Add support for the evaluation intervals (#39)

Relates:
stolostron/backlog#20030

Signed-off-by: mprahl <[email protected]>

Author: mprahl

docs/policygenerator-reference.yaml

@@ -25,6 +25,14 @@ policyDefaults:
   # manifests being wrapped in the policy. If set to false, a configuration policy per manifest will
   # be generated. This defaults to true.
   consolidateManifests: true
+  # Optional. This is how often a policy should be evaluated when in a particular compliance state.
+  # When managed clusters have low CPU resources, the evaluation interval can be increased to
+  # to reduce CPU usage on the Kubernetes API.
+  evaluationInterval:
+    # These are in the format of durations (e.g. "1h25m3s"). These can also be set to "never" to
+    # avoid evaluating the policy after it has become a particular compliance state.
+    compliant: 30m
+    noncompliant: 45s
   # Optional. When the policy references a Kyverno policy manifest, this determines if an additional
   # configuration policy should be generated in order to receive policy violations in Open Cluster
   # Management when the Kyverno policy has been violated. This defaults to true.
@@ -85,6 +93,8 @@ policies:
       - path: ""
         # Optional. (See policy[0].complianceType for description.)
         complianceType: "musthave"
+         # Optional. (See policyDefaults.evaluationInterval for description.)
+        evaluationInterval: {}
         # Optional. A Kustomize patch to apply to the manifest(s) at the path. If there
         # are multiple manifests, the patch requires the apiVersion, kind, metadata.name,
         # and metadata.namespace (if applicable) fields to be set so Kustomize
@@ -116,6 +126,8 @@ policies:
       - "CM-2 Baseline Configuration"
     # Optional. (See policyDefaults.disabled for description.)
     disabled: false
+    # Optional. (See policyDefaults.evaluationInterval for description.)
+    evaluationInterval: {}
     # Optional. (See policyDefaults.informKyvernoPolicies for description.)
     informKyvernoPolicies: true
     # Optional. (See policyDefaults.consolidateManifests for description.)

internal/plugin.go

@@ -9,6 +9,7 @@ import (
 	"path/filepath"
 	"sort"
 	"strings"
+	"time"
 
 	"github.com/stolostron/policy-generator-plugin/internal/types"
 	"gopkg.in/yaml.v3"
@@ -222,23 +223,85 @@ func getDefaultBool(config map[string]interface{}, key string) (value bool, set
 func getPolicyBool(
 	config map[string]interface{}, policyIndex int, key string,
 ) (value bool, set bool) {
+	policy := getPolicy(config, policyIndex)
+	if policy == nil {
+		return false, false
+	}
+
+	value, set = policy[key].(bool)
+
+	return
+}
+
+// getPolicy will return a policy at the specified index in the Policy Generator configuration YAML.
+func getPolicy(config map[string]interface{}, policyIndex int) map[string]interface{} {
 	policies, ok := config["policies"].([]interface{})
 	if !ok {
-		return false, false
+		return nil
 	}
 
 	if len(policies)-1 < policyIndex {
-		return false, false
+		return nil
 	}
 
 	policy, ok := policies[policyIndex].(map[string]interface{})
 	if !ok {
-		return false, false
+		return nil
 	}
 
-	value, set = policy[key].(bool)
+	return policy
+}
 
-	return
+// getEvaluationInterval will return the evaluation interval of specified policy in the Policy Generator configuration
+// YAML.
+func isEvaluationIntervalSet(config map[string]interface{}, policyIndex int, complianceType string) bool {
+	policy := getPolicy(config, policyIndex)
+	if policy == nil {
+		return false
+	}
+
+	evaluationInterval, ok := policy["evaluationInterval"].(map[string]interface{})
+	if !ok {
+		return false
+	}
+
+	_, set := evaluationInterval[complianceType].(string)
+
+	return set
+}
+
+// isEvaluationIntervalSetManifest will return the evaluation interval of the specified manifest of the specified policy
+// in the Policy Generator configuration YAML.
+func isEvaluationIntervalSetManifest(
+	config map[string]interface{}, policyIndex int, manifestIndex int, complianceType string,
+) bool {
+	policy := getPolicy(config, policyIndex)
+	if policy == nil {
+		return false
+	}
+
+	manifests, ok := policy["manifests"].([]interface{})
+	if !ok {
+		return false
+	}
+
+	if len(manifests)-1 < manifestIndex {
+		return false
+	}
+
+	manifest, ok := manifests[manifestIndex].(map[string]interface{})
+	if !ok {
+		return false
+	}
+
+	evaluationInterval, ok := manifest["evaluationInterval"].(map[string]interface{})
+	if !ok {
+		return false
+	}
+
+	_, set := evaluationInterval[complianceType].(string)
+
+	return set
 }
 
 // applyDefaults applies any missing defaults under Policy.PlacementBindingDefaults,
@@ -333,6 +396,21 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.Controls = p.PolicyDefaults.Controls
 		}
 
+		// Only use the policyDefault evaluationInterval value when it's not explicitly set on the policy.
+		if policy.EvaluationInterval.Compliant == "" {
+			set := isEvaluationIntervalSet(unmarshaledConfig, i, "compliant")
+			if !set {
+				policy.EvaluationInterval.Compliant = p.PolicyDefaults.EvaluationInterval.Compliant
+			}
+		}
+
+		if policy.EvaluationInterval.NonCompliant == "" {
+			set := isEvaluationIntervalSet(unmarshaledConfig, i, "noncompliant")
+			if !set {
+				policy.EvaluationInterval.NonCompliant = p.PolicyDefaults.EvaluationInterval.NonCompliant
+			}
+		}
+
 		if policy.PolicySets == nil {
 			policy.PolicySets = p.PolicyDefaults.PolicySets
 		}
@@ -409,9 +487,32 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.Standards = p.PolicyDefaults.Standards
 		}
 
-		for i := range policy.Manifests {
-			if policy.Manifests[i].ComplianceType == "" {
-				policy.Manifests[i].ComplianceType = policy.ComplianceType
+		for j := range policy.Manifests {
+			manifest := &policy.Manifests[j]
+
+			if manifest.ComplianceType == "" {
+				manifest.ComplianceType = policy.ComplianceType
+			}
+
+			// If the manifests are consolidated to a single ConfigurationPolicy object, don't set
+			// the evaluation interval per manifest.
+			if policy.ConsolidateManifests {
+				continue
+			}
+
+			// Only use the policy's evaluationInterval value when it's not explicitly set in the manifest.
+			if manifest.EvaluationInterval.Compliant == "" {
+				set := isEvaluationIntervalSetManifest(unmarshaledConfig, i, j, "compliant")
+				if !set {
+					manifest.EvaluationInterval.Compliant = policy.EvaluationInterval.Compliant
+				}
+			}
+
+			if manifest.EvaluationInterval.NonCompliant == "" {
+				set := isEvaluationIntervalSetManifest(unmarshaledConfig, i, j, "noncompliant")
+				if !set {
+					manifest.EvaluationInterval.NonCompliant = policy.EvaluationInterval.NonCompliant
+				}
 			}
 		}
 
@@ -507,13 +608,33 @@ func (p *Plugin) assertValidConfig() error {
 				p.PolicyDefaults.Namespace, policy.Name)
 		}
 
+		if policy.EvaluationInterval.Compliant != "" && policy.EvaluationInterval.Compliant != "never" {
+			_, err := time.ParseDuration(policy.EvaluationInterval.Compliant)
+			if err != nil {
+				return fmt.Errorf(
+					"the policy %s has an invalid policy.evaluationInterval.compliant value: %w", policy.Name, err,
+				)
+			}
+		}
+
+		if policy.EvaluationInterval.NonCompliant != "" && policy.EvaluationInterval.NonCompliant != "never" {
+			_, err := time.ParseDuration(policy.EvaluationInterval.NonCompliant)
+			if err != nil {
+				return fmt.Errorf(
+					"the policy %s has an invalid policy.evaluationInterval.noncompliant value: %w", policy.Name, err,
+				)
+			}
+		}
+
 		if len(policy.Manifests) == 0 {
 			return fmt.Errorf(
 				"each policy must have at least one manifest, but found none in policy %s", policy.Name,
 			)
 		}
 
-		for _, manifest := range policy.Manifests {
+		for j := range policy.Manifests {
+			manifest := &policy.Manifests[j]
+
 			if manifest.Path == "" {
 				return fmt.Errorf(
 					"each policy manifest entry must have path set, but did not find a path in policy %s",
@@ -532,6 +653,40 @@ func (p *Plugin) assertValidConfig() error {
 			if err != nil {
 				return err
 			}
+
+			evalInterval := &manifest.EvaluationInterval
+			if policy.ConsolidateManifests && (evalInterval.Compliant != "" || evalInterval.NonCompliant != "") {
+				return fmt.Errorf(
+					"the policy %s has the evaluationInterval value set on manifest[%d] but "+
+						"consolidateManifests is true",
+					policy.Name,
+					j,
+				)
+			}
+
+			if evalInterval.Compliant != "" && evalInterval.Compliant != "never" {
+				_, err := time.ParseDuration(evalInterval.Compliant)
+				if err != nil {
+					return fmt.Errorf(
+						"the policy %s has an invalid policy.evaluationInterval.manifest[%d].compliant value: %w",
+						policy.Name,
+						j,
+						err,
+					)
+				}
+			}
+
+			if evalInterval.NonCompliant != "" && evalInterval.NonCompliant != "never" {
+				_, err := time.ParseDuration(evalInterval.NonCompliant)
+				if err != nil {
+					return fmt.Errorf(
+						"the policy %s has an invalid policy.evaluationInterval.manifest[%d].noncompliant value: %w",
+						policy.Name,
+						j,
+						err,
+					)
+				}
+			}
 		}
 
 		// Validate policy Placement settings

internal/plugin_config_test.go

@@ -653,6 +653,117 @@ policies:
 	assertEqual(t, err.Error(), expected)
 }
 
+func TestConfigInvalidEvalInterval(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+
+	tests := []struct {
+		// Individual values can't be used for compliant/noncompliant since an empty string means
+		// to not inherit from the policy defaults.
+		defaultEvalInterval  string
+		policyEvalInterval   string
+		manifestEvalInterval string
+		expectedMsg          string
+	}{
+		{
+			`{"compliant": "not a duration"}`,
+			"",
+			"",
+			`the policy policy-app has an invalid policy.evaluationInterval.compliant value: time: invalid duration ` +
+				`"not a duration"`,
+		},
+		{
+			`{"noncompliant": "not a duration"}`,
+			"",
+			"",
+			`the policy policy-app has an invalid policy.evaluationInterval.noncompliant value: time: invalid ` +
+				`duration "not a duration"`,
+		},
+		{
+			"",
+			`{"compliant": "not a duration"}`,
+			"",
+			`the policy policy-app has an invalid policy.evaluationInterval.compliant value: time: invalid duration ` +
+				`"not a duration"`,
+		},
+		{
+			"",
+			`{"noncompliant": "not a duration"}`,
+			"",
+			`the policy policy-app has an invalid policy.evaluationInterval.noncompliant value: time: invalid ` +
+				`duration "not a duration"`,
+		},
+		{
+			"",
+			"",
+			`{"compliant": "not a duration"}`,
+			`the policy policy-app has the evaluationInterval value set on manifest[0] but consolidateManifests is ` +
+				`true`,
+		},
+		{
+			"",
+			"",
+			`{"noncompliant": "not a duration"}`,
+			`the policy policy-app has the evaluationInterval value set on manifest[0] but consolidateManifests is ` +
+				`true`,
+		},
+		{
+			"",
+			`{"compliant": "10d5h1m"}`,
+			"",
+			`the policy policy-app has an invalid policy.evaluationInterval.compliant value: time: unknown unit "d" ` +
+				`in duration "10d5h1m"`,
+		},
+		{
+			"",
+			`{"noncompliant": "1w2d"}`,
+			"",
+			`the policy policy-app has an invalid policy.evaluationInterval.noncompliant value: time: unknown unit ` +
+				`"w" in duration "1w2d"`,
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+
+		t.Run(
+			fmt.Sprintf("expected=%s", test.expectedMsg),
+			func(t *testing.T) {
+				t.Parallel()
+				config := fmt.Sprintf(`
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+  name: policy-generator-name
+policyDefaults:
+  namespace: my-policies
+  evaluationInterval: %s
+policies:
+- name: policy-app
+  evaluationInterval: %s
+  manifests:
+    - path: %s
+      evaluationInterval: %s
+`,
+					test.defaultEvalInterval,
+					test.policyEvalInterval,
+					path.Join(tmpDir, "configmap.yaml"),
+					test.manifestEvalInterval,
+				)
+
+				p := Plugin{}
+				err := p.Config([]byte(config), tmpDir)
+				if err == nil {
+					t.Fatal("Expected an error but did not get one")
+				}
+
+				assertEqual(t, err.Error(), test.expectedMsg)
+			},
+		)
+	}
+}
+
 func TestConfigNoManifests(t *testing.T) {
 	t.Parallel()
 	const config = `