CLI should respect scored annotation for warnings (#3821)

Co-authored-by: Sambhav Kothari <skothari44@bloomberg.net>
2025-03-28 10:28:36 +00:00 · 2022-05-07 15:33:50 +02:00 · 2022-05-07 15:33:50 +02:00 · 4d2ec26c90
commit 4d2ec26c90
parent c3604c1170
6 changed files with 49 additions and 8 deletions
--- a/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
+++ b/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
@ -53,9 +53,9 @@ func Test_Apply(t *testing.T) {
 					Summary: preport.PolicyReportSummary{
 						Pass:  1,
 						Fail:  1,
-						Skip:  4,
+						Skip:  8,
 						Error: 0,
-						Warn:  0,
+						Warn:  2,
 					},
 				},
 			},
--- a/cmd/cli/kubectl-kyverno/utils/common/common.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/common.go
@ -728,8 +728,16 @@ func ProcessValidateEngineResponse(policy v1.PolicyInterface, validateResponse *
 					vrule.Status = report.StatusPass

 				case response.RuleStatusFail:
-					rc.Fail++
-					vrule.Status = report.StatusFail
+					ann := policy.GetAnnotations()
+					if scored, ok := ann[policyreport.ScoredLabel]; ok && scored == "false" {
+						rc.Warn++
+						vrule.Status = report.StatusWarn
+						break
+					} else {
+						rc.Fail++
+						vrule.Status = report.StatusFail
+					}
+
 					if !policyReport {
 						if printCount < 1 {
 							fmt.Printf("\npolicy %s -> resource %s failed: \n", policy.GetName(), resPath)
--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@ -313,7 +313,7 @@ func toPolicyResult(status response.RuleStatus) string {

 const categoryLabel string = "policies.kyverno.io/category"
 const severityLabel string = "policies.kyverno.io/severity"
-const scoredLabel string = "policies.kyverno.io/scored"
+const ScoredLabel string = "policies.kyverno.io/scored"

 type annotationValues struct {
 	category string
@ -342,7 +342,7 @@ func (builder *requestBuilder) fetchAnnotationValues(policy, ns string) annotati
 	if severity, ok := ann[severityLabel]; ok {
 		av.setSeverityFromString(severity)
 	}
-	if scored, ok := ann[scoredLabel]; ok {
+	if scored, ok := ann[ScoredLabel]; ok {
 		if scored == "false" {
 			av.scored = false
 		} else {
--- a/test/cli/apply/policies/policy.yaml
+++ b/test/cli/apply/policies/policy.yaml
@ -21,4 +21,36 @@ spec:
      pattern:
        spec:
          containers:
-          - image: "!*:latest"
+          - image: "!*:latest"
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: drop-all-capabilities
+  annotations:
+    policies.kyverno.io/scored: "false"
+spec:
+  validationFailureAction: audit
+  rules:
+    - name: require-drop-all
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      preconditions:
+        all:
+        - key: "{{ request.operation }}"
+          operator: NotEquals
+          value: DELETE
+      validate:
+        message: >-
+          Containers must drop `ALL` capabilities.
+        foreach:
+          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
+            deny:
+              conditions:
+                all:
+                - key: ALL
+                  operator: AnyNotIn
+                  value: "{{ element.securityContext.capabilities.drop || '' }}"
--- a/test/cli/test/depecated_apis/kyverno-test.yaml
+++ b/test/cli/test/depecated_apis/kyverno-test.yaml
@ -13,4 +13,4 @@ results:
    rule: validate-v1-25-removal
    resource: hello-fail
    kind: CronJob
-    status: fail
+    status: warn
--- a/test/cli/test/depecated_apis/policy.yaml
+++ b/test/cli/test/depecated_apis/policy.yaml
@ -3,6 +3,7 @@ kind: ClusterPolicy
 metadata:
  name: check-deprecated-api
  annotations:
+    policies.kyverno.io/scored: "false"
    policies.kyverno.io/title: Check deprecated APIs
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/subject: Kubernetes APIs