integrate with pv genreator

main.go

@@ -107,7 +107,7 @@ func main() {
 
 	// POLICY VIOLATION GENERATOR
 	// -- generate policy violation
-	pvgen := policyviolation.NewPVGenerator(pclient, pInformer.Kyverno().V1alpha1().ClusterPolicyViolations().Lister())
+	pvgen := policyviolation.NewPVGenerator(pclient, pInformer.Kyverno().V1alpha1().ClusterPolicyViolations().Lister(), pInformer.Kyverno().V1alpha1().NamespacedPolicyViolations().Lister())
 
 	// POLICY CONTROLLER
 	// - reconciliation policy and policy violation

pkg/policyviolation/generator.go

@@ -10,7 +10,7 @@ import (
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
-	pvInterface "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha1"
+	kyvernov1alpha1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1alpha1"
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
@@ -27,8 +27,9 @@ const workQueueRetryLimit = 3
 //Generator creates PV
 type Generator struct {
 	dclient     *dclient.Client
-	pvInterface pvInterface.ClusterPolicyViolationInterface
+	pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface
 	pvLister    kyvernolister.ClusterPolicyViolationLister
+	nspvLister  kyvernolister.NamespacedPolicyViolationLister
 	queue       workqueue.RateLimitingInterface
 	dataStore   *dataStore
 }
@@ -93,10 +94,12 @@ type GeneratorInterface interface {
 
 // NewPVGenerator returns a new instance of policy violation generator
 func NewPVGenerator(client *kyvernoclient.Clientset,
-	pvLister kyvernolister.ClusterPolicyViolationLister) *Generator {
+	pvLister kyvernolister.ClusterPolicyViolationLister,
+	nspvLister kyvernolister.NamespacedPolicyViolationLister) *Generator {
 	gen := Generator{
-		pvInterface: client.KyvernoV1alpha1().ClusterPolicyViolations(),
+		pvInterface: client.KyvernoV1alpha1(),
 		pvLister:    pvLister,
+		nspvLister:  nspvLister,
 		queue:       workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), workQueueName),
 		dataStore:   NewDataStore(),
 	}
@@ -195,26 +198,40 @@ func (gen *Generator) processNextWorkitem() bool {
 }
 
 func (gen *Generator) syncHandler(info Info) error {
-	var pvs []kyverno.ClusterPolicyViolation
-	if !info.Blocked {
-		pvs = append(pvs, buildPV(info))
-	} else {
-		// blocked
-		// get owners
-		pvs = buildPVWithOwners(gen.dclient, info)
+	// cluster policy violations
+	if info.Resource.GetNamespace() == "" {
+		var pvs []kyverno.ClusterPolicyViolation
+		if !info.Blocked {
+			pvs = append(pvs, buildPV(info))
+		} else {
+			// blocked
+			// get owners
+			pvs = buildPVWithOwners(gen.dclient, info)
+		}
+		// create policy violation
+		createPVS(pvs, gen.pvLister, gen.pvInterface)
+		return nil
 	}
-	// create policy violation
-	createPVS(pvs, gen.pvLister, gen.pvInterface)
+
+	// namespaced policy violations
+	var pvs []kyverno.NamespacedPolicyViolation
+	if !info.Blocked {
+		pvs = append(pvs, buildNamespacedPV(info))
+	} else {
+		pvs = buildNamespacedPVWithOwner(gen.dclient, info)
+	}
+
+	createNamespacedPV(gen.nspvLister, gen.pvInterface, pvs)
 	return nil
 }
 
-func createPVS(pvs []kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface pvInterface.ClusterPolicyViolationInterface) {
+func createPVS(pvs []kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface) {
 	for _, pv := range pvs {
 		createPVNew(pv, pvLister, pvInterface)
 	}
 }
 
-func createPVNew(pv kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface pvInterface.ClusterPolicyViolationInterface) error {
+func createPVNew(pv kyverno.ClusterPolicyViolation, pvLister kyvernolister.ClusterPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface) error {
 	var err error
 	// PV already exists
 	ePV, err := getExistingPVIfAny(pvLister, pv)
@@ -225,7 +242,7 @@ func createPVNew(pv kyverno.ClusterPolicyViolation, pvLister kyvernolister.Clust
 	if ePV == nil {
 		// Create a New PV
 		glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", pv.Spec.Policy, pv.Spec.ResourceSpec.Kind, pv.Spec.ResourceSpec.Namespace, pv.Spec.ResourceSpec.Name)
-		_, err = pvInterface.Create(&pv)
+		_, err = pvInterface.ClusterPolicyViolations().Create(&pv)
 		if err != nil {
 			glog.Error(err)
 			return err
@@ -239,7 +256,7 @@ func createPVNew(pv kyverno.ClusterPolicyViolation, pvLister kyvernolister.Clust
 		return nil
 	}
 
-	_, err = pvInterface.Update(&pv)
+	_, err = pvInterface.ClusterPolicyViolations().Update(&pv)
 	if err != nil {
 		glog.Error(err)
 		return err

pkg/policyviolation/namespacedpv.go

@@ -7,6 +7,7 @@ import (
 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
 	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
+	kyvernov1alpha1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/kyverno/v1alpha1"
 	kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1alpha1"
 	dclient "github.com/nirmata/kyverno/pkg/dclient"
 	engine "github.com/nirmata/kyverno/pkg/engine"
@@ -14,54 +15,53 @@ import (
 )
 
 func CreateNamespacePV(pvLister kyvernolister.NamespacedPolicyViolationLister, client *kyvernoclient.Clientset, engineResponses []engine.EngineResponse) {
-	var pvs []kyverno.NamespacedPolicyViolation
-	for _, er := range engineResponses {
-		// ignore creation of PV for resoruces that are yet to be assigned a name
-		if er.PolicyResponse.Resource.Name == "" {
-			glog.V(4).Infof("resource %v, has not been assigned a name, not creating a namespace policy violation for it", er.PolicyResponse.Resource)
-			continue
-		}
+	// var pvs []kyverno.NamespacedPolicyViolation
+	// for _, er := range engineResponses {
+	// 	// ignore creation of PV for resoruces that are yet to be assigned a name
+	// 	if er.PolicyResponse.Resource.Name == "" {
+	// 		glog.V(4).Infof("resource %v, has not been assigned a name, not creating a namespace policy violation for it", er.PolicyResponse.Resource)
+	// 		continue
+	// 	}
 
-		if !er.IsSuccesful() {
-			glog.V(4).Infof("Building namespace policy violation for engine response %v", er)
-			if pv := buildNamespacedPVForPolicy(er); !reflect.DeepEqual(pv, kyverno.NamespacedPolicyViolation{}) {
-				pvs = append(pvs, pv)
-			}
-		}
-	}
+	// 	if !er.IsSuccesful() {
+	// 		glog.V(4).Infof("Building namespace policy violation for engine response %v", er)
+	// 		if pv := buildNamespacedPVForPolicy(er); !reflect.DeepEqual(pv, kyverno.NamespacedPolicyViolation{}) {
+	// 			pvs = append(pvs, pv)
+	// 		}
+	// 	}
+	// }
 
-	createNamespacedPV(pvLister, client, pvs)
+	// createNamespacedPV(pvLister, client, pvs)
 }
 
 // CreateNamespacedPVWhenBlocked creates pv on resource owner only when admission request is denied
 func CreateNamespacedPVWhenBlocked(pvLister kyvernolister.NamespacedPolicyViolationLister, client *kyvernoclient.Clientset,
 	dclient *dclient.Client, engineResponses []engine.EngineResponse) {
-	var pvs []kyverno.NamespacedPolicyViolation
-	for _, er := range engineResponses {
-		// child resource is not created in this case thus it won't have a name
-		glog.V(4).Infof("Building policy violation for denied admission request, engineResponse: %v", er)
-		if pvList := buildNamespacedPVWithOwner(dclient, er); len(pvList) != 0 {
-			pvs = append(pvs, pvList...)
-			glog.V(3).Infof("Built policy violation for denied admission request %s/%s/%s",
-				er.PatchedResource.GetKind(), er.PatchedResource.GetNamespace(), er.PatchedResource.GetName())
-		}
-	}
-	createNamespacedPV(pvLister, client, pvs)
+	// var pvs []kyverno.NamespacedPolicyViolation
+	// for _, er := range engineResponses {
+	// 	// child resource is not created in this case thus it won't have a name
+	// 	glog.V(4).Infof("Building policy violation for denied admission request, engineResponse: %v", er)
+	// 	if pvList := buildNamespacedPVWithOwner(dclient, er); len(pvList) != 0 {
+	// 		pvs = append(pvs, pvList...)
+	// 		glog.V(3).Infof("Built policy violation for denied admission request %s/%s/%s",
+	// 			er.PatchedResource.GetKind(), er.PatchedResource.GetNamespace(), er.PatchedResource.GetName())
+	// 	}
+	// }
+	// createNamespacedPV(pvLister, client, pvs)
 }
 
-func buildNamespacedPVForPolicy(er engine.EngineResponse) kyverno.NamespacedPolicyViolation {
-	pvResourceSpec := kyverno.ResourceSpec{
-		Kind:      er.PolicyResponse.Resource.Kind,
-		Namespace: er.PolicyResponse.Resource.Namespace,
-		Name:      er.PolicyResponse.Resource.Name,
-	}
-
-	violatedRules := newViolatedRules(er, "")
-	return buildNamespacedPolicyViolation(er.PolicyResponse.Policy, pvResourceSpec, violatedRules)
+func buildNamespacedPV(info Info) kyverno.NamespacedPolicyViolation {
+	return buildNamespacedPVObj(info.PolicyName,
+		kyverno.ResourceSpec{
+			Kind:      info.Resource.GetKind(),
+			Namespace: info.Resource.GetNamespace(),
+			Name:      info.Resource.GetName(),
+		},
+		info.Rules)
 }
 
-//buildNamespacedPolicyViolation returns an value of type PolicyViolation
-func buildNamespacedPolicyViolation(policy string, resource kyverno.ResourceSpec, fRules []kyverno.ViolatedRule) kyverno.NamespacedPolicyViolation {
+//buildNamespacedPVObj returns an value of type PolicyViolation
+func buildNamespacedPVObj(policy string, resource kyverno.ResourceSpec, fRules []kyverno.ViolatedRule) kyverno.NamespacedPolicyViolation {
 	pv := kyverno.NamespacedPolicyViolation{
 		Spec: kyverno.PolicyViolationSpec{
 			Policy:        policy,
@@ -69,41 +69,33 @@ func buildNamespacedPolicyViolation(policy string, resource kyverno.ResourceSpec
 			ViolatedRules: fRules,
 		},
 	}
-	//TODO: check if this can be removed or use unstructured?
 
-	// pv.SetGroupVersionKind(kyverno.SchemeGroupVersion.WithKind("NamespacedPolicyViolation"))
 	pv.SetGenerateName("pv-")
 	return pv
 }
 
-func buildNamespacedPVWithOwner(dclient *dclient.Client, er engine.EngineResponse) (pvs []kyverno.NamespacedPolicyViolation) {
-	msg := fmt.Sprintf("Request Blocked for resource %s/%s; ", er.PolicyResponse.Resource.Namespace, er.PolicyResponse.Resource.Kind)
-	violatedRules := newViolatedRules(er, msg)
-
+func buildNamespacedPVWithOwner(dclient *dclient.Client, info Info) (pvs []kyverno.NamespacedPolicyViolation) {
 	// create violation on resource owner (if exist) when action is set to enforce
-	owners := GetOwners(dclient, er.PatchedResource)
+	ownerMap := map[kyverno.ResourceSpec]interface{}{}
+	getOwner(dclient, ownerMap, info.Resource)
 
 	// standaloneresource, set pvResourceSpec with resource itself
-	if len(owners) == 0 {
+	if len(ownerMap) == 0 {
 		pvResourceSpec := kyverno.ResourceSpec{
-			Namespace: er.PolicyResponse.Resource.Namespace,
-			Kind:      er.PolicyResponse.Resource.Kind,
-			Name:      er.PolicyResponse.Resource.Name,
+			Namespace: info.Resource.GetNamespace(),
+			Kind:      info.Resource.GetKind(),
+			Name:      info.Resource.GetName(),
 		}
-		return append(pvs, buildNamespacedPolicyViolation(er.PolicyResponse.Policy, pvResourceSpec, violatedRules))
+		return append(pvs, buildNamespacedPVObj(info.PolicyName, pvResourceSpec, info.Rules))
 	}
 
-	for _, owner := range owners {
-		pvs = append(pvs, buildNamespacedPolicyViolation(er.PolicyResponse.Policy, owner, violatedRules))
+	for owner := range ownerMap {
+		pvs = append(pvs, buildNamespacedPVObj(info.PolicyName, owner, info.Rules))
 	}
 	return
 }
 
-func createNamespacedPV(pvLister kyvernolister.NamespacedPolicyViolationLister, client *kyvernoclient.Clientset, pvs []kyverno.NamespacedPolicyViolation) {
-	if len(pvs) == 0 {
-		return
-	}
-
+func createNamespacedPV(pvLister kyvernolister.NamespacedPolicyViolationLister, pvInterface kyvernov1alpha1.KyvernoV1alpha1Interface, pvs []kyverno.NamespacedPolicyViolation) {
 	for _, newPv := range pvs {
 		glog.V(4).Infof("creating namespaced policyViolation resource for policy %s and resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
 		// check if there was a previous policy voilation for policy & resource combination
@@ -116,7 +108,7 @@ func createNamespacedPV(pvLister kyvernolister.NamespacedPolicyViolationLister,
 		if curPv == nil {
 			glog.V(4).Infof("creating new namespaced policy violation for policy %s & resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
 			// no existing policy violation, create a new one
-			_, err := client.KyvernoV1alpha1().NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Create(&newPv)
+			_, err := pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Create(&newPv)
 			if err != nil {
 				glog.Error(err)
 			} else {
@@ -135,7 +127,7 @@ func createNamespacedPV(pvLister kyvernolister.NamespacedPolicyViolationLister,
 		glog.V(4).Infof("creating new policy violation for policy %s & resource %s", curPv.Spec.Policy, curPv.Spec.ResourceSpec.ToKey())
 		//TODO: using a generic name, but would it be helpful to have naming convention for policy violations
 		// as we can only have one policy violation for each (policy + resource) combination
-		_, err = client.KyvernoV1alpha1().NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Update(&newPv)
+		_, err = pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Update(&newPv)
 		if err != nil {
 			glog.Error(err)
 			continue

pkg/webhooks/validation.go

@@ -106,6 +106,7 @@ func (ws *WebhookServer) handleValidation(request *v1beta1.AdmissionRequest, pat
 	// violations are created with resource owner(if exist) on "enforce"
 	// and if there are any then we dont block the resource creation
 	// Even if one the policy being applied
+
 	blocked := toBlockResource(engineResponses)
 	if !isResponseSuccesful(engineResponses) && blocked {
 		glog.V(4).Infof("resource %s/%s/%s is blocked\n", resource.GetKind(), resource.GetNamespace(), resource.GetName())
@@ -116,6 +117,7 @@ func (ws *WebhookServer) handleValidation(request *v1beta1.AdmissionRequest, pat
 	}
 	// ADD POLICY VIOLATIONS
 	// violations are created with resource on "audit"
+
 	pvInfos := generatePV(engineResponses, blocked)
 	ws.pvGenerator.Add(pvInfos...)
 	sendStat(false)