mirror of
https://github.com/kyverno/kyverno.git
synced 2025-01-20 18:52:16 +00:00
e0ab72bb9a
This PR refactors the reports generation code. It removes RCR and CRCR crds and replaces them with AdmissionReport, ClusterAdmissionReport, BackgroundScanReport and ClusterBackgroundScanReport crds. The new reports system is based on 4 controllers: Admission reports controller is responsible for cleaning up admission reports and attaching admission reports to their corresponding resource in case of a creation Background scan reports controller is responsible for creating background scan reports when a resource and/or policy changes Aggregation controller takes care of aggregation per resource reports into higher level reports (per namespace) Resources controller is responsible for watching reports that need background scan reports I added two new flags to disable admission reports and/or background scan reports, the whole reporting system can be disabled if something goes wrong. I also added a flag to split reports in chunks to avoid creating too large resources. Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: prateekpandey14 <prateek.pandey@nirmata.com>
294 lines
15 KiB
YAML
294 lines
15 KiB
YAML
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.9.1-0.20220629131006-1878064c4cdf
|
|
creationTimestamp: null
|
|
name: backgroundscanreports.kyverno.io
|
|
spec:
|
|
group: kyverno.io
|
|
names:
|
|
kind: BackgroundScanReport
|
|
listKind: BackgroundScanReportList
|
|
plural: backgroundscanreports
|
|
shortNames:
|
|
- bgscanr
|
|
singular: backgroundscanreport
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .metadata.ownerReferences[0].kind
|
|
name: Kind
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .metadata.ownerReferences[0].name
|
|
name: Subject
|
|
priority: 1
|
|
type: string
|
|
- jsonPath: .spec.summary.pass
|
|
name: Pass
|
|
type: integer
|
|
- jsonPath: .spec.summary.fail
|
|
name: Fail
|
|
type: integer
|
|
- jsonPath: .spec.summary.warn
|
|
name: Warn
|
|
type: integer
|
|
- jsonPath: .spec.summary.error
|
|
name: Error
|
|
type: integer
|
|
- jsonPath: .spec.summary.skip
|
|
name: Skip
|
|
type: integer
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
- jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash']
|
|
name: Hash
|
|
priority: 1
|
|
type: string
|
|
name: v1alpha2
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: BackgroundScanReport is the Schema for the BackgroundScanReports
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
properties:
|
|
results:
|
|
description: PolicyReportResult provides result details
|
|
items:
|
|
description: PolicyReportResult provides the result for an individual
|
|
policy
|
|
properties:
|
|
category:
|
|
description: Category indicates policy category
|
|
type: string
|
|
message:
|
|
description: Description is a short user friendly message for
|
|
the policy rule
|
|
type: string
|
|
policy:
|
|
description: Policy is the name or identifier of the policy
|
|
type: string
|
|
properties:
|
|
additionalProperties:
|
|
type: string
|
|
description: Properties provides additional information for
|
|
the policy rule
|
|
type: object
|
|
resourceSelector:
|
|
description: SubjectSelector is an optional label selector for
|
|
checked Kubernetes resources. For example, a policy result
|
|
may apply to all pods that match a label. Either a Subject
|
|
or a SubjectSelector can be specified. If neither are provided,
|
|
the result is assumed to be for the policy report scope.
|
|
properties:
|
|
matchExpressions:
|
|
description: matchExpressions is a list of label selector
|
|
requirements. The requirements are ANDed.
|
|
items:
|
|
description: A label selector requirement is a selector
|
|
that contains values, a key, and an operator that relates
|
|
the key and values.
|
|
properties:
|
|
key:
|
|
description: key is the label key that the selector
|
|
applies to.
|
|
type: string
|
|
operator:
|
|
description: operator represents a key's relationship
|
|
to a set of values. Valid operators are In, NotIn,
|
|
Exists and DoesNotExist.
|
|
type: string
|
|
values:
|
|
description: values is an array of string values.
|
|
If the operator is In or NotIn, the values array
|
|
must be non-empty. If the operator is Exists or
|
|
DoesNotExist, the values array must be empty. This
|
|
array is replaced during a strategic merge patch.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- key
|
|
- operator
|
|
type: object
|
|
type: array
|
|
matchLabels:
|
|
additionalProperties:
|
|
type: string
|
|
description: matchLabels is a map of {key,value} pairs.
|
|
A single {key,value} in the matchLabels map is equivalent
|
|
to an element of matchExpressions, whose key field is
|
|
"key", the operator is "In", and the values array contains
|
|
only "value". The requirements are ANDed.
|
|
type: object
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
resources:
|
|
description: Subjects is an optional reference to the checked
|
|
Kubernetes resources
|
|
items:
|
|
description: 'ObjectReference contains enough information
|
|
to let you inspect or modify the referred object. --- New
|
|
uses of this type are discouraged because of difficulty
|
|
describing its usage when embedded in APIs. 1. Ignored fields. It
|
|
includes many fields which are not generally honored. For
|
|
instance, ResourceVersion and FieldPath are both very rarely
|
|
valid in actual usage. 2. Invalid usage help. It is impossible
|
|
to add specific help for individual usage. In most embedded
|
|
usages, there are particular restrictions like, "must refer
|
|
only to types A and B" or "UID not honored" or "name must
|
|
be restricted". Those cannot be well described when embedded.
|
|
3. Inconsistent validation. Because the usages are different,
|
|
the validation rules are different by usage, which makes
|
|
it hard for users to predict what will happen. 4. The fields
|
|
are both imprecise and overly precise. Kind is not a precise
|
|
mapping to a URL. This can produce ambiguity during interpretation
|
|
and require a REST mapping. In most cases, the dependency
|
|
is on the group,resource tuple and the version of the actual
|
|
struct is irrelevant. 5. We cannot easily change it. Because
|
|
this type is embedded in many locations, updates to this
|
|
type will affect numerous schemas. Don''t make new APIs
|
|
embed an underspecified API type they do not control. Instead
|
|
of using this type, create a locally provided and used type
|
|
that is well-focused on your reference. For example, ServiceReferences
|
|
for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533
|
|
.'
|
|
properties:
|
|
apiVersion:
|
|
description: API version of the referent.
|
|
type: string
|
|
fieldPath:
|
|
description: 'If referring to a piece of an object instead
|
|
of an entire object, this string should contain a valid
|
|
JSON/Go field access statement, such as desiredState.manifest.containers[2].
|
|
For example, if the object reference is to a container
|
|
within a pod, this would take on a value like: "spec.containers{name}"
|
|
(where "name" refers to the name of the container that
|
|
triggered the event) or if no container name is specified
|
|
"spec.containers[2]" (container with index 2 in this
|
|
pod). This syntax is chosen only to have some well-defined
|
|
way of referencing a part of an object. TODO: this design
|
|
is not final and this field is subject to change in
|
|
the future.'
|
|
type: string
|
|
kind:
|
|
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
name:
|
|
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
type: string
|
|
namespace:
|
|
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
type: string
|
|
resourceVersion:
|
|
description: 'Specific resourceVersion to which this reference
|
|
is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
type: string
|
|
uid:
|
|
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
type: string
|
|
type: object
|
|
x-kubernetes-map-type: atomic
|
|
type: array
|
|
result:
|
|
description: Result indicates the outcome of the policy rule
|
|
execution
|
|
enum:
|
|
- pass
|
|
- fail
|
|
- warn
|
|
- error
|
|
- skip
|
|
type: string
|
|
rule:
|
|
description: Rule is the name or identifier of the rule within
|
|
the policy
|
|
type: string
|
|
scored:
|
|
description: Scored indicates if this result is scored
|
|
type: boolean
|
|
severity:
|
|
description: Severity indicates policy check result criticality
|
|
enum:
|
|
- critical
|
|
- high
|
|
- low
|
|
- medium
|
|
- info
|
|
type: string
|
|
source:
|
|
description: Source is an identifier for the policy engine that
|
|
manages this report
|
|
type: string
|
|
timestamp:
|
|
description: Timestamp indicates the time the result was found
|
|
properties:
|
|
nanos:
|
|
description: Non-negative fractions of a second at nanosecond
|
|
resolution. Negative second values with fractions must
|
|
still have non-negative nanos values that count forward
|
|
in time. Must be from 0 to 999,999,999 inclusive. This
|
|
field may be limited in precision depending on context.
|
|
format: int32
|
|
type: integer
|
|
seconds:
|
|
description: Represents seconds of UTC time since Unix epoch
|
|
1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z
|
|
to 9999-12-31T23:59:59Z inclusive.
|
|
format: int64
|
|
type: integer
|
|
required:
|
|
- nanos
|
|
- seconds
|
|
type: object
|
|
required:
|
|
- policy
|
|
type: object
|
|
type: array
|
|
summary:
|
|
description: PolicyReportSummary provides a summary of results
|
|
properties:
|
|
error:
|
|
description: Error provides the count of policies that could not
|
|
be evaluated
|
|
type: integer
|
|
fail:
|
|
description: Fail provides the count of policies whose requirements
|
|
were not met
|
|
type: integer
|
|
pass:
|
|
description: Pass provides the count of policies whose requirements
|
|
were met
|
|
type: integer
|
|
skip:
|
|
description: Skip indicates the count of policies that were not
|
|
selected for evaluation
|
|
type: integer
|
|
warn:
|
|
description: Warn provides the count of non-scored policies whose
|
|
requirements were not met
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources: {}
|