mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

fix source in events (#6739)

Browse source 
Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2023-03-31 13:34:31 +08:00 committed by GitHub
parent 94f0829a37
commit efe09b286e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 129 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/controllers/report/utils/events.go
View file

@ -36,7 +36,7 @@ func generateExceptionEvents(log logr.Logger, ers ...engineapi.EngineResponse) (
for i, ruleResp := range er.PolicyResponse.Rules { for i, ruleResp := range er.PolicyResponse.Rules {
isException := ruleResp.Exception != nil isException := ruleResp.Exception != nil
if ruleResp.Status == engineapi.RuleStatusSkip && isException { if ruleResp.Status == engineapi.RuleStatusSkip && isException {
eventInfos = append(eventInfos, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i])...) eventInfos = append(eventInfos, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i], event.PolicyController)...)
} }
} }
} }

4
pkg/event/events.go
View file

@ -123,7 +123,7 @@ func NewBackgroundSuccessEvent(policy, rule string, source Source, r *unstructur
return events return events
} }
func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp *engineapi.RuleResponse) []Info { func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp *engineapi.RuleResponse, source Source) []Info {
exceptionName, exceptionNamespace := ruleResp.Exception.GetName(), ruleResp.Exception.GetNamespace() exceptionName, exceptionNamespace := ruleResp.Exception.GetName(), ruleResp.Exception.GetNamespace()
policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", resourceKey(engineResponse.PatchedResource), ruleResp.Name, exceptionNamespace, exceptionName) policyMessage := fmt.Sprintf("resource %s was skipped from rule %s due to policy exception %s/%s", resourceKey(engineResponse.PatchedResource), ruleResp.Name, exceptionNamespace, exceptionName)
var exceptionMessage string var exceptionMessage string
@ -138,6 +138,7 @@ func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp
Namespace: engineResponse.Policy.GetNamespace(), Namespace: engineResponse.Policy.GetNamespace(),
Reason: PolicySkipped, Reason: PolicySkipped,
Message: policyMessage, Message: policyMessage,
Source: source,
} }
exceptionEvent := Info{ exceptionEvent := Info{
Kind: "PolicyException", Kind: "PolicyException",
@ -145,6 +146,7 @@ func NewPolicyExceptionEvents(engineResponse engineapi.EngineResponse, ruleResp
Namespace: exceptionNamespace, Namespace: exceptionNamespace,
Reason: PolicySkipped, Reason: PolicySkipped,
Message: exceptionMessage, Message: exceptionMessage,
Source: source,
} }
return []Info{policyEvent, exceptionEvent} return []Info{policyEvent, exceptionEvent}
} }

2
pkg/webhooks/utils/event.go
View file

@ -34,7 +34,7 @@ func GenerateEvents(engineResponses []engineapi.EngineResponse, blocked bool) []
for i, ruleResp := range er.PolicyResponse.Rules { for i, ruleResp := range er.PolicyResponse.Rules {
isException := ruleResp.Exception != nil isException := ruleResp.Exception != nil
if ruleResp.Status == engineapi.RuleStatusSkip && !blocked && isException { if ruleResp.Status == engineapi.RuleStatusSkip && !blocked && isException {
events = append(events, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i])...) events = append(events, event.NewPolicyExceptionEvents(er, &er.PolicyResponse.Rules[i], event.AdmissionController)...)
} }
} }
} else if !er.IsSkipped() { } else if !er.IsSkipped() {

6
test/conformance/kuttl/exceptions/events-creation/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

20
test/conformance/kuttl/exceptions/events-creation/02-exception.yaml Normal file
View file

@ -0,0 +1,20 @@
apiVersion: v1
kind: Namespace
metadata:
name: policy-exception-events-creation-polex-ns
---
apiVersion: kyverno.io/v2alpha1
kind: PolicyException
metadata:
name: policy-exception-allow-latest
namespace: policy-exception-events-creation-polex-ns
spec:
exceptions:
- policyName: disallow-latest-tag-events-creation
ruleNames:
- validate-image-tag
match:
any:
- resources:
namespaces:
- policy-exception-events-creation-ns

15
test/conformance/kuttl/exceptions/events-creation/03-manifests.yaml Normal file
View file

@ -0,0 +1,15 @@
apiVersion: v1
kind: Namespace
metadata:
name: policy-exception-events-creation-ns
---
apiVersion: v1
kind: Pod
metadata:
name: policy-exception-events-creation-pod
namespace: policy-exception-events-creation-ns
spec:
containers:
- image: nginx
name: nginx

5
test/conformance/kuttl/exceptions/events-creation/04-sleep.yaml Normal file
View file

@ -0,0 +1,5 @@
# A command can only run a single command, not a pipeline and not a script. The program called must exist on the system where the test is run.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- command: sleep 3

26
test/conformance/kuttl/exceptions/events-creation/05-assert.yaml Normal file
View file

@ -0,0 +1,26 @@
apiVersion: v1
involvedObject:
apiVersion: kyverno.io/v2alpha1
kind: PolicyException
name: policy-exception-allow-latest
namespace: policy-exception-events-creation-polex-ns
kind: Event
metadata:
namespace: policy-exception-events-creation-polex-ns
reason: PolicySkipped
source:
component: kyverno-admission
type: Normal
---
apiVersion: v1
involvedObject:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
name: disallow-latest-tag-events-creation
kind: Event
metadata:
namespace: default
reason: PolicySkipped
source:
component: kyverno-admission
type: Normal

14
test/conformance/kuttl/exceptions/events-creation/README.md Normal file
View file

@ -0,0 +1,14 @@
## Description
This test checks the events are generated properly for policyexceptions.
## Steps
1. - Create a cluster policy
- Assert the policy becomes ready
1. - Create a policy exception for the cluster policy created above but for a specific namespace
1. - Try to create a pod, expecting two events are created, one for the clusterpolicy, another is for policyexception
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/6469

9
test/conformance/kuttl/exceptions/events-creation/policy-assert.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag-events-creation
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready

29
test/conformance/kuttl/exceptions/events-creation/policy.yaml Normal file
View file

@ -0,0 +1,29 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-latest-tag-events-creation
annotations:
policies.kyverno.io/title: Disallow Latest Tag
policies.kyverno.io/category: Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
The ':latest' tag is mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application Pod. This policy validates that the image
specifies a tag and that it is not called `latest`.
spec:
validationFailureAction: enforce
background: true
rules:
- name: validate-image-tag
match:
resources:
kinds:
- Pod
validate:
message: "An image tag is required (:latest is not allowed)"
pattern:
spec:
containers:
- image: "!*:latest & *:*"