diff --git a/pkg/event/msgbuilder.go b/pkg/event/msgbuilder.go
index 364f4483e7..70eb1fdda7 100644
--- a/pkg/event/msgbuilder.go
+++ b/pkg/event/msgbuilder.go
@@ -16,7 +16,7 @@ const (
 SRulesApply
 FPolicyApplyBlockCreate
 FPolicyApplyBlockUpdate
- FPolicyApplyBlockUpdateRule
+ FPolicyBlockResourceUpdate
 )
 func (k MsgKey) String() string {
@@ -25,9 +25,9 @@ func (k MsgKey) String() string {
 "Failed to process rule '%s' of policy '%s'. Created Policy Violation",
 "Policy applied successfully on the resource '%s'",
 "Rule(s) '%s' of Policy '%s' applied successful",
- "Resource %s blocked by rule(s) %s",
- "Failed to apply rule '%s' of policy '%s' Blocked update of the resource",
- "Failed to apply policy on resource '%s'.Blocked update of the resource. The following rules '%s' failed to apply",
+ "Resource %s creation blocked by rule(s) %s",
+ "Rule(s) '%s' of policy '%s' blocked update of the resource",
+ "Resource %s update blocked by rule(s) %s",
 }[k]
 }
diff --git a/pkg/webhooks/registration.go b/pkg/webhooks/registration.go
index 710940df80..31235e335c 100644
--- a/pkg/webhooks/registration.go
+++ b/pkg/webhooks/registration.go
@@ -202,6 +202,7 @@ func constructWebhook(name, servicePath string, caData []byte) admregapi.Webhook
 admregapi.RuleWithOperations{
 Operations: []admregapi.OperationType{
 admregapi.Create,
+ admregapi.Update,
 },
 Rule: admregapi.Rule{
 APIGroups: []string{
@@ -230,6 +231,7 @@ func constructDebugWebhook(name, url string, caData []byte) admregapi.Webhook {
 admregapi.RuleWithOperations{
 Operations: []admregapi.OperationType{
 admregapi.Create,
+ admregapi.Update,
 },
 Rule: admregapi.Rule{
 APIGroups: []string{
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index ced69dd3ec..2e7af869e4 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
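Review bot: In pkg/event/msgbuilder.go the second hunk rewrites format strings that are selected purely by position in the literal indexed with `[k]`, and whose verbs are filled positionally by the callers of `event.NewEvent`; nothing in the code ties a constant to its string or to its argument order. Assuming the entries above the hunk line up with the constants, the new strings take (rules, policy) for `FPolicyApplyBlockUpdate` but (resource, rules) for `FPolicyBlockResourceUpdate`, so a per-entry comment such as `// FPolicyBlockResourceUpdate: resource name, rule names` would make a swapped call visible in review. The two new resource messages print `%s` unquoted while the neighbouring entries use `'%s'`; quoting keeps an empty name noticeable in the event text. String() begins outside the hunk.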
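Review bot: In pkg/webhooks/registration.go, adding `admregapi.Update` in constructWebhook (and in the matching hunk for constructDebugWebhook) makes every update of the matched resources depend on this webhook, so the failure policy and timeout set on the `admregapi.Webhook` decide whether an unreachable webhook lets updates through unchecked or rejects them; neither field is visible in these hunks and should be confirmed. It is also worth checking that registration replaces an already existing webhook configuration on upgrade, otherwise clusters registered before this change would keep intercepting CREATE only. The two constructors now repeat the same operations list, and a shared package-level slice would keep them from drifting apart. Both function bodies continue outside the hunks.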
@@ -183,7 +183,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
 policyInfos = append(policyInfos, policyInfo)
 }
- eventsInfo := newEventInfoFromPolicyInfo(policyInfos)
+ eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
 ws.eventController.Add(eventsInfo)
 ok, msg := isAdmSuccesful(policyInfos)
@@ -272,7 +272,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
 policyInfos = append(policyInfos, policyInfo)
 }
- eventsInfo := newEventInfoFromPolicyInfo(policyInfos)
+ eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
 ws.eventController.Add(eventsInfo)
 // If Validation fails then reject the request
@@ -385,10 +385,28 @@ func (ws *WebhookServer) bodyToAdmissionReview(request *http.Request, writer htt
 const policyKind = "Policy"
-func newEventInfoFromPolicyInfo(policyInfoList []*info.PolicyInfo) []*event.Info {
+func newEventInfoFromPolicyInfo(policyInfoList []*info.PolicyInfo, onUpdate bool) []*event.Info {
 var eventsInfo []*event.Info
 ok, msg := isAdmSuccesful(policyInfoList)
+ // create events on operation UPDATE
+ if onUpdate {
+ if !ok {
+ for _, pi := range policyInfoList {
+ ruleNames := getRuleNames(*pi, false)
+ eventsInfo = append(eventsInfo,
+ event.NewEvent(pi.RKind, pi.RNamespace, pi.RName, event.RequestBlocked, event.FPolicyApplyBlockUpdate, ruleNames, pi.Name))
+
+ eventsInfo = append(eventsInfo,
+ event.NewEvent(policyKind, "", pi.Name, event.RequestBlocked, event.FPolicyBlockResourceUpdate, pi.RName, ruleNames))
+
+ glog.V(3).Infof("Request blocked events info prepared for %s/%s and %s/%s\n", policyKind, pi.Name, pi.RKind, pi.RName)
+ }
+ }
+ return eventsInfo
+ }
+
+ // create events on operation CREATE
 if ok {
 for _, pi := range policyInfoList {
 ruleNames := getRuleNames(*pi, true)
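Review bot: The call sites in HandleMutation (first hunk) and HandleValidation (second hunk) reduce the operation to a bool, `(request.Operation == v1beta1.Update)`, so every operation that is not UPDATE falls into the branch commented `// create events on operation CREATE`. That holds only while the webhook is registered for CREATE and UPDATE alone; passing `request.Operation` and switching on it inside newEventInfoFromPolicyInfo would keep a later DELETE or CONNECT registration from being recorded as a blocked creation. The parentheses around the comparison are redundant. Both handlers start and end outside these hunks.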
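Review bot: In the new `onUpdate` branch of newEventInfoFromPolicyInfo the loop emits a pair of `RequestBlocked` events for every entry of `policyInfoList` once any policy fails, with no check that the entry itself has failed rules. If `getRuleNames(*pi, false)` returns only the failed rules, as the `false` argument suggests (its body is not visible here), a policy that passed would get an event with an empty rule list naming it as having blocked the update, which makes the events unreliable as a record of which policy denied a request. Skipping such entries, e.g. `if len(ruleNames) == 0 { continue }` right after `ruleNames` is computed, avoids that. The branch also returns no events when the update succeeds; if that is intended, a comment such as `// successful updates produce no events` would say so. The function continues outside the hunk.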