fix: Warn instead of panic when API resource not found or forbidden

When policies are configured with a spec.rules GVK,
if resource doesn't exist because it has an incorrect GVK,
or if because it is a CRD that we don't know about,
emit warning and skip resource from scan.

The same for when policies are configured with a spec.rules GVK that the
audit-scanner lacks permissions for,
emit warning and skip resource from scan.

Signed-off-by: Víctor Cuadrado Juan <[email protected]>

internal/resources/fetcher.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/kubewarden/audit-scanner/internal/constants"
 	policiesv1 "github.com/kubewarden/kubewarden-controller/pkg/apis/policies/v1"
+	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	v1 "k8s.io/api/core/v1"
 	apimachineryerrors "k8s.io/apimachinery/pkg/api/errors"
@@ -86,8 +87,23 @@ func (f *Fetcher) GetResourcesForPolicies(ctx context.Context, policies []polici
 		}
 
 		resources, err := f.getResourcesDynamically(ctx, &resourceFilter, namespace)
-		// continue if resource doesn't exist.
 		if apimachineryerrors.IsNotFound(err) {
+			// continue if resource doesn't exist
+			log.Warn().
+				Dict("dict", zerolog.Dict().
+					Str("resource GVK", resourceFilter.groupVersionResource.String()).
+					Str("ns", namespace),
+				).Msg("API resource not found")
+			continue
+		}
+		if apimachineryerrors.IsForbidden(err) {
+			// continue if ServiceAccount lacks permissions, GVK may not exist, or
+			// policies may be misconfigured
+			log.Warn().
+				Dict("dict", zerolog.Dict().
+					Str("resource GVK", resourceFilter.groupVersionResource.String()).
+					Str("ns", namespace),
+				).Msg("API resource forbidden, unknown GVK or ServiceAccount lacks permissions")
 			continue
 		}
 		if err != nil {
@@ -135,7 +151,9 @@ func (f *Fetcher) GetClusterWideResourcesForPolicies(ctx context.Context, polici
 		isNamespaced, err := f.isNamespacedResource(resourceFilter.groupVersionResource)
 		if err != nil {
 			if errors.Is(err, constants.ErrResourceNotFound) {
-				log.Warn().Msg(fmt.Sprintf("API resource (%s) not found", resourceFilter.groupVersionResource.String()))
+				log.Warn().
+					Str("resource GVK", resourceFilter.groupVersionResource.String()).
+					Msg("API resource not found")
 				continue
 			}
 			return nil, err
@@ -144,10 +162,24 @@ func (f *Fetcher) GetClusterWideResourcesForPolicies(ctx context.Context, polici
 			continue
 		}
 		resources, err := f.getClusterWideResourcesDynamically(ctx, &resourceFilter)
-		// continue if resource doesn't exist.
 		if apimachineryerrors.IsNotFound(err) {
+			// continue if resource doesn't exist
+			log.Warn().
+				Dict("dict", zerolog.Dict().
+					Str("resource GVK", resourceFilter.groupVersionResource.String()),
+				).Msg("API resource not found")
 			continue
 		}
+		if apimachineryerrors.IsForbidden(err) {
+			// continue if ServiceAccount lacks permissions, GVK may not exist, or
+			// policies may be misconfigured
+			log.Warn().
+				Dict("dict", zerolog.Dict().
+					Str("resource GVK", resourceFilter.groupVersionResource.String()),
+				).Msg("API resource forbidden, unknown GVK or ServiceAccount lacks permissions")
+			continue
+		}
+
 		if err != nil {
 			return nil, err
 		}