mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 07:57:07 +00:00
Indicate in report result the origin, admission, or background (#12056)
* Indicate in report result the origin, admission or background Signed-off-by: Rohanraj123 <rajrohan88293@gmail.com> * Add Null check on AsKyvernoPolicy() method Signed-off-by: Rohanraj123 <rajrohan88293@gmail.com> --------- Signed-off-by: Rohanraj123 <rajrohan88293@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
parent
f2f724469d
commit
1202eef054
2 changed files with 72 additions and 55 deletions
|
@ -183,15 +183,16 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
|
||||
ruleResponse: *engineapi.RuleSkip("xxx", engineapi.Mutation, "test", nil),
|
||||
want: policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusSkip,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusSkip,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Properties: map[string]string{"source": "admission review"},
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
},
|
||||
}, {
|
||||
name: "pass",
|
||||
|
@ -199,15 +200,16 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
|
||||
ruleResponse: *engineapi.RulePass("xxx", engineapi.Mutation, "test", nil),
|
||||
want: policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusPass,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Properties: map[string]string{"source": "admission review"},
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
},
|
||||
}, {
|
||||
name: "fail",
|
||||
|
@ -215,15 +217,16 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
|
||||
ruleResponse: *engineapi.RuleFail("xxx", engineapi.Mutation, "test", nil),
|
||||
want: policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusFail,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusFail,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Properties: map[string]string{"source": "admission review"},
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
},
|
||||
}, {
|
||||
name: "fail - audit warn",
|
||||
|
@ -231,15 +234,16 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
|
||||
ruleResponse: *engineapi.RuleFail("xxx", engineapi.Mutation, "test", nil),
|
||||
want: policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusWarn,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusWarn,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Properties: map[string]string{"source": "admission review"},
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
},
|
||||
}, {
|
||||
name: "error",
|
||||
|
@ -247,15 +251,16 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
|
||||
ruleResponse: *engineapi.RuleError("xxx", engineapi.Mutation, "test", nil, nil),
|
||||
want: policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusError,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusError,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Properties: map[string]string{"source": "admission review"},
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
},
|
||||
}, {
|
||||
name: "warn",
|
||||
|
@ -263,15 +268,16 @@ func TestComputePolicyReportResult(t *testing.T) {
|
|||
engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil),
|
||||
ruleResponse: *engineapi.RuleWarn("xxx", engineapi.Mutation, "test", nil),
|
||||
want: policyreportv1alpha2.PolicyReportResult{
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusWarn,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Source: "kyverno",
|
||||
Policy: "pod-requirements",
|
||||
Rule: "xxx",
|
||||
Result: policyreportv1alpha2.StatusWarn,
|
||||
Resources: []corev1.ObjectReference{{}},
|
||||
Message: "test",
|
||||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Properties: map[string]string{"source": "admission review"},
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
},
|
||||
}}
|
||||
for _, tt := range tests {
|
||||
|
@ -311,7 +317,7 @@ func TestPSSComputePolicyReportResult(t *testing.T) {
|
|||
Scored: true,
|
||||
Category: "Pod Security Standards (Restricted)",
|
||||
Severity: policyreportv1alpha2.SeverityMedium,
|
||||
Properties: nil,
|
||||
Properties: map[string]string{"source": "background scan"},
|
||||
},
|
||||
}}
|
||||
for _, tt := range tests {
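Review bot: No visible test case covers a policy with both admission and background processing enabled, or a policy for which `AsKyvernoPolicy()` returns nil, which is the path the nil check in this commit was added for. Every updated expectation in `TestComputePolicyReportResult` asserts `"source": "admission review"`, and the single one in `TestPSSComputePolicyReportResult` asserts `"source": "background scan"`. Add one table entry for each missing case, so the precedence between the two labels and the outcome when no source is set are pinned by a test. Both test functions begin and end outside the hunks shown, so such cases may already exist elsewhere in the file.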
|
||||
|
|
|
@ -106,6 +106,17 @@ func ToPolicyReportResult(pol engineapi.GenericPolicy, ruleResult engineapi.Rule
|
|||
Category: annotations[kyverno.AnnotationPolicyCategory],
|
||||
Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
|
||||
}
|
||||
|
||||
source := ""
|
||||
if kyvernoPolicy := pol.AsKyvernoPolicy(); kyvernoPolicy != nil {
|
||||
if kyvernoPolicy.BackgroundProcessingEnabled() {
|
||||
source = "background scan"
|
||||
} else if kyvernoPolicy.AdmissionProcessingEnabled() {
|
||||
source = "admission review"
|
||||
}
|
||||
}
|
||||
addProperty("source", source, &result)
|
||||
|
||||
if result.Result == "fail" && !result.Scored {
|
||||
result.Result = "warn"
|
||||
}
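Review bot: The `source` value added here comes from the policy's configuration (`BackgroundProcessingEnabled()` / `AdmissionProcessingEnabled()`), not from the run that produced this result, so a policy with both modes enabled is always labelled `background scan`, even for a result generated during admission. Anyone reading this property as an audit trail of where a finding came from would be misled. Either have the caller that knows which path ran supply the origin, or document the property as configuration-derived, e.g. `// source reflects which processing modes the policy enables (background wins when both are set), not the scan that produced this result`. When neither branch matches, or `AsKyvernoPolicy()` returns nil, `addProperty` is called with an empty string; `addProperty` is not shown, so confirm it skips empty values rather than writing `"source": ""`. The body of `ToPolicyReportResult` starts and ends outside the hunk.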
|
||||
|
|