Add Support for policies.kyverno.io/severity annotation (#1763)

Signed-off-by: Frank Jogeleit <fj@move-elevator.de>
2025-04-17 17:56:33 +00:00 · 2021-04-07 23:56:27 +02:00 · 2021-04-07 23:56:27 +02:00 · 072d9f7951
commit 072d9f7951
parent 6f41acde03
2 changed files with 46 additions and 5 deletions
--- a/pkg/api/policyreport/v1alpha1/policyreport_types.go
+++ b/pkg/api/policyreport/v1alpha1/policyreport_types.go
@ -30,6 +30,13 @@ const (
 	StatusSkip  = "skip"
 )

+// Severity specifies priority of a policy result
+const (
+	SeverityHigh   = "high"
+	SeverityMedium = "medium"
+	SeverityLow    = "low"
+)
+
 // PolicyReportSummary provides a status count summary
 type PolicyReportSummary struct {

--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@ -132,6 +132,8 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 }

 func (builder *requestBuilder) buildRCRResult(policy string, resource response.ResourceSpec, rule kyverno.ViolatedRule) *report.PolicyReportResult {
+	av := builder.fetchAnnoationValues(policy, resource.Namespace)
+
 	result := &report.PolicyReportResult{
 		Policy: policy,
 		Resources: []*v1.ObjectReference{
@ -144,7 +146,8 @@ func (builder *requestBuilder) buildRCRResult(policy string, resource response.R
 			},
 		},
 		Scored:   true,
-		Category: builder.fetchCategory(policy, resource.Namespace),
+		Category: av.category,
+		Severity: av.severity,
 	}

 	result.Rule = rule.Name
@ -254,23 +257,54 @@ func buildViolatedRules(er *response.EngineResponse) []kyverno.ViolatedRule {
 }

 const categoryLabel string = "policies.kyverno.io/category"
+const severityLabel string = "policies.kyverno.io/severity"

-func (builder *requestBuilder) fetchCategory(policy, ns string) string {
+type annotationValues struct {
+	category string
+	severity report.PolicySeverity
+}
+
+func (av *annotationValues) setSeverityFromString(severity string) {
+	switch severity {
+	case report.SeverityHigh:
+		av.severity = report.SeverityHigh
+	case report.SeverityMedium:
+		av.severity = report.SeverityMedium
+	case report.SeverityLow:
+		av.severity = report.SeverityLow
+	}
+}
+
+func (builder *requestBuilder) fetchAnnoationValues(policy, ns string) annotationValues {
+	av := annotationValues{}
+	ann := builder.fetchAnnoations(policy, ns)
+
+	if category, ok := ann[categoryLabel]; ok {
+		av.category = category
+	}
+	if severity, ok := ann[severityLabel]; ok {
+		av.setSeverityFromString(severity)
+	}
+
+	return av
+}
+
+func (builder *requestBuilder) fetchAnnoations(policy, ns string) map[string]string {
 	cpol, err := builder.cpolLister.Get(policy)
 	if err == nil {
 		if ann := cpol.GetAnnotations(); ann != nil {
-			return ann[categoryLabel]
+			return ann
 		}
 	}

 	pol, err := builder.polLister.Policies(ns).Get(policy)
 	if err == nil {
 		if ann := pol.GetAnnotations(); ann != nil {
-			return ann[categoryLabel]
+			return ann
 		}
 	}

-	return ""
+	return make(map[string]string, 0)
 }

 func isResourceDeletion(info Info) bool {