fix: truncate event messages to 1024 chars (#10636)

* fix: truncate event messages to 1024 chars

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* add chainsaw test

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>

pkg/event/controller.go

@@ -175,6 +175,10 @@ func (gen *controller) emitEvent(key Info) {
 	if namespace == "" {
 		namespace = metav1.NamespaceDefault
 	}
+	message := key.Message
+	if len(message) > 1024 {
+		message = message[0:1021] + "..."
+	}
 	event := &eventsv1.Event{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      fmt.Sprintf("%v.%x", refRegarding.Name, t.UnixNano()),
@@ -188,7 +192,7 @@ func (gen *controller) emitEvent(key Info) {
 		Reason:              string(key.Reason),
 		Regarding:           *refRegarding,
 		Related:             refRelated,
-		Note:                key.Message,
+		Note:                message,
 		Type:                eventType,
 	}
 

pkg/event/events.go

@@ -58,13 +58,7 @@ func buildPolicyEventMessage(resp engineapi.RuleResponse, resource engineapi.Res
 	if resp.Message() != "" {
 		fmt.Fprintf(&b, "; %s", resp.Message())
 	}
-
-	msg := b.String()
-	if len(msg) > 1024 {
-		msg = msg[0:1021] + "..."
-	}
-
-	return msg
+	return b.String()
 }
 
 func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineResponse) Info {

pkg/event/events_test.go

@@ -1,25 +0,0 @@
-package event
-
-import (
-	"testing"
-
-	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
-	"gotest.tools/assert"
-)
-
-func TestMessageLength(t *testing.T) {
-	msg := "policy psa/baseline fail: Validation rule 'baseline' failed. It violates PodSecurity \"restricted:latest\": (Forbidden reason: allowPrivilegeEscalation != false, field error list: [spec.containers[0].securityContext.allowPrivilegeEscalation is forbidden, forbidden values found: nil])(Forbidden reason: unrestricted capabilities, field error list: [spec.containers[0].securityContext.capabilities.drop: Required value])(Forbidden reason: host namespaces, field error list: [spec.hostNetwork is forbidden, forbidden values found: true])(Forbidden reason: hostPath volumes, field error list: [spec.volumes[1].hostPath is forbidden, forbidden values found: /run/xtables.lock, spec.volumes[2].hostPath is forbidden, forbidden values found: /lib/modules])(Forbidden reason: privileged, field error list: [spec.containers[0].securityContext.privileged is forbidden, forbidden values found: true])(Forbidden reason: restricted volume types, field error list: [spec.volumes[1].hostPath: Forbidden, spec.volumes[2].hostPath: Forbidden])(Forbidden reason: runAsNonRoot != true, field error list: [spec.containers[0].securityContext.runAsNonRoot: Required value])(Forbidden reason: seccompProfile, field error list: [spec.containers[0].securityContext.seccompProfile.type: Required value])"
-	assert.Assert(t, len(msg) > 1024)
-
-	resp := engineapi.NewRuleResponse("podSecurity", engineapi.Validation, msg, engineapi.RuleStatusFail)
-
-	resource := &engineapi.ResourceSpec{
-		Kind:       "Pod",
-		APIVersion: "v1",
-		Namespace:  "default",
-		UID:        "9005aec3-f779-4d19-985b-3ff51a695cca",
-	}
-
-	eventMsg := buildPolicyEventMessage(*resp, *resource, true)
-	assert.Equal(t, 1024, len(eventMsg))
-}

test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/chainsaw-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: message-exceeds-1024-characters
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: resource.yaml
+  - name: step-03
+    try:
+    - assert:
+        file: event-assert.yaml

test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/event-assert.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Event
+metadata:
+  namespace: default
+involvedObject:
+  apiVersion: v1
+  kind: Pod
+  name: badpod01
+  namespace: default
+type: Warning
+reason: PolicyViolation
+action: Resource Passed
+reportingComponent: kyverno-scan
+message: 'policy podsecurity-subrule-restricted/restricted fail: Validation rule
+    ''restricted'' failed. It violates PodSecurity "restricted:latest": (Forbidden
+    reason: unrestricted capabilities, field error list: [spec.containers[0].securityContext.capabilities.drop:
+    Required value])'

test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy-assert.yaml

@@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: podsecurity-subrule-restricted
+spec: {}
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/policy.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: podsecurity-subrule-restricted
+spec:
+  background: true
+  validationFailureAction: Audit
+  rules:
+  - name: restricted
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      podSecurity:
+        level: restricted
+        version: latest

test/conformance/chainsaw/events/clusterpolicy/message-exceeds-1024-characters/resource.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+  namespace: default
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+    securityContext:
+      allowPrivilegeEscalation: false
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault