mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: generate policy exception events (#5987)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-01-13 10:18:14 +01:00 committed by GitHub
parent 45fe02a989
commit 330709a7b4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
pkg/controllers/report/utils/events.go
View file

@ -1,6 +1,8 @@
package utils package utils
import ( import (
"strings"
"github.com/go-logr/logr" "github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/config"
"github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/engine/response"
@ -9,7 +11,9 @@ import (
func GenerateEvents(logger logr.Logger, eventGen event.Interface, config config.Configuration, results ...*response.EngineResponse) { func GenerateEvents(logger logr.Logger, eventGen event.Interface, config config.Configuration, results ...*response.EngineResponse) {
for _, result := range results { for _, result := range results {
eventInfos := generateFailEvents(logger, result) var eventInfos []event.Info
eventInfos = append(eventInfos, generateFailEvents(logger, result)...)
eventInfos = append(eventInfos, generateExceptionEvents(logger, result)...)
if config.GetGenerateSuccessEvents() { if config.GetGenerateSuccessEvents() {
eventInfos = append(eventInfos, generateSuccessEvents(logger, result)...) eventInfos = append(eventInfos, generateSuccessEvents(logger, result)...)
} }
@ -29,6 +33,18 @@ func generateSuccessEvents(log logr.Logger, ers ...*response.EngineResponse) (ev
return eventInfos return eventInfos
} }
func generateExceptionEvents(log logr.Logger, ers ...*response.EngineResponse) (eventInfos []event.Info) {
for _, er := range ers {
for i, ruleResp := range er.PolicyResponse.Rules {
isException := strings.Contains(ruleResp.Message, "rule skipped due to policy exception")
if ruleResp.Status == response.RuleStatusSkip && isException {
eventInfos = append(eventInfos, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i])...)
}
}
}
return eventInfos
}
func generateFailEvents(log logr.Logger, ers ...*response.EngineResponse) (eventInfos []event.Info) { func generateFailEvents(log logr.Logger, ers ...*response.EngineResponse) (eventInfos []event.Info) {
for _, er := range ers { for _, er := range ers {
eventInfos = append(eventInfos, generateFailEventsPerEr(log, er)...) eventInfos = append(eventInfos, generateFailEventsPerEr(log, er)...)

28
pkg/event/events.go
View file

@ -46,7 +46,6 @@ func getPolicyKind(policy kyvernov1.PolicyInterface) string {
if policy.IsNamespaced() { if policy.IsNamespaced() {
return "Policy" return "Policy"
} }
return "ClusterPolicy" return "ClusterPolicy"
} }
@ -126,21 +125,30 @@ func NewBackgroundSuccessEvent(policy, rule string, source Source, r *unstructur
return events return events
} }
func NewPolicyExceptionEvent(engineResponse *response.EngineResponse, ruleResp *response.RuleResponse) Info { func NewPolicyExceptionEvents(engineResponse *response.EngineResponse, ruleResp *response.RuleResponse) []Info {
var messageBuilder strings.Builder
defer messageBuilder.Reset()
exceptionName, exceptionNamespace := getExceptionEventInfoFromRuleResponseMsg(ruleResp.Message) exceptionName, exceptionNamespace := getExceptionEventInfoFromRuleResponseMsg(ruleResp.Message)
policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", engineResponse.PatchedResource.GetName(), ruleResp.Name, exceptionNamespace, exceptionName)
fmt.Fprintf(&messageBuilder, "resource %s was skipped from rule %s due to policy exception %s/%s", engineResponse.PatchedResource.GetName(), ruleResp.Name, exceptionNamespace, exceptionName) var exceptionMessage string
if engineResponse.PolicyResponse.Policy.Namespace == "" {
return Info{ exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", engineResponse.PatchedResource.GetName(), engineResponse.PolicyResponse.Policy.Name, ruleResp.Name)
} else {
exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s/%s", engineResponse.PatchedResource.GetName(), engineResponse.PolicyResponse.Policy.Namespace, engineResponse.PolicyResponse.Policy.Name, ruleResp.Name)
}
policyEvent := Info{
Kind: getPolicyKind(engineResponse.Policy), Kind: getPolicyKind(engineResponse.Policy),
Name: engineResponse.PolicyResponse.Policy.Name, Name: engineResponse.PolicyResponse.Policy.Name,
Namespace: engineResponse.PolicyResponse.Policy.Namespace, Namespace: engineResponse.PolicyResponse.Policy.Namespace,
Reason: PolicySkipped.String(), Reason: PolicySkipped.String(),
Message: messageBuilder.String(), Message: policyMessage,
} }
exceptionEvent := Info{
Kind: "PolicyException",
Name: exceptionName,
Namespace: exceptionNamespace,
Reason: PolicySkipped.String(),
Message: exceptionMessage,
}
return []Info{policyEvent, exceptionEvent}
} }
func getExceptionEventInfoFromRuleResponseMsg(message string) (name string, namespace string) { func getExceptionEventInfoFromRuleResponseMsg(message string) (name string, namespace string) {

8
pkg/webhooks/utils/event.go
View file

@ -10,7 +10,6 @@ import (
// GenerateEvents generates event info for the engine responses // GenerateEvents generates event info for the engine responses
func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []event.Info { func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []event.Info {
var events []event.Info var events []event.Info
// - Some/All policies fail or error // - Some/All policies fail or error
// - report failure events on policy // - report failure events on policy
// - report failure events on resource // - report failure events on resource
@ -18,19 +17,16 @@ func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []
// - report success event on resource // - report success event on resource
// - Some/All policies skipped // - Some/All policies skipped
// - report skipped event on resource // - report skipped event on resource
for _, er := range engineResponses { for _, er := range engineResponses {
if er.IsEmpty() { if er.IsEmpty() {
continue continue
} }
if !er.IsSuccessful() { if !er.IsSuccessful() {
for i, ruleResp := range er.PolicyResponse.Rules { for i, ruleResp := range er.PolicyResponse.Rules {
if ruleResp.Status == response.RuleStatusFail || ruleResp.Status == response.RuleStatusError { if ruleResp.Status == response.RuleStatusFail || ruleResp.Status == response.RuleStatusError {
e := event.NewPolicyFailEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], blocked) e := event.NewPolicyFailEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], blocked)
events = append(events, e) events = append(events, e)
} }
if !blocked { if !blocked {
e := event.NewResourceViolationEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i]) e := event.NewResourceViolationEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
events = append(events, e) events = append(events, e)
@ -40,8 +36,7 @@ func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []
for i, ruleResp := range er.PolicyResponse.Rules { for i, ruleResp := range er.PolicyResponse.Rules {
isException := strings.Contains(ruleResp.Message, "rule skipped due to policy exception") isException := strings.Contains(ruleResp.Message, "rule skipped due to policy exception")
if ruleResp.Status == response.RuleStatusSkip && !blocked && isException { if ruleResp.Status == response.RuleStatusSkip && !blocked && isException {
e := event.NewPolicyExceptionEvent(er, &er.PolicyResponse.Rules[i]) events = append(events, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i])...)
events = append(events, e)
} }
} }
} else if !er.IsSkipped() { } else if !er.IsSkipped() {
@ -49,6 +44,5 @@ func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []
events = append(events, e) events = append(events, e)
} }
} }
return events return events
} }