refactor: introduce cli annotations utils package (#8201)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-09-01 01:42:08 +02:00 · 2023-09-01 01:42:08 +02:00 · 6c94e5f1cb
commit 6c94e5f1cb
parent 4d6a511437
6 changed files with 200 additions and 15 deletions
--- a/cmd/cli/kubectl-kyverno/apply/report.go
+++ b/cmd/cli/kubectl-kyverno/apply/report.go
@ -7,6 +7,7 @@ import (

 	"github.com/kyverno/kyverno/api/kyverno"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+	annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	reportutils "github.com/kyverno/kyverno/pkg/utils/report"
 	corev1 "k8s.io/api/core/v1"
@ -61,7 +62,9 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
 		policy := engineResponse.Policy()
 		policyName := policy.GetName()
 		policyNamespace := policy.GetNamespace()
-		ann := policy.GetAnnotations()
+		scored := annotationsutils.Scored(policy.GetAnnotations())
+		category := annotationsutils.Category(policy.GetAnnotations())
+		severity := annotationsutils.Severity(policy.GetAnnotations())

 		var appname string
 		if policyNamespace != "" {
@ -87,8 +90,8 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
 					},
 				},
 				Scored:   true,
-				Category: ann[kyverno.AnnotationPolicyCategory],
-				Severity: reportutils.SeverityFromString(ann[kyverno.AnnotationPolicySeverity]),
+				Category: category,
+				Severity: severity,
 			}

 			if ruleResponse.Status() == engineapi.RuleStatusSkip {
@ -98,7 +101,7 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
 			} else if ruleResponse.Status() == engineapi.RuleStatusPass {
 				result.Result = policyreportv1alpha2.StatusPass
 			} else if ruleResponse.Status() == engineapi.RuleStatusFail {
-				if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
+				if !scored {
 					result.Result = policyreportv1alpha2.StatusWarn
 				} else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
 					result.Result = policyreportv1alpha2.StatusWarn
@ -108,7 +111,6 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
 			} else {
 				fmt.Println(ruleResponse)
 			}
-
 			if policy.GetType() == engineapi.KyvernoPolicyType {
 				result.Rule = ruleResponse.Name()
 			}
--- a/cmd/cli/kubectl-kyverno/apply/table.go
+++ b/cmd/cli/kubectl-kyverno/apply/table.go
@ -1,7 +1,7 @@
 package apply

 import (
-	"github.com/kyverno/kyverno/api/kyverno"
+	annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/color"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/output/table"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
@ -14,7 +14,7 @@ func printTable(compact, auditWarn bool, engineResponses ...engineapi.EngineResp
 		policy := engineResponse.Policy()
 		policyName := policy.GetName()
 		policyNamespace := policy.GetNamespace()
-		ann := policy.GetAnnotations()
+		scored := annotationsutils.Scored(policy.GetAnnotations())
 		resourceKind := engineResponse.Resource.GetKind()
 		resourceNamespace := engineResponse.Resource.GetNamespace()
 		resourceName := engineResponse.Resource.GetName()
@ -31,7 +31,7 @@ func printTable(compact, auditWarn bool, engineResponses ...engineapi.EngineResp
 			if ruleResponse.Status() == engineapi.RuleStatusPass {
 				row.Result = color.ResultPass()
 			} else if ruleResponse.Status() == engineapi.RuleStatusFail {
-				if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
+				if !scored {
 					row.Result = color.ResultWarn()
 				} else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
 					row.Result = color.ResultWarn()
--- a/cmd/cli/kubectl-kyverno/test/test.go
+++ b/cmd/cli/kubectl-kyverno/test/test.go
@ -7,11 +7,11 @@ import (
 	"strings"

 	"github.com/go-git/go-billy/v5"
-	"github.com/kyverno/kyverno/api/kyverno"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
+	annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
 	filterutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/filter"
 	pathutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/path"
@ -321,8 +321,7 @@ func buildPolicyResults(
 		policy := resp.Policy()
 		policyName := policy.GetName()
 		policyNamespace := policy.GetNamespace()
-		ann := policy.GetAnnotations()
-
+		scored := annotationsutils.Scored(policy.GetAnnotations())
 		resourceName := resp.Resource.GetName()
 		resourceKind := resp.Resource.GetKind()
 		resourceNamespace := resp.Resource.GetNamespace()
@ -500,7 +499,7 @@ func buildPolicyResults(
 					} else if rule.Status() == engineapi.RuleStatusPass {
 						result.Result = policyreportv1alpha2.StatusPass
 					} else if rule.Status() == engineapi.RuleStatusFail {
-						if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
+						if !scored {
 							result.Result = policyreportv1alpha2.StatusWarn
 						} else if auditWarn && resp.GetValidationFailureAction().Audit() {
 							result.Result = policyreportv1alpha2.StatusWarn
--- a/cmd/cli/kubectl-kyverno/utils/annotations/annotations.go
+++ b/cmd/cli/kubectl-kyverno/utils/annotations/annotations.go
@ -0,0 +1,22 @@
+package annotations
+
+import (
+	"github.com/kyverno/kyverno/api/kyverno"
+	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+	reportutils "github.com/kyverno/kyverno/pkg/utils/report"
+)
+
+func Scored(annotations map[string]string) bool {
+	if scored, ok := annotations[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
+		return false
+	}
+	return true
+}
+
+func Severity(annotations map[string]string) policyreportv1alpha2.PolicySeverity {
+	return reportutils.SeverityFromString(annotations[kyverno.AnnotationPolicySeverity])
+}
+
+func Category(annotations map[string]string) string {
+	return annotations[kyverno.AnnotationPolicyCategory]
+}
--- a/cmd/cli/kubectl-kyverno/utils/annotations/annotations_test.go
+++ b/cmd/cli/kubectl-kyverno/utils/annotations/annotations_test.go
@ -0,0 +1,162 @@
+package annotations
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/kyverno/kyverno/api/kyverno"
+	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+)
+
+func TestScored(t *testing.T) {
+	tests := []struct {
+		name        string
+		annotations map[string]string
+		want        bool
+	}{{
+		name:        "nil",
+		annotations: nil,
+		want:        true,
+	}, {
+		name:        "empty",
+		annotations: map[string]string{},
+		want:        true,
+	}, {
+		name: "not present",
+		annotations: map[string]string{
+			"foo": "bar",
+		},
+		want: true,
+	}, {
+		name: "false",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicyScored: "false",
+		},
+		want: false,
+	}, {
+		name: "true",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicyScored: "true",
+		},
+		want: true,
+	}, {
+		name: "bar",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicyScored: "bar",
+		},
+		want: true,
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := Scored(tt.annotations); got != tt.want {
+				t.Errorf("Scored() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestSeverity(t *testing.T) {
+	tests := []struct {
+		name        string
+		annotations map[string]string
+		want        policyreportv1alpha2.PolicySeverity
+	}{{
+		name:        "nil",
+		annotations: nil,
+		want:        "",
+	}, {
+		name:        "empty",
+		annotations: map[string]string{},
+		want:        "",
+	}, {
+		name: "not present",
+		annotations: map[string]string{
+			"foo": "bar",
+		},
+		want: "",
+	}, {
+		name: "critical",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityCritical,
+		},
+		want: policyreportv1alpha2.SeverityCritical,
+	}, {
+		name: "high",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityHigh,
+		},
+		want: policyreportv1alpha2.SeverityHigh,
+	}, {
+		name: "medium",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityMedium,
+		},
+		want: policyreportv1alpha2.SeverityMedium,
+	}, {
+		name: "low",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityLow,
+		},
+		want: policyreportv1alpha2.SeverityLow,
+	}, {
+		name: "info",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityInfo,
+		},
+		want: policyreportv1alpha2.SeverityInfo,
+	}, {
+		name: "bar",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicySeverity: "bar",
+		},
+		want: "",
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := Severity(tt.annotations); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("Severity() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestCategory(t *testing.T) {
+	tests := []struct {
+		name        string
+		annotations map[string]string
+		want        string
+	}{{
+		name:        "nil",
+		annotations: nil,
+		want:        "",
+	}, {
+		name:        "empty",
+		annotations: map[string]string{},
+		want:        "",
+	}, {
+		name: "not present",
+		annotations: map[string]string{
+			"foo": "bar",
+		},
+		want: "",
+	}, {
+		name: "category",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicyCategory: "category",
+		},
+		want: "category",
+	}, {
+		name: "set to empty",
+		annotations: map[string]string{
+			kyverno.AnnotationPolicyCategory: "",
+		},
+		want: "",
+	}}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := Category(tt.annotations); got != tt.want {
+				t.Errorf("Category() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/cmd/cli/kubectl-kyverno/utils/common/common.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/common.go
@ -12,10 +12,10 @@ import (
 	"strings"

 	"github.com/go-git/go-billy/v5"
-	"github.com/kyverno/kyverno/api/kyverno"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
+	annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
 	sanitizederror "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/sanitizedError"
 	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
 	"github.com/kyverno/kyverno/pkg/autogen"
@ -696,6 +696,7 @@ func processEngineResponses(responses []engineapi.EngineResponse, c ApplyPolicyC
 			if polType := pol.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
 				return
 			}
+			scored := annotationsutils.Scored(c.Policy.GetAnnotations())
 			for _, rule := range autogen.ComputeRules(pol.GetPolicy().(kyvernov1.PolicyInterface)) {
 				if rule.HasValidate() || rule.HasVerifyImageChecks() || rule.HasVerifyImages() {
 					ruleFoundInEngineResponse := false
@ -706,8 +707,7 @@ func processEngineResponses(responses []engineapi.EngineResponse, c ApplyPolicyC
 							case engineapi.RuleStatusPass:
 								c.Rc.Pass++
 							case engineapi.RuleStatusFail:
-								ann := c.Policy.GetAnnotations()
-								if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
+								if !scored {
 									c.Rc.Warn++
 									break
 								} else if c.AuditWarn && response.GetValidationFailureAction().Audit() {