kubewarden / audit-scanner

Reports evaluation of existing Kubernetes resources with your already deployed Kubewarden policies.
https://kubewarden.io
Apache License 2.0

Reports are not updated after last policy removal #263

Closed kravciak closed 5 months ago

kravciak commented 5 months ago

I have a CA policy that produces an audit-report on the namespace. When I delete this policy, the audit report on the namespace is not removed / retriggered, leaving behind a clusterpolicyreport.

To reproduce:

Current state:

Clusterpolicyreport for default namespace with 1 FAIL is not removed, UI points to non-existent policy

Expected state:

Clusterpolicyreport results from non-existent policies are cleaned

flavio commented 5 months ago

To whoever takes that, there must be something wrong with owner references and cluster admission policies.

jvanz commented 5 months ago

I can see the issue. The report still has one failed result after deleting the policy and triggering the audit scanner job again. The problem is not in the owner reference. The owner reference is set to the audited resource, which makes sense considering that the report can store results from multiple policies. I believe the problem is that we update the report only when we have some audit result. We need to update the audit scanner to remove results from gone policies. I'll take a look in the audit scanner code to see how to do that.
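A sketch of the reconciliation described in the comment above, added here as an illustration; it is not part of the thread and not the audit-scanner's own code. The `Result` and `Report` types, the `Reconcile` function and the policy name are hypothetical simplifications, and the sample report is constructed.

```go
package main

import "fmt"

// Result and Report are simplified, hypothetical stand-ins for policy report
// entries; they are not the audit-scanner's real types.
type Result struct {
	Policy  string // identifier of the policy that produced the result
	Outcome string // "pass" or "fail"
}

type Report struct {
	Results    []Result
	Pass, Fail int
}

// Reconcile merges the current scan into the stored report and drops every
// result whose policy is no longer deployed. It runs even when fresh is empty
// (last policy removed) and returns true when the report can be deleted.
func Reconcile(r *Report, fresh []Result, deployed map[string]bool) bool {
	merged := map[string]Result{}
	order := []string{}
	for _, res := range append(append([]Result{}, r.Results...), fresh...) {
		if !deployed[res.Policy] {
			continue // stale: the policy was deleted
		}
		if _, seen := merged[res.Policy]; !seen {
			order = append(order, res.Policy)
		}
		merged[res.Policy] = res // a fresh result overrides the stored one
	}
	r.Results, r.Pass, r.Fail = nil, 0, 0
	for _, name := range order {
		res := merged[name]
		r.Results = append(r.Results, res)
		if res.Outcome == "fail" {
			r.Fail++
		} else {
			r.Pass++
		}
	}
	return len(r.Results) == 0
}

func main() {
	// Constructed sample: one stored failure from a policy that no longer exists.
	r := &Report{Results: []Result{{"example-cluster-policy", "fail"}}, Fail: 1}
	empty := Reconcile(r, nil, map[string]bool{})
	fmt.Println(empty, r.Fail)
}
```

The stale-report case in this issue corresponds to calling `Reconcile` with no fresh results and an empty deployed set, which a scanner that only writes reports when it has new results never reaches.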