diff --git a/pkg/engine/api/policy.go b/pkg/engine/api/policy.go
index 038015dd14..584f3e33db 100644
--- a/pkg/engine/api/policy.go
+++ b/pkg/engine/api/policy.go
@@ -106,7 +106,7 @@ func (p *ValidatingAdmissionPolicy) GetNamespace() string {
 }
 
 func (p *ValidatingAdmissionPolicy) GetKind() string {
-	return p.policy.Kind
+	return "ValidatingAdmissionPolicy"
 }
 
 func (p *ValidatingAdmissionPolicy) GetResourceVersion() string {
diff --git a/pkg/event/events.go b/pkg/event/events.go
index e39efc6196..08fc563305 100644
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@@ -65,24 +65,29 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
 		res = fmt.Sprintf("%s %s", resource.GetKind(), resource.GetName())
 	}
 
-	pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
-	hasValidate := pol.GetSpec().HasValidate()
-	hasVerifyImages := pol.GetSpec().HasVerifyImages()
-	hasMutate := pol.GetSpec().HasMutate()
-
 	var action Action
-	if hasValidate || hasVerifyImages {
+	policy := engineResponse.Policy()
+	if policy.GetType() == engineapi.KyvernoPolicyType {
+		pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
+		hasValidate := pol.GetSpec().HasValidate()
+		hasVerifyImages := pol.GetSpec().HasVerifyImages()
+		hasMutate := pol.GetSpec().HasMutate()
+		if hasValidate || hasVerifyImages {
+			fmt.Fprintf(&bldr, "%s: pass", res)
+			action = ResourcePassed
+		} else if hasMutate {
+			fmt.Fprintf(&bldr, "%s is successfully mutated", res)
+			action = ResourceMutated
+		}
+	} else {
 		fmt.Fprintf(&bldr, "%s: pass", res)
 		action = ResourcePassed
-	} else if hasMutate {
-		fmt.Fprintf(&bldr, "%s is successfully mutated", res)
-		action = ResourceMutated
 	}
 
 	return Info{
-		Kind:              pol.GetKind(),
-		Name:              pol.GetName(),
-		Namespace:         pol.GetNamespace(),
+		Kind:              policy.GetKind(),
+		Name:              policy.GetName(),
+		Namespace:         policy.GetNamespace(),
 		RelatedAPIVersion: resource.GetAPIVersion(),
 		RelatedKind:       resource.GetKind(),
 		RelatedName:       resource.GetName(),
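Review bot: `GetKind` now returns a string literal and nothing in the hunk records why the typed object's own Kind is no longer trusted; presumably `p.policy.Kind` is empty on objects decoded by the client or informer, since TypeMeta is generally not populated there, which would have left the event's `involvedObject.kind` blank. A comment above the return, `// TypeMeta.Kind is typically empty on objects returned by the API client, so the kind is fixed here.`, would keep the next reader from reverting it to the field. If the package already declares this kind string as a constant, reuse it instead of a fresh literal so the two cannot drift.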
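Review bot: In the `KyvernoPolicyType` branch the type assertion `.(kyvernov1.PolicyInterface)` is still unchecked, so any mismatch between what `GetType()` reports and the concrete object behind `GetPolicy()` panics inside event generation instead of degrading to the generic message; a comma-ok form, `pol, ok := policy.GetPolicy().(kyvernov1.PolicyInterface)`, that falls through to the generic "pass" branch when `!ok` would be safer. The same line re-calls `engineResponse.Policy()` although `policy` already holds that value. The else branch silently assumes that every non-Kyverno policy type can only validate; a comment such as `// Non-Kyverno policies (presumably only ValidatingAdmissionPolicy today) cannot mutate, so a successful apply is always a pass.` would record that assumption, and the pre-existing case of a Kyverno policy with neither validate, verifyImages nor mutate still leaves `action` at its zero value and the message empty. NewPolicyAppliedEvent begins before this hunk and its `Info` literal continues past it.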
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml
new file mode 100644
index 0000000000..4532027a88
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- deployment.yaml
+assert:
+- deployment-assert.yaml
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml
new file mode 100644
index 0000000000..a2918426aa
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy.yaml
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml
new file mode 100644
index 0000000000..62a3d6d08b
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml
@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: sleep 5
\ No newline at end of file
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml
new file mode 100644
index 0000000000..cddf003e6d
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- policy-event.yaml
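Review bot: The `sleep 5` step in 03-sleep.yaml ties the test to wall-clock timing: on a slow cluster the event may not exist yet when 04-event.yaml runs, and on a fast one the step burns five seconds for nothing. kuttl assert steps already poll until the step timeout, so the sleep is likely redundant; if the scan genuinely needs more time, a larger `timeout:` on the 04 TestStep expresses that without a fixed delay. The file is also missing its trailing newline.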
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/README.md b/test/conformance/kuttl/validating-admission-policy-reports/events/README.md
new file mode 100644
index 0000000000..66fcee5812
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/README.md
@@ -0,0 +1,12 @@
+# Title
+
+This test checks for generated events when applying ValidatingAdmissionPolicies.
+
+## Expected Behavior
+
+
+This test creates a deployment with 4 replicas that violates the policy. It verifies policy violation events generation for the ValidatingAdmissionPolicy and the Deployment.
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/8781
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml
new file mode 100644
index 0000000000..f36d414d14
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail-01
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml
new file mode 100644
index 0000000000..ed0ac78bb2
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: deployment-fail-01
+  labels:
+    app: nginx-1
+spec:
+  replicas: 4
+  selector:
+    matchLabels:
+      app: nginx-1
+  template:
+    metadata:
+      labels:
+        app: nginx-1
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80
\ No newline at end of file
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml
new file mode 100644
index 0000000000..cfa76cfe07
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Event
+metadata:
+  namespace: default
+involvedObject:
+  kind: ValidatingAdmissionPolicy
+  name: check-deployment-replicas-vap
+reason: PolicyViolation
+action: Resource Passed
+reportingComponent: kyverno-scan
+type: Warning
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml
new file mode 100644
index 0000000000..a8e2e96850
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: check-deployment-replicas-vap
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups: ["apps"]
+      apiVersions: ["v1"]
+      operations: ["CREATE", "UPDATE"]
+      resources: ["deployments"]
+  validations:
+  - expression: "object.spec.replicas <= 3"
+    message: "Deployment spec.replicas must be less than 3."
\ No newline at end of file
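Review bot: policy-event.yaml only asserts the event whose `involvedObject` is the ValidatingAdmissionPolicy, so the Deployment-side event that the accompanying README says is verified is never checked; if that event is expected, add a second Event document to the assert with `involvedObject.kind: Deployment` and `involvedObject.name: deployment-fail-01` (its reason/action values depend on the emitter and should be confirmed against a live run). The assert also does not pin `message`, so any PolicyViolation event on this policy satisfies it; that is fine for a smoke test but should be a conscious choice. Note that `action: Resource Passed` on a Warning-type PolicyViolation reads oddly and is worth a one-line comment explaining that it reflects the audit (non-blocking) outcome, if that is indeed what the emitter produces.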
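Review bot: The validation message `Deployment spec.replicas must be less than 3.` contradicts the expression `object.spec.replicas <= 3`, under which exactly three replicas is allowed; since this string is what surfaces in the emitted event and report, change it to `message: "Deployment spec.replicas must be at most 3."` (or tighten the expression to `< 3` if that was the intent). `admissionregistration.k8s.io/v1alpha1` is an alpha API that requires the ValidatingAdmissionPolicy feature gate and API group to be enabled on the cluster, so the conformance job must run on a cluster configured that way or the apply step fails before any event is produced. The file also ends without a trailing newline.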