fix: generate events for scanning VAPs in reports controller (#8783) (#8804)

Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-11-01 04:15:23 +00:00 · 2023-11-01 04:15:23 +00:00 · 24f8b877b6
commit 24f8b877b6
parent 0a98200abd
11 changed files with 101 additions and 13 deletions
--- a/pkg/engine/api/policy.go
+++ b/pkg/engine/api/policy.go
@ -106,7 +106,7 @@ func (p *ValidatingAdmissionPolicy) GetNamespace() string {
 }

 func (p *ValidatingAdmissionPolicy) GetKind() string {
-	return p.policy.Kind
+	return "ValidatingAdmissionPolicy"
 }

 func (p *ValidatingAdmissionPolicy) GetResourceVersion() string {
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@ -65,24 +65,29 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
 		res = fmt.Sprintf("%s %s", resource.GetKind(), resource.GetName())
 	}

-	pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
-	hasValidate := pol.GetSpec().HasValidate()
-	hasVerifyImages := pol.GetSpec().HasVerifyImages()
-	hasMutate := pol.GetSpec().HasMutate()
-
 	var action Action
-	if hasValidate || hasVerifyImages {
+	policy := engineResponse.Policy()
+	if policy.GetType() == engineapi.KyvernoPolicyType {
+		pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
+		hasValidate := pol.GetSpec().HasValidate()
+		hasVerifyImages := pol.GetSpec().HasVerifyImages()
+		hasMutate := pol.GetSpec().HasMutate()
+		if hasValidate || hasVerifyImages {
+			fmt.Fprintf(&bldr, "%s: pass", res)
+			action = ResourcePassed
+		} else if hasMutate {
+			fmt.Fprintf(&bldr, "%s is successfully mutated", res)
+			action = ResourceMutated
+		}
+	} else {
 		fmt.Fprintf(&bldr, "%s: pass", res)
 		action = ResourcePassed
-	} else if hasMutate {
-		fmt.Fprintf(&bldr, "%s is successfully mutated", res)
-		action = ResourceMutated
 	}

 	return Info{
-		Kind:              pol.GetKind(),
-		Name:              pol.GetName(),
-		Namespace:         pol.GetNamespace(),
+		Kind:              policy.GetKind(),
+		Name:              policy.GetName(),
+		Namespace:         policy.GetNamespace(),
 		RelatedAPIVersion: resource.GetAPIVersion(),
 		RelatedKind:       resource.GetKind(),
 		RelatedName:       resource.GetName(),
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- deployment.yaml
+assert:
+- deployment-assert.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml
@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml
@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- policy-event.yaml
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/README.md
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/README.md
@ -0,0 +1,12 @@
+# Title
+
+This test checks for generated events when applying ValidatingAdmissionPolicies.
+
+## Expected Behavior
+
+
+This test creates a deployment with 4 replicas that violates the policy. It verifies policy violation events generation for the ValidatingAdmissionPolicy and the Deployment.
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/8781
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml
@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail-01
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml
@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail-01
+  labels:
+    app: nginx-1
+spec:
+  replicas: 4
+  selector:
+    matchLabels:
+      app: nginx-1
+  template:
+    metadata:
+      labels:
+        app: nginx-1
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Event
+metadata:
+  namespace: default
+involvedObject:
+  kind: ValidatingAdmissionPolicy
+  name: check-deployment-replicas-vap
+reason: PolicyViolation
+action: Resource Passed
+reportingComponent: kyverno-scan
+type: Warning
--- a/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml
@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: check-deployment-replicas-vap
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  validations:
+    - expression: "object.spec.replicas <= 3"
+      message: "Deployment spec.replicas must be less than 3."