From d5491746e715259ea235bcbb0d756c39c9815feb Mon Sep 17 00:00:00 2001 From: Khaled Emara Date: Thu, 28 Dec 2023 09:16:55 +0200 Subject: [PATCH] fix(cli): handle excluded resources as pass (#9274) * fix(cli): handle excluded resources as pass Signed-off-by: Khaled Emara * test: add cli test for exclude Signed-off-by: Khaled Emara --------- Signed-off-by: Khaled Emara --- .../kubectl-kyverno/commands/test/output.go | 19 +++++++ cmd/cli/kubectl-kyverno/output/color/color.go | 4 ++ test/cli/test/exclude/kyverno-test.yaml | 16 ++++++ test/cli/test/exclude/policy.yaml | 50 +++++++++++++++++++ test/cli/test/exclude/resources.yaml | 22 ++++++++ 5 files changed, 111 insertions(+) create mode 100644 test/cli/test/exclude/kyverno-test.yaml create mode 100644 test/cli/test/exclude/policy.yaml create mode 100644 test/cli/test/exclude/resources.yaml
diff --git a/cmd/cli/kubectl-kyverno/commands/test/output.go b/cmd/cli/kubectl-kyverno/commands/test/output.go
index 40b41d381f..a885112725 100644
--- a/cmd/cli/kubectl-kyverno/commands/test/output.go
+++ b/cmd/cli/kubectl-kyverno/commands/test/output.go
@@ -74,6 +74,25 @@ func printTestResult(
 testCount++
 rows = append(rows, row)
 }
+
+ // if there are no RuleResponse, the resource has been excluded. This is a pass.
+ if len(rows) == 0 {
+ row := table.Row{
+ RowCompact: table.RowCompact{
+ ID: testCount,
+ Policy: color.Policy("", test.Policy),
+ Rule: color.Rule(test.Rule),
+ Resource: color.Resource(test.Kind, test.Namespace, resource),
+ Result: color.ResultPass(),
+ Reason: color.Excluded(),
+ IsFailure: false,
+ },
+ Message: color.Excluded(),
+ }
+ rc.Skip++
+ testCount++
+ rows = append(rows, row)
+ }
 }
 // if not found
 if len(rows) == 0 {
diff --git a/cmd/cli/kubectl-kyverno/output/color/color.go b/cmd/cli/kubectl-kyverno/output/color/color.go
index 8ad5d05fa1..ff0db5d564 100644
--- a/cmd/cli/kubectl-kyverno/output/color/color.go
+++ b/cmd/cli/kubectl-kyverno/output/color/color.go
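Review bot: The row built for an excluded resource sets `Result: color.ResultPass()` while the same branch does `rc.Skip++` and the new fixture in test/cli/test/exclude/kyverno-test.yaml expects `result: skip`, so the table cell, the summary counter and the test expectation disagree about whether the resource passed or was skipped. Printing "pass" for a resource the policy never evaluated also hides coverage gaps from whoever audits the summary; if the color package has a skip-style result (only `ResultPass()` is visible here) use it, and in any case replace the comment `// if there are no RuleResponse, the resource has been excluded. This is a pass.` with `// no RuleResponse: the resource was excluded by the policy and is reported as skipped, not as a pass`. The `len(rows) == 0` guard also appears to sit inside the loop that accumulates rows across all of a test's resources (the `// if not found` check after the closing brace reads the same slice), so when a test lists several resources only an excluded resource that comes before any evaluated one would get a row — worth checking against the two-resource fixture. printTestResult begins and continues outside the hunk.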
@@ -52,6 +52,10 @@ func Resource(kind, namespace, name string) string {
 return color.BoldFgCyan.Sprint(namespace) + "/" + color.BoldFgCyan.Sprint(kind) + "/" + color.BoldFgCyan.Sprint(name)
 }
 
+func Excluded() string {
+ return color.BoldYellow.Sprint("Excluded")
+}
+
 func NotFound() string {
 return color.BoldYellow.Sprint("Not found")
 }
diff --git a/test/cli/test/exclude/kyverno-test.yaml b/test/cli/test/exclude/kyverno-test.yaml
new file mode 100644
index 0000000000..5c26a16b31
--- /dev/null
+++ b/test/cli/test/exclude/kyverno-test.yaml
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+ policy: require-requests-limits
+ resources:
+ - require-requests-limits-skip
+ - ceph-csi/require-requests-limits-failed
+ result: skip
+ rule: validate-resources
diff --git a/test/cli/test/exclude/policy.yaml b/test/cli/test/exclude/policy.yaml
new file mode 100644
index 0000000000..24e041062a
--- /dev/null
+++ b/test/cli/test/exclude/policy.yaml
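Review bot: `Excluded` is a new exported function with no doc comment; add `// Excluded returns the bold-yellow "Excluded" marker printed in test results for a resource the policy did not evaluate.` above it. It also uses `color.BoldYellow`, the same colour as `NotFound` directly below, so an excluded resource and a missing one are told apart only by the word itself — fine if intended, but worth stating in the comment so nobody later "fixes" one without the other.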
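Review bot: The expected `result: skip` for `ceph-csi/require-requests-limits-failed` relies on the `ceph-csi` namespace exclusion in policy.yaml, which the `-failed` suffix does not convey; a `# excluded by namespace (see policy.yaml), not a validation failure` comment above that entry would keep the fixture readable. Likewise `require-requests-limits-skip` is skipped because of its `require-requests-limits.kyverno.io/exclude: "true"` label, which a matching `# excluded by label selector` comment could state, so a reader does not assume both resources satisfy the validate pattern.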
@@ -0,0 +1,50 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-requests-limits
+ annotations:
+ policies.kyverno.io/title: Require Limits and Requests
+ policies.kyverno.io/category: Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ As application workloads share cluster resources, it is important to limit resources
+ requested and consumed by each Pod. It is recommended to require resource requests and
+ limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
+ defaults will automatically be applied to each Pod based on the LimitRange configuration.
+ This policy validates that all containers have something specified for memory and CPU
+ requests and memory limits.
+spec:
+ background: true
+ validationFailureAction: enforce
+ rules:
+ - name: validate-resources
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - ceph-csi
+ - resources:
+ kinds:
+ - Pod
+ selector:
+ matchLabels:
+ require-requests-limits.kyverno.io/exclude: "true"
+ validate:
+ message: "CPU and memory resource requests and limits are required."
+ pattern:
+ spec:
+ containers:
+ - resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
+ cpu: "?*"
diff --git a/test/cli/test/exclude/resources.yaml b/test/cli/test/exclude/resources.yaml
new file mode 100644
index 0000000000..ab61ac8868
--- /dev/null
+++ b/test/cli/test/exclude/resources.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ require-requests-limits.kyverno.io/exclude: "true"
+ name: require-requests-limits-skip
+ namespace: test
+spec:
+ containers:
+ - name: test
+ image: nginx
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: require-requests-limits-failed
+ namespace: ceph-csi
+spec:
+ containers:
+ - name: test
+ image: nginx