kyverno/pkg/webhooks/updaterequest/generator.go

package updaterequest

import (
	"context"
	"time"

	backoff "github.com/cenkalti/backoff"
	"github.com/gardener/controller-manager-library/pkg/logger"
	"github.com/go-logr/logr"
	urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"
	kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
	kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
	urkyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1beta1"
	kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
	urkyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
	"github.com/kyverno/kyverno/pkg/config"
	admissionv1 "k8s.io/api/admission/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
	"k8s.io/client-go/tools/cache"
)

// GenerateRequests provides interface to manage update requests
type Interface interface {
	Apply(gr urkyverno.UpdateRequestSpec, action admissionv1.Operation) error
}

// info object stores message data to create update request
type info struct {
	spec   urkyverno.UpdateRequestSpec
	action admissionv1.Operation
}

// Generator defines the implementation to mange update request resource
type Generator struct {
	client *kyvernoclient.Clientset
	stopCh <-chan struct{}
	log    logr.Logger
	// grLister can list/get generate request from the shared informer's store
	grLister kyvernolister.GenerateRequestNamespaceLister
	grSynced cache.InformerSynced

	urLister urkyvernolister.UpdateRequestNamespaceLister
	urSynced cache.InformerSynced
}

// NewGenerator returns a new instance of UpdateRequest resource generator
func NewGenerator(client *kyvernoclient.Clientset, grInformer kyvernoinformer.GenerateRequestInformer, urInformer urkyvernoinformer.UpdateRequestInformer, stopCh <-chan struct{}, log logr.Logger) *Generator {
	gen := &Generator{
		client:   client,
		stopCh:   stopCh,
		log:      log,
		grLister: grInformer.Lister().GenerateRequests(config.KyvernoNamespace),
		grSynced: grInformer.Informer().HasSynced,
		urLister: urInformer.Lister().UpdateRequests(config.KyvernoNamespace),
		urSynced: urInformer.Informer().HasSynced,
	}
	return gen
}

// Apply creates update request resource
func (g *Generator) Apply(gr urkyverno.UpdateRequestSpec, action admissionv1.Operation) error {
	logger := g.log
	logger.V(4).Info("reconcile Update Request", "request", gr)

	message := info{
		action: action,
		spec:   gr,
	}
	go g.processApply(message)
	return nil
}

// Run starts the update request spec
func (g *Generator) Run(workers int, stopCh <-chan struct{}) {
	logger := g.log
	defer utilruntime.HandleCrash()

	logger.V(4).Info("starting")
	defer func() {
		logger.V(4).Info("shutting down")
	}()

	if !cache.WaitForCacheSync(stopCh, g.grSynced, g.urSynced) {
		logger.Info("failed to sync informer cache")
		return
	}

	<-g.stopCh
}

func (g *Generator) processApply(i info) {
	if err := g.generate(i); err != nil {
		logger.Error(err, "failed to update request CR")
	}
}

func (g *Generator) generate(i info) error {
	if err := retryApplyResource(g.client, i.spec, g.log, i.action, g.urLister); err != nil {
		return err
	}
	return nil
}

func retryApplyResource(client *kyvernoclient.Clientset, urSpec urkyverno.UpdateRequestSpec,
	log logr.Logger, action admissionv1.Operation, urLister urkyvernolister.UpdateRequestNamespaceLister) error {

	if action == admissionv1.Delete && urSpec.Type == urkyverno.Generate {
		return nil
	}

	var i int
	var err error

	_, policyName, err := cache.SplitMetaNamespaceKey(urSpec.Policy)
	if err != nil {
		return err
	}

	applyResource := func() error {
		ur := urkyverno.UpdateRequest{
			Spec: urSpec,
			Status: urkyverno.UpdateRequestStatus{
				State: urkyverno.Pending,
			},
		}

		queryLabels := make(map[string]string)
		if ur.Spec.Type == urkyverno.Mutate {
			queryLabels := map[string]string{
				"mutate.updaterequest.kyverno.io/policy-name":       ur.Spec.Policy,
				"mutate.updaterequest.kyverno.io/trigger-name":      ur.Spec.Resource.Name,
				"mutate.updaterequest.kyverno.io/trigger-namespace": ur.Spec.Resource.Namespace,
				"mutate.updaterequest.kyverno.io/trigger-kind":      ur.Spec.Resource.Kind,
			}

			if ur.Spec.Resource.APIVersion != "" {
				queryLabels["mutate.updaterequest.kyverno.io/trigger-apiversion"] = ur.Spec.Resource.APIVersion
			}
		} else if ur.Spec.Type == urkyverno.Generate {
			queryLabels = labels.Set(map[string]string{
				"generate.kyverno.io/policy-name":        policyName,
				"generate.kyverno.io/resource-name":      urSpec.Resource.Name,
				"generate.kyverno.io/resource-kind":      urSpec.Resource.Kind,
				"generate.kyverno.io/resource-namespace": urSpec.Resource.Namespace,
			})
		}

		ur.SetNamespace(config.KyvernoNamespace)
		isExist := false
		log.V(4).Info("apply UpdateRequest", "ruleType", ur.Spec.Type)

		urList, err := urLister.List(labels.SelectorFromSet(queryLabels))
		if err != nil {
			logger.Error(err, "failed to get update request for the resource", "kind", urSpec.Resource.Kind, "name", urSpec.Resource.Name, "namespace", urSpec.Resource.Namespace)
			return err
		}

		for _, v := range urList {
			log.V(4).Info("updating existing update request", "name", v.GetName())

			v.Spec.Context = ur.Spec.Context
			v.Spec.Policy = ur.Spec.Policy
			v.Spec.Resource = ur.Spec.Resource
			v.Status.Message = ""

			new, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).Update(context.TODO(), v, metav1.UpdateOptions{})
			if err != nil {
				log.V(4).Info("failed to update UpdateRequest, retrying", "retryCount", i, "name", ur.GetName(), "namespace", ur.GetNamespace())
				i++
			} else {
				log.V(4).Info("successfully updated UpdateRequest", "retryCount", i, "name", ur.GetName(), "namespace", ur.GetNamespace())
			}

			new.Status.State = urkyverno.Pending
			if _, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).UpdateStatus(context.TODO(), new, metav1.UpdateOptions{}); err != nil {
				log.Error(err, "failed to set UpdateRequest state to Pending")
			}

			isExist = true
		}

		if !isExist {
			log.V(4).Info("creating new UpdateRequest", "type", ur.Spec.Type)

			ur.SetGenerateName("ur-")
			ur.SetLabels(queryLabels)

			new, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).Create(context.TODO(), &ur, metav1.CreateOptions{})
			if err != nil {
				log.V(4).Info("failed to create UpdateRequest, retrying", "retryCount", i, "name", ur.GetGenerateName(), "namespace", ur.GetNamespace())
				i++
			} else {
				log.V(4).Info("successfully created UpdateRequest", "retryCount", i, "name", new.GetName(), "namespace", ur.GetNamespace())
			}

			new.Status.State = urkyverno.Pending
			if _, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).UpdateStatus(context.TODO(), new, metav1.UpdateOptions{}); err != nil {
				log.Error(err, "failed to set UpdateRequest state to Pending")
			}
		}

		return err
	}

	exbackoff := &backoff.ExponentialBackOff{
		InitialInterval:     500 * time.Millisecond,
		RandomizationFactor: 0.5,
		Multiplier:          1.5,
		MaxInterval:         time.Second,
		MaxElapsedTime:      3 * time.Second,
		Clock:               backoff.SystemClock,
	}

	exbackoff.Reset()
	err = backoff.Retry(applyResource, exbackoff)

	if err != nil {
		return err
	}

	return nil
}
feat: mutate existing resources (#3669) * feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing, replace GR by UR in webhook server (#3601) * add attributes for post mutation Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR informer to webhook server Signed-off-by: ShutingZhao <shuting@nirmata.com> * - replace gr with ur in the webhook server; - create ur for mutateExsiting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace gr by ur across entire packages Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix missing policy.kyverno.io/policy-name label (#3599) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * refactor cli code from pkg to cmd (#3591) * refactor cli code from pkg to cmd Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes in imports Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixes tests Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * fixed conflicts Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * moved non-commands to utils Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> * add YAMLs Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs & fix unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * add UR deletion handler Signed-off-by: ShutingZhao <shuting@nirmata.com> * add api docs for v1beta1 Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix clientset method Signed-off-by: ShutingZhao <shuting@nirmata.com> * add-kms-libraries for cosign (#3603) * add-kms-libraries Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * Shifted providers to cosign package Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Add support for custom image extractors (#3596) Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Update vulnerable dependencies (#3577) Signed-off-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix v1beta1 client registration Signed-off-by: ShutingZhao <shuting@nirmata.com> * feat: mutate existing - generates UR for admission requests (#3623) Signed-off-by: ShutingZhao <shuting@nirmata.com> * updating version in Chart.yaml (#3618) * updatimg version in Chart.yaml Signed-off-by: Prateeknandle <prateeknandle@gmail.com> * changes from, make gen-helm Signed-off-by: Prateeknandle <prateeknandle@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Allow kyverno-policies to have preconditions defined (#3606) * Allow kyverno-policies to have preconditions defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix docs Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * replace with UR in policy controller generate rules (#3635) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable mutate engine to process mutateExisting rules; - add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * implemented ur background reconciliation for mutateExisting policies Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix webhook update error Signed-off-by: ShutingZhao <shuting@nirmata.com> * temporary comment out new unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * Image verify attestors (#3614) * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix logs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * support multiple attestors Signed-off-by: Jim Bugwadia <jim@nirmata.com> * rm CLI tests (not currently supported) Signed-off-by: Jim Bugwadia <jim@nirmata.com> * apply attestor repo Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix linter issues Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix entryError assignment Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * format Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add intermediary certs Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Allow defining imagePullSecrets (#3633) * Allow defining imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use dict for imagePullSecrets Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Simplify how imagePullSecrets is defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Fix race condition in pCache (#3632) * fix race condition in pCache Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact: remove unused Run function from generate (#3638) Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * Remove helm mode setting (#3628) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * refactor: image utils (#3630) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * -resolve lift comments; -fix informer sync issue Signed-off-by: ShutingZhao <shuting@nirmata.com> * refact the update request cleanup controller Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * - fix delete request for mutateExisting; - fix context variable substitution; - improve logging Signed-off-by: ShutingZhao <shuting@nirmata.com> * - enable events; - add last applied annotation Signed-off-by: ShutingZhao <shuting@nirmata.com> * enable mutate existing on policy creation Signed-off-by: ShutingZhao <shuting@nirmata.com> * update autogen code Signed-off-by: ShutingZhao <shuting@nirmata.com> * merge main Signed-off-by: ShutingZhao <shuting@nirmata.com> * add unit tests Signed-off-by: ShutingZhao <shuting@nirmata.com> * address list comments Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix "Implicit memory aliasing in for loop" Signed-off-by: ShutingZhao <shuting@nirmata.com> * remove unused definitions Signed-off-by: ShutingZhao <shuting@nirmata.com> * update api docs Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com> Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Shubham Gupta <shubham.gupta2956@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Prateek Nandle <56027872+Prateeknandle@users.noreply.github.com> Co-authored-by: treydock <tdockendorf@osc.edu> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2022-04-25 20:20:40 +08:00			`package updaterequest`

			`import (`
			`"context"`
			`"time"`

			`backoff "github.com/cenkalti/backoff"`
			`"github.com/gardener/controller-manager-library/pkg/logger"`
			`"github.com/go-logr/logr"`
			`urkyverno "github.com/kyverno/kyverno/api/kyverno/v1beta1"`
			`kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"`
			`kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"`
			`urkyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1beta1"`
			`kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"`
			`urkyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"`
			`"github.com/kyverno/kyverno/pkg/config"`
			`admissionv1 "k8s.io/api/admission/v1"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/apimachinery/pkg/labels"`
			`utilruntime "k8s.io/apimachinery/pkg/util/runtime"`
			`"k8s.io/client-go/tools/cache"`
			`)`

			`// GenerateRequests provides interface to manage update requests`
			`type Interface interface {`
			`Apply(gr urkyverno.UpdateRequestSpec, action admissionv1.Operation) error`
			`}`

			`// info object stores message data to create update request`
			`type info struct {`
			`spec urkyverno.UpdateRequestSpec`
			`action admissionv1.Operation`
			`}`

			`// Generator defines the implementation to mange update request resource`
			`type Generator struct {`
			`client *kyvernoclient.Clientset`
			`stopCh <-chan struct{}`
			`log logr.Logger`
			`// grLister can list/get generate request from the shared informer's store`
			`grLister kyvernolister.GenerateRequestNamespaceLister`
			`grSynced cache.InformerSynced`

			`urLister urkyvernolister.UpdateRequestNamespaceLister`
			`urSynced cache.InformerSynced`
			`}`

			`// NewGenerator returns a new instance of UpdateRequest resource generator`
			`func NewGenerator(client kyvernoclient.Clientset, grInformer kyvernoinformer.GenerateRequestInformer, urInformer urkyvernoinformer.UpdateRequestInformer, stopCh <-chan struct{}, log logr.Logger) Generator {`
			`gen := &Generator{`
			`client: client,`
			`stopCh: stopCh,`
			`log: log,`
			`grLister: grInformer.Lister().GenerateRequests(config.KyvernoNamespace),`
			`grSynced: grInformer.Informer().HasSynced,`
			`urLister: urInformer.Lister().UpdateRequests(config.KyvernoNamespace),`
			`urSynced: urInformer.Informer().HasSynced,`
			`}`
			`return gen`
			`}`

			`// Apply creates update request resource`
			`func (g *Generator) Apply(gr urkyverno.UpdateRequestSpec, action admissionv1.Operation) error {`
			`logger := g.log`
			`logger.V(4).Info("reconcile Update Request", "request", gr)`

			`message := info{`
			`action: action,`
			`spec: gr,`
			`}`
			`go g.processApply(message)`
			`return nil`
			`}`

			`// Run starts the update request spec`
			`func (g *Generator) Run(workers int, stopCh <-chan struct{}) {`
			`logger := g.log`
			`defer utilruntime.HandleCrash()`

			`logger.V(4).Info("starting")`
			`defer func() {`
			`logger.V(4).Info("shutting down")`
			`}()`

			`if !cache.WaitForCacheSync(stopCh, g.grSynced, g.urSynced) {`
			`logger.Info("failed to sync informer cache")`
			`return`
			`}`

			`<-g.stopCh`
			`}`

			`func (g *Generator) processApply(i info) {`
			`if err := g.generate(i); err != nil {`
			`logger.Error(err, "failed to update request CR")`
			`}`
			`}`

			`func (g *Generator) generate(i info) error {`
			`if err := retryApplyResource(g.client, i.spec, g.log, i.action, g.urLister); err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

			`func retryApplyResource(client *kyvernoclient.Clientset, urSpec urkyverno.UpdateRequestSpec,`
			`log logr.Logger, action admissionv1.Operation, urLister urkyvernolister.UpdateRequestNamespaceLister) error {`

			`if action == admissionv1.Delete && urSpec.Type == urkyverno.Generate {`
			`return nil`
			`}`

			`var i int`
			`var err error`

			`_, policyName, err := cache.SplitMetaNamespaceKey(urSpec.Policy)`
			`if err != nil {`
			`return err`
			`}`

			`applyResource := func() error {`
			`ur := urkyverno.UpdateRequest{`
			`Spec: urSpec,`
			`Status: urkyverno.UpdateRequestStatus{`
			`State: urkyverno.Pending,`
			`},`
			`}`

			`queryLabels := make(map[string]string)`
			`if ur.Spec.Type == urkyverno.Mutate {`
			`queryLabels := map[string]string{`
			`"mutate.updaterequest.kyverno.io/policy-name": ur.Spec.Policy,`
			`"mutate.updaterequest.kyverno.io/trigger-name": ur.Spec.Resource.Name,`
			`"mutate.updaterequest.kyverno.io/trigger-namespace": ur.Spec.Resource.Namespace,`
			`"mutate.updaterequest.kyverno.io/trigger-kind": ur.Spec.Resource.Kind,`
			`}`

			`if ur.Spec.Resource.APIVersion != "" {`
			`queryLabels["mutate.updaterequest.kyverno.io/trigger-apiversion"] = ur.Spec.Resource.APIVersion`
			`}`
			`} else if ur.Spec.Type == urkyverno.Generate {`
			`queryLabels = labels.Set(map[string]string{`
			`"generate.kyverno.io/policy-name": policyName,`
			`"generate.kyverno.io/resource-name": urSpec.Resource.Name,`
			`"generate.kyverno.io/resource-kind": urSpec.Resource.Kind,`
			`"generate.kyverno.io/resource-namespace": urSpec.Resource.Namespace,`
			`})`
			`}`

			`ur.SetNamespace(config.KyvernoNamespace)`
			`isExist := false`
			`log.V(4).Info("apply UpdateRequest", "ruleType", ur.Spec.Type)`

			`urList, err := urLister.List(labels.SelectorFromSet(queryLabels))`
			`if err != nil {`
			`logger.Error(err, "failed to get update request for the resource", "kind", urSpec.Resource.Kind, "name", urSpec.Resource.Name, "namespace", urSpec.Resource.Namespace)`
			`return err`
			`}`

			`for _, v := range urList {`
			`log.V(4).Info("updating existing update request", "name", v.GetName())`

			`v.Spec.Context = ur.Spec.Context`
			`v.Spec.Policy = ur.Spec.Policy`
			`v.Spec.Resource = ur.Spec.Resource`
			`v.Status.Message = ""`

			`new, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).Update(context.TODO(), v, metav1.UpdateOptions{})`
			`if err != nil {`
			`log.V(4).Info("failed to update UpdateRequest, retrying", "retryCount", i, "name", ur.GetName(), "namespace", ur.GetNamespace())`
			`i++`
			`} else {`
			`log.V(4).Info("successfully updated UpdateRequest", "retryCount", i, "name", ur.GetName(), "namespace", ur.GetNamespace())`
			`}`

			`new.Status.State = urkyverno.Pending`
			`if _, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).UpdateStatus(context.TODO(), new, metav1.UpdateOptions{}); err != nil {`
			`log.Error(err, "failed to set UpdateRequest state to Pending")`
			`}`

			`isExist = true`
			`}`

			`if !isExist {`
			`log.V(4).Info("creating new UpdateRequest", "type", ur.Spec.Type)`

			`ur.SetGenerateName("ur-")`
			`ur.SetLabels(queryLabels)`

			`new, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).Create(context.TODO(), &ur, metav1.CreateOptions{})`
			`if err != nil {`
			`log.V(4).Info("failed to create UpdateRequest, retrying", "retryCount", i, "name", ur.GetGenerateName(), "namespace", ur.GetNamespace())`
			`i++`
			`} else {`
			`log.V(4).Info("successfully created UpdateRequest", "retryCount", i, "name", new.GetName(), "namespace", ur.GetNamespace())`
			`}`

			`new.Status.State = urkyverno.Pending`
			`if _, err := client.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).UpdateStatus(context.TODO(), new, metav1.UpdateOptions{}); err != nil {`
			`log.Error(err, "failed to set UpdateRequest state to Pending")`
			`}`
			`}`

			`return err`
			`}`

			`exbackoff := &backoff.ExponentialBackOff{`
			`InitialInterval: 500 * time.Millisecond,`
			`RandomizationFactor: 0.5,`
			`Multiplier: 1.5,`
			`MaxInterval: time.Second,`
			`MaxElapsedTime: 3 * time.Second,`
			`Clock: backoff.SystemClock,`
			`}`

			`exbackoff.Reset()`
			`err = backoff.Retry(applyResource, exbackoff)`

			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`