PolicyReportResult {`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`results := make(map[string][]policyreportv1alpha2.PolicyReportResult)`
Update PolicyReport CRDs to wgpolicyk8s.io/v1alpha2 (#1825) 2021-08-21 19:35:17 +02:00			`now := metav1.Timestamp{Seconds: time.Now().Unix()}`
add report logic in command apply 2020-10-15 17:29:07 -07:00
			`for _, info := range infos {`
			`var appname string`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`ns := info.Namespace`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`if ns != "" {`
			`appname = fmt.Sprintf("policyreport-ns-%s", ns)`
			`} else {`
fix: golangci-lint warnings in cmd (#3843) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-05-09 18:55:35 +02:00			`appname = clusterpolicyreport`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`}`

1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`for _, infoResult := range info.Results {`
			`for _, rule := range infoResult.Rules {`
refactor: make response type (RuleType) typed (#3556) * refactor: move common utils Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: make response type (RuleType) typed Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: merge Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> 2022-04-06 21:04:08 +02:00			`if rule.Type != string(response.Validation) {`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`continue`
			`}`

chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`result := policyreportv1alpha2.PolicyReportResult{`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`Policy: info.PolicyName,`
refactor: remove some api unnecessary pointers (2) (#3705) * refactor: remove some api unnecessary pointers Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove some api unnecessary pointers (2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-04-28 11:11:14 +02:00			`Resources: []corev1.ObjectReference{`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`{`
			`Kind: infoResult.Resource.Kind,`
			`Namespace: infoResult.Resource.Namespace,`
			`APIVersion: infoResult.Resource.APIVersion,`
			`Name: infoResult.Resource.Name,`
			`UID: types.UID(infoResult.Resource.UID),`
			`},`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`},`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`Scored: true,`
			`}`
add report logic in command apply 2020-10-15 17:29:07 -07:00
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`result.Rule = rule.Name`
			`result.Message = rule.Message`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`result.Result = policyreportv1alpha2.PolicyResult(rule.Status)`
feat: reports v2 implementation (#4608) This PR refactors the reports generation code. It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds. The new reports system is based on 4 controllers: Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace) Resources controller is responsible for watching reports that need background scan reports I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong. I also added a flag to split reports in chunks to avoid creating too large resources. Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com> 2022-09-28 13:45:16 +02:00			`result.Source = kyvernov1.ValueKyvernoApp`
Update PolicyReport CRDs to wgpolicyk8s.io/v1alpha2 (#1825) 2021-08-21 19:35:17 +02:00			`result.Timestamp = now`
refactor: remove some api unnecessary pointers (2) (#3705) * refactor: remove some api unnecessary pointers Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove some api unnecessary pointers (2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-04-28 11:11:14 +02:00			`results[appname] = append(results[appname], result)`
1398 - Reduce RCR throttling requests (#1406) * reduce RCR throttling requests by merging policy application (policy - namespace) results into single RCR * - refactor policy controller; - fix RCR issue * - refactor RCR controller; - fix cpolr on ns update; - reduce throttling when getting resources; - fix tests * update CRD schema * fix typo 2020-12-21 11:04:19 -08:00			`}`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`}`
			`}`

change of logic for aggregation count 2020-10-31 01:55:05 +05:30			`return results`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`}`

chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`func calculateSummary(results []policyreportv1alpha2.PolicyReportResult) (summary policyreportv1alpha2.PolicyReportSummary) {`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`for _, res := range results {`
Update PolicyReport CRDs to wgpolicyk8s.io/v1alpha2 (#1825) 2021-08-21 19:35:17 +02:00			`switch string(res.Result) {`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`case policyreportv1alpha2.StatusPass:`
Merge commit 2020-11-10 10:49:29 +05:30			`summary.Pass++`
chore: make kyverno api import aliases consistent (#3939) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-05-17 13:12:43 +02:00			`case policyreportv1alpha2.StatusFail:`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`summary.Fail++`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`case "warn":`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`summary.Warn++`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`case "error":`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`summary.Error++`
add unit test for CLI report 2020-10-16 16:27:04 -07:00			`case "skip":`
add report logic in command apply 2020-10-15 17:29:07 -07:00			`summary.Skip++`
			`}`
			`}`
			`return`
			`}`