From 30bcc6cccd3b0398be0ef59c20188fdc8622a589 Mon Sep 17 00:00:00 2001
From: shivkumar dudhani
Date: Thu, 27 Jun 2019 11:43:07 -0700
Subject: [PATCH] create violations

---
 pkg/apis/policy/v1alpha1/types.go | 1 -
 pkg/controller/controller.go | 35 ++++++++++++++++-----------
 pkg/event/controller.go | 6 ++---
 pkg/violation/builder.go | 39 +++++++++++++++++++------------
 4 files changed, 49 insertions(+), 32 deletions(-)

diff --git a/pkg/apis/policy/v1alpha1/types.go b/pkg/apis/policy/v1alpha1/types.go
index dd82165a0c..a0046c4f06 100644
--- a/pkg/apis/policy/v1alpha1/types.go
+++ b/pkg/apis/policy/v1alpha1/types.go
@@ -84,7 +84,6 @@ type Violation struct {
 Kind string `json:"kind,omitempty"`
 Name string `json:"name,omitempty"`
 Namespace string `json:"namespace,omitempty"`
- Rule string `json:"rule,omitempty"`
 Reason string `json:"reason,omitempty"`
 Message string `json:"message,omitempty"`
 }
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index db75701f22..8205904b13 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -180,13 +180,18 @@ func (pc *PolicyController) syncHandler(obj interface{}) error {
 //TODO: processPolicy
 glog.Infof("process policy %s on existing resources", policy.GetName())
 policyInfos := engine.ProcessExisting(pc.client, policy)
- events := createEvents(pc.eventController, policyInfos)
- pc.eventController.Add(events)
+ events, violations := createEventsAndViolations(pc.eventController, policyInfos)
+ pc.eventController.Add(events...)
+ err = pc.violationBuilder.Add(violations...)
+ if err != nil {
+ glog.Error(err)
+ }
 return nil
 }
 
-func createEvents(eventController event.Generator, policyInfos []*info.PolicyInfo) []*event.Info {
+func createEventsAndViolations(eventController event.Generator, policyInfos []*info.PolicyInfo) ([]*event.Info, []*violation.Info) {
 events := []*event.Info{}
+ violations := []*violation.Info{}
 // Create events from the policyInfo
 for _, policyInfo := range policyInfos {
 fruleNames := []string{}
@@ -198,11 +203,11 @@ func createEvents(eventController event.Generator, policyInfos []*info.PolicyInf
 fruleNames = append(fruleNames, rule.Name)
 switch rule.RuleType {
 case info.Mutation, info.Validation, info.Generation:
+ // Events
 e = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyViolation, event.FProcessRule, rule.Name, policyInfo.Name)
 default:
 glog.Info("Unsupported Rule type")
 }
- fruleNames = append(fruleNames, rule.Name)
 events = append(events, e)
 } else {
 sruleNames = append(sruleNames, rule.Name)
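Review bot: The error from `pc.violationBuilder.Add(violations...)` in syncHandler is logged with `glog.Error(err)` and then discarded, because the function still ends with `return nil`; a failed violation write therefore never reaches the workqueue's retry path and the record is lost silently. If the sync is meant to be retried on failure, replace the log with `return err`; if recording violations is intentionally best-effort, a comment such as `// recording violations is best-effort; do not fail the sync on error` should say so next to the check. syncHandler begins outside the hunk, and the renamed createEventsAndViolations continues past its end.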
@@ -210,18 +215,22 @@ func createEvents(eventController event.Generator, policyInfos []*info.PolicyInf
 }
 
 if !policyInfo.IsSuccessful() {
- // build Events
+ // Event
 // list of failed rules : ruleNames
 e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyViolation, event.FResourcePolcy, policyInfo.RNamespace+"/"+policyInfo.RName, strings.Join(fruleNames, ";"))
 events = append(events, e)
- } else {
- // Policy was processed succesfully
- e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyApplied, event.SPolicyApply, policyInfo.Name)
- events = append(events, e)
- // Policy applied succesfully on resource
- e = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyApplied, event.SRuleApply, strings.Join(sruleNames, ";"), policyInfo.RName)
- events = append(events, e)
+ // Violation
+ v := violation.NewViolationFromEvent(e, policyInfo.Name, policyInfo.RKind, policyInfo.RName, policyInfo.RNamespace)
+ violations = append(violations, v)
 }
+ // else {
+ // // Policy was processed succesfully
+ // e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyApplied, event.SPolicyApply, policyInfo.Name)
+ // events = append(events, e)
+ // // Policy applied succesfully on resource
+ // e = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyApplied, event.SRuleApply, strings.Join(sruleNames, ";"), policyInfo.RName)
+ // events = append(events, e)
+ // }
 }
- return events
+ return events, violations
 }
diff --git a/pkg/event/controller.go b/pkg/event/controller.go
index 31dcb9bbbc..17095053f6 100644
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@@ -28,7 +28,7 @@ type controller struct {
 
 //Generator to generate event
 type Generator interface {
- Add(infoList []*Info)
+ Add(infoList ...*Info)
 }
 
 //Controller api
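Review bot: The former success branch is kept as a commented-out block after the `if !policyInfo.IsSuccessful()` body rather than deleted, and with it gone `sruleNames` is still appended to earlier in the loop but never read. If dropping the PolicyApplied events is intended, remove the block and the `sruleNames` bookkeeping so the file does not carry dead code the repository history already preserves; if it is a temporary disable, a one-line comment stating why is better than eight commented lines, since operators also lose the success entries in the resource's event stream. The enclosing createEventsAndViolations function begins before this hunk.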
@@ -74,8 +74,8 @@ func initRecorder(client *client.Client) record.EventRecorder {
 return recorder
 }
 
-func (c *controller) Add(infoList []*Info) {
- for _, info := range infoList {
+func (c *controller) Add(infos ...*Info) {
+ for _, info := range infos {
 c.queue.Add(*info)
 }
 }
diff --git a/pkg/violation/builder.go b/pkg/violation/builder.go
index 2b15dd8723..be94f1ad4a 100644
--- a/pkg/violation/builder.go
+++ b/pkg/violation/builder.go
@@ -12,7 +12,7 @@ import (
 
 //Generator to generate policy violation
 type Generator interface {
- Add(info Info) error
+ Add(infos ...*Info) error
 }
 
 type builder struct {
@@ -24,7 +24,7 @@ type builder struct {
 //Builder is to build policy violations
 type Builder interface {
 Generator
- processViolation(info Info) error
+ processViolation(info *Info) error
 isActive(kind string, resource string) (bool, error)
 }
 
@@ -41,18 +41,15 @@ func NewPolicyViolationBuilder(client *client.Client,
 return builder
 }
 
-func (b *builder) Add(info Info) error {
- return b.processViolation(info)
+func (b *builder) Add(infos ...*Info) error {
+ for _, info := range infos {
+ return b.processViolation(info)
+ }
+ return nil
 }
 
-func (b *builder) processViolation(info Info) error {
- // Get the policy
- namespace, name, err := cache.SplitMetaNamespaceKey(info.Policy)
- if err != nil {
- glog.Errorf("unable to extract namespace and name for %s", info.Policy)
- return err
- }
- policy, err := b.policyLister.Get(name)
+func (b *builder) processViolation(info *Info) error {
+ policy, err := b.policyLister.Get(info.Policy)
 if err != nil {
 glog.Error(err)
 return err
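Review bot: The loop in the new `Add(infos ...*Info)` returns on its first iteration via `return b.processViolation(info)`, so when several violations are passed only the first is ever recorded and the rest are dropped without any error; the trailing `return nil` is reached only for an empty call. Replace the loop body with `if err := b.processViolation(info); err != nil { return err }` so every violation is processed and the first failure is reported. Also note that processViolation now hands `info.Policy` straight to `b.policyLister.Get`, so callers must supply the bare policy name rather than the namespace/name key the removed SplitMetaNamespaceKey call accepted; processViolation continues past the end of the hunk.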
@@ -79,7 +76,7 @@ func (b *builder) processViolation(info Info) error {
 modifiedPolicy.Status.Violations = modifiedViolations
 
 // Violations are part of the status sub resource, so we can use the Update Status api instead of updating the policy object
- _, err = b.client.UpdateStatusResource("policies/status", namespace, modifiedPolicy, false)
+ _, err = b.client.UpdateStatusResource("policies", "", modifiedPolicy, false)
 if err != nil {
 return err
 }
@@ -102,14 +99,26 @@ func (b *builder) isActive(kind string, resource string) (bool, error) {
 }
 
 //NewViolation return new policy violation
-func NewViolation(policyName string, kind string, rname string, rnamespace string, ruleName string, reason string, msg string) Info {
+func NewViolation(policyName string, kind string, rname string, rnamespace string, reason string, msg string) Info {
 return Info{Policy: policyName,
 Violation: types.Violation{
 Kind: kind,
 Name: rname,
 Namespace: rnamespace,
- Rule: ruleName,
 Reason: reason,
 },
 }
 }
+
+//NewViolationFromEvent returns violation info from event
+func NewViolationFromEvent(e *event.Info, pName string, rKind string, rName string, rnamespace string) *Info {
+ return &Info{
+ Policy: pName,
+ Violation: types.Violation{
+ Kind: rKind,
+ Name: rName,
+ Namespace: rnamespace,
+ Reason: e.Message,
+ },
+ }
+}
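Review bot: The resource passed to `b.client.UpdateStatusResource` changed from `"policies/status"` to `"policies"` while the comment on the line above still says the update goes through the status subresource; unless UpdateStatusResource appends `/status` itself, which is not visible here, the call now targets the main resource and the comment is stale. Either confirm the helper's behaviour and record it, e.g. `// UpdateStatusResource addresses the /status subresource of "policies" itself`, or restore the explicit subresource name. The empty namespace argument is consistent with the name-only lookup `b.policyLister.Get(info.Policy)` earlier in the function. processViolation starts outside the hunk.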
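Review bot: `NewViolationFromEvent` stores the event message in `Reason` and leaves the `Message` field of types.Violation unset, so the recorded violation carries no message even though the struct defines one (see the Violation type in pkg/apis/policy/v1alpha1/types.go); if Reason is meant to be a short classification, `Message: e.Message,` belongs alongside it. The new constructor also returns `*Info` while the adjacent `NewViolation` still returns `Info`, so a caller of NewViolation cannot pass its result to `Add(infos ...*Info)` without taking its address; returning `*Info` from both would keep the package consistent. The doc comment would read better as `//NewViolationFromEvent builds a violation for the named resource, using the event message as the reason`.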