mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 02:18:15 +00:00
Code Activity

feat: add events for successful generation (#7550)

Browse source 
* feat: add events for successful generation

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* modify generate events messages

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix: modify mutate event messages

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* feat: add kuttl tests

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* fix

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* add kuttl test for skip generation

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

* Add kuttl test for failures

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>

---------

Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com>
This commit is contained in:
Mariam Fahmy 2023-07-10 14:22:28 +03:00 committed by GitHub
parent 119d587f33
commit e20745b01d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
36 changed files with 601 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
pkg/background/generate/generate.go
View file

@ -252,7 +252,21 @@ func (c *GenerateController) applyGenerate(resource unstructured.Unstructured, u
}
// Apply the generate rule on resource
return c.ApplyGeneratePolicy(logger, policyContext, ur, applicableRules)
genResources, err := c.ApplyGeneratePolicy(logger, policyContext, ur, applicableRules)
// generate events.
if err == nil {
for _, res := range genResources {
e := event.NewResourceGenerationEvent(ur.Spec.Policy, ur.Spec.Rule, event.GeneratePolicyController, res)
c.eventGen.Add(e)
}
unstructuredPol := kubeutils.NewUnstructured("kyverno.io/v1", policy.GetKind(), policy.GetNamespace(), policy.GetName())
e := event.NewBackgroundSuccessEvent(ur.Spec.Policy, ur.Spec.Rule, event.GeneratePolicyController, unstructuredPol)
c.eventGen.Add(e...)
}
return genResources, err
}
// getPolicySpec gets the policy spec from the ClusterPolicy/Policy

32
pkg/event/events.go
View file

@ -52,10 +52,18 @@ func NewPolicyAppliedEvent(source Source, engineResponse engineapi.EngineRespons
var bldr strings.Builder
defer bldr.Reset()
var res string
if resource.GetNamespace() != "" {
fmt.Fprintf(&bldr, "%s %s/%s: pass", resource.GetKind(), resource.GetNamespace(), resource.GetName())
res = fmt.Sprintf("%s %s/%s", resource.GetKind(), resource.GetNamespace(), resource.GetName())
} else {
fmt.Fprintf(&bldr, "%s %s: pass", resource.GetKind(), resource.GetName())
res = fmt.Sprintf("%s %s", resource.GetKind(), resource.GetName())
}
hasValidate := engineResponse.Policy().GetSpec().HasValidate()
if hasValidate {
fmt.Fprintf(&bldr, "%s: pass", res)
} else {
fmt.Fprintf(&bldr, "%s is successfully mutated", res)
}
return Info{
@ -86,6 +94,19 @@ func NewResourceViolationEvent(source Source, reason Reason, engineResponse engi
}
}
func NewResourceGenerationEvent(policy, rule string, source Source, resource kyvernov1.ResourceSpec) Info {
msg := fmt.Sprintf("Created %s %s as a result of applying policy %s/%s", resource.GetKind(), resource.GetName(), policy, rule)
return Info{
Kind: resource.GetKind(),
Namespace: resource.GetNamespace(),
Name: resource.GetName(),
Source: source,
Reason: PolicyApplied,
Message: msg,
}
}
func NewBackgroundFailedEvent(err error, policy, rule string, source Source, r *unstructured.Unstructured) []Info {
if r == nil {
return nil
@ -110,7 +131,12 @@ func NewBackgroundSuccessEvent(policy, rule string, source Source, r *unstructur
}
var events []Info
msg := fmt.Sprintf("policy %s/%s applied", policy, rule)
msg := "resource generated"
if source == MutateExistingController {
msg = "resource mutated"
}
events = append(events, Info{
Kind: r.GetKind(),
Namespace: r.GetNamespace(),

6
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

4
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/02-resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml

5
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/03-sleep.yaml Normal file
View file

@ -0,0 +1,5 @@
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: sleep 3

5
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/04-event.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
assert:
- policy-event.yaml
- resource-event.yaml

14
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/README.md Normal file
View file

@ -0,0 +1,14 @@
## Description
This test creates a generate policy, and the trigger resource (namespace).
Two events are generated:
1. An event for the policy to indicate that a new resource is generated.
2. An event for the generated resource itself.
## Steps
1. - Create a generate policy
- Assert the policy becomes ready
2. Create the namespace.
3. - An event is created for the policy with message "resource generated"
- An event is created for the generated resource.

10
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: zk-kafka-address
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

13
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy-event.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Event
metadata:
namespace: default
involvedObject:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: zk-kafka-address
type: Normal
message: resource generated
reason: PolicyApplied
source:
component: kyverno-generate

35
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/policy.yaml Normal file
View file

@ -0,0 +1,35 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: zk-kafka-address
spec:
rules:
- name: k-kafka-address
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
synchronize: true
apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
# generate the resource in the new namespace
namespace: "{{request.object.metadata.name}}"
data:
kind: ConfigMap
metadata:
labels:
somekey: somevalue
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"

13
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource-event.yaml Normal file
View file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Event
metadata:
namespace: test-ns
involvedObject:
apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
namespace: test-ns
type: Normal
reason: PolicyApplied
source:
component: kyverno-generate

4
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-generation/resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: test-ns

6
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

4
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/02-resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml

4
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/03-event.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
assert:
- event-assert.yaml

11
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This test creates a mutate policy which adds labels to the newly created config maps.
An event is generated upon successful generation.
## Steps
1. - Create a mutate policy
- Assert the policy becomes ready
2. Create a configmap.
3. An event is created with a message indicating that the config map is successfully mutated.

12
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/event-assert.yaml Normal file
View file

@ -0,0 +1,12 @@
apiVersion: v1
kind: Event
metadata:
namespace: default
involvedObject:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: add-labels
type: Normal
reason: PolicyApplied
source:
component: kyverno-admission

10
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-labels
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

17
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/policy.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-labels
spec:
rules:
- name: add-foo
match:
any:
- resources:
kinds:
- ConfigMap
mutate:
patchStrategicMerge:
metadata:
labels:
foo: bar

6
test/conformance/kuttl/events/clusterpolicy/generate-events-upon-successful-mutation/resource.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: game-demo
data:
key: "some value"

234
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/01-crd.yaml Normal file
View file

@ -0,0 +1,234 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
creationTimestamp: null
name: roles.iam.aws.crossplane.io
spec:
group: iam.aws.crossplane.io
names:
categories:
- crossplane
- managed
- aws
kind: Role
listKind: RoleList
plural: roles
shortNames:
- iamrole
singular: role
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .status.conditions[?(@.type=='Ready')].status
name: READY
type: string
- jsonPath: .status.conditions[?(@.type=='Synced')].status
name: SYNCED
type: string
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
name: v1beta1
schema:
openAPIV3Schema:
description: An Role is a managed resource that represents an AWS IAM Role.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: An RoleSpec defines the desired state of an Role.
properties:
deletionPolicy:
default: Delete
description: DeletionPolicy specifies what will happen to the underlying
external when this managed resource is deleted - either "Delete"
or "Orphan" the external resource.
enum:
- Orphan
- Delete
type: string
forProvider:
description: RoleParameters define the desired state of an AWS IAM
Role.
properties:
assumeRolePolicyDocument:
description: AssumeRolePolicyDocument is the the trust relationship
policy document that grants an entity permission to assume the
role.
type: string
description:
description: Description is a description of the role.
type: string
maxSessionDuration:
description: 'MaxSessionDuration is the duration (in seconds)
that you want to set for the specified role. The default maximum
of one hour is applied. This setting can have a value from 1
hour to 12 hours. Default: 3600'
format: int32
type: integer
path:
description: 'Path is the path to the role. Default: /'
type: string
permissionsBoundary:
description: PermissionsBoundary is the ARN of the policy that
is used to set the permissions boundary for the role.
type: string
tags:
description: Tags. For more information about tagging, see Tagging
IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)
in the IAM User Guide.
items:
description: Tag represents user-provided metadata that can
be associated with a IAM role. For more information about
tagging, see Tagging IAM Identities (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html)
in the IAM User Guide.
properties:
key:
description: The key name that can be used to look up or
retrieve the associated value. For example, Department
or Cost Center are common choices.
type: string
value:
description: "The value associated with this tag. For example,
tags with a key name of Department could have values such
as Human Resources, Accounting, and Support. Tags with
a key name of Cost Center might have values that consist
of the number associated with the different cost centers
in your company. Typically, many resources have tags with
the same key name but with different values. \n AWS always
interprets the tag Value as a single string. If you need
to store an array, you can store comma-separated values
in the string. However, you must interpret the value in
your code."
type: string
required:
- key
type: object
type: array
required:
- assumeRolePolicyDocument
type: object
providerConfigRef:
default:
name: default
description: ProviderConfigReference specifies how the provider that
will be used to create, observe, update, and delete this managed
resource should be configured.
properties:
name:
description: Name of the referenced object.
type: string
required:
- name
type: object
providerRef:
description: 'ProviderReference specifies the provider that will be
used to create, observe, update, and delete this managed resource.
Deprecated: Please use ProviderConfigReference, i.e. `providerConfigRef`'
properties:
name:
description: Name of the referenced object.
type: string
required:
- name
type: object
writeConnectionSecretToRef:
description: WriteConnectionSecretToReference specifies the namespace
and name of a Secret to which any connection details for this managed
resource should be written. Connection details frequently include
the endpoint, username, and password required to connect to the
managed resource.
properties:
name:
description: Name of the secret.
type: string
namespace:
description: Namespace of the secret.
type: string
required:
- name
- namespace
type: object
required:
- forProvider
type: object
status:
description: An RoleStatus represents the observed state of an Role.
properties:
atProvider:
description: RoleExternalStatus keeps the state for the external resource
properties:
arn:
description: ARN is the Amazon Resource Name (ARN) specifying
the role. For more information about ARNs and how to use them
in policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
in the IAM User Guide guide.
type: string
roleID:
description: RoleID is the stable and unique string identifying
the role. For more information about IDs, see IAM Identifiers
(http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html)
in the Using IAM guide.
type: string
required:
- arn
- roleID
type: object
conditions:
description: Conditions of the resource.
items:
description: A Condition that may apply to a resource.
properties:
lastTransitionTime:
description: LastTransitionTime is the last time this condition
transitioned from one status to another.
format: date-time
type: string
message:
description: A Message containing details about this condition's
last transition from one status to another, if any.
type: string
reason:
description: A Reason for this condition's last transition from
one status to another.
type: string
status:
description: Status of this condition; is it currently True,
False, or Unknown?
type: string
type:
description: Type of this condition. At most one of each condition
type may apply to a resource at any point in time.
type: string
required:
- lastTransitionTime
- reason
- status
- type
type: object
type: array
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions:
- v1beta1

6
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/02-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

4
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/03-resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml

5
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/04-event.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
error:
- event.yaml

10
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/event.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Event
metadata:
namespace: default
involvedObject:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: rbac-policy
source:
component: kyverno-generate

10
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: rbac-policy
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

26
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/policy.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: rbac-policy
spec:
rules:
- name: rbac-rule
generate:
apiVersion: iam.aws.crossplane.io/v1beta1
data:
rules:
- verbs:
- "*"
apiGroups:
- "*"
resources:
- "*"
kind: Role
name: superuser
namespace: "{{request.object.metadata.name}}"
synchronize: true
match:
any:
- resources:
kinds:
- Namespace

4
test/conformance/kuttl/events/clusterpolicy/no-events-upon-fail-generation/resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: ns-2

6
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

4
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/02-resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- resource.yaml

4
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/03-event.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
error:
- event.yaml

11
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This test creates a generate policy, and the trigger resource (namespace) `ns-1` which is excluded by the policy.
No events generated since the `ns-1`
## Steps
1. - Create a generate policy
- Assert the policy becomes ready
2. Create the namespace.
3. No events generated as the rule result is `skip`

10
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/event.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v1
kind: Event
metadata:
namespace: default
involvedObject:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: default
source:
component: kyverno-generate

10
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy-assert.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: default
spec: {}
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

30
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/policy.yaml Normal file
View file

@ -0,0 +1,30 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: default
spec:
rules:
- name: deny-all-traffic
match:
any:
- resources:
kinds:
- Namespace
exclude:
any:
- resources:
namespaces:
- test-ns
- ns-1
generate:
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
name: deny-all-traffic
namespace: "{{request.object.metadata.name}}"
data:
spec:
# select all pods in the namespace
podSelector: {}
policyTypes:
- Ingress
- Egress

4
test/conformance/kuttl/events/clusterpolicy/no-events-upon-skip-generation/resource.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: ns-1