2022-09-28 13:45:16 +02:00
|
|
|
package report
|
|
|
|
|
|
|
|
|
|
import (
|
2023-09-19 14:06:53 +02:00
|
|
|
"cmp"
|
2024-03-11 02:32:05 -07:00
|
|
|
"encoding/json"
|
2023-09-19 14:06:53 +02:00
|
|
|
"slices"
|
2023-01-06 11:40:06 +01:00
|
|
|
"strings"
|
2022-09-28 13:45:16 +02:00
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/go-logr/logr"
|
2023-07-06 10:00:36 +02:00
|
|
|
"github.com/kyverno/kyverno/api/kyverno"
|
2022-09-28 13:45:16 +02:00
|
|
|
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
2024-06-19 10:08:15 +02:00
|
|
|
reportsv1 "github.com/kyverno/kyverno/api/reports/v1"
|
2023-01-30 12:41:09 +01:00
|
|
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
2024-03-11 02:32:05 -07:00
|
|
|
"github.com/kyverno/kyverno/pkg/pss/utils"
|
2024-03-08 03:24:00 +05:30
|
|
|
corev1 "k8s.io/api/core/v1"
|
2022-09-28 13:45:16 +02:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2024-10-02 17:35:05 +05:30
|
|
|
"k8s.io/apimachinery/pkg/runtime/schema"
|
2022-09-28 13:45:16 +02:00
|
|
|
"k8s.io/client-go/tools/cache"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func SortReportResults(results []policyreportv1alpha2.PolicyReportResult) {
|
2023-09-14 23:46:47 +02:00
|
|
|
slices.SortFunc(results, func(a policyreportv1alpha2.PolicyReportResult, b policyreportv1alpha2.PolicyReportResult) int {
|
2023-09-19 14:06:53 +02:00
|
|
|
if x := cmp.Compare(a.Policy, b.Policy); x != 0 {
|
2023-09-14 23:46:47 +02:00
|
|
|
return x
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
2023-09-19 14:06:53 +02:00
|
|
|
if x := cmp.Compare(a.Rule, b.Rule); x != 0 {
|
2023-09-14 23:46:47 +02:00
|
|
|
return x
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
2023-09-19 14:06:53 +02:00
|
|
|
if x := cmp.Compare(len(a.Resources), len(b.Resources)); x != 0 {
|
2023-09-14 23:46:47 +02:00
|
|
|
return x
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
|
|
|
|
for i := range a.Resources {
|
2023-09-19 14:06:53 +02:00
|
|
|
if x := cmp.Compare(a.Resources[i].UID, b.Resources[i].UID); x != 0 {
|
2023-09-14 23:46:47 +02:00
|
|
|
return x
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
|
|
|
|
}
|
2023-09-19 14:06:53 +02:00
|
|
|
return cmp.Compare(a.Timestamp.String(), b.Timestamp.String())
|
2022-09-28 13:45:16 +02:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func CalculateSummary(results []policyreportv1alpha2.PolicyReportResult) (summary policyreportv1alpha2.PolicyReportSummary) {
|
|
|
|
|
for _, res := range results {
|
2023-09-01 11:20:39 +02:00
|
|
|
switch res.Result {
|
2022-09-28 13:45:16 +02:00
|
|
|
case policyreportv1alpha2.StatusPass:
|
|
|
|
|
summary.Pass++
|
|
|
|
|
case policyreportv1alpha2.StatusFail:
|
|
|
|
|
summary.Fail++
|
|
|
|
|
case policyreportv1alpha2.StatusWarn:
|
|
|
|
|
summary.Warn++
|
|
|
|
|
case policyreportv1alpha2.StatusError:
|
|
|
|
|
summary.Error++
|
|
|
|
|
case policyreportv1alpha2.StatusSkip:
|
|
|
|
|
summary.Skip++
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-30 12:41:09 +01:00
|
|
|
func toPolicyResult(status engineapi.RuleStatus) policyreportv1alpha2.PolicyResult {
|
2022-09-28 13:45:16 +02:00
|
|
|
switch status {
|
2023-01-30 12:41:09 +01:00
|
|
|
case engineapi.RuleStatusPass:
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.StatusPass
|
2023-01-30 12:41:09 +01:00
|
|
|
case engineapi.RuleStatusFail:
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.StatusFail
|
2023-01-30 12:41:09 +01:00
|
|
|
case engineapi.RuleStatusError:
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.StatusError
|
2023-01-30 12:41:09 +01:00
|
|
|
case engineapi.RuleStatusWarn:
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.StatusWarn
|
2023-01-30 12:41:09 +01:00
|
|
|
case engineapi.RuleStatusSkip:
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.StatusSkip
|
|
|
|
|
}
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-19 11:46:37 +05:30
|
|
|
func SeverityFromString(severity string) policyreportv1alpha2.PolicySeverity {
|
2022-09-28 13:45:16 +02:00
|
|
|
switch severity {
|
2023-09-01 11:20:39 +02:00
|
|
|
case "critical":
|
2023-08-07 18:51:49 +08:00
|
|
|
return policyreportv1alpha2.SeverityCritical
|
2023-09-01 11:20:39 +02:00
|
|
|
case "high":
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.SeverityHigh
|
2023-09-01 11:20:39 +02:00
|
|
|
case "medium":
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.SeverityMedium
|
2023-09-01 11:20:39 +02:00
|
|
|
case "low":
|
2022-09-28 13:45:16 +02:00
|
|
|
return policyreportv1alpha2.SeverityLow
|
2023-09-01 11:20:39 +02:00
|
|
|
case "info":
|
2023-08-07 18:51:49 +08:00
|
|
|
return policyreportv1alpha2.SeverityInfo
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
|
|
|
|
return ""
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-08 03:24:00 +05:30
|
|
|
func ToPolicyReportResult(policyType engineapi.PolicyType, policyName string, ruleResult engineapi.RuleResponse, annotations map[string]string, resource *corev1.ObjectReference) policyreportv1alpha2.PolicyReportResult {
|
|
|
|
|
result := policyreportv1alpha2.PolicyReportResult{
|
2024-09-03 23:06:07 +05:30
|
|
|
Source: kyverno.ValueKyvernoApp,
|
|
|
|
|
Policy: policyName,
|
|
|
|
|
Rule: ruleResult.Name(),
|
|
|
|
|
Message: ruleResult.Message(),
|
|
|
|
|
Properties: ruleResult.Properties(),
|
|
|
|
|
Result: toPolicyResult(ruleResult.Status()),
|
|
|
|
|
Scored: annotations[kyverno.AnnotationPolicyScored] != "false",
|
2024-03-08 03:24:00 +05:30
|
|
|
Timestamp: metav1.Timestamp{
|
|
|
|
|
Seconds: time.Now().Unix(),
|
|
|
|
|
},
|
|
|
|
|
Category: annotations[kyverno.AnnotationPolicyCategory],
|
|
|
|
|
Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
|
|
|
|
|
}
|
|
|
|
|
if result.Result == "fail" && !result.Scored {
|
|
|
|
|
result.Result = "warn"
|
|
|
|
|
}
|
|
|
|
|
if resource != nil {
|
|
|
|
|
result.Resources = []corev1.ObjectReference{
|
|
|
|
|
*resource,
|
2022-12-20 06:57:23 +01:00
|
|
|
}
|
2024-03-08 03:24:00 +05:30
|
|
|
}
|
2024-07-25 20:36:19 +03:00
|
|
|
exceptions := ruleResult.Exceptions()
|
|
|
|
|
if len(exceptions) > 0 {
|
|
|
|
|
var names []string
|
|
|
|
|
for _, exception := range exceptions {
|
|
|
|
|
names = append(names, exception.Name)
|
|
|
|
|
}
|
|
|
|
|
addProperty("exceptions", strings.Join(names, ","), &result)
|
2024-03-08 03:24:00 +05:30
|
|
|
}
|
|
|
|
|
pss := ruleResult.PodSecurityChecks()
|
|
|
|
|
if pss != nil && len(pss.Checks) > 0 {
|
2024-03-11 02:32:05 -07:00
|
|
|
addPodSecurityProperties(pss, &result)
|
2022-09-28 13:45:16 +02:00
|
|
|
}
|
2024-03-08 03:24:00 +05:30
|
|
|
if policyType == engineapi.ValidatingAdmissionPolicyType {
|
|
|
|
|
result.Source = "ValidatingAdmissionPolicy"
|
|
|
|
|
result.Policy = ruleResult.Name()
|
|
|
|
|
if ruleResult.ValidatingAdmissionPolicyBinding() != nil {
|
|
|
|
|
addProperty("binding", ruleResult.ValidatingAdmissionPolicyBinding().Name, &result)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return result
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-11 02:32:05 -07:00
|
|
|
func addProperty(k, v string, result *policyreportv1alpha2.PolicyReportResult) {
|
|
|
|
|
if result.Properties == nil {
|
|
|
|
|
result.Properties = map[string]string{}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
result.Properties[k] = v
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type Control struct {
|
|
|
|
|
ID string
|
|
|
|
|
Name string
|
|
|
|
|
Images []string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func addPodSecurityProperties(pss *engineapi.PodSecurityChecks, result *policyreportv1alpha2.PolicyReportResult) {
|
|
|
|
|
if pss == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if result.Properties == nil {
|
|
|
|
|
result.Properties = map[string]string{}
|
|
|
|
|
}
|
|
|
|
|
var controls []Control
|
|
|
|
|
var controlIDs []string
|
|
|
|
|
for _, check := range pss.Checks {
|
|
|
|
|
if !check.CheckResult.Allowed {
|
|
|
|
|
controlName := utils.PSSControlIDToName(check.ID)
|
|
|
|
|
controlIDs = append(controlIDs, check.ID)
|
|
|
|
|
controls = append(controls, Control{
|
|
|
|
|
ID: check.ID,
|
|
|
|
|
Name: controlName,
|
|
|
|
|
Images: check.Images,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if len(controls) > 0 {
|
|
|
|
|
controlsJson, _ := json.Marshal(controls)
|
|
|
|
|
result.Properties["standard"] = string(pss.Level)
|
|
|
|
|
result.Properties["version"] = pss.Version
|
|
|
|
|
result.Properties["controls"] = strings.Join(controlIDs, ",")
|
|
|
|
|
result.Properties["controlsJSON"] = string(controlsJson)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-03-08 03:24:00 +05:30
|
|
|
func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
|
|
|
|
|
pol := response.Policy()
|
|
|
|
|
policyName, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
|
|
|
|
|
policyType := pol.GetType()
|
|
|
|
|
annotations := pol.GetAnnotations()
|
|
|
|
|
|
2024-05-20 17:16:35 +08:00
|
|
|
results := make([]policyreportv1alpha2.PolicyReportResult, 0, len(response.PolicyResponse.Rules))
|
2024-03-08 03:24:00 +05:30
|
|
|
for _, ruleResult := range response.PolicyResponse.Rules {
|
|
|
|
|
result := ToPolicyReportResult(policyType, policyName, ruleResult, annotations, nil)
|
|
|
|
|
results = append(results, result)
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 13:45:16 +02:00
|
|
|
return results
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-02 17:35:05 +05:30
|
|
|
func MutationEngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
|
|
|
|
|
pol := response.Policy()
|
|
|
|
|
policyName, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
|
|
|
|
|
policyType := pol.GetType()
|
|
|
|
|
annotations := pol.GetAnnotations()
|
|
|
|
|
|
|
|
|
|
results := make([]policyreportv1alpha2.PolicyReportResult, 0, len(response.PolicyResponse.Rules))
|
|
|
|
|
for _, ruleResult := range response.PolicyResponse.Rules {
|
|
|
|
|
result := ToPolicyReportResult(policyType, policyName, ruleResult, annotations, nil)
|
|
|
|
|
if target, _, _ := ruleResult.PatchedTarget(); target != nil {
|
|
|
|
|
addProperty("patched-target", getResourceInfo(target.GroupVersionKind(), target.GetName(), target.GetNamespace()), &result)
|
|
|
|
|
}
|
|
|
|
|
results = append(results, result)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func GenerationEngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult {
|
|
|
|
|
pol := response.Policy()
|
|
|
|
|
policyName, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy())
|
|
|
|
|
policyType := pol.GetType()
|
|
|
|
|
annotations := pol.GetAnnotations()
|
|
|
|
|
|
|
|
|
|
results := make([]policyreportv1alpha2.PolicyReportResult, 0, len(response.PolicyResponse.Rules))
|
|
|
|
|
for _, ruleResult := range response.PolicyResponse.Rules {
|
|
|
|
|
result := ToPolicyReportResult(policyType, policyName, ruleResult, annotations, nil)
|
2024-10-15 12:29:18 +05:30
|
|
|
if generatedResources := ruleResult.GeneratedResources(); len(generatedResources) != 0 {
|
|
|
|
|
property := make([]string, 0)
|
|
|
|
|
for _, r := range generatedResources {
|
|
|
|
|
property = append(property, getResourceInfo(r.GroupVersionKind(), r.GetName(), r.GetNamespace()))
|
|
|
|
|
}
|
|
|
|
|
addProperty("generated-resources", strings.Join(property, "; "), &result)
|
2024-10-02 17:35:05 +05:30
|
|
|
}
|
|
|
|
|
results = append(results, result)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return results
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 13:45:16 +02:00
|
|
|
func SplitResultsByPolicy(logger logr.Logger, results []policyreportv1alpha2.PolicyReportResult) map[string][]policyreportv1alpha2.PolicyReportResult {
|
|
|
|
|
resultsMap := map[string][]policyreportv1alpha2.PolicyReportResult{}
|
|
|
|
|
keysMap := map[string]string{}
|
|
|
|
|
for _, result := range results {
|
|
|
|
|
if keysMap[result.Policy] == "" {
|
|
|
|
|
ns, n, err := cache.SplitMetaNamespaceKey(result.Policy)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "failed to decode policy name", "key", result.Policy)
|
|
|
|
|
} else {
|
|
|
|
|
if ns == "" {
|
|
|
|
|
keysMap[result.Policy] = "cpol-" + n
|
|
|
|
|
} else {
|
|
|
|
|
keysMap[result.Policy] = "pol-" + n
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
for _, result := range results {
|
|
|
|
|
key := keysMap[result.Policy]
|
|
|
|
|
resultsMap[key] = append(resultsMap[key], result)
|
|
|
|
|
}
|
|
|
|
|
return resultsMap
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-19 10:08:15 +02:00
|
|
|
func SetResults(report reportsv1.ReportInterface, results ...policyreportv1alpha2.PolicyReportResult) {
|
2022-09-28 13:45:16 +02:00
|
|
|
SortReportResults(results)
|
|
|
|
|
report.SetResults(results)
|
|
|
|
|
report.SetSummary(CalculateSummary(results))
|
|
|
|
|
}
|
|
|
|
|
|
2024-06-19 10:08:15 +02:00
|
|
|
func SetResponses(report reportsv1.ReportInterface, engineResponses ...engineapi.EngineResponse) {
|
2022-09-28 13:45:16 +02:00
|
|
|
var ruleResults []policyreportv1alpha2.PolicyReportResult
|
|
|
|
|
for _, result := range engineResponses {
|
2023-09-05 14:42:17 +03:00
|
|
|
pol := result.Policy()
|
2023-08-15 22:41:43 +03:00
|
|
|
SetPolicyLabel(report, pol)
|
2022-09-28 13:45:16 +02:00
|
|
|
ruleResults = append(ruleResults, EngineResponseToReportResults(result)...)
|
|
|
|
|
}
|
|
|
|
|
SetResults(report, ruleResults...)
|
|
|
|
|
}
|
2024-10-02 17:35:05 +05:30
|
|
|
|
|
|
|
|
func SetMutationResponses(report reportsv1.ReportInterface, engineResponses ...engineapi.EngineResponse) {
|
|
|
|
|
var ruleResults []policyreportv1alpha2.PolicyReportResult
|
|
|
|
|
for _, result := range engineResponses {
|
|
|
|
|
pol := result.Policy()
|
|
|
|
|
SetPolicyLabel(report, pol)
|
|
|
|
|
ruleResults = append(ruleResults, MutationEngineResponseToReportResults(result)...)
|
|
|
|
|
}
|
|
|
|
|
SetResults(report, ruleResults...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func SetGenerationResponses(report reportsv1.ReportInterface, engineResponses ...engineapi.EngineResponse) {
|
|
|
|
|
var ruleResults []policyreportv1alpha2.PolicyReportResult
|
|
|
|
|
for _, result := range engineResponses {
|
|
|
|
|
pol := result.Policy()
|
|
|
|
|
SetPolicyLabel(report, pol)
|
|
|
|
|
ruleResults = append(ruleResults, GenerationEngineResponseToReportResults(result)...)
|
|
|
|
|
}
|
|
|
|
|
SetResults(report, ruleResults...)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getResourceInfo(gvk schema.GroupVersionKind, name, namespace string) string {
|
|
|
|
|
info := gvk.String() + " Name=" + name
|
|
|
|
|
if len(namespace) != 0 {
|
|
|
|
|
info = info + " Namespace=" + namespace
|
|
|
|
|
}
|
|
|
|
|
return info
|
|
|
|
|
}
|
