package processor
import (
"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/policy/annotations"
"github.com/kyverno/kyverno/pkg/autogen"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
"k8s.io/api/admissionregistration/v1alpha1"
)
// ResultCounts holds the running tally of rule outcomes, one counter per
// outcome bucket. The zero value is ready to use. The counters are
// unexported, so code outside this package reads them through the accessor
// methods and can only add to the error bucket through IncrementError.
type ResultCounts struct {
	pass, fail, warn, err, skip int
}

// Pass returns the number of outcomes recorded as passed.
func (rc ResultCounts) Pass() int {
	return rc.pass
}

// Fail returns the number of outcomes recorded as failed.
func (rc ResultCounts) Fail() int {
	return rc.fail
}

// Warn returns the number of outcomes recorded as warnings.
func (rc ResultCounts) Warn() int {
	return rc.warn
}

// Error returns the number of outcomes recorded as errors. It returns an int,
// so ResultCounts does not implement the built-in error interface.
func (rc ResultCounts) Error() int {
	return rc.err
}

// Skip returns the number of outcomes recorded as skipped.
func (rc ResultCounts) Skip() int {
	return rc.skip
}

// IncrementError adds inc to the error counter. inc is applied as given; no
// sign or range check is made.
func (rc *ResultCounts) IncrementError(inc int) {
	rc.err = rc.err + inc
}
// addEngineResponses tallies every response in responses, in order, by handing
// each one to addEngineResponse together with the same auditWarn setting.
func (rc *ResultCounts) addEngineResponses(auditWarn bool, responses ...engineapi.EngineResponse) {
	for i := range responses {
		rc.addEngineResponse(auditWarn, responses[i])
	}
}
// addEngineResponse folds the rule outcomes of a single engine response into
// the counters.
//
// Empty responses and responses whose policy is a ValidatingAdmissionPolicy
// are ignored. For the remaining ones, every computed rule that has a
// validate, verifyImageChecks or verifyImages section is matched by name
// against the rule responses, and each match increments exactly one counter
// according to its status.
//
// A failed rule is not always counted as a failure: it is counted as a
// warning when the policy is not scored (per annotations.Scored), or when
// auditWarn is set and the response's validation failure action is audit.
// A consumer that looks only at Fail() therefore does not see those
// failures; they show up in Warn().
func (rc *ResultCounts) addEngineResponse(auditWarn bool, response engineapi.EngineResponse) {
	if response.IsEmpty() {
		return
	}
	genericPolicy := response.Policy()
	if genericPolicy.GetType() == engineapi.ValidatingAdmissionPolicyType {
		return
	}
	kyvernoPolicy := genericPolicy.AsKyvernoPolicy()
	isScored := annotations.Scored(kyvernoPolicy.GetAnnotations())
	for _, policyRule := range autogen.ComputeRules(kyvernoPolicy, "") {
		// Only validation-style rules are tallied here.
		if !(policyRule.HasValidate() || policyRule.HasVerifyImageChecks() || policyRule.HasVerifyImages()) {
			continue
		}
		for _, ruleResponse := range response.PolicyResponse.Rules {
			if policyRule.Name != ruleResponse.Name() {
				continue
			}
			switch ruleResponse.Status() {
			case engineapi.RuleStatusPass:
				rc.pass++
			case engineapi.RuleStatusFail:
				// The audit check is only evaluated for scored policies
				// and only when auditWarn is set.
				if !isScored || (auditWarn && response.GetValidationFailureAction().Audit()) {
					rc.warn++
				} else {
					rc.fail++
				}
			case engineapi.RuleStatusError:
				rc.err++
			case engineapi.RuleStatusWarn:
				rc.warn++
			case engineapi.RuleStatusSkip:
				rc.skip++
			}
			// Any status not listed above leaves the counters unchanged.
		}
	}
}
// addGenerateResponse tallies the rule outcomes of one engine response for
// the generate path.
//
// Responses whose policy is a ValidatingAdmissionPolicy are ignored. Each rule
// response whose name matches a computed rule is counted as a pass when its
// status is pass. Every other status is counted as a warning when auditWarn
// is set and the response's validation failure action is audit, and as a
// failure otherwise.
//
// resPath is not used by this method.
//
// NOTE(review): skip and error statuses are not separated out here, unlike in
// addMutateResponse; they land in the warn/fail buckets. Confirm that this is
// intended.
func (rc *ResultCounts) addGenerateResponse(auditWarn bool, resPath string, response engineapi.EngineResponse) {
	genericPolicy := response.Policy()
	if genericPolicy.GetType() == engineapi.ValidatingAdmissionPolicyType {
		return
	}
	kyvernoPolicy := genericPolicy.AsKyvernoPolicy()
	for _, rule := range autogen.ComputeRules(kyvernoPolicy, "") {
		for _, ruleResp := range response.PolicyResponse.Rules {
			if rule.Name != ruleResp.Name() {
				continue
			}
			switch {
			case ruleResp.Status() == engineapi.RuleStatusPass:
				rc.pass++
			case auditWarn && response.GetValidationFailureAction().Audit():
				rc.warn++
			default:
				rc.fail++
			}
		}
	}
}
// addMutateResponse tallies the rule outcomes of one engine response for the
// mutate path and reports whether at least one matched rule passed.
//
// It returns false without counting anything when the policy is a
// ValidatingAdmissionPolicy or when none of its computed rules has a mutate
// section. Otherwise each rule response whose name matches a computed rule is
// counted as pass, skip or error according to its status, and any other
// status is counted as a failure.
//
// resourcePath is not used by this method.
func (rc *ResultCounts) addMutateResponse(resourcePath string, response engineapi.EngineResponse) bool {
	genericPolicy := response.Policy()
	if genericPolicy.GetType() == engineapi.ValidatingAdmissionPolicyType {
		return false
	}
	kyvernoPolicy := genericPolicy.AsKyvernoPolicy()

	hasMutate := false
	for _, rule := range autogen.ComputeRules(kyvernoPolicy, "") {
		if rule.HasMutate() {
			hasMutate = true
		}
	}
	if !hasMutate {
		return false
	}

	// Matching below is by rule name only; it is not restricted to the rules
	// that have a mutate section.
	anyPassed := false
	for _, rule := range autogen.ComputeRules(kyvernoPolicy, "") {
		for _, ruleResp := range response.PolicyResponse.Rules {
			if rule.Name != ruleResp.Name() {
				continue
			}
			switch ruleResp.Status() {
			case engineapi.RuleStatusPass:
				rc.pass++
				anyPassed = true
			case engineapi.RuleStatusSkip:
				rc.skip++
			case engineapi.RuleStatusError:
				rc.err++
			default:
				rc.fail++
			}
		}
	}
	return anyPassed
}
// addValidatingAdmissionResponse tallies the rule outcomes of an engine
// response produced for a ValidatingAdmissionPolicy.
//
// Each rule response is counted as pass, fail or error according to its
// status; any other status leaves the counters unchanged. There is no
// scored or audit downgrade on this path, so a failed rule always counts as a
// failure.
//
// vap is not used by this method.
func (rc *ResultCounts) addValidatingAdmissionResponse(vap v1alpha1.ValidatingAdmissionPolicy, engineResponse engineapi.EngineResponse) {
	for _, ruleResponse := range engineResponse.PolicyResponse.Rules {
		switch ruleResponse.Status() {
		case engineapi.RuleStatusPass:
			rc.pass++
		case engineapi.RuleStatusFail:
			rc.fail++
		case engineapi.RuleStatusError:
			rc.err++
		}
	}
}