INS-1699: insights is overriding Kyverno policies annotations (#294)

* INS-1699: insights is overriding Kyverno policies annotations

* INS-1699: insights is overriding Kyverno policies annotations

* INS-1699: insights is overriding Kyverno policies annotations

* INS-1699: insights is overriding Kyverno policies annotations

Author: jdesouza

pkg/kyverno/kyverno.go

@@ -290,20 +290,54 @@ func readPolicyFromFile(filePath string) (KyvernoPolicy, error) {
 		return KyvernoPolicy{}, fmt.Errorf("failed to parse YAML in policy file %s: %w", filePath, err)
 	}
 
-	// Extract name from metadata if not set
-	if policy.Name == "" {
-		// Parse YAML to extract metadata.name
-		var yamlData map[string]interface{}
-		err = yaml.Unmarshal(fileContents, &yamlData)
-		if err != nil {
-			return KyvernoPolicy{}, fmt.Errorf("failed to parse YAML metadata in policy file %s: %w", filePath, err)
+	var yamlData map[string]interface{}
+	err = yaml.Unmarshal(fileContents, &yamlData)
+	if err != nil {
+		return KyvernoPolicy{}, fmt.Errorf("failed to parse YAML metadata in policy file %s: %w", filePath, err)
+	}
+
+	if metadata, ok := yamlData["metadata"].(map[string]interface{}); ok {
+		// Store the full metadata object to preserve any additional fields
+		policy.Metadata = make(map[string]any)
+		for k, v := range metadata {
+			policy.Metadata[k] = v
 		}
 
-		if metadata, ok := yamlData["metadata"].(map[string]interface{}); ok {
+		// Extract name if not set
+		if policy.Name == "" {
 			if name, ok := metadata["name"].(string); ok {
 				policy.Name = name
 			}
 		}
+
+		// Extract namespace if present
+		if namespace, ok := metadata["namespace"].(string); ok {
+			policy.Namespace = namespace
+		}
+
+		// Extract labels if present
+		if labels, ok := metadata["labels"].(map[string]interface{}); ok {
+			policy.Labels = make(map[string]any)
+			for k, v := range labels {
+				policy.Labels[k] = v
+			}
+		}
+
+		// Extract annotations if present
+		if annotations, ok := metadata["annotations"].(map[string]interface{}); ok {
+			policy.Annotations = make(map[string]any)
+			for k, v := range annotations {
+				policy.Annotations[k] = v
+			}
+		}
+	}
+
+	// Extract status if present (at the top level)
+	if status, ok := yamlData["status"].(map[string]interface{}); ok {
+		policy.Status = make(map[string]any)
+		for k, v := range status {
+			policy.Status[k] = v
+		}
 	}
 
 	return policy, nil

pkg/kyverno/kyverno_test.go

@@ -15,6 +15,8 @@
 package kyverno
 
 import (
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -201,3 +203,185 @@ func TestConvertPolicySpecToYAML(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "apiVersion: kyverno.io/v1\nkind: ClusterPolicy\nmetadata:\n  name: test-policy\nspec:\n  metadata:\n    name: test-policy", yaml)
 }
+
+func TestReadPolicyFromFileWithLabelsAndAnnotations(t *testing.T) {
+	// Create a temporary directory and file for testing
+	tmpDir := t.TempDir()
+	policyContent := `apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: policy-with-metadata
+  labels:
+    app: my-app
+    environment: production
+    team: security
+  annotations:
+    description: "This is a test policy with labels and annotations"
+    owner: platform-team
+spec:
+  validationFailureAction: enforce
+  background: true
+  rules:
+  - name: check-labels
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Labels are required"
+      pattern:
+        metadata:
+          labels:
+            app: "?*"
+`
+	policyFile := filepath.Join(tmpDir, "policy-with-metadata.yaml")
+	err := os.WriteFile(policyFile, []byte(policyContent), 0644)
+	assert.NoError(t, err)
+
+	policy, err := readPolicyFromFile(policyFile)
+	assert.NoError(t, err)
+
+	// Verify basic fields
+	assert.Equal(t, "policy-with-metadata", policy.Name)
+	assert.Equal(t, "ClusterPolicy", policy.Kind)
+	assert.Equal(t, "kyverno.io/v1", policy.APIVersion)
+
+	// Verify labels are extracted
+	assert.NotNil(t, policy.Labels)
+	assert.Equal(t, "my-app", policy.Labels["app"])
+	assert.Equal(t, "production", policy.Labels["environment"])
+	assert.Equal(t, "security", policy.Labels["team"])
+
+	// Verify annotations are extracted
+	assert.NotNil(t, policy.Annotations)
+	assert.Equal(t, "This is a test policy with labels and annotations", policy.Annotations["description"])
+	assert.Equal(t, "platform-team", policy.Annotations["owner"])
+
+	// Verify spec is extracted
+	assert.NotNil(t, policy.Spec)
+}
+
+func TestReadPolicyFromFileWithoutLabelsAndAnnotations(t *testing.T) {
+	policy, err := readPolicyFromFile("testdata/disallow-privileged.yaml")
+	assert.NoError(t, err)
+
+	// Verify basic fields
+	assert.Equal(t, "disallow-privileged", policy.Name)
+	assert.Equal(t, "Policy", policy.Kind)
+	assert.Equal(t, "kyverno.io/v1", policy.APIVersion)
+
+	// Labels and annotations should be nil or empty
+	assert.Empty(t, policy.Labels)
+	assert.Empty(t, policy.Annotations)
+
+	// Verify spec is extracted
+	assert.NotNil(t, policy.Spec)
+}
+
+func TestReadPolicyFromFileWithNamespaceAndFullMetadata(t *testing.T) {
+	// Create a temporary directory and file for testing
+	tmpDir := t.TempDir()
+	policyContent := `apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: namespaced-policy
+  namespace: my-namespace
+  labels:
+    app: test-app
+  annotations:
+    description: "A namespaced policy"
+  generateName: test-prefix-
+  finalizers:
+    - kyverno.io/finalizer
+spec:
+  validationFailureAction: enforce
+  background: true
+  rules:
+  - name: check-labels
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Labels are required"
+      pattern:
+        metadata:
+          labels:
+            app: "?*"
+`
+	policyFile := filepath.Join(tmpDir, "namespaced-policy.yaml")
+	err := os.WriteFile(policyFile, []byte(policyContent), 0644)
+	assert.NoError(t, err)
+
+	policy, err := readPolicyFromFile(policyFile)
+	assert.NoError(t, err)
+
+	// Verify basic fields
+	assert.Equal(t, "namespaced-policy", policy.Name)
+	assert.Equal(t, "Policy", policy.Kind)
+	assert.Equal(t, "kyverno.io/v1", policy.APIVersion)
+
+	// Verify namespace is extracted
+	assert.Equal(t, "my-namespace", policy.Namespace)
+
+	// Verify labels are extracted
+	assert.NotNil(t, policy.Labels)
+	assert.Equal(t, "test-app", policy.Labels["app"])
+
+	// Verify annotations are extracted
+	assert.NotNil(t, policy.Annotations)
+	assert.Equal(t, "A namespaced policy", policy.Annotations["description"])
+
+	// Verify full metadata is preserved (including generateName, finalizers, etc.)
+	assert.NotNil(t, policy.Metadata)
+	assert.Equal(t, "namespaced-policy", policy.Metadata["name"])
+	assert.Equal(t, "my-namespace", policy.Metadata["namespace"])
+	assert.Equal(t, "test-prefix-", policy.Metadata["generateName"])
+
+	// Check finalizers are preserved
+	finalizers, ok := policy.Metadata["finalizers"].([]interface{})
+	assert.True(t, ok, "finalizers should be a slice")
+	assert.Len(t, finalizers, 1)
+	assert.Equal(t, "kyverno.io/finalizer", finalizers[0])
+
+	// Verify spec is extracted
+	assert.NotNil(t, policy.Spec)
+}
+
+func TestToKyvernoPolicyInputPreservesAllFields(t *testing.T) {
+	policy := KyvernoPolicy{
+		Name:       "test-policy",
+		Kind:       "Policy",
+		APIVersion: "kyverno.io/v1",
+		Namespace:  "test-namespace",
+		Labels: map[string]any{
+			"app": "my-app",
+		},
+		Annotations: map[string]any{
+			"description": "Test policy",
+		},
+		Metadata: map[string]any{
+			"name":         "test-policy",
+			"namespace":    "test-namespace",
+			"generateName": "prefix-",
+		},
+		Spec: map[string]any{
+			"validationFailureAction": "enforce",
+		},
+	}
+
+	input := policy.ToKyvernoPolicyInput()
+
+	// Verify all fields are preserved
+	assert.Equal(t, "test-policy", input.Name)
+	assert.Equal(t, "Policy", input.Kind)
+	assert.Equal(t, "kyverno.io/v1", input.APIVersion)
+	assert.Equal(t, "test-namespace", input.Namespace)
+	assert.Equal(t, "my-app", input.Labels["app"])
+	assert.Equal(t, "Test policy", input.Annotations["description"])
+	assert.NotNil(t, input.Metadata)
+	assert.Equal(t, "prefix-", input.Metadata["generateName"])
+	assert.NotNil(t, input.Spec)
+}

pkg/kyverno/types.go

@@ -28,8 +28,10 @@ type KyvernoPolicy struct {
 	Name              string         `json:"name" yaml:"metadata.name"`
 	Kind              string         `json:"kind" yaml:"kind"`
 	APIVersion        string         `json:"apiVersion" yaml:"apiVersion"`
+	Namespace         string         `json:"namespace,omitempty" yaml:"metadata.namespace"`
 	Labels            map[string]any `json:"labels,omitempty" yaml:"metadata.labels"`
 	Annotations       map[string]any `json:"annotations,omitempty" yaml:"metadata.annotations"`
+	Metadata          map[string]any `json:"metadata,omitempty" yaml:"metadata"` // Full metadata for any additional fields
 	Spec              map[string]any `json:"spec" yaml:"spec"`
 	Status            map[string]any `json:"status,omitempty"`
 	ManagedByInsights *bool          `json:"managedByInsights,omitempty" yaml:"managedByInsights,omitempty"`
@@ -47,24 +49,42 @@ func (k KyvernoPolicy) GetYamlBytes() ([]byte, error) {
 
 // Helper function to convert a KyvernoPolicy spec to YAML string
 func convertPolicySpecToYAML(policy KyvernoPolicy) (string, error) {
-	// Create the full policy structure
-	policyMap := map[string]any{
-		"apiVersion": policy.APIVersion,
-		"kind":       policy.Kind,
-		"metadata": map[string]any{
-			"name": policy.Name,
-		},
-		"spec": policy.Spec,
+	// Start with the full metadata if available, otherwise create a new map
+	var metadata map[string]any
+	if len(policy.Metadata) > 0 {
+		// Deep copy the metadata to avoid modifying the original
+		metadata = make(map[string]any)
+		for k, v := range policy.Metadata {
+			metadata[k] = v
+		}
+	} else {
+		metadata = make(map[string]any)
+	}
+
+	// Ensure name is set in metadata
+	metadata["name"] = policy.Name
+
+	// Add namespace if set
+	if policy.Namespace != "" {
+		metadata["namespace"] = policy.Namespace
 	}
 
-	// Add labels and annotations if they exist and are not empty
+	// Add labels if they exist and are not empty
 	if len(policy.Labels) > 0 {
-		policyMap["metadata"].(map[string]any)["labels"] = policy.Labels
+		metadata["labels"] = policy.Labels
 	}
 
-	// Add existing annotations if they exist
+	// Add annotations if they exist
 	if len(policy.Annotations) > 0 {
-		policyMap["metadata"].(map[string]any)["annotations"] = policy.Annotations
+		metadata["annotations"] = policy.Annotations
+	}
+
+	// Create the full policy structure
+	policyMap := map[string]any{
+		"apiVersion": policy.APIVersion,
+		"kind":       policy.Kind,
+		"metadata":   metadata,
+		"spec":       policy.Spec,
 	}
 
 	// Add status only if it exists and is not null
@@ -181,8 +201,10 @@ type KyvernoPolicyInput struct {
 	Name              string            `json:"name"`
 	Kind              string            `json:"kind"`
 	APIVersion        string            `json:"apiVersion"`
+	Namespace         string            `json:"namespace,omitempty"`
 	Labels            map[string]string `json:"labels,omitempty"`
 	Annotations       map[string]string `json:"annotations,omitempty"`
+	Metadata          map[string]any    `json:"metadata,omitempty"` // Full metadata for any additional fields
 	Spec              map[string]any    `json:"spec"`
 	Status            *map[string]any   `json:"status,omitempty"`
 	ManagedByInsights *bool             `json:"managedByInsights,omitempty"`
@@ -222,8 +244,10 @@ func (k KyvernoPolicy) ToKyvernoPolicyInput() KyvernoPolicyInput {
 		Name:              k.Name,
 		Kind:              k.Kind,
 		APIVersion:        k.APIVersion,
+		Namespace:         k.Namespace,
 		Labels:            labels,
 		Annotations:       annotations,
+		Metadata:          k.Metadata,
 		Spec:              k.Spec,
 		Status:            status,
 		ManagedByInsights: k.ManagedByInsights,