refactor: simplify engine responses (#6804)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-04-06 00:55:42 +02:00 · 2023-04-06 00:55:42 +02:00 · de00c78513
commit de00c78513
parent 04d410d321
8 changed files with 49 additions and 51 deletions
--- a/cmd/cli/kubectl-kyverno/apply/report_test.go
+++ b/cmd/cli/kubectl-kyverno/apply/report_test.go
@ -92,15 +92,18 @@ func Test_buildPolicyReports(t *testing.T) {

 	er := engineapi.EngineResponse{}
 	er.Policy = &policy
-	er.PolicyResponse.Add(engineapi.ExecutionStats{}, *engineapi.RuleFail(
+	er.PolicyResponse.Add(
+		engineapi.ExecutionStats{},
+		*engineapi.RuleFail(
 			"pods-require-account",
 			engineapi.Validation,
-		"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/"),
-	)
-	er.PolicyResponse.Add(engineapi.ExecutionStats{}, *engineapi.RulePass(
+			"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/",
+		),
+		*engineapi.RulePass(
 			"pods-require-limits",
 			engineapi.Validation,
-		"validation rule 'pods-require-limits' passed."),
+			"validation rule 'pods-require-limits' passed.",
+		),
 	)

 	info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true, false)
@ -137,15 +140,17 @@ func Test_buildPolicyResults(t *testing.T) {

 	er := engineapi.EngineResponse{}
 	er.Policy = &policy
-	er.PolicyResponse.Add(engineapi.ExecutionStats{}, *engineapi.RuleFail(
+	er.PolicyResponse.Add(
+		engineapi.ExecutionStats{}, *engineapi.RuleFail(
 			"pods-require-account",
 			engineapi.Validation,
-		"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/"),
-	)
-	er.PolicyResponse.Add(engineapi.ExecutionStats{}, *engineapi.RulePass(
+			"validation error: User pods must include an account for charging. Rule pods-require-account failed at path /metadata/labels/",
+		),
+		*engineapi.RulePass(
 			"pods-require-limits",
 			engineapi.Validation,
-		"validation rule 'pods-require-limits' passed."),
+			"validation rule 'pods-require-limits' passed.",
+		),
 	)

 	info := kyvCommon.ProcessValidateEngineResponse(&policy, &er, "", rc, true, false)
--- a/pkg/controllers/report/utils/events.go
+++ b/pkg/controllers/report/utils/events.go
@ -33,9 +33,9 @@ func generateSuccessEvents(log logr.Logger, ers ...engineapi.EngineResponse) (ev

 func generateExceptionEvents(log logr.Logger, ers ...engineapi.EngineResponse) (eventInfos []event.Info) {
 	for _, er := range ers {
-		for i, ruleResp := range er.PolicyResponse.Rules {
+		for _, ruleResp := range er.PolicyResponse.Rules {
 			if ruleResp.Status() == engineapi.RuleStatusSkip && ruleResp.IsException() {
-				eventInfos = append(eventInfos, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i], event.PolicyController)...)
+				eventInfos = append(eventInfos, event.NewPolicyExceptionEvents(er, ruleResp, event.PolicyController)...)
 			}
 		}
 	}
@ -57,11 +57,11 @@ func generateFailEventsPerEr(log logr.Logger, er engineapi.EngineResponse) []eve
 		"namespace", er.Resource.GetNamespace(),
 		"name", er.Resource.GetName(),
 	)
-	for i, rule := range er.PolicyResponse.Rules {
+	for _, rule := range er.PolicyResponse.Rules {
 		if rule.Status() != engineapi.RuleStatusPass && rule.Status() != engineapi.RuleStatusSkip {
-			eventResource := event.NewResourceViolationEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
+			eventResource := event.NewResourceViolationEvent(event.PolicyController, event.PolicyViolation, er, rule)
 			eventInfos = append(eventInfos, eventResource)
-			eventPolicy := event.NewPolicyFailEvent(event.PolicyController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], false)
+			eventPolicy := event.NewPolicyFailEvent(event.PolicyController, event.PolicyViolation, er, rule, false)
 			eventInfos = append(eventInfos, eventPolicy)
 		}
 	}
--- a/pkg/engine/api/policyresponse.go
+++ b/pkg/engine/api/policyresponse.go
@ -8,7 +8,8 @@ type PolicyResponse struct {
 	Rules []RuleResponse
 }

-func (pr *PolicyResponse) Add(stats ExecutionStats, response RuleResponse) {
+func (pr *PolicyResponse) Add(stats ExecutionStats, responses ...RuleResponse) {
+	for _, response := range responses {
 		pr.Rules = append(pr.Rules, response.WithStats(stats))
 		status := response.Status()
 		if status == RuleStatusPass || status == RuleStatusFail {
@ -16,6 +17,7 @@ func (pr *PolicyResponse) Add(stats ExecutionStats, response RuleResponse) {
 		} else if status == RuleStatusError {
 			pr.Stats.RulesErrorCount++
 		}
+	}
 }

 func NewPolicyResponse() PolicyResponse {
--- a/pkg/engine/image_verify.go
+++ b/pkg/engine/image_verify.go
@ -53,10 +53,7 @@ func (e *engine) verifyAndPatchImages(
 			engineapi.ImageVerify,
 		)
 		matchedResource = resource
-		stats := engineapi.NewExecutionStats(startTime, time.Now())
-		for _, ruleResp := range ruleResp {
-			resp.Add(stats, ruleResp)
-		}
+		resp.Add(engineapi.NewExecutionStats(startTime, time.Now()), ruleResp...)
 		if applyRules == kyvernov1.ApplyOne && resp.Stats.RulesAppliedCount > 0 {
 			break
 		}
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -50,10 +50,7 @@ func (e *engine) mutate(
 			engineapi.Mutation,
 		)
 		matchedResource = resource
-		stats := engineapi.NewExecutionStats(startTime, time.Now())
-		for _, ruleResp := range ruleResp {
-			resp.Add(stats, ruleResp)
-		}
+		resp.Add(engineapi.NewExecutionStats(startTime, time.Now()), ruleResp...)
 		if applyRules == kyvernov1.ApplyOne && resp.Stats.RulesAppliedCount > 0 {
 			break
 		}
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -68,10 +68,7 @@ func (e *engine) validate(
 			engineapi.Validation,
 		)
 		matchedResource = resource
-		stats := engineapi.NewExecutionStats(startTime, time.Now())
-		for _, ruleResp := range ruleResp {
-			resp.Add(stats, ruleResp)
-		}
+		resp.Add(engineapi.NewExecutionStats(startTime, time.Now()), ruleResp...)
 		if applyRules == kyvernov1.ApplyOne && resp.Stats.RulesAppliedCount > 0 {
 			break
 		}
--- a/pkg/event/events.go
+++ b/pkg/event/events.go
@ -9,7 +9,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

-func NewPolicyFailEvent(source Source, reason Reason, engineResponse engineapi.EngineResponse, ruleResp *engineapi.RuleResponse, blocked bool) Info {
+func NewPolicyFailEvent(source Source, reason Reason, engineResponse engineapi.EngineResponse, ruleResp engineapi.RuleResponse, blocked bool) Info {
 	return Info{
 		Kind:      getPolicyKind(engineResponse.Policy),
 		Name:      engineResponse.Policy.GetName(),
@ -20,7 +20,7 @@ func NewPolicyFailEvent(source Source, reason Reason, engineResponse engineapi.E
 	}
 }

-func buildPolicyEventMessage(resp *engineapi.RuleResponse, resource engineapi.ResourceSpec, blocked bool) string {
+func buildPolicyEventMessage(resp engineapi.RuleResponse, resource engineapi.ResourceSpec, blocked bool) string {
 	var b strings.Builder
 	if resource.Namespace != "" {
 		fmt.Fprintf(&b, "%s %s/%s", resource.Kind, resource.Namespace, resource.Name)
@ -68,7 +68,7 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
 	}
 }

-func NewResourceViolationEvent(source Source, reason Reason, engineResponse engineapi.EngineResponse, ruleResp *engineapi.RuleResponse) Info {
+func NewResourceViolationEvent(source Source, reason Reason, engineResponse engineapi.EngineResponse, ruleResp engineapi.RuleResponse) Info {
 	var bldr strings.Builder
 	defer bldr.Reset()

@ -123,7 +123,7 @@ func NewBackgroundSuccessEvent(policy, rule string, source Source, r *unstructur
 	return events
 }

-func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp *engineapi.RuleResponse, source Source) []Info {
+func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp engineapi.RuleResponse, source Source) []Info {
 	exception := ruleResp.Exception()
 	exceptionName, exceptionNamespace := exception.GetName(), exception.GetNamespace()
 	policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", resourceKey(engineResponse.PatchedResource), ruleResp.Name(), exceptionNamespace, exceptionName)
--- a/pkg/webhooks/utils/event.go
+++ b/pkg/webhooks/utils/event.go
@ -20,20 +20,20 @@ func GenerateEvents(engineResponses []engineapi.EngineResponse, blocked bool) []
 			continue
 		}
 		if !er.IsSuccessful() {
-			for i, ruleResp := range er.PolicyResponse.Rules {
+			for _, ruleResp := range er.PolicyResponse.Rules {
 				if ruleResp.Status() == engineapi.RuleStatusFail || ruleResp.Status() == engineapi.RuleStatusError {
-					e := event.NewPolicyFailEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i], blocked)
+					e := event.NewPolicyFailEvent(event.AdmissionController, event.PolicyViolation, er, ruleResp, blocked)
 					events = append(events, e)
 				}
 				if !blocked {
-					e := event.NewResourceViolationEvent(event.AdmissionController, event.PolicyViolation, er, &er.PolicyResponse.Rules[i])
+					e := event.NewResourceViolationEvent(event.AdmissionController, event.PolicyViolation, er, ruleResp)
 					events = append(events, e)
 				}
 			}
 		} else if er.IsSkipped() { // Handle PolicyException Event
-			for i, ruleResp := range er.PolicyResponse.Rules {
+			for _, ruleResp := range er.PolicyResponse.Rules {
 				if ruleResp.Status() == engineapi.RuleStatusSkip && !blocked && ruleResp.IsException() {
-					events = append(events, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i], event.AdmissionController)...)
+					events = append(events, event.NewPolicyExceptionEvents(er, ruleResp, event.AdmissionController)...)
 				}
 			}
 		} else if !er.IsSkipped() {