mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

adding --audit-warn flag ()

Browse source 
Signed-off-by: Steven Lahouchuc <stelah1423@gmail.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
This commit is contained in:
Steven Lahouchuc 2022-11-21 09:21:32 -05:00 committed by GitHub
parent 815a0e4297
commit 1960ced030
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 9 deletions
cmd/cli/kubectl-kyverno
apply
apply_command.goapply_command_test.goreport_test.go
utils/common
common.go

3
cmd/cli/kubectl-kyverno/apply/apply_command.go
View file

@ -55,6 +55,7 @@ type ApplyCommandConfig struct {
PolicyReport bool PolicyReport bool
Stdin bool Stdin bool
RegistryAccess bool RegistryAccess bool
AuditWarn bool
ResourcePaths []string ResourcePaths []string
PolicyPaths []string PolicyPaths []string
} }
@ -163,6 +164,7 @@ func Command() *cobra.Command {
cmd.Flags().BoolVarP(&applyCommandConfig.RegistryAccess, "registry", "", false, "If set to true, access the image registry using local docker credentials to populate external data") cmd.Flags().BoolVarP(&applyCommandConfig.RegistryAccess, "registry", "", false, "If set to true, access the image registry using local docker credentials to populate external data")
cmd.Flags().StringVarP(&applyCommandConfig.KubeConfig, "kubeconfig", "", "", "path to kubeconfig file with authorization and master location information") cmd.Flags().StringVarP(&applyCommandConfig.KubeConfig, "kubeconfig", "", "", "path to kubeconfig file with authorization and master location information")
cmd.Flags().StringVarP(&applyCommandConfig.Context, "context", "", "", "The name of the kubeconfig context to use") cmd.Flags().StringVarP(&applyCommandConfig.Context, "context", "", "", "The name of the kubeconfig context to use")
cmd.Flags().BoolVarP(&applyCommandConfig.AuditWarn, "audit-warn", "", false, "If set to true, will flag audit policies as warnings instead of failures")
return cmd return cmd
} }
@ -360,6 +362,7 @@ func (c *ApplyCommandConfig) applyCommandHelper() (rc *common.ResultCounts, reso
Rc: rc, Rc: rc,
PrintPatchResource: true, PrintPatchResource: true,
Client: dClient, Client: dClient,
AuditWarn: c.AuditWarn,
} }
_, info, err := common.ApplyPolicyOnResource(applyPolicyConfig) _, info, err := common.ApplyPolicyOnResource(applyPolicyConfig)
if err != nil { if err != nil {

19
cmd/cli/kubectl-kyverno/apply/apply_command_test.go
View file

@ -70,6 +70,25 @@ func Test_Apply(t *testing.T) {
}, },
}, },
}, },
{
config: ApplyCommandConfig{
PolicyPaths: []string{"../../../../test/best_practices/disallow_latest_tag.yaml"},
ResourcePaths: []string{"../../../../test/resources/pod_with_latest_tag.yaml"},
PolicyReport: true,
AuditWarn: true,
},
expectedPolicyReports: []preport.PolicyReport{
{
Summary: preport.PolicyReportSummary{
Pass: 1,
Fail: 0,
Skip: 0,
Error: 0,
Warn: 1,
},
},
},
},
} }
compareSummary := func(expected preport.PolicyReportSummary, actual map[string]interface{}) { compareSummary := func(expected preport.PolicyReportSummary, actual map[string]interface{}) {

4
cmd/cli/kubectl-kyverno/apply/report_test.go
View file

@ -96,7 +96,7 @@ func Test_buildPolicyReports(t *testing.T) {
err = json.Unmarshal(rawEngRes, &er) err = json.Unmarshal(rawEngRes, &er)
assert.NilError(t, err) assert.NilError(t, err)
info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true) info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true, false)
pvInfos = append(pvInfos, info) pvInfos = append(pvInfos, info)
reports := buildPolicyReports(pvInfos) reports := buildPolicyReports(pvInfos)
@ -132,7 +132,7 @@ func Test_buildPolicyResults(t *testing.T) {
err = json.Unmarshal(rawEngRes, &er) err = json.Unmarshal(rawEngRes, &er)
assert.NilError(t, err) assert.NilError(t, err)
info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true) info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true, false)
pvInfos = append(pvInfos, info) pvInfos = append(pvInfos, info)
results := buildPolicyResults(pvInfos) results := buildPolicyResults(pvInfos)

29
cmd/cli/kubectl-kyverno/utils/common/common.go
View file

@ -83,6 +83,7 @@ type ApplyPolicyConfig struct {
PrintPatchResource bool PrintPatchResource bool
RuleToCloneSourceResource map[string]string RuleToCloneSourceResource map[string]string
Client dclient.Interface Client dclient.Interface
AuditWarn bool
} }
// HasVariables - check for variables in the policy // HasVariables - check for variables in the policy
@ -480,7 +481,7 @@ OuterLoop:
var validateResponse *response.EngineResponse var validateResponse *response.EngineResponse
if policyHasValidate { if policyHasValidate {
validateResponse = engine.Validate(policyContext) validateResponse = engine.Validate(policyContext)
info = ProcessValidateEngineResponse(c.Policy, validateResponse, resPath, c.Rc, c.PolicyReport) info = ProcessValidateEngineResponse(c.Policy, validateResponse, resPath, c.Rc, c.PolicyReport, c.AuditWarn)
} }
if validateResponse != nil && !validateResponse.IsEmpty() { if validateResponse != nil && !validateResponse.IsEmpty() {
@ -490,7 +491,7 @@ OuterLoop:
verifyImageResponse, _ := engine.VerifyAndPatchImages(policyContext) verifyImageResponse, _ := engine.VerifyAndPatchImages(policyContext)
if verifyImageResponse != nil && !verifyImageResponse.IsEmpty() { if verifyImageResponse != nil && !verifyImageResponse.IsEmpty() {
engineResponses = append(engineResponses, verifyImageResponse) engineResponses = append(engineResponses, verifyImageResponse)
info = ProcessValidateEngineResponse(c.Policy, verifyImageResponse, resPath, c.Rc, c.PolicyReport) info = ProcessValidateEngineResponse(c.Policy, verifyImageResponse, resPath, c.Rc, c.PolicyReport, c.AuditWarn)
} }
var policyHasGenerate bool var policyHasGenerate bool
@ -521,7 +522,7 @@ OuterLoop:
} }
engineResponses = append(engineResponses, generateResponse) engineResponses = append(engineResponses, generateResponse)
} }
updateResultCounts(c.Policy, generateResponse, resPath, c.Rc) updateResultCounts(c.Policy, generateResponse, resPath, c.Rc, c.AuditWarn)
} }
return engineResponses, info, nil return engineResponses, info, nil
@ -673,7 +674,7 @@ func GetResourceAccordingToResourcePath(fs billy.Filesystem, resourcePaths []str
return resources, err return resources, err
} }
func ProcessValidateEngineResponse(policy kyvernov1.PolicyInterface, validateResponse *response.EngineResponse, resPath string, rc *ResultCounts, policyReport bool) Info { func ProcessValidateEngineResponse(policy kyvernov1.PolicyInterface, validateResponse *response.EngineResponse, resPath string, rc *ResultCounts, policyReport bool, auditWarn bool) Info {
var violatedRules []kyvernov1.ViolatedRule var violatedRules []kyvernov1.ViolatedRule
printCount := 0 printCount := 0
@ -698,11 +699,16 @@ func ProcessValidateEngineResponse(policy kyvernov1.PolicyInterface, validateRes
vrule.Status = policyreportv1alpha2.StatusPass vrule.Status = policyreportv1alpha2.StatusPass
case response.RuleStatusFail: case response.RuleStatusFail:
auditWarning := false
ann := policy.GetAnnotations() ann := policy.GetAnnotations()
if scored, ok := ann[kyvernov1.AnnotationPolicyScored]; ok && scored == "false" { if scored, ok := ann[kyvernov1.AnnotationPolicyScored]; ok && scored == "false" {
rc.Warn++ rc.Warn++
vrule.Status = policyreportv1alpha2.StatusWarn vrule.Status = policyreportv1alpha2.StatusWarn
break break
} else if auditWarn && validateResponse.GetValidationFailureAction().Audit() {
rc.Warn++
auditWarning = true
vrule.Status = policyreportv1alpha2.StatusWarn
} else { } else {
rc.Fail++ rc.Fail++
vrule.Status = policyreportv1alpha2.StatusFail vrule.Status = policyreportv1alpha2.StatusFail
@ -710,7 +716,11 @@ func ProcessValidateEngineResponse(policy kyvernov1.PolicyInterface, validateRes
if !policyReport { if !policyReport {
if printCount < 1 { if printCount < 1 {
fmt.Printf("\npolicy %s -> resource %s failed: \n", policy.GetName(), resPath) if auditWarning {
fmt.Printf("\npolicy %s -> resource %s failed as audit warning: \n", policy.GetName(), resPath)
} else {
fmt.Printf("\npolicy %s -> resource %s failed: \n", policy.GetName(), resPath)
}
printCount++ printCount++
} }
@ -763,7 +773,7 @@ func buildPVInfo(er *response.EngineResponse, violatedRules []kyvernov1.Violated
return info return info
} }
func updateResultCounts(policy kyvernov1.PolicyInterface, engineResponse *response.EngineResponse, resPath string, rc *ResultCounts) { func updateResultCounts(policy kyvernov1.PolicyInterface, engineResponse *response.EngineResponse, resPath string, rc *ResultCounts, auditWarn bool) {
printCount := 0 printCount := 0
for _, policyRule := range autogen.ComputeRules(policy) { for _, policyRule := range autogen.ComputeRules(policy) {
ruleFoundInEngineResponse := false ruleFoundInEngineResponse := false
@ -779,7 +789,12 @@ func updateResultCounts(policy kyvernov1.PolicyInterface, engineResponse *respon
printCount++ printCount++
} }
fmt.Printf("%d. %s - %s\n", i+1, ruleResponse.Name, ruleResponse.Message) fmt.Printf("%d. %s - %s\n", i+1, ruleResponse.Name, ruleResponse.Message)
rc.Fail++
if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
rc.Warn++
} else {
rc.Fail++
}
} }
continue continue
} }