feat: add exception logic #5712
Conversation
Codecov Report
@@ Coverage Diff @@
## main #5712 +/- ##
==========================================
- Coverage 34.62% 34.62% -0.01%
==========================================
Files 190 190
Lines 21080 21106 +26
==========================================
+ Hits 7300 7307 +7
- Misses 12970 12986 +16
- Partials 810 813 +3
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
|
Looks good to me. |
pkg/engine/background.go
Outdated
| if err == nil && exception != nil { | ||
| key, err := cache.MetaNamespaceKeyFunc(exception) | ||
| logger := logging.WithName("exception") | ||
| // TODO: increase metrics |
There was a problem hiding this comment.
what does those comment mean? do we need to increment the rule metrics or something else?
There was a problem hiding this comment.
This is recommended by @eddycharly .
I assume this is to instrument the triggered exception count.
cc: @eddycharly Pls fix me if I'm understanding wrong, or anything you'd like to point out.
pkg/engine/background.go
Outdated
| // check if there is a corresponding policy exception | ||
| exception, err := matchesException(policyContext, &rule) | ||
| // if we found an exception | ||
| if err == nil && exception != nil { |
There was a problem hiding this comment.
can we make the handling of the exception reusable for all the rule types? Currently we are duplicating the same 15-20 lines of code in each.
There was a problem hiding this comment.
Yeah, that sounds good. So I extracted the logic to a separate function shouldRespondException. Will that be good?
pkg/engine/background.go
Outdated
| logger := logging.WithName("exception") | ||
| // TODO: increase metrics | ||
| if err != nil { | ||
| logger.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) |
There was a problem hiding this comment.
We need to report a rule error in this case.
There was a problem hiding this comment.
Sounds good! Updated with a RuleResponse returned( assume:Status: response.RuleStatusError). Will that be good?
pkg/engine/background.go
Outdated
| logger.V(3).Info("policy rule skipped due to policy exception", "exception", key) | ||
| return &response.RuleResponse{ | ||
| Name: rule.Name, | ||
| Message: "Rule skipped because of PolicyException" + key, |
There was a problem hiding this comment.
Can we make the text lower case? `rule skipped due to policy exception " + key
There was a problem hiding this comment.
Yeah, sounds good!
Eileen-Yu
force-pushed
the
feat/apply-exception-logic
branch
from
d760469
to
60c244a
Compare
pkg/engine/validation.go
Outdated
| log.Error(err, "failed to compute policy exception key", "namespace", exception.GetNamespace(), "name", exception.GetName()) | ||
| return &response.RuleResponse{ | ||
| Name: rule.Name, | ||
| Message: "failed to find matched exception" + key, |
There was a problem hiding this comment.
needs a space after "...exception" before we + key
There was a problem hiding this comment.
Thx for letting me know 👍
pkg/engine/validation.go
Outdated
| // if we found an exception | ||
| if err == nil && exception != nil { | ||
| key, err := cache.MetaNamespaceKeyFunc(exception) | ||
| // TODO: increase metrics |
There was a problem hiding this comment.
remove as we are returning an error which counts in the metrics
pkg/engine/validation.go
Outdated
| @@ -800,3 +788,29 @@ func matchesException(policyContext *PolicyContext, rule *kyvernov1.Rule) (*kyve | |||
| } | |||
| return nil, nil | |||
| } | |||
|
|
|||
| func shouldRespondException(ctx *PolicyContext, rule *kyvernov1.Rule, log logr.Logger) *response.RuleResponse { | |||
There was a problem hiding this comment.
rename to hasPolicyExceptions
pkg/engine/validation.go
Outdated
| log.V(3).Info("policy rule skipped due to policy exception", "exception", key) | ||
| return &response.RuleResponse{ | ||
| Name: rule.Name, | ||
| Message: "rule skipped due to policy exception" + key, |
There was a problem hiding this comment.
missing space after "....exception"
pkg/engine/validation.go
Outdated
| @@ -800,3 +788,29 @@ func matchesException(policyContext *PolicyContext, rule *kyvernov1.Rule) (*kyve | |||
| } | |||
| return nil, nil | |||
| } | |||
|
|
|||
| func shouldRespondException(ctx *PolicyContext, rule *kyvernov1.Rule, log logr.Logger) *response.RuleResponse { | |||
There was a problem hiding this comment.
change return to (bool, *response.RuleResponse)
There was a problem hiding this comment.
If it returns true then we process the response. Otherwise, we expect a nil response.
There was a problem hiding this comment.
As discussed in channel, comment has been added to make it clear.
Signed-off-by: Eileen Yu <eileenylj@gmail.com>
Eileen-Yu
force-pushed
the
feat/apply-exception-logic
branch
from
60c244a
to
c90823b
Compare
Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: Md Sahil <Mohdssahil1@gmail.com>
Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>
Signed-off-by: Eileen Yu <eileenylj@gmail.com> Signed-off-by: Eileen Yu <eileenylj@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: MdSahil-oss <Mohdssahil1@gmail.com>
Signed-off-by: Eileen Yu eileenylj@gmail.com
Explanation
Add policy exception logic to:
Related issue
#2627
Milestone of this PR
What type of PR is this
Proposed Changes
Proof Manifests
Checklist
Further Comments