mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-05 07:26:55 +00:00
refactor: introduce cli annotations utils package (#8201)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
parent
4d6a511437
commit
6c94e5f1cb
6 changed files with 200 additions and 15 deletions
|
@ -7,6 +7,7 @@ import (
|
|||
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
reportutils "github.com/kyverno/kyverno/pkg/utils/report"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
|
@ -61,7 +62,9 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
|
|||
policy := engineResponse.Policy()
|
||||
policyName := policy.GetName()
|
||||
policyNamespace := policy.GetNamespace()
|
||||
ann := policy.GetAnnotations()
|
||||
scored := annotationsutils.Scored(policy.GetAnnotations())
|
||||
category := annotationsutils.Category(policy.GetAnnotations())
|
||||
severity := annotationsutils.Severity(policy.GetAnnotations())
|
||||
|
||||
var appname string
|
||||
if policyNamespace != "" {
|
||||
|
@ -87,8 +90,8 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
|
|||
},
|
||||
},
|
||||
Scored: true,
|
||||
Category: ann[kyverno.AnnotationPolicyCategory],
|
||||
Severity: reportutils.SeverityFromString(ann[kyverno.AnnotationPolicySeverity]),
|
||||
Category: category,
|
||||
Severity: severity,
|
||||
}
|
||||
|
||||
if ruleResponse.Status() == engineapi.RuleStatusSkip {
|
||||
|
@ -98,7 +101,7 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
|
|||
} else if ruleResponse.Status() == engineapi.RuleStatusPass {
|
||||
result.Result = policyreportv1alpha2.StatusPass
|
||||
} else if ruleResponse.Status() == engineapi.RuleStatusFail {
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if !scored {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
} else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
|
@ -108,7 +111,6 @@ func buildPolicyResults(auditWarn bool, engineResponses ...engineapi.EngineRespo
|
|||
} else {
|
||||
fmt.Println(ruleResponse)
|
||||
}
|
||||
|
||||
if policy.GetType() == engineapi.KyvernoPolicyType {
|
||||
result.Rule = ruleResponse.Name()
|
||||
}
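Review bot: `Scored: true,` in the result literal of the second hunk is still hard-coded, although this section now computes `scored` from the policy annotations a few lines earlier. A policy annotated as unscored therefore has its failures downgraded to warn while every emitted result still claims to be scored; if the field is meant to mirror the annotation, it should read `Scored: scored,`. The three `policy.GetAnnotations()` calls could also share one local. buildPolicyResults starts and ends outside the hunks shown, and the +/- markers are lost on this page, so which lines are new is inferred from the hunk counts.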
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
package apply
|
||||
|
||||
import (
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/color"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/output/table"
|
||||
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||
|
@ -14,7 +14,7 @@ func printTable(compact, auditWarn bool, engineResponses ...engineapi.EngineResp
|
|||
policy := engineResponse.Policy()
|
||||
policyName := policy.GetName()
|
||||
policyNamespace := policy.GetNamespace()
|
||||
ann := policy.GetAnnotations()
|
||||
scored := annotationsutils.Scored(policy.GetAnnotations())
|
||||
resourceKind := engineResponse.Resource.GetKind()
|
||||
resourceNamespace := engineResponse.Resource.GetNamespace()
|
||||
resourceName := engineResponse.Resource.GetName()
|
||||
|
@ -31,7 +31,7 @@ func printTable(compact, auditWarn bool, engineResponses ...engineapi.EngineResp
|
|||
if ruleResponse.Status() == engineapi.RuleStatusPass {
|
||||
row.Result = color.ResultPass()
|
||||
} else if ruleResponse.Status() == engineapi.RuleStatusFail {
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if !scored {
|
||||
row.Result = color.ResultWarn()
|
||||
} else if auditWarn && engineResponse.GetValidationFailureAction().Audit() {
|
||||
row.Result = color.ResultWarn()
|
||||
|
|
|
@ -7,11 +7,11 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/go-git/go-billy/v5"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
"github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
|
||||
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common"
|
||||
filterutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/filter"
|
||||
pathutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/path"
|
||||
|
@ -321,8 +321,7 @@ func buildPolicyResults(
|
|||
policy := resp.Policy()
|
||||
policyName := policy.GetName()
|
||||
policyNamespace := policy.GetNamespace()
|
||||
ann := policy.GetAnnotations()
|
||||
|
||||
scored := annotationsutils.Scored(policy.GetAnnotations())
|
||||
resourceName := resp.Resource.GetName()
|
||||
resourceKind := resp.Resource.GetKind()
|
||||
resourceNamespace := resp.Resource.GetNamespace()
|
||||
|
@ -500,7 +499,7 @@ func buildPolicyResults(
|
|||
} else if rule.Status() == engineapi.RuleStatusPass {
|
||||
result.Result = policyreportv1alpha2.StatusPass
|
||||
} else if rule.Status() == engineapi.RuleStatusFail {
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if !scored {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
} else if auditWarn && resp.GetValidationFailureAction().Audit() {
|
||||
result.Result = policyreportv1alpha2.StatusWarn
|
||||
|
|
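--- a/cmd/cli/kubectl-kyverno/utils/annotations/annotations.go
+++ b/cmd/cli/kubectl-kyverno/utils/annotations/annotations.go
@@ -0,0 +1,22 @@
+package annotations
+
+import (
+"github.com/kyverno/kyverno/api/kyverno"
+policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+reportutils "github.com/kyverno/kyverno/pkg/utils/report"
+)
+
+func Scored(annotations map[string]string) bool {
+if scored, ok := annotations[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
+return false
+}
+return true
+}
+
+func Severity(annotations map[string]string) policyreportv1alpha2.PolicySeverity {
+return reportutils.SeverityFromString(annotations[kyverno.AnnotationPolicySeverity])
+}
+
+func Category(annotations map[string]string) string {
+return annotations[kyverno.AnnotationPolicyCategory]
+}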
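Review bot: The three exported helpers `Scored`, `Severity` and `Category` have no doc comments, and `Scored` has a default worth stating: only the exact string `"false"` turns scoring off, while a missing key or any other value keeps it on. Because callers use that flag to decide whether a failing rule is reported as fail or as warn, I would add `// Scored reports whether failures of the policy count as failures; it is false only when the scored annotation is exactly "false".` above it. One-line comments on the other two should say that `Severity` defers to `reportutils.SeverityFromString` and that `Category` returns the raw annotation value, empty when unset.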
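--- a/cmd/cli/kubectl-kyverno/utils/annotations/annotations_test.go
+++ b/cmd/cli/kubectl-kyverno/utils/annotations/annotations_test.go
@@ -0,0 +1,162 @@
+package annotations
+
+import (
+"reflect"
+"testing"
+
+"github.com/kyverno/kyverno/api/kyverno"
+policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+)
+
+func TestScored(t *testing.T) {
+tests := []struct {
+name string
+annotations map[string]string
+want bool
+}{{
+name: "nil",
+annotations: nil,
+want: true,
+}, {
+name: "empty",
+annotations: map[string]string{},
+want: true,
+}, {
+name: "not present",
+annotations: map[string]string{
+"foo": "bar",
+},
+want: true,
+}, {
+name: "false",
+annotations: map[string]string{
+kyverno.AnnotationPolicyScored: "false",
+},
+want: false,
+}, {
+name: "true",
+annotations: map[string]string{
+kyverno.AnnotationPolicyScored: "true",
+},
+want: true,
+}, {
+name: "bar",
+annotations: map[string]string{
+kyverno.AnnotationPolicyScored: "bar",
+},
+want: true,
+}}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+if got := Scored(tt.annotations); got != tt.want {
+t.Errorf("Scored() = %v, want %v", got, tt.want)
+}
+})
+}
+}
+
+func TestSeverity(t *testing.T) {
+tests := []struct {
+name string
+annotations map[string]string
+want policyreportv1alpha2.PolicySeverity
+}{{
+name: "nil",
+annotations: nil,
+want: "",
+}, {
+name: "empty",
+annotations: map[string]string{},
+want: "",
+}, {
+name: "not present",
+annotations: map[string]string{
+"foo": "bar",
+},
+want: "",
+}, {
+name: "critical",
+annotations: map[string]string{
+kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityCritical,
+},
+want: policyreportv1alpha2.SeverityCritical,
+}, {
+name: "high",
+annotations: map[string]string{
+kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityHigh,
+},
+want: policyreportv1alpha2.SeverityHigh,
+}, {
+name: "medium",
+annotations: map[string]string{
+kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityMedium,
+},
+want: policyreportv1alpha2.SeverityMedium,
+}, {
+name: "low",
+annotations: map[string]string{
+kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityLow,
+},
+want: policyreportv1alpha2.SeverityLow,
+}, {
+name: "info",
+annotations: map[string]string{
+kyverno.AnnotationPolicySeverity: policyreportv1alpha2.SeverityInfo,
+},
+want: policyreportv1alpha2.SeverityInfo,
+}, {
+name: "bar",
+annotations: map[string]string{
+kyverno.AnnotationPolicySeverity: "bar",
+},
+want: "",
+}}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+if got := Severity(tt.annotations); !reflect.DeepEqual(got, tt.want) {
+t.Errorf("Severity() = %v, want %v", got, tt.want)
+}
+})
+}
+}
+
+func TestCategory(t *testing.T) {
+tests := []struct {
+name string
+annotations map[string]string
+want string
+}{{
+name: "nil",
+annotations: nil,
+want: "",
+}, {
+name: "empty",
+annotations: map[string]string{},
+want: "",
+}, {
+name: "not present",
+annotations: map[string]string{
+"foo": "bar",
+},
+want: "",
+}, {
+name: "category",
+annotations: map[string]string{
+kyverno.AnnotationPolicyCategory: "category",
+},
+want: "category",
+}, {
+name: "set to empty",
+annotations: map[string]string{
+kyverno.AnnotationPolicyCategory: "",
+},
+want: "",
+}}
+for _, tt := range tests {
+t.Run(tt.name, func(t *testing.T) {
+if got := Category(tt.annotations); got != tt.want {
+t.Errorf("Category() = %v, want %v", got, tt.want)
+}
+})
+}
+}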
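Review bot: TestScored pins `"false"`, `"true"` and `"bar"` but no case or whitespace variant of the disabling value, so the exact-match contract of `Scored` is only partly locked in. A case with `kyverno.AnnotationPolicyScored: "False"` and `want: true` would make it explicit that such a value leaves scoring on. In TestSeverity the `reflect.DeepEqual` comparison could be a plain `got != tt.want`, assuming `PolicySeverity` is a comparable string type, as the `want: ""` literals suggest.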
|
@ -12,10 +12,10 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/go-git/go-billy/v5"
|
||||
"github.com/kyverno/kyverno/api/kyverno"
|
||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test/api"
|
||||
annotationsutils "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/annotations"
|
||||
sanitizederror "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/sanitizedError"
|
||||
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
|
||||
"github.com/kyverno/kyverno/pkg/autogen"
|
||||
|
@ -696,6 +696,7 @@ func processEngineResponses(responses []engineapi.EngineResponse, c ApplyPolicyC
|
|||
if polType := pol.GetType(); polType == engineapi.ValidatingAdmissionPolicyType {
|
||||
return
|
||||
}
|
||||
scored := annotationsutils.Scored(c.Policy.GetAnnotations())
|
||||
for _, rule := range autogen.ComputeRules(pol.GetPolicy().(kyvernov1.PolicyInterface)) {
|
||||
if rule.HasValidate() || rule.HasVerifyImageChecks() || rule.HasVerifyImages() {
|
||||
ruleFoundInEngineResponse := false
|
||||
|
@ -706,8 +707,7 @@ func processEngineResponses(responses []engineapi.EngineResponse, c ApplyPolicyC
|
|||
case engineapi.RuleStatusPass:
|
||||
c.Rc.Pass++
|
||||
case engineapi.RuleStatusFail:
|
||||
ann := c.Policy.GetAnnotations()
|
||||
if scored, ok := ann[kyverno.AnnotationPolicyScored]; ok && scored == "false" {
|
||||
if !scored {
|
||||
c.Rc.Warn++
|
||||
break
|
||||
} else if c.AuditWarn && response.GetValidationFailureAction().Audit() {
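Review bot: The `scored` flag is read from `c.Policy.GetAnnotations()`, while the type check and `autogen.ComputeRules` in the same hunk work on `pol`. Where `pol` comes from is outside the hunk; if it is the policy attached to the response being processed, the fail-to-warn downgrade is decided by a different object's annotations whenever the two differ. The removed lines read `c.Policy` as well, so this is carried over rather than introduced, but the refactor is a good place to settle it, e.g. `scored := annotationsutils.Scored(pol.GetAnnotations())` if `pol` exposes that method. processEngineResponses starts and ends outside the hunks shown.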
|
||||
|
|