From 868537f04dac4685019abf871e32ba1bbd396fec Mon Sep 17 00:00:00 2001 From: NoSkillGirl Date: Thu, 2 Sep 2021 00:02:55 +0530 Subject: [PATCH] added different logic for policy report in CLI Signed-off-by: NoSkillGirl --- pkg/kyverno/apply/apply_command.go | 52 ++++++------ pkg/kyverno/apply/apply_command_test.go | 4 +- pkg/kyverno/apply/report.go | 7 +- pkg/kyverno/apply/report_test.go | 4 +- pkg/kyverno/common/common.go | 103 ++++++++++++++++-------- pkg/kyverno/common/common_test.go | 2 +- pkg/kyverno/test/test_command.go | 2 +- 7 files changed, 106 insertions(+), 68 deletions(-) diff --git a/pkg/kyverno/apply/apply_command.go b/pkg/kyverno/apply/apply_command.go index 028da4e02c..da7ce2b8bb 100644 --- a/pkg/kyverno/apply/apply_command.go +++ b/pkg/kyverno/apply/apply_command.go @@ -19,6 +19,7 @@ import ( "github.com/kyverno/kyverno/pkg/kyverno/store" "github.com/kyverno/kyverno/pkg/openapi" policy2 "github.com/kyverno/kyverno/pkg/policy" + "github.com/kyverno/kyverno/pkg/policyreport" "github.com/spf13/cobra" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/cli-runtime/pkg/genericclioptions" @@ -121,12 +122,12 @@ func Command() *cobra.Command { } }() - validateEngineResponses, rc, resources, skippedPolicies, err := applyCommandHelper(resourcePaths, cluster, policyReport, mutateLogPath, variablesString, valuesFile, namespace, policyPaths, stdin) + validateEngineResponses, rc, resources, skippedPolicies, pvInfos, err := applyCommandHelper(resourcePaths, cluster, policyReport, mutateLogPath, variablesString, valuesFile, namespace, policyPaths, stdin) if err != nil { return err } - printReportOrViolation(policyReport, validateEngineResponses, rc, resourcePaths, len(resources), skippedPolicies, stdin) + printReportOrViolation(policyReport, validateEngineResponses, rc, resourcePaths, len(resources), skippedPolicies, stdin, pvInfos) return nil }, } @@ -144,48 +145,48 @@ func Command() *cobra.Command { } func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, mutateLogPath string, - variablesString string, valuesFile string, namespace string, policyPaths []string, stdin bool) (validateEngineResponses []*response.EngineResponse, rc *common.ResultCounts, resources []*unstructured.Unstructured, skippedPolicies []string, err error) { + variablesString string, valuesFile string, namespace string, policyPaths []string, stdin bool) (validateEngineResponses []*response.EngineResponse, rc *common.ResultCounts, resources []*unstructured.Unstructured, skippedPolicies []string, pvInfos []policyreport.Info, err error) { store.SetMock(true) kubernetesConfig := genericclioptions.NewConfigFlags(true) fs := memfs.New() if valuesFile != "" && variablesString != "" { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("pass the values either using set flag or values_file flag", err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("pass the values either using set flag or values_file flag", err) } variables, valuesMap, namespaceSelectorMap, err := common.GetVariable(variablesString, valuesFile, fs, false, "") if err != nil { if !sanitizederror.IsErrorSanitized(err) { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("failed to decode yaml", err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to decode yaml", err) } - return validateEngineResponses, rc, resources, skippedPolicies, err + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, err } openAPIController, err := openapi.NewOpenAPIController() if err != nil { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("failed to initialize openAPIController", err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to initialize openAPIController", err) } var dClient *client.Client if cluster { restConfig, err := kubernetesConfig.ToRESTConfig() if err != nil { - return validateEngineResponses, rc, resources, skippedPolicies, err + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, err } dClient, err = client.NewClient(restConfig, 15*time.Minute, make(chan struct{}), log.Log) if err != nil { - return validateEngineResponses, rc, resources, skippedPolicies, err + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, err } } if len(policyPaths) == 0 { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError(fmt.Sprintf("require policy"), err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError(fmt.Sprintf("require policy"), err) } if (len(policyPaths) > 0 && policyPaths[0] == "-") && len(resourcePaths) > 0 && resourcePaths[0] == "-" { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("a stdin pipe can be used for either policies or resources, not both", err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("a stdin pipe can be used for either policies or resources, not both", err) } policies, err := common.GetPoliciesFromPaths(fs, policyPaths, false, "") @@ -195,15 +196,15 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, } if len(resourcePaths) == 0 && !cluster { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError(fmt.Sprintf("resource file(s) or cluster required"), err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError(fmt.Sprintf("resource file(s) or cluster required"), err) } mutateLogPathIsDir, err := checkMutateLogPath(mutateLogPath) if err != nil { if !sanitizederror.IsErrorSanitized(err) { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("failed to create file/folder", err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to create file/folder", err) } - return validateEngineResponses, rc, resources, skippedPolicies, err + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, err } // empty the previous contents of the file just in case if the file already existed before with some content(so as to perform overwrites) @@ -212,23 +213,23 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, _, err := os.OpenFile(mutateLogPath, os.O_TRUNC|os.O_WRONLY, 0644) if err != nil { if !sanitizederror.IsErrorSanitized(err) { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("failed to truncate the existing file at "+mutateLogPath, err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to truncate the existing file at "+mutateLogPath, err) } - return validateEngineResponses, rc, resources, skippedPolicies, err + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, err } } mutatedPolicies, err := common.MutatePolices(policies) if err != nil { if !sanitizederror.IsErrorSanitized(err) { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("failed to mutate policy", err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to mutate policy", err) } } for _, policy := range mutatedPolicies { p, err := json.Marshal(policy) if err != nil { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("failed to marsal mutated policy", err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to marsal mutated policy", err) } log.Log.V(5).Info("mutated Policy:", string(p)) @@ -241,7 +242,7 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, } if (len(resources) > 1 || len(mutatedPolicies) > 1) && variablesString != "" { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError("currently `set` flag supports variable for single policy applied on single resource ", nil) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("currently `set` flag supports variable for single policy applied on single resource ", nil) } if variablesString != "" { @@ -311,20 +312,21 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool, // skipping the variable check for non matching kind if _, ok := kindOnwhichPolicyIsApplied[resource.GetKind()]; ok { if len(variable) > 0 && len(thisPolicyResourceValues) == 0 && len(store.GetContext().Policies) == 0 { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError(fmt.Sprintf("policy `%s` have variables. pass the values for the variables for resource `%s` using set/values_file flag", policy.Name, resource.GetName()), err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError(fmt.Sprintf("policy `%s` have variables. pass the values for the variables for resource `%s` using set/values_file flag", policy.Name, resource.GetName()), err) } } - validateErs, err := common.ApplyPolicyOnResource(policy, resource, mutateLogPath, mutateLogPathIsDir, thisPolicyResourceValues, policyReport, namespaceSelectorMap, stdin, rc) + validateErs, info, err := common.ApplyPolicyOnResource(policy, resource, mutateLogPath, mutateLogPathIsDir, thisPolicyResourceValues, policyReport, namespaceSelectorMap, stdin, rc) if err != nil { - return validateEngineResponses, rc, resources, skippedPolicies, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err) + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err) } + pvInfos = append(pvInfos, info) validateEngineResponses = append(validateEngineResponses, validateErs) } } - return validateEngineResponses, rc, resources, skippedPolicies, nil + return validateEngineResponses, rc, resources, skippedPolicies, pvInfos, nil } // checkMutateLogPath - checking path for printing mutated resource (-o flag) @@ -350,7 +352,7 @@ func checkMutateLogPath(mutateLogPath string) (mutateLogPathIsDir bool, err erro } // printReportOrViolation - printing policy report/violations -func printReportOrViolation(policyReport bool, validateEngineResponses []*response.EngineResponse, rc *common.ResultCounts, resourcePaths []string, resourcesLen int, skippedPolicies []string, stdin bool) { +func printReportOrViolation(policyReport bool, validateEngineResponses []*response.EngineResponse, rc *common.ResultCounts, resourcePaths []string, resourcesLen int, skippedPolicies []string, stdin bool, pvInfos []policyreport.Info) { if len(skippedPolicies) > 0 { fmt.Println("----------------------------------------------------------------------\nPolicies Skipped(as required variables are not provided by the users):") for i, policyName := range skippedPolicies { @@ -361,7 +363,7 @@ func printReportOrViolation(policyReport bool, validateEngineResponses []*respon if policyReport { os.Setenv("POLICY-TYPE", pkgCommon.PolicyReport) - resps := buildPolicyReports(validateEngineResponses) + resps := buildPolicyReports(validateEngineResponses, pvInfos) if len(resps) > 0 || resourcesLen == 0 { fmt.Println("\n----------------------------------------------------------------------\nPOLICY REPORT:\n----------------------------------------------------------------------") report, _ := generateCLIRaw(resps) diff --git a/pkg/kyverno/apply/apply_command_test.go b/pkg/kyverno/apply/apply_command_test.go index 4a6c399486..c5d6ecfd77 100644 --- a/pkg/kyverno/apply/apply_command_test.go +++ b/pkg/kyverno/apply/apply_command_test.go @@ -56,8 +56,8 @@ func Test_Apply(t *testing.T) { } for _, tc := range testcases { - validateEngineResponses, _, _, _, _ := applyCommandHelper(tc.ResourcePaths, false, true, "", "", "", "", tc.PolicyPaths, false) - resps := buildPolicyReports(validateEngineResponses) + validateEngineResponses, _, _, _, info, _ := applyCommandHelper(tc.ResourcePaths, false, true, "", "", "", "", tc.PolicyPaths, false) + resps := buildPolicyReports(validateEngineResponses, info) for i, resp := range resps { compareSummary(tc.expectedPolicyReports[i].Summary, resp.UnstructuredContent()["summary"].(map[string]interface{})) } diff --git a/pkg/kyverno/apply/report.go b/pkg/kyverno/apply/report.go index b0ac120ed8..d8e4d49ccd 100644 --- a/pkg/kyverno/apply/report.go +++ b/pkg/kyverno/apply/report.go @@ -21,11 +21,11 @@ import ( const clusterpolicyreport = "clusterpolicyreport" // resps is the engine responses generated for a single policy -func buildPolicyReports(resps []*response.EngineResponse) (res []*unstructured.Unstructured) { +func buildPolicyReports(resps []*response.EngineResponse, pvInfos []policyreport.Info) (res []*unstructured.Unstructured) { var raw []byte var err error - resultsMap := buildPolicyResults(resps) + resultsMap := buildPolicyResults(resps, pvInfos) for scope, result := range resultsMap { if scope == clusterpolicyreport { report := &report.ClusterPolicyReport{ @@ -74,9 +74,8 @@ func buildPolicyReports(resps []*response.EngineResponse) (res []*unstructured.U // buildPolicyResults returns a string-PolicyReportResult map // the key of the map is one of "clusterpolicyreport", "policyreport-ns-" -func buildPolicyResults(resps []*response.EngineResponse) map[string][]*report.PolicyReportResult { +func buildPolicyResults(resps []*response.EngineResponse, infos []policyreport.Info) map[string][]*report.PolicyReportResult { results := make(map[string][]*report.PolicyReportResult) - infos := policyreport.GeneratePRsFromEngineResponse(resps, log.Log) now := metav1.Timestamp{Seconds: time.Now().Unix()} for _, info := range infos { diff --git a/pkg/kyverno/apply/report_test.go b/pkg/kyverno/apply/report_test.go index fd24c5fd74..625e4a60c4 100644 --- a/pkg/kyverno/apply/report_test.go +++ b/pkg/kyverno/apply/report_test.go @@ -72,7 +72,7 @@ var engineResponses = []*response.EngineResponse{ func Test_buildPolicyReports(t *testing.T) { os.Setenv("POLICY-TYPE", common.PolicyReport) - reports := buildPolicyReports(engineResponses) + reports := buildPolicyReports(engineResponses, nil) assert.Assert(t, len(reports) == 2, len(reports)) for _, report := range reports { @@ -97,7 +97,7 @@ func Test_buildPolicyReports(t *testing.T) { func Test_buildPolicyResults(t *testing.T) { os.Setenv("POLICY-TYPE", common.PolicyReport) - results := buildPolicyResults(engineResponses) + results := buildPolicyResults(engineResponses, nil) assert.Assert(t, len(results[clusterpolicyreport]) == 2, len(results[clusterpolicyreport])) assert.Assert(t, len(results["policyreport-ns-policy1-namespace"]) == 2, len(results["policyreport-ns-policy1-namespace"])) diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go index 7b9afbab34..53ce83f9ab 100644 --- a/pkg/kyverno/common/common.go +++ b/pkg/kyverno/common/common.go @@ -16,6 +16,7 @@ import ( "github.com/go-git/go-billy/v5" "github.com/go-logr/logr" v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1" + report "github.com/kyverno/kyverno/pkg/api/policyreport/v1alpha2" pkgcommon "github.com/kyverno/kyverno/pkg/common" client "github.com/kyverno/kyverno/pkg/dclient" "github.com/kyverno/kyverno/pkg/engine" @@ -25,6 +26,7 @@ import ( sanitizederror "github.com/kyverno/kyverno/pkg/kyverno/sanitizedError" "github.com/kyverno/kyverno/pkg/kyverno/store" "github.com/kyverno/kyverno/pkg/policymutation" + "github.com/kyverno/kyverno/pkg/policyreport" "github.com/kyverno/kyverno/pkg/utils" ut "github.com/kyverno/kyverno/pkg/utils" yamlv2 "gopkg.in/yaml.v2" @@ -514,7 +516,7 @@ func MutatePolices(policies []*v1.ClusterPolicy) ([]*v1.ClusterPolicy, error) { // ApplyPolicyOnResource - function to apply policy on resource func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unstructured, - mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, policyReport bool, namespaceSelectorMap map[string]map[string]string, stdin bool, rc *ResultCounts) (*response.EngineResponse, error) { + mutateLogPath string, mutateLogPathIsDir bool, variables map[string]string, policyReport bool, namespaceSelectorMap map[string]map[string]string, stdin bool, rc *ResultCounts) (*response.EngineResponse, policyreport.Info, error) { operationIsDelete := false @@ -539,7 +541,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst resourceNamespace := resource.GetNamespace() namespaceLabels = namespaceSelectorMap[resource.GetNamespace()] if resourceNamespace != "default" && len(namespaceLabels) < 1 { - return &response.EngineResponse{}, sanitizederror.NewWithError(fmt.Sprintf("failed to get namesapce labels for resource %s. use --values-file flag to pass the namespace labels", resource.GetName()), nil) + return &response.EngineResponse{}, policyreport.Info{}, sanitizederror.NewWithError(fmt.Sprintf("failed to get namesapce labels for resource %s. use --values-file flag to pass the namespace labels", resource.GetName()), nil) } } @@ -579,7 +581,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst if len(mutateResponse.PolicyResponse.Rules) > 0 { yamlEncodedResource, err := yamlv2.Marshal(mutateResponse.PatchedResource.Object) if err != nil { - return &response.EngineResponse{}, sanitizederror.NewWithError("failed to marshal", err) + return &response.EngineResponse{}, policyreport.Info{}, sanitizederror.NewWithError("failed to marshal", err) } if mutateLogPath == "" { @@ -594,7 +596,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst } else { err := PrintMutatedOutput(mutateLogPath, mutateLogPathIsDir, string(yamlEncodedResource), resource.GetName()+"-mutated") if err != nil { - return &response.EngineResponse{}, sanitizederror.NewWithError("failed to print mutated result", err) + return &response.EngineResponse{}, policyreport.Info{}, sanitizederror.NewWithError("failed to print mutated result", err) } fmt.Printf("\n\nMutation:\nMutation has been applied successfully. Check the files.") } @@ -612,34 +614,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst policyCtx := &engine.PolicyContext{Policy: *policy, NewResource: mutateResponse.PatchedResource, JSONContext: ctx, NamespaceLabels: namespaceLabels} validateResponse := engine.Validate(policyCtx) - printCount := 0 - if !policyReport { - for _, policyRule := range policy.Spec.Rules { - ruleFoundInEngineResponse := false - - for i, valResponseRule := range validateResponse.PolicyResponse.Rules { - if policyRule.Name == valResponseRule.Name { - ruleFoundInEngineResponse = true - if valResponseRule.Success { - rc.Pass++ - } else { - if printCount < 1 { - fmt.Printf("\npolicy %s -> resource %s failed: \n", policy.Name, resPath) - printCount++ - } - - fmt.Printf("%d. %s: %s \n", i+1, valResponseRule.Name, valResponseRule.Message) - rc.Fail++ - } - continue - } - } - - if !ruleFoundInEngineResponse { - rc.Skip++ - } - } - } + info := checkValidateEngineResponse(policy, validateResponse, resPath, rc) var policyHasGenerate bool for _, rule := range policy.Spec.Rules { @@ -673,7 +648,7 @@ func ApplyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst } } - return validateResponse, nil + return validateResponse, info, nil } // PrintMutatedOutput - function to print output in provided file or directory @@ -798,3 +773,65 @@ func GetResourceAccordingToResourcePath(fs billy.Filesystem, resourcePaths []str } return resources, err } + +func checkValidateEngineResponse(policy *v1.ClusterPolicy, validateResponse *response.EngineResponse, resPath string, rc *ResultCounts) policyreport.Info { + var violatedRules []v1.ViolatedRule + printCount := 0 + for _, policyRule := range policy.Spec.Rules { + ruleFoundInEngineResponse := false + + for i, valResponseRule := range validateResponse.PolicyResponse.Rules { + if policyRule.Name == valResponseRule.Name { + ruleFoundInEngineResponse = true + vrule := v1.ViolatedRule{ + Name: valResponseRule.Name, + Type: valResponseRule.Type, + Message: valResponseRule.Message, + } + + if valResponseRule.Success { + rc.Pass++ + vrule.Check = report.StatusPass + } else { + if printCount < 1 { + fmt.Printf("\npolicy %s -> resource %s failed: \n", policy.Name, resPath) + printCount++ + } + + fmt.Printf("%d. %s: %s \n", i+1, valResponseRule.Name, valResponseRule.Message) + rc.Fail++ + vrule.Check = report.StatusFail + } + violatedRules = append(violatedRules, vrule) + continue + } + } + + if !ruleFoundInEngineResponse { + rc.Skip++ + vruleSkip := v1.ViolatedRule{ + Name: policyRule.Name, + Type: "Validation", + Message: policyRule.Validation.Message, + Check: report.StatusSkip, + } + violatedRules = append(violatedRules, vruleSkip) + } + + } + return buildPVInfo(validateResponse, violatedRules) +} + +func buildPVInfo(er *response.EngineResponse, violatedRules []v1.ViolatedRule) policyreport.Info { + info := policyreport.Info{ + PolicyName: er.PolicyResponse.Policy.Name, + Namespace: er.PatchedResource.GetNamespace(), + Results: []policyreport.EngineResponseResult{ + { + Resource: er.GetResourceSpec(), + Rules: violatedRules, + }, + }, + } + return info +} diff --git a/pkg/kyverno/common/common_test.go b/pkg/kyverno/common/common_test.go index e0bfc3470f..6476443a71 100644 --- a/pkg/kyverno/common/common_test.go +++ b/pkg/kyverno/common/common_test.go @@ -85,7 +85,7 @@ func Test_NamespaceSelector(t *testing.T) { for _, tc := range testcases { policyArray, _ := ut.GetPolicy(tc.policy) resourceArray, _ := GetResource(tc.resource) - validateErs, _ := ApplyPolicyOnResource(policyArray[0], resourceArray[0], "", false, nil, false, tc.namespaceSelectorMap, false, nil) + validateErs, _, _ := ApplyPolicyOnResource(policyArray[0], resourceArray[0], "", false, nil, false, tc.namespaceSelectorMap, false, nil) assert.Assert(t, tc.success == validateErs.IsSuccessful()) } } diff --git a/pkg/kyverno/test/test_command.go b/pkg/kyverno/test/test_command.go index 76d52f7823..84b38181bd 100644 --- a/pkg/kyverno/test/test_command.go +++ b/pkg/kyverno/test/test_command.go @@ -394,7 +394,7 @@ func applyPoliciesFromPath(fs billy.Filesystem, policyBytes []byte, valuesFile s return sanitizederror.NewWithError(fmt.Sprintf("policy %s have variables. pass the values for the variables using set/values_file flag", policy.Name), err) } - validateErs, err := common.ApplyPolicyOnResource(policy, resource, "", false, thisPolicyResourceValues, true, namespaceSelectorMap, false, nil) + validateErs, _, err := common.ApplyPolicyOnResource(policy, resource, "", false, thisPolicyResourceValues, true, namespaceSelectorMap, false, nil) if err != nil { return sanitizederror.NewWithError(fmt.Errorf("failed to apply policy %v on resource %v", policy.Name, resource.GetName()).Error(), err) }