

fix: make audit fault tolerant (#2447)
Signed-off-by: Rita Zhang <[email protected]>

Signed-off-by: Rita Zhang <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>
ritazh and sozercan authored Dec 14, 2022
1 parent 1b80ba2 commit 0fdd27e
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions pkg/audit/manager.go
Expand Up @@ -56,7 +56,7 @@ var (
auditInterval = flag.Uint("audit-interval", defaultAuditInterval, "interval to run audit in seconds. defaulted to 60 secs if unspecified, 0 to disable")
constraintViolationsLimit = flag.Uint("constraint-violations-limit", defaultConstraintViolationsLimit, "limit of number of violations per constraint. defaulted to 20 violations if unspecified")
auditChunkSize = flag.Uint64("audit-chunk-size", defaultListLimit, "(alpha) Kubernetes API chunking List results when retrieving cluster resources using discovery client. defaulted to 500 if unspecified")
auditFromCache = flag.Bool("audit-from-cache", false, "pull resources from OPA cache when auditing")
auditFromCache = flag.Bool("audit-from-cache", false, "pull resources from audit cache when auditing")
emitAuditEvents = flag.Bool("emit-audit-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace with detailed info for each violation from an audit")
auditMatchKindOnly = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)")
apiCacheDir = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit")
Expand Down Expand Up @@ -481,7 +481,7 @@ func (am *Manager) auditFromCache(ctx context.Context) ([]Result, []error) {
}
resp, err := am.opa.Review(ctx, au)
if err != nil {
errs = append(errs, fmt.Errorf("validating %v %s/%s: %v", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName(), err))
am.log.Error(err, "Unable to review object from audit cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName())
continue
}

Expand Down Expand Up @@ -586,8 +586,7 @@ func (am *Manager) reviewObjects(ctx context.Context, kind string, folderCount i
}
resultantResp, err := am.opa.Review(ctx, au)
if err != nil {
// updated to not return err immediately
errs = append(errs, err)
am.log.Error(err, "Unable to review expanded object", "objName", (*resultant.Obj).GetName(), "objNs", ns)
continue
}
expansion.OverrideEnforcementAction(resultant.EnforcementAction, resultantResp)
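Review bot: The new log call in the second hunk (`am.log.Error(err, "Unable to review object from audit cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName())`) mixes printf verbs into a message that the logger will not format, and passes three trailing values where a structured logger expects key/value pairs; if am.log is a logr-style logger, as the key/value form used in the third hunk suggests, the message is emitted with the literal `%v %s/%s` and the identifiers land as a malformed, odd-length key/value list. Rewrite it in the same shape as the third hunk: `am.log.Error(err, "Unable to review object from audit cache", "gvk", obj.GroupVersionKind().String(), "objNs", obj.GetNamespace(), "objName", obj.GetName())`. Since both hunks now log and `continue` instead of appending to `errs`, a review failure drops that object from the audit result without being reflected in the returned error list; a short comment at each `continue`, such as `// review failures are logged, not returned, so one bad object cannot abort the whole audit`, would make that trade-off explicit for readers of the results. The enclosing functions auditFromCache and reviewObjects both start and end outside the shown hunks.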

