kyverno / kyverno-json

Kyverno for any JSON!
https://kyverno.github.io/kyverno-json/
Apache License 2.0

Consistent behaviour across kyverno and kyverno json [Feature] #427

Open anushkamittal2001 opened 2 months ago

anushkamittal2001 commented 2 months ago

Problem Statement

Today the responses of kyverno and kyverno json aren't similar; they behave slightly differently. It makes sense that we have some basic consistent behaviour across the two, with Kyverno Json as a child project.

Solution Description

We need some convergence of behaviors and at least common fields between our projects.

Alternatives

No response

Additional Context

No response

Slack discussion

No response

Research

anushkamittal2001 commented 2 months ago

Today the Kyverno response looks like this:

type EngineResponse struct {
    // Resource is the original resource
    Resource unstructured.Unstructured
    // Policy is the original policy
    policy GenericPolicy
    // namespaceLabels given by policy context
    namespaceLabels map[string]string
    // PatchedResource is the resource patched with the engine action changes
    PatchedResource unstructured.Unstructured
    // PolicyResponse contains the engine policy response
    PolicyResponse PolicyResponse
    // stats contains engine statistics
    stats ExecutionStats
}
type PolicyResponse struct {
    // stats contains policy statistics
    stats PolicyStats
    // Rules contains policy rules responses
    Rules []RuleResponse
}
type RuleResponse struct {
    // name is the rule name specified in policy
    name string
    // ruleType is the rule type (Mutation,Generation,Validation) for Kyverno Policy
    ruleType RuleType
    // message is the message response from the rule application
    message string
    // status rule status
    status RuleStatus
    // stats contains rule statistics
    stats ExecutionStats
    // generatedResource is the generated by the generate rules of a policy
    generatedResource unstructured.Unstructured
    // patchedTarget is the patched resource for mutate.targets
    patchedTarget *unstructured.Unstructured
    // patchedTargetParentResourceGVR is the GVR of the parent resource of the PatchedTarget. This is only populated when PatchedTarget is a subresource.
    patchedTargetParentResourceGVR metav1.GroupVersionResource
    // patchedTargetSubresourceName is the name of the subresource which is patched, empty if the resource patched is not a subresource.
    patchedTargetSubresourceName string
    // podSecurityChecks contains pod security checks (only if this is a pod security rule)
    podSecurityChecks *PodSecurityChecks
    // exception is the exception applied (if any)
    exception *kyvernov2beta1.PolicyException
    // binding is the validatingadmissionpolicybinding (if any)
    binding *v1alpha1.ValidatingAdmissionPolicyBinding
    // emitWarning enable passing rule message as warning to api server warning header
    emitWarning bool
}

In kyverno json it looks like this:

type Response struct {
    Resource any
    Policies []PolicyResponse
}

type PolicyResponse struct {
    Policy *v1alpha1.ValidatingPolicy
    Rules  []RuleResponse
}

type RuleResponse struct {
    Rule       v1alpha1.ValidatingRule
    Timestamp  time.Time
    Identifier string
    Error      error
    Violations []matching.Result
}
type Result struct {
    field.ErrorList
    Message string
}

I think it makes sense to have some similarity in the two, especially in the RuleResponse: rule status and message. The new json engine struct could be something like this:

type Response struct {
    Resource any
    PolicyResponse []PolicyResponse
}

type PolicyResponse struct {
    Policy *v1alpha1.ValidatingPolicy
    Rules  []RuleResponse
}

type RuleResponse struct {
    Rule       v1alpha1.ValidatingRule
    Message    string
    Timestamp  time.Time
    Identifier string
    Status     RuleStatus
    Violations []matching.Result
}
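As an added example (not code from kyverno or kyverno-json), the sketch below shows how the proposed `Status` and `Message` fields could be populated from one place so that errors, violations and passes are reported consistently. The `RuleStatus` constants, the `Result` stand-in for `matching.Result`, and the reduction of `Rule` to a plain name are assumptions made so the snippet compiles without kyverno-json imports.

```go
package main

import (
	"fmt"
	"time"
)

// RuleStatus mirrors Kyverno's notion of a rule status. The constant names are
// assumptions for this example, not the kyverno-json API.
type RuleStatus string

const (
	RuleStatusPass  RuleStatus = "pass"
	RuleStatusFail  RuleStatus = "fail"
	RuleStatusError RuleStatus = "error"
)

// Result is a stand-in for matching.Result (hypothetical, message only).
type Result struct{ Message string }

// RuleResponse follows the proposed struct in the issue; Rule is reduced to
// a name so the example runs without kyverno-json imports.
type RuleResponse struct {
	Rule       string
	Message    string
	Timestamp  time.Time
	Identifier string
	Status     RuleStatus
	Violations []Result
}
// NewRuleResponse derives Status and Message from the evaluation outcome so
// that errors, violations and passes are reported the same way every time:
// an evaluation error wins over violations, and no violations means pass.
func NewRuleResponse(rule, identifier string, err error, violations []Result) RuleResponse {
	r := RuleResponse{Rule: rule, Identifier: identifier, Timestamp: time.Now(), Violations: violations}
	switch {
	case err != nil:
		r.Status, r.Message = RuleStatusError, err.Error()
	case len(violations) > 0:
		r.Status = RuleStatusFail
		r.Message = fmt.Sprintf("%d violation(s): %s", len(violations), violations[0].Message)
	default:
		r.Status, r.Message = RuleStatusPass, "rule passed"
	}
	return r
}
func main() {
	r := NewRuleResponse("require-labels", "default/nginx", nil, []Result{{Message: "label app is required"}})
	fmt.Printf("%s %s: %s\n", r.Rule, r.Status, r.Message)
}
```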

anushkamittal2001 commented 2 months ago

We can discuss what changes we could make further here.