1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

Events fix (#1006)

* remove success event

* remove event success message

* remove events generated on clusterpolicy
This commit is contained in:
shuting 2020-07-20 08:00:02 -07:00 committed by GitHub
parent e7fa601148
commit 75a7543c6d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 30 additions and 191 deletions

1
.gitignore vendored
View file

@ -8,3 +8,4 @@ coverage.txt
cmd/initContainer/kyvernopre
cmd/kyverno/kyverno
cmd/cli/kubectl-kyverno/kyverno
kubectl-kyverno

View file

@ -9,8 +9,9 @@ import (
func TestPositive(t *testing.T) {
resourceName := "test_resource"
expectedMsg := fmt.Sprintf("Policy applied successfully on the resource '%s'", resourceName)
msg, err := getEventMsg(SPolicyApply, resourceName)
ruleName := "test_rule"
expectedMsg := fmt.Sprintf("Rule(s) '%s' failed to apply on resource %s", ruleName, resourceName)
msg, err := getEventMsg(FPolicyApplyFailed, ruleName, resourceName)
assert.NilError(t, err)
assert.Equal(t, expectedMsg, msg)
}
@ -18,6 +19,6 @@ func TestPositive(t *testing.T) {
// passing incorrect args
func TestIncorrectArgs(t *testing.T) {
resourceName := "test_resource"
_, err := getEventMsg(SPolicyApply, resourceName, "extra_args")
assert.Error(t, err, "message expects 1 arguments, but 2 arguments passed")
_, err := getEventMsg(FPolicyApplyFailed, resourceName, "extra_args1", "extra_args2")
assert.Error(t, err, "message expects 2 arguments, but 3 arguments passed")
}

View file

@ -1,9 +1,10 @@
package event
import (
"github.com/go-logr/logr"
"time"
"github.com/go-logr/logr"
"github.com/nirmata/kyverno/pkg/client/clientset/versioned/scheme"
kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/kyverno/v1"
kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
@ -192,9 +193,6 @@ func (gen *Generator) syncHandler(key Info) error {
// set the event type based on reason
eventType := v1.EventTypeWarning
if key.Reason == PolicyApplied.String() {
eventType = v1.EventTypeNormal
}
// based on the source of event generation, use different event recorders
switch key.Source {

View file

@ -10,11 +10,7 @@ type MsgKey int
//Message id for pre-defined messages
const (
FResourcePolcy MsgKey = iota
FProcessRule
SPolicyApply
SRulesApply
FPolicyApplyBlockCreate
FPolicyApplyBlockCreate MsgKey = iota
FPolicyApplyBlockUpdate
FPolicyBlockResourceUpdate
FPolicyApplyFailed
@ -23,10 +19,6 @@ const (
func (k MsgKey) String() string {
return [...]string{
"Policy violation on resource '%s'. The rule(s) '%s' not satisfied",
"Failed to process rule '%s' of policy '%s'.",
"Policy applied successfully on the resource '%s'",
"Rule(s) '%s' of Policy '%s' applied successfully",
"Resource %s creation blocked by rule(s) %s",
"Rule(s) '%s' of policy '%s' blocked update of the resource",
"Resource %s update blocked by rule(s) %s",

View file

@ -6,8 +6,6 @@ type Reason int
const (
//PolicyViolation there is a violation of policy
PolicyViolation Reason = iota
//PolicyApplied policy applied
PolicyApplied
//RequestBlocked the request to create/update the resource was blocked( generated from admission-controller)
RequestBlocked
//PolicyFailed policy failed
@ -17,7 +15,6 @@ const (
func (r Reason) String() string {
return [...]string{
"PolicyViolation",
"PolicyApplied",
"RequestBlocked",
"PolicyFailed",
}[r]

View file

@ -22,6 +22,7 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
var err error
var resource *unstructured.Unstructured
var genResources []kyverno.ResourceSpec
// 1 - Check if the resource exists
resource, err = getResource(c.client, gr.Spec.Resource)
if err != nil {
@ -29,10 +30,14 @@ func (c *Controller) processGR(gr *kyverno.GenerateRequest) error {
logger.Error(err, "resource does not exist or is yet to be created, requeueing")
return err
}
// 2 - Apply the generate policy on the resource
genResources, err = c.applyGenerate(*resource, *gr)
// 3 - Report Events
reportEvents(logger, err, c.eventGen, *gr, *resource)
events := failedEvents(err, *gr, *resource)
c.eventGen.Add(events...)
// 4 - Update Status
return updateStatus(c.statusControl, *gr, err, genResources)
}
@ -47,16 +52,16 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
policy, err := c.pLister.Get(gr.Spec.Policy)
if err != nil {
if apierrors.IsNotFound(err) {
for _,e := range gr.Status.GeneratedResources {
resp, err := c.client.GetResource(e.Kind,e.Namespace,e.Name);
for _, e := range gr.Status.GeneratedResources {
resp, err := c.client.GetResource(e.Kind, e.Namespace, e.Name)
if err != nil {
logger.Error(err,"Generated resource failed to get","Resource",e.Name)
logger.Error(err, "Generated resource failed to get", "Resource", e.Name)
}
labels := resp.GetLabels()
if labels["policy.kyverno.io/synchronize"] == "enable" {
if err := c.client.DeleteResource(resp.GetKind(), resp.GetNamespace(), resp.GetName(), false); err != nil {
logger.Error(err,"Generated resource is not deleted","Resource",e.Name)
logger.Error(err, "Generated resource is not deleted", "Resource", e.Name)
}
}
}
@ -135,7 +140,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.P
continue
}
startTime := time.Now()
genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting,policy.Name)
genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting, policy.Name)
if err != nil {
return nil, err
}
@ -192,7 +197,7 @@ func updateGenerateExecutionTime(newTime time.Duration, oldAverageTimeString str
return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
}
func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool,policy string) (kyverno.ResourceSpec, error) {
func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool, policy string) (kyverno.ResourceSpec, error) {
var rdata map[string]interface{}
var err error
var mode ResourceMode

View file

@ -3,38 +3,13 @@ package generate
import (
"fmt"
"github.com/go-logr/logr"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
"github.com/nirmata/kyverno/pkg/event"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
func reportEvents(log logr.Logger, err error, eventGen event.Interface, gr kyverno.GenerateRequest, resource unstructured.Unstructured) {
if err == nil {
// Success Events
// - resource -> policy rule applied successfully
// - policy -> rule successfully applied on resource
events := successEvents(gr, resource)
eventGen.Add(events...)
return
}
events := failedEvents(err, gr, resource)
eventGen.Add(events...)
}
func failedEvents(err error, gr kyverno.GenerateRequest, resource unstructured.Unstructured) []event.Info {
var events []event.Info
// Cluster Policy
pe := event.Info{}
pe.Kind = "ClusterPolicy"
// cluserwide-resource
pe.Name = gr.Spec.Policy
pe.Reason = event.PolicyFailed.String()
pe.Source = event.GeneratePolicyController
pe.Message = fmt.Sprintf("policy failed to apply on resource %s/%s/%s: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), err)
events = append(events, pe)
// Resource
re := event.Info{}
re.Kind = resource.GetKind()
re.Namespace = resource.GetNamespace()
@ -42,32 +17,6 @@ func failedEvents(err error, gr kyverno.GenerateRequest, resource unstructured.U
re.Reason = event.PolicyFailed.String()
re.Source = event.GeneratePolicyController
re.Message = fmt.Sprintf("policy %s failed to apply: %v", gr.Spec.Policy, err)
events = append(events, re)
return events
}
func successEvents(gr kyverno.GenerateRequest, resource unstructured.Unstructured) []event.Info {
var events []event.Info
// Cluster Policy
pe := event.Info{}
pe.Kind = "ClusterPolicy"
// clusterwide-resource
pe.Name = gr.Spec.Policy
pe.Reason = event.PolicyApplied.String()
pe.Source = event.GeneratePolicyController
pe.Message = fmt.Sprintf("applied successfully on resource %s/%s/%s", resource.GetKind(), resource.GetNamespace(), resource.GetName())
events = append(events, pe)
// Resource
re := event.Info{}
re.Kind = resource.GetKind()
re.Namespace = resource.GetNamespace()
re.Name = resource.GetName()
re.Reason = event.PolicyApplied.String()
re.Source = event.GeneratePolicyController
re.Message = fmt.Sprintf("policy %s successfully applied", gr.Spec.Policy)
events = append(events, re)
return events
return []event.Info{re}
}

View file

@ -42,9 +42,11 @@ func generateEvents(log logr.Logger, ers []response.EngineResponse) []event.Info
}
func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.Info {
logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
var eventInfos []event.Info
logger := log.WithValues("policy", er.PolicyResponse.Policy, "kind", er.PolicyResponse.Resource.Kind, "namespace", er.PolicyResponse.Resource.Namespace, "name", er.PolicyResponse.Resource.Name)
logger.V(4).Info("reporting results for policy")
for _, rule := range er.PolicyResponse.Rules {
if rule.Success {
continue
@ -57,22 +59,9 @@ func generateEventsPerEr(log logr.Logger, er response.EngineResponse) []event.In
e.Name = er.PolicyResponse.Resource.Name
e.Reason = event.PolicyViolation.String()
e.Source = event.PolicyController
e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' not satisfied. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
e.Message = fmt.Sprintf("policy '%s' (%s) rule '%s' failed. %v", er.PolicyResponse.Policy, rule.Type, rule.Name, rule.Message)
eventInfos = append(eventInfos, e)
}
if er.IsSuccessful() {
return eventInfos
}
// generate a event on policy for all failed rules
logger.V(4).Info("generating event on policy")
e := event.Info{}
e.Kind = "ClusterPolicy"
e.Namespace = ""
e.Name = er.PolicyResponse.Policy
e.Reason = event.PolicyViolation.String()
e.Source = event.PolicyController
e.Message = fmt.Sprintf("policy '%s' rules '%v' not satisfied on resource '%s/%s/%s'", er.PolicyResponse.Policy, er.GetFailedRules(), er.PolicyResponse.Resource.Kind, er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Name)
eventInfos = append(eventInfos, e)
return eventInfos
}

View file

@ -189,18 +189,6 @@ func (resp generateRequestResponse) error() string {
}
func failedEvents(err error, gr kyverno.GenerateRequestSpec, resource unstructured.Unstructured) []event.Info {
var events []event.Info
// Cluster Policy
pe := event.Info{}
pe.Kind = "ClusterPolicy"
// cluserwide-resource
pe.Name = gr.Policy
pe.Reason = event.PolicyFailed.String()
pe.Source = event.GeneratePolicyController
pe.Message = fmt.Sprintf("policy failed to apply on resource %s/%s/%s: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), err)
events = append(events, pe)
// Resource
re := event.Info{}
re.Kind = resource.GetKind()
re.Namespace = resource.GetNamespace()
@ -208,7 +196,6 @@ func failedEvents(err error, gr kyverno.GenerateRequestSpec, resource unstructur
re.Reason = event.PolicyFailed.String()
re.Source = event.GeneratePolicyController
re.Message = fmt.Sprintf("policy %s failed to apply: %v", gr.Policy, err)
events = append(events, re)
return events
return []event.Info{re}
}

View file

@ -4,8 +4,6 @@ import (
"strings"
"github.com/go-logr/logr"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
"github.com/nirmata/kyverno/pkg/common"
"github.com/nirmata/kyverno/pkg/engine/response"
"github.com/nirmata/kyverno/pkg/event"
@ -14,101 +12,23 @@ import (
//generateEvents generates event info for the engine responses
func generateEvents(engineResponses []response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
var events []event.Info
// Scenario 1
// - Admission-Response is SUCCESS && CREATE
// - All policies were succesfully
// - report event on resources
if isResponseSuccesful(engineResponses) {
if !onUpdate {
// we only report events on CREATE requests
return events
}
for _, er := range engineResponses {
successRules := er.GetSuccessRules()
successRulesStr := strings.Join(successRules, ";")
// event on resource
e := event.NewEvent(
log,
er.PolicyResponse.Resource.Kind,
er.PolicyResponse.Resource.APIVersion,
er.PolicyResponse.Resource.Namespace,
er.PolicyResponse.Resource.Name,
event.PolicyApplied.String(),
event.AdmissionController,
event.SRulesApply,
successRulesStr,
er.PolicyResponse.Policy,
)
events = append(events, e)
}
return events
}
// Scneario 2
// - Admission-Response is BLOCKED
// - report event of policy is in enforce mode and failed to apply
if blocked {
for _, er := range engineResponses {
if er.IsSuccessful() {
// do not create event on polices that were succesfuly
continue
}
if er.PolicyResponse.ValidationFailureAction != common.Enforce {
// do not create event on "audit" policy
continue
}
// Rules that failed
failedRules := er.GetFailedRules()
filedRulesStr := strings.Join(failedRules, ";")
// Event on Policy
e := event.NewEvent(
log,
"ClusterPolicy",
kyverno.SchemeGroupVersion.String(),
"",
er.PolicyResponse.Policy,
event.RequestBlocked.String(),
event.AdmissionController,
event.FPolicyBlockResourceUpdate,
er.PolicyResponse.Resource.GetKey(),
filedRulesStr,
)
events = append(events, e)
}
return events
}
// Scenario 3
// - Admission-Response is SUCCESS
// - Some/All policies failed (policy violations generated)
// - report event on policy that failed
// - report event on resource that failed
for _, er := range engineResponses {
if er.IsSuccessful() {
// do not create event on polices that were succesfuly
// do not create event on rules that were succesful
continue
}
// Rules that failed
failedRules := er.GetFailedRules()
filedRulesStr := strings.Join(failedRules, ";")
// Event on the policy
e := event.NewEvent(
log,
"ClusterPolicy",
kyverno.SchemeGroupVersion.String(),
"",
er.PolicyResponse.Policy,
event.PolicyFailed.String(),
event.AdmissionController,
event.FPolicyApplyFailed,
filedRulesStr,
er.PolicyResponse.Resource.GetKey(),
)
events = append(events, e)
// Event on the resource
// event on resource
e = event.NewEvent(
e := event.NewEvent(
log,
er.PolicyResponse.Resource.Kind,
er.PolicyResponse.Resource.APIVersion,