From 03cec01fb5efc0f801eb5203103fa163a0233a81 Mon Sep 17 00:00:00 2001
From: vivek kumar sahu
Date: Thu, 28 Jul 2022 11:31:50 +0530
Subject: [PATCH] feature: added new type of event, PolicySkipped (#4251)

* feature: added new type of event, PolicySkipped

Signed-off-by: viveksahu26

* fix html docs

Signed-off-by: viveksahu26

Co-authored-by: shuting
---
 pkg/engine/response/response.go | 10 ++++++++++
 pkg/event/controller.go | 4 +++-
 pkg/event/events.go | 20 ++++++++++++++++++++
 pkg/event/reason.go | 2 ++
 pkg/policy/report.go | 15 +++++++++------
 pkg/webhooks/resource/report.go | 13 +++++++++++--
 6 files changed, 55 insertions(+), 9 deletions(-)

diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go
index 00e73d4df0..c3a5ff3c8f 100644
--- a/pkg/engine/response/response.go
+++ b/pkg/engine/response/response.go
@@ -139,6 +139,16 @@ func (er EngineResponse) IsSuccessful() bool {
 return true
 }
 
+// IsSkipped checks if any rule has skipped resource or not.
+func (er EngineResponse) IsSkipped() bool {
+ for _, r := range er.PolicyResponse.Rules {
+ if r.Status == RuleStatusSkip {
+ return true
+ }
+ }
+ return false
+}
+
 // IsFailed checks if any rule has succeeded or not
 func (er EngineResponse) IsFailed() bool {
 for _, r := range er.PolicyResponse.Rules {
diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index 8410e31ed4..e9a15bad97 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -203,8 +203,10 @@ func (gen *Generator) syncHandler(key Info) error {
 }
 
 // set the event type based on reason
+ // if skip/pass, reason will be: NORMAL
+ // else reason will be: WARNING
 eventType := corev1.EventTypeWarning
- if key.Reason == PolicyApplied.String() {
+ if key.Reason == PolicyApplied.String() || key.Reason == PolicySkipped.String() {
 eventType = corev1.EventTypeNormal
 }
 
diff --git a/pkg/event/events.go b/pkg/event/events.go
index fe65b27b03..1dd9efc86a 100644
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
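Review bot: The doc comment on the new `IsSkipped` does not say what "skipped resource" means, and callers in this patch branch on the answer: the method returns true as soon as any entry of `er.PolicyResponse.Rules` has `RuleStatusSkip`, regardless of what the other rules did. Suggest `// IsSkipped reports whether at least one rule in the response has status RuleStatusSkip; other rules may still have passed or failed.` Because a response with one skipped and one failed rule also returns true, callers must test failure first, which the webhook caller in this patch does by checking IsSuccessful before IsSkipped.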
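Review bot: The two comment lines added in syncHandler mislabel what is being selected: `key.Reason` stays PolicyApplied or PolicySkipped, and it is the Kubernetes event type that becomes Normal or Warning, so "reason will be: NORMAL" will mislead the next reader. Suggest replacing them with `// Applied and skipped policies are informational (EventTypeNormal); every other reason is surfaced as EventTypeWarning.` Now that two reasons map to one type, `switch key.Reason { case PolicyApplied.String(), PolicySkipped.String(): eventType = corev1.EventTypeNormal }` also reads better than the growing `||` chain. syncHandler starts and ends outside the hunk.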
@@ -89,6 +89,26 @@ func NewResourceViolationEvent(source Source, reason Reason, engineResponse *res
 }
 }
 
+func NewPolicySkippedEvent(source Source, reason Reason, engineResponse *response.EngineResponse, ruleResp *response.RuleResponse) Info {
+ var bldr strings.Builder
+ defer bldr.Reset()
+ resource := engineResponse.GetResourceSpec()
+
+ if resource.Namespace != "" {
+ fmt.Fprintf(&bldr, "%s %s/%s: %s", resource.Kind, resource.Namespace, resource.Name, ruleResp.Status.String())
+ } else {
+ fmt.Fprintf(&bldr, "%s %s: %s", resource.Kind, resource.Name, ruleResp.Status.String())
+ }
+ return Info{
+ Kind: getPolicyKind(engineResponse.Policy),
+ Name: engineResponse.PolicyResponse.Policy.Name,
+ Namespace: engineResponse.PolicyResponse.Policy.Namespace,
+ Reason: PolicySkipped.String(),
+ Source: source,
+ Message: bldr.String(),
+ }
+}
+
 func NewBackgroundFailedEvent(err error, policy, rule string, source Source, r *unstructured.Unstructured) []Info {
 if r == nil {
 return nil
diff --git a/pkg/event/reason.go b/pkg/event/reason.go
index 8926a163df..dec8e79653 100644
--- a/pkg/event/reason.go
+++ b/pkg/event/reason.go
@@ -7,6 +7,7 @@ const (
 PolicyViolation Reason = iota
 PolicyApplied
 PolicyError
+ PolicySkipped
 )
 
 func (r Reason) String() string {
@@ -14,5 +15,6 @@ func (r Reason) String() string {
 "PolicyViolation",
 "PolicyApplied",
 "PolicyError",
+ "PolicySkipped",
 }[r]
 }
diff --git a/pkg/policy/report.go b/pkg/policy/report.go
index b738dde13f..d36daa2ec2 100644
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
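Review bot: `NewPolicySkippedEvent` accepts a `reason Reason` parameter but never reads it — the returned Info hardcodes `Reason: PolicySkipped.String()` — so the `event.PolicySkipped` argument at both call sites is decorative, and a future caller passing a different reason would silently get a PolicySkipped event anyway; either use `Reason: reason.String()` or drop the parameter. The message records only the resource and `ruleResp.Status.String()` (the word "skip"), so an operator reading the event cannot tell which rule was skipped or why; if RuleResponse carries the rule name and a message, they belong in the formatted string. `defer bldr.Reset()` on a local Builder does nothing useful, since `bldr.String()` is already evaluated by the time the defer runs, and can be removed.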
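Review bot: `Reason.String()` indexes a positional string slice, so the new `PolicySkipped` constant and its `"PolicySkipped"` entry only agree because both were appended last; nothing enforces that order, and a future insertion in one place but not the other would silently mislabel events, while an unlisted value still panics with an index out of range. A comment on the const block, `// Keep in the same order as the names returned by String().`, makes the coupling explicit, and a `switch` with a default case would remove the panic path.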
@@ -308,13 +308,16 @@ func generateFailEventsPerEr(log logr.Logger, er *response.EngineResponse) []eve
 for i, rule := range er.PolicyResponse.Rules {
 if rule.Status == response.RuleStatusPass {
 continue
+ } else if rule.Status == response.RuleStatusSkip {
+ eventResource := event.NewPolicySkippedEvent(event.PolicyController, event.PolicySkipped, er, &er.PolicyResponse.Rules[i])
+ eventInfos = append(eventInfos, eventResource)
+ } else {
+ eventResource := event.NewResourceViolationEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
+ eventInfos = append(eventInfos, eventResource)
+
+ eventPolicy := event.NewPolicyFailEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], false)
+ eventInfos = append(eventInfos, eventPolicy)
 }
-
- eventResource := event.NewResourceViolationEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
- eventInfos = append(eventInfos, eventResource)
-
- eventPolicy := event.NewPolicyFailEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], false)
- eventInfos = append(eventInfos, eventPolicy)
 }
 
 if len(eventInfos) > 0 {
diff --git a/pkg/webhooks/resource/report.go b/pkg/webhooks/resource/report.go
index 0b3f5a1582..35c6d0d364 100644
--- a/pkg/webhooks/resource/report.go
+++ b/pkg/webhooks/resource/report.go
@@ -15,6 +15,8 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked bool, lo
 // - report failure events on resource
 // - Some/All policies succeeded
 // - report success event on resource
+ // - Some/All policies skipped
+ // - report skipped event on resource
 
 for _, er := range engineResponses {
 if !er.IsSuccessful() {
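Review bot: In `generateFailEventsPerEr` the new `else if` and `else` hang off a branch that ends in `continue`, which the usual Go linters flag and which obscures that the loop is a three-way dispatch on `rule.Status`; a `switch` reads more clearly and makes the "anything else is a violation" default explicit. The function's name and its behaviour also no longer match, since it now emits skipped-rule events as well, so a doc comment such as `// generateFailEventsPerEr emits a PolicySkipped event for each skipped rule and violation and policy-fail events for every other non-passing rule.` would help. generateFailEventsPerEr starts and ends outside the hunk.
```go
for i, rule := range er.PolicyResponse.Rules {
	switch rule.Status {
	case response.RuleStatusPass:
		continue
	case response.RuleStatusSkip:
		eventInfos = append(eventInfos, event.NewPolicySkippedEvent(event.PolicyController, event.PolicySkipped, er, &er.PolicyResponse.Rules[i]))
	default:
		// … unchanged: NewResourceViolationEvent and NewPolicyFailEvent appends …
	}
}
```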
@@ -30,8 +32,15 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked bool, lo
 }
 }
 } else {
- e := event.NewPolicyAppliedEvent(event.AdmissionController, er)
- events = append(events, e)
+ if er.IsSkipped() {
+ for i := range er.PolicyResponse.Rules {
+ e := event.NewPolicySkippedEvent(event.AdmissionController, event.PolicySkipped, er, &er.PolicyResponse.Rules[i])
+ events = append(events, e)
+ }
+ } else {
+ e := event.NewPolicyAppliedEvent(event.AdmissionController, er)
+ events = append(events, e)
+ }
 }
 }
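Review bot: When `er.IsSkipped()` is true the new loop emits a PolicySkipped event for every entry of `er.PolicyResponse.Rules`, not just the skipped ones, so a response with one skipped and one passing rule produces a PolicySkipped event whose message ends in the passing rule's status, and the PolicyApplied event that was previously emitted for that response is dropped entirely. The loop should check `er.PolicyResponse.Rules[i].Status == response.RuleStatusSkip` before calling NewPolicySkippedEvent and still emit NewPolicyAppliedEvent once when at least one rule was applied, so the audit trail for applied policies is not lost. The rewrite below assumes this branch only sees passing and skipped rules, which depends on IsSuccessful, defined outside this hunk. generateEvents starts outside the hunk.
```go
} else {
	applied := false
	for i := range er.PolicyResponse.Rules {
		if er.PolicyResponse.Rules[i].Status != response.RuleStatusSkip {
			applied = true
			continue
		}
		e := event.NewPolicySkippedEvent(event.AdmissionController, event.PolicySkipped, er, &er.PolicyResponse.Rules[i])
		events = append(events, e)
	}
	if applied {
		events = append(events, event.NewPolicyAppliedEvent(event.AdmissionController, er))
	}
}
```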