ACM-34249: Add Kyverno CEL-based discovered policy types#6331

Open

Randy424 wants to merge 3 commits into stolostron:main from Randy424:ACM-34249/kyverno-discovered-policies

Conversation

@Randy424 Randy424 commented Jun 10, 2026

Contributor

Summary

Adds support for the 8 new Kyverno CEL-based policy types (policies.kyverno.io/v1) to the Discovered Policies page, alongside the existing legacy types (kyverno.io/v1). Legacy types now display a deprecation label.

Changes:

  • Search queries expanded with 8 new kinds: ValidatingPolicy, MutatingPolicy, GeneratingPolicy, ImageValidatingPolicy, and their Namespaced variants
  • Kind filter dropdown includes all new types (prefixed with "Kyverno")
  • Deprecation label (orange ExclamationTriangleIcon) on legacy kyverno.io policy names
  • Response action filter adds Kyverno Deny option for new types using validationActions[]
  • Violation summary deduplicates namespaced types by cluster:name
  • Helper functions: isKyvernoApiGroup(), isLegacyKyvernoApiGroup(); getEngineString() handles policies.kyverno.io
  • All apiGroup === 'kyverno.io' checks updated to isKyvernoApiGroup() for both API groups

Design doc: ACM-DDR-074

Test plan

  • Verify 8 new Kyverno types appear in the Kind filter dropdown
  • Verify legacy kyverno.io ClusterPolicy/Policy rows show orange "Deprecated" label
  • Verify new policies.kyverno.io types do NOT show deprecation label
  • Verify violation counts are correct for new types (uses totalViolations)
  • Verify namespaced types show Namespace column in detail views
  • Verify Kyverno Deny response action filter works for new types
  • Verify existing Gatekeeper, OPA, and Kubernetes policy types are unaffected
  • Unit tests pass (98 total, 23 new)

Signed-off-by: Randy Bruno Piverger [email protected]

Summary by CodeRabbit

  • New Features
    • Broader Kyverno support: detect legacy and newer Kyverno API groups and update engine labeling; policy compliance/violation counting unified across Kyverno groups.
  • UI/UX Improvements
    • Show “Deprecated” badge for legacy Kyverno policies; expanded Kind filter options and updated columns; response-action filter now includes Kyverno Deny/Audit/Enforce.
  • Tests
    • Added coverage for detection, grouping, filtering, and violation aggregation across Kyverno API groups.

Screenshots:

New Kyverno types appear in the Discovered Policy table; ClusterPolicy and Policy types now render alongside the "Deprecated" tag.
[Screenshot 2026-06-12 at 3:53:14 PM]

Table filter supports new types:
[Screenshot 2026-06-12 at 3:53:31 PM]

Discovered Policies > Details > Clusters displays the namespace for namespaced Kyverno types.
[Screenshot 2026-06-12 at 3:56:40 PM]

Discovered Policies > Details > Related resources supports the "Reason" column for new Kyverno types.
[Screenshot 2026-06-12 at 4:01:24 PM]

Discovered Policies > Details > Clusters: new Kyverno filter values for "Response action".
[Screenshot 2026-06-12 at 4:03:27 PM]

openshift-ci Bot commented Jun 10, 2026


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Randy424


coderabbitai Bot commented Jun 10, 2026

Walkthrough

Centralize Kyverno API-group detection (kyverno.io + policies.kyverno.io) and apply it across discovery, grouping, rendering, filtering, fetching, and tests.

Changes

Kyverno API Group Expansion

Shared predicates and engine mapping
  Files: frontend/src/routes/Governance/common/util.tsx, frontend/src/routes/Governance/common/util.test.tsx
  Summary: Add isKyvernoApiGroup() (kyverno.io + policies.kyverno.io), isLegacyKyvernoApiGroup() (kyverno.io only), and map policies.kyverno.io in getEngineString. Tests added for predicates and engine mapping.

Policy grouping and response-action enrichment
  Files: frontend/src/routes/Governance/discovered/grouping.ts, frontend/src/routes/Governance/discovered/grouping.test.ts
  Summary: Introduce internal isKyvernoApiGroup() and refactor grouping: response-action detection, related-item processing, policyReport aggregation, and violation/responseAction enrichment. Add tests for policies.kyverno.io Validating/NamespacedValidating policies.

Details route compliance & response-action filter
  Files: frontend/src/routes/Governance/discovered/details/common.tsx, frontend/src/routes/Governance/discovered/details/common.test.tsx
  Summary: Use isKyvernoApiGroup()/isLegacyKyvernoApiGroup() in policyViolationSummary, getCompliance, Violations cell/export logic, and getResponseActionFilter(); add “Kyverno Deny” option and tests validating Deny/Audit behavior and new policy kinds.

DiscoveredPolicies UI and tests
  Files: frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx, frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
  Summary: Render legacy Kyverno policies with DeprecatedTitle; expand Kind filter options and switch Kind filter to use isKyvernoApiGroup(). Update test expectation to include “Deprecated”.

DiscoveredResources & DiscoveredByCluster rendering
  Files: frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx, frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
  Summary: Replace hardcoded kyverno.io checks with isKyvernoApiGroup() to gate Reason column, tmpl derivation, kyvernoMessages rendering, Namespace extra column, and cluster-violations compliance branching.

Data fetching: search query updates
  Files: frontend/src/routes/Governance/discovered/useFetchPolicies.tsx
  Summary: Replace direct kyverno.io checks with isKyvernoApiGroup(); add searchQuery entry for policies.kyverno.io covering validating/mutating/generating and namespaced variants with ClusterPolicyReport/PolicyReport related kinds.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 11.11%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Title check: The title clearly summarizes the main change: adding support for Kyverno CEL-based policy types (policies.kyverno.io/v1) to the Discovered Policies page.
  • Linked Issues check: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Check skipped because no linked issues were found for this pull request.
  • Description check: PR description comprehensively covers scope, design, changes, test plan, and includes screenshots. Follows template structure with ticket reference and type classification implied.


@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx (1)

66-69: 💤 Low value

Consider using isLegacyKyvernoApiGroup helper for consistency.

For consistency with the rest of the PR's centralized API-group checks, line 67 could use isLegacyKyvernoApiGroup(apiGroup) instead of the hardcoded apiGroup === 'kyverno.io'.

♻️ Proposed refactor for consistency
-    } else if (
-      (apiGroup === 'kyverno.io' && policyKind === 'Policy') ||
-      (apiGroup === 'policies.kyverno.io' && policyKind.startsWith('Namespaced'))
-    ) {
+    } else if (
+      (isLegacyKyvernoApiGroup(apiGroup) && policyKind === 'Policy') ||
+      (apiGroup === 'policies.kyverno.io' && policyKind.startsWith('Namespaced'))
+    ) {
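Review bot: the second clause of this condition still hardcodes `apiGroup === 'policies.kyverno.io'`, so the suggested refactor centralizes only half of the check and a future API-group change would again have to be found in two places. Either express the CEL half through the shared helpers (`isKyvernoApiGroup(apiGroup) && !isLegacyKyvernoApiGroup(apiGroup)`) or, since the inline comment on common.tsx shows an isNamespacedKyverno helper already exists there, check whether it encodes this same legacy-`Policy` / `Namespaced`-prefix test and import it here instead of keeping a second copy.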
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx`
around lines 66 - 69, Replace the hardcoded legacy Kyverno API-group check in
DiscoveredByCluster's conditional ((apiGroup === 'kyverno.io' && policyKind ===
'Policy') ...) with the centralized helper isLegacyKyvernoApiGroup(apiGroup);
update the condition to use isLegacyKyvernoApiGroup(apiGroup) && policyKind ===
'Policy' (keeping the other policies.kyverno.io check intact), and add an import
for isLegacyKyvernoApiGroup at the top of the file if it's not already imported
so the DiscoveredByCluster component uses the shared API-group helper
consistently.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a591d4b6-c6d7-4114-8ce5-1720075ffbf8

📥 Commits

Reviewing files that changed from the base of the PR and between f126d97 and 8170a3d.

📒 Files selected for processing (11)
  • frontend/src/routes/Governance/common/util.test.tsx
  • frontend/src/routes/Governance/common/util.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx
  • frontend/src/routes/Governance/discovered/details/common.test.tsx
  • frontend/src/routes/Governance/discovered/details/common.tsx
  • frontend/src/routes/Governance/discovered/grouping.test.ts
  • frontend/src/routes/Governance/discovered/grouping.ts
  • frontend/src/routes/Governance/discovered/useFetchPolicies.tsx

Add support for new policies.kyverno.io/v1 API group types
(ValidatingPolicy, MutatingPolicy, GeneratingPolicy,
ImageValidatingPolicy and their Namespaced variants) alongside
existing kyverno.io/v1 types. Legacy types display a deprecation
label. Includes unit tests covering new helper functions, grouping
logic, violation summary, and response action filters.

Signed-off-by: Randy Bruno Piverger <[email protected]>
Co-Authored-By: Claude Opus 4.6 <[email protected]>
Randy424 force-pushed the ACM-34249/kyverno-discovered-policies branch from 8170a3d to 074fccd on June 11, 2026 05:26

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
frontend/src/routes/Governance/discovered/details/common.test.tsx (1)

257-280: ⚡ Quick win

Replace any casts in the new response-action filter tests.

Lines 257, 268, and 280 use any, which bypasses strict typing in this frontend test path.

Proposed fix
-    const denyOption = filter.options.find((o: any) => o.value === 'Deny')
+    const denyOption = filter.options.find((o) => o.value === 'Deny')

-    const item = {
+    const item: Pick<DiscoveredPolicyItem, 'apigroup' | 'responseAction'> = {
       apigroup: 'policies.kyverno.io',
       responseAction: 'Deny',
-    } as any
+    }

-    const item = {
+    const item: Pick<DiscoveredPolicyItem, 'apigroup' | 'responseAction'> = {
       apigroup: 'kyverno.io',
       responseAction: 'Audit',
-    } as any
+    }
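Review bot: typing the fixtures as `Pick<DiscoveredPolicyItem, 'apigroup' | 'responseAction'>` in the second and third hunks will not compile if `filter.tableFilterFn` is declared against the full `DiscoveredPolicyItem`; the agent prompt for this comment already offers `as unknown as` as the fallback for that case. A small typed fixture builder in the test file, for example `makeItem(overrides: Partial<DiscoveredPolicyItem>): DiscoveredPolicyItem` with sensible defaults, would avoid both `any` and the double cast, and either form needs `DiscoveredPolicyItem` imported into common.test.tsx if it is not already.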

As per coding guidelines, “Avoid any type — use unknown if the type is truly unknown.”

#!/bin/bash
rg -nP '\bas\s+any\b|:\s*any\b' frontend/src/routes/Governance/discovered/details/common.test.tsx
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/src/routes/Governance/discovered/details/common.test.tsx` around
lines 257 - 280, Replace the unsafe "as any" casts in the tests by giving the
test items a concrete type or using unknown then narrowing: declare a small
interface/type (e.g., ResponseActionItem { apigroup: string; responseAction:
string }) and type the test item constants with it (const item:
ResponseActionItem = { ... }) and ensure calls to filter.tableFilterFn receive
that typed item; alternatively, if the real shape is unknown, cast with "as
unknown as ResponseActionItem" rather than "as any". Update occurrences around
denyOption/test blocks and the tests that call getResponseActionFilter and
tableFilterFn to use the new typed item instead of "as any".
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/src/routes/Governance/discovered/details/common.tsx`:
- Around line 38-43: The code treats namespaced Kyverno policies via
isNamespacedKyverno and calls addComplianceToKyvernoPolicyViolations(policy,
compliance, kyvernoPolicyViolations) then continues before the later
disabled-policy check, so disabled policies get aggregated; fix by performing
the disabled check before handling namespaced Kyverno entries (or include the
disabled condition in the isNamespacedKyverno branch) so that policies with
disabled truthy flag are skipped and not passed to
addComplianceToKyvernoPolicyViolations; update the control flow around
isNamespacedKyverno, addComplianceToKyvernoPolicyViolations, and the existing
disabled check to ensure disabled policies are filtered out first.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 89f10099-b089-458e-8b94-badbb06a7b2d

📥 Commits

Reviewing files that changed from the base of the PR and between 8170a3d and 074fccd.

📒 Files selected for processing (11)
  • frontend/src/routes/Governance/common/util.test.tsx
  • frontend/src/routes/Governance/common/util.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx
  • frontend/src/routes/Governance/discovered/details/common.test.tsx
  • frontend/src/routes/Governance/discovered/details/common.tsx
  • frontend/src/routes/Governance/discovered/grouping.test.ts
  • frontend/src/routes/Governance/discovered/grouping.ts
  • frontend/src/routes/Governance/discovered/useFetchPolicies.tsx
✅ Files skipped from review due to trivial changes (1)
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.test.tsx
🚧 Files skipped from review as they are similar to previous changes (8)
  • frontend/src/routes/Governance/discovered/details/DiscoveredResources.tsx
  • frontend/src/routes/Governance/common/util.tsx
  • frontend/src/routes/Governance/discovered/useFetchPolicies.tsx
  • frontend/src/routes/Governance/discovered/grouping.test.ts
  • frontend/src/routes/Governance/common/util.test.tsx
  • frontend/src/routes/Governance/discovered/details/DiscoveredByCluster.tsx
  • frontend/src/routes/Governance/discovered/DiscoveredPolicies.tsx
  • frontend/src/routes/Governance/discovered/grouping.ts

Comment thread frontend/src/routes/Governance/discovered/details/common.tsx
…ummary

Move the disabled-policy check before the isNamespacedKyverno branch
so that disabled policies are skipped instead of being passed to
addComplianceToKyvernoPolicyViolations.

Signed-off-by: Randy Bruno Piverger <[email protected]>
Co-Authored-By: Claude Opus 4.6 <[email protected]>
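The helpers listed in the PR description (isKyvernoApiGroup, isLegacyKyvernoApiGroup, getEngineString, the response action derived from validationActions[], and the violation summary that deduplicates namespaced types by cluster:name) together with the disabled-check ordering fixed in the commit above, modelled as an added example. This is not stolostron/console code: the DiscoveredPolicyItem field names, the severity order used when collapsing duplicates, the Gatekeeper group mapping and the Deny-over-Audit rule are assumptions made for illustration.

```typescript
// Added example, not code from stolostron/console. It models the helpers the PR
// describes and the disabled-before-namespaced ordering the review asked for.
// The DiscoveredPolicyItem field names below are assumptions for illustration.

type Compliance = 'compliant' | 'noncompliant' | 'pending' | 'unknown'

interface DiscoveredPolicyItem {
  apigroup: string
  kind: string
  name: string
  cluster: string
  namespace?: string
  disabled?: boolean
  compliant?: string               // assumed: non-Kyverno engines report this directly
  totalViolations?: number         // assumed: Kyverno compliance is derived from PolicyReports
  validationFailureAction?: string // legacy kyverno.io: 'Audit' | 'Enforce'
  validationActions?: string[]     // policies.kyverno.io: e.g. ['Deny'] or ['Audit']
}

const LEGACY_KYVERNO_GROUP = 'kyverno.io'
const CEL_KYVERNO_GROUP = 'policies.kyverno.io'

function isLegacyKyvernoApiGroup(apiGroup?: string): boolean {
  return apiGroup === LEGACY_KYVERNO_GROUP
}
function isKyvernoApiGroup(apiGroup?: string): boolean {
  return apiGroup === LEGACY_KYVERNO_GROUP || apiGroup === CEL_KYVERNO_GROUP
}

function getEngineString(apiGroup?: string): string {
  if (isKyvernoApiGroup(apiGroup)) return 'Kyverno'
  if (apiGroup === 'constraints.gatekeeper.sh') return 'Gatekeeper' // assumed mapping
  return 'Unknown'
}

// Legacy namespaced kind is Policy; CEL namespaced kinds carry a Namespaced prefix.
function isNamespacedKyverno(apiGroup: string, kind: string): boolean {
  return (
    (isLegacyKyvernoApiGroup(apiGroup) && kind === 'Policy') ||
    (apiGroup === CEL_KYVERNO_GROUP && kind.startsWith('Namespaced'))
  )
}

// Value shown in the "Response action" column/filter. Assumption: a CEL policy whose
// validationActions includes 'Deny' is treated as enforcing, otherwise as Audit.
function getResponseAction(item: DiscoveredPolicyItem): string | undefined {
  if (isLegacyKyvernoApiGroup(item.apigroup)) return item.validationFailureAction
  if (item.apigroup !== CEL_KYVERNO_GROUP) return undefined
  const actions = item.validationActions ?? []
  if (actions.includes('Deny')) return 'Deny'
  return actions.includes('Audit') ? 'Audit' : undefined
}

function getCompliance(item: DiscoveredPolicyItem): Compliance {
  if (isKyvernoApiGroup(item.apigroup)) {
    if (item.totalViolations === undefined) return 'unknown'
    return item.totalViolations > 0 ? 'noncompliant' : 'compliant'
  }
  if (item.compliant === 'Compliant') return 'compliant'
  if (item.compliant === 'NonCompliant') return 'noncompliant'
  return item.compliant === 'Pending' ? 'pending' : 'unknown'
}

// Namespaced copies of one policy in one cluster collapse to a single cluster:name entry; worst state wins.
const SEVERITY: Record<Compliance, number> = { noncompliant: 3, pending: 2, unknown: 1, compliant: 0 }

function addComplianceToKyvernoPolicyViolations(item: DiscoveredPolicyItem, compliance: Compliance, byClusterName: Map<string, Compliance>): void {
  const key = `${item.cluster}:${item.name}`
  const current = byClusterName.get(key)
  if (current === undefined || SEVERITY[compliance] > SEVERITY[current]) byClusterName.set(key, compliance)
}

function policyViolationSummary(items: DiscoveredPolicyItem[]): Record<Compliance, number> {
  const summary: Record<Compliance, number> = { compliant: 0, noncompliant: 0, pending: 0, unknown: 0 }
  const kyvernoByClusterName = new Map<string, Compliance>()
  for (const item of items) {
    // The disabled check runs before the namespaced branch, so a disabled
    // namespaced Kyverno policy never reaches the cluster:name aggregation.
    if (item.disabled) continue
    const compliance = getCompliance(item)
    if (isNamespacedKyverno(item.apigroup, item.kind)) {
      addComplianceToKyvernoPolicyViolations(item, compliance, kyvernoByClusterName)
      continue
    }
    summary[compliance]++
  }
  for (const compliance of kyvernoByClusterName.values()) summary[compliance]++
  return summary
}

// Constructed sample rows (not real search results).
const SAMPLE: DiscoveredPolicyItem[] = [
  { apigroup: 'kyverno.io', kind: 'ClusterPolicy', name: 'disallow-privileged', cluster: 'hub', totalViolations: 2, validationFailureAction: 'Audit' },
  { apigroup: 'kyverno.io', kind: 'Policy', name: 'require-labels', namespace: 'team-a', cluster: 'hub', totalViolations: 0 },
  { apigroup: 'kyverno.io', kind: 'Policy', name: 'require-labels', namespace: 'team-b', cluster: 'hub', totalViolations: 1 },
  { apigroup: 'policies.kyverno.io', kind: 'NamespacedValidatingPolicy', name: 'block-latest', namespace: 'dev', cluster: 'spoke1', totalViolations: 5, disabled: true, validationActions: ['Deny'] },
  { apigroup: 'policies.kyverno.io', kind: 'ValidatingPolicy', name: 'require-nonroot', cluster: 'spoke1', totalViolations: 0, validationActions: ['Deny'] },
  { apigroup: 'constraints.gatekeeper.sh', kind: 'K8sRequiredLabels', name: 'ns-owner', cluster: 'spoke1', compliant: 'Compliant' },
]

console.log(policyViolationSummary(SAMPLE)) // { compliant: 2, noncompliant: 2, pending: 0, unknown: 0 }
```

Two things the sample makes visible: the two `require-labels` Policy rows in cluster `hub` count once (as non-compliant, because one namespace has a violation), and the disabled NamespacedValidatingPolicy with five violations contributes nothing. With the disabled check placed after the namespaced branch, as the review found, that disabled policy would be folded into the cluster:name map and shown as a non-compliant policy, inflating the violation count for something that is not enforcing anything.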
@Randy424

Contributor Author

Holding temporarily. Will complete the manual test plan and supply some screenshots to the PR thread before opening up for review. Thanks.

Replace inlined Split/Label/ExclamationTriangleIcon markup with the
existing DeprecatedTitle component from Applications, removing redundant
PatternFly imports.

Signed-off-by: Randy Bruno Piverger <[email protected]>
Co-Authored-By: Claude Opus 4.6 <[email protected]>

@KevinFCormier KevinFCormier self-requested a review June 15, 2026 13:05