mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

527 added accurate violation Count

Browse source
This commit is contained in:
shravan 2020-02-23 23:24:18 +05:30
parent ac37ec66f0
commit d758a4ad45
3 changed files with 88 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
cmd/kyverno/main.go
View file

@ -200,7 +200,12 @@ func main() {
glog.Fatalf("Failed registering Admission Webhooks: %v\n", err) glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)
} }
statusSync := policy.NewStatusSync(pclient, stopCh, policyMetaStore) statusSync := policy.NewStatusSync(
pclient,
stopCh,
policyMetaStore,
pInformer.Kyverno().V1().ClusterPolicyViolations().Lister(),
pInformer.Kyverno().V1().PolicyViolations().Lister())
// WEBHOOOK // WEBHOOOK
// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration // - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration

8
pkg/api/kyverno/v1/types.go
View file

@ -231,8 +231,10 @@ type CloneFrom struct {
type PolicyStatus struct { type PolicyStatus struct {
// average time required to process the policy rules on a resource // average time required to process the policy rules on a resource
AvgExecutionTime string `json:"averageExecutionTime"` AvgExecutionTime string `json:"averageExecutionTime"`
// Count of rules that failed // number of violations related to the policy
ViolationCount int `json:"violationCount,omitempty"` ViolationCount int `json:"violationCount,omitempty"`
// Count of rules that failed
RulesFailedCount int `json:"rulesFailedCount,omitempty"`
// Count of rules that were applied // Count of rules that were applied
RulesAppliedCount int `json:"rulesAppliedCount,omitempty"` RulesAppliedCount int `json:"rulesAppliedCount,omitempty"`
// Count of resources that were blocked for failing a validate, across all rules // Count of resources that were blocked for failing a validate, across all rules
@ -249,8 +251,10 @@ type RuleStats struct {
Name string `json:"ruleName"` Name string `json:"ruleName"`
// average time require to process the rule // average time require to process the rule
ExecutionTime string `json:"averageExecutionTime,omitempty"` ExecutionTime string `json:"averageExecutionTime,omitempty"`
// Count of rules that failed // number of violations related to this rule
ViolationCount int `json:"violationCount,omitempty"` ViolationCount int `json:"violationCount,omitempty"`
// Count of rules that failed
FailedCount int `json:"failedCount,omitempty"`
// Count of rules that were applied // Count of rules that were applied
AppliedCount int `json:"appliedCount,omitempty"` AppliedCount int `json:"appliedCount,omitempty"`
// Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules // Count of resources for whom update/create api requests were blocked as the resource did not satisfy the policy rules

86
pkg/policy/status.go
View file

@ -6,6 +6,8 @@ import (
"sync" "sync"
"time" "time"
v12 "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
"github.com/nirmata/kyverno/pkg/policystore" "github.com/nirmata/kyverno/pkg/policystore"
"github.com/nirmata/kyverno/pkg/engine/response" "github.com/nirmata/kyverno/pkg/engine/response"
@ -27,9 +29,17 @@ type StatSync struct {
stop <-chan struct{} stop <-chan struct{}
client *versioned.Clientset client *versioned.Clientset
policyStore *policystore.PolicyStore policyStore *policystore.PolicyStore
cpvLister v12.ClusterPolicyViolationLister
pvLister v12.PolicyViolationLister
} }
func NewStatusSync(client *versioned.Clientset, stopCh <-chan struct{}, pMetaStore *policystore.PolicyStore) *StatSync { func NewStatusSync(
client *versioned.Clientset,
stopCh <-chan struct{},
pMetaStore *policystore.PolicyStore,
cpvLister v12.ClusterPolicyViolationLister,
pvLister v12.PolicyViolationLister,
) *StatSync {
return &StatSync{ return &StatSync{
cache: &statusCache{ cache: &statusCache{
mu: sync.RWMutex{}, mu: sync.RWMutex{},
@ -38,6 +48,8 @@ func NewStatusSync(client *versioned.Clientset, stopCh <-chan struct{}, pMetaSto
stop: stopCh, stop: stopCh,
client: client, client: client,
policyStore: pMetaStore, policyStore: pMetaStore,
cpvLister: cpvLister,
pvLister: pvLister,
} }
} }
@ -57,6 +69,10 @@ func (s *StatSync) updateStats() {
s.cache.mu.Unlock() s.cache.mu.Unlock()
for policyName, status := range nameToStatus { for policyName, status := range nameToStatus {
cpvList, _ := s.getClusterPolicyViolationForPolicy(policyName)
pvList, _ := s.getNamespacedPolicyViolationForPolicy(policyName)
updateStatusWithViolationCount(&status, cpvList, pvList)
var policy = &v1.ClusterPolicy{} var policy = &v1.ClusterPolicy{}
policy, err := s.policyStore.Get(policyName) policy, err := s.policyStore.Get(policyName)
if err != nil { if err != nil {
@ -90,7 +106,7 @@ func (s *StatSync) UpdateStatusWithMutateStats(response response.EngineResponse)
ruleStat := nameToRule[rule.Name] ruleStat := nameToRule[rule.Name]
ruleStat.Name = rule.Name ruleStat.Name = rule.Name
averageOver := int64(ruleStat.AppliedCount + ruleStat.ViolationCount) averageOver := int64(ruleStat.AppliedCount + ruleStat.FailedCount)
ruleStat.ExecutionTime = updateAverageTime( ruleStat.ExecutionTime = updateAverageTime(
rule.ProcessingTime, rule.ProcessingTime,
ruleStat.ExecutionTime, ruleStat.ExecutionTime,
@ -102,8 +118,8 @@ func (s *StatSync) UpdateStatusWithMutateStats(response response.EngineResponse)
ruleStat.AppliedCount++ ruleStat.AppliedCount++
ruleStat.ResourcesMutatedCount++ ruleStat.ResourcesMutatedCount++
} else { } else {
policyStatus.ViolationCount++ policyStatus.RulesFailedCount++
ruleStat.ViolationCount++ ruleStat.FailedCount++
} }
nameToRule[rule.Name] = ruleStat nameToRule[rule.Name] = ruleStat
@ -150,7 +166,7 @@ func (s *StatSync) UpdateStatusWithValidateStats(response response.EngineRespons
ruleStat := nameToRule[rule.Name] ruleStat := nameToRule[rule.Name]
ruleStat.Name = rule.Name ruleStat.Name = rule.Name
averageOver := int64(ruleStat.AppliedCount + ruleStat.ViolationCount) averageOver := int64(ruleStat.AppliedCount + ruleStat.FailedCount)
ruleStat.ExecutionTime = updateAverageTime( ruleStat.ExecutionTime = updateAverageTime(
rule.ProcessingTime, rule.ProcessingTime,
ruleStat.ExecutionTime, ruleStat.ExecutionTime,
@ -160,8 +176,8 @@ func (s *StatSync) UpdateStatusWithValidateStats(response response.EngineRespons
policyStatus.RulesAppliedCount++ policyStatus.RulesAppliedCount++
ruleStat.AppliedCount++ ruleStat.AppliedCount++
} else { } else {
policyStatus.ViolationCount++ policyStatus.RulesFailedCount++
ruleStat.ViolationCount++ ruleStat.FailedCount++
if response.PolicyResponse.ValidationFailureAction == "enforce" { if response.PolicyResponse.ValidationFailureAction == "enforce" {
policyStatus.ResourcesBlockedCount++ policyStatus.ResourcesBlockedCount++
ruleStat.ResourcesBlockedCount++ ruleStat.ResourcesBlockedCount++
@ -212,7 +228,7 @@ func (s *StatSync) UpdateStatusWithGenerateStats(response response.EngineRespons
ruleStat := nameToRule[rule.Name] ruleStat := nameToRule[rule.Name]
ruleStat.Name = rule.Name ruleStat.Name = rule.Name
averageOver := int64(ruleStat.AppliedCount + ruleStat.ViolationCount) averageOver := int64(ruleStat.AppliedCount + ruleStat.FailedCount)
ruleStat.ExecutionTime = updateAverageTime( ruleStat.ExecutionTime = updateAverageTime(
rule.ProcessingTime, rule.ProcessingTime,
ruleStat.ExecutionTime, ruleStat.ExecutionTime,
@ -222,8 +238,8 @@ func (s *StatSync) UpdateStatusWithGenerateStats(response response.EngineRespons
policyStatus.RulesAppliedCount++ policyStatus.RulesAppliedCount++
ruleStat.AppliedCount++ ruleStat.AppliedCount++
} else { } else {
policyStatus.ViolationCount++ policyStatus.RulesFailedCount++
ruleStat.ViolationCount++ ruleStat.FailedCount++
} }
nameToRule[rule.Name] = ruleStat nameToRule[rule.Name] = ruleStat
@ -260,3 +276,53 @@ func updateAverageTime(newTime time.Duration, oldAverageTimeString string, avera
newAverageTimeInNanoSeconds := numerator / denominator newAverageTimeInNanoSeconds := numerator / denominator
return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
} }
func (s *StatSync) getClusterPolicyViolationForPolicy(policy string) ([]*v1.ClusterPolicyViolation, error) {
policySelector, err := buildPolicyLabel(policy)
if err != nil {
return nil, err
}
// Get List of cluster policy violation
cpvList, err := s.cpvLister.List(policySelector)
if err != nil {
return nil, err
}
return cpvList, nil
}
func (s *StatSync) getNamespacedPolicyViolationForPolicy(policy string) ([]*v1.PolicyViolation, error) {
policySelector, err := buildPolicyLabel(policy)
if err != nil {
return nil, err
}
// Get List of cluster policy violation
nspvList, err := s.pvLister.List(policySelector)
if err != nil {
return nil, err
}
return nspvList, nil
}
func updateStatusWithViolationCount(status *v1.PolicyStatus, cpvList []*v1.ClusterPolicyViolation, pvList []*v1.PolicyViolation) {
status.ViolationCount = len(cpvList) + len(pvList)
var ruleNameToNumberOfViolations = make(map[string]int)
for _, cpv := range cpvList {
for _, violatedRule := range cpv.Spec.ViolatedRules {
ruleNameToNumberOfViolations[violatedRule.Name]++
}
}
for _, pv := range pvList {
for _, violatedRule := range pv.Spec.ViolatedRules {
ruleNameToNumberOfViolations[violatedRule.Name]++
}
}
for i, rule := range status.Rules {
status.Rules[i].ViolationCount = ruleNameToNumberOfViolations[rule.Name]
}
}