- Create events for imageVerify rules (#3710)

- Skip generating events on blocked resource Signed-off-by: ShutingZhao <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-04-28 17:51:06 +08:00 · 2022-04-28 17:51:06 +08:00 · eb0b8d352c
commit eb0b8d352c
parent 68c35b2f2e
6 changed files with 17 additions and 9 deletions
--- a/pkg/openapi/crdSync.go
+++ b/pkg/openapi/crdSync.go
@ -218,7 +218,7 @@ func addingDefaultFieldsToSchema(crdName string, schemaRaw []byte) ([]byte, erro
 	_ = json.Unmarshal(schemaRaw, &schema)

 	if len(schema.Properties) < 1 {
-		log.Log.V(4).Info("crd schema has no properties", "name", crdName)
+		log.Log.V(6).Info("crd schema has no properties", "name", crdName)
 		return schemaRaw, nil
 	}

--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@ -22,7 +22,7 @@ import (
 func toBlockResource(engineReponses []*response.EngineResponse, log logr.Logger) bool {
 	for _, er := range engineReponses {
 		if engineutils2.CheckEngineResponse(er) {
-			log.Info("spec.ValidationFailureAction set to enforce blocking resource request", "policy", er.PolicyResponse.Policy.Name)
+			log.Info("spec.ValidationFailureAction set to enforce, blocking resource request", "policy", er.PolicyResponse.Policy.Name)
 			return true
 		}
 	}
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@ -115,7 +115,7 @@ func (ws *WebhookServer) handleMutation(
 	//   all policies were applied successfully.
 	//   create an event on the resource
 	// ADD EVENTS
-	events := generateEvents(engineResponses, false, request.Operation == admissionv1.Update, logger)
+	events := generateEvents(engineResponses, false, logger)
 	ws.eventGen.Add(events...)

 	// debug info
--- a/pkg/webhooks/report.go
+++ b/pkg/webhooks/report.go
@ -4,14 +4,13 @@ import (
 	"strings"

 	"github.com/go-logr/logr"
-	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/engine/response"
-
 	"github.com/kyverno/kyverno/pkg/event"
 )

 //generateEvents generates event info for the engine responses
-func generateEvents(engineResponses []*response.EngineResponse, blocked, onUpdate bool, log logr.Logger) []event.Info {
+func generateEvents(engineResponses []*response.EngineResponse, blocked bool, log logr.Logger) []event.Info {
 	var events []event.Info

 	// - Admission-Response is SUCCESS
@ -24,6 +23,7 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked, onUpdat

 	for _, er := range engineResponses {
 		if !er.IsSuccessful() {
+
 			// Rules that failed
 			failedRules := er.GetFailedRules()
 			failedRulesStr := strings.Join(failedRules, ";")
@ -32,7 +32,7 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked, onUpdat
 			pe := event.NewEvent(
 				log,
 				er.Policy.GetKind(),
-				kyvernov1alpha2.SchemeGroupVersion.String(),
+				kyvernov1.SchemeGroupVersion.String(),
 				er.PolicyResponse.Policy.Namespace,
 				er.PolicyResponse.Policy.Name,
 				event.PolicyViolation.String(),
@ -41,7 +41,11 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked, onUpdat
 				failedRulesStr,
 				er.PolicyResponse.Resource.GetKey(),
 			)
+			events = append(events, pe)

+			if blocked {
+				continue
+			}
 			// Event on the resource
 			re := event.NewEvent(
 				log,
@ -66,7 +70,7 @@ func generateEvents(engineResponses []*response.EngineResponse, blocked, onUpdat
 			e := event.NewEvent(
 				log,
 				er.Policy.GetKind(),
-				kyvernov1alpha2.SchemeGroupVersion.String(),
+				kyvernov1.SchemeGroupVersion.String(),
 				er.PolicyResponse.Policy.Namespace,
 				er.PolicyResponse.Policy.Name,
 				event.PolicyApplied.String(),
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@ -94,7 +94,7 @@ func (v *validationHandler) handleValidation(
 	// Scenario 3:
 	//   all policies were applied successfully.
 	//   create an event on the resource
-	events := generateEvents(engineResponses, blocked, (request.Operation == admissionv1.Update), logger)
+	events := generateEvents(engineResponses, blocked, logger)
 	v.eventGen.Add(events...)

 	if blocked {
--- a/pkg/webhooks/verify_images.go
+++ b/pkg/webhooks/verify_images.go
@ -47,6 +47,10 @@ func (ws *WebhookServer) handleVerifyImages(request *admissionv1.AdmissionReques
 	ws.prGenerator.Add(prInfos...)

 	blocked := toBlockResource(engineResponses, logger)
+
+	events := generateEvents(engineResponses, blocked, logger)
+	ws.eventGen.Add(events...)
+
 	if blocked {
 		logger.V(4).Info("resource blocked")
 		return false, getEnforceFailureErrorMsg(engineResponses), nil