fix: policy report generation for namespaced policies in CLI (#10923)

* fix policy report generation for namespaced policies Signed-off-by: asr2003 <162500856+asr2003@users.noreply.github.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: asr2003 <162500856+asr2003@users.noreply.github.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-09-10 18:20:53 +05:30 · 2024-09-10 18:20:53 +05:30 · bcf6075fd1
commit bcf6075fd1
parent b79e588ff5
3 changed files with 58 additions and 3 deletions
--- a/cmd/cli/kubectl-kyverno/_testdata/policies/namespace-policy.yaml
+++ b/cmd/cli/kubectl-kyverno/_testdata/policies/namespace-policy.yaml
@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-namespace-labels
+  namespace: test
+spec:
+  rules:
+  - name: check-for-label
+    match:
+      resources:
+        kinds:
+        - Namespace
+    validate:
+      message: "Namespaces must have the label `purpose`."
+      pattern:
+        metadata:
+          labels:
+            purpose: "?*"
--- a/cmd/cli/kubectl-kyverno/commands/apply/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go
@ -347,13 +347,18 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
 		ers, err := processor.ApplyPoliciesOnResource()
 		if err != nil {
 			if c.ContinueOnFail {
-				fmt.Printf("failed to apply policies on resource %v (%v)\n", resource.GetName(), err)
+				log.Log.Info(fmt.Sprintf("failed to apply policies on resource %s (%s)\n", resource.GetName(), err.Error()))
 				continue
 			}
-			return &rc, resources, responses, fmt.Errorf("failed to apply policies on resource %v (%w)", resource.GetName(), err)
+			return &rc, resources, responses, fmt.Errorf("failed to apply policies on resource %s (%w)", resource.GetName(), err)
 		}
 		responses = append(responses, ers...)
 	}
+	for _, policy := range validPolicies {
+		if policy.GetNamespace() == "" && policy.GetKind() == "Policy" {
+			log.Log.Info(fmt.Sprintf("Policy %s has no namespace detected. Ensure that namespaced policies are correctly loaded.", policy.GetNamespace()))
+		}
+	}
 	return &rc, resources, responses, nil
 }

@ -415,8 +420,12 @@ func (c *ApplyCommandConfig) loadPolicies(skipInvalidPolicies SkippedInvalidPoli
 				vapBindings = append(vapBindings, loaderResults.VAPBindings...)
 			}
 		}
+		for _, policy := range policies {
+			if policy.GetNamespace() == "" && policy.GetKind() == "Policy" {
+				log.Log.V(3).Info(fmt.Sprintf("Namespace is empty for a namespaced Policy %s. This might cause incorrect report generation.", policy.GetNamespace()))
+			}
+		}
 	}
-
 	return nil, nil, skipInvalidPolicies, nil, policies, vaps, vapBindings, nil
 }

--- a/cmd/cli/kubectl-kyverno/report/report_test.go
+++ b/cmd/cli/kubectl-kyverno/report/report_test.go
@ -348,3 +348,31 @@ func TestComputePolicyReportResultsPerPolicy(t *testing.T) {
 		})
 	}
 }
+
+func TestNamespacedPolicyReportGeneration(t *testing.T) {
+	results, err := policy.Load(nil, "", "../_testdata/policies/namespace-policy.yaml")
+	assert.NilError(t, err)
+	assert.Equal(t, len(results.Policies), 1)
+	policy := results.Policies[0]
+
+	er := engineapi.EngineResponse{}
+	er = er.WithPolicy(engineapi.NewKyvernoPolicy(policy))
+	er.PolicyResponse.Add(
+		engineapi.ExecutionStats{},
+		*engineapi.RuleFail(
+			"validate-pod",
+			engineapi.Validation,
+			"validation error: Pods must have a label `app`.",
+			nil,
+		),
+	)
+
+	clustered, namespaced := ComputePolicyReports(false, er)
+
+	assert.Equal(t, len(clustered), 0)
+	assert.Equal(t, len(namespaced), 1)
+
+	report := namespaced[0]
+	assert.Equal(t, report.GetNamespace(), policy.GetNamespace())
+	assert.Equal(t, report.Kind, "PolicyReport")
+}