feat: re-evaluate policy exceptions for existing resources and modify reports accordingly (#8659)

* feat: re-evaluate policy exceptions for existing resources and modify reports accordingly Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix: use v2 of exceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw test Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix: use properties in the reports result Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-01-17 20:00:15 +02:00 · 2024-01-17 20:00:15 +02:00 · f0564b3019
commit f0564b3019
parent a9e3ca20b2
9 changed files with 114 additions and 18 deletions
--- a/cmd/reports-controller/main.go
+++ b/cmd/reports-controller/main.go
@ -63,6 +63,7 @@ func createReportControllers(
 	}

 	kyvernoV1 := kyvernoInformer.Kyverno().V1()
+	kyvernoV2beta1 := kyvernoInformer.Kyverno().V2beta1()
 	if backgroundScan || admissionReports {
 		resourceReportController := resourcereportcontroller.NewController(
 			client,
@ -112,6 +113,7 @@ func createReportControllers(
 				metadataFactory,
 				kyvernoV1.Policies(),
 				kyvernoV1.ClusterPolicies(),
+				kyvernoV2beta1.PolicyExceptions(),
 				vapInformer,
 				kubeInformer.Core().V1().Namespaces(),
 				resourceReportController,
--- a/pkg/controllers/report/background/controller.go
+++ b/pkg/controllers/report/background/controller.go
@ -7,10 +7,13 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
+	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
+	kyvernov2beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2beta1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
+	kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
@ -54,6 +57,7 @@ type controller struct {
 	// listers
 	polLister      kyvernov1listers.PolicyLister
 	cpolLister     kyvernov1listers.ClusterPolicyLister
+	polexLister    kyvernov2beta1listers.PolicyExceptionLister
 	vapLister      admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister
 	bgscanrLister  cache.GenericLister
 	cbgscanrLister cache.GenericLister
@ -80,6 +84,7 @@ func NewController(
 	metadataFactory metadatainformers.SharedInformerFactory,
 	polInformer kyvernov1informers.PolicyInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
+	polexInformer kyvernov2beta1informers.PolicyExceptionInformer,
 	vapInformer admissionregistrationv1alpha1informers.ValidatingAdmissionPolicyInformer,
 	nsInformer corev1informers.NamespaceInformer,
 	metadataCache resource.MetadataCache,
@ -98,6 +103,7 @@ func NewController(
 		engine:         engine,
 		polLister:      polInformer.Lister(),
 		cpolLister:     cpolInformer.Lister(),
+		polexLister:    polexInformer.Lister(),
 		bgscanrLister:  bgscanr.Lister(),
 		cbgscanrLister: cbgscanr.Lister(),
 		nsLister:       nsInformer.Lister(),
@ -121,6 +127,9 @@ func NewController(
 	if _, err := controllerutils.AddEventHandlersT(cpolInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy); err != nil {
 		logger.Error(err, "failed to register event handlers")
 	}
+	if _, err := controllerutils.AddEventHandlersT(polexInformer.Informer(), c.addException, c.updateException, c.deleteException); err != nil {
+		logger.Error(err, "failed to register event handlers")
+	}
 	c.metadataCache.AddEventHandler(func(eventType resource.EventType, uid types.UID, _ schema.GroupVersionKind, res resource.Resource) {
 		// if it's a deletion, nothing to do
 		if eventType == resource.Deleted {
@ -154,6 +163,20 @@ func (c *controller) deletePolicy(obj kyvernov1.PolicyInterface) {
 	c.enqueueResources()
 }

+func (c *controller) addException(obj *kyvernov2beta1.PolicyException) {
+	c.enqueueResources()
+}
+
+func (c *controller) updateException(old, obj *kyvernov2beta1.PolicyException) {
+	if old.GetResourceVersion() != obj.GetResourceVersion() {
+		c.enqueueResources()
+	}
+}
+
+func (c *controller) deleteException(obj *kyvernov2beta1.PolicyException) {
+	c.enqueueResources()
+}
+
 func (c *controller) addVAP(obj *admissionregistrationv1alpha1.ValidatingAdmissionPolicy) {
 	c.enqueueResources()
 }
@ -198,7 +221,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) {
 	}
 }

-func (c *controller) needsReconcile(namespace, name, hash string, policies ...engineapi.GenericPolicy) (bool, bool, error) {
+func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2beta1.PolicyException, policies ...engineapi.GenericPolicy) (bool, bool, error) {
 	// if the reportMetadata does not exist, we need a full reconcile
 	reportMetadata, err := c.getMeta(namespace, name)
 	if err != nil {
@ -225,11 +248,14 @@ func (c *controller) needsReconcile(namespace, name, hash string, policies ...en
 			return true, true, nil
 		}
 	}
-	// if a policy changed, we need a partial reconcile
+	// if a policy or an exception changed, we need a partial reconcile
 	expected := map[string]string{}
 	for _, policy := range policies {
 		expected[reportutils.PolicyLabel(policy)] = policy.GetResourceVersion()
 	}
+	for _, exception := range exceptions {
+		expected[reportutils.PolicyExceptionLabel(exception)] = exception.GetResourceVersion()
+	}
 	actual := map[string]string{}
 	for key, value := range reportMetadata.GetLabels() {
 		if reportutils.IsPolicyLabel(key) {
@ -251,6 +277,7 @@ func (c *controller) reconcileReport(
 	uid types.UID,
 	gvk schema.GroupVersionKind,
 	resource resource.Resource,
+	exceptions []kyvernov2beta1.PolicyException,
 	policies ...engineapi.GenericPolicy,
 ) error {
 	// namespace labels to be used by the scanner
@ -280,6 +307,10 @@ func (c *controller) reconcileReport(
 	for _, policy := range policies {
 		expected[reportutils.PolicyLabel(policy)] = policy.GetResourceVersion()
 	}
+	for _, exception := range exceptions {
+		expected[reportutils.PolicyExceptionLabel(exception)] = exception.GetResourceVersion()
+	}
+
 	actual := map[string]string{}
 	for key, value := range observed.GetLabels() {
 		if reportutils.IsPolicyLabel(key) {
@ -302,18 +333,34 @@ func (c *controller) reconcileReport(
 			}
 			policyNameToLabel[key] = reportutils.PolicyLabel(policy)
 		}
-		// keep up to date results
+
+		for _, exception := range exceptions {
+			key, err := cache.MetaNamespaceKeyFunc(exception)
+			if err != nil {
+				return err
+			}
+			policyNameToLabel[key] = reportutils.PolicyExceptionLabel(exception)
+		}
+
 		for _, result := range observed.GetResults() {
 			// if the policy did not change, keep the result
 			label := policyNameToLabel[result.Policy]
-			if label != "" && expected[label] == actual[label] {
+			exceptionLabel := policyNameToLabel[result.Properties["exception"]]
+			if (label != "" && expected[label] == actual[label]) || (exceptionLabel != "" && expected[exceptionLabel] == actual[exceptionLabel]) {
 				ruleResults = append(ruleResults, result)
 			}
 		}
 	}
 	// calculate necessary results
 	for _, policy := range policies {
-		if full || actual[reportutils.PolicyLabel(policy)] != policy.GetResourceVersion() {
+		reevaluate := false
+		for _, polex := range exceptions {
+			if actual[reportutils.PolicyExceptionLabel(polex)] != polex.GetResourceVersion() {
+				reevaluate = true
+				break
+			}
+		}
+		if full || reevaluate || actual[reportutils.PolicyLabel(policy)] != policy.GetResourceVersion() {
 			scanner := utils.NewScanner(logger, c.engine, c.config, c.jp)
 			for _, result := range scanner.ScanResource(ctx, *target, nsLabels, policy) {
 				if result.Error != nil {
@ -334,6 +381,9 @@ func (c *controller) reconcileReport(
 	for _, policy := range policies {
 		reportutils.SetPolicyLabel(desired, policy)
 	}
+	for _, exception := range exceptions {
+		reportutils.SetPolicyExceptionLabel(desired, exception)
+	}
 	reportutils.SetResourceVersionLabels(desired, target)
 	reportutils.SetResults(desired, ruleResults...)
 	if full || !controllerutils.HasAnnotation(desired, annotationLastScanTime) {
@ -418,15 +468,20 @@ func (c *controller) reconcile(ctx context.Context, log logr.Logger, key, namesp
 			policies = append(policies, engineapi.NewValidatingAdmissionPolicy(pol))
 		}
 	}
+	// load policy exceptions with background process enabled
+	exceptions, err := utils.FetchPolicyExceptions(c.polexLister, namespace)
+	if err != nil {
+		return err
+	}
 	// we have the resource, check if we need to reconcile
-	if needsReconcile, full, err := c.needsReconcile(namespace, name, resource.Hash, policies...); err != nil {
+	if needsReconcile, full, err := c.needsReconcile(namespace, name, resource.Hash, exceptions, policies...); err != nil {
 		return err
 	} else {
 		defer func() {
 			c.queue.AddAfter(key, c.forceDelay)
 		}()
 		if needsReconcile {
-			return c.reconcileReport(ctx, namespace, name, full, uid, gvk, resource, policies...)
+			return c.reconcileReport(ctx, namespace, name, full, uid, gvk, resource, exceptions, policies...)
 		}
 	}
 	return nil
--- a/pkg/controllers/report/utils/utils.go
+++ b/pkg/controllers/report/utils/utils.go
@ -4,8 +4,10 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
+	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
+	kyvernov2beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2beta1"
 	datautils "github.com/kyverno/kyverno/pkg/utils/data"
 	policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
 	admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
@ -109,6 +111,20 @@ func FetchPolicies(polLister kyvernov1listers.PolicyLister, namespace string) ([
 	return policies, nil
 }

+func FetchPolicyExceptions(polexLister kyvernov2beta1listers.PolicyExceptionLister, namespace string) ([]kyvernov2beta1.PolicyException, error) {
+	var exceptions []kyvernov2beta1.PolicyException
+	if polexs, err := polexLister.PolicyExceptions(namespace).List(labels.Everything()); err != nil {
+		return nil, err
+	} else {
+		for _, polex := range polexs {
+			if polex.Spec.BackgroundProcessingEnabled() {
+				exceptions = append(exceptions, *polex)
+			}
+		}
+	}
+	return exceptions, nil
+}
+
 func FetchValidatingAdmissionPolicies(vapLister admissionregistrationv1alpha1listers.ValidatingAdmissionPolicyLister) ([]admissionregistrationv1alpha1.ValidatingAdmissionPolicy, error) {
 	var policies []admissionregistrationv1alpha1.ValidatingAdmissionPolicy
 	if pols, err := vapLister.List(labels.Everything()); err != nil {
--- a/pkg/utils/report/labels.go
+++ b/pkg/utils/report/labels.go
@ -10,6 +10,7 @@ import (
 	"github.com/kyverno/kyverno/api/kyverno"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
+	kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -31,13 +32,14 @@ const (
 	LabelDomainPolicy                    = "pol.kyverno.io"
 	LabelPrefixClusterPolicy             = LabelDomainClusterPolicy + "/"
 	LabelPrefixPolicy                    = LabelDomainPolicy + "/"
+	LabelPrefixPolicyException           = "polex.kyverno.io/"
 	LabelPrefixValidatingAdmissionPolicy = "validatingadmissionpolicy.apiserver.io/"
 	//	aggregated admission report label
 	LabelAggregatedReport = "audit.kyverno.io/report.aggregate"
 )

 func IsPolicyLabel(label string) bool {
-	return strings.HasPrefix(label, LabelPrefixPolicy) || strings.HasPrefix(label, LabelPrefixClusterPolicy)
+	return strings.HasPrefix(label, LabelPrefixPolicy) || strings.HasPrefix(label, LabelPrefixClusterPolicy) || strings.HasPrefix(label, LabelPrefixPolicyException)
 }

 func PolicyNameFromLabel(namespace, label string) (string, error) {
@ -73,6 +75,10 @@ func PolicyLabel(policy engineapi.GenericPolicy) string {
 	return PolicyLabelPrefix(policy) + policy.GetName()
 }

+func PolicyExceptionLabel(exception kyvernov2beta1.PolicyException) string {
+	return LabelPrefixPolicyException + exception.GetName()
+}
+
 func CleanupKyvernoLabels(obj metav1.Object) {
 	labels := obj.GetLabels()
 	for key := range labels {
@ -134,6 +140,10 @@ func SetPolicyLabel(report kyvernov1alpha2.ReportInterface, policy engineapi.Gen
 	controllerutils.SetLabel(report, PolicyLabel(policy), policy.GetResourceVersion())
 }

+func SetPolicyExceptionLabel(report kyvernov1alpha2.ReportInterface, exception kyvernov2beta1.PolicyException) {
+	controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion())
+}
+
 func GetResourceUid(report metav1.Object) types.UID {
 	return types.UID(controllerutils.GetLabel(report, LabelResourceUid))
 }
--- a/pkg/utils/report/results.go
+++ b/pkg/utils/report/results.go
@ -107,6 +107,11 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
 				Category: annotations[kyverno.AnnotationPolicyCategory],
 				Severity: SeverityFromString(annotations[kyverno.AnnotationPolicySeverity]),
 			}
+			if ruleResult.Exception() != nil {
+				result.Properties = map[string]string{
+					"exception": ruleResult.Exception().Name,
+				}
+			}
 			pss := ruleResult.PodSecurityChecks()
 			if pss != nil {
 				var controls []string
--- a/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml
+++ b/test/conformance/chainsaw/reports/admission/exception/report-assert.yaml
@ -15,6 +15,8 @@ results:
  rule: require-team
  scored: true
  source: kyverno
+  properties:
+    exception: mynewpolex
 summary:
  error: 0
  fail: 0
--- a/test/conformance/chainsaw/reports/background/exception/README.md
+++ b/test/conformance/chainsaw/reports/background/exception/README.md
@ -5,8 +5,12 @@ It makes sure the generated background scan report contains a skipped result ins

 ## Steps

-1.  - Create a cluster policy
+1.  - Create a confimap named `emergency`
+2.  - Create a cluster policy
    - Assert the policy becomes ready
-1.  - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
-1.  - Try to create a confimap named `emergency`
-1.  - Assert that a policy report exists with a skipped result
+3.  - Create a policy exception for the cluster policy created above, configured to apply to configmap named `emergency`
+4.  - Assert that a policy report exists with a skipped result
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7287
--- a/test/conformance/chainsaw/reports/background/exception/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/reports/background/exception/chainsaw-test.yaml
@ -8,19 +8,19 @@ spec:
  - name: step-01
    try:
    - apply:
-        file: policy.yaml
+        file: configmap.yaml
    - assert:
-        file: policy-assert.yaml
+        file: configmap.yaml
  - name: step-02
    try:
    - apply:
-        file: exception.yaml
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
  - name: step-03
    try:
    - apply:
-        file: configmap.yaml
-    - assert:
-        file: configmap.yaml
+        file: exception.yaml
  - name: step-04
    try:
    - assert:
--- a/test/conformance/chainsaw/reports/background/exception/report-assert.yaml
+++ b/test/conformance/chainsaw/reports/background/exception/report-assert.yaml
@ -15,6 +15,8 @@ results:
  rule: require-team
  scored: true
  source: kyverno
+  properties:
+    exception: mynewpolex
 summary:
  error: 0
  fail: 0