

feat: add policy feedback support
Signed-off-by: Charles-Edouard Brétéché <[email protected]>
eddycharly committed Jun 10, 2024
1 parent 69a4a1f commit d3d2ddb
Showing 13 changed files with 193 additions and 6 deletions.
17 changes: 17 additions & 0 deletions .crds/json.kyverno.io_validatingpolicies.yaml
Expand Up @@ -122,6 +122,23 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
feedback:
description: Feedback declares rule feedback entries.
items:
description: Feedback contains a feedback entry.
properties:
name:
description: Name is the feedback entry name.
type: string
value:
description: Value is the feedback entry value (a JMESPath
expression).
type: string
required:
- name
- value
type: object
type: array
identifier:
description: Identifier declares a JMESPath expression to extract
a name from the payload.
22 changes: 22 additions & 0 deletions .schemas/json/_definitions.json
Expand Up @@ -16592,6 +16592,28 @@
}
}
},
"feedback": {
"description": "Feedback declares rule feedback entries.",
"type": "array",
"items": {
"description": "Feedback contains a feedback entry.",
"type": "object",
"required": [
"name",
"value"
],
"properties": {
"name": {
"description": "Name is the feedback entry name.",
"type": "string"
},
"value": {
"description": "Value is the feedback entry value (a JMESPath expression).",
"type": "string"
}
}
}
},
"identifier": {
"description": "Identifier declares a JMESPath expression to extract a name from the payload.",
"type": "string"
28 changes: 28 additions & 0 deletions .schemas/json/validatingpolicy-json-v1alpha1.json
Expand Up @@ -417,6 +417,34 @@
}
}
},
"feedback": {
"description": "Feedback declares rule feedback entries.",
"type": [
"array",
"null"
],
"items": {
"description": "Feedback contains a feedback entry.",
"type": [
"object",
"null"
],
"required": [
"name",
"value"
],
"properties": {
"name": {
"description": "Name is the feedback entry name.",
"type": "string"
},
"value": {
"description": "Value is the feedback entry value (a JMESPath expression).",
"type": "string"
}
}
}
},
"identifier": {
"description": "Identifier declares a JMESPath expression to extract a name from the payload.",
"type": [
28 changes: 28 additions & 0 deletions .schemas/json/validatingpolicylist-json-v1alpha1.json
Expand Up @@ -440,6 +440,34 @@
}
}
},
"feedback": {
"description": "Feedback declares rule feedback entries.",
"type": [
"array",
"null"
],
"items": {
"description": "Feedback contains a feedback entry.",
"type": [
"object",
"null"
],
"required": [
"name",
"value"
],
"properties": {
"name": {
"description": "Name is the feedback entry name.",
"type": "string"
},
"value": {
"description": "Value is the feedback entry value (a JMESPath expression).",
"type": "string"
}
}
}
},
"identifier": {
"description": "Identifier declares a JMESPath expression to extract a name from the payload.",
"type": [
2 changes: 1 addition & 1 deletion .schemas/openapi/v2/schema.json


2 changes: 1 addition & 1 deletion .schemas/openapi/v3/apis/json.kyverno.io/v1alpha1.json


9 changes: 5 additions & 4 deletions Makefile
Expand Up @@ -239,9 +239,9 @@ codegen-docs: codegen-api-docs codegen-cli-docs codegen-jp-docs codegen-catalog
.PHONY: codegen-mkdocs
codegen-mkdocs: codegen-docs ## Generate mkdocs website
@echo Generate mkdocs website... >&2
@$(PIP) install mkdocs
@$(PIP) install --upgrade pip
@$(PIP) install -U mkdocs-material mkdocs-redirects mkdocs-minify-plugin mkdocs-include-markdown-plugin lunr mkdocs-rss-plugin mike
@PIP_BREAK_SYSTEM_PACKAGES=1 $(PIP) install mkdocs
@PIP_BREAK_SYSTEM_PACKAGES=1 $(PIP) install --upgrade pip
@PIP_BREAK_SYSTEM_PACKAGES=1 $(PIP) install -U mkdocs-material mkdocs-redirects mkdocs-minify-plugin mkdocs-include-markdown-plugin lunr mkdocs-rss-plugin mike
@mkdocs build -f ./website/mkdocs.yaml

.PHONY: codegen-schemas-openapi
Expand All @@ -261,7 +261,8 @@ codegen-schemas-openapi: $(KIND) $(HELM) ## Generate openapi schemas (v2 and v3)

.PHONY: codegen-schemas-json
codegen-schemas-json: codegen-schemas-openapi ## Generate json schemas
@$(PIP) install openapi2jsonschema --no-build-isolation
@PIP_BREAK_SYSTEM_PACKAGES=1 $(PIP) install -U pip setuptools
@PIP_BREAK_SYSTEM_PACKAGES=1 $(PIP) install openapi2jsonschema --no-build-isolation
@rm -rf ./.schemas/json
@openapi2jsonschema ./.schemas/openapi/v2/schema.json --kubernetes --stand-alone --expanded -o ./.schemas/json

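Review bot: `PIP_BREAK_SYSTEM_PACKAGES=1` on every install line of both hunks (`codegen-mkdocs` and `codegen-schemas-json`) switches off the interpreter's externally-managed-environment guard and then installs unpinned latest versions (`install -U ...`) straight into the system site-packages, so the docs and schema toolchain is whatever the index serves on the day the target runs. The guard exists to keep a distribution-managed Python intact; silencing it is a workaround rather than a fix. Creating a virtual environment inside the target (`python3 -m venv .venv` and then installing with `.venv/bin/pip`) removes the need for the override, and pinning the package versions (a `requirements.txt` with `==` pins, ideally with `--require-hashes`) makes the generated schemas reproducible across machines. In `codegen-mkdocs` the `pip install --upgrade pip` line also runs after the first `mkdocs` install; running the pip upgrade first would avoid installing with the older resolver.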
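--- a/pkg/apis/policy/v1alpha1/feedback.go
+++ b/pkg/apis/policy/v1alpha1/feedback.go
@@ -0,0 +1,10 @@
+package v1alpha1
+
+// Feedback contains a feedback entry.
+type Feedback struct {
+	// Name is the feedback entry name.
+	Name string `json:"name"`
+
+	// Value is the feedback entry value (a JMESPath expression).
+	Value string `json:"value"`
+}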
4 changes: 4 additions & 0 deletions pkg/apis/policy/v1alpha1/validating_rule.go
Expand Up @@ -22,6 +22,10 @@ type ValidatingRule struct {
// +optional
Identifier string `json:"identifier,omitempty"`

// Feedback declares rule feedback entries.
// +optional
Feedback []Feedback `json:"feedback,omitempty"`

// Assert is used to validate matching resources.
Assert *Assert `json:"assert"`
}
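Review bot: The new `Feedback []Feedback` field carries only `// +optional`, so the CRD schema generated from it (the `.crds` and `pkg/data/crds` yaml in this commit) accepts two entries with the same `name`, and the engine's `map[string]Feedback` in `pkg/json-engine/engine.go` then keeps only the last one without any signal to the policy author. Adding `// +listType=map` and `// +listMapKey=name` above the field makes `name` a map key in the generated schema, so duplicates are refused by the API server at admission instead of being silently collapsed at evaluation time. The same markers would also be picked up by the regenerated JSON schemas under `.schemas/json`. The enclosing `ValidatingRule` struct begins above the hunk.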
21 changes: 21 additions & 0 deletions pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go


17 changes: 17 additions & 0 deletions pkg/data/crds/json.kyverno.io_validatingpolicies.yaml
Expand Up @@ -122,6 +122,23 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: array
type: object
feedback:
description: Feedback declares rule feedback entries.
items:
description: Feedback contains a feedback entry.
properties:
name:
description: Name is the feedback entry name.
type: string
value:
description: Value is the feedback entry value (a JMESPath
expression).
type: string
required:
- name
- value
type: object
type: array
identifier:
description: Identifier declares a JMESPath expression to extract
a name from the payload.
24 changes: 24 additions & 0 deletions pkg/json-engine/engine.go
Expand Up @@ -34,10 +34,16 @@ type RuleResponse struct {
Rule v1alpha1.ValidatingRule
Timestamp time.Time
Identifier string
Feedback map[string]Feedback
Error error
Violations matching.Results
}

type Feedback struct {
Error error
Value any
}

// PolicyResult specifies state of a policy result
type PolicyResult string

Expand Down Expand Up @@ -103,19 +109,37 @@ func New() engine.Engine[Request, Response] {
return nil
}
}
var feedback map[string]Feedback
for _, f := range r.rule.Feedback {
result, err := template.Execute(context.Background(), f.Value, r.resource, bindings)
if feedback == nil {
feedback = map[string]Feedback{}
}
if err != nil {
feedback[f.Name] = Feedback{
Error: err,
}
} else {
feedback[f.Name] = Feedback{
Value: result,
}
}
}
violations, err := matching.MatchAssert(ctx, nil, r.rule.Assert, r.resource, bindings)
if err != nil {
return []RuleResponse{{
Rule: r.rule,
Timestamp: time.Now(),
Identifier: identifier,
Feedback: feedback,
Error: err,
}}
}
return []RuleResponse{{
Rule: r.rule,
Timestamp: time.Now(),
Identifier: identifier,
Feedback: feedback,
Violations: violations,
}}
})
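Review bot: The feedback loop in the second hunk calls `template.Execute(context.Background(), f.Value, r.resource, bindings)` even though the `ctx` that the same closure hands to `matching.MatchAssert` a few lines below is in scope, so feedback evaluation ignores the caller's cancellation and deadline while the assertion right after it honours them; use `result, err := template.Execute(ctx, f.Value, r.resource, bindings)`. The exported `Feedback` struct added in the first hunk has no doc comment on the type or on `Error` and `Value`; a comment such as `// Feedback holds the result of evaluating one rule feedback entry: Value on success, Error otherwise.` would record the either/or contract the loop establishes. The `if feedback == nil` initialisation could also be hoisted above the loop as a `len(r.rule.Feedback) > 0` guard, which keeps the nil map for rules without feedback while avoiding the per-iteration check. The closure returned from `New` starts and ends outside the hunk.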
15 changes: 15 additions & 0 deletions website/docs/apis/kyverno-json.v1alpha1.md
Expand Up @@ -98,6 +98,20 @@ auto_generated: true
| `name` | `string` | :white_check_mark: | | <p>Name is the entry name.</p> |
| `variable` | [`Any`](#json-kyverno-io-v1alpha1-Any) | | | <p>Variable defines an arbitrary variable.</p> |

## `Feedback` {#json-kyverno-io-v1alpha1-Feedback}

**Appears in:**

- [ValidatingRule](#json-kyverno-io-v1alpha1-ValidatingRule)

<p>Feedback contains a feedback entry.</p>


| Field | Type | Required | Inline | Description |
|---|---|---|---|---|
| `name` | `string` | :white_check_mark: | | <p>Name is the feedback entry name.</p> |
| `value` | `string` | :white_check_mark: | | <p>Value is the feedback entry value (a JMESPath expression).</p> |

## `Match` {#json-kyverno-io-v1alpha1-Match}

**Appears in:**
Expand Down Expand Up @@ -141,6 +155,7 @@ auto_generated: true
| `match` | [`Match`](#json-kyverno-io-v1alpha1-Match) | | | <p>Match defines when this policy rule should be applied.</p> |
| `exclude` | [`Match`](#json-kyverno-io-v1alpha1-Match) | | | <p>Exclude defines when this policy rule should not be applied.</p> |
| `identifier` | `string` | | | <p>Identifier declares a JMESPath expression to extract a name from the payload.</p> |
| `feedback` | [`[]Feedback`](#json-kyverno-io-v1alpha1-Feedback) | | | <p>Feedback declares rule feedback entries.</p> |
| `assert` | [`Assert`](#json-kyverno-io-v1alpha1-Assert) | :white_check_mark: | | <p>Assert is used to validate matching resources.</p> |

