add events for generation

2025-04-08 18:15:48 +00:00 · 2019-07-08 16:53:34 -07:00 · 2019-07-08 16:53:34 -07:00 · e820a80c5b
commit e820a80c5b
parent db28e0fb63
10 changed files with 67 additions and 22 deletions
--- a/4
+++ b/4
@ -15,9 +15,9 @@ MAIN ?=$(PACKAGE)
 LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"

 # default docker hub
-REGISTRY=index.docker.io
+REGISTRY=registry-v2.nirmata.io
 REPO=$(REGISTRY)/nirmata/kyverno
-IMAGE_TAG=$(GIT_VERSION)
+IMAGE_TAG=testImage

 GOOS ?= $(shell go env GOOS)
 OUTPUT=$(shell pwd)/_output/cli/$(BIN)
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -177,7 +177,7 @@ spec:
      serviceAccountName: kyverno-service-account
      containers:
        - name: kyverno
-          image: nirmata/kyverno:latest
+          image: registry-v2.nirmata.io/nirmata/kyverno:testImage
          args: ["--filterKind","Nodes,Events,APIService,SubjectAccessReview"]
          ports:
          - containerPort: 443
--- a/pkg/event/controller.go
+++ b/pkg/event/controller.go
@ -135,17 +135,18 @@ func (c *controller) SyncHandler(key Info) error {
 		//TODO: policy is clustered resource so wont need namespace
 		robj, err = c.policyLister.Get(key.Name)
 		if err != nil {
-			glog.Errorf("unable to create event for policy %s, will retry ", key.Name)
+			glog.Errorf("Error creating event: unable to get policy %s, will retry ", key.Name)
 			return err
 		}
 	default:
 		resource := c.client.DiscoveryClient.GetGVRFromKind(key.Kind).Resource
 		robj, err = c.client.GetResource(resource, key.Namespace, key.Name)
 		if err != nil {
-			glog.Errorf("unable to create event for resource %s, will retry ", key.Namespace+"/"+key.Name)
+			glog.Errorf("Error creating event: unable to get resource %s, %s, will retry ", resource, key.Namespace+"/"+key.Name)
 			return err
 		}
 	}
+
 	if key.Reason == PolicyApplied.String() {
 		c.recorder.Event(robj, v1.EventTypeNormal, key.Reason, key.Message)
 	} else {
--- a/pkg/event/msgbuilder.go
+++ b/pkg/event/msgbuilder.go
@ -24,7 +24,7 @@ func (k MsgKey) String() string {
 		"Failed to satisfy policy on resource '%s'.The following rule(s) '%s' failed to apply. Created Policy Violation",
 		"Failed to process rule '%s' of policy '%s'. Created Policy Violation",
 		"Policy applied successfully on the resource '%s'",
-		"Rule(s) '%s' of Policy '%s' applied successful",
+		"Rule(s) '%s' of Policy '%s' applied successfully",
 		"Resource %s creation blocked by rule(s) %s",
 		"Rule(s) '%s' of policy '%s' blocked update of the resource",
 		"Resource %s update blocked by rule(s) %s",
--- a/pkg/gencontroller/controller.go
+++ b/pkg/gencontroller/controller.go
@ -26,6 +26,7 @@ type Controller struct {
 	namespaceLister v1CoreLister.NamespaceLister
 	namespaceSynced cache.InformerSynced
 	policyLister    policyLister.PolicyLister
+	eventController event.Generator
 	workqueue       workqueue.RateLimitingInterface
 }

@ -42,6 +43,7 @@ func NewGenController(client *client.Client,
 		namespaceLister: namespaceInformer.Lister(),
 		namespaceSynced: namespaceInformer.Informer().HasSynced,
 		policyLister:    policyInformer.GetLister(),
+		eventController: eventController,
 		workqueue:       workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), wqNamespace),
 	}
 	namespaceInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
@ -148,7 +150,6 @@ func (c *Controller) syncHandler(obj interface{}) error {
 		}
 	}

-	glog.Info("apply generation policy to resources :)")
 	//TODO: need to find a way to store the policy such that we can directly queury the
 	// policies with generation policies
 	// PolicyListerExpansion
--- a/pkg/gencontroller/generation.go
+++ b/pkg/gencontroller/generation.go
@ -4,6 +4,7 @@ import (
 	"github.com/golang/glog"
 	v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
 	"github.com/nirmata/kyverno/pkg/engine"
+	event "github.com/nirmata/kyverno/pkg/event"
 	"github.com/nirmata/kyverno/pkg/info"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
@ -46,23 +47,39 @@ func (c *Controller) listPolicies(ns *corev1.Namespace) ([]*v1alpha1.Policy, err
 	return fpolicies, nil
 }

-func (c *Controller) processPolicy(ns *corev1.Namespace, p *v1alpha1.Policy) error {
+func (c *Controller) processPolicy(ns *corev1.Namespace, p *v1alpha1.Policy) {
+	var eventInfo *event.Info
+
 	policyInfo := info.NewPolicyInfo(p.Name,
-		ns.Kind,
+		"Namespace",
 		ns.Name,
 		"") // Namespace has no namespace..WOW

 	ruleInfos := engine.GenerateNew(c.client, p, ns)
 	policyInfo.AddRuleInfos(ruleInfos)
+
 	if !policyInfo.IsSuccessful() {
 		glog.Infof("Failed to apply policy %s on resource %s %s", p.Name, ns.Kind, ns.Name)
 		for _, r := range ruleInfos {
 			glog.Warning(r.Msgs)
 		}
-	} else {
-		glog.Infof("Generation from policy %s has succesfully applied to %s %s", p.Name, ns.Kind, ns.Name)
+
+		eventInfo = event.NewEvent(policyKind, "", policyInfo.Name, event.RequestBlocked,
+			event.FPolicyApplyBlockCreate, policyInfo.RName, policyInfo.GetRuleNames(false))
+
+		glog.V(3).Infof("Request blocked event info has prepared for %s/%s\n", policyKind, policyInfo.Name)
+
+		// TODO: Generate policy Violations based on policyInfo
+		c.eventController.Add(eventInfo)
+		return
 	}

-	//TODO Generate policy Violations and corresponding events based on policyInfo
-	return nil
+	glog.Infof("Generation from policy %s has succesfully applied to %s/%s", p.Name, policyInfo.RKind, policyInfo.RName)
+
+	eventInfo = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName,
+		event.PolicyApplied, event.SRulesApply, policyInfo.GetRuleNames(true), policyInfo.Name)
+
+	glog.V(3).Infof("Success event info has prepared for %s/%s\n", policyInfo.RKind, policyInfo.RName)
+
+	c.eventController.Add(eventInfo)
 }
--- a/pkg/gencontroller/utils.go
+++ b/pkg/gencontroller/utils.go
@ -12,6 +12,7 @@ const (
 	wqNamespace  string = "namespace"
 	workerCount  int    = 1
 	wqRetryLimit int    = 5
+	policyKind   string = "Policy"
 )

 func namespaceMeetsRuleDescription(ns *corev1.Namespace, resourceDescription v1alpha1.ResourceDescription) bool {
--- a/pkg/info/info.go
+++ b/pkg/info/info.go
@ -127,3 +127,21 @@ func (pi *PolicyInfo) AddRuleInfos(rules []*RuleInfo) {

 	pi.Rules = append(pi.Rules, rules...)
 }
+
+//GetRuleNames gets the name of successful rules
+func (pi *PolicyInfo) GetRuleNames(onSuccess bool) string {
+	var ruleNames []string
+	for _, rule := range pi.Rules {
+		if onSuccess {
+			if rule.IsSuccessful() {
+				ruleNames = append(ruleNames, rule.Name)
+			}
+		} else {
+			if !rule.IsSuccessful() {
+				ruleNames = append(ruleNames, rule.Name)
+			}
+		}
+	}
+
+	return strings.Join(ruleNames, ",")
+}
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -189,8 +189,10 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest) *v1be
 		policyInfos = append(policyInfos, policyInfo)
 	}

-	eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
-	ws.eventController.Add(eventsInfo...)
+	if len(allPatches) > 0 {
+		eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
+		ws.eventController.Add(eventsInfo...)
+	}

 	ok, msg := isAdmSuccesful(policyInfos)
 	if ok {
@ -278,8 +280,11 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
 		policyInfos = append(policyInfos, policyInfo)
 	}

-	eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
-	ws.eventController.Add(eventsInfo...)
+	if len(policyInfos) > 0 && len(policyInfos[0].Rules) != 0 {
+		eventsInfo := newEventInfoFromPolicyInfo(policyInfos, (request.Operation == v1beta1.Update))
+		ws.eventController.Add(eventsInfo...)
+
+	}

 	// If Validation fails then reject the request
 	ok, msg := isAdmSuccesful(policyInfos)
@ -291,7 +296,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
 			},
 		}
 	}
-	glog.V(3).Info("Validation is successful")
+
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
@ -356,7 +361,7 @@ func (ws *WebhookServer) validateUniqueRuleName(rawPolicy []byte) *v1beta1.Admis
 		ruleNames = append(ruleNames, rule.Name)
 	}

-	glog.V(3).Infof("Policy validation passed.")
+	glog.V(3).Infof("Policy validation passed")
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 	}
@ -377,7 +382,7 @@ func newEventInfoFromPolicyInfo(policyInfoList []*info.PolicyInfo, onUpdate bool
 				eventsInfo = append(eventsInfo,
 					event.NewEvent(policyKind, "", pi.Name, event.RequestBlocked, event.FPolicyBlockResourceUpdate, pi.RName, ruleNames))

-				glog.V(3).Infof("Request blocked events info prepared for %s/%s and %s/%s\n", policyKind, pi.Name, pi.RKind, pi.RName)
+				glog.V(3).Infof("Request blocked events info has prepared for %s/%s and %s/%s\n", policyKind, pi.Name, pi.RKind, pi.RName)
 			}
 		}
 		return eventsInfo
@ -387,16 +392,18 @@ func newEventInfoFromPolicyInfo(policyInfoList []*info.PolicyInfo, onUpdate bool
 	if ok {
 		for _, pi := range policyInfoList {
 			ruleNames := getRuleNames(*pi, true)
+
 			eventsInfo = append(eventsInfo,
 				event.NewEvent(pi.RKind, pi.RNamespace, pi.RName, event.PolicyApplied, event.SRulesApply, ruleNames, pi.Name))

-			glog.V(3).Infof("Success event info prepared for %s/%s\n", pi.RKind, pi.RName)
+			glog.V(3).Infof("Success event info has prepared for %s/%s\n", pi.RKind, pi.RName)
 		}
 		return eventsInfo
 	}

 	for _, pi := range policyInfoList {
 		ruleNames := getRuleNames(*pi, false)
+
 		eventsInfo = append(eventsInfo,
 			event.NewEvent(policyKind, "", pi.Name, event.RequestBlocked, event.FPolicyApplyBlockCreate, pi.RName, ruleNames))

--- a/test/mix/policy.yaml
+++ b/test/mix/policy.yaml
@ -36,7 +36,7 @@ spec :
        - path: /metadata/labels/app1
          op: replace
          value: "nginx_is_mutated" 
-    - name: add-label3
+    - name: add-label
      resource:
        kinds : 
        - Deployment