feat: Emit different events for rejections and allowedwithviolations …

…conditions

README.md

@@ -88,9 +88,9 @@ metadata:
 spec:
 
   # (Optional) Action to perform with the conditions are not met
-  # Posible values: Enforce, Audit
+  # Posible values: Enforce, Permissive
   # Enforce: (default) Reject the object.
-  # Audit: Accept the object as if the conditions were met
+  # Permissive: Accept the object
   # Both results create an event in Kubernetes
   failureAction: Enforce
 

api/v1alpha1/clusteradmissionpolicy_types.go

@@ -22,8 +22,8 @@ import (
 )
 
 const (
-	FailureActionAudit   string = "Audit"
-	FailureActionEnforce string = "Enforce"
+	FailureActionPermissive string = "Permissive"
+	FailureActionEnforce    string = "Enforce"
 )
 
 // WatchedResourceT represents TODO

charts/admitik/Chart.yaml

@@ -6,8 +6,8 @@ type: application
 description: >-
   A Helm chart for Admitik, an admission controller for Kubernetes
   that allow resources entrance if conditions are met (realtime)
-version: 0.3.2 # chart version
-appVersion: "0.3.2" # admitik version
+version: 0.4.0 # chart version
+appVersion: "0.4.0" # admitik version
 kubeVersion: ">=1.22.0-0" # kubernetes version
 home: https://github.com/freepik-company/admitik
 sources:

config/samples/admitik_v1alpha1_clusteradmissionpolicy.yaml

@@ -7,7 +7,7 @@ metadata:
   name: avoid-colisioning-routes
 spec:
 
-  failureAction: Audit
+  failureAction: Permissive
 
   # Resources to be watched
   watchedResources:

internal/xyz/server.go

@@ -189,23 +189,27 @@ func (s *HttpServer) handleRequest(response http.ResponseWriter, request *http.R
 
 		// When some condition is not met, evaluate message's template and emit a response
 		if slices.Contains(conditionPassed, false) {
+
 			parsedMessage, err := template.EvaluateTemplate(caPolicyObj.Spec.Message.Template, &specificTemplateInjectedObject)
 			if err != nil {
 				logger.Info(fmt.Sprintf("failed parsing message template: %s", err.Error()))
 				return
 			}
 			reviewResponse.Response.Result.Message = parsedMessage
 
-			// When the policy is in Audit mode, allow it anyway
-			if caPolicyObj.Spec.FailureAction == v1alpha1.FailureActionAudit {
+			// When the policy is in Permissive mode, allow it anyway
+			var kubeEventAction string
+			if caPolicyObj.Spec.FailureAction == v1alpha1.FailureActionPermissive {
 				reviewResponse.Response.Allowed = true
+				kubeEventAction = "AllowedWithViolations"
 				logger.Info(fmt.Sprintf("object accepted with unmet conditions: %s", parsedMessage))
 			} else {
+				kubeEventAction = "Rejected"
 				logger.Info(fmt.Sprintf("object rejected due to unmet conditions: %s", parsedMessage))
 			}
 
 			// Create the Event in Kubernetes about involved object
-			err = createKubeEvent(request.Context(), "default", requestObject, caPolicyObj, parsedMessage)
+			err = createKubeEvent(request.Context(), "default", requestObject, caPolicyObj, kubeEventAction, parsedMessage)
 			if err != nil {
 				logger.Info(fmt.Sprintf("failed creating kubernetes event: %s", err.Error()))
 			}
@@ -246,7 +250,7 @@ func getKubeResourceList(ctx context.Context, group, version, resource, namespac
 
 // createKubeEvent TODO
 func createKubeEvent(ctx context.Context, namespace string, object map[string]interface{},
-	policy v1alpha1.ClusterAdmissionPolicy, message string) (err error) {
+	policy v1alpha1.ClusterAdmissionPolicy, action, message string) (err error) {
 
 	objectData, err := GetObjectBasicData(&object)
 	if err != nil {
@@ -261,8 +265,8 @@ func createKubeEvent(ctx context.Context, namespace string, object map[string]in
 		EventTime:           metav1.NewMicroTime(time.Now()),
 		ReportingController: "admitik",
 		ReportingInstance:   "admission-server",
-		Action:              "Reviewed",
-		Reason:              "ClusterAdmissionPolicyConfigured",
+		Action:              action,
+		Reason:              "ClusterAdmissionPolicyAudit",
 
 		Regarding: corev1.ObjectReference{
 			APIVersion: objectData["apiVersion"].(string),