From ec1723da8fe696f6d073f458f26840550d50aec0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alby=20Hern=C3=A1ndez?=
Date: Wed, 20 Nov 2024 15:41:55 +0000
Subject: [PATCH] feat: Emit different events for rejections and allowedwithviolations conditions

---
 README.md                                        | 4 ++--
 api/v1alpha1/clusteradmissionpolicy_types.go     | 4 ++--
 charts/admitik/Chart.yaml                        | 4 ++--
 .../admitik_v1alpha1_clusteradmissionpolicy.yaml | 2 +-
 internal/xyz/server.go                           | 16 ++++++++++------
 5 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 933fe34..04b07d6 100644
--- a/README.md
+++ b/README.md
@@ -88,9 +88,9 @@ metadata:
 spec:
   # (Optional) Action to perform with the conditions are not met
-  # Posible values: Enforce, Audit
+  # Posible values: Enforce, Permissive
   # Enforce: (default) Reject the object.
-  # Audit: Accept the object as if the conditions were met
+  # Permissive: Accept the object
   # Both results create an event in Kubernetes
   failureAction: Enforce
diff --git a/api/v1alpha1/clusteradmissionpolicy_types.go b/api/v1alpha1/clusteradmissionpolicy_types.go
index 2c8f984..9541846 100644
--- a/api/v1alpha1/clusteradmissionpolicy_types.go
+++ b/api/v1alpha1/clusteradmissionpolicy_types.go
@@ -22,8 +22,8 @@ import (
 )
 const (
-	FailureActionAudit   string = "Audit"
-	FailureActionEnforce string = "Enforce"
+	FailureActionPermissive string = "Permissive"
+	FailureActionEnforce    string = "Enforce"
 )
 // WatchedResourceT represents TODO
diff --git a/charts/admitik/Chart.yaml b/charts/admitik/Chart.yaml
index 5d18c8b..a3428b7 100644
--- a/charts/admitik/Chart.yaml
+++ b/charts/admitik/Chart.yaml
@@ -6,8 +6,8 @@ type: application
 description: >-
   A Helm chart for Admitik, an admission controller for Kubernetes that allow resources entrance if conditions are met (realtime)
-version: 0.3.2 # chart version
-appVersion: "0.3.2" # admitik version
+version: 0.4.0 # chart version
+appVersion: "0.4.0" # admitik version
 kubeVersion: ">=1.22.0-0" # kubernetes version
 home: https://github.com/freepik-company/admitik
 sources:
diff --git a/config/samples/admitik_v1alpha1_clusteradmissionpolicy.yaml b/config/samples/admitik_v1alpha1_clusteradmissionpolicy.yaml
index 9d48ff2..b36982f 100644
--- a/config/samples/admitik_v1alpha1_clusteradmissionpolicy.yaml
+++ b/config/samples/admitik_v1alpha1_clusteradmissionpolicy.yaml
@@ -7,7 +7,7 @@ metadata:
   name: avoid-colisioning-routes
 spec:
-  failureAction: Audit
+  failureAction: Permissive
   # Resources to be watched
   watchedResources:
diff --git a/internal/xyz/server.go b/internal/xyz/server.go
index 66b6aad..5ca49ae 100644
--- a/internal/xyz/server.go
+++ b/internal/xyz/server.go
@@ -189,6 +189,7 @@ func (s *HttpServer) handleRequest(response http.ResponseWriter, request *http.R
 		// When some condition is not met, evaluate message's template and emit a response
 		if slices.Contains(conditionPassed, false) {
+
 			parsedMessage, err := template.EvaluateTemplate(caPolicyObj.Spec.Message.Template, &specificTemplateInjectedObject)
 			if err != nil {
 				logger.Info(fmt.Sprintf("failed parsing message template: %s", err.Error()))
@@ -196,16 +197,19 @@ func (s *HttpServer) handleRequest(response http.ResponseWriter, request *http.R
 			}
 			reviewResponse.Response.Result.Message = parsedMessage
-			// When the policy is in Audit mode, allow it anyway
-			if caPolicyObj.Spec.FailureAction == v1alpha1.FailureActionAudit {
+			// When the policy is in Permissive mode, allow it anyway
+			var kubeEventAction string
+			if caPolicyObj.Spec.FailureAction == v1alpha1.FailureActionPermissive {
 				reviewResponse.Response.Allowed = true
+				kubeEventAction = "AllowedWithViolations"
 				logger.Info(fmt.Sprintf("object accepted with unmet conditions: %s", parsedMessage))
 			} else {
+				kubeEventAction = "Rejected"
 				logger.Info(fmt.Sprintf("object rejected due to unmet conditions: %s", parsedMessage))
 			}
 			// Create the Event in Kubernetes about involved object
-			err = createKubeEvent(request.Context(), "default", requestObject, caPolicyObj, parsedMessage)
+			err = createKubeEvent(request.Context(), "default", requestObject, caPolicyObj, kubeEventAction, parsedMessage)
 			if err != nil {
 				logger.Info(fmt.Sprintf("failed creating kubernetes event: %s", err.Error()))
 			}
@@ -246,7 +250,7 @@ func getKubeResourceList(ctx context.Context, group, version, resource, namespac
 // createKubeEvent TODO
 func createKubeEvent(ctx context.Context, namespace string, object map[string]interface{},
-	policy v1alpha1.ClusterAdmissionPolicy, message string) (err error) {
+	policy v1alpha1.ClusterAdmissionPolicy, action, message string) (err error) {
 	objectData, err := GetObjectBasicData(&object)
 	if err != nil {
@@ -261,8 +265,8 @@ func createKubeEvent(ctx context.Context, namespace string, object map[string]in
 		EventTime:           metav1.NewMicroTime(time.Now()),
 		ReportingController: "admitik",
 		ReportingInstance:   "admission-server",
-		Action:              "Reviewed",
-		Reason:              "ClusterAdmissionPolicyConfigured",
+		Action:              action,
+		Reason:              "ClusterAdmissionPolicyAudit",
 		Regarding: corev1.ObjectReference{
 			APIVersion: objectData["apiVersion"].(string),
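Review bot: Any FailureAction value other than Permissive now takes the else branch and is rejected, so a ClusterAdmissionPolicy still carrying the previous `Audit` value (the constant removed in the api/v1alpha1/clusteradmissionpolicy_types.go hunk) silently flips from allow to reject after this upgrade; fail-closed is the right default for an admission controller, but the fallthrough should be explicit rather than implicit. Unless the CRD constrains the field with an enum validation marker (not visible in this diff), log the unrecognised value in the else branch, e.g. `logger.Info(fmt.Sprintf("unknown failureAction %q, treating as %s", caPolicyObj.Spec.FailureAction, v1alpha1.FailureActionEnforce))`, and call the rename out as a breaking change in the release notes. The two event action strings `"AllowedWithViolations"` and `"Rejected"` are bare literals here while createKubeEvent writes them straight into the Event's Action field; exported constants beside the FailureAction ones (e.g. `EventActionRejected`) would keep both sides in sync and make the values greppable for alerting on rejections. handleRequest starts and ends outside this hunk.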
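Review bot: The doc comment on createKubeEvent is still the `// createKubeEvent TODO` stub even though the signature gains an `action` parameter whose value ends up in the Event's Action field, so callers have no guidance on what to pass. Suggested replacement: `// createKubeEvent records a Kubernetes Event for object in namespace, attributing it to policy; action is the short outcome label (Rejected or AllowedWithViolations) written to the Event's Action field and message is its human-readable detail.` The function body and the Event construction continue outside this hunk.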