Added report generation for verifyImage rules (#2782)

* Add report generation for verifyImage rules Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Add flag comment Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Mutation: handleDelete() Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Remove redundant delete Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Test validation failure Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Validation force rules test Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Default validation behaviour Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Manual rules Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Update Config Manager Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> * Move Delete check Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-01-05 12:37:44 +05:30 · 2022-01-05 12:37:44 +05:30 · 3f61e2dd3a
commit 3f61e2dd3a
parent a9fef256c7
5 changed files with 20 additions and 3 deletions
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@ -25,7 +25,7 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 	pc.rm.Drop()

 	for _, rule := range policy.Spec.Rules {
-		if !rule.HasValidate() {
+		if !rule.HasValidate() && !rule.HasVerifyImages() {
 			continue
 		}

--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@ -99,7 +99,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 	req = new(unstructured.Unstructured)
 	for _, infoResult := range info.Results {
 		for _, rule := range infoResult.Rules {
-			if rule.Type != utils.Validation.String() {
+			if rule.Type != utils.Validation.String() && rule.Type != utils.ImageVerify.String() {
 				continue
 			}

--- a/pkg/webhookconfig/configmanager.go
+++ b/pkg/webhookconfig/configmanager.go
@ -602,7 +602,7 @@ func (m *webhookConfigManager) compareAndUpdateWebhook(webhookKind, webhookName
 				// init operations
 				ops := []string{string(admregapi.Create), string(admregapi.Update), string(admregapi.Delete), string(admregapi.Connect)}
 				if webhookKind == kindMutating {
-					ops = []string{string(admregapi.Create), string(admregapi.Update)}
+					ops = []string{string(admregapi.Create), string(admregapi.Update), string(admregapi.Delete)}
 				}

 				tmpRules = []interface{}{map[string]interface{}{}}
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -296,6 +296,18 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 		return successResponse(nil)
 	}

+	if request.Operation == v1beta1.Delete {
+		resource, err := utils.ConvertResource(request.OldObject.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace)
+
+		if err == nil {
+			ws.prGenerator.Add(buildDeletionPrInfo(resource))
+		} else {
+			logger.Info(fmt.Sprintf("Converting oldObject failed: %v", err))
+		}
+
+		return successResponse(nil)
+	}
+
 	logger.V(4).Info("received an admission request in mutating webhook")
 	requestTime := time.Now().Unix()
 	kind := request.Kind.Kind
@ -475,6 +487,7 @@ func registerAdmissionRequestsMetricGenerate(logger logr.Logger, promConfig metr

 func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	logger := ws.log.WithName("ValidateWebhook").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
+
 	if request.Operation == v1beta1.Delete {
 		ws.handleDelete(request)
 	}
--- a/pkg/webhooks/verify_images.go
+++ b/pkg/webhooks/verify_images.go
@ -8,6 +8,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
+	"github.com/kyverno/kyverno/pkg/policyreport"
 	"k8s.io/api/admission/v1beta1"
 )

@ -41,6 +42,9 @@ func (ws *WebhookServer) handleVerifyImages(request *v1beta1.AdmissionRequest,
 		patches = append(patches, resp.GetPatches()...)
 	}

+	prInfos := policyreport.GeneratePRsFromEngineResponse(engineResponses, logger)
+	ws.prGenerator.Add(prInfos...)
+
 	blocked := toBlockResource(engineResponses, logger)
 	if blocked {
 		logger.V(4).Info("resource blocked")