update NetworkPolicies

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
kyverno · Sep 16, 2024 · cfc4406 · cfc4406
1 parent 4d7a2e2
commit cfc4406
Show file tree

Hide file tree

Showing 22 changed files with 129 additions and 62 deletions.
diff --git a/charts/policy-reporter/README.md b/charts/policy-reporter/README.md
@@ -56,7 +56,7 @@ Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-get
 | image.registry | string | `"ghcr.io"` |  |
 | image.repository | string | `"kyverno/policy-reporter"` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.tag | string | `"5cb6121"` |  |
+| image.tag | string | `"4d7a2e2"` |  |
 | imagePullSecrets | list | `[]` |  |
 | priorityClassName | string | `""` |  |
 | replicaCount | int | `1` |  |
@@ -117,8 +117,6 @@ Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-get
 | sourceFilters[0].uncontrolledOnly | bool | `true` | Filter out PolicyReports of controlled Pods and Jobs, only works for PolicyReport with scope resource |
 | sourceFilters[0].disableClusterReports | bool | `false` | Filter out ClusterPolicyReports |
 | sourceFilters[0].kinds | object | `{"exclude":["ReplicaSet"]}` | Filter out PolicyReports based on the scope resource kind |
-| kyverno-plugin.enabled | bool | `false` |  |
-| trivy-plugin.enabled | bool | `false` |  |
 | global.labels | object | `{}` |  |
 | basicAuth.username | string | `""` |  |
 | basicAuth.password | string | `""` |  |
@@ -311,7 +309,6 @@ Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-get
 | target.gcs.customFields | object | `{}` |  |
 | target.gcs.filter | object | `{}` |  |
 | target.gcs.channels | list | `[]` |  |
-| leaderElection.enabled | bool | `false` |  |
 | leaderElection.releaseOnCancel | bool | `true` |  |
 | leaderElection.leaseDuration | int | `15` |  |
 | leaderElection.renewDeadline | int | `10` |  |
@@ -373,7 +370,7 @@ Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-get
 | ui.oauth.scopes | list | `[]` | OpenID Connect allowed Scopes |
 | ui.oauth.secretRef | string | `""` | Provide OpenID Connect configuration via Secret supported keys: `provider`, `clientId`, `clientSecret` |
 | ui.banner | string | `""` | optional banner text |
-| ui.displayMode | string | `""` | DisplayMode dark/light uses the OS configured prefered color scheme as default |
+| ui.displayMode | string | `""` | DisplayMode dark/light/colorblind/colorblinddark uses the OS configured prefered color scheme as default |
 | ui.customBoards | list | `[]` | Additional customizable dashboards |
 | ui.sources | list | `[]` | source specific configurations |
 | ui.clusters | list | `[]` | Connected Policy Reporter APIs |
@@ -454,7 +451,6 @@ Check the [Documentation](https://kyverno.github.io/policy-reporter/guide/02-get
 | plugin.kyverno.networkPolicy.egress | list | `[{"ports":[{"port":6443,"protocol":"TCP"}]}]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. Enables Kubernetes API Server by default |
 | plugin.kyverno.networkPolicy.ingress | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | plugin.kyverno.resources | object | `{}` |  |
-| plugin.kyverno.leaderElection.enabled | bool | `false` | Enables LeaderElection. |
 | plugin.kyverno.leaderElection.lockName | string | `"kyverno-plugin"` | Lock Name |
 | plugin.kyverno.leaderElection.releaseOnCancel | bool | `true` | Released lock when the run context is cancelled. |
 | plugin.kyverno.leaderElection.leaseDuration | int | `15` | LeaseDuration is the duration that non-leader candidates will wait to force acquire leadership. |

diff --git a/charts/policy-reporter/configs/core.tmpl b/charts/policy-reporter/configs/core.tmpl
@@ -142,16 +142,15 @@ reportFilter:
     exclude:
       {{- toYaml . | nindent 6 }}
     {{- end }}
-  clusterReports:
-    disabled: {{ .Values.reportFilter.clusterReports.disabled }}
+  disableClusterReports: {{ .Values.reportFilter.disableClusterReports }}
 
 {{- with .Values.sourceFilters }}
 sourceFilters:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 
 leaderElection:
-  enabled: {{ or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
+  enabled: {{ gt (int .Values.replicaCount) 1 }}
   releaseOnCancel: {{ .Values.leaderElection.releaseOnCancel }}
   leaseDuration: {{ .Values.leaderElection.leaseDuration }}
   renewDeadline: {{ .Values.leaderElection.renewDeadline }}

diff --git a/charts/policy-reporter/configs/kyverno-plugin.tmpl b/charts/policy-reporter/configs/kyverno-plugin.tmpl
@@ -1,5 +1,5 @@
 leaderElection:
-  enabled: {{ or .Values.plugin.kyverno.leaderElection.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1) }}
+  enabled: {{ gt (int .Values.plugin.kyverno.replicaCount) 1 }}
   releaseOnCancel: {{ .Values.plugin.kyverno.leaderElection.releaseOnCancel }}
   leaseDuration: {{ .Values.plugin.kyverno.leaderElection.leaseDuration }}
   renewDeadline: {{ .Values.plugin.kyverno.leaderElection.renewDeadline }}

diff --git a/charts/policy-reporter/templates/deployment.yaml b/charts/policy-reporter/templates/deployment.yaml
@@ -99,7 +99,7 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          {{- if or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1) }}
+          {{- if gt (int .Values.replicaCount) 1 }}
           - name: POD_NAME
             valueFrom:
               fieldRef:

diff --git a/charts/policy-reporter/templates/networkpolicy.yaml b/charts/policy-reporter/templates/networkpolicy.yaml
@@ -22,21 +22,21 @@ spec:
         matchLabels: {{- include "ui.selectorLabels" . | nindent 10 }}
     ports:
     - protocol: TCP
-      port: 8080
-  {{- end }}
-  {{- with .Values.networkPolicy.ingress }}
-    {{- toYaml . | nindent 2 }}
+      port: {{ .Values.ui.service.port }}
   {{- end }}
-  egress:
-  {{- if .Values.ui.enabled }}
-  - to:
+  {{- if .Values.plugin.trivy.enabled }}
+  - from:
     - podSelector:
-        matchLabels: {{- include "ui.selectorLabels" . | nindent 10 }}
+        matchLabels: {{- include "trivy-plugin.selectorLabels" . | nindent 10 }}
     ports:
     - protocol: TCP
-      port: {{ .Values.ui.service.port }}
+      port: {{ .Values.plugin.trivy.service.port }}
+  {{- end }}
+  {{- with .Values.networkPolicy.ingress }}
+    {{- toYaml . | nindent 2 }}
   {{- end }}
   {{- with .Values.networkPolicy.egress }}
+  egress:
     {{- toYaml . | nindent 2 }}
   {{- end }}
 {{- end }}
diff --git a/charts/policy-reporter/templates/plugins/kyverno/deployment.yaml b/charts/policy-reporter/templates/plugins/kyverno/deployment.yaml
@@ -74,7 +74,7 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.namespace
-          {{- if or .Values.plugin.kyverno.leaderElection.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1) }}
+          {{- if gt (int .Values.plugin.kyverno.replicaCount) 1 }}
           - name: POD_NAME
             valueFrom:
               fieldRef:

diff --git a/charts/policy-reporter/templates/plugins/kyverno/role.yaml b/charts/policy-reporter/templates/plugins/kyverno/role.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.plugin.kyverno.enabled -}}
-{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (or .Values.plugin.kyverno.leaderElection.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1))) -}}
+{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1)) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

diff --git a/charts/policy-reporter/templates/plugins/kyverno/rolebinding.yaml b/charts/policy-reporter/templates/plugins/kyverno/rolebinding.yaml
@@ -1,5 +1,5 @@
 {{- if .Values.plugin.kyverno.enabled -}}
-{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (or .Values.plugin.kyverno.leaderElection.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1))) -}}
+{{- if and (and .Values.plugin.kyverno.serviceAccount.create .Values.plugin.kyverno.rbac.enabled) (and .Values.plugin.kyverno.blockReports.enabled (gt (int .Values.plugin.kyverno.replicaCount) 1)) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

diff --git a/charts/policy-reporter/templates/plugins/trivy/networkpolicy.yaml b/charts/policy-reporter/templates/plugins/trivy/networkpolicy.yaml
@@ -16,8 +16,15 @@ spec:
   ingress:
     {{- toYaml . | nindent 2 }}
   {{- end }}
-  {{- with .Values.plugin.trivy.networkPolicy.egress }}
   egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          {{- include "policyreporter.selectorLabels" . | nindent 10 }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.service.port }}
+  {{- with .Values.plugin.trivy.networkPolicy.egress }}
     {{- toYaml . | nindent 2 }}
   {{- end }}
 {{- end }}

diff --git a/charts/policy-reporter/templates/role.yaml b/charts/policy-reporter/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.rbac.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1)) -}}
+{{- if and .Values.rbac.enabled (gt (int .Values.replicaCount) 1) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

diff --git a/charts/policy-reporter/templates/rolebinding.yaml b/charts/policy-reporter/templates/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.rbac.enabled (or .Values.leaderElection.enabled (gt (int .Values.replicaCount) 1)) -}}
+{{- if and .Values.rbac.enabled (gt (int .Values.replicaCount) 1) -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

diff --git a/charts/policy-reporter/templates/ui/networkpolicy.yaml b/charts/policy-reporter/templates/ui/networkpolicy.yaml
@@ -12,12 +12,41 @@ spec:
   policyTypes:
   - Ingress
   - Egress
-  {{- with .Values.ui.networkPolicy.ingress }}
   ingress:
+  - from:
+    ports:
+    - protocol: TCP
+      port: {{ .Values.ui.service.port }}
+  {{- with .Values.ui.networkPolicy.ingress }}
     {{- toYaml . | nindent 2 }}
   {{- end }}
-  {{- with .Values.ui.networkPolicy.egress }}
   egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          {{- include "policyreporter.selectorLabels" . | nindent 10 }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.service.port }}
+  {{- if or .Values.plugin.kyverno.enabled }}
+  - to:
+    - podSelector:
+        matchLabels:
+          {{- include "kyverno-plugin.selectorLabels" . | nindent 10 }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.plugin.kyverno.service.port }}
+  {{- end }}
+  {{- if or .Values.plugin.trivy.enabled }}
+  - to:
+    - podSelector:
+        matchLabels:
+          {{- include "trivy-plugin.selectorLabels" . | nindent 10 }}
+    ports:
+    - protocol: TCP
+      port: {{ .Values.plugin.trivy.service.port }}
+  {{- end }}
+  {{- with .Values.networkPolicy.egress }}
     {{- toYaml . | nindent 2 }}
   {{- end }}
 {{- end }}

diff --git a/charts/policy-reporter/values.yaml b/charts/policy-reporter/values.yaml
@@ -11,7 +11,7 @@ image:
   registry: ghcr.io
   repository: kyverno/policy-reporter
   pullPolicy: IfNotPresent
-  tag: 5cb6121
+  tag: 4d7a2e2
 
 imagePullSecrets: []
 
@@ -187,12 +187,6 @@ sourceFilters:
   kinds:
     exclude: [ReplicaSet]
 
-kyverno-plugin:
-  enabled: false
-
-trivy-plugin:
-  enabled: false
-
 global:
   # additional labels added on each resource
   labels: {}
@@ -661,7 +655,6 @@ target:
 # if no targets are configured, leaderElection is disabled automatically
 # will be enabled when replicaCount > 1
 leaderElection:
-  enabled: false
   releaseOnCancel: true
   leaseDuration: 15
   renewDeadline: 10
@@ -819,7 +812,7 @@ ui:
   # -- optional banner text
   banner: ""
 
-  # -- DisplayMode dark/light
+  # -- DisplayMode dark/light/colorblind/colorblinddark
   # uses the OS configured prefered color scheme as default
   displayMode: ""
 
@@ -1190,8 +1183,6 @@ plugin:
     # if "blockReports" is disabled, leaderElection is also disabled automatically
     # will be enabled when replicaCount > 1
     leaderElection:
-      # -- Enables LeaderElection.
-      enabled: false
       # -- Lock Name
       lockName: kyverno-plugin
       # -- Released lock when the run context is cancelled.

diff --git a/cmd/send/summary.go b/cmd/send/summary.go
@@ -78,6 +78,12 @@ func NewSummaryCMD() *cobra.Command {
 				logger.Sugar().Infof("email sent to %s\n", strings.Join(c.EmailReports.Summary.To, ", "))
 			}()
 
+			nsclient, err := resolver.NamespaceClient()
+			if err != nil {
+				logger.Error("failed to get namespace client", zap.Error(err))
+				return err
+			}
+
 			for _, ch := range c.EmailReports.Violations.Channels {
 				go func(channel config.EmailReport) {
 					defer wg.Done()
@@ -87,7 +93,7 @@ func NewSummaryCMD() *cobra.Command {
 						return
 					}
 
-					sources := summary.FilterSources(data, config.EmailReportFilterFromConfig(channel.Filter), !channel.Filter.DisableClusterReports)
+					sources := summary.FilterSources(data, config.EmailReportFilterFromConfig(nsclient, channel.Filter), !channel.Filter.DisableClusterReports)
 					if len(sources) == 0 {
 						logger.Info("skip email - no results to send")
 						return

diff --git a/cmd/send/violations.go b/cmd/send/violations.go
@@ -78,6 +78,12 @@ func NewViolationsCMD() *cobra.Command {
 				logger.Sugar().Infof("email sent to %s\n", strings.Join(c.EmailReports.Violations.To, ", "))
 			}()
 
+			nsclient, err := resolver.NamespaceClient()
+			if err != nil {
+				logger.Error("failed to get namespace client", zap.Error(err))
+				return err
+			}
+
 			for _, ch := range c.EmailReports.Violations.Channels {
 				go func(channel config.EmailReport) {
 					defer wg.Done()
@@ -87,7 +93,7 @@ func NewViolationsCMD() *cobra.Command {
 						return
 					}
 
-					sources := violations.FilterSources(data, config.EmailReportFilterFromConfig(channel.Filter), !channel.Filter.DisableClusterReports)
+					sources := violations.FilterSources(data, config.EmailReportFilterFromConfig(nsclient, channel.Filter), !channel.Filter.DisableClusterReports)
 					if len(sources) == 0 {
 						logger.Info("skip email - no results to send")
 						return

diff --git a/pkg/config/resolver.go b/pkg/config/resolver.go
@@ -462,9 +462,14 @@ func (r *Resolver) SummaryGenerator() (*summary.Generator, error) {
 		return nil, err
 	}
 
+	nsclient, err := r.NamespaceClient()
+	if err != nil {
+		return nil, err
+	}
+
 	return summary.NewGenerator(
 		client,
-		EmailReportFilterFromConfig(r.config.EmailReports.Summary.Filter),
+		EmailReportFilterFromConfig(nsclient, r.config.EmailReports.Summary.Filter),
 		!r.config.EmailReports.Summary.Filter.DisableClusterReports,
 	), nil
 }
@@ -483,9 +488,14 @@ func (r *Resolver) ViolationsGenerator() (*violations.Generator, error) {
 		return nil, err
 	}
 
+	nsclient, err := r.NamespaceClient()
+	if err != nil {
+		return nil, err
+	}
+
 	return violations.NewGenerator(
 		client,
-		EmailReportFilterFromConfig(r.config.EmailReports.Violations.Filter),
+		EmailReportFilterFromConfig(nsclient, r.config.EmailReports.Violations.Filter),
 		!r.config.EmailReports.Violations.Filter.DisableClusterReports,
 	), nil
 }
@@ -639,13 +649,18 @@ func NewResolver(config *Config, k8sConfig *rest.Config) Resolver {
 	}
 }
 
-func EmailReportFilterFromConfig(config EmailReportFilter) email.Filter {
-	return email.NewFilter(ToRuleSet(config.Namespaces), ToRuleSet(config.Sources))
+func EmailReportFilterFromConfig(client namespaces.Client, config EmailReportFilter) email.Filter {
+	return email.NewFilter(
+		client,
+		ToRuleSet(config.Namespaces),
+		ToRuleSet(config.Sources),
+	)
 }
 
 func ToRuleSet(filter ValueFilter) validate.RuleSets {
 	return validate.RuleSets{
-		Include: filter.Include,
-		Exclude: filter.Exclude,
+		Include:  filter.Include,
+		Exclude:  filter.Exclude,
+		Selector: helper.ConvertMap(filter.Selector),
 	}
 }
diff --git a/pkg/email/filter.go b/pkg/email/filter.go
@@ -1,22 +1,40 @@
 package email
 
 import (
+	"context"
+
+	"github.com/kyverno/policy-reporter/pkg/kubernetes/namespaces"
 	"github.com/kyverno/policy-reporter/pkg/validate"
+	"go.uber.org/zap"
 )
 
 type Filter struct {
+	client    namespaces.Client
 	namespace validate.RuleSets
 	sources   validate.RuleSets
 }
 
 func (f Filter) ValidateSource(source string) bool {
-	return validate.ContainsRuleSet(source, f.sources)
+	return validate.MatchRuleSet(source, f.sources)
 }
 
 func (f Filter) ValidateNamespace(namespace string) bool {
-	return validate.Namespace(namespace, f.namespace)
+	ruleset := f.namespace
+
+	if len(f.namespace.Selector) > 0 {
+		list, err := f.client.List(context.Background(), f.namespace.Selector)
+		if err != nil {
+			zap.L().Error("failed to resolve namespace selector", zap.Error(err))
+		}
+
+		ruleset = validate.RuleSets{
+			Include: list,
+		}
+	}
+
+	return validate.Namespace(namespace, ruleset)
 }
 
-func NewFilter(namespaces, sources validate.RuleSets) Filter {
-	return Filter{namespaces, sources}
+func NewFilter(client namespaces.Client, namespaces, sources validate.RuleSets) Filter {
+	return Filter{client, namespaces, sources}
 }