mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

add flag for policy reports (#7888)

* add flag for policy reports

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove logger param

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update launch

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove logging changes

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove logging changes

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* remove logging changes

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update Helm chart

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Jim Bugwadia 2023-07-25 21:22:51 -07:00 committed by GitHub
parent 51e479c819
commit be2abbeaa8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 32 additions and 5 deletions


@ -5,7 +5,8 @@
### Note
- Deprecated flag `--imageSignatureRepository`. Will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.
- Added `--aggregateReports` flag to reports controller to enable/disable aggregated reports (default value is `true`).
- Added `--aggregateReports` flag for reports controller to enable/disable aggregated reports (default value is `true`).
- Added `--policyReports` flag for reports controller to enable/disable policy reports (default value is `true`).
## v1.10.0


@ -292,6 +292,7 @@ The chart values are organised per component.
|-----|------|---------|-------------|
| features.admissionReports.enabled | bool | `true` | Enables the feature |
| features.aggregateReports.enabled | bool | `true` | Enables the feature |
| features.policyReports.enabled | bool | `true` | Enables the feature |
| features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature |
| features.backgroundScan.enabled | bool | `true` | Enables the feature |
| features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers |


@ -16,6 +16,9 @@
{{- with .aggregateReports -}}
{{- $flags = append $flags (print "--aggregateReports=" .enabled) -}}
{{- end -}}
{{- with .policyReports -}}
{{- $flags = append $flags (print "--policyReports=" .enabled) -}}
{{- end -}}
{{- with .autoUpdateWebhooks -}}
{{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}}
{{- end -}}


@ -110,6 +110,7 @@ spec:
{{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride)
"admissionReports"
"aggregateReports"
"policyReports"
"backgroundScan"
"configMapCaching"
"deferredLoading"


@ -349,6 +349,9 @@ features:
aggregateReports:
# -- Enables the feature
enabled: true
policyReports:
# -- Enables the feature
enabled: true
autoUpdateWebhooks:
# -- Enables the feature
enabled: true


@ -37,6 +37,7 @@ func createReportControllers(
backgroundScan bool,
admissionReports bool,
aggregateReports bool,
policyReports bool,
reportsChunkSize int,
backgroundScanWorkers int,
client dclient.Interface,
@ -107,6 +108,7 @@ func createReportControllers(
configuration,
jp,
eventGenerator,
policyReports,
),
backgroundScanWorkers,
))
@ -127,6 +129,7 @@ func createrLeaderControllers(
backgroundScan bool,
admissionReports bool,
aggregateReports bool,
policyReports bool,
reportsChunkSize int,
backgroundScanWorkers int,
kubeInformer kubeinformers.SharedInformerFactory,
@ -144,6 +147,7 @@ func createrLeaderControllers(
backgroundScan,
admissionReports,
aggregateReports,
policyReports,
reportsChunkSize,
backgroundScanWorkers,
dynamicClient,
@ -164,6 +168,7 @@ func main() {
backgroundScan bool
admissionReports bool
aggregateReports bool
policyReports bool
reportsChunkSize int
backgroundScanWorkers int
backgroundScanInterval time.Duration
@ -175,6 +180,7 @@ func main() {
flagset.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable background scan.")
flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
flagset.BoolVar(&aggregateReports, "aggregateReports", true, "Enable or disable aggregated policy reports.")
flagset.BoolVar(&policyReports, "policyReports", true, "Enable or disable policy reports.")
flagset.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
flagset.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
flagset.DurationVar(&backgroundScanInterval, "backgroundScanInterval", time.Hour, "Configure background scan interval.")
@ -268,6 +274,7 @@ func main() {
backgroundScan,
admissionReports,
aggregateReports,
policyReports,
reportsChunkSize,
backgroundScanWorkers,
kubeInformer,
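Review bot: The help text for the new `--policyReports` flag in main() does not say what turning it off actually does. Judging from the controller change in this same commit, the background scan still reconciles and only the final store step is skipped, so results that operators may rely on as audit evidence stop being written without any signal. I would make the description explicit, e.g. `flagset.BoolVar(&policyReports, "policyReports", true, "Enable or disable storing background scan results as policy reports.")`, and emit one startup log line when the flag is false so the reduced visibility is on record. main() and both create* functions start and end outside these hunks.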


@ -39203,6 +39203,7 @@ spec:
- --metricsPort=8000
- --admissionReports=true
- --aggregateReports=true
- --policyReports=true
- --backgroundScan=true
- --backgroundScanWorkers=2
- --backgroundScanInterval=1h


@ -63,9 +63,10 @@ type controller struct {
forceDelay time.Duration
// config
config config.Configuration
jp jmespath.Interface
eventGen event.Interface
config config.Configuration
jp jmespath.Interface
eventGen event.Interface
policyReports bool
}
func NewController(
@ -81,6 +82,7 @@ func NewController(
config config.Configuration,
jp jmespath.Interface,
eventGen event.Interface,
policyReports bool,
) controllers.Controller {
bgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("backgroundscanreports"))
cbgscanr := metadataFactory.ForResource(kyvernov1alpha2.SchemeGroupVersion.WithResource("clusterbackgroundscanreports"))
@ -100,6 +102,7 @@ func NewController(
config: config,
jp: jp,
eventGen: eventGen,
policyReports: policyReports,
}
controllerutils.AddDefaultEventHandlers(logger, bgscanr.Informer(), queue)
controllerutils.AddDefaultEventHandlers(logger, cbgscanr.Informer(), queue)
@ -303,7 +306,14 @@ func (c *controller) reconcileReport(
if full || !controllerutils.HasAnnotation(desired, annotationLastScanTime) {
controllerutils.SetAnnotation(desired, annotationLastScanTime, time.Now().Format(time.RFC3339))
}
// store report
if c.policyReports {
return c.storeReport(ctx, observed, desired)
}
return nil
}
func (c *controller) storeReport(ctx context.Context, observed, desired kyvernov1alpha2.ReportInterface) error {
var err error
hasReport := observed.GetResourceVersion() != ""
wantsReport := desired != nil && len(desired.GetResults()) != 0
if !hasReport && !wantsReport {
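Review bot: With `c.policyReports` false, reconcileReport returns nil before storeReport is reached, so a report that already exists for the resource (observed has a resource version) is neither updated nor removed. If the flag is turned off on a cluster that already has reports, the old results would presumably stay in place and keep presenting an outdated compliance state. Either clean up in that case or state the behaviour at the branch, e.g. `// policyReports disabled: results are not persisted and existing reports are left as they are`. storeReport continues past the end of this hunk, so its delete/update handling is not visible here.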