mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
Merge branch 'master' into refactor_webhookconfigGeneration
This commit is contained in:
Shivkumar Dudhani
GitHub
commit
b1e5f0a8c7
8 changed files with 159 additions and 23 deletions
|
|
@ -129,6 +129,22 @@ type PolicyStatus struct {
|
|||
AvgExecutionTimeValidation string `json:"averageValidationRulesExecutionTime"`
|
||||
// average time required to process the policy Validation rules on a resource
|
||||
AvgExecutionTimeGeneration string `json:"averageGenerationRulesExecutionTime"`
|
||||
// statistics per rule
|
||||
Rules []RuleStats `json:"ruleStatus`
|
||||
}
|
||||
|
||||
//RuleStats provides status per rule
|
||||
type RuleStats struct {
|
||||
// Rule name
|
||||
Name string `json:"ruleName"`
|
||||
// average time require to process the rule
|
||||
ExecutionTime string `json:"averageExecutionTime"`
|
||||
// Count of rules that were applied
|
||||
AppliedCount int `json:"appliedCount"`
|
||||
// Count of rules that failed
|
||||
ViolationCount int `json:"violationCount"`
|
||||
// Count of mutations
|
||||
MutationCount int `json:"mutationsCount"`
|
||||
}
|
||||
|
||||
// PolicyList is a list of Policy resources
|
||||
|
|
|
|||
|
|
@ -16,29 +16,29 @@ import (
|
|||
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
|
||||
)
|
||||
|
||||
// rawResource handles validating admission request
|
||||
// Checks the target resources for rules defined in the policy
|
||||
// TODO: pass in the unstructured object in stead of raw byte?
|
||||
func processOverlay(rule kyverno.Rule, rawResource []byte) ([][]byte, error) {
|
||||
var resource interface{}
|
||||
if err := json.Unmarshal(rawResource, &resource); err != nil {
|
||||
glog.V(4).Infof("unable to unmarshal resource : %v", err)
|
||||
return nil, err
|
||||
}
|
||||
// // rawResource handles validating admission request
|
||||
// // Checks the target resources for rules defined in the policy
|
||||
// // TODO: pass in the unstructured object in stead of raw byte?
|
||||
// func processOverlay(rule kyverno.Rule, rawResource []byte) ([][]byte, error) {
|
||||
// var resource interface{}
|
||||
// if err := json.Unmarshal(rawResource, &resource); err != nil {
|
||||
// glog.V(4).Infof("unable to unmarshal resource : %v", err)
|
||||
// return nil, err
|
||||
// }
|
||||
|
||||
resourceInfo := ParseResourceInfoFromObject(rawResource)
|
||||
patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
|
||||
if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
|
||||
// glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
|
||||
glog.Infof("Resource does not meet conditions in overlay pattern, resource=%s, rule=%s\n", resourceInfo, rule.Name)
|
||||
// patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
|
||||
// if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
|
||||
// glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
|
||||
// return nil, nil
|
||||
}
|
||||
// resourceInfo := ParseResourceInfoFromObject(rawResource)
|
||||
// patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
|
||||
// if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
|
||||
// // glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
|
||||
// glog.Infof("Resource does not meet conditions in overlay pattern, resource=%s, rule=%s\n", resourceInfo, rule.Name)
|
||||
// // patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
|
||||
// // if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
|
||||
// // glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
|
||||
// // return nil, nil
|
||||
// }
|
||||
|
||||
return patches, err
|
||||
}
|
||||
// return patches, err
|
||||
// }
|
||||
|
||||
// rawResource handles validating admission request
|
||||
// Checks the target resources for rules defined in the policy
|
||||
|
|
|
|||
|
|
@ -148,6 +148,18 @@ func applyPolicy(client *client.Client, resource unstructured.Unstructured, p ky
|
|||
ps.PolicyName = policyName
|
||||
ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
|
||||
ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
|
||||
// capture rule level stats
|
||||
for _, rule := range policyResponse.Rules {
|
||||
rs := policyctr.RuleStatinfo{}
|
||||
rs.RuleName = rule.Name
|
||||
rs.ExecutionTime = rule.RuleStats.ProcessingTime
|
||||
if rule.Success {
|
||||
rs.RuleAppliedCount++
|
||||
} else {
|
||||
rs.RulesFailedCount++
|
||||
}
|
||||
ps.Stats.Rules = append(ps.Stats.Rules, rs)
|
||||
}
|
||||
policyStats = append(policyStats, ps)
|
||||
}
|
||||
// send stats for aggregation
|
||||
|
|
|
|||
|
|
@ -29,6 +29,21 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
|
|||
ps.PolicyName = policyName
|
||||
ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
|
||||
ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
|
||||
// capture rule level stats
|
||||
for _, rule := range policyResponse.Rules {
|
||||
rs := RuleStatinfo{}
|
||||
rs.RuleName = rule.Name
|
||||
rs.ExecutionTime = rule.RuleStats.ProcessingTime
|
||||
if rule.Success {
|
||||
rs.RuleAppliedCount++
|
||||
} else {
|
||||
rs.RulesFailedCount++
|
||||
}
|
||||
if rule.Patches != nil {
|
||||
rs.MutationCount++
|
||||
}
|
||||
ps.Stats.Rules = append(ps.Stats.Rules, rs)
|
||||
}
|
||||
policyStats = append(policyStats, ps)
|
||||
}
|
||||
// send stats for aggregation
|
||||
|
|
|
|||
|
|
@ -466,15 +466,18 @@ func (pc *PolicyController) calculateStatus(policyName string, pvList []*kyverno
|
|||
}
|
||||
// get stats
|
||||
stats := pc.statusAggregator.GetPolicyStats(policyName)
|
||||
if stats != (PolicyStatInfo{}) {
|
||||
if !reflect.DeepEqual(stats, (PolicyStatInfo{})) {
|
||||
status.RulesAppliedCount = stats.RulesAppliedCount
|
||||
status.ResourcesBlockedCount = stats.ResourceBlocked
|
||||
status.AvgExecutionTimeMutation = stats.MutationExecutionTime.String()
|
||||
status.AvgExecutionTimeValidation = stats.ValidationExecutionTime.String()
|
||||
status.AvgExecutionTimeGeneration = stats.GenerationExecutionTime.String()
|
||||
// update rule stats
|
||||
status.Rules = convertRules(stats.Rules)
|
||||
}
|
||||
return status
|
||||
}
|
||||
|
||||
func (pc *PolicyController) getPolicyViolationsForPolicy(p *kyverno.ClusterPolicy) ([]*kyverno.ClusterPolicyViolation, error) {
|
||||
// List all PolicyViolation to find those we own but that no longer match our
|
||||
// selector. They will be orphaned by ClaimPolicyViolation().
|
||||
|
|
@ -892,3 +895,20 @@ func joinPatches(patches ...[]byte) []byte {
|
|||
result = append(result, []byte("\n]")...)
|
||||
return result
|
||||
}
|
||||
|
||||
// convertRules converts the internal rule stats to one used in policy.stats struct
|
||||
func convertRules(rules []RuleStatinfo) []kyverno.RuleStats {
|
||||
var stats []kyverno.RuleStats
|
||||
for _, r := range rules {
|
||||
stat := kyverno.RuleStats{
|
||||
Name: r.RuleName,
|
||||
ExecutionTime: r.ExecutionTime.String(),
|
||||
AppliedCount: r.RuleAppliedCount,
|
||||
ViolationCount: r.RulesFailedCount,
|
||||
MutationCount: r.MutationCount,
|
||||
}
|
||||
stats = append(stats, stat)
|
||||
}
|
||||
return stats
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -67,13 +67,19 @@ func (psa *PolicyStatusAggregator) aggregate(ps PolicyStat) {
|
|||
glog.V(4).Infof("write Unlock update policy %s", ps.PolicyName)
|
||||
psa.mux.Unlock()
|
||||
}()
|
||||
|
||||
if len(ps.Stats.Rules) == 0 {
|
||||
glog.V(4).Infof("ignoring stats, as no rule was applied")
|
||||
return
|
||||
}
|
||||
|
||||
info, ok := psa.policyData[ps.PolicyName]
|
||||
if !ok {
|
||||
psa.policyData[ps.PolicyName] = ps.Stats
|
||||
glog.V(4).Infof("added stats for policy %s", ps.PolicyName)
|
||||
return
|
||||
}
|
||||
// aggregate
|
||||
// aggregate policy information
|
||||
info.RulesAppliedCount = info.RulesAppliedCount + ps.Stats.RulesAppliedCount
|
||||
if ps.Stats.ResourceBlocked == 1 {
|
||||
info.ResourceBlocked++
|
||||
|
|
@ -97,11 +103,42 @@ func (psa *PolicyStatusAggregator) aggregate(ps PolicyStat) {
|
|||
} else {
|
||||
info.GenerationExecutionTime = ps.Stats.GenerationExecutionTime
|
||||
}
|
||||
// aggregate rule details
|
||||
info.Rules = aggregateRules(info.Rules, ps.Stats.Rules)
|
||||
// update
|
||||
psa.policyData[ps.PolicyName] = info
|
||||
glog.V(4).Infof("updated stats for policy %s", ps.PolicyName)
|
||||
}
|
||||
|
||||
func aggregateRules(old []RuleStatinfo, update []RuleStatinfo) []RuleStatinfo {
|
||||
glog.V(4).Info(update)
|
||||
var zeroDuration time.Duration
|
||||
searchRule := func(list []RuleStatinfo, key string) *RuleStatinfo {
|
||||
for _, v := range list {
|
||||
if v.RuleName == key {
|
||||
return &v
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
newRules := []RuleStatinfo{}
|
||||
// search for new rules in old rules and update it
|
||||
for _, updateR := range update {
|
||||
if updateR.ExecutionTime != zeroDuration {
|
||||
if rule := searchRule(old, updateR.RuleName); rule != nil {
|
||||
rule.ExecutionTime = (rule.ExecutionTime + updateR.ExecutionTime) / 2
|
||||
rule.RuleAppliedCount = rule.RuleAppliedCount + updateR.RuleAppliedCount
|
||||
rule.RulesFailedCount = rule.RulesFailedCount + updateR.RulesFailedCount
|
||||
rule.MutationCount = rule.MutationCount + updateR.MutationCount
|
||||
newRules = append(newRules, *rule)
|
||||
} else {
|
||||
newRules = append(newRules, updateR)
|
||||
}
|
||||
}
|
||||
}
|
||||
return newRules
|
||||
}
|
||||
|
||||
//GetPolicyStats returns the policy stats
|
||||
func (psa *PolicyStatusAggregator) GetPolicyStats(policyName string) PolicyStatInfo {
|
||||
func() {
|
||||
|
|
@ -148,6 +185,15 @@ type PolicyStatInfo struct {
|
|||
GenerationExecutionTime time.Duration
|
||||
RulesAppliedCount int
|
||||
ResourceBlocked int
|
||||
Rules []RuleStatinfo
|
||||
}
|
||||
|
||||
type RuleStatinfo struct {
|
||||
RuleName string
|
||||
ExecutionTime time.Duration
|
||||
RuleAppliedCount int
|
||||
RulesFailedCount int
|
||||
MutationCount int
|
||||
}
|
||||
|
||||
//SendStat sends the stat information for aggregation
|
||||
|
|
|
|||
|
|
@ -24,6 +24,21 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) (bool
|
|||
ps.PolicyName = policyName
|
||||
ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
|
||||
ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
|
||||
// capture rule level stats
|
||||
for _, rule := range policyResponse.Rules {
|
||||
rs := policyctr.RuleStatinfo{}
|
||||
rs.RuleName = rule.Name
|
||||
rs.ExecutionTime = rule.RuleStats.ProcessingTime
|
||||
if rule.Success {
|
||||
rs.RuleAppliedCount++
|
||||
} else {
|
||||
rs.RulesFailedCount++
|
||||
}
|
||||
if rule.Patches != nil {
|
||||
rs.MutationCount++
|
||||
}
|
||||
ps.Stats.Rules = append(ps.Stats.Rules, rs)
|
||||
}
|
||||
policyStats = append(policyStats, ps)
|
||||
}
|
||||
// send stats for aggregation
|
||||
|
|
|
|||
|
|
@ -26,6 +26,18 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pat
|
|||
ps.PolicyName = policyName
|
||||
ps.Stats.ValidationExecutionTime = policyResponse.ProcessingTime
|
||||
ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
|
||||
// capture rule level stats
|
||||
for _, rule := range policyResponse.Rules {
|
||||
rs := policyctr.RuleStatinfo{}
|
||||
rs.RuleName = rule.Name
|
||||
rs.ExecutionTime = rule.RuleStats.ProcessingTime
|
||||
if rule.Success {
|
||||
rs.RuleAppliedCount++
|
||||
} else {
|
||||
rs.RulesFailedCount++
|
||||
}
|
||||
ps.Stats.Rules = append(ps.Stats.Rules, rs)
|
||||
}
|
||||
policyStats = append(policyStats, ps)
|
||||
}
|
||||
// send stats for aggregation
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue