feat: generate k8s event for exception (#5770)

Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com>
2025-03-30 19:35:06 +00:00 · 2022-12-22 18:34:09 -05:00 · 2022-12-22 18:34:09 -05:00 · 0b378b3ed8
commit 0b378b3ed8
parent 9fb190f07b
2 changed files with 42 additions and 0 deletions
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@ -125,3 +125,35 @@ func NewBackgroundSuccessEvent(policy, rule string, source Source, r *unstructur

 	return events
 }
+
+func NewPolicyExceptionEvent(engineResponse *response.EngineResponse, ruleResp *response.RuleResponse) Info {
+	var messageBuilder strings.Builder
+	defer messageBuilder.Reset()
+
+	exceptionName, exceptionNamespace := getExceptionEventInfoFromRuleResponseMsg(ruleResp.Message)
+
+	fmt.Fprintf(&messageBuilder, "resource %s was skipped from rule %s due to policy exception %s/%s", engineResponse.PatchedResource.GetName(), ruleResp.Name, exceptionNamespace, exceptionName)
+
+	return Info{
+		Kind:      getPolicyKind(engineResponse.Policy),
+		Name:      engineResponse.PolicyResponse.Policy.Name,
+		Namespace: engineResponse.PolicyResponse.Policy.Namespace,
+		Reason:    PolicySkipped.String(),
+		Message:   messageBuilder.String(),
+	}
+}
+
+func getExceptionEventInfoFromRuleResponseMsg(message string) (name string, namespace string) {
+	key := message[strings.LastIndex(message, " ")+1:]
+	arr := strings.Split(key, "/")
+
+	if len(arr) > 1 {
+		namespace = arr[0]
+		name = arr[1]
+	} else {
+		namespace = ""
+		name = arr[0]
+	}
+
+	return name, namespace
+}
--- a/pkg/webhooks/utils/event.go
+++ b/pkg/webhooks/utils/event.go
@ -1,6 +1,8 @@
 package utils

 import (
+	"strings"
+
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/event"
 )
@ -34,6 +36,14 @@ func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []
 					events = append(events, e)
 				}
 			}
+		} else if er.IsSkipped() { // Handle PolicyException Event
+			for i, ruleResp := range er.PolicyResponse.Rules {
+				isException := strings.Contains(ruleResp.Message, "rule skipped due to policy exception")
+				if ruleResp.Status == response.RuleStatusSkip && !blocked && isException {
+					e := event.NewPolicyExceptionEvent(er, &er.PolicyResponse.Rules[i])
+					events = append(events, e)
+				}
+			}
 		} else if !er.IsSkipped() {
 			e := event.NewPolicyAppliedEvent(event.AdmissionController, er)
 			events = append(events, e)