From 24f8b877b64b603b3b9081df553d3d2f9b41ff9b Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Wed, 1 Nov 2023 04:15:23 +0000
Subject: [PATCH] fix: generate events for scanning VAPs in reports controller (#8783) (#8804)
Co-authored-by: Mariam Fahmy
---
 pkg/engine/api/policy.go | 2 +-
 pkg/event/events.go | 29 +++++++++++--------
 .../events/01-deployment.yaml | 6 ++++
 .../events/02-policy.yaml | 6 ++++
 .../events/03-sleep.yaml | 5 ++++
 .../events/04-event.yaml | 4 +++
 .../events/README.md | 12 ++++++++
 .../events/deployment-assert.yaml | 4 +++
 .../events/deployment.yaml | 21 ++++++++++++++
 .../events/policy-event.yaml | 11 +++++++
 .../events/policy.yaml | 14 +++++++
 11 files changed, 101 insertions(+), 13 deletions(-)
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/README.md
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml
 create mode 100644 test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml
diff --git a/pkg/engine/api/policy.go b/pkg/engine/api/policy.go
index 038015dd14..584f3e33db 100644
--- a/pkg/engine/api/policy.go
+++ b/pkg/engine/api/policy.go
@@ -106,7 +106,7 @@ func (p *ValidatingAdmissionPolicy) GetNamespace() string {
 }
 func (p *ValidatingAdmissionPolicy) GetKind() string {
- return p.policy.Kind
+ return "ValidatingAdmissionPolicy"
 }
 func (p *ValidatingAdmissionPolicy) GetResourceVersion() string {
diff --git a/pkg/event/events.go b/pkg/event/events.go
index e39efc6196..08fc563305 100644
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@@ -65,24 +65,29 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
 res = fmt.Sprintf("%s %s", resource.GetKind(), resource.GetName())
 }
- pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
- hasValidate := pol.GetSpec().HasValidate()
- hasVerifyImages := pol.GetSpec().HasVerifyImages()
- hasMutate := pol.GetSpec().HasMutate()
-
 var action Action
- if hasValidate || hasVerifyImages {
+ policy := engineResponse.Policy()
+ if policy.GetType() == engineapi.KyvernoPolicyType {
+ pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)
+ hasValidate := pol.GetSpec().HasValidate()
+ hasVerifyImages := pol.GetSpec().HasVerifyImages()
+ hasMutate := pol.GetSpec().HasMutate()
+ if hasValidate || hasVerifyImages {
+ fmt.Fprintf(&bldr, "%s: pass", res)
+ action = ResourcePassed
+ } else if hasMutate {
+ fmt.Fprintf(&bldr, "%s is successfully mutated", res)
+ action = ResourceMutated
+ }
+ } else {
 fmt.Fprintf(&bldr, "%s: pass", res)
 action = ResourcePassed
- } else if hasMutate {
- fmt.Fprintf(&bldr, "%s is successfully mutated", res)
- action = ResourceMutated
 }
 return Info{
- Kind: pol.GetKind(),
- Name: pol.GetName(),
- Namespace: pol.GetNamespace(),
+ Kind: policy.GetKind(),
+ Name: policy.GetName(),
+ Namespace: policy.GetNamespace(),
 RelatedAPIVersion: resource.GetAPIVersion(),
 RelatedKind: resource.GetKind(),
 RelatedName: resource.GetName(),
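Review bot: GetKind now returns a literal instead of p.policy.Kind, but nothing in the hunk says why the struct field stopped being trusted; presumably TypeMeta.Kind is empty on objects obtained through typed clients or informers, which would explain the blank Kind in generated events. A one-line comment would stop the next reader from "simplifying" it back: `// TypeMeta is not reliably populated on typed objects, so report the kind by name rather than p.policy.Kind.` Any sibling accessor on this type that still reads from TypeMeta would have the same problem and is worth checking. GetNamespace and GetResourceVersion are cut by the hunk edges, so only GetKind is reviewed here.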
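Review bot: The new else branch in NewPolicyAppliedEvent reports every non-Kyverno policy type as a validation that passed, so a policy type added later would silently produce a "pass" message with action ResourcePassed; the intent today is presumably only ValidatingAdmissionPolicy. Make that explicit, either with a comment on the branch, `// non-Kyverno policies (ValidatingAdmissionPolicy) can only validate, so a clean response is a pass`, or by switching on policy.GetType() and naming each type. Inside the Kyverno branch, `pol := engineResponse.Policy().GetPolicy().(kyvernov1.PolicyInterface)` calls Policy() a second time although `policy` is bound on the line above; `pol := policy.GetPolicy().(kyvernov1.PolicyInterface)` reads better and makes the guard-and-assert pairing obvious. NewPolicyAppliedEvent starts and ends outside the hunk.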
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml
new file mode 100644
index 0000000000..4532027a88
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/01-deployment.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- deployment.yaml
+assert:
+- deployment-assert.yaml
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml
new file mode 100644
index 0000000000..a2918426aa
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/02-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy.yaml
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml
new file mode 100644
index 0000000000..62a3d6d08b
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/03-sleep.yaml
@@ -0,0 +1,5 @@
+# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: sleep 5
\ No newline at end of file
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml
new file mode 100644
index 0000000000..cddf003e6d
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/04-event.yaml
@@ -0,0 +1,4 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- policy-event.yaml
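Review bot: The fixed `sleep 5` in 03-sleep.yaml encodes a timing assumption rather than a condition: on a slow cluster the background scan may not have emitted the event within 5 s and the following assert fails, while on a fast one the step just wastes time. If kuttl's assert step polls until the test timeout, as I believe it does, the sleep step can be dropped and the assert in 04-event.yaml on policy-event.yaml will wait for the event on its own. If the step is kept, its comment should say what it waits for, e.g. `# give the background scan time to process the policy and emit events`, instead of the generic kuttl boilerplate.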
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/README.md b/test/conformance/kuttl/validating-admission-policy-reports/events/README.md
new file mode 100644
index 0000000000..66fcee5812
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/README.md
@@ -0,0 +1,12 @@
+# Title
+
+This test checks for generated events when applying ValidatingAdmissionPolicies.
+
+## Expected Behavior
+
+
+This test creates a deployment with 4 replicas that violates the policy. It verifies policy violation events generation for the ValidatingAdmissionPolicy and the Deployment.
+
+## Reference Issues
+
+https://github.com/kyverno/kyverno/issues/8781
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml
new file mode 100644
index 0000000000..f36d414d14
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-fail-01
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml
new file mode 100644
index 0000000000..ed0ac78bb2
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/deployment.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment-fail-01
+ labels:
+ app: nginx-1
+spec:
+ replicas: 4
+ selector:
+ matchLabels:
+ app: nginx-1
+ template:
+ metadata:
+ labels:
+ app: nginx-1
+ spec:
+ containers:
+ - name: nginx
+ image: nginx:1.14.2
+ ports:
+ - containerPort: 80
\ No newline at end of file
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml
new file mode 100644
index 0000000000..cfa76cfe07
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/policy-event.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Event
+metadata:
+ namespace: default
+involvedObject:
+ kind: ValidatingAdmissionPolicy
+ name: check-deployment-replicas-vap
+reason: PolicyViolation
+action: Resource Passed
+reportingComponent: kyverno-scan
+type: Warning
diff --git a/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml b/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml
new file mode 100644
index 0000000000..a8e2e96850
--- /dev/null
+++ b/test/conformance/kuttl/validating-admission-policy-reports/events/policy.yaml
@@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: check-deployment-replicas-vap
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["apps"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["deployments"]
+ validations:
+ - expression: "object.spec.replicas <= 3"
+ message: "Deployment spec.replicas must be less than 3."
\ No newline at end of file
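Review bot: policy-event.yaml only asserts the Event whose involvedObject is the ValidatingAdmissionPolicy, while README.md states the test verifies violation events for both the policy and the Deployment; no assert for an Event with `involvedObject.kind: Deployment` and `involvedObject.name: deployment-fail-01` is part of the change, and 04-event.yaml lists only policy-event.yaml. Either add that second Event document to the assert or narrow the README wording to what is actually checked. The assert also leaves `message` unchecked, so any PolicyViolation event on this policy satisfies it; if the emitted message is stable, asserting it would make the test distinguish a real violation report from a generic one.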
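Review bot: The validation message in policy.yaml contradicts its expression: `object.spec.replicas <= 3` admits exactly 3 replicas, yet the message says "must be less than 3". Since this message is what the admission response and, plausibly, the generated event carry to users, `message: "Deployment spec.replicas must be at most 3."` keeps the two consistent. Using `admissionregistration.k8s.io/v1alpha1` also pins the test to clusters with the alpha ValidatingAdmissionPolicy API and feature gate enabled, which the README could state alongside the expected behavior.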