feat: propagate psa checks results (#5719)

* feat: propagate psa checks results Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * add to report Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2022-12-20 06:57:23 +01:00 · 2022-12-20 06:57:23 +01:00 · 54b7b65cfe
commit 54b7b65cfe
parent dfa20d6ee7
3 changed files with 38 additions and 2 deletions
--- a/pkg/engine/response/response.go
+++ b/pkg/engine/response/response.go
@ -6,9 +6,11 @@ import (
 	"time"

 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+	pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
 	"github.com/kyverno/kyverno/pkg/utils/wildcard"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/pod-security-admission/api"
 )

 // EngineResponse engine response to the action
@ -123,6 +125,15 @@ type RuleResponse struct {
 	// PatchedTargetParentResourceGVR is the GVR of the parent resource of the PatchedTarget. This is only populated
 	// when PatchedTarget is a subresource.
 	PatchedTargetParentResourceGVR metav1.GroupVersionResource
+
+	// PodSecurityChecks contains pod security checks (only if this is a pod security rule)
+	PodSecurityChecks *PodSecurityChecks
+}
+
+type PodSecurityChecks struct {
+	Level   api.Level
+	Version string
+	Checks  []pssutils.PSSCheckResult
 }

 // ToString ...
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -534,12 +534,21 @@ func (v *validator) validatePodSecurity() *response.RuleResponse {
 	if err != nil {
 		return ruleError(v.rule, response.Validation, "failed to parse pod security api version", err)
 	}
+	podSecurityChecks := &response.PodSecurityChecks{
+		Level:   v.podSecurity.Level,
+		Version: v.podSecurity.Version,
+		Checks:  pssChecks,
+	}
 	if allowed {
 		msg := fmt.Sprintf("Validation rule '%s' passed.", v.rule.Name)
-		return ruleResponse(*v.rule, response.Validation, msg, response.RuleStatusPass)
+		rspn := ruleResponse(*v.rule, response.Validation, msg, response.RuleStatusPass)
+		rspn.PodSecurityChecks = podSecurityChecks
+		return rspn
 	} else {
 		msg := fmt.Sprintf(`Validation rule '%s' failed. It violates PodSecurity "%s:%s": %s`, v.rule.Name, v.podSecurity.Level, v.podSecurity.Version, pss.FormatChecksPrint(pssChecks))
-		return ruleResponse(*v.rule, response.Validation, msg, response.RuleStatusFail)
+		rspn := ruleResponse(*v.rule, response.Validation, msg, response.RuleStatusFail)
+		rspn.PodSecurityChecks = podSecurityChecks
+		return rspn
 	}
 }

--- a/pkg/utils/report/results.go
+++ b/pkg/utils/report/results.go
@ -1,6 +1,7 @@
 package report

 import (
+	"fmt"
 	"time"

 	"github.com/go-logr/logr"
@ -97,6 +98,21 @@ func EngineResponseToReportResults(response *response.EngineResponse) []policyre
 			Category: annotations[kyvernov1.AnnotationPolicyCategory],
 			Severity: severityFromString(annotations[kyvernov1.AnnotationPolicySeverity]),
 		}
+		if ruleResult.PodSecurityChecks != nil {
+			for _, check := range ruleResult.PodSecurityChecks.Checks {
+				if !check.CheckResult.Allowed {
+					if result.Properties == nil {
+						result.Properties = map[string]string{}
+					}
+					key := fmt.Sprintf("%s/%s/%s", ruleResult.PodSecurityChecks.Level, ruleResult.PodSecurityChecks.Version, check.ID)
+					value := check.CheckResult.ForbiddenDetail
+					if value == "" {
+						value = check.CheckResult.ForbiddenReason
+					}
+					result.Properties[key] = value
+				}
+			}
+		}
 		if result.Result == "fail" && !result.Scored {
 			result.Result = "warn"
 		}