
tested policy report

This commit is contained in:
evalsocket 2020-09-16 06:56:38 -07:00
parent 6089f5651c
commit d6b0af986e
16 changed files with 897 additions and 522 deletions


@ -335,7 +335,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -349,47 +349,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -432,6 +397,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -452,8 +481,9 @@ spec:
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
description: Scope is an optional reference to the policy report scope.
For example. the report may be for all resources in a namespace, a for
a node, or cluster-wide.
properties:
apiVersion:
description: API version of the referent.
@ -532,14 +562,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error
@ -1019,7 +1059,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -1033,47 +1073,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -1116,6 +1121,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -1216,14 +1285,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error
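Review bot: Replacing the single `resource` object with a `resources` array in PolicyReportResult is a breaking schema change for any PolicyReport objects already stored with `resource`; depending on the CRD's pruning/preserveUnknownFields setting those objects are either rejected on their next update or silently lose the field, and this hunk carries no conversion or API version bump. The item schema being embedded is corev1.ObjectReference, whose own description (reproduced in the hunk) says new uses are discouraged; a narrow local reference type carrying only apiVersion, kind, namespace, name and uid would keep the report schema precise and stop the API server from accepting fieldPath/resourceVersion values the controller never honors. If this manifest is generated from the Go API types, the fix belongs in the types with the manifest regenerated rather than hand-edited. The new Scope description also carries a typo, `For example. the report may be for all resources in a namespace, a for a node, or cluster-wide.`, which should read `For example, the report may be for all resources in a namespace, for a node, or cluster-wide.`. The same hunks are repeated in the three later CRD sections on this page, so whatever is decided here applies to all of them.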


@ -383,6 +383,11 @@ func main() {
// max deadline: deadline*3 (set the deployment annotation as false)
server.RunAsync(stopCh)
// Create a sync Job for policy report
jobController.Add(jobs.JobInfo{
JobType: "POLICYSYNC",
JobData: "",
})
<-stopCh
// by default http.Server waits indefinitely for connections to return to idle and then shuts down
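Review bot: The job type in the added jobController.Add call is a bare string literal, `JobType: "POLICYSYNC"`, which the job consumer presumably matches on elsewhere; a typo on either side turns the startup sync into a silent no-op, so it should be a named constant exported by the jobs package (e.g. `JobType: jobs.JobTypePolicySync`, name constructed, use whatever the package exports). The result of Add is also discarded; if it can return an error or reject an enqueue before the controller is running, that should be logged, since a missed initial sync leaves policy reports stale until the next trigger. main() continues outside the hunk, so I cannot see whether jobController has been started before this point; worth confirming the ordering relative to server.RunAsync on the line above.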


@ -64,7 +64,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -78,47 +78,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -161,6 +126,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -181,8 +210,9 @@ spec:
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
description: Scope is an optional reference to the policy report scope.
For example. the report may be for all resources in a namespace, a for
a node, or cluster-wide.
properties:
apiVersion:
description: API version of the referent.
@ -261,14 +291,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error


@ -63,7 +63,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -77,47 +77,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -160,6 +125,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -260,14 +289,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error


@ -340,7 +340,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -354,47 +354,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -437,6 +402,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -457,8 +486,9 @@ spec:
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
description: Scope is an optional reference to the policy report scope.
For example. the report may be for all resources in a namespace, a for
a node, or cluster-wide.
properties:
apiVersion:
description: API version of the referent.
@ -537,14 +567,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error
@ -1024,7 +1064,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -1038,47 +1078,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -1121,6 +1126,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -1221,14 +1290,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error
@ -1699,7 +1778,7 @@ metadata:
---
apiVersion: v1
data:
Helm: ""
App: ""
kind: ConfigMap
metadata:
name: kyverno-event
@ -1790,6 +1869,7 @@ apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: policyreport-background-scan
namespace: kyverno
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 4


@ -340,7 +340,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -354,47 +354,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -437,6 +402,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -457,8 +486,9 @@ spec:
type: object
type: array
scope:
description: Scope is an optional reference to the report scope (e.g. a
Deployment, Namespace, or Node)
description: Scope is an optional reference to the policy report scope.
For example. the report may be for all resources in a namespace, a for
a node, or cluster-wide.
properties:
apiVersion:
description: API version of the referent.
@ -537,14 +567,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error
@ -1024,7 +1064,7 @@ spec:
description: PolicyReportResult provides result details
items:
description: PolicyReportResult provides the result for an individual
policy or rule
policy
properties:
data:
additionalProperties:
@ -1038,47 +1078,12 @@ spec:
policy:
description: Policy is the name of the policy
type: string
resource:
description: Resource is an optional reference to the resource check
bu the policy rule
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
resourceSelector:
description: ResourceSelector is an optional selector for multiple
resources (e.g. Pods). Either one of, or none of, but not both of,
Resource or ResourceSelector should be specified.
description: ResourceSelector is an optional selector for policy results
that apply to multiple resources. For example, a policy result may
apply to all pods that match a label. Either a Resource or a ResourceSelector
can be specified. If neither are provided, the result is assumed
to be for the policy report scope.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
@ -1121,6 +1126,70 @@ spec:
are ANDed.
type: object
type: object
resources:
description: Resources is an optional reference to the resource checked
by the policy and rule
items:
description: 'ObjectReference contains enough information to let
you inspect or modify the referred object. --- New uses of this
type are discouraged because of difficulty describing its usage
when embedded in APIs. 1. Ignored fields. It includes many fields
which are not generally honored. For instance, ResourceVersion
and FieldPath are both very rarely valid in actual usage. 2.
Invalid usage help. It is impossible to add specific help for
individual usage. In most embedded usages, there are particular restrictions
like, "must refer only to types A and B" or "UID not honored"
or "name must be restricted". Those cannot be well described
when embedded. 3. Inconsistent validation. Because the usages
are different, the validation rules are different by usage, which
makes it hard for users to predict what will happen. 4. The fields
are both imprecise and overly precise. Kind is not a precise
mapping to a URL. This can produce ambiguity during interpretation
and require a REST mapping. In most cases, the dependency is
on the group,resource tuple and the version of the actual
struct is irrelevant. 5. We cannot easily change it. Because
this type is embedded in many locations, updates to this type will
affect numerous schemas. Don''t make new APIs embed an underspecified
API type they do not control. Instead of using this type, create
a locally provided and used type that is well-focused on your
reference. For example, ServiceReferences for admission registration:
https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
.'
properties:
apiVersion:
description: API version of the referent.
type: string
fieldPath:
description: 'If referring to a piece of an object instead of
an entire object, this string should contain a valid JSON/Go
field access statement, such as desiredState.manifest.containers[2].
For example, if the object reference is to a container within
a pod, this would take on a value like: "spec.containers{name}"
(where "name" refers to the name of the container that triggered
the event) or if no container name is specified "spec.containers[2]"
(container with index 2 in this pod). This syntax is chosen
only to have some well-defined way of referencing a part of
an object. TODO: this design is not final and this field is
subject to change in the future.'
type: string
kind:
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
resourceVersion:
description: 'Specific resourceVersion to which this reference
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
type: string
uid:
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
type: string
type: object
type: array
rule:
description: Rule is the name of the policy rule
type: string
@ -1221,14 +1290,24 @@ spec:
description: PolicyReportSummary provides a summary of results
properties:
error:
description: Error provides the count of policies that could not be
evaluated
type: integer
fail:
description: Fail provides the count of policies whose requirements
were not met
type: integer
pass:
description: Pass provides the count of policies whose requirements
were met
type: integer
skip:
description: Skip indicates the count of policies that were not selected
for evaluation
type: integer
warn:
description: Warn provides the count of unscored policies whose requirements
were not met
type: integer
required:
- error
@ -1699,7 +1778,7 @@ metadata:
---
apiVersion: v1
data:
Helm: ""
App: ""
kind: ConfigMap
metadata:
name: kyverno-event
@ -1723,6 +1802,7 @@ apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: policyreport-background-scan
namespace: kyverno
spec:
concurrencyPolicy: Forbid
failedJobsHistoryLimit: 4
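Review bot: The new `resourceSelector` description in the PolicyReportResult schema says "Either a Resource or a ResourceSelector can be specified", but the same series of hunks removes the singular `resource` property and adds a `resources` array, so the sentence now names a field that no longer exists; the `resources` description ("an optional reference to the resource checked") has the same singular/plural mismatch. If these descriptions are generated from the policy-report Go types, the fix belongs on those doc comments, e.g. `Either Resources or a ResourceSelector can be specified. If neither is provided, the result is assumed to be for the policy report scope.` The identical text recurs in the second CRD of this file and in the preceding file of the commit, so one source fix should regenerate all four copies. The embedded `ObjectReference` description itself says new uses of that type are discouraged; a small locally defined reference type would avoid pulling `fieldPath`/`resourceVersion` into a report schema, though that is an upstream-schema decision.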


@ -9,7 +9,7 @@ metadata:
---
apiVersion: v1
data:
Helm: ''
App: ''
kind: ConfigMap
metadata:
name: kyverno-event


@ -2,6 +2,7 @@ apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: policyreport-background-scan
namespace: kyverno
spec:
schedule: "*/6 * * * *"
concurrencyPolicy : Forbid


@ -10,6 +10,20 @@ const (
GenerateControllerResync = 15 * time.Minute
GenerateRequestControllerResync = 15 * time.Minute
PolicyReportPolicyChangeResync = 120 * time.Second
PolicyReportResourceChangeResync = 120 * time.Second
PolicyReportPolicyChangeResync = 60 * time.Second
PolicyReportResourceChangeResync = 60 * time.Second
)
const (
App string = "App"
Namespace string = "Namespace"
Cluster string = "Cluster"
All string = "All"
)
const (
ConfiigmapMode string = "CONFIGMAP"
BackgroundPolicySync string = "POLICYSYNC"
BackgroundSync string = "SYNC"
)
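Review bot: `ConfiigmapMode` in the new `const` block is misspelled (doubled `i`), and job.go in this same commit already references it; because the identifier is exported, fixing it later means a cross-package rename, so `ConfigmapMode string = "CONFIGMAP"` is cheapest now. Neither new block has a doc comment; I would add `// Scopes a policy report can be generated for.` above the first and `// Job types dispatched by the policy-report background scan.` above the second. Halving `PolicyReportPolicyChangeResync` and `PolicyReportResourceChangeResync` from 120s to 60s carries no rationale, and a one-line why-comment would save the next reader from guessing whether this was a tuning choice or a test leftover. The first `const (` opens before the hunk.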


@ -195,62 +195,70 @@ func (j *Job) syncHandler(info JobInfo) error {
}()
j.mux.Lock()
var wg sync.WaitGroup
if info.JobType == "POLICYSYNC" {
if info.JobType == constant.BackgroundPolicySync {
wg.Add(1)
go j.syncKyverno(&wg, "All", "SYNC", info.JobData)
}else if info.JobType == "CONFIGMAP" {
go j.syncKyverno(&wg, constant.All, constant.BackgroundPolicySync, info.JobData)
}else if info.JobType == constant.ConfiigmapMode {
if info.JobData != "" {
str := strings.Split(info.JobData, ",")
wg.Add(len(str))
for _, scope := range str {
go j.syncKyverno(&wg, scope, "CONFIGMAP", "")
if len(str) > 1 {
wg.Add(1)
go j.syncKyverno(&wg, constant.All, constant.ConfiigmapMode, "")
}else{
wg.Add(len(str))
for _, scope := range str {
go j.syncKyverno(&wg, scope, constant.ConfiigmapMode, "")
}
}
}
}
return nil
}
func (j *Job) syncKyverno(wg *sync.WaitGroup, jobType, scope, data string) {
func (j *Job) syncKyverno(wg *sync.WaitGroup, scope, jobType, data string) {
var args []string
var mode string
if scope == "SYNC" || scope == "POLICYSYNC" {
if jobType == constant.BackgroundPolicySync || jobType == constant.BackgroundSync {
mode = "cli"
switch scope {
case constant.App:
args = []string{
"report",
"app",
fmt.Sprintf("--mode=%s", mode),
}
break
case constant.Namespace:
args = []string{
"report",
"namespace",
fmt.Sprintf("--mode=%s", mode),
}
break
case constant.Cluster:
args = []string{
"report",
"cluster",
fmt.Sprintf("--mode=%s", mode),
}
break
case constant.All:
args = []string{
"report",
"all",
fmt.Sprintf("--mode=%s", mode),
}
break
}
} else {
mode = "configmap"
}
switch jobType {
case "Helm":
args = []string{
"report",
"helm",
fmt.Sprintf("--mode=%s", mode),
}
break
case "Namespace":
args = []string{
"report",
"namespace",
fmt.Sprintf("--mode=%s", mode),
}
break
case "Cluster":
args = []string{
"report",
"cluster",
fmt.Sprintf("--mode=%s", mode),
}
break
case "All":
args = []string{
"report",
"all",
fmt.Sprintf("--mode=%s", mode),
fmt.Sprintf("--mode=%s", "configmap"),
}
break
}
if scope == "POLICYSYNC" && data != "" {
if jobType == constant.BackgroundPolicySync && data != "" {
args = append(args, fmt.Sprintf("-p=%s", data))
}
resourceList, err := j.dclient.ListResource("", "Job", config.KubePolicyNamespace, &metav1.LabelSelector{
@ -307,7 +315,7 @@ func (j *Job) CreateJob(args []string, jobType, scope string, wg *sync.WaitGroup
j.log.Error(err, "Error in converting job Default Unstructured Converter", "job_name", job.GetName())
return
}
deadline := time.Now().Add(150 * time.Second)
deadline := time.Now().Add(100 * time.Second)
for {
time.Sleep(20 * time.Second)
resource, err := j.dclient.GetResource("", "Job", config.KubePolicyNamespace, job.GetName())
@ -323,7 +331,7 @@ func (j *Job) CreateJob(args []string, jobType, scope string, wg *sync.WaitGroup
j.log.Error(err, "Error in converting job Default Unstructured Converter", "job_name", job.GetName())
continue
}
if time.Now().After(deadline) {
if job.Status.Succeeded > 0 && time.Now().After(deadline) {
if err := j.dclient.DeleteResource("", "Job", config.KubePolicyNamespace, job.GetName(), false); err != nil {
j.log.Error(err, "Error in deleting jobs", "job_name", job.GetName())
continue
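Review bot: In the rewritten configmap branch of `syncKyverno` (the `else` after the `constant.BackgroundPolicySync || constant.BackgroundSync` check) `args` is always `report all --mode=configmap`, so the `scope` parameter is ignored there, yet `syncHandler` still issues one `go j.syncKyverno(&wg, scope, constant.ConfiigmapMode, "")` per entry when the configmap data holds a single scope — that call appears to generate the full report instead of the requested scope. Either switch on `scope` in that branch the way the cli branch does, or pass `constant.All` unconditionally and drop the per-scope loop; `var mode string` is now only assigned in the cli branch and could become the literal in the `--mode=%s` calls. In `CreateJob` the cleanup condition became `job.Status.Succeeded > 0 && time.Now().After(deadline)`, so a Job that ends in failure is apparently never deleted by this loop (its exit path is outside the hunk); consider also deleting on `job.Status.Failed > 0`, or setting `ttlSecondsAfterFinished` on the Job spec so the API server reclaims finished Jobs regardless of this poller. `syncHandler`'s body, including the `defer` that presumably releases `j.mux`, begins before the hunk.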


@ -3,6 +3,7 @@ package report
import (
"fmt"
"github.com/nirmata/kyverno/pkg/common"
"github.com/nirmata/kyverno/pkg/constant"
"github.com/nirmata/kyverno/pkg/utils"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -15,7 +16,7 @@ import (
func AllReportsCommand() *cobra.Command {
kubernetesConfig := genericclioptions.NewConfigFlags(true)
var mode,namespace, policy string
var mode, namespace, policy string
cmd := &cobra.Command{
Use: "all",
Short: "generate report for all scope",
@ -38,7 +39,7 @@ func AllReportsCommand() *cobra.Command {
if mode == "cli" {
if namespace != "" {
wg.Add(1)
go backgroundScan(namespace, All, policy, &wg, restConfig, logger)
go backgroundScan(namespace, constant.All, policy, &wg, restConfig, logger)
} else {
ns, err := kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{})
if err != nil {
@ -46,12 +47,12 @@ func AllReportsCommand() *cobra.Command {
}
wg.Add(len(ns.Items))
for _, n := range ns.Items {
go backgroundScan(n.GetName(), All, policy, &wg, restConfig, logger)
go backgroundScan(n.GetName(), constant.All, policy, &wg, restConfig, logger)
}
}
}else{
} else {
wg.Add(1)
go configmapScan(All, &wg, restConfig, logger)
go configmapScan(constant.All, &wg, restConfig, logger)
}
wg.Wait()
os.Exit(0)


@ -2,6 +2,7 @@ package report
import (
"fmt"
"github.com/nirmata/kyverno/pkg/constant"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"os"
"sync"
@ -18,7 +19,7 @@ func AppCommand() *cobra.Command {
kubernetesConfig := genericclioptions.NewConfigFlags(true)
var mode, policy, namespace string
cmd := &cobra.Command{
Use: "helm",
Use: "app",
Short: "generate report for scope app",
Example: fmt.Sprintf("To create a helm report from background scan:\nkyverno report helm --namespace=defaults \n kyverno report helm"),
RunE: func(cmd *cobra.Command, args []string) (err error) {
@ -40,7 +41,7 @@ func AppCommand() *cobra.Command {
if mode == "cli" {
if namespace != "" {
wg.Add(1)
go backgroundScan(namespace, App, policy, &wg, restConfig, logger)
go backgroundScan(namespace, constant.App, policy, &wg, restConfig, logger)
} else {
ns, err := kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{})
if err != nil {
@ -49,12 +50,12 @@ func AppCommand() *cobra.Command {
}
wg.Add(len(ns.Items))
for _, n := range ns.Items {
go backgroundScan(n.GetName(), App, policy, &wg, restConfig, logger)
go backgroundScan(n.GetName(), constant.App, policy, &wg, restConfig, logger)
}
}
} else {
wg.Add(1)
go configmapScan(App, &wg, restConfig, logger)
go configmapScan(constant.App, &wg, restConfig, logger)
}
wg.Wait()
os.Exit(0)
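Review bot: The `Example` on the line after the renamed `Use: "app"` still tells users to run `kyverno report helm`, so the help text now documents a subcommand that no longer exists. Update it to `Example: "To create an app report from background scan:\nkyverno report app --namespace=defaults \n kyverno report app",`; the argument-less `fmt.Sprintf` wrapper around a constant string can be dropped at the same time.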


@ -3,6 +3,7 @@ package report
import (
"fmt"
"github.com/nirmata/kyverno/pkg/common"
"github.com/nirmata/kyverno/pkg/constant"
"github.com/spf13/cobra"
"k8s.io/cli-runtime/pkg/genericclioptions"
"os"
@ -28,11 +29,11 @@ func ClusterCommand() *cobra.Command {
var wg sync.WaitGroup
wg.Add(1)
if mode == "cli" {
go backgroundScan("", Cluster, policy, &wg, restConfig, logger)
go backgroundScan("", constant.Cluster, policy, &wg, restConfig, logger)
wg.Wait()
os.Exit(0)
}
go configmapScan(Cluster, &wg, restConfig, logger)
go configmapScan(constant.Cluster, &wg, restConfig, logger)
wg.Wait()
os.Exit(0)
return nil


@ -4,12 +4,12 @@ import (
"encoding/json"
"fmt"
"github.com/go-logr/logr"
kyvernov1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
policyreportv1alpha1 "github.com/nirmata/kyverno/pkg/api/policyreport/v1alpha1"
kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions"
"github.com/nirmata/kyverno/pkg/config"
"github.com/nirmata/kyverno/pkg/constant"
client "github.com/nirmata/kyverno/pkg/dclient"
"github.com/nirmata/kyverno/pkg/engine"
"github.com/nirmata/kyverno/pkg/engine/context"
@ -21,7 +21,6 @@ import (
v1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/tools/cache"
"os"
@ -37,13 +36,6 @@ import (
log "sigs.k8s.io/controller-runtime/pkg/log"
)
const (
App string = "App"
Namespace string = "Namespace"
Cluster string = "Cluster"
All string = "All"
)
func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfig *rest.Config, logger logr.Logger) {
lgr := logger.WithValues("namespace", n, "scope", scope, "policychange", policychange)
defer func() {
@ -149,9 +141,6 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi
}
// key uid
resourceMap := map[string]map[string]unstructured.Unstructured{}
resourceMap[Cluster] = make(map[string]unstructured.Unstructured)
resourceMap[App] = make(map[string]unstructured.Unstructured)
resourceMap[Namespace] = make(map[string]unstructured.Unstructured)
for _, p := range cpolicies {
for _, rule := range p.Spec.Rules {
for _, k := range rule.MatchResources.Kinds {
@ -162,8 +151,12 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi
}
if !resourceSchema.Namespaced {
rMap := policy.GetResourcesPerNamespace(k, dClient, "", rule, configData, log.Log)
policy.MergeResources(resourceMap[Cluster], rMap)
} else if resourceSchema.Namespaced {
if len(resourceMap[constant.Cluster]) == 0 {
resourceMap[constant.Cluster] = make(map[string]unstructured.Unstructured)
}
policy.MergeResources(resourceMap[constant.Cluster], rMap)
}
if resourceSchema.Namespaced {
namespaces := policy.GetNamespacesForRule(&rule, np.Lister(), log.Log)
for _, ns := range namespaces {
if ns == n {
@ -173,9 +166,15 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi
_, okChart := labels["app"]
_, okRelease := labels["release"]
if okChart && okRelease {
policy.MergeResources(resourceMap[App], rMap)
} else if r.GetNamespace() != "" {
policy.MergeResources(resourceMap[Namespace], rMap)
if len(resourceMap[constant.App]) == 0 {
resourceMap[constant.App] = make(map[string]unstructured.Unstructured)
}
policy.MergeResources(resourceMap[constant.App], rMap)
} else {
if len(resourceMap[constant.Namespace]) == 0 {
resourceMap[constant.Namespace] = make(map[string]unstructured.Unstructured)
}
policy.MergeResources(resourceMap[constant.Namespace], rMap)
}
}
}
@ -187,27 +186,28 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi
if p.HasAutoGenAnnotation() {
switch scope {
case Cluster:
resourceMap[Cluster] = policy.ExcludePod(resourceMap[Cluster], log.Log)
delete(resourceMap,Namespace)
delete(resourceMap,App)
case constant.Cluster:
resourceMap[constant.Cluster] = policy.ExcludePod(resourceMap[constant.Cluster], log.Log)
delete(resourceMap, constant.Namespace)
delete(resourceMap, constant.App)
break
case Namespace:
resourceMap[Namespace] = policy.ExcludePod(resourceMap[Namespace], log.Log)
delete(resourceMap,Cluster)
delete(resourceMap,App)
case constant.Namespace:
resourceMap[constant.Namespace] = policy.ExcludePod(resourceMap[constant.Namespace], log.Log)
delete(resourceMap, constant.Cluster)
delete(resourceMap, constant.App)
break
case App:
resourceMap[App] = policy.ExcludePod(resourceMap[App], log.Log)
delete(resourceMap,Namespace)
delete(resourceMap,Cluster)
case constant.App:
resourceMap[constant.App] = policy.ExcludePod(resourceMap[constant.App], log.Log)
delete(resourceMap, constant.Namespace)
delete(resourceMap, constant.Cluster)
break
case All:
resourceMap[Cluster] = policy.ExcludePod(resourceMap[Cluster], log.Log)
resourceMap[Namespace] = policy.ExcludePod(resourceMap[Namespace], log.Log)
resourceMap[App] = policy.ExcludePod(resourceMap[App], log.Log)
case constant.All:
resourceMap[constant.Cluster] = policy.ExcludePod(resourceMap[constant.Cluster], log.Log)
resourceMap[constant.Namespace] = policy.ExcludePod(resourceMap[constant.Namespace], log.Log)
resourceMap[constant.App] = policy.ExcludePod(resourceMap[constant.App], log.Log)
}
}
results := make(map[string][]policyreportv1alpha1.PolicyReportResult)
for key, _ := range resourceMap {
for _, resource := range resourceMap[key] {
@ -220,11 +220,12 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi
results = createResults(policyContext, key, results)
}
}
for k, _ := range results {
if k == "" {
continue
}
err := createReport(kclient, k, n, results[k], lgr)
err := createReport(kclient, k, results[k], removePolicy, lgr)
if err != nil {
continue
}
@ -232,31 +233,36 @@ func backgroundScan(n, scope, policychange string, wg *sync.WaitGroup, restConfi
}
}
func createReport(kclient *kyvernoclient.Clientset, name, namespace string, results []policyreportv1alpha1.PolicyReportResult, lgr logr.Logger) error {
str := strings.Split(name, "-")
var scope string
if len(str) == 1 {
scope = Cluster
} else if strings.Contains(name, "policyreport-helm-") {
scope = App
} else {
scope = Cluster
func createReport(kclient *kyvernoclient.Clientset, name string, results []policyreportv1alpha1.PolicyReportResult,removePolicy []string, lgr logr.Logger) error {
var scope, ns string
if strings.Contains(name, "clusterpolicyreport") {
scope = constant.Cluster
} else if strings.Contains(name, "policyreport-app-") {
scope = constant.App
ns = strings.ReplaceAll(name, "policyreport-app-", "")
str := strings.Split(ns, "--")
ns = str[1]
} else if strings.Contains(name, "policyreport-ns-") {
scope = constant.Namespace
ns = strings.ReplaceAll(name, "policyreport-ns-", "")
}
if len(str) > 1 {
availablepr, err := kclient.PolicyV1alpha1().PolicyReports(namespace).Get(name, metav1.GetOptions{})
if scope == constant.App || scope == constant.Namespace {
availablepr, err := kclient.PolicyV1alpha1().PolicyReports(ns).Get(name, metav1.GetOptions{})
if err != nil {
if apierrors.IsNotFound(err) {
availablepr = initPolicyReport(scope, namespace, name)
availablepr = initPolicyReport(scope, ns, name)
} else {
return err
}
}
availablepr, action := mergeReport(availablepr, results, []string{})
availablepr, action := mergeReport(availablepr, results, removePolicy)
if action == "Create" {
availablepr.SetLabels(map[string]string{
"policy-state": "state",
})
_, err := kclient.PolicyV1alpha1().PolicyReports(availablepr.GetNamespace()).Create(availablepr)
if err != nil {
lgr.Error(err, "Error in Create policy report", "appreport", name)
@ -282,7 +288,7 @@ func createReport(kclient *kyvernoclient.Clientset, name, namespace string, resu
if action == "Create" {
_, err := kclient.PolicyV1alpha1().ClusterPolicyReports().Create(availablepr)
if err != nil {
lgr.Error(err, "Error in Create policy report", "appreport", name)
lgr.Error(err, "Error in Create policy report", "appreport", availablepr)
return err
}
} else {
@ -314,36 +320,37 @@ func createResults(policyContext engine.PolicyContext, key string, results map[s
for _, v := range pv {
var appname string
if key == App {
labels := policyContext.NewResource.GetLabels()
_, okChart := labels["app"]
_, okRelease := labels["release"]
labels := policyContext.NewResource.GetLabels()
_, okChart := labels["app"]
_, okRelease := labels["release"]
if key == constant.App {
if okChart && okRelease {
appname = fmt.Sprintf("policyreport-helm-%s-%s", labels["app"], policyContext.NewResource.GetNamespace())
appname = fmt.Sprintf("policyreport-app-%s--%s", labels["app"], policyContext.NewResource.GetNamespace())
}
} else if key == Namespace {
appname = fmt.Sprintf("policyreport-%s", policyContext.NewResource.GetNamespace())
} else if key == constant.Namespace {
appname = fmt.Sprintf("policyreport-ns-%s", policyContext.NewResource.GetNamespace())
} else {
appname = fmt.Sprintf("clusterpolicyreport")
}
if appname != "" {
builder := policyreport.NewPrBuilder()
pv := builder.Generate(v)
builder := policyreport.NewPrBuilder()
pv := builder.Generate(v)
for _, e := range pv.Spec.ViolatedRules {
result := &policyreportv1alpha1.PolicyReportResult{
Policy: pv.Spec.Policy,
Rule: e.Name,
Message: e.Message,
Status: policyreportv1alpha1.PolicyStatus(e.Check),
Resource: &corev1.ObjectReference{
Kind: pv.Spec.Kind,
Namespace: pv.Spec.Namespace,
APIVersion: pv.Spec.APIVersion,
Name: pv.Spec.Name,
},
for _, e := range pv.Spec.ViolatedRules {
result := &policyreportv1alpha1.PolicyReportResult{
Policy: pv.Spec.Policy,
Rule: e.Name,
Message: e.Message,
Status: policyreportv1alpha1.PolicyStatus(e.Check),
Resource: &corev1.ObjectReference{
Kind: pv.Spec.Kind,
Namespace: pv.Spec.Namespace,
APIVersion: pv.Spec.APIVersion,
Name: pv.Spec.Name,
},
}
results[appname] = append(results[appname], *result)
}
results[appname] = append(results[appname], *result)
}
}
return results
@ -376,57 +383,71 @@ func configmapScan(scope string, wg *sync.WaitGroup, restConfig *rest.Config, lo
lgr.Error(err, "Error in converting resource to Default Unstructured Converter")
os.Exit(1)
}
var response map[string][]policyreport.Info
if scope == Cluster {
if err := json.Unmarshal([]byte(job.Data[Cluster]), &response); err != nil {
response := make(map[string]map[string][]policyreport.Info)
var temp = map[string][]policyreport.Info{}
if scope == constant.Cluster {
if err := json.Unmarshal([]byte(job.Data[constant.Cluster]), &temp); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
} else if scope == App {
if err := json.Unmarshal([]byte(job.Data[App]), &response); err != nil {
response[constant.Cluster] = temp
delete(job.Data, constant.Namespace)
delete(job.Data, constant.App)
} else if scope == constant.App {
if err := json.Unmarshal([]byte(job.Data[constant.App]), &temp); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
} else if scope == Namespace {
if err := json.Unmarshal([]byte(job.Data[Namespace]), &response); err != nil {
response[constant.App] = temp
delete(job.Data, constant.Cluster)
delete(job.Data, constant.Namespace)
} else if scope == constant.Namespace {
if err := json.Unmarshal([]byte(job.Data[constant.Namespace]), &temp); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
response[constant.Namespace] = temp
delete(job.Data, constant.Cluster)
delete(job.Data, constant.App)
} else {
if err := json.Unmarshal([]byte(job.Data[Cluster]), &response); err != nil {
if err := json.Unmarshal([]byte(job.Data[constant.Cluster]), &temp); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
if err := json.Unmarshal([]byte(job.Data[App]), &response); err != nil {
response[constant.Cluster] = temp
temp = make(map[string][]policyreport.Info)
if err := json.Unmarshal([]byte(job.Data[constant.App]), &temp); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
if err := json.Unmarshal([]byte(job.Data[Namespace]), &response); err != nil {
response[constant.App] = temp
temp = make(map[string][]policyreport.Info)
if err := json.Unmarshal([]byte(job.Data[constant.Namespace]), &temp); err != nil {
lgr.Error(err, "Error in json marshal of namespace data")
}
response[constant.Namespace] = temp
temp = make(map[string][]policyreport.Info)
}
var results = make(map[string][]policyreportv1alpha1.PolicyReportResult)
var ns []string
for k := range response {
for _, v := range response[k] {
for _, r := range v.Rules {
builder := policyreport.NewPrBuilder()
pv := builder.Generate(v)
result := &policyreportv1alpha1.PolicyReportResult{
Policy: pv.Spec.Policy,
Rule: r.Name,
Message: r.Message,
Status: policyreportv1alpha1.PolicyStatus(r.Check),
Resource: &corev1.ObjectReference{
Kind: pv.Spec.Kind,
Namespace: pv.Spec.Namespace,
APIVersion: pv.Spec.APIVersion,
Name: pv.Spec.Name,
},
}
if !strings.Contains(strings.Join(ns, ","), v.Resource.GetNamespace()) {
ns = append(ns, v.Resource.GetNamespace())
}
var appname string
// Increase Count
if k == Cluster {
appname = fmt.Sprintf("clusterpolicyreport")
} else if k == App {
for n, infos := range response[k] {
for _, v := range infos {
for _, r := range v.Rules {
builder := policyreport.NewPrBuilder()
pv := builder.Generate(v)
result := &policyreportv1alpha1.PolicyReportResult{
Policy: pv.Spec.Policy,
Rule: r.Name,
Message: r.Message,
Status: policyreportv1alpha1.PolicyStatus(r.Check),
Resource: &corev1.ObjectReference{
Kind: pv.Spec.Kind,
Namespace: n,
APIVersion: pv.Spec.APIVersion,
Name: pv.Spec.Name,
},
}
if !strings.Contains(strings.Join(ns, ","), v.Resource.GetNamespace()) {
ns = append(ns, n)
}
var appname string
resource, err := dClient.GetResource(v.Resource.GetAPIVersion(), v.Resource.GetKind(), v.Resource.GetNamespace(), v.Resource.GetName())
if err != nil {
lgr.Error(err, "failed to get resource")
@ -435,23 +456,30 @@ func configmapScan(scope string, wg *sync.WaitGroup, restConfig *rest.Config, lo
labels := resource.GetLabels()
_, okChart := labels["app"]
_, okRelease := labels["release"]
if okChart && okRelease {
appname = fmt.Sprintf("policyreport-helm-%s-%s", labels["app"], v.Resource.GetNamespace())
// Increase Count
if k == constant.Cluster {
appname = fmt.Sprintf("clusterpolicyreport")
} else if k == constant.App {
if okChart && okRelease {
appname = fmt.Sprintf("policyreport-app-%s--%s", labels["app"], v.Resource.GetNamespace())
}
} else {
if !okChart && !okRelease {
appname = fmt.Sprintf("policyreport-ns-%s", v.Resource.GetNamespace())
}
}
} else {
appname = fmt.Sprintf("policyreport-%s", v.Resource.GetNamespace())
results[appname] = append(results[appname], *result)
}
results[appname] = append(results[appname], *result)
}
}
}
for k := range results {
if k != "" {
if k == "" {
continue
}
err := createReport(kclient, k, "", results[k], lgr)
err := createReport(kclient, k, results[k],[]string{}, lgr)
if err != nil {
continue
}
@ -476,6 +504,9 @@ func mergeReport(pr *policyreportv1alpha1.PolicyReport, results []policyreportv1
if r.Policy == v.Policy && r.Rule == v.Rule && r.Resource.APIVersion == v.Resource.APIVersion && r.Resource.Kind == v.Resource.Kind && r.Resource.Namespace == v.Resource.Namespace && r.Resource.Name == v.Resource.Name {
v = &r
isExist = true
if string(r.Status) != string(v.Status) {
pr = changeCount(string(r.Status), string(v.Status), pr)
}
break
}
}
@ -656,10 +687,5 @@ func initClusterPolicyReport(scope, name string) *policyreportv1alpha1.ClusterPo
}
availablepr.SetName(name)
availablepr.SetLabels(labelMap)
availablepr.SetGroupVersionKind(schema.GroupVersionKind{
Kind: "PolicyReport",
Version: "v1alpha1",
Group: "policy.kubernetes.io",
})
return availablepr
}
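Review bot: In mergeReport the new check `if string(r.Status) != string(v.Status)` is placed after `v = &r`, so both sides read the same struct and `changeCount` can never execute; the added lines are dead. Move the comparison above the assignment, `if r.Status != v.Status { pr = changeCount(string(r.Status), string(v.Status), pr) }` and only then `v = &r`; which of r or v is the "old" status depends on changeCount's parameter order, which is outside this hunk, as are mergeReport's signature and loop header. Separately, in createReport `ns = str[1]` indexes the split result without checking it has two parts and splits on the first `--` rather than the last, so an `app` label value containing `--` (valid in Kubernetes) yields the wrong namespace and a name without `--` panics the scan; `strings.LastIndex(ns, "--")` with a `< 0` guard is safer.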


@ -3,6 +3,7 @@ package report
import (
"fmt"
"github.com/nirmata/kyverno/pkg/common"
"github.com/nirmata/kyverno/pkg/constant"
"github.com/nirmata/kyverno/pkg/utils"
"github.com/spf13/cobra"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -40,7 +41,7 @@ func NamespaceCommand() *cobra.Command {
if mode == "cli" {
if namespace != "" {
wg.Add(1)
go backgroundScan(namespace, Namespace, policy, &wg, restConfig, logger)
go backgroundScan(namespace, constant.Namespace, policy, &wg, restConfig, logger)
} else {
ns, err := kubeClient.CoreV1().Namespaces().List(metav1.ListOptions{})
if err != nil {
@ -48,12 +49,12 @@ func NamespaceCommand() *cobra.Command {
}
wg.Add(len(ns.Items))
for _, n := range ns.Items {
go backgroundScan(n.GetName(), Namespace, policy, &wg, restConfig, logger)
go backgroundScan(n.GetName(), constant.Namespace, policy, &wg, restConfig, logger)
}
}
} else {
wg.Add(1)
go configmapScan( Namespace, &wg, restConfig, logger)
go configmapScan(constant.Namespace, &wg, restConfig, logger)
}
wg.Wait()
os.Exit(0)


@ -14,7 +14,6 @@ import (
"github.com/go-logr/logr"
kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
report "github.com/nirmata/kyverno/pkg/kyverno/report"
policyreportclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
policyreportv1alpha1 "github.com/nirmata/kyverno/pkg/client/clientset/versioned/typed/policyreport/v1alpha1"
policyreportinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions/policyreport/v1alpha1"
@ -188,16 +187,16 @@ func (gen *Generator) Run(workers int, stopCh <-chan struct{}) {
err := gen.createConfigmap()
scops := []string{}
if len(gen.inMemoryConfigMap.Namespace) > 0 {
scops = append(scops, report.Namespace)
scops = append(scops, constant.Namespace)
}
if len(gen.inMemoryConfigMap.App) > 0 {
scops = append(scops, report.App)
scops = append(scops, constant.App)
}
if len(gen.inMemoryConfigMap.Cluster["cluster"]) > 0 {
scops = append(scops, report.Cluster)
scops = append(scops, constant.Cluster)
}
gen.job.Add(jobs.JobInfo{
JobType: "CONFIGMAP",
JobType: constant.ConfiigmapMode,
JobData: strings.Join(scops, ","),
})
if err != nil {
@ -299,11 +298,11 @@ func (gen *Generator) createConfigmap() error {
return err
}
rawData, _ := json.Marshal(gen.inMemoryConfigMap.App)
cm.Data[report.App] = string(rawData)
cm.Data[constant.App] = string(rawData)
rawData, _ = json.Marshal(gen.inMemoryConfigMap.Cluster)
cm.Data[report.Cluster] = string(rawData)
cm.Data[constant.Cluster] = string(rawData)
rawData, _ = json.Marshal(gen.inMemoryConfigMap.Namespace)
cm.Data[report.Namespace] = string(rawData)
cm.Data[constant.Namespace] = string(rawData)
_, err = gen.dclient.UpdateResource("", "ConfigMap", config.KubePolicyNamespace, cm, false)
if err != nil {
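Review bot: `JobType: constant.ConfiigmapMode` looks like a misspelled identifier ("Confiig"); if that is really the name in pkg/constant it is worth renaming to `ConfigmapMode` before more call sites copy the typo. The literal "CONFIGMAP" it replaces is presumably what job consumers compare against, so the constant's value should be checked to match; I cannot confirm that from this hunk. The body of Run continues past the end of the hunk.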