nginx
diff --git a/‎deployments/common/crds-v1beta1/k8s.nginx.org_policies.yaml‎
Lines changed: 20 additions & 0 deletions b/‎deployments/common/crds-v1beta1/k8s.nginx.org_policies.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎deployments/common/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 21 additions & 1 deletion b/‎deployments/common/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 21 additions & 1 deletion
diff --git a/‎deployments/helm-chart/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 20 additions & 0 deletions b/‎deployments/helm-chart/crds/k8s.nginx.org_policies.yaml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎deployments/helm-chart/templates/rbac.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deployments/helm-chart/templates/rbac.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎deployments/rbac/rbac.yaml‎
Lines changed: 1 addition & 0 deletions b/‎deployments/rbac/rbac.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs-web/configuration/global-configuration/reporting-resources-status.md‎
Lines changed: 41 additions & 1 deletion b/‎docs-web/configuration/global-configuration/reporting-resources-status.md‎
Lines changed: 41 additions & 1 deletion
diff --git a/‎docs-web/configuration/policy-resource.md‎
Lines changed: 11 additions & 0 deletions b/‎docs-web/configuration/policy-resource.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎internal/k8s/controller.go‎
Lines changed: 55 additions & 10 deletions b/‎internal/k8s/controller.go‎
Lines changed: 55 additions & 10 deletions
diff --git a/‎internal/k8s/controller_test.go‎
Lines changed: 1 addition & 0 deletions b/‎internal/k8s/controller_test.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎internal/k8s/leader.go‎
Lines changed: 5 additions & 0 deletions b/‎internal/k8s/leader.go‎
Lines changed: 5 additions & 0 deletions
@@ -6,6 +6,14 @@ metadata:
   creationTimestamp: null
   name: policies.k8s.nginx.org
 spec:
+  additionalPrinterColumns:
+    - JSONPath: .status.state
+      description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
+      name: State
+      type: string
+    - JSONPath: .metadata.creationTimestamp
+      name: Age
+      type: date
   group: k8s.nginx.org
   names:
     kind: Policy
@@ -16,6 +24,8 @@ spec:
     singular: policy
   preserveUnknownFields: false
   scope: Namespaced
+  subresources:
+    status: {}
   validation:
     openAPIV3Schema:
       description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
@@ -127,6 +137,16 @@ spec:
                   type: integer
                 zoneSize:
                   type: string
+        status:
+          description: PolicyStatus is the status of the policy resource
+          type: object
+          properties:
+            message:
+              type: string
+            reason:
+              type: string
+            state:
+              type: string
   version: v1
   versions:
     - name: v1
 
@@ -16,7 +16,15 @@ spec:
     singular: policy
   scope: Namespaced
   versions:
-    - name: v1
+    - additionalPrinterColumns:
+        - description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
+          jsonPath: .status.state
+          name: State
+          type: string
+        - jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+      name: v1
       schema:
         openAPIV3Schema:
           description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
@@ -128,8 +136,20 @@ spec:
                       type: integer
                     zoneSize:
                       type: string
+            status:
+              description: PolicyStatus is the status of the policy resource
+              type: object
+              properties:
+                message:
+                  type: string
+                reason:
+                  type: string
+                state:
+                  type: string
       served: true
       storage: true
+      subresources:
+        status: {}
 status:
   acceptedNames:
     kind: ""
 
@@ -6,6 +6,14 @@ metadata:
   creationTimestamp: null
   name: policies.k8s.nginx.org
 spec:
+  additionalPrinterColumns:
+    - JSONPath: .status.state
+      description: Current state of the Policy. If the resource has a valid status, it means it has been validated and accepted by the Ingress Controller.
+      name: State
+      type: string
+    - JSONPath: .metadata.creationTimestamp
+      name: Age
+      type: date
   group: k8s.nginx.org
   names:
     kind: Policy
@@ -16,6 +24,8 @@ spec:
     singular: policy
   preserveUnknownFields: false
   scope: Namespaced
+  subresources:
+    status: {}
   validation:
     openAPIV3Schema:
       description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
@@ -127,6 +137,16 @@ spec:
                   type: integer
                 zoneSize:
                   type: string
+        status:
+          description: PolicyStatus is the status of the policy resource
+          type: object
+          properties:
+            message:
+              type: string
+            reason:
+              type: string
+            state:
+              type: string
   version: v1
   versions:
     - name: v1
 
@@ -102,6 +102,7 @@ rules:
   resources:
   - virtualservers/status
   - virtualserverroutes/status
+  - policies/status
   verbs:
   - update
 {{- end }}
 
@@ -76,6 +76,7 @@ rules:
   resources:
   - virtualservers/status
   - virtualserverroutes/status
+  - policies/status
   verbs:
   - update
 - apiGroups:
 
@@ -110,4 +110,44 @@ The Ingress controller must be configured to report a VirtualServer or VirtualSe
 
 See the docs about [ConfigMap keys](/nginx-ingress-controller/configuration/global-configuration/configmap-resource) and [Command-line arguments](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments).
 
-Notes: The Ingress controller does not clear the status of VirtualServer and VirtualServerRoute resources when it is being shut down.
+Notes: The Ingress controller does not clear the status of VirtualServer and VirtualServerRoute resources when it is being shut down.
+
+## Policy Resources
+
+A Policy resource includes the status field with information about the state of the resource.
+You can see the status in the ouput of the `kubectl get policy` command as shown below:
+```
+$ kubectl get policy
+  NAME              STATE   AGE
+  webapp-policy     Valid   30s
+```
+In order to see additional addresses or extra information about the `Status` of the resource, use the following command:
+```
+$ kubectl describe policy <NAME>
+. . .
+Status:
+  Message:  Configuration for default/webapp-policy was added or updated
+  Reason:   AddedOrUpdated
+  State:    Valid
+```
+
+### Status Specification 
+The following fields are reported in Policy status:
+
+```eval_rst
+.. list-table::
+   :header-rows: 1
+
+   * - Field
+     - Description
+     - Type
+   * - ``State``
+     - Current state of the resource. Can be ``Valid`` or ``Invalid``. For more information, refer to the ``message`` field.
+     - ``string``
+   * - ``Reason``
+     - The reason of the last update.
+     - ``string``
+   * - ``Message``
+     - Additional information about the state.
+     - ``string``
+```
@@ -651,4 +651,15 @@ Events:
 ```
 Note how the events section includes a Warning event with the Rejected reason.
 
+Additionally, this information is also available in the `status` field of the Policy resource. Note the Status section of the Policy:
+
+```
+$ kubectl describe pol webapp-policy
+. . .
+Status:
+  Message:  Policy default/webapp-policy is invalid and was rejected: spec.accessControl.allow[0]: Invalid value: "10.0.0.": must be a CIDR or IP
+  Reason:   Rejected
+  State:    Invalid
+```
+
 **Note**: If you make an existing resource invalid, the Ingress Controller will reject it.
@@ -324,6 +324,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 		ingressLister:            &lbc.ingressLister,
 		virtualServerLister:      lbc.virtualServerLister,
 		virtualServerRouteLister: lbc.virtualServerRouteLister,
+		policyLister:             lbc.policyLister,
 		keyFunc:                  keyFunc,
 		confClient:               input.ConfClient,
 	}
@@ -822,7 +823,7 @@ func (lbc *LoadBalancerController) syncIngressLink(task task) {
 		}
 	}
 
-	if lbc.areCustomResourcesEnabled && lbc.reportVsVsrStatusEnabled() {
+	if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() {
 		virtualServers := lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true})
 
 		glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers))
@@ -848,9 +849,25 @@ func (lbc *LoadBalancerController) syncPolicy(task task) {
 		pol := obj.(*conf_v1.Policy)
 		err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies)
 		if err != nil {
-			lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", "Policy %v is invalid and was rejected: %v", key, err)
+			msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err)
+			lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", msg)
+
+			if lbc.reportCustomResourceStatusEnabled() {
+				err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg)
+				if err != nil {
+					glog.V(3).Infof("Failed to update policy %s status: %v", key, err)
+				}
+			}
 		} else {
-			lbc.recorder.Eventf(pol, api_v1.EventTypeNormal, "AddedOrUpdated", "Policy %v was added or updated", key)
+			msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name)
+			lbc.recorder.Eventf(pol, api_v1.EventTypeNormal, "AddedOrUpdated", msg)
+
+			if lbc.reportCustomResourceStatusEnabled() {
+				err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg)
+				if err != nil {
+					glog.V(3).Infof("Failed to update policy %s status: %v", key, err)
+				}
+			}
 		}
 	}
 
@@ -1022,7 +1039,7 @@ func (lbc *LoadBalancerController) processProblems(problems []ConfigurationProbl
 		eventType := api_v1.EventTypeWarning
 		lbc.recorder.Event(p.Object, eventType, p.Reason, p.Message)
 
-		if lbc.reportVsVsrStatusEnabled() {
+		if lbc.reportCustomResourceStatusEnabled() {
 			state := conf_v1.StateWarning
 			if p.IsError {
 				state = conf_v1.StateInvalid
@@ -1241,7 +1258,7 @@ func (lbc *LoadBalancerController) UpdateVirtualServerStatusAndEventsOnDelete(vs
 		msg := fmt.Sprintf("VirtualServer %s was rejected %s", getResourceKey(&vsConfig.VirtualServer.ObjectMeta), eventWarningMessage)
 		lbc.recorder.Eventf(vsConfig.VirtualServer, eventType, eventTitle, msg)
 
-		if lbc.reportVsVsrStatusEnabled() {
+		if lbc.reportCustomResourceStatusEnabled() {
 			err := lbc.statusUpdater.UpdateVirtualServerStatus(vsConfig.VirtualServer, state, eventTitle, msg)
 			if err != nil {
 				glog.Errorf("Error when updating the status for VirtualServer %v/%v: %v", vsConfig.VirtualServer.Namespace, vsConfig.VirtualServer.Name, err)
@@ -1433,7 +1450,7 @@ func (lbc *LoadBalancerController) updateVirtualServerStatusAndEvents(vsConfig *
 	msg := fmt.Sprintf("Configuration for %v was added or updated %s", getResourceKey(&vsConfig.VirtualServer.ObjectMeta), eventWarningMessage)
 	lbc.recorder.Eventf(vsConfig.VirtualServer, eventType, eventTitle, msg)
 
-	if lbc.reportVsVsrStatusEnabled() {
+	if lbc.reportCustomResourceStatusEnabled() {
 		err := lbc.statusUpdater.UpdateVirtualServerStatus(vsConfig.VirtualServer, state, eventTitle, msg)
 		if err != nil {
 			glog.Errorf("Error when updating the status for VirtualServer %v/%v: %v", vsConfig.VirtualServer.Namespace, vsConfig.VirtualServer.Name, err)
@@ -1463,7 +1480,7 @@ func (lbc *LoadBalancerController) updateVirtualServerStatusAndEvents(vsConfig *
 		msg := fmt.Sprintf("Configuration for %v/%v was added or updated %s", vsr.Namespace, vsr.Name, vsrEventWarningMessage)
 		lbc.recorder.Eventf(vsr, vsrEventType, vsrEventTitle, msg)
 
-		if lbc.reportVsVsrStatusEnabled() {
+		if lbc.reportCustomResourceStatusEnabled() {
 			vss := []*conf_v1.VirtualServer{vsConfig.VirtualServer}
 			err := lbc.statusUpdater.UpdateVirtualServerRouteStatusWithReferencedBy(vsr, vsrState, vsrEventTitle, msg, vss)
 			if err != nil {
@@ -1571,7 +1588,7 @@ 
3486
func (lbc *LoadBalancerController) syncService(task task) {
 			}
 		}
 
-		if lbc.areCustomResourcesEnabled && lbc.reportVsVsrStatusEnabled() {
+		if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() {
 			virtualServers := lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true})
 
 			glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers))
@@ -1628,8 +1645,8 @@ func (lbc *LoadBalancerController) reportStatusEnabled() bool {
 	return false
 }
 
-// reportVsVsrStatusEnabled determines if we should attempt to report status for VirtualServers and VirtualServerRoutes.
-func (lbc *LoadBalancerController) reportVsVsrStatusEnabled() bool {
+// reportCustomResourceStatusEnabled determines if we should attempt to report status for Custom Resources.
+func (lbc *LoadBalancerController) reportCustomResourceStatusEnabled() bool {
 	if lbc.isLeaderElectionEnabled {
 		return lbc.leaderElector != nil && lbc.leaderElector.IsLeader()
 	}
@@ -1861,6 +1878,34 @@ func (lbc *LoadBalancerController) updateVirtualServerRoutesStatusFromEvents() e
 	return nil
 }
 
+func (lbc *LoadBalancerController) updatePoliciesStatus() error {
+	var allErrs []error
+	for _, obj := range lbc.policyLister.List() {
+		pol := obj.(*conf_v1.Policy)
+
+		err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies)
+		if err != nil {
+			msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err)
+			err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg)
+			if err != nil {
+				allErrs = append(allErrs, err)
+			}
+		} else {
+			msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name)
+			err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg)
+			if err != nil {
+				allErrs = append(allErrs, err)
+			}
+		}
+	}
+
+	if len(allErrs) != 0 {
+		return fmt.Errorf("not all Policies statuses were updated: %v", allErrs)
+	}
+
+	return nil
+}
+
 // EnqueueTransportServerForService enqueues TransportServers for the given service.
 func (lbc *LoadBalancerController) EnqueueTransportServerForService(service *api_v1.Service) {
 	transportServers := lbc.getTransportServersForService(service)
 
@@ -23,6 +23,7 @@ import (
 	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes/fake"
+
 	"k8s.io/client-go/tools/cache"
 )
 
 
@@ -73,6 +73,11 @@ func createLeaderHandler(lbc *LoadBalancerController) leaderelection.LeaderCallb
 				if err != nil {
 					glog.V(3).Infof("error updating VirtualServerRoutes status when starting leading: %v", err)
 				}
+
+				err = lbc.updatePoliciesStatus()
+				if err != nil {
+					glog.V(3).Infof("error updating Policies status when starting leading: %v", err)
+				}
 			}
 		},
 		OnStoppedLeading: func() {
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ import (`
`23`	`23`	`meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
`24`	`24`	`"k8s.io/apimachinery/pkg/util/intstr"`
`25`	`25`	`"k8s.io/client-go/kubernetes/fake"`
	`26`	`+`
`26`	`27`	`"k8s.io/client-go/tools/cache"`
`27`	`28`	`)`
`28`	`29`
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,11 @@ func createLeaderHandler(lbc *LoadBalancerController) leaderelection.LeaderCallb`
`73`	`73`	`if err != nil {`
`74`	`74`	`glog.V(3).Infof("error updating VirtualServerRoutes status when starting leading: %v", err)`
`75`	`75`	`}`
	`76`	`+`
	`77`	`+ err = lbc.updatePoliciesStatus()`
	`78`	`+ if err != nil {`
	`79`	`+ glog.V(3).Infof("error updating Policies status when starting leading: %v", err)`
	`80`	`+ }`
`76`	`81`	`}`
`77`	`82`	`},`
`78`	`83`	`OnStoppedLeading: func() {`