ACM-34249: Add Kyverno CEL-based discovered policy types #6331

Open

Randy424 wants to merge 2 commits into stolostron:main from Randy424:ACM-34249/kyverno-discovered-policies

Conversation

@Randy424 Randy424 commented Jun 10, 2026

Contributor

Summary

Adds support for the 8 new Kyverno CEL-based policy types (policies.kyverno.io/v1) to the Discovered Policies page, alongside the existing legacy types (kyverno.io/v1). Legacy types now display a deprecation label.

Changes:

  • Search queries expanded with 8 new kinds: ValidatingPolicy, MutatingPolicy, GeneratingPolicy, ImageValidatingPolicy, and their Namespaced variants
  • Kind filter dropdown includes all new types (prefixed with "Kyverno")
  • Deprecation label (orange ExclamationTriangleIcon) on legacy kyverno.io policy names
  • Response action filter adds Kyverno Deny option for new types using validationActions[]
  • Violation summary deduplicates namespaced types by cluster:name
  • Helper functions: isKyvernoApiGroup(), isLegacyKyvernoApiGroup(); getEngineString() handles policies.kyverno.io
  • All apiGroup === 'kyverno.io' checks updated to isKyvernoApiGroup() for both API groups

Design doc: ACM-DDR-074

Test plan

  • Verify 8 new Kyverno types appear in the Kind filter dropdown
  • Verify legacy kyverno.io ClusterPolicy/Policy rows show orange "Deprecated" label
  • Verify new policies.kyverno.io types do NOT show deprecation label
  • Verify violation counts are correct for new types (uses totalViolations)
  • Verify namespaced types show Namespace column in detail views
  • Verify Kyverno Deny response action filter works for new types
  • Verify existing Gatekeeper, OPA, and Kubernetes policy types are unaffected
  • Unit tests pass (98 total, 23 new)

Signed-off-by: Randy Bruno Piverger 21374229+Randy424@users.noreply.github.com

Summary by CodeRabbit

  • New Features

    • Added support for additional Kyverno policy types and detection of both legacy and newer Kyverno API groups; engine labeling updated accordingly.
    • Policy compliance and violation counting now consistently handle all Kyverno-related groups.
  • UI/UX Improvements

    • Show compact “Deprecated” badge for legacy Kyverno policies; expanded kind filters and updated columns for Kyverno resources.
    • Response-action filtering includes Kyverno Deny/Audit/Enforce options.
  • Tests

    • Added tests for detection, grouping, filtering, and violation aggregation across Kyverno API groups.
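As an added example (not code from this PR or from the stolostron console), the helpers and the response-action logic the description lists, modelled stand-alone in TypeScript so the behaviour can be checked outside the UI. The row shape, the Gatekeeper mapping in getEngineString, the Audit default for legacy policies and the "Deny wins" collapse of validationActions[] are assumptions made for the illustration.

```typescript
// Added illustration, not the console's own code: helper names follow the PR
// description, but their bodies, the row shape and the defaults are assumed.

const LEGACY_KYVERNO_API_GROUP = 'kyverno.io'
const CEL_KYVERNO_API_GROUP = 'policies.kyverno.io'

// The four cluster-scoped CEL kinds; each also exists as a Namespaced* variant.
const CEL_KYVERNO_BASE_KINDS: string[] = [
  'ValidatingPolicy',
  'MutatingPolicy',
  'GeneratingPolicy',
  'ImageValidatingPolicy',
]

function isLegacyKyvernoApiGroup(apiGroup: string | undefined): boolean {
  return apiGroup === LEGACY_KYVERNO_API_GROUP
}

function isKyvernoApiGroup(apiGroup: string | undefined): boolean {
  return isLegacyKyvernoApiGroup(apiGroup) || apiGroup === CEL_KYVERNO_API_GROUP
}

// All eight policies.kyverno.io kinds, in the order a Kind filter would list them.
function celKyvernoKinds(): string[] {
  const kinds: string[] = []
  for (const kind of CEL_KYVERNO_BASE_KINDS) kinds.push(kind, `Namespaced${kind}`)
  return kinds
}

// Kind filter labels carry the engine prefix so a Kyverno "Policy" is not
// mistaken for an OCM Policy, which shares the kind name.
function kindFilterLabel(apiGroup: string, kind: string): string {
  return isKyvernoApiGroup(apiGroup) ? `Kyverno ${kind}` : kind
}

// Namespace-scoped Kyverno kinds: the legacy Policy and every Namespaced* CEL kind.
function isNamespacedKyvernoKind(apiGroup: string, kind: string): boolean {
  if (isLegacyKyvernoApiGroup(apiGroup)) return kind === 'Policy'
  if (apiGroup === CEL_KYVERNO_API_GROUP) return kind.indexOf('Namespaced') === 0
  return false
}

function getEngineString(apiGroup: string | undefined): string {
  if (isKyvernoApiGroup(apiGroup)) return 'Kyverno'
  if (apiGroup === 'constraints.gatekeeper.sh') return 'Gatekeeper' // assumed mapping
  return 'Unknown'
}

// Assumed row shape carrying the two ways Kyverno expresses enforcement:
// legacy spec.validationFailureAction (Audit | Enforce) and
// CEL spec.validationActions[] (Deny | Audit | Warn).
interface KyvernoPolicyRow {
  apigroup: string
  kind: string
  name: string
  validationFailureAction?: string
  validationActions?: string[]
}

// Collapse a policy's actions to the single value shown in the table. For CEL
// policies Deny wins: [Audit, Deny] both records and blocks, and blocking is
// what an operator filtering on "Kyverno Deny" is looking for.
function getResponseAction(row: KyvernoPolicyRow): string {
  if (isLegacyKyvernoApiGroup(row.apigroup)) {
    return row.validationFailureAction ?? 'Audit' // assumed default when unset
  }
  if (row.apigroup === CEL_KYVERNO_API_GROUP) {
    const actions = row.validationActions ?? []
    if (actions.indexOf('Deny') !== -1) return 'Deny'
    if (actions.indexOf('Audit') !== -1) return 'Audit'
    return actions.length > 0 ? actions[0] : '-' // Warn only, or nothing set
  }
  return '-'
}

// Table filter: "Deny" only ever matches CEL policies, "Enforce" only legacy ones.
function matchesResponseActionFilter(row: KyvernoPolicyRow, selected: string[]): boolean {
  return selected.length === 0 || selected.indexOf(getResponseAction(row)) !== -1
}
```

The practical point of the Deny-wins collapse is that a CEL policy whose validationActions is only Audit or Warn never blocks an admission request, so a "Kyverno Deny" filter that reports it as enforcing would overstate the cluster's protection.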

openshift-ci Bot commented Jun 10, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Randy424

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai Bot commented Jun 10, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 36a7dc3e-0b05-4f12-8fc1-a08c234780e2

📥 Commits

Reviewing files that changed from the base of the PR and between 074fccd and a91e07c.

📒 Files selected for processing (1)
  • frontend/src/routes/Governance/discovered/details/common.tsx
🚧 Files skipped from review as they are similar to previous changes (1)
  • frontend/src/routes/Governance/discovered/details/common.tsx

📝 Walkthrough

Walkthrough

Centralize Kyverno API-group detection (kyverno.io + policies.kyverno.io) and apply it across discovery, grouping, rendering, filtering, fetching, and tests.

Changes

Kyverno API Group Expansion

Layer, files, and summary:

  • Shared predicates and engine mapping
    frontend/src/routes/Governance/common/util.tsx, frontend/src/routes/Governance/common/util.test.tsx
    Add isKyvernoApiGroup() (kyverno.io + policies.kyverno.io), isLegacyKyvernoApiGroup() (kyverno.io only), and map policies.kyverno.io in getEngineString. Tests added for predicates and engine mapping.
  • Policy grouping and response-action enrichment
    frontend/src/routes/Governance/discovered/grouping.ts, frontend/src/routes/Governance/discovered/grouping.test.ts
    Introduce internal isKyvernoApiGroup() and refactor grouping: response-action detection, related-item processing, policyReport aggregation, and violation/responseAction enrichment. Add tests for policies.kyverno.io Validating/NamespacedValidating policies.
  • DiscoveredPolicies UI and tests
    frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx, frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
    Pass translation function to nameCell; render compact orange “deprecated” label for legacy Kyverno policies; expand Kind filter options and switch Kind filter to use isKyvernoApiGroup(). Update test expectation to include “Deprecated”.
  • Details route compliance & response-action filter
    frontend/src/routes/Governance/discovered/details/common.tsx, frontend/src/routes/Governance/discovered/details/common.test.tsx
    Use isKyvernoApiGroup()/isLegacyKyvernoApiGroup() in policyViolationSummary, getCompliance, Violations cell/export logic, and getResponseActionFilter(); add “Kyverno Deny” option and tests validating Deny/Audit behavior and new policy kinds.
  • DiscoveredResources & DiscoveredByCluster rendering
    frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx, frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
    Replace hardcoded kyverno.io checks with isKyvernoApiGroup() to gate Reason column, kyvernoMessages rendering, Namespace extra column, and cluster-violations compliance branching.
  • Data fetching: search query updates
    frontend/src/routes/Governance/discovered/useFetchPolicies.tsx
    Replace direct kyverno.io checks with isKyvernoApiGroup(); add searchQuery entry for policies.kyverno.io covering validating/mutating/generating and namespaced variants with ClusterPolicyReport/PolicyReport related kinds.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 11.11%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The PR title clearly summarizes the main change: adding support for new Kyverno CEL-based policy types (policies.kyverno.io) to the Discovered Policies page, which directly matches the changeset scope.
  • Description check: ✅ Passed. The PR description covers all required sections: summary of changes with specific details (8 new kinds, filtering, deprecation label, helper functions), test plan with concrete verification steps, and proper attribution via sign-off.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

🧹 Nitpick comments (1)
frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx (1)

66-69: 💤 Low value

Consider using isLegacyKyvernoApiGroup helper for consistency.

For consistency with the rest of the PR's centralized API-group checks, line 67 could use isLegacyKyvernoApiGroup(apiGroup) instead of the hardcoded apiGroup === 'kyverno.io'.

♻️ Proposed refactor for consistency
-    } else if (
-      (apiGroup === 'kyverno.io' && policyKind === 'Policy') ||
-      (apiGroup === 'policies.kyverno.io' && policyKind.startsWith('Namespaced'))
-    ) {
+    } else if (
+      (isLegacyKyvernoApiGroup(apiGroup) && policyKind === 'Policy') ||
+      (apiGroup === 'policies.kyverno.io' && policyKind.startsWith('Namespaced'))
+    ) {
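Review bot: the refactor centralizes only the legacy comparison; the next line of the same condition still hardcodes apiGroup === 'policies.kyverno.io', so the check is half-consistent and a third API group would again have to be patched in two places. If consistency is the goal, give the CEL group the same treatment, either a sibling predicate next to isLegacyKyvernoApiGroup in common/util.tsx (a hypothetical helper, not one the PR defines) or a shared exported constant for the group string. Also confirm DiscoveredByCluster.tsx imports isLegacyKyvernoApiGroup from common/util; the hunk does not show the import, and without it the suggested change fails to compile.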
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx`
around lines 66 - 69, Replace the hardcoded legacy Kyverno API-group check in
DiscoveredByCluster's conditional ((apiGroup === 'kyverno.io' && policyKind ===
'Policy') ...) with the centralized helper isLegacyKyvernoApiGroup(apiGroup);
update the condition to use isLegacyKyvernoApiGroup(apiGroup) && policyKind ===
'Policy' (keeping the other policies.kyverno.io check intact), and add an import
for isLegacyKyvernoApiGroup at the top of the file if it's not already imported
so the DiscoveredByCluster component uses the shared API-group helper
consistently.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a591d4b6-c6d7-4114-8ce5-1720075ffbf8

📥 Commits

Reviewing files that changed from the base of the PR and between f126d97 and 8170a3d.

📒 Files selected for processing (11)
  • frontend/src/routes/Governance/common/util.test.tsx
  • frontend/src/routes/Governance/common/util.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx
  • frontend/src/routes/Governance/discovered/details/common.test.tsx
  • frontend/src/routes/Governance/discovered/details/common.tsx
  • frontend/src/routes/Governance/discovered/grouping.test.ts
  • frontend/src/routes/Governance/discovered/grouping.ts
  • frontend/src/routes/Governance/discovered/useFetchPolicies.tsx

Add support for new policies.kyverno.io/v1 API group types
(ValidatingPolicy, MutatingPolicy, GeneratingPolicy,
ImageValidatingPolicy and their Namespaced variants) alongside
existing kyverno.io/v1 types. Legacy types display a deprecation
label. Includes unit tests covering new helper functions, grouping
logic, violation summary, and response action filters.

Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Randy424 force-pushed the ACM-34249/kyverno-discovered-policies branch from 8170a3d to 074fccd on June 11, 2026 at 05:26

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
frontend/src/routes/Governance/discovered/details/common.test.tsx (1)

257-280: ⚡ Quick win

Replace any casts in the new response-action filter tests.

Lines 257, 268, and 280 use any, which bypasses strict typing in this frontend test path.

Proposed fix
-    const denyOption = filter.options.find((o: any) => o.value === 'Deny')
+    const denyOption = filter.options.find((o) => o.value === 'Deny')

-    const item = {
+    const item: Pick<DiscoveredPolicyItem, 'apigroup' | 'responseAction'> = {
       apigroup: 'policies.kyverno.io',
       responseAction: 'Deny',
-    } as any
+    }

-    const item = {
+    const item: Pick<DiscoveredPolicyItem, 'apigroup' | 'responseAction'> = {
       apigroup: 'kyverno.io',
       responseAction: 'Audit',
-    } as any
+    }
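Review bot: the Pick<DiscoveredPolicyItem, 'apigroup' | 'responseAction'> annotation only compiles if DiscoveredPolicyItem is exported from the details module and imported into common.test.tsx, and if filter.tableFilterFn accepts a partial item; if its parameter is typed as the full DiscoveredPolicyItem, the typed `item` will be rejected at the call site and the test needs either a complete fixture or an `as unknown as DiscoveredPolicyItem` cast, as the agent prompt below suggests. That cast is still better than `as any` because it makes the narrowing explicit and keeps the rest of the test under strict typing. For the `filter.options.find((o) => o.value === 'Deny')` change, check that getResponseActionFilter declares a typed options array; otherwise `o` has no contextual type to infer from.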

As per coding guidelines, “Avoid any type — use unknown if the type is truly unknown.”

#!/bin/bash
rg -nP '\bas\s+any\b|:\s*any\b' frontend/src/routes/Governance/discovered/details/common.test.tsx
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/Governance/discovered/details/common.test.tsx` around
lines 257 - 280, Replace the unsafe "as any" casts in the tests by giving the
test items a concrete type or using unknown then narrowing: declare a small
interface/type (e.g., ResponseActionItem { apigroup: string; responseAction:
string }) and type the test item constants with it (const item:
ResponseActionItem = { ... }) and ensure calls to filter.tableFilterFn receive
that typed item; alternatively, if the real shape is unknown, cast with "as
unknown as ResponseActionItem" rather than "as any". Update occurrences around
denyOption/test blocks and the tests that call getResponseActionFilter and
tableFilterFn to use the new typed item instead of "as any".
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/src/routes/Governance/discovered/details/common.tsx`:
- Around line 38-43: The code treats namespaced Kyverno policies via
isNamespacedKyverno and calls addComplianceToKyvernoPolicyViolations(policy,
compliance, kyvernoPolicyViolations) then continues before the later
disabled-policy check, so disabled policies get aggregated; fix by performing
the disabled check before handling namespaced Kyverno entries (or include the
disabled condition in the isNamespacedKyverno branch) so that policies with
disabled truthy flag are skipped and not passed to
addComplianceToKyvernoPolicyViolations; update the control flow around
isNamespacedKyverno, addComplianceToKyvernoPolicyViolations, and the existing
disabled check to ensure disabled policies are filtered out first.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 89f10099-b089-458e-8b94-badbb06a7b2d

📥 Commits

Reviewing files that changed from the base of the PR and between 8170a3d and 074fccd.

📒 Files selected for processing (11)
  • frontend/src/routes/Governance/common/util.test.tsx
  • frontend/src/routes/Governance/common/util.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx
  • frontend/src/routes/Governance/discovered/details/common.test.tsx
  • frontend/src/routes/Governance/discovered/details/common.tsx
  • frontend/src/routes/Governance/discovered/grouping.test.ts
  • frontend/src/routes/Governance/discovered/grouping.ts
  • frontend/src/routes/Governance/discovered/useFetchPolicies.tsx
✅ Files skipped from review due to trivial changes (1)
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
🚧 Files skipped from review as they are similar to previous changes (8)
  • frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx
  • frontend/src/routes/Governance/common/util.tsx
  • frontend/src/routes/Governance/discovered/useFetchPolicies.tsx
  • frontend/src/routes/Governance/discovered/grouping.test.ts
  • frontend/src/routes/Governance/common/util.test.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx
  • frontend/src/routes/Governance/discovered/grouping.ts

Comment thread frontend/src/routes/Governance/discovered/details/common.tsx
…ummary

Move the disabled-policy check before the isNamespacedKyverno branch
so that disabled policies are skipped instead of being passed to
addComplianceToKyvernoPolicyViolations.

Signed-off-by: Randy Bruno Piverger <21374229+Randy424@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
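An added example, not the console's code, of the policyViolationSummary control flow that the inline review comment above and this commit describe: the disabled check runs before the namespaced-Kyverno branch, so a disabled policy is never aggregated, and namespaced rows are deduplicated by cluster:name. The row fields, the totalViolations-based compliance for policies.kyverno.io kinds and the "worst status wins" merge for duplicate namespaced rows are assumptions; the input rows are constructed for the illustration.

```typescript
// Added illustration, not the console's own code. Field names and the
// worst-status merge for namespaced duplicates are assumptions.

type Compliance = 'compliant' | 'noncompliant' | 'unknown'

interface DiscoveredRow {
  cluster: string
  apigroup: string
  kind: string
  name: string
  namespace?: string
  compliant?: Compliance // legacy rows already carry a compliance value
  totalViolations?: number // CEL rows: violations summed from their PolicyReports (assumed)
  disabled?: boolean
}

interface ViolationSummary {
  compliant: number
  noncompliant: number
  unknown: number
}

// Legacy Policy and every Namespaced* CEL kind are namespace-scoped.
function isNamespacedKyverno(row: DiscoveredRow): boolean {
  if (row.apigroup === 'kyverno.io') return row.kind === 'Policy'
  if (row.apigroup === 'policies.kyverno.io') return row.kind.indexOf('Namespaced') === 0
  return false
}

function complianceOf(row: DiscoveredRow): Compliance {
  if (row.apigroup === 'policies.kyverno.io') {
    if (row.totalViolations === undefined) return 'unknown'
    return row.totalViolations > 0 ? 'noncompliant' : 'compliant'
  }
  return row.compliant ?? 'unknown'
}

// Lower rank is worse. A namespaced policy seen in several namespaces of one
// cluster is counted once, at its worst status, so one bad namespace is not
// hidden behind several compliant ones.
const RANK: Record<Compliance, number> = { noncompliant: 0, unknown: 1, compliant: 2 }
function worse(a: Compliance | undefined, b: Compliance): Compliance {
  return a !== undefined && RANK[a] < RANK[b] ? a : b
}

function policyViolationSummary(rows: DiscoveredRow[]): ViolationSummary {
  const summary: ViolationSummary = { compliant: 0, noncompliant: 0, unknown: 0 }
  const namespaced: Record<string, Compliance> = {} // keyed by cluster:name

  for (const row of rows) {
    // Disabled check first: a disabled policy must never reach the
    // namespaced aggregation below (the ordering the review comment flagged).
    if (row.disabled) continue
    if (isNamespacedKyverno(row)) {
      const key = `${row.cluster}:${row.name}`
      namespaced[key] = worse(namespaced[key], complianceOf(row))
      continue
    }
    summary[complianceOf(row)] += 1
  }
  for (const key of Object.keys(namespaced)) summary[namespaced[key]] += 1
  return summary
}

// Constructed sample rows: one namespaced legacy Policy present in two
// namespaces of c1 (one noncompliant), a disabled copy on c2, a CEL
// NamespacedValidatingPolicy in two namespaces, and a CEL row with no report yet.
const SAMPLE_ROWS: DiscoveredRow[] = [
  { cluster: 'c1', apigroup: 'kyverno.io', kind: 'ClusterPolicy', name: 'require-labels', compliant: 'compliant' },
  { cluster: 'c1', apigroup: 'kyverno.io', kind: 'Policy', name: 'restrict-host', namespace: 'a', compliant: 'compliant' },
  { cluster: 'c1', apigroup: 'kyverno.io', kind: 'Policy', name: 'restrict-host', namespace: 'b', compliant: 'noncompliant' },
  { cluster: 'c2', apigroup: 'kyverno.io', kind: 'Policy', name: 'restrict-host', namespace: 'a', compliant: 'noncompliant', disabled: true },
  { cluster: 'c1', apigroup: 'policies.kyverno.io', kind: 'ValidatingPolicy', name: 'check-images', totalViolations: 0 },
  { cluster: 'c1', apigroup: 'policies.kyverno.io', kind: 'NamespacedValidatingPolicy', name: 'ns-check', namespace: 'a', totalViolations: 2 },
  { cluster: 'c1', apigroup: 'policies.kyverno.io', kind: 'NamespacedValidatingPolicy', name: 'ns-check', namespace: 'b', totalViolations: 0 },
  { cluster: 'c2', apigroup: 'policies.kyverno.io', kind: 'MutatingPolicy', name: 'add-labels' },
]

function sampleSummary(): ViolationSummary {
  return policyViolationSummary(SAMPLE_ROWS)
}
```

Run against the sample rows the summary is 2 compliant, 2 noncompliant and 1 unknown: restrict-host on c1 counts once as noncompliant, the disabled copy on c2 is ignored, and ns-check on c1 counts once as noncompliant even though one of its namespaces is clean.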
Randy424 (Contributor, Author) commented

Holding temporarily. Will complete manual test plan and will supply some screenshot to the PR thread before opening up for review. Thanks.


1 participant