Add constraint enforcement (#181)

Needed to flesh out last part of policy view
pluralsh · May 7, 2024 · 3bc855c · 3bc855c
1 parent eab3fca
commit 3bc855c
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 8 deletions.
diff --git a/go.mod b/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/open-policy-agent/gatekeeper/v3 v3.15.1
 	github.com/orcaman/concurrent-map/v2 v2.0.1
 	github.com/pkg/errors v0.9.1
-	github.com/pluralsh/console-client-go v0.5.2
+	github.com/pluralsh/console-client-go v0.5.6
 	github.com/pluralsh/controller-reconcile-helper v0.0.4
 	github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34
 	github.com/pluralsh/polly v0.1.8

diff --git a/go.sum b/go.sum
@@ -528,6 +528,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pluralsh/console-client-go v0.5.2 h1:vDiKzZ/vPFivr9TIXSSi/6Q1nOrH4y1huE5XkrCJ3D0=
 github.com/pluralsh/console-client-go v0.5.2/go.mod h1:eyCiLA44YbXiYyJh8303jk5JdPkt9McgCo5kBjk4lKo=
+github.com/pluralsh/console-client-go v0.5.6 h1:8CUQco0vJehtKabVVNHAkFE4V9UI9MaMKvYNgQRrJdo=
+github.com/pluralsh/console-client-go v0.5.6/go.mod h1:eyCiLA44YbXiYyJh8303jk5JdPkt9McgCo5kBjk4lKo=
 github.com/pluralsh/controller-reconcile-helper v0.0.4 h1:1o+7qYSyoeqKFjx+WgQTxDz4Q2VMpzprJIIKShxqG0E=
 github.com/pluralsh/controller-reconcile-helper v0.0.4/go.mod h1:AfY0gtteD6veBjmB6jiRx/aR4yevEf6K0M13/pGan/s=
 github.com/pluralsh/gophoenix v0.1.3-0.20231201014135-dff1b4309e34 h1:ab2PN+6if/Aq3/sJM0AVdy1SYuMAnq4g20VaKhTm/Bw=

diff --git a/internal/controller/constraint_controller.go b/internal/controller/constraint_controller.go
@@ -36,6 +36,15 @@ type BundleData struct {
 	Remediation       string `json:"remediation"`
 }
 
+type StatusViolation struct {
+	Group     string `json:"group"`
+	Version   string `json:"version"`
+	Kind      string `json:"kind"`
+	Name      string `json:"name"`
+	Namespace string `json:"namespace,omitempty"`
+	Message   string `json:"message"`
+}
+
 type ConstraintReconciler struct {
 	client.Client
 	Scheme        *runtime.Scheme
@@ -115,6 +124,11 @@ func GenerateAPIConstraint(instance *unstructured.Unstructured, template *templa
 		}
 	}
 
+	enforcement, found, _ := unstructured.NestedString(instance.Object, "spec", "enforcementAction")
+	if found {
+		pca.Enforcement = toEnforcement(enforcement)
+	}
+
 	violations, found, err := unstructured.NestedSlice(instance.Object, "status", "violations")
 	if err != nil {
 		return nil, err
@@ -180,11 +194,16 @@ func (r *ConstraintReconciler) ConstraintPodStatusToUnstructured(ctx context.Con
 	return u, template, nil
 }
 
-type StatusViolation struct {
-	Group     string `json:"group"`
-	Version   string `json:"version"`
-	Kind      string `json:"kind"`
-	Name      string `json:"name"`
-	Namespace string `json:"namespace,omitempty"`
-	Message   string `json:"message"`
+func toEnforcement(val string) *console.ConstraintEnforcement {
+	if val == "dryrun" {
+		return lo.ToPtr(console.ConstraintEnforcementDryRun)
+	}
+	if val == "warn" {
+		return lo.ToPtr(console.ConstraintEnforcementWarn)
+	}
+	if val == "deny" {
+		return lo.ToPtr(console.ConstraintEnforcementDeny)
+	}
+
+	return nil
 }