aggregate rule status

pkg/api/kyverno/v1alpha1/types.go

@@ -129,6 +129,20 @@ type PolicyStatus struct {
 	AvgExecutionTimeValidation string `json:"averageValidationRulesExecutionTime"`
 	// average time required to process the policy Validation rules on a resource
 	AvgExecutionTimeGeneration string `json:"averageGenerationRulesExecutionTime"`
+	// statistics per rule
+	Rules []RuleStats `json:"ruleStatus`
+}
+
+//RuleStats provides status per rule
+type RuleStats struct {
+	// Rule name
+	RuleName string `json:"ruleName"`
+	// average time require to process the rule
+	ExecutionTime string `json:"averageExecutionTime"`
+	// Count of rules that were applied
+	RulesAppliedCount int `json:"rulesAppliedCount"`
+	// Could of rules that failed
+	RulesFailedCount int `json:"rulesFailedCount"`
 }
 
 // PolicyList is a list of Policy resources

pkg/engine/overlay.go

@@ -16,29 +16,29 @@ import (
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
 )
 
-// rawResource handles validating admission request
-// Checks the target resources for rules defined in the policy
-// TODO: pass in the unstructured object in stead of raw byte?
-func processOverlay(rule kyverno.Rule, rawResource []byte) ([][]byte, error) {
-	var resource interface{}
-	if err := json.Unmarshal(rawResource, &resource); err != nil {
-		glog.V(4).Infof("unable to unmarshal resource : %v", err)
-		return nil, err
-	}
+// // rawResource handles validating admission request
+// // Checks the target resources for rules defined in the policy
+// // TODO: pass in the unstructured object in stead of raw byte?
+// func processOverlay(rule kyverno.Rule, rawResource []byte) ([][]byte, error) {
+// 	var resource interface{}
+// 	if err := json.Unmarshal(rawResource, &resource); err != nil {
+// 		glog.V(4).Infof("unable to unmarshal resource : %v", err)
+// 		return nil, err
+// 	}
 
-	resourceInfo := ParseResourceInfoFromObject(rawResource)
-	patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
-	if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
-		// glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
-		glog.Infof("Resource does not meet conditions in overlay pattern, resource=%s, rule=%s\n", resourceInfo, rule.Name)
-		// patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
-		// if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
-		// 	glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
-		// 	return nil, nil
-	}
+// 	resourceInfo := ParseResourceInfoFromObject(rawResource)
+// 	patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
+// 	if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
+// 		// glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
+// 		glog.Infof("Resource does not meet conditions in overlay pattern, resource=%s, rule=%s\n", resourceInfo, rule.Name)
+// 		// patches, err := processOverlayPatches(resource, rule.Mutation.Overlay)
+// 		// if err != nil && strings.Contains(err.Error(), "Conditions are not met") {
+// 		// 	glog.V(4).Infof("overlay pattern %s does not match resource %s/%s", rule.Mutation.Overlay, resourceUnstr.GetNamespace(), resourceUnstr.GetName())
+// 		// 	return nil, nil
+// 	}
 
-	return patches, err
-}
+// 	return patches, err
+// }
 
 // rawResource handles validating admission request
 // Checks the target resources for rules defined in the policy

pkg/namespace/generation.go

@@ -148,6 +148,18 @@ func applyPolicy(client *client.Client, resource unstructured.Unstructured, p ky
 		ps.PolicyName = policyName
 		ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
 		ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
+		// capture rule level stats
+		for _, rule := range policyResponse.Rules {
+			rs := policyctr.RuleStatinfo{}
+			rs.RuleName = rule.Name
+			rs.ExecutionTime = rule.RuleStats.ProcessingTime
+			if rule.Success {
+				rs.RuleAppliedCount++
+			} else {
+				rs.RulesFailedCount++
+			}
+			ps.Stats.Rules = append(ps.Stats.Rules, rs)
+		}
 		policyStats = append(policyStats, ps)
 	}
 	// send stats for aggregation

pkg/policy/apply.go

@@ -29,6 +29,18 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 		ps.PolicyName = policyName
 		ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
 		ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
+		// capture rule level stats
+		for _, rule := range policyResponse.Rules {
+			rs := RuleStatinfo{}
+			rs.RuleName = rule.Name
+			rs.ExecutionTime = rule.RuleStats.ProcessingTime
+			if rule.Success {
+				rs.RuleAppliedCount++
+			} else {
+				rs.RulesFailedCount++
+			}
+			ps.Stats.Rules = append(ps.Stats.Rules, rs)
+		}
 		policyStats = append(policyStats, ps)
 	}
 	// send stats for aggregation

pkg/policy/controller.go

@@ -504,15 +504,18 @@ func (pc *PolicyController) calculateStatus(policyName string, pvList []*kyverno
 	}
 	// get stats
 	stats := pc.statusAggregator.GetPolicyStats(policyName)
-	if stats != (PolicyStatInfo{}) {
+	if !reflect.DeepEqual(stats, (PolicyStatInfo{})) {
 		status.RulesAppliedCount = stats.RulesAppliedCount
 		status.ResourcesBlockedCount = stats.ResourceBlocked
 		status.AvgExecutionTimeMutation = stats.MutationExecutionTime.String()
 		status.AvgExecutionTimeValidation = stats.ValidationExecutionTime.String()
 		status.AvgExecutionTimeGeneration = stats.GenerationExecutionTime.String()
+		// update rule stats
+		status.Rules = convertRules(stats.Rules)
 	}
 	return status
 }
+
 func (pc *PolicyController) getPolicyViolationsForPolicy(p *kyverno.ClusterPolicy) ([]*kyverno.ClusterPolicyViolation, error) {
 	// List all PolicyViolation to find those we own but that no longer match our
 	// selector. They will be orphaned by ClaimPolicyViolation().
@@ -949,3 +952,18 @@ func HasMutateOrValidate(policy kyverno.ClusterPolicy) bool {
 	}
 	return false
 }
+
+// convertRules converts the internal rule stats to one used in policy.stats struct
+func convertRules(rules []RuleStatinfo) []kyverno.RuleStats {
+	var stats []kyverno.RuleStats
+	for _, r := range rules {
+		stat := kyverno.RuleStats{
+			RuleName:          r.RuleName,
+			ExecutionTime:     r.ExecutionTime.String(),
+			RulesAppliedCount: r.RuleAppliedCount,
+			RulesFailedCount:  r.RulesFailedCount,
+		}
+		stats = append(stats, stat)
+	}
+	return stats
+}

pkg/policy/status.go

@@ -73,7 +73,7 @@ func (psa *PolicyStatusAggregator) aggregate(ps PolicyStat) {
 		glog.V(4).Infof("added stats for policy %s", ps.PolicyName)
 		return
 	}
-	// aggregate
+	// aggregate policy information
 	info.RulesAppliedCount = info.RulesAppliedCount + ps.Stats.RulesAppliedCount
 	if ps.Stats.ResourceBlocked == 1 {
 		info.ResourceBlocked++
@@ -97,11 +97,40 @@ func (psa *PolicyStatusAggregator) aggregate(ps PolicyStat) {
 	} else {
 		info.GenerationExecutionTime = ps.Stats.GenerationExecutionTime
 	}
+	// aggregate rule details
+	info.Rules = aggregateRules(info.Rules, ps.Stats.Rules)
 	// update
 	psa.policyData[ps.PolicyName] = info
 	glog.V(4).Infof("updated stats for policy %s", ps.PolicyName)
 }
 
+func aggregateRules(old []RuleStatinfo, update []RuleStatinfo) []RuleStatinfo {
+	var zeroDuration time.Duration
+	searchRule := func(list []RuleStatinfo, key string) *RuleStatinfo {
+		for _, v := range list {
+			if v.RuleName == key {
+				return &v
+			}
+		}
+		return nil
+	}
+	newRules := []RuleStatinfo{}
+	// search for new rules in old rules and update it
+	for _, updateR := range update {
+		if updateR.ExecutionTime != zeroDuration {
+			if rule := searchRule(old, updateR.RuleName); rule != nil {
+				rule.ExecutionTime = (rule.ExecutionTime + updateR.ExecutionTime) / 2
+				rule.RuleAppliedCount = rule.RuleAppliedCount + updateR.RuleAppliedCount
+				rule.RulesFailedCount = rule.RulesFailedCount + updateR.RulesFailedCount
+				newRules = append(newRules, *rule)
+			} else {
+				newRules = append(newRules, updateR)
+			}
+		}
+	}
+	return newRules
+}
+
 //GetPolicyStats returns the policy stats
 func (psa *PolicyStatusAggregator) GetPolicyStats(policyName string) PolicyStatInfo {
 	func() {
@@ -148,6 +177,14 @@ type PolicyStatInfo struct {
 	GenerationExecutionTime time.Duration
 	RulesAppliedCount       int
 	ResourceBlocked         int
+	Rules                   []RuleStatinfo
+}
+
+type RuleStatinfo struct {
+	RuleName         string
+	ExecutionTime    time.Duration
+	RuleAppliedCount int
+	RulesFailedCount int
 }
 
 //SendStat sends the stat information for aggregation

pkg/webhooks/mutation.go

@@ -24,6 +24,18 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) (bool
 		ps.PolicyName = policyName
 		ps.Stats.MutationExecutionTime = policyResponse.ProcessingTime
 		ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
+		// capture rule level stats
+		for _, rule := range policyResponse.Rules {
+			rs := policyctr.RuleStatinfo{}
+			rs.RuleName = rule.Name
+			rs.ExecutionTime = rule.RuleStats.ProcessingTime
+			if rule.Success {
+				rs.RuleAppliedCount++
+			} else {
+				rs.RulesFailedCount++
+			}
+			ps.Stats.Rules = append(ps.Stats.Rules, rs)
+		}
 		policyStats = append(policyStats, ps)
 	}
 	// send stats for aggregation

pkg/webhooks/validation.go

@@ -26,6 +26,18 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pat
 		ps.PolicyName = policyName
 		ps.Stats.ValidationExecutionTime = policyResponse.ProcessingTime
 		ps.Stats.RulesAppliedCount = policyResponse.RulesAppliedCount
+		// capture rule level stats
+		for _, rule := range policyResponse.Rules {
+			rs := policyctr.RuleStatinfo{}
+			rs.RuleName = rule.Name
+			rs.ExecutionTime = rule.RuleStats.ProcessingTime
+			if rule.Success {
+				rs.RuleAppliedCount++
+			} else {
+				rs.RulesFailedCount++
+			}
+			ps.Stats.Rules = append(ps.Stats.Rules, rs)
+		}
 		policyStats = append(policyStats, ps)
 	}
 	// send stats for aggregation