feat: re-evaluate policy exceptions for existing resources and modify…

… reports accordingly

Signed-off-by: Anushka Mittal <[email protected]>

cmd/reports-controller/main.go

@@ -57,6 +57,7 @@ func createReportControllers(
 	var ctrls []internal.Controller
 	var warmups []func(context.Context) error
 	kyvernoV1 := kyvernoInformer.Kyverno().V1()
+	kyvernoV2alpha1 := kyvernoInformer.Kyverno().V2alpha1()
 	if backgroundScan || admissionReports {
 		resourceReportController := resourcereportcontroller.NewController(
 			client,
@@ -104,6 +105,7 @@ func createReportControllers(
 					metadataFactory,
 					kyvernoV1.Policies(),
 					kyvernoV1.ClusterPolicies(),
+					kyvernoV2alpha1.PolicyExceptions(),
 					kubeInformer.Core().V1().Namespaces(),
 					resourceReportController,
 					backgroundScanInterval,

pkg/controllers/report/background/controller.go

@@ -7,10 +7,13 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
+	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 	policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
 	"github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
+	kyvernov2alpha1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v2alpha1"
 	kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
+	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/controllers"
@@ -52,6 +55,7 @@ type controller struct {
 	// listers
 	polLister      kyvernov1listers.PolicyLister
 	cpolLister     kyvernov1listers.ClusterPolicyLister
+	polexLister    kyvernov2alpha1listers.PolicyExceptionLister
 	bgscanrLister  cache.GenericLister
 	cbgscanrLister cache.GenericLister
 	nsLister       corev1listers.NamespaceLister
@@ -77,6 +81,7 @@ func NewController(
 	metadataFactory metadatainformers.SharedInformerFactory,
 	polInformer kyvernov1informers.PolicyInformer,
 	cpolInformer kyvernov1informers.ClusterPolicyInformer,
+	polexInformer kyvernov2alpha1informers.PolicyExceptionInformer,
 	nsInformer corev1informers.NamespaceInformer,
 	metadataCache resource.MetadataCache,
 	forceDelay time.Duration,
@@ -94,6 +99,7 @@ func NewController(
 		engine:         engine,
 		polLister:      polInformer.Lister(),
 		cpolLister:     cpolInformer.Lister(),
+		polexLister:    polexInformer.Lister(),
 		bgscanrLister:  bgscanr.Lister(),
 		cbgscanrLister: cbgscanr.Lister(),
 		nsLister:       nsInformer.Lister(),
@@ -109,6 +115,7 @@ func NewController(
 	controllerutils.AddDefaultEventHandlers(logger, cbgscanr.Informer(), queue)
 	controllerutils.AddEventHandlersT(polInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy)
 	controllerutils.AddEventHandlersT(cpolInformer.Informer(), c.addPolicy, c.updatePolicy, c.deletePolicy)
+	controllerutils.AddEventHandlersT(polexInformer.Informer(), c.addException, c.updateException, c.deleteException)
 	c.metadataCache.AddEventHandler(func(eventType resource.EventType, uid types.UID, _ schema.GroupVersionKind, res resource.Resource) {
 		// if it's a deletion, nothing to do
 		if eventType == resource.Deleted {
@@ -198,7 +205,7 @@ func (c *controller) getMeta(namespace, name string) (metav1.Object, error) {
 	}
 }
 
-func (c *controller) needsReconcile(namespace, name, hash string, backgroundPolicies ...kyvernov1.PolicyInterface) (bool, bool, error) {
+func (c *controller) needsReconcile(namespace, name, hash string, exceptions []kyvernov2alpha1.PolicyException, backgroundPolicies ...kyvernov1.PolicyInterface) (bool, bool, error) {
 	// if the reportMetadata does not exist, we need a full reconcile
 	reportMetadata, err := c.getMeta(namespace, name)
 	if err != nil {
@@ -225,11 +232,14 @@ func (c *controller) needsReconcile(namespace, name, hash string, backgroundPoli
 			return true, true, nil
 		}
 	}
-	// if a policy changed, we need a partial reconcile
+	// if a policy or an exception changed, we need a partial reconcile
 	expected := map[string]string{}
 	for _, policy := range backgroundPolicies {
 		expected[reportutils.PolicyLabel(policy)] = policy.GetResourceVersion()
 	}
+	for _, exception := range exceptions {
+		expected[reportutils.PolicyExceptionLabel(exception)] = exception.GetResourceVersion()
+	}
 	actual := map[string]string{}
 	for key, value := range reportMetadata.GetLabels() {
 		if reportutils.IsPolicyLabel(key) {
@@ -251,6 +261,7 @@ func (c *controller) reconcileReport(
 	uid types.UID,
 	gvk schema.GroupVersionKind,
 	resource resource.Resource,
+	exceptions []kyvernov2alpha1.PolicyException,
 	backgroundPolicies ...kyvernov1.PolicyInterface,
 ) error {
 	// namespace labels to be used by the scanner
@@ -280,6 +291,9 @@ func (c *controller) reconcileReport(
 	for _, policy := range backgroundPolicies {
 		expected[reportutils.PolicyLabel(policy)] = policy.GetResourceVersion()
 	}
+	for _, exception := range exceptions {
+		expected[reportutils.PolicyExceptionLabel(exception)] = exception.GetResourceVersion()
+	}
 	actual := map[string]string{}
 	for key, value := range observed.GetLabels() {
 		if reportutils.IsPolicyLabel(key) {
@@ -296,18 +310,32 @@ func (c *controller) reconcileReport(
 			}
 			policyNameToLabel[key] = reportutils.PolicyLabel(policy)
 		}
-		// keep up to date results
+		for _, exception := range exceptions {
+			key, err := cache.MetaNamespaceKeyFunc(exception)
+			if err != nil {
+				return err
+			}
+			policyNameToLabel[key] = reportutils.PolicyExceptionLabel(exception)
+		}
 		for _, result := range observed.GetResults() {
 			// if the policy did not change, keep the result
 			label := policyNameToLabel[result.Policy]
-			if label != "" && expected[label] == actual[label] {
+			exceptionLabel := policyNameToLabel[result.Properties["exception"]]
+			if (label != "" && expected[label] == actual[label]) || (exceptionLabel != "" && expected[exceptionLabel] == actual[exceptionLabel]) {
 				ruleResults = append(ruleResults, result)
 			}
 		}
 	}
 	// calculate necessary results
 	for _, policy := range backgroundPolicies {
-		if full || actual[reportutils.PolicyLabel(policy)] != policy.GetResourceVersion() {
+		reevaluate := false
+		for _, polex := range exceptions {
+			if actual[reportutils.PolicyExceptionLabel(polex)] != polex.GetResourceVersion() {
+				reevaluate = true
+				break
+			}
+		}
+		if full || reevaluate || actual[reportutils.PolicyLabel(policy)] != policy.GetResourceVersion() {
 			scanner := utils.NewScanner(logger, c.engine, c.config, c.jp)
 			for _, result := range scanner.ScanResource(ctx, *target, nsLabels, policy) {
 				if result.Error != nil {
@@ -328,6 +356,9 @@ func (c *controller) reconcileReport(
 	for _, policy := range backgroundPolicies {
 		reportutils.SetPolicyLabel(desired, policy)
 	}
+	for _, exception := range exceptions {
+		reportutils.SetPolicyExceptionLabel(desired, exception)
+	}
 	reportutils.SetResourceVersionLabels(desired, target)
 	reportutils.SetResults(desired, ruleResults...)
 	if full || !controllerutils.HasAnnotation(desired, annotationLastScanTime) {
@@ -401,16 +432,35 @@ func (c *controller) reconcile(ctx context.Context, log logr.Logger, key, namesp
 	if err != nil {
 		return err
 	}
+	// load policy exceptions with background process enabled
+	exceptions, err := utils.FetchPolicyExceptions(c.polexLister, namespace)
+	if err != nil {
+		return err
+	}
 	// we have the resource, check if we need to reconcile
-	if needsReconcile, full, err := c.needsReconcile(namespace, name, resource.Hash, backgroundPolicies...); err != nil {
+	if needsReconcile, full, err := c.needsReconcile(namespace, name, resource.Hash, exceptions, backgroundPolicies...); err != nil {
 		return err
 	} else {
 		defer func() {
 			c.queue.AddAfter(key, c.forceDelay)
 		}()
 		if needsReconcile {
-			return c.reconcileReport(ctx, namespace, name, full, uid, gvk, resource, backgroundPolicies...)
+			return c.reconcileReport(ctx, namespace, name, full, uid, gvk, resource, exceptions, policies...)
 		}
 	}
 	return nil
 }
+
+func (c *controller) addException(obj *kyvernov2alpha1.PolicyException) {
+	c.enqueueResources()
+}
+
+func (c *controller) updateException(old, obj *kyvernov2alpha1.PolicyException) {
+	if old.GetResourceVersion() != obj.GetResourceVersion() {
+		c.enqueueResources()
+	}
+}
+
+func (c *controller) deleteException(obj *kyvernov2alpha1.PolicyException) {
+	c.enqueueResources()
+}

pkg/controllers/report/utils/utils.go

@@ -4,10 +4,13 @@ import (
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
+	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 	"github.com/kyverno/kyverno/pkg/autogen"
+	kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
 	datautils "github.com/kyverno/kyverno/pkg/utils/data"
 	policyvalidation "github.com/kyverno/kyverno/pkg/validation/policy"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/util/sets"
 )
 
@@ -21,6 +24,20 @@ func CanBackgroundProcess(p kyvernov1.PolicyInterface) bool {
 	return true
 }
 
+func FetchPolicyExceptions(polexLister kyvernov2alpha1listers.PolicyExceptionLister, namespace string) ([]kyvernov2alpha1.PolicyException, error) {
+	var exceptions []kyvernov2alpha1.PolicyException
+	if polexs, err := polexLister.PolicyExceptions(namespace).List(labels.Everything()); err != nil {
+		return nil, err
+	} else {
+		for _, polex := range polexs {
+			if polex.Spec.BackgroundProcessingEnabled() {
+				exceptions = append(exceptions, *polex)
+			}
+		}
+	}
+	return exceptions, nil
+}
+
 func BuildKindSet(logger logr.Logger, policies ...kyvernov1.PolicyInterface) sets.Set[string] {
 	kinds := sets.New[string]()
 	for _, policy := range policies {

pkg/utils/report/labels.go

@@ -9,6 +9,7 @@ import (
 
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov1alpha2 "github.com/kyverno/kyverno/api/kyverno/v1alpha2"
+	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -29,13 +30,18 @@ const (
 	LabelDomainPolicy                    = "pol.kyverno.io"
 	LabelPrefixClusterPolicy             = LabelDomainClusterPolicy + "/"
 	LabelPrefixPolicy                    = LabelDomainPolicy + "/"
+	LabelPrefixPolicyException           = "polex.kyverno.io/"
 	LabelPrefixValidatingAdmissionPolicy = "validatingadmissionpolicy.apiserver.io/"
 	//	aggregated admission report label
 	LabelAggregatedReport = "audit.kyverno.io/report.aggregate"
 )
 
 func IsPolicyLabel(label string) bool {
-	return strings.HasPrefix(label, LabelPrefixPolicy) || strings.HasPrefix(label, LabelPrefixClusterPolicy)
+	return strings.HasPrefix(label, LabelPrefixPolicy) || strings.HasPrefix(label, LabelPrefixClusterPolicy) || strings.HasPrefix(label, LabelPrefixPolicyException)
+}
+
+func PolicyExceptionLabel(exception kyvernov2alpha1.PolicyException) string {
+	return LabelPrefixPolicyException + exception.GetName()
 }
 
 func PolicyNameFromLabel(namespace, label string) (string, error) {
@@ -129,6 +135,10 @@ func SetPolicyLabel(report kyvernov1alpha2.ReportInterface, policy kyvernov1.Pol
 	controllerutils.SetLabel(report, PolicyLabel(policy), policy.GetResourceVersion())
 }
 
+func SetPolicyExceptionLabel(report kyvernov1alpha2.ReportInterface, exception kyvernov2alpha1.PolicyException) {
+	controllerutils.SetLabel(report, PolicyExceptionLabel(exception), exception.GetResourceVersion())
+}
+
 func GetResourceUid(report metav1.Object) types.UID {
 	return types.UID(controllerutils.GetLabel(report, LabelResourceUid))
 }

pkg/utils/report/results.go

@@ -100,6 +100,11 @@ func EngineResponseToReportResults(response engineapi.EngineResponse) []policyre
 			Category: annotations[kyvernov1.AnnotationPolicyCategory],
 			Severity: SeverityFromString(annotations[kyvernov1.AnnotationPolicySeverity]),
 		}
+		if ruleResult.Exception() != nil {
+			result.Properties = map[string]string{
+				"exception": ruleResult.Exception().Name,
+			}
+		}
 		pss := ruleResult.PodSecurityChecks()
 		if pss != nil {
 			var controls []string