From 26df05d8c18572c80525aa318f2ecc73a0d93741 Mon Sep 17 00:00:00 2001 From: Suruchi Kumari Date: Fri, 8 Mar 2024 03:24:00 +0530 Subject: [PATCH] [Bug] [CLI] PSS report does not show properties with control details (#9785) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * add properties in pss report Signed-off-by: GitHub Signed-off-by: Jim Bugwadia * remove tests Signed-off-by: GitHub Signed-off-by: Jim Bugwadia * fix Signed-off-by: GitHub Signed-off-by: Jim Bugwadia * fix lint Signed-off-by: GitHub Signed-off-by: Jim Bugwadia * chore: move chainsaw config at the root of the repo (#9768) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Jim Bugwadia * chore(deps): bump svenstaro/upload-release-action from 2.7.0 to 2.9.0 (#9767) Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.7.0 to 2.9.0. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/svenstaro/upload-release-action/compare/1beeb572c19a9242f4361f4cee78f8e0d9aec5df...04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * add test Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * fill properties field in test Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * remove unwanted folders Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * remote gitpod file Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * fix: remove unnecessary podSecurity chainsaw test (#9791) Signed-off-by: Mariam Fahmy Signed-off-by: Jim Bugwadia * fix: remove unnecessary validation check for podSecurity rule (#9790) Signed-off-by: Mariam Fahmy Signed-off-by: Jim Bugwadia * update versions (#9783) Signed-off-by: Jim Bugwadia * chore: add tests for exceptions in the CLI (#9781) Signed-off-by: Mariam Fahmy Signed-off-by: Jim Bugwadia * chore(deps): bump go.opentelemetry.io/otel/sdk/metric (#9799) Bumps [go.opentelemetry.io/otel/sdk/metric](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/sdk/metric dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc (#9797) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump codecov/codecov-action from 4.0.1 to 4.0.2 (#9794) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/e0b68c6749509c5f83f984dd99a76a1c1a231044...0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump go.opentelemetry.io/otel/exporters/prometheus (#9796) Bumps [go.opentelemetry.io/otel/exporters/prometheus](https://github.com/open-telemetry/opentelemetry-go) from 0.45.2 to 0.46.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/example/prometheus/v0.45.2...example/prometheus/v0.46.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/prometheus dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace (#9795) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * changes Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#9798) Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go) from 1.23.1 to 1.24.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.23.1...v1.24.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump codecov/codecov-action from 4.0.2 to 4.1.0 (#9811) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.0.2 to 4.1.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/0cfda1dd0a4ad9efc75517f399d859cd1ea4ced1...54bcd8715eee62d40e33596ef5e8f0f48dbbccab) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#9809) Bumps [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://github.com/open-telemetry/opentelemetry-go-contrib) from 0.48.0 to 0.49.0. - [Release notes](https://github.com/open-telemetry/opentelemetry-go-contrib/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go-contrib/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go-contrib/compare/zpages/v0.48.0...zpages/v0.49.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0 (#9810) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.19.0 to 0.20.0. - [Commits](https://github.com/golang/crypto/compare/v0.19.0...v0.20.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * fix lint Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * fix(globalcontext): old WaitGroup not stopping (#9813) * fix(globalcontext): old waitgroup not stopping Signed-off-by: Khaled Emara * chore(globalcontext): add AGE Signed-off-by: Khaled Emara * feat(globalcontext): add lastRefreshTime Signed-off-by: Khaled Emara * fix(globalcontext): unhandled intormer run exception Signed-off-by: Khaled Emara * chore(globalcontext): comment wording Signed-off-by: Khaled Emara * chore(globalcontext): codegen Signed-off-by: Khaled Emara * fix(globalcontext): linter Signed-off-by: Khaled Emara --------- Signed-off-by: Khaled Emara Signed-off-by: Jim Bugwadia * add empty declaration of properties Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * add changes Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * fix: add podSecurity validation checks for exceptions (#9817) Signed-off-by: Mariam Fahmy Signed-off-by: Jim Bugwadia * chore(deps): bump github.com/sigstore/sigstore from 1.8.1 to 1.8.2 (#9825) Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/hashivault (#9821) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#9823) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump kyverno/action-install-chainsaw from 0.1.6 to 0.1.7 (#9832) Bumps [kyverno/action-install-chainsaw](https://github.com/kyverno/action-install-chainsaw) from 0.1.6 to 0.1.7. - [Release notes](https://github.com/kyverno/action-install-chainsaw/releases) - [Commits](https://github.com/kyverno/action-install-chainsaw/compare/204730d723e1fd712e54e069031290ba2c1c14bd...3bf0752f44d348d859fefa022f113bda6a24a1ae) --- updated-dependencies: - dependency-name: kyverno/action-install-chainsaw dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 (#9831) Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.17.0 to 0.18.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/84384bd6e777ef152729993b8145ea352e9dd3ef...062f2592684a31eb3aa050cc61e7ca1451cecd3d) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#9830) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * [Bug] [CLI] Restore warn-exit-code functionality for apply command (#9828) * Restore warn-exite-code functionality for apply command Signed-off-by: Matt Veitas * Nove error handling Signed-off-by: Matt Veitas * Uncomment println statement Signed-off-by: Matt Veitas * Fixing linting Signed-off-by: Matt Veitas * Adding conformance tets for cli apply command with warn-exit-code Signed-off-by: Matt Veitas * Update path to kubectl-kyverno binary Signed-off-by: Matt Veitas * Add prepare-cli as needed dependency Signed-off-by: Matt Veitas * feat: install kubectl-kyverno in standard conformance tests Signed-off-by: ShutingZhao * fix: update chainsaw config Signed-off-by: ShutingZhao * fix: move CLI chainsaw tests to a separate action Signed-off-by: ShutingZhao * fix: CLI path Signed-off-by: ShutingZhao * fix: name Signed-off-by: ShutingZhao * fix: add chainsaw flag '--no-cluster' Signed-off-by: ShutingZhao * fix: CLI name Signed-off-by: ShutingZhao --------- Signed-off-by: Matt Veitas Signed-off-by: ShutingZhao Signed-off-by: shuting Co-authored-by: ShutingZhao Signed-off-by: Jim Bugwadia * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#9822) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * remove comment and shift line 91 Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * modify test Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * added rseperate function for adding properties in result Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * fix test Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * add test for pss report Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * remove comments Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * fix: remove duplicate chainsaw tests for PSA (#9835) Signed-off-by: Mariam Fahmy Signed-off-by: Jim Bugwadia * modify policy Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * modify policy in test_dta Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * docs: Add new adopter to ADOPTERS.md (#9841) Signed-off-by: Younsung Lee Signed-off-by: Jim Bugwadia * fix: use gcr crane opts while fetching image descriptors (#9838) Signed-off-by: Vishal Choudhary Signed-off-by: Jim Bugwadia * fix: add missing unit tests for podSecurity.hostpathVolume check (#9845) * fix: add missing unit tests Signed-off-by: ShutingZhao * fix: update pinned lib Signed-off-by: ShutingZhao * fix: uncomment code Signed-off-by: ShutingZhao --------- Signed-off-by: ShutingZhao Signed-off-by: Jim Bugwadia * fix: release CRDs manifests (#9849) Signed-off-by: Charles-Edouard Brétéché Signed-off-by: Jim Bugwadia * chore(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0 (#9842) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Jim Bugwadia * fix name access for policy types Signed-off-by: Jim Bugwadia * modify pkg report Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * modify name Signed-off-by: Suruchi Kumari Signed-off-by: Jim Bugwadia * add bindings Signed-off-by: Jim Bugwadia * Revert "add bindings" This reverts commit c616c11d9bb4dd0554104025fcfb9cf9e25dc02d. Signed-off-by: Jim Bugwadia * revert add bindings Signed-off-by: Jim Bugwadia * update chainsaw Signed-off-by: Jim Bugwadia * update name Signed-off-by: Jim Bugwadia * Revert "update name" This reverts commit 84de45b4ce1c5f94d8cbd0a66e893c7907f4a600. Signed-off-by: Jim Bugwadia * simplify results Signed-off-by: Jim Bugwadia --------- Signed-off-by: GitHub Signed-off-by: Jim Bugwadia Signed-off-by: Charles-Edouard Brétéché Signed-off-by: dependabot[bot] Signed-off-by: Suruchi Kumari Signed-off-by: Mariam Fahmy Signed-off-by: Khaled Emara Signed-off-by: Matt Veitas Signed-off-by: ShutingZhao Signed-off-by: shuting Signed-off-by: Younsung Lee Signed-off-by: Vishal Choudhary Co-authored-by: Charles-Edouard Brétéché Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Mariam Fahmy Co-authored-by: Jim Bugwadia Co-authored-by: Khaled Emara Co-authored-by: Matt Veitas Co-authored-by: ShutingZhao Co-authored-by: Younsung Lee Co-authored-by: Vishal Choudhary --- .chainsaw.yaml | 2 +- .../_testdata/policies/restricted.yaml | 23 +++ cmd/cli/kubectl-kyverno/report/report.go | 53 ++----- cmd/cli/kubectl-kyverno/report/report_test.go | 57 ++++++-- pkg/utils/report/results.go | 133 +++++++++--------- 5 files changed, 156 insertions(+), 112 deletions(-) create mode 100644 cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml diff --git a/.chainsaw.yaml b/.chainsaw.yaml index b32d689e13..1f5763c914 100755 --- a/.chainsaw.yaml +++ b/.chainsaw.yaml @@ -1,7 +1,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Configuration metadata: - name: congiguration + name: configuration spec: timeouts: assert: 90s diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml new file mode 100644 index 0000000000..7cf97bb114 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + name: psa +spec: + background: true + rules: + - name: restricted + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/report/report.go b/cmd/cli/kubectl-kyverno/report/report.go index 8c5b7066ce..1bfabd0659 100644 --- a/cmd/cli/kubectl-kyverno/report/report.go +++ b/cmd/cli/kubectl-kyverno/report/report.go @@ -1,9 +1,7 @@ package report import ( - "github.com/kyverno/kyverno/api/kyverno" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" - "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations" engineapi "github.com/kyverno/kyverno/pkg/engine/api" reportutils "github.com/kyverno/kyverno/pkg/utils/report" corev1 "k8s.io/api/core/v1" @@ -13,47 +11,26 @@ import ( func ComputePolicyReportResult(auditWarn bool, engineResponse engineapi.EngineResponse, ruleResponse engineapi.RuleResponse) policyreportv1alpha2.PolicyReportResult { policy := engineResponse.Policy() + policyType := policy.GetType() policyName := cache.MetaObjectToName(policy.MetaObject()).String() - audit := engineResponse.GetValidationFailureAction().Audit() - scored := annotations.Scored(policy.GetAnnotations()) - category := annotations.Category(policy.GetAnnotations()) - severity := annotations.Severity(policy.GetAnnotations()) - result := policyreportv1alpha2.PolicyReportResult{ - Policy: policyName, - Resources: []corev1.ObjectReference{ - { - Kind: engineResponse.Resource.GetKind(), - Namespace: engineResponse.Resource.GetNamespace(), - APIVersion: engineResponse.Resource.GetAPIVersion(), - Name: engineResponse.Resource.GetName(), - UID: engineResponse.Resource.GetUID(), - }, - }, - Scored: scored, - Category: category, - Severity: severity, + resource := engineResponse.Resource + resorceRef := &corev1.ObjectReference{ + Kind: resource.GetKind(), + Name: resource.GetName(), + Namespace: resource.GetNamespace(), + UID: resource.GetUID(), + APIVersion: resource.GetAPIVersion(), + ResourceVersion: resource.GetResourceVersion(), } - if ruleResponse.Status() == engineapi.RuleStatusSkip { - result.Result = policyreportv1alpha2.StatusSkip - } else if ruleResponse.Status() == engineapi.RuleStatusError { - result.Result = policyreportv1alpha2.StatusError - } else if ruleResponse.Status() == engineapi.RuleStatusPass { - result.Result = policyreportv1alpha2.StatusPass - } else if ruleResponse.Status() == engineapi.RuleStatusFail { - if !scored || (audit && auditWarn) { + + result := reportutils.ToPolicyReportResult(policyType, policyName, ruleResponse, policy.GetAnnotations(), resorceRef) + if result.Result == policyreportv1alpha2.StatusFail { + audit := engineResponse.GetValidationFailureAction().Audit() + if audit && auditWarn { result.Result = policyreportv1alpha2.StatusWarn - } else { - result.Result = policyreportv1alpha2.StatusFail } - } else { - result.Result = policyreportv1alpha2.StatusError } - if policy.GetType() == engineapi.KyvernoPolicyType { - result.Rule = ruleResponse.Name() - } - result.Message = ruleResponse.Message() - result.Source = kyverno.ValueKyvernoApp - result.Timestamp = metav1.Timestamp{Seconds: ruleResponse.Stats().Timestamp()} + return result } diff --git a/cmd/cli/kubectl-kyverno/report/report_test.go b/cmd/cli/kubectl-kyverno/report/report_test.go index ec6f917398..2e790713d0 100644 --- a/cmd/cli/kubectl-kyverno/report/report_test.go +++ b/cmd/cli/kubectl-kyverno/report/report_test.go @@ -5,7 +5,6 @@ import ( "testing" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" - report "github.com/kyverno/kyverno/api/policyreport/v1alpha2" "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy" engineapi "github.com/kyverno/kyverno/pkg/engine/api" "gotest.tools/assert" @@ -120,7 +119,7 @@ func TestMergeClusterReport(t *testing.T) { clustered := []policyreportv1alpha2.ClusterPolicyReport{{ TypeMeta: metav1.TypeMeta{ Kind: "ClusterPolicyReport", - APIVersion: report.SchemeGroupVersion.String(), + APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(), }, ObjectMeta: metav1.ObjectMeta{ Name: "cpolr-4", @@ -128,13 +127,13 @@ func TestMergeClusterReport(t *testing.T) { Results: []policyreportv1alpha2.PolicyReportResult{ { Policy: "cpolr-4", - Result: report.StatusFail, + Result: policyreportv1alpha2.StatusFail, }, }, }, { TypeMeta: metav1.TypeMeta{ Kind: "ClusterPolicyReport", - APIVersion: report.SchemeGroupVersion.String(), + APIVersion: policyreportv1alpha2.SchemeGroupVersion.String(), }, ObjectMeta: metav1.ObjectMeta{ Name: "cpolr-5", @@ -142,19 +141,19 @@ func TestMergeClusterReport(t *testing.T) { Results: []policyreportv1alpha2.PolicyReportResult{ { Policy: "cpolr-5", - Result: report.StatusFail, + Result: policyreportv1alpha2.StatusFail, }, }, }} expectedResults := []policyreportv1alpha2.PolicyReportResult{{ Policy: "cpolr-4", - Result: report.StatusFail, + Result: policyreportv1alpha2.StatusFail, }, { Policy: "cpolr-5", - Result: report.StatusFail, + Result: policyreportv1alpha2.StatusFail, }} cpolr := MergeClusterReports(clustered) - assert.Equal(t, cpolr.APIVersion, report.SchemeGroupVersion.String()) + assert.Equal(t, cpolr.APIVersion, policyreportv1alpha2.SchemeGroupVersion.String()) assert.Equal(t, cpolr.Kind, "ClusterPolicyReport") assert.DeepEqual(t, cpolr.Results, expectedResults) assert.Equal(t, cpolr.Summary.Pass, 0) @@ -261,7 +260,7 @@ func TestComputePolicyReportResult(t *testing.T) { Source: "kyverno", Policy: "pod-requirements", Rule: "xxx", - Result: policyreportv1alpha2.StatusError, + Result: policyreportv1alpha2.StatusWarn, Resources: []corev1.ObjectReference{{}}, Message: "test", Scored: true, @@ -280,6 +279,46 @@ func TestComputePolicyReportResult(t *testing.T) { } } +func TestPSSComputePolicyReportResult(t *testing.T) { + policies, _, _, err := policy.Load(nil, "", "../_testdata/policies/restricted.yaml") + assert.NilError(t, err) + assert.Equal(t, len(policies), 1) + policy := policies[0] + tests := []struct { + name string + auditWarn bool + engineResponse engineapi.EngineResponse + ruleResponse engineapi.RuleResponse + want policyreportv1alpha2.PolicyReportResult + }{{ + name: "fail", + auditWarn: false, + engineResponse: engineapi.NewEngineResponse(unstructured.Unstructured{}, engineapi.NewKyvernoPolicy(policy), nil), + ruleResponse: *engineapi.RuleFail("xxx", engineapi.Mutation, "test"), + want: policyreportv1alpha2.PolicyReportResult{ + Source: "kyverno", + Policy: "psa", + Rule: "xxx", + Result: policyreportv1alpha2.StatusFail, + Resources: []corev1.ObjectReference{{}}, + Message: "test", + Scored: true, + Category: "Pod Security Standards (Restricted)", + Severity: policyreportv1alpha2.SeverityMedium, + Properties: nil, + }, + }} + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := ComputePolicyReportResult(tt.auditWarn, tt.engineResponse, tt.ruleResponse) + got.Timestamp = metav1.Timestamp{} + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("ComputePolicyReportResult() = %v, want %v", got, tt.want) + } + }) + } +} + func TestComputePolicyReportResultsPerPolicy(t *testing.T) { tests := []struct { name string diff --git a/pkg/utils/report/results.go b/pkg/utils/report/results.go index f1c6873e52..38bf51722a 100644 --- a/pkg/utils/report/results.go +++ b/pkg/utils/report/results.go @@ -12,6 +12,7 @@ import ( kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2" policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" engineapi "github.com/kyverno/kyverno/pkg/engine/api" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/tools/cache" ) @@ -86,72 +87,76 @@ func SeverityFromString(severity string) policyreportv1alpha2.PolicySeverity { return "" } -func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult { - pol := response.Policy() - var results []policyreportv1alpha2.PolicyReportResult - if pol.GetType() == engineapi.KyvernoPolicyType { - key, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy()) - for _, ruleResult := range response.PolicyResponse.Rules { - annotations := pol.GetAnnotations() - result := policyreportv1alpha2.PolicyReportResult{ - Source: kyverno.ValueKyvernoApp, - Policy: key, - Rule: ruleResult.Name(), - Message: ruleResult.Message(), - Result: toPolicyResult(ruleResult.Status()), - Scored: annotations[kyverno.AnnotationPolicyScored] != "false", - Timestamp: metav1.Timestamp{ - Seconds: time.Now().Unix(), - }, - Category: annotations[kyverno.AnnotationPolicyCategory], - Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]), - } - if ruleResult.Exception() != nil { - result.Properties = map[string]string{ - "exception": ruleResult.Exception().Name, - } - } - pss := ruleResult.PodSecurityChecks() - if pss != nil { - var controls []string - for _, check := range pss.Checks { - if !check.CheckResult.Allowed { - controls = append(controls, check.ID) - } - } - if len(controls) > 0 { - sort.Strings(controls) - result.Properties = map[string]string{ - "standard": string(pss.Level), - "version": pss.Version, - "controls": strings.Join(controls, ","), - } - } - } - if result.Result == "fail" && !result.Scored { - result.Result = "warn" - } - results = append(results, result) - } - } else { - for _, ruleResult := range response.PolicyResponse.Rules { - result := policyreportv1alpha2.PolicyReportResult{ - Source: "ValidatingAdmissionPolicy", - Policy: ruleResult.Name(), - Message: ruleResult.Message(), - Result: toPolicyResult(ruleResult.Status()), - Timestamp: metav1.Timestamp{ - Seconds: time.Now().Unix(), - }, - } - if ruleResult.ValidatingAdmissionPolicyBinding() != nil { - result.Properties = map[string]string{ - "binding": ruleResult.ValidatingAdmissionPolicyBinding().Name, - } - } - results = append(results, result) +func addProperty(k, v string, result *policyreportv1alpha2.PolicyReportResult) { + if result.Properties == nil { + result.Properties = map[string]string{} + } + + result.Properties[k] = v +} + +func ToPolicyReportResult(policyType engineapi.PolicyType, policyName string, ruleResult engineapi.RuleResponse, annotations map[string]string, resource *corev1.ObjectReference) policyreportv1alpha2.PolicyReportResult { + result := policyreportv1alpha2.PolicyReportResult{ + Source: kyverno.ValueKyvernoApp, + Policy: policyName, + Rule: ruleResult.Name(), + Message: ruleResult.Message(), + Result: toPolicyResult(ruleResult.Status()), + Scored: annotations[kyverno.AnnotationPolicyScored] != "false", + Timestamp: metav1.Timestamp{ + Seconds: time.Now().Unix(), + }, + Category: annotations[kyverno.AnnotationPolicyCategory], + Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]), + } + if result.Result == "fail" && !result.Scored { + result.Result = "warn" + } + if resource != nil { + result.Resources = []corev1.ObjectReference{ + *resource, } } + if ruleResult.Exception() != nil { + addProperty("exception", ruleResult.Exception().Name, &result) + } + pss := ruleResult.PodSecurityChecks() + if pss != nil && len(pss.Checks) > 0 { + var controls []string + for _, check := range pss.Checks { + if !check.CheckResult.Allowed { + controls = append(controls, check.ID) + } + } + if len(controls) > 0 { + sort.Strings(controls) + addProperty("standard", string(pss.Level), &result) + addProperty("version", pss.Version, &result) + addProperty("controls", strings.Join(controls, ","), &result) + } + } + if policyType == engineapi.ValidatingAdmissionPolicyType { + result.Source = "ValidatingAdmissionPolicy" + result.Policy = ruleResult.Name() + if ruleResult.ValidatingAdmissionPolicyBinding() != nil { + addProperty("binding", ruleResult.ValidatingAdmissionPolicyBinding().Name, &result) + } + } + return result +} + +func EngineResponseToReportResults(response engineapi.EngineResponse) []policyreportv1alpha2.PolicyReportResult { + pol := response.Policy() + policyName, _ := cache.MetaNamespaceKeyFunc(pol.AsKyvernoPolicy()) + policyType := pol.GetType() + annotations := pol.GetAnnotations() + + var results []policyreportv1alpha2.PolicyReportResult + for _, ruleResult := range response.PolicyResponse.Rules { + result := ToPolicyReportResult(policyType, policyName, ruleResult, annotations, nil) + results = append(results, result) + } + return results }