
refactor: introduce cli annotations utils package (#8201)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-09-01 01:42:08 +02:00 committed by GitHub
parent 4d6a511437
commit 6c94e5f1cb
6 changed files with 200 additions and 15 deletions


@ -7,6 +7,7 @@ import (
"github.com/kyverno/kyverno/api/kyverno"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
corev1 "k8s.io/api/core/v1"
@ -61,7 +62,9 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
policy := engineResponse.Policy()
policyName := policy.GetName()
policyNamespace := policy.GetNamespace()
ann := policy.GetAnnotations()
scored := annotationsutils.Scored(policy.GetAnnotations())
category := annotationsutils.Category(policy.GetAnnotations())
severity := annotationsutils.Severity(policy.GetAnnotations())
var appname string
if policyNamespace != "" {
@ -87,8 +90,8 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
},
},
Scored: true,
Category: ann[kyverno.AnnotationPolicyCategory],
Severity: reportutils.SeverityFromString(ann[kyverno.AnnotationPolicySeverity]),
Category: category,
Severity: severity,
}
if ruleResponse.Status() == engineapi.RuleStatusSkip {
@ -98,7 +101,7 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
} else if ruleResponse.Status() == engineapi.RuleStatusPass {
result.Result = policyreportv1alpha2.StatusPass
} else if ruleResponse.Status() == engineapi.RuleStatusFail {
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
if !scored {
result.Result = policyreportv1alpha2.StatusWarn
} else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
result.Result = policyreportv1alpha2.StatusWarn
@ -108,7 +111,6 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
} else {
fmt.Println(ruleResponse)
}
if policy.GetType() == engineapi.KyvernoPolicyType {
result.Rule = ruleResponse.Name()
}
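Review bot: The report result still hard-codes `Scored: true,` a few lines above `Category: category,` even though the hunk now computes `scored` from the policy annotations, so a policy annotated as unscored is reported as Warn yet still flagged as scored. If the intent is that unscored policies produce unscored results, `Scored: scored,` would keep the two in step; if the hard-coded value is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. The three `annotationsutils` calls each re-read `policy.GetAnnotations()`; fetching the map once with `ann := policy.GetAnnotations()` and passing it to all three reads better and avoids the repeated lookups. buildPolicyResults starts and ends outside the hunk.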


@ -1,7 +1,7 @@
package apply
import (
"github.com/kyverno/kyverno/api/kyverno"
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/color"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/output/table"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
@ -14,7 +14,7 @@ func printTable(compact, auditWarn bool, engineResponses ...engineapi.EngineResp
policy := engineResponse.Policy()
policyName := policy.GetName()
policyNamespace := policy.GetNamespace()
ann := policy.GetAnnotations()
scored := annotationsutils.Scored(policy.GetAnnotations())
resourceKind := engineResponse.Resource.GetKind()
resourceNamespace := engineResponse.Resource.GetNamespace()
resourceName := engineResponse.Resource.GetName()
@ -31,7 +31,7 @@ func printTable(compact, auditWarn bool, engineResponses ...engineapi.EngineResp
if ruleResponse.Status() == engineapi.RuleStatusPass {
row.Result = color.ResultPass()
} else if ruleResponse.Status() == engineapi.RuleStatusFail {
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
if !scored {
row.Result = color.ResultWarn()
} else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
row.Result = color.ResultWarn()


@ -7,11 +7,11 @@ import (
"strings"
"github.com/go-git/go-billy/v5"
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/api/kyverno/v1beta1"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
filterutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/filter"
pathutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/path"
@ -321,8 +321,7 @@ func buildPolicyResults(
policy := resp.Policy()
policyName := policy.GetName()
policyNamespace := policy.GetNamespace()
ann := policy.GetAnnotations()
scored := annotationsutils.Scored(policy.GetAnnotations())
resourceName := resp.Resource.GetName()
resourceKind := resp.Resource.GetKind()
resourceNamespace := resp.Resource.GetNamespace()
@ -500,7 +499,7 @@ func buildPolicyResults(
} else if rule.Status() == engineapi.RuleStatusPass {
result.Result = policyreportv1alpha2.StatusPass
} else if rule.Status() == engineapi.RuleStatusFail {
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
if !scored {
result.Result = policyreportv1alpha2.StatusWarn
} else if auditWarn && resp.GetValidationFailureAction().Audit() {
result.Result = policyreportv1alpha2.StatusWarn


@ -0,0 +1,22 @@
package annotations
import (
"github.com/kyverno/kyverno/api/kyverno"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
)
func Scored(annotations map[string]string) bool {
if scored, ok := annotations[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
return false
}
return true
}
func Severity(annotations map[string]string) policyreportv1alpha2.PolicySeverity {
return reportutils.SeverityFromString(annotations[kyverno.AnnotationPolicySeverity])
}
func Category(annotations map[string]string) string {
return annotations[kyverno.AnnotationPolicyCategory]
}
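Review bot: The three exported functions of the new package carry no doc comments, and the `Scored` contract — only the literal string `"false"` opts a policy out of scoring, while any other value such as `"False"` or `"no"` leaves it scored — is not obvious from the name. Suggested comments: `// Scored reports whether a policy is scored; only an annotation value of exactly "false" makes it unscored.`, `// Severity returns the policy severity parsed from the severity annotation, "" when absent or unrecognised.`, and `// Category returns the policy category annotation, or "" when it is not set.` A package comment on the `package annotations` clause would also help, since this is a fresh package.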


@ -0,0 +1,162 @@
package annotations
import (
"reflect"
"testing"
"github.com/kyverno/kyverno/api/kyverno"
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
)
func TestScored(t *testing.T) {
tests := []struct {
name string
annotations map[string]string
want bool
}{{
name: "nil",
annotations: nil,
want: true,
}, {
name: "empty",
annotations: map[string]string{},
want: true,
}, {
name: "not present",
annotations: map[string]string{
"foo": "bar",
},
want: true,
}, {
name: "false",
annotations: map[string]string{
kyverno.AnnotationPolicyScored: "false",
},
want: false,
}, {
name: "true",
annotations: map[string]string{
kyverno.AnnotationPolicyScored: "true",
},
want: true,
}, {
name: "bar",
annotations: map[string]string{
kyverno.AnnotationPolicyScored: "bar",
},
want: true,
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := Scored(tt.annotations); got != tt.want {
t.Errorf("Scored() = %v, want %v", got, tt.want)
}
})
}
}
func TestSeverity(t *testing.T) {
tests := []struct {
name string
annotations map[string]string
want policyreportv1alpha2.PolicySeverity
}{{
name: "nil",
annotations: nil,
want: "",
}, {
name: "empty",
annotations: map[string]string{},
want: "",
}, {
name: "not present",
annotations: map[string]string{
"foo": "bar",
},
want: "",
}, {
name: "critical",
annotations: map[string]string{
kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityCritical,
},
want: policyreportv1alpha2.SeverityCritical,
}, {
name: "high",
annotations: map[string]string{
kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityHigh,
},
want: policyreportv1alpha2.SeverityHigh,
}, {
name: "medium",
annotations: map[string]string{
kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityMedium,
},
want: policyreportv1alpha2.SeverityMedium,
}, {
name: "low",
annotations: map[string]string{
kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityLow,
},
want: policyreportv1alpha2.SeverityLow,
}, {
name: "info",
annotations: map[string]string{
kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityInfo,
},
want: policyreportv1alpha2.SeverityInfo,
}, {
name: "bar",
annotations: map[string]string{
kyverno.AnnotationPolicySeverity: "bar",
},
want: "",
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := Severity(tt.annotations); !reflect.DeepEqual(got, tt.want) {
t.Errorf("Severity() = %v, want %v", got, tt.want)
}
})
}
}
func TestCategory(t *testing.T) {
tests := []struct {
name string
annotations map[string]string
want string
}{{
name: "nil",
annotations: nil,
want: "",
}, {
name: "empty",
annotations: map[string]string{},
want: "",
}, {
name: "not present",
annotations: map[string]string{
"foo": "bar",
},
want: "",
}, {
name: "category",
annotations: map[string]string{
kyverno.AnnotationPolicyCategory: "category",
},
want: "category",
}, {
name: "set to empty",
annotations: map[string]string{
kyverno.AnnotationPolicyCategory: "",
},
want: "",
}}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := Category(tt.annotations); got != tt.want {
t.Errorf("Category() = %v, want %v", got, tt.want)
}
})
}
}
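Review bot: `TestSeverity` compares with `reflect.DeepEqual` in `if got := Severity(tt.annotations); !reflect.DeepEqual(got, tt.want)`, although `PolicySeverity` is a string-based type (the table assigns `""` to it) and the sibling tests use `got != tt.want`; switching to `if got := Severity(tt.annotations); got != tt.want {` drops the `reflect` import and keeps the three tests uniform. A `"False"` or `"FALSE"` case in `TestScored` would also pin the case-sensitivity of the opt-out, which the `"bar"` case covers only indirectly.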


@ -12,10 +12,10 @@ import (
"strings"
"github.com/go-git/go-billy/v5"
"github.com/kyverno/kyverno/api/kyverno"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
sanitizederror "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/sanitizedError"
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
"github.com/kyverno/kyverno/pkg/autogen"
@ -696,6 +696,7 @@ func processEngineResponses(responses []engineapi.EngineResponse, c ApplyPolicyC
if polType := pol.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
return
}
scored := annotationsutils.Scored(c.Policy.GetAnnotations())
for _, rule := range autogen.ComputeRules(pol.GetPolicy().(kyvernov1.PolicyInterface)) {
if rule.HasValidate() || rule.HasVerifyImageChecks() || rule.HasVerifyImages() {
ruleFoundInEngineResponse := false
@ -706,8 +707,7 @@ func processEngineResponses(responses []engineapi.EngineResponse, c ApplyPolicyC
case engineapi.RuleStatusPass:
c.Rc.Pass++
case engineapi.RuleStatusFail:
ann := c.Policy.GetAnnotations()
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
if !scored {
c.Rc.Warn++
break
} else if c.AuditWarn && response.GetValidationFailureAction().Audit() {
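Review bot: `scored` is read from `c.Policy.GetAnnotations()` on the line before the rule loop, while the type check and the rules in the same function come from `pol` (`pol.GetType()`, `pol.GetPolicy()`); this mirrors the removed `ann := c.Policy.GetAnnotations()`, so it is not a regression, but if `pol` and `c.Policy` can ever refer to different policies the scoring flag is taken from the wrong one. Reading it from the same object as the rules, `scored := annotationsutils.Scored(pol.GetAnnotations())`, would remove the ambiguity if `pol` exposes annotations; otherwise a one-line comment stating that `c.Policy` and `pol` are the same policy would help. processEngineResponses starts and ends outside the hunk.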