From 32d834ea261453972048bd687f329701660b77de Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Mon, 26 Oct 2020 16:08:25 -0700 Subject: [PATCH] - update json tag of report summary; - update definition manifests; - fix dclient creation --- charts/kyverno/crds/crds.yaml | 120 ++++++++-------- cmd/kyverno/main.go | 29 ++-- ...cy.kubernetes.io_clusterpolicyreports.yaml | 30 ++-- ...y.kubernetes.io_clusterreportrequests.yaml | 30 ++-- .../policy.kubernetes.io_policyreports.yaml | 30 ++-- .../policy.kubernetes.io_reportrequests.yaml | 30 ++-- definitions/install.yaml | 128 +++++++++--------- definitions/install_debug.yaml | 126 ++++++++--------- definitions/k8s-resource/configmap.yaml | 2 +- definitions/k8s-resource/rbac.yaml | 4 + definitions/manifest/deployment.yaml | 2 +- .../v1alpha1/clusterpolicyreport_types.go | 10 +- .../v1alpha1/clusterreportrequest_types.go | 10 +- .../v1alpha1/policyreport_types.go | 24 ++-- .../v1alpha1/reportrequest_types.go | 10 +- .../v1alpha1/zz_generated.deepcopy.go | 30 +--- pkg/policy/controller.go | 4 +- pkg/policyreport/builder.go | 17 ++- pkg/policyreport/reportrequest.go | 51 ++++--- pkg/policyviolation/builder.go | 11 +- pkg/policyviolation/generator.go | 2 + 21 files changed, 357 insertions(+), 343 deletions(-) diff --git a/charts/kyverno/crds/crds.yaml b/charts/kyverno/crds/crds.yaml index ff54310a17..d8104911d3 100644 --- a/charts/kyverno/crds/crds.yaml +++ b/charts/kyverno/crds/crds.yaml @@ -288,19 +288,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -572,32 +572,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -701,19 +701,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -982,32 +982,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -1362,19 +1362,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -1645,32 +1645,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -1774,19 +1774,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -2055,32 +2055,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go index 8b2be5d4e6..3a0cdbf8ae 100755 --- a/cmd/kyverno/main.go +++ b/cmd/kyverno/main.go @@ -191,20 +191,6 @@ func main() { pInformer.Kyverno().V1().ClusterPolicies().Lister(), pInformer.Kyverno().V1().Policies().Lister()) - // POLICY VIOLATION GENERATOR - // -- generate policy violation - var pvgen *policyviolation.Generator - pvgen = policyviolation.NewPVGenerator(pclient, - client, - pInformer.Kyverno().V1().ClusterPolicyViolations(), - pInformer.Kyverno().V1().PolicyViolations(), - pInformer.Policy().V1alpha1().ClusterPolicyReports(), - pInformer.Policy().V1alpha1().PolicyReports(), - statusSync.Listener, - log.Log.WithName("PolicyViolationGenerator"), - stopCh, - ) - // POLICY Report GENERATOR // -- generate policy report var prgen *policyreport.Generator 
@@ -218,6 +204,21 @@ func main() { ) } + // POLICY VIOLATION GENERATOR + // -- generate policy violation + var pvgen *policyviolation.Generator + pvgen = policyviolation.NewPVGenerator(pclient, + client, + pInformer.Kyverno().V1().ClusterPolicyViolations(), + pInformer.Kyverno().V1().PolicyViolations(), + pInformer.Policy().V1alpha1().ClusterPolicyReports(), + pInformer.Policy().V1alpha1().PolicyReports(), + statusSync.Listener, + prgen, + log.Log.WithName("PolicyViolationGenerator"), + stopCh, + ) + // POLICY CONTROLLER // - reconciliation policy and policy violation // - process policy on existing resources diff --git a/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml b/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml index 43d31a031c..ad24e7ae4c 100644 --- a/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml +++ b/definitions/crds/policy.kubernetes.io_clusterpolicyreports.yaml @@ -17,19 +17,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
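Review bot: `prgen` is passed to `policyviolation.NewPVGenerator` as a new argument, but it is declared as `var prgen *policyreport.Generator` in the previous hunk and the `) }` at the top of this hunk suggests it is assigned inside a conditional block, so it may still be nil at this call; either guard the call or make sure the violation generator nil-checks the report generator before every use. The two-step `var pvgen *policyviolation.Generator` / `pvgen = ...` could be the single `pvgen := policyviolation.NewPVGenerator(...)`, matching the short declaration style used elsewhere in main. The body of main continues outside the hunk.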
@@ -301,32 +301,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 diff --git a/definitions/crds/policy.kubernetes.io_clusterreportrequests.yaml b/definitions/crds/policy.kubernetes.io_clusterreportrequests.yaml index dd7c2219c8..21c5dda5e4 100644 --- a/definitions/crds/policy.kubernetes.io_clusterreportrequests.yaml +++ b/definitions/crds/policy.kubernetes.io_clusterreportrequests.yaml @@ -17,19 +17,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -298,32 +298,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 diff --git a/definitions/crds/policy.kubernetes.io_policyreports.yaml b/definitions/crds/policy.kubernetes.io_policyreports.yaml index fdc9b32a3f..e35911c62e 100644 --- a/definitions/crds/policy.kubernetes.io_policyreports.yaml +++ b/definitions/crds/policy.kubernetes.io_policyreports.yaml @@ -17,19 +17,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -300,32 +300,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 diff --git a/definitions/crds/policy.kubernetes.io_reportrequests.yaml b/definitions/crds/policy.kubernetes.io_reportrequests.yaml index f966ad7c08..1f1f7d0f6e 100644 --- a/definitions/crds/policy.kubernetes.io_reportrequests.yaml +++ b/definitions/crds/policy.kubernetes.io_reportrequests.yaml @@ -17,19 +17,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -298,32 +298,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 diff --git a/definitions/install.yaml b/definitions/install.yaml index 117ae22482..1592cf7e6a 100755 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -293,19 +293,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -577,32 +577,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -706,19 +706,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -987,32 +987,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -1367,19 +1367,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -1650,32 +1650,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -1779,19 +1779,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -2060,32 +2060,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -2128,6 +2128,10 @@ rules: - policyviolations/status - generaterequests - generaterequests/status + - reportrequests + - reportrequests/status + - clusterreportrequests + - clusterreportrequests/status verbs: - create - delete @@ -2482,7 +2486,7 @@ subjects: apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler - resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportRequest,*,*][ClusterReportRequest,*,*]' kind: ConfigMap metadata: name: init-config 
@@ -2521,7 +2525,7 @@ spec: spec: containers: - args: - - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*] + - --filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportRequest,*,*][ClusterReportRequest,*,*] - -v=2 env: - name: INIT_CONFIG diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index 40f273f410..0b813cb263 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -293,19 +293,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -577,32 +577,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -706,19 +706,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -987,32 +987,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -1367,19 +1367,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -1650,32 +1650,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -1779,19 +1779,19 @@ spec: name: Name priority: 1 type: string - - JSONPath: .summary.pass + - JSONPath: .summary.Pass name: Pass type: integer - - JSONPath: .summary.fail + - JSONPath: .summary.Fail name: Fail type: integer - - JSONPath: .summary.warn + - JSONPath: .summary.Warn name: Warn type: integer - - JSONPath: .summary.error + - JSONPath: .summary.Error name: Error type: integer - - JSONPath: .summary.skip + - JSONPath: .summary.Skip name: Skip type: integer - JSONPath: .metadata.creationTimestamp 
@@ -2060,32 +2060,32 @@ spec: summary: description: PolicyReportSummary provides a summary of results properties: - error: + Error: description: Error provides the count of policies that could not be evaluated type: integer - fail: + Fail: description: Fail provides the count of policies whose requirements were not met type: integer - pass: + Pass: description: Pass provides the count of policies whose requirements were met type: integer - skip: + Skip: description: Skip indicates the count of policies that were not selected for evaluation type: integer - warn: + Warn: description: Warn provides the count of unscored policies whose requirements were not met type: integer required: - - error - - fail - - pass - - skip - - warn + - Error + - Fail + - Pass + - Skip + - Warn type: object type: object version: v1alpha1 @@ -2128,6 +2128,10 @@ rules: - policyviolations/status - generaterequests - generaterequests/status + - reportrequests + - reportrequests/status + - clusterreportrequests + - clusterreportrequests/status verbs: - create - delete @@ -2482,7 +2486,7 @@ subjects: apiVersion: v1 data: excludeGroupRole: system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler - resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportRequest,*,*][ClusterReportRequest,*,*]' kind: ConfigMap metadata: name: init-config diff --git a/definitions/k8s-resource/configmap.yaml b/definitions/k8s-resource/configmap.yaml index c5c50fc4a7..a72525c505 100755 --- a/definitions/k8s-resource/configmap.yaml +++ b/definitions/k8s-resource/configmap.yaml 
@@ -1,6 +1,6 @@ apiVersion: v1 data: - resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]' + resourceFilters: '[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportRequest,*,*][ClusterReportRequest,*,*]' excludeGroupRole: 'system:serviceaccounts:kube-system,system:nodes,system:kube-scheduler' kind: ConfigMap metadata: diff --git a/definitions/k8s-resource/rbac.yaml b/definitions/k8s-resource/rbac.yaml index 1bf6b08ecb..77cd43dbb2 100755 --- a/definitions/k8s-resource/rbac.yaml +++ b/definitions/k8s-resource/rbac.yaml @@ -186,6 +186,10 @@ rules: - policyviolations/status - generaterequests - generaterequests/status + - reportrequests + - reportrequests/status + - clusterreportrequests + - clusterreportrequests/status verbs: - create - delete diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml index 37b919a81e..b21ab6c5ab 100755 --- a/definitions/manifest/deployment.yaml +++ b/definitions/manifest/deployment.yaml @@ -37,7 +37,7 @@ spec: image: nirmata/kyverno:latest imagePullPolicy: Always args: - - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" + - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*][ReportRequest,*,*][ClusterReportRequest,*,*]" # customize webhook timeout #- "--webhooktimeout=4" # enable profiling 
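Review bot: The four new resources (`reportrequests`, `reportrequests/status`, `clusterreportrequests`, `clusterreportrequests/status`) are appended to a rule whose `apiGroups` line is above the hunk; the neighbouring entries (`policyviolations/status`, `generaterequests`) are kyverno.io kinds, while the CRD files in this patch place ReportRequest and ClusterReportRequest under `policy.kubernetes.io`, so unless that rule already lists `policy.kubernetes.io` (or `*`) the grant has no effect and the controller will be denied when it creates report requests. Verify the group, or add a separate rule scoped to `policy.kubernetes.io` with only the verbs the report-request path needs, so the permission is explicit and minimal. The same rule hunk appears in definitions/install.yaml and definitions/install_debug.yaml.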
diff --git a/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go b/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go index d4633568af..f2caa6e4bf 100755 --- a/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go +++ b/pkg/api/policyreport/v1alpha1/clusterpolicyreport_types.go @@ -30,11 +30,11 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 -// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass` -// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail` -// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn` -// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error` -// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip` +// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.Pass` +// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.Fail` +// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.Warn` +// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.Error` +// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.Skip` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" // +kubebuilder:resource:shortName=cpolr diff --git a/pkg/api/policyreport/v1alpha1/clusterreportrequest_types.go b/pkg/api/policyreport/v1alpha1/clusterreportrequest_types.go index 45d849dc72..291d691d62 100644 --- a/pkg/api/policyreport/v1alpha1/clusterreportrequest_types.go +++ b/pkg/api/policyreport/v1alpha1/clusterreportrequest_types.go 
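Review bot: The printcolumn JSONPaths now mix casing within one marker block: `.summary.Pass` sits next to `.scope.kind`, `.scope.name` and `.metadata.creationTimestamp`. Capitalized JSON keys go against the lowerCamelCase naming used for Kubernetes API fields, so if the uppercase keys are required to match an external consumer of `summary`, a short comment on the `PolicyReportSummary` struct tags saying so (e.g. `// JSON keys are capitalized to match <consumer>; do not lowercase`) would keep the next maintainer from reverting it. The same change is made in the clusterreportrequest marker hunk and the two policyreport_types.go hunks below.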
@@ -30,11 +30,11 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1 -// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass` -// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail` -// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn` -// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error` -// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip` +// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.Pass` +// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.Fail` +// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.Warn` +// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.Error` +// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.Skip` // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" // ClusterReportRequest is the Schema for the reportrequests API diff --git a/pkg/api/policyreport/v1alpha1/policyreport_types.go b/pkg/api/policyreport/v1alpha1/policyreport_types.go index 40df0fa3c7..37017f88f1 100755 --- a/pkg/api/policyreport/v1alpha1/policyreport_types.go +++ b/pkg/api/policyreport/v1alpha1/policyreport_types.go 
@@ -22,27 +22,27 @@ import ( // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized. const ( - StatusPass = "pass" - StatusFail = "fail" + StatusPass = "Pass" + StatusFail = "Fail" ) // PolicyReportSummary provides a status count summary type PolicyReportSummary struct { // Pass provides the count of policies whose requirements were met - Pass int `json:"pass"` + Pass int `json:"Pass"` // Fail provides the count of policies whose requirements were not met - Fail int `json:"fail"` + Fail int `json:"Fail"` // Warn provides the count of unscored policies whose requirements were not met - Warn int `json:"warn"` + Warn int `json:"Warn"` // Error provides the count of policies that could not be evaluated - Error int `json:"error"` + Error int `json:"Error"` // Skip indicates the count of policies that were not selected for evaluation - Skip int `json:"skip"` + Skip int `json:"Skip"` } // PolicyStatus has one of the following values: 
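Review bot: The json tags on PolicyReportSummary and the StatusPass/StatusFail values are switched to capitalized `Pass`, `Fail`, `Warn`, `Error`, `Skip`, which breaks the Kubernetes API convention of lowerCamelCase field names and, as far as I can tell, diverges from the upstream PolicyReport API this package mirrors, so any external consumer of `policy.kubernetes.io/v1alpha1` objects will stop finding the summary counts and stop matching on the result values. Objects already persisted with the lowercase keys are affected too: apimachinery's JSON decoding is case-sensitive as far as I recall, so their summaries would read back as zero after this change unless they are rewritten. If the capitalized spelling is deliberate, the const block needs a comment saying why and naming the compatibility cost, e.g. `// NOTE: capitalized json tags/values are intentional and differ from the upstream PolicyReport spelling; objects stored with lowercase keys must be rewritten.`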
@@ -109,11 +109,11 @@ type PolicyReportResult struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail`
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn`
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error`
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip`
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.Pass`
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.Fail`
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.Warn`
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.Error`
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.Skip`
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:shortName=polr
 
diff --git a/pkg/api/policyreport/v1alpha1/reportrequest_types.go b/pkg/api/policyreport/v1alpha1/reportrequest_types.go
index a73cc9dff7..bdbeb05b28 100644
--- a/pkg/api/policyreport/v1alpha1/reportrequest_types.go
+++ b/pkg/api/policyreport/v1alpha1/reportrequest_types.go
@@ -29,11 +29,11 @@ import (
 // +kubebuilder:object:root=true
 // +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
 // +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail`
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn`
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error`
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip`
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.Pass`
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.Fail`
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.Warn`
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.Error`
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.Skip`
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 
 // ReportRequest is the Schema for the reportrequests API
diff --git a/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go b/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go
index 338e1b9e74..c198c184e6 100644
--- a/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/api/policyreport/v1alpha1/zz_generated.deepcopy.go
@@ -1,27 +1,11 @@ // +build !ignore_autogenerated -/* -Copyright The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by controller-gen. DO NOT EDIT. package v1alpha1 import ( - v1 "k8s.io/api/core/v1" + "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" runtime "k8s.io/apimachinery/pkg/runtime" ) @@ -53,7 +37,6 @@ func (in *ClusterPolicyReport) DeepCopyInto(out *ClusterPolicyReport) { } } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReport. @@ -86,7 +69,6 @@ func (in *ClusterPolicyReportList) DeepCopyInto(out *ClusterPolicyReportList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReportList. @@ -134,7 +116,6 @@ func (in *ClusterReportRequest) DeepCopyInto(out *ClusterReportRequest) { } } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportRequest. @@ -167,7 +148,6 @@ func (in *ClusterReportRequestList) DeepCopyInto(out *ClusterReportRequestList) (*in)[i].DeepCopyInto(&(*out)[i]) } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterReportRequestList. 
@@ -215,7 +195,6 @@ func (in *PolicyReport) DeepCopyInto(out *PolicyReport) { } } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReport. @@ -248,7 +227,6 @@ func (in *PolicyReportList) DeepCopyInto(out *PolicyReportList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportList. @@ -295,7 +273,6 @@ func (in *PolicyReportResult) DeepCopyInto(out *PolicyReportResult) { (*out)[key] = val } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportResult. @@ -311,7 +288,6 @@ func (in *PolicyReportResult) DeepCopy() *PolicyReportResult { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyReportSummary) DeepCopyInto(out *PolicyReportSummary) { *out = *in - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportSummary. @@ -351,7 +327,6 @@ func (in *ReportRequest) DeepCopyInto(out *ReportRequest) { } } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportRequest. @@ -384,7 +359,6 @@ func (in *ReportRequestList) DeepCopyInto(out *ReportRequestList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } - return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportRequestList. diff --git a/pkg/policy/controller.go b/pkg/policy/controller.go index 0fa43a6922..1679a41d42 100644 --- a/pkg/policy/controller.go +++ b/pkg/policy/controller.go 
@@ -453,7 +453,9 @@ func (pc *PolicyController) syncPolicy(key string) error { pc.resourceWebhookWatcher.RegisterResourceWebhook() engineResponses := pc.processExistingResources(policy) - pc.cleanupAndReport(engineResponses) + if os.Getenv("POLICY-TYPE") == common.PolicyViolation { + pc.cleanupAndReport(engineResponses) + } return nil } diff --git a/pkg/policyreport/builder.go b/pkg/policyreport/builder.go index 7d09dcbb01..4ea8d74891 100755 --- a/pkg/policyreport/builder.go +++ b/pkg/policyreport/builder.go @@ -87,8 +87,7 @@ func (pvb *requestBuilder) build(info Info) (*unstructured.Unstructured, error) } req := &unstructured.Unstructured{Object: obj} - kind, apiversion := rr.GetObjectKind().GroupVersionKind().ToAPIVersionAndKind() - set(req, kind, apiversion, fmt.Sprintf("reportrequest-%s-%s", info.PolicyName, info.Resource.GetName()), info) + set(req, fmt.Sprintf("reportrequest-%s-%s", info.PolicyName, info.Resource.GetName()), info) return req, nil } @@ -102,17 +101,20 @@ func (pvb *requestBuilder) build(info Info) (*unstructured.Unstructured, error) return nil, err } req := &unstructured.Unstructured{Object: obj} - kind, apiversion := rr.GetObjectKind().GroupVersionKind().ToAPIVersionAndKind() - set(req, kind, apiversion, fmt.Sprintf("%s-%s", clusterreportrequest, info.Resource.GetName()), info) + set(req, fmt.Sprintf("%s-%s", clusterreportrequest, info.Resource.GetName()), info) return req, nil } -func set(obj *unstructured.Unstructured, kind, apiversion, name string, info Info) { +func set(obj *unstructured.Unstructured, name string, info Info) { resource := info.Resource obj.SetName(name) obj.SetNamespace(resource.GetNamespace()) - obj.SetKind(kind) - obj.SetAPIVersion(apiversion) + obj.SetAPIVersion("policy.kubernetes.io/v1alpha1") + if resource.GetNamespace() == "" { + obj.SetKind("ClusterReportRequest") + } else { + obj.SetKind("ReportRequest") + } obj.SetLabels(map[string]string{ "policy": info.PolicyName, 
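Review bot: The new guard `if os.Getenv("POLICY-TYPE") == common.PolicyViolation` only runs `cleanupAndReport` when the variable is exactly the violation value, so with POLICY-TYPE unset or holding any other string the results from `processExistingResources` appear to be computed and then discarded; the sibling check added in pkg/policyviolation/builder.go uses the opposite form (`!= common.PolicyReport`), so the two sites disagree for every value other than the two known ones. Reading the raw variable through a string literal at each call site also means a typo in one place fails silently rather than at compile time. A single accessor in `common`, e.g. `func PolicyType() string { return os.Getenv("POLICY-TYPE") }`, compared against the constants in one helper would keep the sites consistent; also confirm `os` is imported in controller.go, since the import block is outside this hunk. syncPolicy starts before the hunk.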
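Review bot: `set` now derives the Kind from `resource.GetNamespace() == ""` while each `build` branch has already chosen the `reportrequest-` or `clusterreportrequest-` naming on its own condition (outside this hunk), so there are two places deciding the same thing; if they ever diverge an object named `clusterreportrequest-<name>` could be emitted with kind `ReportRequest`, or the reverse, and the API server would reject it or file it under the wrong resource. Passing the kind from the caller, `set(req, "ClusterReportRequest", name, info)`, keeps one source of truth and makes the two branches self-describing. The apiVersion `"policy.kubernetes.io/v1alpha1"` is also hard-coded here; if this package exposes its scheme group version (the usual `SchemeGroupVersion.String()` from a register.go), derive it from that so a future version bump cannot silently leave this builder behind. The two `build` branches begin before the hunk.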
@@ -127,6 +129,7 @@ func set(obj *unstructured.Unstructured, kind, apiversion, name string, info Inf controllerFlag := true blockOwnerDeletionFlag := true + obj.SetOwnerReferences([]metav1.OwnerReference{ { APIVersion: resource.GetAPIVersion(), diff --git a/pkg/policyreport/reportrequest.go b/pkg/policyreport/reportrequest.go index 18104df825..edbb6bb5c8 100755 --- a/pkg/policyreport/reportrequest.go +++ b/pkg/policyreport/reportrequest.go @@ -19,6 +19,7 @@ import ( dclient "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/policystatus" apierrors "k8s.io/apimachinery/pkg/api/errors" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" utilruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -27,7 +28,7 @@ import ( "k8s.io/client-go/util/workqueue" ) -const workQueueName = "policy-violation-controller" +const workQueueName = "report-request-controller" const workQueueRetryLimit = 3 // Generator creates report request @@ -75,7 +76,7 @@ func NewReportRequestGenerator(client *policyreportclient.Clientset, return &gen } -//NewDataStore returns an instance of data store +// NewDataStore returns an instance of data store func newDataStore() *dataStore { ds := dataStore{ data: make(map[string]Info), @@ -126,12 +127,7 @@ func (i Info) toKey() string { return strings.Join(keys, "/") } -type PVEvent struct { - Namespace map[string][]Info - Cluster map[string][]Info -} - -//GeneratorInterface provides API to create PVs +// GeneratorInterface provides API to create PVs type GeneratorInterface interface { Add(infos ...Info) } @@ -142,7 +138,7 @@ func (gen *Generator) enqueue(info Info) { gen.queue.Add(keyHash) } -//Add queues a policy violation create request +// Add queues a policy violation create request func (gen *Generator) Add(infos ...Info) { for _, info := range infos { gen.enqueue(info) 
@@ -252,52 +248,69 @@ func (gen *Generator) sync(reportReq *unstructured.Unstructured, info Info) erro } }() + logger := gen.log.WithName("reportRequestGenerator") + reportReq.SetCreationTimestamp(v1.Now()) if reportReq.GetNamespace() == "" { old, err := gen.clusterReportRequestLister.Get(reportReq.GetName()) if err != nil { if apierrors.IsNotFound(err) { - return updateReportRequest(gen.dclient, old, reportReq) + if _, err = gen.dclient.CreateResource(reportReq.GetAPIVersion(), reportReq.GetKind(), reportReq.GetNamespace(), reportReq, false); err != nil { + return fmt.Errorf("failed to create clusterReportRequest: %v", err) + } + + logger.V(3).Info("successfully created clusterReportRequest", "namespace", reportReq.GetNamespace, "name", reportReq.GetName()) + return nil } - return fmt.Errorf("unable to get clusterReportRequest: %v", err) + return fmt.Errorf("unable to get %s: %v", reportReq.GetKind(), err) } - _, err = gen.dclient.CreateResource(reportReq.GetAPIVersion(), reportReq.GetKind(), reportReq.GetNamespace(), reportReq, false) - return fmt.Errorf("failed to create clusterReportRequest: %v", err) + return updateReportRequest(gen.dclient, old, reportReq, logger) } old, err := gen.reportRequestLister.ReportRequests(reportReq.GetNamespace()).Get(reportReq.GetName()) if err != nil { if apierrors.IsNotFound(err) { - return updateReportRequest(gen.dclient, old, reportReq) + if _, err = gen.dclient.CreateResource(reportReq.GetAPIVersion(), reportReq.GetKind(), reportReq.GetNamespace(), reportReq, false); err != nil { + return fmt.Errorf("failed to create %s: %v", reportReq.GetKind(), err) + } + + logger.V(3).Info("successfully created reportRequest", "namespace", reportReq.GetNamespace, "name", reportReq.GetName()) + return nil } return fmt.Errorf("unable to get existing reportRequest %v", err) } - _, err = gen.dclient.CreateResource(reportReq.GetAPIVersion(), reportReq.GetKind(), reportReq.GetNamespace(), reportReq, false) - return fmt.Errorf("failed to create 
reportRequest: %v", err) + return updateReportRequest(gen.dclient, old, reportReq, logger) } -func updateReportRequest(dClient *client.Client, old interface{}, new *unstructured.Unstructured) (err error) { +func updateReportRequest(dClient *client.Client, old interface{}, new *unstructured.Unstructured, log logr.Logger) (err error) { oldUnstructed := make(map[string]interface{}) if oldTyped, ok := old.(*report.ReportRequest); ok { if oldUnstructed, err = runtime.DefaultUnstructuredConverter.ToUnstructured(oldTyped); err != nil { return fmt.Errorf("unable to convert reportRequest: %v", err) } new.SetResourceVersion(oldTyped.GetResourceVersion()) + new.SetUID(oldTyped.GetUID()) } else { oldTyped := old.(*report.ClusterReportRequest) if oldUnstructed, err = runtime.DefaultUnstructuredConverter.ToUnstructured(oldTyped); err != nil { return fmt.Errorf("unable to convert clusterReportRequest: %v", err) } + new.SetUID(oldTyped.GetUID()) new.SetResourceVersion(oldTyped.GetResourceVersion()) } if !hasResultsChanged(oldUnstructed, new.UnstructuredContent()) { + log.V(4).Info("unchanged report request", "namespace", new.GetNamespace(), "name", new.GetName()) return nil } // TODO(shuting): set annotation / label - _, err = dClient.UpdateResource(new.GetAPIVersion(), new.GetKind(), new.GetNamespace(), new, false) - return fmt.Errorf("failed to update report request: %v", err) + if _, err = dClient.UpdateResource(new.GetAPIVersion(), new.GetKind(), new.GetNamespace(), new, false); err != nil { + return fmt.Errorf("failed to update report request: %v", err) + } + + log.V(4).Info("successfully updated report request", "kind", new.GetKind(), "namespace", new.GetNamespace(), "name", new.GetName()) + return } func hasResultsChanged(old, new map[string]interface{}) bool { diff --git a/pkg/policyviolation/builder.go b/pkg/policyviolation/builder.go index 42e1ba58d3..afa553722a 100755 --- a/pkg/policyviolation/builder.go +++ b/pkg/policyviolation/builder.go 
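Review bot: Both new success log lines pass a method value instead of its result — `"namespace", reportReq.GetNamespace` has no call parentheses — so the logger receives a func and prints its address or an unsupported-type marker rather than the namespace; change both to `"namespace", reportReq.GetNamespace(), "name", reportReq.GetName()`. `reportReq.SetCreationTimestamp(v1.Now())` is now applied on every sync including the update path, and the API server treats creationTimestamp as system-managed, so as far as I can tell the call is at best a no-op on update and reads as if this code owns that field — it deserves either a comment stating why it is set or removal. Copying `UID` and `resourceVersion` from the cached object before `UpdateResource` is the right optimistic-concurrency guard, but the unchecked `old.(*report.ClusterReportRequest)` assertion in the else branch would still panic if the lister ever returns another type; the deferred function closing at the top of the hunk may or may not be covering for that. sync starts before the hunk.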
@@ -6,6 +6,7 @@ import ( "github.com/go-logr/logr" kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" + report "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha1" "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/engine/response" ) @@ -87,14 +88,20 @@ func buildPVInfo(er response.EngineResponse) Info { func buildViolatedRules(er response.EngineResponse) []kyverno.ViolatedRule { var violatedRules []kyverno.ViolatedRule for _, rule := range er.PolicyResponse.Rules { - if rule.Success { - continue + if os.Getenv("POLICY-TYPE") != common.PolicyReport { + if rule.Success { + continue + } } vrule := kyverno.ViolatedRule{ Name: rule.Name, Type: rule.Type, Message: rule.Message, } + vrule.Check = report.StatusFail + if rule.Success { + vrule.Check = report.StatusPass + } violatedRules = append(violatedRules, vrule) } return violatedRules diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go index b56a2d844a..2335fcf064 100755 --- a/pkg/policyviolation/generator.go +++ b/pkg/policyviolation/generator.go @@ -115,6 +115,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset, prInformer policyreportinformer.ClusterPolicyReportInformer, nsprInformer policyreportinformer.PolicyReportInformer, policyStatus policystatus.Listener, + prgen *policyreport.Generator, log logr.Logger, stopChna <-chan struct{}) *Generator { gen := Generator{ @@ -126,6 +127,7 @@ func NewPVGenerator(client *kyvernoclient.Clientset, nspvSynced: nspvInformer.Informer().HasSynced, queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName), dataStore: newDataStore(), + prgen: prgen, log: log, policyStatusListener: policyStatus, }
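Review bot: The loop now re-reads `POLICY-TYPE` on every rule, appends passing rules in report mode, and sets `vrule.Check` to StatusFail only to overwrite it with StatusPass a line later, while the skip condition (`!= common.PolicyReport`) reads the variable in the opposite sense to the new guard in pkg/policy/controller.go (`== common.PolicyViolation`); for an unset or unexpected value this site behaves as violation mode and the controller as neither. Deciding the mode once before the loop and assigning `Check` in the same branch that decides whether to skip makes the intent readable and removes the double assignment. Confirm `os` is imported in this file, since the import hunk above adds only the report package. buildViolatedRules' signature is in the hunk; the rest of the file is not.

```go
	reportMode := os.Getenv("POLICY-TYPE") == common.PolicyReport
	for _, rule := range er.PolicyResponse.Rules {
		check := report.StatusFail
		if rule.Success {
			// passing rules are recorded only when building policy reports
			if !reportMode {
				continue
			}
			check = report.StatusPass
		}
		violatedRules = append(violatedRules, kyverno.ViolatedRule{
			Name:    rule.Name,
			Type:    rule.Type,
			Message: rule.Message,
			Check:   check,
		})
	}
	return violatedRules
```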