Merge pull request #314 from Vyom-Yadav/fixHtmlPolicyReport

fix: Fix order of policy report generation
kubearmor · May 24, 2023 · bea659a · bea659a
2 parents f39985f + 7328da3
commit bea659a
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 36 deletions.
diff --git a/go.mod b/go.mod
@@ -58,6 +58,7 @@ require (
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d
 	github.com/onsi/ginkgo/v2 v2.9.4
 	github.com/onsi/gomega v1.27.6
+	golang.org/x/text v0.9.0
 	k8s.io/api v0.27.1
 	k8s.io/apiextensions-apiserver v0.27.1
 	k8s.io/apimachinery v0.27.1
@@ -316,7 +317,6 @@ require (
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
 	golang.org/x/term v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.9.1 // indirect
 	google.golang.org/api v0.120.0 // indirect

diff --git a/recommend/admissionControllerPolicy.go b/recommend/admissionControllerPolicy.go
@@ -3,6 +3,10 @@ package recommend
 import (
 	"context"
 	"errors"
+	"os"
+	"strconv"
+	"strings"
+
 	"github.com/accuknox/auto-policy-discovery/src/libs"
 	"github.com/accuknox/auto-policy-discovery/src/protobuf/v1/worker"
 	"github.com/clarketm/json"
@@ -14,9 +18,6 @@ import (
 	"golang.org/x/exp/slices"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
-	"os"
-	"strconv"
-	"strings"
 )
 
 var connection *grpc.ClientConn
@@ -86,7 +87,7 @@ func recommendAdmissionControllerPolicies(img ImageInfo) error {
 			if err != nil {
 				return err
 			}
-			if matchAdmissionControllerPolicyTags(&kyvernoPolicy) {
+			if namespaceMatches(kyvernoPolicy.Namespace) && matchAdmissionControllerPolicyTags(&kyvernoPolicy) {
 				img.writeAdmissionControllerPolicy(kyvernoPolicy)
 			}
 		}
@@ -106,3 +107,7 @@ func matchAdmissionControllerPolicyTags(policy *kyvernov1.Policy) bool {
 	}
 	return false
 }
+
+func namespaceMatches(policyNamespace string) bool {
+	return options.Namespace == "" || options.Namespace == policyNamespace
+}
diff --git a/recommend/html/record.html b/recommend/html/record.html
@@ -6,7 +6,11 @@
 						</td>
 					{{else if eq $i 2}}
 						<td>
-						{{.Name}}/10
+						{{if eq .Name "-"}}
+							{{.Name}}
+						{{else}}
+							{{.Name}}/10
+						{{end}}
 						</td>
 					{{else if eq $i 3}}
 						{{if eq .Name "Block"}}
@@ -17,6 +21,10 @@
 							<td>
 								<div class="v38_6985"><span class="v38_6986">{{.Name}}</span></div>
 							</td>
+				        {{else if eq .Name "Enforce"}}
+				            <td>
+					            <div class="v38_6859"><span class="v38_6860">{{.Name}}</span></div>
+				            </td>
 						{{end}}
 					{{else}}
 						<td>{{.Name}}</td>	
@@ -27,7 +35,7 @@
             </tr>
             <tr id="{{.RowID}}" class="hidden_row">
                 <td colspan="100%">
-					<h3>Kubearmor Security Policy</h3>
+					<h3>{{.PolicyType}}</h3>
 <pre>
 {{.Policy}}
 </pre>

diff --git a/recommend/imageHandler.go b/recommend/imageHandler.go
@@ -496,42 +496,51 @@ func imageHandler(namespace, deployment string, labels LabelMap, imageName strin
 		Labels:     labels,
 	}
 
+	if len(options.Policy) == 0 {
+		return fmt.Errorf("no policy specified, specify at least one policy to be recommended")
+	}
+
 	policiesToBeRecommendedSet := make(map[string]bool)
 	for _, policy := range options.Policy {
 		policiesToBeRecommendedSet[policy] = true
 	}
 
-	for policyToBeRecommended := range policiesToBeRecommendedSet {
-		switch policyToBeRecommended {
-		case KyvernoPolicy:
-			if len(img.RepoTags) == 0 {
-				img.RepoTags = append(img.RepoTags, img.Name)
-			}
-			if _, ok := policiesToBeRecommendedSet[KubeArmorPolicy]; !ok {
-				if err := ReportStart(&img); err != nil {
-					log.WithError(err).Error("report start failed")
-					return err
-				}
-			}
-			err := initClientConnection(c)
-			if err != nil {
-				log.WithError(err).Error("failed to initialize client connection.")
-				return err
-			}
-			err = recommendAdmissionControllerPolicies(img)
-			if err != nil {
-				log.WithError(err).Error("failed to recommend admission controller policies.")
-				return err
-			}
-		case KubeArmorPolicy:
-			err := recommendKubeArmorPolicies(imageName, img)
-			if err != nil {
-				log.WithError(err).Error("failed to recommend kubearmor policies.")
+	_, containsKubeArmorPolicy := policiesToBeRecommendedSet[KubeArmorPolicy]
+	if containsKubeArmorPolicy {
+		err := recommendKubeArmorPolicies(imageName, img)
+		if err != nil {
+			log.WithError(err).Error("failed to recommend kubearmor policies.")
+			return err
+		}
+	}
+
+	_, containsKyvernoPolicy := policiesToBeRecommendedSet[KyvernoPolicy]
+
+	// Admission Controller Policies are not recommended based on an image
+	if len(options.Images) == 0 && containsKyvernoPolicy {
+		if len(img.RepoTags) == 0 {
+			img.RepoTags = append(img.RepoTags, img.Name)
+		}
+		if !containsKubeArmorPolicy {
+			if err := ReportStart(&img); err != nil {
+				log.WithError(err).Error("report start failed")
 				return err
 			}
-		default:
-			return fmt.Errorf("policy of kind %s cannot be generated", policyToBeRecommended)
 		}
+		err := initClientConnection(c)
+		if err != nil {
+			log.WithError(err).Error("failed to initialize client connection.")
+			return err
+		}
+		err = recommendAdmissionControllerPolicies(img)
+		if err != nil {
+			log.WithError(err).Error("failed to recommend admission controller policies.")
+			return err
+		}
+	}
+
+	if !containsKyvernoPolicy && !containsKubeArmorPolicy {
+		return fmt.Errorf("policy type not supported: %v", options.Policy)
 	}
 	_ = ReportSectEnd(&img)
 

diff --git a/recommend/report_html.go b/recommend/report_html.go
@@ -14,6 +14,8 @@ import (
 	"time"
 
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/text/cases"
+	"golang.org/x/text/language"
 )
 
 // HTMLReport Report in HTML format
@@ -141,6 +143,7 @@ type RecordInfo struct {
 	Rec         []Col
 	Policy      string
 	Description string
+	PolicyType  string
 	Refs        []Ref
 }
 
@@ -162,6 +165,7 @@ func (r HTMLReport) Record(ms MatchSpec, policyName string) error {
 			{Name: strings.Join(ms.Spec.Tags[:], "\n")},
 		},
 		Policy:      string(policy),
+		PolicyType:  "Kubearmor Security Policy",
 		Description: ms.Description.Detailed,
 		Refs:        ms.Description.Refs,
 	}
@@ -183,10 +187,11 @@ func (r HTMLReport) RecordAdmissionController(policyName, action string, annotat
 			{Name: policyName},
 			{Name: annotations["recommended-policies.kubearmor.io/description"]},
 			{Name: "-"},
-			{Name: action},
+			{Name: cases.Title(language.English).String(action)},
 			{Name: strings.Join(strings.Split(annotations["recommended-policies.kubearmor.io/tags"], ",")[:], "\n")},
 		},
 		Policy:      string(policy),
+		PolicyType:  "Kyverno Policy",
 		Description: annotations["recommended-policies.kubearmor.io/description-detailed"],
 		// TODO: Figure out how to get the references, adding them to annotations would make them too long
 		Refs: []Ref{},