mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
added rule for skipped policy in policy report
This commit is contained in:
NoSkillGirl
parent
59f9709189
commit
98fd08e6ad
3 changed files with 91 additions and 35 deletions
|
|
@ -55,6 +55,7 @@ type Values struct {
|
|||
|
||||
type SkippedPolicy struct {
|
||||
Name string `json:"name"`
|
||||
Rules []v1.Rule `json:"rules`
|
||||
Variable string `json:"variable"`
|
||||
}
|
||||
|
||||
|
|
@ -69,7 +70,50 @@ func Command() *cobra.Command {
|
|||
cmd = &cobra.Command{
|
||||
Use: "apply",
|
||||
Short: "applies policies on resources",
|
||||
Example: fmt.Sprintf("To apply on a resource:\nkyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resource1 --resource=/path/to/resource2\n\nTo apply on a cluster\nkyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --cluster"),
|
||||
Example: fmt.Sprintf(`
|
||||
To apply on a resource:
|
||||
kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resource1 --resource=/path/to/resource2
|
||||
|
||||
To apply on a cluster:
|
||||
kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --cluster
|
||||
|
||||
|
||||
To apply policy with variables:
|
||||
|
||||
1. To apply single policy with variable on single resource use flag "set".
|
||||
Example:
|
||||
kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml --set <variable1>=<value1>,<variable2>=<value2>
|
||||
|
||||
2. To apply multiple policy with variable on multiple resource use flag "values_file".
|
||||
Example:
|
||||
kyverno apply /path/to/policy1.yaml /path/to/policy2.yaml --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml -f /path/to/value.yaml
|
||||
|
||||
Format of value.yaml:
|
||||
|
||||
policies:
|
||||
- name: <policy1 name>
|
||||
resources:
|
||||
- name: <resource1 name>
|
||||
values:
|
||||
<variable1 in policy1>: <value>
|
||||
<variable2 in policy1>: <value>
|
||||
- name: <resource2 name>
|
||||
values:
|
||||
<variable1 in policy1>: <value>
|
||||
<variable2 in policy1>: <value>
|
||||
- name: <policy2 name>
|
||||
resources:
|
||||
- name: <resource1 name>
|
||||
values:
|
||||
<variable1 in policy2>: <value>
|
||||
<variable2 in policy2>: <value>
|
||||
- name: <resource2 name>
|
||||
values:
|
||||
<variable1 in policy2>: <value>
|
||||
<variable2 in policy2>: <value>
|
||||
|
||||
More info: https://kyverno.io/docs/kyverno-cli/
|
||||
`),
|
||||
RunE: func(cmd *cobra.Command, policyPaths []string) (err error) {
|
||||
defer func() {
|
||||
if err != nil {
|
||||
|
|
@ -140,7 +184,7 @@ func Command() *cobra.Command {
|
|||
}
|
||||
}
|
||||
|
||||
resources, err := getResourceAccordingToResourcePath(resourcePaths, cluster, mutatedPolicies, dClient, namespace)
|
||||
resources, err := getResourceAccordingToResourcePath(resourcePaths, cluster, mutatedPolicies, dClient, namespace, policyReport)
|
||||
if err != nil {
|
||||
fmt.Printf("Error: failed to load resources\nCause: %s\n", err)
|
||||
os.Exit(1)
|
||||
|
|
@ -179,6 +223,7 @@ func Command() *cobra.Command {
|
|||
if len(matches) > 0 && variablesString == "" && valuesFile == "" {
|
||||
skipPolicy := SkippedPolicy{
|
||||
Name: policy.GetName(),
|
||||
Rules: policy.Spec.Rules,
|
||||
Variable: variable,
|
||||
}
|
||||
skippedPolicies = append(skippedPolicies, skipPolicy)
|
||||
|
|
@ -287,7 +332,7 @@ func checkMutateLogPath(mutateLogPath string) (mutateLogPathIsDir bool, err erro
|
|||
}
|
||||
|
||||
// getResourceAccordingToResourcePath - get resources according to the resource path
|
||||
func getResourceAccordingToResourcePath(resourcePaths []string, cluster bool, policies []*v1.ClusterPolicy, dClient *client.Client, namespace string) (resources []*unstructured.Unstructured, err error) {
|
||||
func getResourceAccordingToResourcePath(resourcePaths []string, cluster bool, policies []*v1.ClusterPolicy, dClient *client.Client, namespace string, policyReport bool) (resources []*unstructured.Unstructured, err error) {
|
||||
if len(resourcePaths) > 0 && resourcePaths[0] == "-" {
|
||||
if common.IsInputFromPipe() {
|
||||
resourceStr := ""
|
||||
|
|
@ -303,7 +348,7 @@ func getResourceAccordingToResourcePath(resourcePaths []string, cluster bool, po
|
|||
}
|
||||
}
|
||||
} else if (len(resourcePaths) > 0 && resourcePaths[0] != "-") || len(resourcePaths) < 0 || cluster {
|
||||
resources, err = common.GetResources(policies, resourcePaths, dClient, cluster, namespace)
|
||||
resources, err = common.GetResources(policies, resourcePaths, dClient, cluster, namespace, policyReport)
|
||||
if err != nil {
|
||||
return resources, err
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,10 +23,12 @@ func buildPolicyReports(resps []response.EngineResponse, skippedPolicies []Skipp
|
|||
var err error
|
||||
|
||||
for _, sp := range skippedPolicies {
|
||||
for _, r := range sp.Rules {
|
||||
result := []*report.PolicyReportResult{
|
||||
{
|
||||
Message: fmt.Sprintln("policy skipped. policy has variable -", sp.Variable),
|
||||
Message: fmt.Sprintln("skipped policy with variables -", sp.Variable),
|
||||
Policy: sp.Name,
|
||||
Rule: r.Name,
|
||||
Status: "skip",
|
||||
},
|
||||
}
|
||||
|
|
@ -52,6 +54,7 @@ func buildPolicyReports(resps []response.EngineResponse, skippedPolicies []Skipp
|
|||
|
||||
res = append(res, reportUnstructured)
|
||||
}
|
||||
}
|
||||
|
||||
resultsMap := buildPolicyResults(resps)
|
||||
for scope, result := range resultsMap {
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ import (
|
|||
// the resources are fetched from
|
||||
// - local paths to resources, if given
|
||||
// - the k8s cluster, if given
|
||||
func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient *client.Client, cluster bool, namespace string) ([]*unstructured.Unstructured, error) {
|
||||
func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient *client.Client, cluster bool, namespace string, policyReport bool) ([]*unstructured.Unstructured, error) {
|
||||
resources := make([]*unstructured.Unstructured, 0)
|
||||
var err error
|
||||
var resourceTypesMap = make(map[string]bool)
|
||||
|
|
@ -63,7 +63,11 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
|
|||
}
|
||||
}
|
||||
if lenOfResource >= len(resources) {
|
||||
if policyReport {
|
||||
log.Log.V(3).Info(fmt.Sprintf("%s not found in cluster", resourcePath))
|
||||
} else {
|
||||
fmt.Printf("\n----------------------------------------------------------------------\nresource %s not found in cluster\n----------------------------------------------------------------------\n", resourcePath)
|
||||
}
|
||||
return nil, errors.New(fmt.Sprintf("%s not found in cluster", resourcePath))
|
||||
}
|
||||
}
|
||||
|
|
@ -72,7 +76,11 @@ func GetResources(policies []*v1.ClusterPolicy, resourcePaths []string, dClient
|
|||
for _, resourcePath := range resourcePaths {
|
||||
resourceBytes, err := getFileBytes(resourcePath)
|
||||
if err != nil {
|
||||
if policyReport {
|
||||
log.Log.V(3).Info(fmt.Sprintf("failed to load resources: %s.", resourcePath), "error", err)
|
||||
} else {
|
||||
fmt.Printf("\n----------------------------------------------------------------------\nfailed to load resources: %s. \nerror: %s\n----------------------------------------------------------------------\n", resourcePath, err)
|
||||
}
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue