From 09faf48b3548f0a0ff36dc4fb08b7c5a855da2aa Mon Sep 17 00:00:00 2001
From: Yuvraj <yuvraj.yad001@gmail.com>
Date: Thu, 3 Sep 2020 22:35:34 +0530
Subject: [PATCH] policy report removed
---
charts/kyverno/crds/crds.yaml | 90 +++++++++++++++++++
...cy.kubernetes.io_clusterpolicyreports.yaml | 87 ++++++++++++++++++
.../policy.kubernetes.io_policyreports.yaml | 46 ++++++++++
definitions/install.yaml | 90 +++++++++++++++++++
definitions/install_debug.yaml | 90 +++++++++++++++++++
pkg/kyverno/report/common.go | 25 +++---
6 files changed, 414 insertions(+), 14 deletions(-)
diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml
index 557fdc04f8..12ef242ea4 100644
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@@ -367,6 +367,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string 
@@ -411,6 +441,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object summary: description: PolicyReportSummary provides a summary of results properties: 
@@ -935,6 +995,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string diff --git a/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml b/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml index ece313e63b..a1e4f8c968 100755 --- a/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml 
+++ b/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml @@ -115,6 +115,52 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string 
@@ -170,6 +216,47 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. + Pods). Either one of, or none of, but not both of, Scope or ScopeSelector + should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the operator + is Exists or DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object summary: description: PolicyReportSummary provides a summary of results properties: diff --git a/definitions/crds/policy.kubernetes.io_policyreports.yaml b/definitions/crds/policy.kubernetes.io_policyreports.yaml index 097c40730d..417d9869b7 100755 --- a/definitions/crds/policy.kubernetes.io_policyreports.yaml 
+++ b/definitions/crds/policy.kubernetes.io_policyreports.yaml @@ -114,6 +114,52 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple + resources (e.g. Pods). Either one of, or none of, but not both of, + Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string diff --git a/definitions/install.yaml b/definitions/install.yaml index 8ab4b527c5..c487d50864 100755 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -372,6 +372,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string 
@@ -416,6 +446,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object summary: description: PolicyReportSummary provides a summary of results properties: 
@@ -940,6 +1000,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 32cf354dbc..29865ba38b 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml 
@@ -372,6 +372,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string 
@@ -416,6 +446,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + scopeSelector: + description: ScopeSelector is an optional selector for multiple scopes (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object summary: description: PolicyReportSummary provides a summary of results properties: 
@@ -940,6 +1000,36 @@ spec: description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' type: string type: object + resourceSelector: + description: ResourceSelector is an optional selector for multiple resources (e.g. Pods). Either one of, or none of, but not both of, Resource or ResourceSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object rule: description: Rule is the name of the policy rule type: string diff --git a/pkg/kyverno/report/common.go b/pkg/kyverno/report/common.go index 27eb13b850..0c99d53bbe 100644 --- a/pkg/kyverno/report/common.go +++ b/pkg/kyverno/report/common.go 
@@ -115,25 +115,23 @@ func backgroundScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config resourceMap := map[string]unstructured.Unstructured{} var engineResponses []response.EngineResponse for _, p := range cpolicies { - for _, rule := range p.Spec.Rules { - for _, k := range rule.MatchResources.Kinds { - resourceSchema, _, err := dClient.DiscoveryClient.FindResource("", k) if err != nil { log.Log.Error(err, "failed to find resource", "kind", k) continue } + if !resourceSchema.Namespaced && scope == Cluster { rMap := policy.GetResourcesPerNamespace(k, dClient, "", rule, configData, log.Log) policy.MergeResources(resourceMap, rMap) } else if resourceSchema.Namespaced { - namespaces := policy.GetNamespacesForRule(&rule, np.Lister(), log.Log) + namespaces := policy.GetNamespacesForRule(&rule, np.Lister(), log.Log) for _, ns := range namespaces { if ns == n { - rMap := policy.GetResourcesPerNamespace(k, dClient, ns, rule, configData, log.Log) + rMap := policy.GetResourcesPerNamespace(k, dClient, ns, rule, configData, log.Log) for _, r := range rMap { labels := r.GetLabels() _, okChart := labels["app"] @@ -145,6 +143,7 @@ func backgroundScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config } } } + } } } @@ -179,7 +178,6 @@ func backgroundScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config var appname string switch scope { case Helm: - //TODO GET Labels resource, err := dClient.GetResource(v.Resource.GetAPIVersion(), v.Resource.GetKind(), v.Resource.GetNamespace(), v.Resource.GetName()) if err != nil { log.Log.Error(err, "failed to get resource") 
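Review bot: The -115 hunk removes the `for _, rule := range p.Spec.Rules {`, `for _, k := range rule.MatchResources.Kinds {` and `resourceSchema, _, err := dClient.DiscoveryClient.FindResource("", k)` lines, yet the surviving context still reads `rule`, `k`, `resourceSchema` and `err`, and neither this hunk nor the -145 hunk (which only adds a closing `}`) re-declares them. If these names are not introduced outside the hunk the function will not compile; if they are, the declarations should appear as moved lines rather than vanish — the header's 25/23 counts do not match what is rendered here, so some lines may have been lost in rendering and this should be confirmed against the full file. The body of backgroundScan starts and ends outside the hunk. Separately, `policy.GetNamespacesForRule(&rule, np.Lister(), log.Log)` passes the address of the range variable, which is only safe if the callee does not retain the pointer past the iteration; a comment such as `// &rule is the per-iteration copy; GetNamespacesForRule must not retain it` would record that assumption.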
@@ -375,7 +373,7 @@ func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config) var appname string // Increase Count if scope == Cluster { - results[appname] = append(results[appname], *result) + appname = fmt.Sprintf("kyverno-clusterpolicyreport") } else if scope == Helm { resource, err := dClient.GetResource(v.Resource.GetAPIVersion(), v.Resource.GetKind(), v.Resource.GetNamespace(), v.Resource.GetName()) if err != nil { @@ -387,19 +385,18 @@ func configmapScan(n, scope string, wg *sync.WaitGroup, restConfig *rest.Config) _, okRelease := labels["release"] if okChart && okRelease { appname = fmt.Sprintf("kyverno-policyreport-%s-%s", labels["app"], v.Resource.GetNamespace()) - results[appname] = append(results[appname], *result) + } } else { appname = fmt.Sprintf("kyverno-policyreport-%s", v.Resource.GetNamespace()) - results[appname] = append(results[appname], *result) } + results[appname] = append(results[appname], *result) } } for k, _ := range results { if scope == Helm || scope == Namespace { - log.Log.Info("", "", results) availablepr, err := kclient.PolicyV1alpha1().PolicyReports(n).Get(k, metav1.GetOptions{}) if err != nil { if apierrors.IsNotFound(err) { @@ -486,12 +483,12 @@ func mergeReport(pr *policyreportv1alpha1.PolicyReport, results []policyreportv1 labels := pr.GetLabels() var action string if labels["policy-state"] == "init" { - action = "CREATE" + action = "Create" pr.SetLabels(map[string]string{ "policy-state": "Process", }) } else { - action = "UPDATE" + action = "Update" } for _, r := range results { var isExist = true @@ -514,12 +511,12 @@ func mergeClusterReport(pr *policyreportv1alpha1.ClusterPolicyReport, results [] labels := pr.GetLabels() var action string if labels["policy-state"] == "init" { - action = "CREATE" + action = "Create" pr.SetLabels(map[string]string{ "policy-state": "Process", }) } else { - action = "UPDATE" + action = "Update" } for _, r := range results {
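Review bot: In the -387 hunk, hoisting `results[appname] = append(results[appname], *result)` below the scope branches means a Helm-scoped resource that lacks both the `app` and `release` labels now leaves `appname` empty and files its result under `results[""]`, and the following `PolicyReports(n).Get(k, ...)` loop then requests a report with an empty name; as far as the removed lines show, that case previously fell through to the namespace-named report. Restore that fallback or skip the result, e.g. `if okChart && okRelease { appname = fmt.Sprintf("kyverno-policyreport-%s-%s", labels["app"], v.Resource.GetNamespace()) } else { appname = fmt.Sprintf("kyverno-policyreport-%s", v.Resource.GetNamespace()) }`. Note also that `labels["app"]` is caller-controlled and is interpolated straight into a Kubernetes object name without any check against the DNS-1123 naming rules, so a label value with uppercase letters or underscores produces a report that cannot be created, and two values differing only in case map to one report; either sanitise the value or document the assumption at that line. Minor: `appname = fmt.Sprintf("kyverno-clusterpolicyreport")` in the -375 hunk is a plain string literal (staticcheck S1039), and `for k, _ := range results` simplifies to `for k := range results`.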
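Review bot: The -486 and -514 hunks change the `action` literals from `"CREATE"`/`"UPDATE"` to `"Create"`/`"Update"` in mergeReport and mergeClusterReport, which carry identical label/action logic, while whatever consumes `action` lies outside both hunks; if that consumer still compares against the upper-case strings, the create/update decision silently breaks. Lifting the values into package-level constants shared by both functions and the consumer, e.g. `const ( actionCreate = "Create"; actionUpdate = "Update" )`, would stop the three sites drifting again. Both functions start and end outside their hunks.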