fix: generate policy exception events (#5987) (#5996)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

pkg/controllers/report/utils/events.go

@@ -1,6 +1,8 @@
 package utils
 
 import (
+	"strings"
+
 	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/engine/response"
@@ -9,7 +11,9 @@ import (
 
 func GenerateEvents(logger logr.Logger, eventGen event.Interface, config config.Configuration, results ...*response.EngineResponse) {
 	for _, result := range results {
-		eventInfos := generateFailEvents(logger, result)
+		var eventInfos []event.Info
+		eventInfos = append(eventInfos, generateFailEvents(logger, result)...)
+		eventInfos = append(eventInfos, generateExceptionEvents(logger, result)...)
 		if config.GetGenerateSuccessEvents() {
 			eventInfos = append(eventInfos, generateSuccessEvents(logger, result)...)
 		}
@@ -29,6 +33,18 @@ func generateSuccessEvents(log logr.Logger, ers ...*response.EngineResponse) (ev
 	return eventInfos
 }
 
+func generateExceptionEvents(log logr.Logger, ers ...*response.EngineResponse) (eventInfos []event.Info) {
+	for _, er := range ers {
+		for i, ruleResp := range er.PolicyResponse.Rules {
+			isException := strings.Contains(ruleResp.Message, "rule skipped due to policy exception")
+			if ruleResp.Status == response.RuleStatusSkip && isException {
+				eventInfos = append(eventInfos, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i])...)
+			}
+		}
+	}
+	return eventInfos
+}
+
 func generateFailEvents(log logr.Logger, ers ...*response.EngineResponse) (eventInfos []event.Info) {
 	for _, er := range ers {
 		eventInfos = append(eventInfos, generateFailEventsPerEr(log, er)...)

pkg/event/events.go

@@ -46,7 +46,6 @@ func getPolicyKind(policy kyvernov1.PolicyInterface) string {
 	if policy.IsNamespaced() {
 		return "Policy"
 	}
-
 	return "ClusterPolicy"
 }
 
@@ -125,3 +124,44 @@ func NewBackgroundSuccessEvent(policy, rule string, source Source, r *unstructur
 
 	return events
 }
+
+func NewPolicyExceptionEvents(engineResponse *response.EngineResponse, ruleResp *response.RuleResponse) []Info {
+	exceptionName, exceptionNamespace := getExceptionEventInfoFromRuleResponseMsg(ruleResp.Message)
+	policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", engineResponse.PatchedResource.GetName(), ruleResp.Name, exceptionNamespace, exceptionName)
+	var exceptionMessage string
+	if engineResponse.PolicyResponse.Policy.Namespace == "" {
+		exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s", engineResponse.PatchedResource.GetName(), engineResponse.PolicyResponse.Policy.Name, ruleResp.Name)
+	} else {
+		exceptionMessage = fmt.Sprintf("resource %s was skipped from policy rule %s/%s/%s", engineResponse.PatchedResource.GetName(), engineResponse.PolicyResponse.Policy.Namespace, engineResponse.PolicyResponse.Policy.Name, ruleResp.Name)
+	}
+	policyEvent := Info{
+		Kind:      getPolicyKind(engineResponse.Policy),
+		Name:      engineResponse.PolicyResponse.Policy.Name,
+		Namespace: engineResponse.PolicyResponse.Policy.Namespace,
+		Reason:    PolicySkipped.String(),
+		Message:   policyMessage,
+	}
+	exceptionEvent := Info{
+		Kind:      "PolicyException",
+		Name:      exceptionName,
+		Namespace: exceptionNamespace,
+		Reason:    PolicySkipped.String(),
+		Message:   exceptionMessage,
+	}
+	return []Info{policyEvent, exceptionEvent}
+}
+
+func getExceptionEventInfoFromRuleResponseMsg(message string) (name string, namespace string) {
+	key := message[strings.LastIndex(message, " ")+1:]
+	arr := strings.Split(key, "/")
+
+	if len(arr) > 1 {
+		namespace = arr[0]
+		name = arr[1]
+	} else {
+		namespace = ""
+		name = arr[0]
+	}
+
+	return name, namespace
+}

pkg/webhooks/utils/event.go

@@ -1,6 +1,8 @@
 package utils
 
 import (
+	"strings"
+
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/event"
 )
@@ -8,7 +10,6 @@ import (
 // GenerateEvents generates event info for the engine responses
 func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []event.Info {
 	var events []event.Info
-
 	//   - Some/All policies fail or error
 	//     - report failure events on policy
 	//     - report failure events on resource
@@ -16,29 +17,32 @@ func GenerateEvents(engineResponses []*response.EngineResponse, blocked bool) []
 	//     - report success event on resource
 	//   - Some/All policies skipped
 	//     - report skipped event on resource
-
 	for _, er := range engineResponses {
 		if er.IsEmpty() {
 			continue
 		}
-
 		if !er.IsSuccessful() {
 			for i, ruleResp := range er.PolicyResponse.Rules {
 				if ruleResp.Status == response.RuleStatusFail || ruleResp.Status == response.RuleStatusError {
 					e := event.NewPolicyFailEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], blocked)
 					events = append(events, e)
 				}
-
 				if !blocked {
 					e := event.NewResourceViolationEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
 					events = append(events, e)
 				}
 			}
+		} else if er.IsSkipped() { // Handle PolicyException Event
+			for i, ruleResp := range er.PolicyResponse.Rules {
+				isException := strings.Contains(ruleResp.Message, "rule skipped due to policy exception")
+				if ruleResp.Status == response.RuleStatusSkip && !blocked && isException {
+					events = append(events, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i])...)
+				}
+			}
 		} else if !er.IsSkipped() {
 			e := event.NewPolicyAppliedEvent(event.AdmissionController, er)
 			events = append(events, e)
 		}
 	}
-
 	return events
 }