Implement default priority configuration

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.12.0
+
+* Add support for a special `default` key in the Policy Priority. The `default` key can be used to configure a global default priority instead of `error`
+
 ## 0.11.1
 
 * Use a Secret instead of ConfigMap to persist target configurations

README.md

@@ -135,7 +135,9 @@ You can combine multiple targets by setting the required `host` or `webhook` con
 
 ## Configure Policy Priorities
 
-By default kyverno PolicyReports has no priority or severity for policies. So every passed rule validation will be processed as notice, a failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities. So you can send them as warnings instead of errors. To configure the priorities create a ConfigMap in the `policy-reporter` namespace with the name `policy-reporter-priorities`. Configure each priority as value with the Policyname as key and the Priority as value. This Configuration is loaded and synchronized during runtime. Any change to this configmap will automaticly synchronized, no new deployment needed.
+By default kyverno PolicyReports has no priority or severity for policies. So every passed rule validation will be processed as notice, a failed validation is processed as error. To customize this you can configure a mapping from policies to fail priorities. So you can send them as debug, info or warnings instead of errors. To configure the priorities create a ConfigMap in the `policy-reporter` namespace with the name `policy-reporter-priorities`. Configure each priority as value with the __Policyname__ as key and the __Priority__ as value. This Configuration is loaded and synchronized during runtime. Any change to this configmap will automaticly synchronized, no new deployment needed.
+
+A special Policyname `default` is supported. The `default` configuration can be used to set a global default priority instead of `error`. 
 
 ###
 ```bash
@@ -149,6 +151,7 @@ metadata:
   name: policy-reporter-priorities
   namespace: policy-reporter
 data:
+  default: debug
   check-label-app: warning
   require-ns-labels: warning
 ```
@@ -177,5 +180,5 @@ helm install policy-reporter policy-reporter/policy-reporter --set metrics.servi
 
 # Todos
 * ~~Support for ClusterPolicyReports~~
-* ~~Additional Targets~~~
+* ~~Additional Targets~~
 * Filter

charts/policy-reporter/Chart.yaml

@@ -3,5 +3,5 @@ name: policy-reporter
 description: K8s PolicyReporter watches for wgpolicyk8s.io/v1alpha1.PolicyReport resources. It creates Prometheus Metrics and can send rule validation events to Loki
 
 type: application
-version: 0.11.1
-appVersion: 0.9.0
+version: 0.12.0
+appVersion: 0.10.0

charts/policy-reporter/values.yaml

@@ -48,7 +48,7 @@ metrics:
 image:
   repository: fjogeleit/policy-reporter
   pullPolicy: IfNotPresent
-  tag: 0.9.0
+  tag: 0.10.0
 
 imagePullSecrets: []
 

pkg/kubernetes/mapper.go

@@ -140,9 +140,7 @@ func (m *mapper) mapResult(result map[string]interface{}) report.Result {
 	}
 
 	if r.Status == report.Error || r.Status == report.Fail {
-		if priority, ok := m.priorityMap[r.Policy]; ok {
-			r.Priority = report.NewPriority(priority)
-		}
+		r.Priority = m.resolvePriority(r.Policy)
 	}
 
 	if rule, ok := result["rule"]; ok {
@@ -160,7 +158,22 @@ func (m *mapper) mapResult(result map[string]interface{}) report.Result {
 	return r
 }
 
+func (m *mapper) resolvePriority(policy string) report.Priority {
+	if priority, ok := m.priorityMap[policy]; ok {
+		return report.NewPriority(priority)
+	}
+
+	if priority, ok := m.priorityMap["default"]; ok {
+		return report.NewPriority(priority)
+	}
+
+	return report.Priority(report.ErrorPriority)
+}
+
 // NewMapper creates an new Mapper instance
-func NewMapper(priorityMap map[string]string) Mapper {
-	return &mapper{priorityMap}
+func NewMapper(priorities map[string]string) Mapper {
+	m := &mapper{}
+	m.SetPriorityMap(priorities)
+
+	return m
 }

pkg/kubernetes/mapper_test.go

@@ -278,15 +278,41 @@ func Test_MapMinClusterPolicyReport(t *testing.T) {
 	}
 }
 
-func Test_MapperSetPriorityMap(t *testing.T) {
-	mapper := kubernetes.NewMapper(make(map[string]string))
-	mapper.SetPriorityMap(map[string]string{"required-label": "debug"})
+func Test_PriorityMap(t *testing.T) {
+	t.Run("Test exact match, without default", func(t *testing.T) {
+		mapper := kubernetes.NewMapper(map[string]string{"required-label": "debug"})
 
-	preport := mapper.MapPolicyReport(policyMap)
+		preport := mapper.MapPolicyReport(policyMap)
 
-	result1 := preport.Results["required-label__app-label-required__fail__dfd57c50-f30c-4729-b63f-b1954d8988d1"]
+		result1 := preport.Results["required-label__app-label-required__fail__dfd57c50-f30c-4729-b63f-b1954d8988d1"]
 
-	if result1.Priority != report.DebugPriority {
-		t.Errorf("Expected Policy '%d' (acutal %d)", report.DebugPriority, result1.Priority)
-	}
+		if result1.Priority != report.DebugPriority {
+			t.Errorf("Expected Policy '%d' (acutal %d)", report.DebugPriority, result1.Priority)
+		}
+	})
+
+	t.Run("Test exact match handled over default", func(t *testing.T) {
+		mapper := kubernetes.NewMapper(map[string]string{"required-label": "debug", "default": "warning"})
+
+		preport := mapper.MapPolicyReport(policyMap)
+
+		result1 := preport.Results["required-label__app-label-required__fail__dfd57c50-f30c-4729-b63f-b1954d8988d1"]
+
+		if result1.Priority != report.DebugPriority {
+			t.Errorf("Expected Policy '%d' (acutal %d)", report.DebugPriority, result1.Priority)
+		}
+	})
+
+	t.Run("Test default expressions", func(t *testing.T) {
+		mapper := kubernetes.NewMapper(make(map[string]string))
+		mapper.SetPriorityMap(map[string]string{"default": "warning"})
+
+		preport := mapper.MapPolicyReport(policyMap)
+
+		result1 := preport.Results["required-label__app-label-required__fail__dfd57c50-f30c-4729-b63f-b1954d8988d1"]
+
+		if result1.Priority != report.WarningPriority {
+			t.Errorf("Expected Policy '%d' (acutal %d)", report.WarningPriority, result1.Priority)
+		}
+	})
 }