mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/pkg/engine/response/response.go
Charles-Edouard Brétéché 54b7b65cfe
feat: propagate psa checks results (#5719) 
* feat: propagate psa checks results

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* add to report

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
2022-12-20 05:57:23 +00:00

263 lines
7.2 KiB
Go
Raw Blame History

package response
import (
"fmt"
"reflect"
"time"
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
pssutils "github.com/kyverno/kyverno/pkg/pss/utils"
"github.com/kyverno/kyverno/pkg/utils/wildcard"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/pod-security-admission/api"
)
// EngineResponse engine response to the action
type EngineResponse struct {
// Resource patched with the engine action changes
PatchedResource unstructured.Unstructured
// Original policy
Policy kyvernov1.PolicyInterface
// Policy Response
PolicyResponse PolicyResponse
}
// PolicyResponse policy application response
type PolicyResponse struct {
// policy details
Policy PolicySpec `json:"policy"`
// resource details
Resource ResourceSpec `json:"resource"`
// policy statistics
PolicyStats `json:",inline"`
// rule response
Rules []RuleResponse `json:"rules"`
// ValidationFailureAction: audit (default) or enforce
ValidationFailureAction kyvernov1.ValidationFailureAction
ValidationFailureActionOverrides []ValidationFailureActionOverride
}
// PolicySpec policy
type PolicySpec struct {
Name string `json:"name"`
Namespace string `json:"namespace"`
}
// ResourceSpec resource action applied on
type ResourceSpec struct {
Kind string `json:"kind"`
APIVersion string `json:"apiVersion"`
Namespace string `json:"namespace"`
Name string `json:"name"`
// UID is not used to build the unique identifier
// optional
UID string `json:"uid"`
}
// GetKey returns the key
func (rs ResourceSpec) GetKey() string {
return rs.Kind + "/" + rs.Namespace + "/" + rs.Name
}
// PolicyStats stores statistics for the single policy application
type PolicyStats struct {
// time required to process the policy rules on a resource
ProcessingTime time.Duration `json:"processingTime"`
// Count of rules that were applied successfully
RulesAppliedCount int `json:"rulesAppliedCount"`
// Count of rules that with execution errors
RulesErrorCount int `json:"rulesErrorCount"`
// Timestamp of the instant the Policy was triggered
PolicyExecutionTimestamp int64 `json:"policyExecutionTimestamp"`
}
type RuleType string
const (
// Mutation type for mutation rule
Mutation RuleType = "Mutation"
// Validation type for validation rule
Validation RuleType = "Validation"
// Generation type for generation rule
Generation RuleType = "Generation"
// ImageVerify type for image verification
ImageVerify RuleType = "ImageVerify"
)
// RuleResponse details for each rule application
type RuleResponse struct {
// rule name specified in policy
Name string `json:"name"`
// rule type (Mutation,Generation,Validation) for Kyverno Policy
Type RuleType `json:"type"`
// message response from the rule application
Message string `json:"message"`
// JSON patches, for mutation rules
Patches [][]byte `json:"patches,omitempty"`
// Resource generated by the generate rules of a policy
GeneratedResource unstructured.Unstructured `json:"generatedResource,omitempty"`
// rule status
Status RuleStatus `json:"status"`
// statistics
RuleStats `json:",inline"`
// PatchedTarget is the patched resource for mutate.targets
PatchedTarget *unstructured.Unstructured
// PatchedTargetSubresourceName is the name of the subresource which is patched, empty if the resource patched is
// not a subresource.
PatchedTargetSubresourceName string
// PatchedTargetParentResourceGVR is the GVR of the parent resource of the PatchedTarget. This is only populated
// when PatchedTarget is a subresource.
PatchedTargetParentResourceGVR metav1.GroupVersionResource
// PodSecurityChecks contains pod security checks (only if this is a pod security rule)
PodSecurityChecks *PodSecurityChecks
}
type PodSecurityChecks struct {
Level api.Level
Version string
Checks []pssutils.PSSCheckResult
}
// ToString ...
func (rr RuleResponse) ToString() string {
return fmt.Sprintf("rule %s (%s): %v", rr.Name, rr.Type, rr.Message)
}
// RuleStats stores the statistics for the single rule application
type RuleStats struct {
// time required to apply the rule on the resource
ProcessingTime time.Duration `json:"processingTime"`
// Timestamp of the instant the rule got triggered
RuleExecutionTimestamp int64 `json:"ruleExecutionTimestamp"`
}
// IsSuccessful checks if any rule has failed or produced an error during execution
func (er EngineResponse) IsSuccessful() bool {
for _, r := range er.PolicyResponse.Rules {
if r.Status == RuleStatusFail || r.Status == RuleStatusError {
return false
}
}
return true
}
// IsSkipped checks if any rule has skipped resource or not.
func (er EngineResponse) IsSkipped() bool {
for _, r := range er.PolicyResponse.Rules {
if r.Status == RuleStatusSkip {
return true
}
}
return false
}
// IsFailed checks if any rule created a policy violation
func (er EngineResponse) IsFailed() bool {
for _, r := range er.PolicyResponse.Rules {
if r.Status == RuleStatusFail {
return true
}
}
return false
}
// IsError checks if any rule resulted in a processing error
func (er EngineResponse) IsError() bool {
for _, r := range er.PolicyResponse.Rules {
if r.Status == RuleStatusError {
return true
}
}
return false
}
// IsEmpty checks if any rule results are present
func (er EngineResponse) IsEmpty() bool {
return len(er.PolicyResponse.Rules) == 0
}
// isNil checks if rule is an empty rule
func (er EngineResponse) IsNil() bool {
return reflect.DeepEqual(er, EngineResponse{})
}
// GetPatches returns all the patches joined
func (er EngineResponse) GetPatches() [][]byte {
var patches [][]byte
for _, r := range er.PolicyResponse.Rules {
if r.Patches != nil {
patches = append(patches, r.Patches...)
}
}
return patches
}
// GetFailedRules returns failed rules
func (er EngineResponse) GetFailedRules() []string {
return er.getRules(func(status RuleStatus) bool { return status == RuleStatusFail || status == RuleStatusError })
}
// GetSuccessRules returns success rules
func (er EngineResponse) GetSuccessRules() []string {
return er.getRules(func(status RuleStatus) bool { return status == RuleStatusPass })
}
// GetResourceSpec returns resourceSpec of er
func (er EngineResponse) GetResourceSpec() ResourceSpec {
return ResourceSpec{
Kind: er.PatchedResource.GetKind(),
APIVersion: er.PatchedResource.GetAPIVersion(),
Namespace: er.PatchedResource.GetNamespace(),
Name: er.PatchedResource.GetName(),
UID: string(er.PatchedResource.GetUID()),
}
}
func (er EngineResponse) getRules(predicate func(RuleStatus) bool) []string {
var rules []string
for _, r := range er.PolicyResponse.Rules {
if predicate(r.Status) {
rules = append(rules, r.Name)
}
}
return rules
}
func (er *EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
for _, v := range er.PolicyResponse.ValidationFailureActionOverrides {
for _, ns := range v.Namespaces {
if wildcard.Match(ns, er.PatchedResource.GetNamespace()) {
return v.Action
}
}
}
return er.PolicyResponse.ValidationFailureAction
}
type ValidationFailureActionOverride struct {
Action kyvernov1.ValidationFailureAction `json:"action"`
Namespaces []string `json:"namespaces"`
}
View git blame Copy permalink