create violations
This commit is contained in:
parent
f193ad00de
commit
30bcc6cccd
4 changed files with 49 additions and 32 deletions
|
@ -84,7 +84,6 @@ type Violation struct {
|
|||
Kind string `json:"kind,omitempty"`
|
||||
Name string `json:"name,omitempty"`
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
Rule string `json:"rule,omitempty"`
|
||||
Reason string `json:"reason,omitempty"`
|
||||
Message string `json:"message,omitempty"`
|
||||
}
|
||||
|
|
|
@ -180,13 +180,18 @@ func (pc *PolicyController) syncHandler(obj interface{}) error {
|
|||
//TODO: processPolicy
|
||||
glog.Infof("process policy %s on existing resources", policy.GetName())
|
||||
policyInfos := engine.ProcessExisting(pc.client, policy)
|
||||
events := createEvents(pc.eventController, policyInfos)
|
||||
pc.eventController.Add(events)
|
||||
events, violations := createEventsAndViolations(pc.eventController, policyInfos)
|
||||
pc.eventController.Add(events...)
|
||||
err = pc.violationBuilder.Add(violations...)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func createEvents(eventController event.Generator, policyInfos []*info.PolicyInfo) []*event.Info {
|
||||
func createEventsAndViolations(eventController event.Generator, policyInfos []*info.PolicyInfo) ([]*event.Info, []*violation.Info) {
|
||||
events := []*event.Info{}
|
||||
violations := []*violation.Info{}
|
||||
// Create events from the policyInfo
|
||||
for _, policyInfo := range policyInfos {
|
||||
fruleNames := []string{}
|
||||
|
@ -198,11 +203,11 @@ func createEvents(eventController event.Generator, policyInfos []*info.PolicyInf
|
|||
fruleNames = append(fruleNames, rule.Name)
|
||||
switch rule.RuleType {
|
||||
case info.Mutation, info.Validation, info.Generation:
|
||||
// Events
|
||||
e = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyViolation, event.FProcessRule, rule.Name, policyInfo.Name)
|
||||
default:
|
||||
glog.Info("Unsupported Rule type")
|
||||
}
|
||||
fruleNames = append(fruleNames, rule.Name)
|
||||
events = append(events, e)
|
||||
} else {
|
||||
sruleNames = append(sruleNames, rule.Name)
|
||||
|
@ -210,18 +215,22 @@ func createEvents(eventController event.Generator, policyInfos []*info.PolicyInf
|
|||
}
|
||||
|
||||
if !policyInfo.IsSuccessful() {
|
||||
// build Events
|
||||
// Event
|
||||
// list of failed rules : ruleNames
|
||||
e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyViolation, event.FResourcePolcy, policyInfo.RNamespace+"/"+policyInfo.RName, strings.Join(fruleNames, ";"))
|
||||
events = append(events, e)
|
||||
} else {
|
||||
// Policy was processed succesfully
|
||||
e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyApplied, event.SPolicyApply, policyInfo.Name)
|
||||
events = append(events, e)
|
||||
// Policy applied succesfully on resource
|
||||
e = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyApplied, event.SRuleApply, strings.Join(sruleNames, ";"), policyInfo.RName)
|
||||
events = append(events, e)
|
||||
// Violation
|
||||
v := violation.NewViolationFromEvent(e, policyInfo.Name, policyInfo.RKind, policyInfo.RName, policyInfo.RNamespace)
|
||||
violations = append(violations, v)
|
||||
}
|
||||
// else {
|
||||
// // Policy was processed succesfully
|
||||
// e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyApplied, event.SPolicyApply, policyInfo.Name)
|
||||
// events = append(events, e)
|
||||
// // Policy applied succesfully on resource
|
||||
// e = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyApplied, event.SRuleApply, strings.Join(sruleNames, ";"), policyInfo.RName)
|
||||
// events = append(events, e)
|
||||
// }
|
||||
}
|
||||
return events
|
||||
return events, violations
|
||||
}
|
||||
|
|
|
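Review bot: In syncHandler the error from `pc.violationBuilder.Add(violations...)` is only logged and the handler still ends with `return nil`, so a failed violation write is never surfaced to the caller; if the return value drives workqueue requeueing (the caller is not visible here) the violation is silently lost, so prefer `return pc.violationBuilder.Add(violations...)` or at least `return err` after the glog call. In createEventsAndViolations the addition/deletion counts suggest the successful-policy branch was commented out as `// else { … }` rather than deleted; dead code kept as comments should be removed outright, version control already preserves it. The violation is built from the policy-scoped event `e` created with `event.NewEvent("Policy", "", policyInfo.Name, …)` while being tagged with the resource kind/name, so `Reason` carries the `FResourcePolcy` message rather than a per-rule reason; a comment on the `violation.NewViolationFromEvent` call saying which event is expected would make that explicit. syncHandler starts outside the hunk and its caller is not shown.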
@ -28,7 +28,7 @@ type controller struct {
|
|||
|
||||
//Generator to generate event
|
||||
type Generator interface {
|
||||
Add(infoList []*Info)
|
||||
Add(infoList ...*Info)
|
||||
}
|
||||
|
||||
//Controller api
|
||||
|
@ -74,8 +74,8 @@ func initRecorder(client *client.Client) record.EventRecorder {
|
|||
return recorder
|
||||
}
|
||||
|
||||
func (c *controller) Add(infoList []*Info) {
|
||||
for _, info := range infoList {
|
||||
func (c *controller) Add(infos ...*Info) {
|
||||
for _, info := range infos {
|
||||
c.queue.Add(*info)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -12,7 +12,7 @@ import (
|
|||
|
||||
//Generator to generate policy violation
|
||||
type Generator interface {
|
||||
Add(info Info) error
|
||||
Add(infos ...*Info) error
|
||||
}
|
||||
|
||||
type builder struct {
|
||||
|
@ -24,7 +24,7 @@ type builder struct {
|
|||
//Builder is to build policy violations
|
||||
type Builder interface {
|
||||
Generator
|
||||
processViolation(info Info) error
|
||||
processViolation(info *Info) error
|
||||
isActive(kind string, resource string) (bool, error)
|
||||
}
|
||||
|
||||
|
@ -41,18 +41,15 @@ func NewPolicyViolationBuilder(client *client.Client,
|
|||
return builder
|
||||
}
|
||||
|
||||
func (b *builder) Add(info Info) error {
|
||||
return b.processViolation(info)
|
||||
func (b *builder) Add(infos ...*Info) error {
|
||||
for _, info := range infos {
|
||||
return b.processViolation(info)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (b *builder) processViolation(info Info) error {
|
||||
// Get the policy
|
||||
namespace, name, err := cache.SplitMetaNamespaceKey(info.Policy)
|
||||
if err != nil {
|
||||
glog.Errorf("unable to extract namespace and name for %s", info.Policy)
|
||||
return err
|
||||
}
|
||||
policy, err := b.policyLister.Get(name)
|
||||
func (b *builder) processViolation(info *Info) error {
|
||||
policy, err := b.policyLister.Get(info.Policy)
|
||||
if err != nil {
|
||||
glog.Error(err)
|
||||
return err
|
||||
|
@ -79,7 +76,7 @@ func (b *builder) processViolation(info Info) error {
|
|||
|
||||
modifiedPolicy.Status.Violations = modifiedViolations
|
||||
// Violations are part of the status sub resource, so we can use the Update Status api instead of updating the policy object
|
||||
_, err = b.client.UpdateStatusResource("policies/status", namespace, modifiedPolicy, false)
|
||||
_, err = b.client.UpdateStatusResource("policies", "", modifiedPolicy, false)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -102,14 +99,26 @@ func (b *builder) isActive(kind string, resource string) (bool, error) {
|
|||
}
|
||||
|
||||
//NewViolation return new policy violation
|
||||
func NewViolation(policyName string, kind string, rname string, rnamespace string, ruleName string, reason string, msg string) Info {
|
||||
func NewViolation(policyName string, kind string, rname string, rnamespace string, reason string, msg string) Info {
|
||||
return Info{Policy: policyName,
|
||||
Violation: types.Violation{
|
||||
Kind: kind,
|
||||
Name: rname,
|
||||
Namespace: rnamespace,
|
||||
Rule: ruleName,
|
||||
Reason: reason,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
//NewViolationFromEvent returns violation info from event
|
||||
func NewViolationFromEvent(e *event.Info, pName string, rKind string, rName string, rnamespace string) *Info {
|
||||
return &Info{
|
||||
Policy: pName,
|
||||
Violation: types.Violation{
|
||||
Kind: rKind,
|
||||
Name: rName,
|
||||
Namespace: rnamespace,
|
||||
Reason: e.Message,
|
||||
},
|
||||
}
|
||||
}
|
||||
|
|
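Review bot: `Add(infos ...*Info)` returns from inside the loop with `return b.processViolation(info)`, so only the first violation is ever processed and any further ones are dropped without an error; the loop body should be `if err := b.processViolation(info); err != nil { return err }` with the trailing `return nil` kept. Even then an error on one item abandons the remaining independent violations, so collecting the errors and returning them after the loop would be more robust. In processViolation the comment still says the status sub resource is updated, but the resource argument changed from `"policies/status"` to `"policies"` with an empty namespace; confirm that `UpdateStatusResource` appends `/status` itself, otherwise either the comment or the argument is wrong. With `Rule` removed from `types.Violation` and `NewViolationFromEvent` setting only `Reason: e.Message`, the failing rule is now recoverable only by parsing the event text and `Message` stays empty; if that is intended, say so in the `//NewViolationFromEvent` doc comment. processViolation continues outside the hunk.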