Merge pull request #274 from jvanz/fix-issue263

fix: delete old reports after policy is deleted.
kubewarden · May 20, 2024 · 643a99b · 643a99b
2 parents 22ddde6 + b4a8106
commit 643a99b
Show file tree

Hide file tree

Showing 14 changed files with 322 additions and 114 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/google/uuid"
 	"github.com/kubewarden/audit-scanner/internal/k8s"
 	logconfig "github.com/kubewarden/audit-scanner/internal/log"
 	"github.com/kubewarden/audit-scanner/internal/policies"
@@ -70,7 +71,11 @@ There will be a ClusterPolicyReport with results for cluster-wide resources.`,
 		dynamicClient := dynamic.NewForConfigOrDie(config)
 		clientset := kubernetes.NewForConfigOrDie(config)
 
-		client, err := client.New(config, client.Options{Scheme: scheme.NewScheme()})
+		auditScheme, err := scheme.NewScheme()
+		if err != nil {
+			return err
+		}
+		client, err := client.New(config, client.Options{Scheme: auditScheme})
 		if err != nil {
 			return err
 		}
@@ -110,22 +115,23 @@ func startScanner(namespace string, clusterWide bool, scanner *scanner.Scanner)
 		log.Fatal().Msg("Cannot scan cluster wide and only a namespace at the same time")
 	}
 
+	runUID := uuid.New().String()
 	ctx := context.Background()
 	if clusterWide {
 		// only scan clusterwide
-		return scanner.ScanClusterWideResources(ctx)
+		return scanner.ScanClusterWideResources(ctx, runUID)
 	}
 	if namespace != "" {
 		// only scan namespace
-		return scanner.ScanNamespace(ctx, namespace)
+		return scanner.ScanNamespace(ctx, namespace, runUID)
 	}
 
 	// neither clusterWide flag nor namespace was provided, default
 	// behaviour of scanning cluster wide and all ns
-	if err := scanner.ScanClusterWideResources(ctx); err != nil {
+	if err := scanner.ScanClusterWideResources(ctx, runUID); err != nil {
 		return err
 	}
-	return scanner.ScanAllNamespaces(ctx)
+	return scanner.ScanAllNamespaces(ctx, runUID)
 }
 
 func init() {

diff --git a/go.mod b/go.mod
@@ -69,7 +69,6 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.30.0 // indirect
-	k8s.io/component-base v0.30.0 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 // indirect
 	k8s.io/utils v0.0.0-20240310230437-4693a0247e57 // indirect

diff --git a/go.sum b/go.sum
@@ -301,10 +301,6 @@ github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kubewarden/kubewarden-controller v1.12.0-rc1 h1:eyPpuO/DTl82GCnOsNEKSKg6qusk/m8ZQU9SNs6hwsQ=
-github.com/kubewarden/kubewarden-controller v1.12.0-rc1/go.mod h1:x52pDVy2SLtWpy1GEvpEuN4O01dHFAAvvvKS0f7CUtk=
-github.com/kubewarden/kubewarden-controller v1.12.0-rc2 h1:QeHXtLb//DwGS2DTDkv2RJXwJ0r/OFdFqNWj5YDbjms=
-github.com/kubewarden/kubewarden-controller v1.12.0-rc2/go.mod h1:QecSll2vi+k5Okc62yu7wzrxle0Bk5bkwdvgcRCQWsY=
 github.com/kubewarden/kubewarden-controller v1.12.0 h1:ie4NYQfZgxJI9kbB21sglPYAs9RApHauCHj7cIDfmFw=
 github.com/kubewarden/kubewarden-controller v1.12.0/go.mod h1:0vqtpSO1YhVzNTcDpWlgag9VWhOuHpWLL4BKSnuIzPk=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
@@ -354,8 +350,8 @@ github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
-github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
+github.com/onsi/gomega v1.33.0 h1:snPCflnZrpMsy94p4lXVEkHo12lmPnc3vY5XBbreexE=
+github.com/onsi/gomega v1.33.0/go.mod h1:+925n5YtiFsLzzafLUHzVMBpvvRAzrydIBiSIxjX3wY=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -759,45 +755,28 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
 k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8=
-k8s.io/api v0.29.3 h1:2ORfZ7+bGC3YJqGpV0KSDDEVf8hdGQ6A03/50vj8pmw=
-k8s.io/api v0.29.3/go.mod h1:y2yg2NTyHUUkIoTC+phinTnEa3KFM6RZ3szxt014a80=
-k8s.io/api v0.29.4 h1:WEnF/XdxuCxdG3ayHNRR8yH3cI1B/llkWBma6bq4R3w=
-k8s.io/api v0.29.4/go.mod h1:DetSv0t4FBTcEpfA84NJV3g9a7+rSzlUHk5ADAYHUv0=
 k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
 k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
 k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY=
 k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM=
 k8s.io/apiextensions-apiserver v0.18.6/go.mod h1:lv89S7fUysXjLZO7ke783xOwVTm6lKizADfvUM/SS/M=
-k8s.io/apiextensions-apiserver v0.29.3 h1:9HF+EtZaVpFjStakF4yVufnXGPRppWFEQ87qnO91YeI=
-k8s.io/apiextensions-apiserver v0.29.3/go.mod h1:po0XiY5scnpJfFizNGo6puNU6Fq6D70UJY2Cb2KwAVc=
 k8s.io/apiextensions-apiserver v0.30.0 h1:jcZFKMqnICJfRxTgnC4E+Hpcq8UEhT8B2lhBcQ+6uAs=
 k8s.io/apiextensions-apiserver v0.30.0/go.mod h1:N9ogQFGcrbWqAY9p2mUAL5mGxsLqwgtUce127VtRX5Y=
 k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
 k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apimachinery v0.29.3 h1:2tbx+5L7RNvqJjn7RIuIKu9XTsIZ9Z5wX2G22XAa5EU=
-k8s.io/apimachinery v0.29.3/go.mod h1:hx/S4V2PNW4OMg3WizRrHutyB5la0iCUbZym+W0EQIU=
-k8s.io/apimachinery v0.29.4 h1:RaFdJiDmuKs/8cm1M6Dh1Kvyh59YQFDcFuFTSmXes6Q=
-k8s.io/apimachinery v0.29.4/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y=
 k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=
 k8s.io/apimachinery v0.30.0/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
 k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U=
 k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
 k8s.io/apiserver v0.18.6/go.mod h1:Zt2XvTHuaZjBz6EFYzpp+X4hTmgWGy8AthNVnTdm3Wg=
 k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q=
 k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE=
-k8s.io/client-go v0.29.3 h1:R/zaZbEAxqComZ9FHeQwOh3Y1ZUs7FaHKZdQtIc2WZg=
-k8s.io/client-go v0.29.3/go.mod h1:tkDisCvgPfiRpxGnOORfkljmS+UrW+WtXAy2fTvXJB0=
-k8s.io/client-go v0.29.4 h1:79ytIedxVfyXV8rpH3jCBW0u+un0fxHDwX5F9K8dPR8=
-k8s.io/client-go v0.29.4/go.mod h1:kC1thZQ4zQWYwldsfI088BbK6RkxK+aF5ebV8y9Q4tk=
 k8s.io/client-go v0.30.0 h1:sB1AGGlhY/o7KCyCEQ0bPWzYDL0pwOZO4vAtTSh/gJQ=
 k8s.io/client-go v0.30.0/go.mod h1:g7li5O5256qe6TYdAMyX/otJqMhIiGgTapdLchhmOaY=
 k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q=
 k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc=
 k8s.io/code-generator v0.18.6/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
 k8s.io/component-base v0.18.6/go.mod h1:knSVsibPR5K6EW2XOjEHik6sdU5nCvKMrzMt2D4In14=
-k8s.io/component-base v0.29.3 h1:Oq9/nddUxlnrCuuR2K/jp6aflVvc0uDvxMzAWxnGzAo=
-k8s.io/component-base v0.29.3/go.mod h1:Yuj33XXjuOk2BAaHsIGHhCKZQAgYKhqIxIjIr2UXYio=
-k8s.io/component-base v0.30.0/go.mod h1:V9x/0ePFNaKeKYA3bOvIbrNoluTSG+fSJKjLdjOoeXQ=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
@@ -822,12 +801,6 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0=
 sigs.k8s.io/controller-runtime v0.6.3/go.mod h1:WlZNXcM0++oyaQt4B7C2lEE5JYRs8vJUzRP4N4JpdAY=
-sigs.k8s.io/controller-runtime v0.17.3 h1:65QmN7r3FWgTxDMz9fvGnO1kbf2nu+acg9p2R9oYYYk=
-sigs.k8s.io/controller-runtime v0.17.3/go.mod h1:N0jpP5Lo7lMTF9aL56Z/B2oWBJjey6StQM0jRbKQXtY=
-sigs.k8s.io/controller-runtime v0.18.0 h1:Z7jKuX784TQSUL1TIyeuF7j8KXZ4RtSX0YgtjKcSTME=
-sigs.k8s.io/controller-runtime v0.18.0/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
-sigs.k8s.io/controller-runtime v0.18.1 h1:RpWbigmuiylbxOCLy0tGnq1cU1qWPwNIQzoJk+QeJx4=
-sigs.k8s.io/controller-runtime v0.18.1/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
 sigs.k8s.io/controller-runtime v0.18.2 h1:RqVW6Kpeaji67CY5nPEfRz6ZfFMk0lWQlNrLqlNpx+Q=
 sigs.k8s.io/controller-runtime v0.18.2/go.mod h1:tuAt1+wbVsXIT8lPtk5RURxqAnq7xkpv2Mhttslg7Hw=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=

diff --git a/internal/constants/constants.go b/internal/constants/constants.go
@@ -8,6 +8,7 @@ const (
 	KubewardenKindClusterAdmissionPolicy = "ClusterAdmissionPolicy"
 	KubewardenKindAdmissionPolicy        = "AdmissionPolicy"
 	DefaultClusterwideReportName         = "clusterwide"
+	AuditScannerRunUIDLabel              = "kubewarden.io/audit-scanner-run-uid"
 )
 
 // ErrResourceNotFound is an error used to tell that the required resource is not found

diff --git a/internal/k8s/client.go b/internal/k8s/client.go
@@ -67,12 +67,10 @@ func (f *Client) GetResources(gvr schema.GroupVersionResource, nsName string) (*
 		if err != nil {
 			return nil, err
 		}
-
 		return resources, nil
 	})
 
 	listPager.PageSize = pageSize
-
 	return listPager, nil
 }
 

diff --git a/internal/policies/client_test.go b/internal/policies/client_test.go
@@ -173,7 +173,7 @@ func TestGetPoliciesForANamespace(t *testing.T) {
 		}).
 		Build()
 
-	client := testutils.NewFakeClient(
+	client, err := testutils.NewFakeClient(
 		namespace,
 		policyServer,
 		policyServerService,
@@ -186,6 +186,7 @@ func TestGetPoliciesForANamespace(t *testing.T) {
 		admissionPolicy3,
 		admissionPolicy4,
 	)
+	require.NoError(t, err)
 
 	policiesClient, err := NewClient(client, "kubewarden", "")
 	require.NoError(t, err)
@@ -338,7 +339,7 @@ func TestGetClusterWidePolicies(t *testing.T) {
 		Namespace("test").
 		Build()
 
-	client := testutils.NewFakeClient(
+	client, err := testutils.NewFakeClient(
 		namespace,
 		policyServer,
 		policyServerService,
@@ -350,6 +351,7 @@ func TestGetClusterWidePolicies(t *testing.T) {
 		clusterAdmissionPolicy6,
 		admissionPolicy1,
 	)
+	require.NoError(t, err)
 
 	policiesClient, err := NewClient(client, "kubewarden", "")
 	require.NoError(t, err)

diff --git a/internal/report/report.go b/internal/report/report.go
@@ -3,6 +3,7 @@ package report
 import (
 	"time"
 
+	"github.com/kubewarden/audit-scanner/internal/constants"
 	policiesv1 "github.com/kubewarden/kubewarden-controller/pkg/apis/policies/v1"
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -12,14 +13,15 @@ import (
 )
 
 // NewPolicyReport creates a new PolicyReport from a given resource
-func NewPolicyReport(resource unstructured.Unstructured) *wgpolicy.PolicyReport {
+func NewPolicyReport(scanUID string, resource unstructured.Unstructured) *wgpolicy.PolicyReport {
 	return &wgpolicy.PolicyReport{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      string(resource.GetUID()),
 			Namespace: resource.GetNamespace(),
 			Labels: map[string]string{
-				labelAppManagedBy:        labelApp,
-				labelPolicyReportVersion: labelPolicyReportVersionValue,
+				labelAppManagedBy:                 labelApp,
+				labelPolicyReportVersion:          labelPolicyReportVersionValue,
+				constants.AuditScannerRunUIDLabel: scanUID,
 			},
 			OwnerReferences: []metav1.OwnerReference{
 				{
@@ -71,13 +73,14 @@ func AddResultToPolicyReport(
 }
 
 // NewClusterPolicyReport creates a new ClusterPolicyReport from a given resource
-func NewClusterPolicyReport(resource unstructured.Unstructured) *wgpolicy.ClusterPolicyReport {
+func NewClusterPolicyReport(scanUID string, resource unstructured.Unstructured) *wgpolicy.ClusterPolicyReport {
 	return &wgpolicy.ClusterPolicyReport{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: string(resource.GetUID()),
 			Labels: map[string]string{
-				labelAppManagedBy:        labelApp,
-				labelPolicyReportVersion: labelPolicyReportVersionValue,
+				labelAppManagedBy:                 labelApp,
+				labelPolicyReportVersion:          labelPolicyReportVersionValue,
+				constants.AuditScannerRunUIDLabel: scanUID,
 			},
 			OwnerReferences: []metav1.OwnerReference{
 				{

diff --git a/internal/report/report_test.go b/internal/report/report_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/kubewarden/audit-scanner/internal/constants"
 	policiesv1 "github.com/kubewarden/kubewarden-controller/pkg/apis/policies/v1"
 	"github.com/stretchr/testify/assert"
 	admissionv1 "k8s.io/api/admission/v1"
@@ -22,12 +23,13 @@ func TestNewPolicyReport(t *testing.T) {
 	resource.SetName("test-pod")
 	resource.SetResourceVersion("12345")
 
-	policyReport := NewPolicyReport(resource)
+	policyReport := NewPolicyReport("runUID", resource)
 
 	assert.Equal(t, "uid", policyReport.ObjectMeta.Name)
 	assert.Equal(t, "namespace", policyReport.ObjectMeta.Namespace)
 	assert.Equal(t, "kubewarden", policyReport.ObjectMeta.Labels["app.kubernetes.io/managed-by"])
 	assert.Equal(t, "v2", policyReport.ObjectMeta.Labels["kubewarden.io/policyreport-version"])
+	assert.Equal(t, "runUID", policyReport.ObjectMeta.Labels[constants.AuditScannerRunUIDLabel])
 
 	assert.Equal(t, "v1", policyReport.ObjectMeta.OwnerReferences[0].APIVersion)
 	assert.Equal(t, "Pod", policyReport.ObjectMeta.OwnerReferences[0].Kind)
@@ -52,7 +54,7 @@ func TestAddResultToPolicyReport(t *testing.T) {
 		},
 	}
 
-	policyReport := NewPolicyReport(unstructured.Unstructured{})
+	policyReport := NewPolicyReport("scanUID", unstructured.Unstructured{})
 	AddResultToPolicyReport(policyReport, policy, admissionReview, false)
 
 	assert.Len(t, policyReport.Results, 1)
@@ -70,11 +72,12 @@ func TestNewClusterPolicyReport(t *testing.T) {
 	resource.SetKind("Namespace")
 	resource.SetResourceVersion("12345")
 
-	clusterPolicyReport := NewClusterPolicyReport(resource)
+	clusterPolicyReport := NewClusterPolicyReport("runUID", resource)
 
 	assert.Equal(t, "uid", clusterPolicyReport.ObjectMeta.Name)
 	assert.Equal(t, "kubewarden", clusterPolicyReport.ObjectMeta.Labels[labelAppManagedBy])
 	assert.Equal(t, "v2", clusterPolicyReport.ObjectMeta.Labels["kubewarden.io/policyreport-version"])
+	assert.Equal(t, "runUID", clusterPolicyReport.ObjectMeta.Labels[constants.AuditScannerRunUIDLabel])
 
 	assert.Equal(t, "v1", clusterPolicyReport.ObjectMeta.OwnerReferences[0].APIVersion)
 	assert.Equal(t, "Namespace", clusterPolicyReport.ObjectMeta.OwnerReferences[0].Kind)
@@ -99,7 +102,7 @@ func TestAddResultToClusterPolicyReport(t *testing.T) {
 		},
 	}
 
-	clusterPolicyReport := NewClusterPolicyReport(unstructured.Unstructured{})
+	clusterPolicyReport := NewClusterPolicyReport("scanUID", unstructured.Unstructured{})
 	AddResultToClusterPolicyReport(clusterPolicyReport, policy, admissionReview, false)
 
 	assert.Len(t, clusterPolicyReport.Results, 1)

diff --git a/internal/report/store.go b/internal/report/store.go
@@ -2,10 +2,13 @@ package report
 
 import (
 	"context"
+	"fmt"
 
+	auditConstants "github.com/kubewarden/audit-scanner/internal/constants"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	wgpolicy "sigs.k8s.io/wg-policy-prototypes/policy-report/pkg/api/wgpolicyk8s.io/v1alpha2"
@@ -55,6 +58,19 @@ func (s *PolicyReportStore) CreateOrPatchPolicyReport(ctx context.Context, polic
 	return nil
 }
 
+func (s *PolicyReportStore) DeleteOldPolicyReports(ctx context.Context, scanRunID, namespace string) error {
+	labelSelector, err := labels.Parse(fmt.Sprintf("%s!=%s,%s=%s", auditConstants.AuditScannerRunUIDLabel, scanRunID, labelAppManagedBy, labelApp))
+	if err != nil {
+		return err
+	}
+	log.Debug().Str("labelSelector", labelSelector.String()).Msg("Deleting old PolicyReports")
+
+	return s.client.DeleteAllOf(ctx, &wgpolicy.PolicyReport{}, &client.DeleteAllOfOptions{ListOptions: client.ListOptions{
+		LabelSelector: labelSelector,
+		Namespace:     namespace,
+	}})
+}
+
 // CreateOrPatchClusterPolicyReport creates or patches a ClusterPolicyReport
 func (s *PolicyReportStore) CreateOrPatchClusterPolicyReport(ctx context.Context, clusterPolicyReport *wgpolicy.ClusterPolicyReport) error {
 	oldClusterPolicyReport := &wgpolicy.ClusterPolicyReport{ObjectMeta: metav1.ObjectMeta{
@@ -84,3 +100,15 @@ func (s *PolicyReportStore) CreateOrPatchClusterPolicyReport(ctx context.Context
 
 	return nil
 }
+
+func (s *PolicyReportStore) DeleteOldClusterPolicyReports(ctx context.Context, scanRunID string) error {
+	labelSelector, err := labels.Parse(fmt.Sprintf("%s!=%s,%s=%s", auditConstants.AuditScannerRunUIDLabel, scanRunID, labelAppManagedBy, labelApp))
+	if err != nil {
+		return err
+	}
+	log.Debug().Str("labelSelector", labelSelector.String()).Msg("Deleting old ClusterPolicyReports")
+
+	return s.client.DeleteAllOf(ctx, &wgpolicy.ClusterPolicyReport{}, &client.DeleteAllOfOptions{ListOptions: client.ListOptions{
+		LabelSelector: labelSelector,
+	}})
+}