use scope resource if result resources are not defined

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
2024-12-14 11:57:32 +00:00 · 2023-02-18 11:32:22 +01:00 · 2023-02-18 11:32:22 +01:00 · 09bd74d534
commit 09bd74d534
parent e39d8e1ef6
7 changed files with 75 additions and 2 deletions
--- a/pkg/crd/api/policyreport/v1alpha2/clusterpolicyreport_types.go
+++ b/pkg/crd/api/policyreport/v1alpha2/clusterpolicyreport_types.go
@ -124,6 +124,10 @@ func (r *ClusterPolicyReport) GetSeverities() []string {
 	return list
 }

+func (r *ClusterPolicyReport) GetScope() *corev1.ObjectReference {
+	return r.Scope
+}
+
 // +kubebuilder:object:root=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

--- a/pkg/crd/api/policyreport/v1alpha2/common.go
+++ b/pkg/crd/api/policyreport/v1alpha2/common.go
@ -273,6 +273,7 @@ func (r *PolicyReportResult) GetID() string {
 type ReportInterface interface {
 	metav1.Object
 	GetID() string
+	GetScope() *corev1.ObjectReference
 	GetResults() []PolicyReportResult
 	GetSummary() PolicyReportSummary
 	GetSource() string
--- a/pkg/crd/api/policyreport/v1alpha2/policyreport_types.go
+++ b/pkg/crd/api/policyreport/v1alpha2/policyreport_types.go
@ -121,6 +121,10 @@ func (r *PolicyReport) GetID() string {
 	return strconv.FormatUint(h1, 10)
 }

+func (r *PolicyReport) GetScope() *corev1.ObjectReference {
+	return r.Scope
+}
+
 // +kubebuilder:object:root=true
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

--- a/pkg/fixtures/policy_results.go
+++ b/pkg/fixtures/policy_results.go
@ -165,3 +165,15 @@ var FailNamespaceResult = v1alpha2.PolicyReportResult{
 		UID:        "536ab69f-1b3c-4bd9-9ba4-274a56188412",
 	}},
 }
+
+var ScopeResult = v1alpha2.PolicyReportResult{
+	Message:  "validation error: requests and limits required. Rule autogen-check-for-requests-and-limits failed at path /spec/template/spec/containers/0/resources/requests/",
+	Policy:   "require-requests-and-limits-required",
+	Rule:     "autogen-check-for-requests-and-limits",
+	Priority: v1alpha2.WarningPriority,
+	Result:   v1alpha2.StatusFail,
+	Severity: v1alpha2.SeverityHigh,
+	Category: "resources",
+	Scored:   true,
+	Source:   "Kyverno",
+}
--- a/pkg/listener/send_result.go
+++ b/pkg/listener/send_result.go
@ -6,6 +6,8 @@ import (
 	"github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2"
 	"github.com/kyverno/policy-reporter/pkg/report"
 	"github.com/kyverno/policy-reporter/pkg/target"
+
+	corev1 "k8s.io/api/core/v1"
 )

 const SendResults = "send_results_listener"
@ -23,6 +25,10 @@ func NewSendResultListener(clients []target.Client, mapper report.Mapper) report
 					result.Priority = mapper.ResolvePriority(result.Policy, result.Severity)
 				}

+				if !result.HasResource() && re.GetScope() != nil {
+					result.Resources = []corev1.ObjectReference{*re.GetScope()}
+				}
+
 				if (preExisted && target.SkipExistingOnStartup()) || !target.Validate(re, result) {
 					return
 				}
--- a/pkg/sqlite3/store.go
+++ b/pkg/sqlite3/store.go
@ -38,7 +38,7 @@ const (

 	resultSQL = `CREATE TABLE policy_report_result (
    "policy_report_id" TEXT NOT NULL,
-    "id" TEXT NOT NULL PRIMARY KEY,
+    "id" TEXT NOT NULL,
    "policy" TEXT,
    "rule" TEXT,
    "message" TEXT,
@ -54,6 +54,7 @@ const (
    "resource_uid" TEXT,
    "properties" TEXT,
    "timestamp" INTEGER,
+	PRIMARY KEY (policy_report_id, id),
    FOREIGN KEY (policy_report_id) REFERENCES policy_report(id) ON DELETE CASCADE
  );`

@ -1126,7 +1127,9 @@ func (s *policyReportStore) persistResults(report v1alpha2.ReportInterface) erro
 			}

 			res := result.GetResource()
-			if res == nil {
+			if res == nil && report.GetScope() != nil {
+				res = report.GetScope()
+			} else if res == nil {
 				res = &corev1.ObjectReference{}
 			}

--- a/pkg/sqlite3/store_test.go
+++ b/pkg/sqlite3/store_test.go
@ -3,6 +3,7 @@ package sqlite3_test
 import (
 	"testing"

+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	v1 "github.com/kyverno/policy-reporter/pkg/api/v1"
@ -58,6 +59,23 @@ var creport = &v1alpha2.ClusterPolicyReport{
 	Summary: v1alpha2.PolicyReportSummary{},
 }

+var scopeReport = &v1alpha2.PolicyReport{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:              "polr-scope-test",
+		Namespace:         "test",
+		CreationTimestamp: metav1.Now(),
+	},
+	Results: []v1alpha2.PolicyReportResult{fixtures.ScopeResult},
+	Summary: v1alpha2.PolicyReportSummary{Fail: 1, Pass: 0},
+	Scope: &corev1.ObjectReference{
+		APIVersion: "v1",
+		Kind:       "Deployment",
+		Name:       "nginx",
+		Namespace:  "test",
+		UID:        "536ab69f-1b3c-4bd9-9ba4-274a56188409",
+	},
+}
+
 func Test_PolicyReportStore(t *testing.T) {
 	db, _ := sqlite3.NewDatabase("test.db")
 	defer db.Close()
@ -108,6 +126,31 @@ func Test_PolicyReportStore(t *testing.T) {
 			t.Errorf("Should be found in Store after adding report to the store")
 		}
 	})
+	t.Run("Add/Get PolicyReport with ScopeResource", func(t *testing.T) {
+		_, ok := store.Get(scopeReport.GetID())
+		if ok == true {
+			t.Fatalf("Should not be found in empty Store")
+		}
+
+		err := store.Add(scopeReport)
+		if err != nil {
+			t.Fatalf("Unexpected add error: %s", err)
+		}
+
+		rep, ok := store.Get(scopeReport.GetID())
+		if ok == false {
+			t.Error("Should be found in Store after adding report to the store")
+		}
+		if len(rep.GetResults()) == 0 {
+			t.Fatal("Exptected at least one result on the report")
+		}
+		res := rep.GetResults()[0]
+		if !res.HasResource() {
+			t.Error("Expected scope resource set as result resource")
+		}
+
+		store.Remove(rep.GetID())
+	})

 	t.Run("FetchNamespacedKinds", func(t *testing.T) {
 		items, err := store.FetchNamespacedKinds(v1.Filter{Sources: []string{"kyverno"}, ReportLabel: map[string]string{"app": "policy-reporter"}})