Add support for automatically informing on Kyverno policy violations

By default, when a manifest includes a Kyverno policy, an additional
configuration policy will get generated to inform on Kyverno policy
violations in Open Cluster Management.

Co-authored-by: Dale Haiducek <[email protected]>
Signed-off-by: mprahl <[email protected]>

Author: mprahl

docs/policygenerator-reference.yaml

@@ -21,6 +21,10 @@ policyDefaults:
   # annotation. This defaults to ["CM-2 Baseline Configuration"].
   controls:
     - "CM-2 Baseline Configuration"
+  # Optional. When the policy references a Kyverno policy manifest, this determines if an additonal
+  # configuration policy should be generated in order to receive policy violations in Open Cluster
+  # Management when the Kyverno policy has been violated. This defaults to true.
+  informKyvernoPolicies: true
   # Required. The namespace of all the policies.
   namespace: ""
   # Optional. The placement configuration for the policies. This defaults to a placement
@@ -85,6 +89,8 @@ policies:
       - "CM-2 Baseline Configuration"
     # Optional. (See policyDefaults.disabled for description.)
     disabled: false
+    # Optional. (See policyDefaults.informKyvernoPolicies for description.)
+    informKyvernoPolicies: true
     # Optional. Determines the list of namespaces to check on the cluster for the given manifest. If
     # a namespace is specified in the manifest, the selector is not necessary. This defaults to no
     # selectors.

examples/input3/kyverno.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: check-for-labels
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "The label `friends-character` is required."
+      pattern:
+        metadata:
+          labels:
+            friends-character: "?*"

examples/policyGenerator.yaml

@@ -43,3 +43,7 @@ policies:
             namespace: default
             labels:
               monica: geller
+- name: policy-require-labels
+  disabled: true
+  manifests:
+    - path: input3/

internal/expanders/expanders.go

@@ -0,0 +1,24 @@
+// Copyright Contributors to the Open Cluster Management project
+package expanders
+
+import (
+	"github.com/open-cluster-management/policy-generator-plugin/internal/types"
+)
+
+func GetExpanders() map[string]Expander {
+	return map[string]Expander{
+		"kyverno": KyvernoPolicyExpander{},
+	}
+}
+
+type Expander interface {
+	CanHandle(manifest map[string]interface{}) bool
+	Enabled(policyConf *types.PolicyConfig) bool
+	Expand(manifest map[string]interface{}, severity string) []map[string]map[string]interface{}
+}
+
+// Common constants for the expanders.
+const (
+	configPolicyAPIVersion = "policy.open-cluster-management.io/v1"
+	configPolicyKind       = "ConfigurationPolicy"
+)

internal/expanders/kyverno.go

@@ -0,0 +1,101 @@
+// Copyright Contributors to the Open Cluster Management project
+package expanders
+
+import (
+	"fmt"
+
+	"github.com/open-cluster-management/policy-generator-plugin/internal/types"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+type KyvernoPolicyExpander struct{}
+
+const (
+	kyvernoAPIVersion             = "kyverno.io/v1"
+	kyvernoClusterKind            = "ClusterPolicy"
+	kyvernoPolicyReportAPIVersion = "wgpolicyk8s.io/v1alpha2"
+	kyvernoNamespacedKind         = "Policy"
+)
+
+// CanHandle determines if the manifest is a Kyverno policy that can be expanded.
+func (k KyvernoPolicyExpander) CanHandle(manifest map[string]interface{}) bool {
+	if a, _, _ := unstructured.NestedString(manifest, "apiVersion"); a != kyvernoAPIVersion {
+		return false
+	}
+
+	kind, _, _ := unstructured.NestedString(manifest, "kind")
+	if kind != kyvernoClusterKind && kind != kyvernoNamespacedKind {
+		return false
+	}
+
+	if n, _, _ := unstructured.NestedString(manifest, "metadata", "name"); n == "" {
+		return false
+	}
+
+	return true
+}
+
+// Enabled determines if the policy configuration allows a Kyverno policy to be expanded.
+func (k KyvernoPolicyExpander) Enabled(policyConf *types.PolicyConfig) bool {
+	return policyConf.InformKyvernoPolicies
+}
+
+// AdditionalPolicyTemplates will generate additional policy templates for the Kyverno policy
+// for auditing purposes through Open Cluster Management. This should be run after the CanHandle
+// method.
+func (k KyvernoPolicyExpander) Expand(
+	manifest map[string]interface{}, severity string,
+) []map[string]map[string]interface{} {
+	templates := []map[string]map[string]interface{}{}
+	// This was previously validated in the CanHandle method.
+	policyName, _, _ := unstructured.NestedString(manifest, "metadata", "name")
+
+	configPolicyName := fmt.Sprintf("inform-kyverno-%s", policyName)
+	configurationPolicy := map[string]map[string]interface{}{
+		"objectDefinition": {
+			"apiVersion": configPolicyAPIVersion,
+			"kind":       configPolicyKind,
+			"metadata":   map[string]interface{}{"name": configPolicyName},
+			"spec": map[string]interface{}{
+				"namespaceSelector": map[string]interface{}{
+					"exclude": []string{"kube-*"},
+					"include": []string{"*"},
+				},
+				"remediationAction": "inform",
+				"severity":          severity,
+				"object-templates": []map[string]interface{}{
+					{
+						"complianceType": "mustnothave",
+						"objectDefinition": map[string]interface{}{
+							"apiVersion": kyvernoPolicyReportAPIVersion,
+							"kind":       kyvernoClusterKind + "Report",
+							"results": []map[string]interface{}{
+								{
+									"policy": policyName,
+									"result": "fail",
+								},
+							},
+						},
+					},
+					{
+						"complianceType": "mustnothave",
+						"objectDefinition": map[string]interface{}{
+							"apiVersion": kyvernoPolicyReportAPIVersion,
+							"kind":       kyvernoNamespacedKind + "Report",
+							"results": []map[string]interface{}{
+								{
+									"policy": policyName,
+									"result": "fail",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	templates = append(templates, configurationPolicy)
+
+	return templates
+}

internal/expanders/test_kyverno.go

@@ -0,0 +1,158 @@
+// Copyright Contributors to the Open Cluster Management project
+package expanders
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/open-cluster-management/policy-generator-plugin/internal/types"
+)
+
+func assertEqual(t *testing.T, a interface{}, b interface{}) {
+	t.Helper()
+	if a != b {
+		t.Fatalf("%s != %s", a, b)
+	}
+}
+
+func assertReflectEqual(t *testing.T, a interface{}, b interface{}) {
+	t.Helper()
+	if !reflect.DeepEqual(a, b) {
+		t.Fatalf("%s != %s", a, b)
+	}
+}
+
+func TestCanHandle(t *testing.T) {
+	t.Parallel()
+	k := KyvernoPolicyExpander{}
+
+	tests := []struct{ kind string }{
+		{kyvernoClusterKind},
+		{kyvernoNamespacedKind},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(
+			fmt.Sprintf("kind=%s", test.kind),
+			func(t *testing.T) {
+				t.Parallel()
+				manifest := map[string]interface{}{
+					"apiVersion": kyvernoAPIVersion,
+					"kind":       test.kind,
+					"metadata": map[string]string{
+						"name": "my-awesome-policy",
+					},
+				}
+				assertEqual(t, k.CanHandle(manifest), true)
+			},
+		)
+	}
+}
+
+func TestCanHandleInvalid(t *testing.T) {
+	t.Parallel()
+	k := KyvernoPolicyExpander{}
+
+	tests := []struct{ apiVersion, kind, name string }{
+		{"v1", kyvernoClusterKind, "my-awesome-policy"},
+		{"v1", kyvernoNamespacedKind, "my-awesome-policy"},
+		{kyvernoAPIVersion, "ConfigMap", "my-awesome-policy"},
+		{kyvernoAPIVersion, kyvernoClusterKind, ""},
+		{kyvernoAPIVersion, kyvernoNamespacedKind, ""},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(
+			fmt.Sprintf("kind=%s", test.kind),
+			func(t *testing.T) {
+				t.Parallel()
+				manifest := map[string]interface{}{
+					"apiVersion": test.apiVersion,
+					"kind":       test.kind,
+					"metadata": map[string]string{
+						"name": test.name,
+					},
+				}
+				assertEqual(t, k.CanHandle(manifest), false)
+			},
+		)
+	}
+}
+
+func TestEnabled(t *testing.T) {
+	t.Parallel()
+	k := KyvernoPolicyExpander{}
+	tests := []struct {
+		Enabled  bool
+		Expected bool
+	}{{true, true}, {false, false}}
+	for _, test := range tests {
+		policyConf := types.PolicyConfig{InformKyvernoPolicies: test.Enabled}
+		assertEqual(t, k.Enabled(&policyConf), test.Expected)
+	}
+}
+
+func TestExpand(t *testing.T) {
+	t.Parallel()
+	k := KyvernoPolicyExpander{}
+	manifest := map[string]interface{}{
+		"apiVersion": kyvernoAPIVersion,
+		"kind":       kyvernoClusterKind,
+		"metadata": map[string]string{
+			"name": "my-awesome-policy",
+		},
+	}
+
+	expected := []map[string]map[string]interface{}{
+		{
+			"objectDefinition": {
+				"apiVersion": configPolicyAPIVersion,
+				"kind":       configPolicyKind,
+				"metadata":   map[string]interface{}{"name": "inform-kyverno-my-awesome-policy"},
+				"spec": map[string]interface{}{
+					"namespaceSelector": map[string]interface{}{
+						"exclude": []string{"kube-*"},
+						"include": []string{"*"},
+					},
+					"remediationAction": "inform",
+					"severity":          "medium",
+					"object-templates": []map[string]interface{}{
+						{
+							"complianceType": "mustnothave",
+							"objectDefinition": map[string]interface{}{
+								"apiVersion": kyvernoPolicyReportAPIVersion,
+								"kind":       "ClusterPolicyReport",
+								"results": []map[string]interface{}{
+									{
+										"policy": "my-awesome-policy",
+										"result": "fail",
+									},
+								},
+							},
+						},
+						{
+							"complianceType": "mustnothave",
+							"objectDefinition": map[string]interface{}{
+								"apiVersion": kyvernoPolicyReportAPIVersion,
+								"kind":       "PolicyReport",
+								"results": []map[string]interface{}{
+									{
+										"policy": "my-awesome-policy",
+										"result": "fail",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	templates := k.Expand(manifest, "medium")
+
+	assertReflectEqual(t, templates, expected)
+}