feature: added new type of event, PolicySkipped (#4251)

* feature: added new type of event, PolicySkipped Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * fix html docs Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-07-28 11:31:50 +05:30 · 2022-07-28 11:31:50 +05:30 · 03cec01fb5
commit 03cec01fb5
parent 750b4b106c
6 changed files with 55 additions and 9 deletions
--- a/pkg/engine/response/response.go
+++ b/pkg/engine/response/response.go
@ -139,6 +139,16 @@ func (er EngineResponse) IsSuccessful() bool {
 	return true
 }

+// IsSkipped checks if any rule has skipped resource or not.
+func (er EngineResponse) IsSkipped() bool {
+	for _, r := range er.PolicyResponse.Rules {
+		if r.Status == RuleStatusSkip {
+			return true
+		}
+	}
+	return false
+}
+
 // IsFailed checks if any rule has succeeded or not
 func (er EngineResponse) IsFailed() bool {
 	for _, r := range er.PolicyResponse.Rules {
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@ -203,8 +203,10 @@ func (gen *Generator) syncHandler(key Info) error {
 	}

 	// set the event type based on reason
+	// if skip/pass, reason will be: NORMAL
+	// else reason will be: WARNING
 	eventType := corev1.EventTypeWarning
-	if key.Reason == PolicyApplied.String() {
+	if key.Reason == PolicyApplied.String() || key.Reason == PolicySkipped.String() {
 		eventType = corev1.EventTypeNormal
 	}

--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@ -89,6 +89,26 @@ func NewResourceViolationEvent(source Source, reason Reason, engineResponse *res
 	}
 }

+func NewPolicySkippedEvent(source Source, reason Reason, engineResponse *response.EngineResponse, ruleResp *response.RuleResponse) Info {
+	var bldr strings.Builder
+	defer bldr.Reset()
+	resource := engineResponse.GetResourceSpec()
+
+	if resource.Namespace != "" {
+		fmt.Fprintf(&bldr, "%s %s/%s: %s", resource.Kind, resource.Namespace, resource.Name, ruleResp.Status.String())
+	} else {
+		fmt.Fprintf(&bldr, "%s %s: %s", resource.Kind, resource.Name, ruleResp.Status.String())
+	}
+	return Info{
+		Kind:      getPolicyKind(engineResponse.Policy),
+		Name:      engineResponse.PolicyResponse.Policy.Name,
+		Namespace: engineResponse.PolicyResponse.Policy.Namespace,
+		Reason:    PolicySkipped.String(),
+		Source:    source,
+		Message:   bldr.String(),
+	}
+}
+
 func NewBackgroundFailedEvent(err error, policy, rule string, source Source, r *unstructured.Unstructured) []Info {
 	if r == nil {
 		return nil
--- a/pkg/event/reason.go
+++ b/pkg/event/reason.go
@ -7,6 +7,7 @@ const (
 	PolicyViolation Reason = iota
 	PolicyApplied
 	PolicyError
+	PolicySkipped
 )

 func (r Reason) String() string {
@ -14,5 +15,6 @@ func (r Reason) String() string {
 		"PolicyViolation",
 		"PolicyApplied",
 		"PolicyError",
+		"PolicySkipped",
 	}[r]
 }
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@ -308,13 +308,16 @@ func generateFailEventsPerEr(log logr.Logger, er *response.EngineResponse) []eve
 	for i, rule := range er.PolicyResponse.Rules {
 		if rule.Status == response.RuleStatusPass {
 			continue
+		} else if rule.Status == response.RuleStatusSkip {
+			eventResource := event.NewPolicySkippedEvent(event.PolicyController, event.PolicySkipped, er, &er.PolicyResponse.Rules[i])
+			eventInfos = append(eventInfos, eventResource)
+		} else {
+			eventResource := event.NewResourceViolationEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
+			eventInfos = append(eventInfos, eventResource)
+
+			eventPolicy := event.NewPolicyFailEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], false)
+			eventInfos = append(eventInfos, eventPolicy)
 		}
-
-		eventResource := event.NewResourceViolationEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
-		eventInfos = append(eventInfos, eventResource)
-
-		eventPolicy := event.NewPolicyFailEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], false)
-		eventInfos = append(eventInfos, eventPolicy)
 	}

 	if len(eventInfos) > 0 {
--- a/pkg/webhooks/resource/report.go
+++ b/pkg/webhooks/resource/report.go
@ -15,6 +15,8 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked bool, lo
 	//     - report failure events on resource
 	//   - Some/All policies succeeded
 	//     - report success event on resource
+	//   - Some/All policies skipped
+	//     - report skipped event on resource

 	for _, er := range engineResponses {
 		if !er.IsSuccessful() {
@ -30,8 +32,15 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked bool, lo
 				}
 			}
 		} else {
-			e := event.NewPolicyAppliedEvent(event.AdmissionController, er)
-			events = append(events, e)
+			if er.IsSkipped() {
+				for i := range er.PolicyResponse.Rules {
+					e := event.NewPolicySkippedEvent(event.AdmissionController, event.PolicySkipped, er, &er.PolicyResponse.Rules[i])
+					events = append(events, e)
+				}
+			} else {
+				e := event.NewPolicyAppliedEvent(event.AdmissionController, er)
+				events = append(events, e)
+			}
 		}
 	}