kyverno/pkg/policy/cleanup.go

package policy

import (
	"fmt"
	"reflect"

	"github.com/go-logr/logr"
	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
	kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
	"github.com/kyverno/kyverno/pkg/engine/response"
	"k8s.io/apimachinery/pkg/labels"
)

func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {
	for _, er := range ers {
		if !er.IsSuccessful() {
			continue
		}
		if len(er.PolicyResponse.Rules) == 0 {
			continue
		}
		// clean up after the policy has been corrected
		pc.cleanUpPolicyViolation(er.PolicyResponse)
	}
}

func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResponse) {
	logger := pc.log
	// - check if there is violation on resource (label:Selector)
	if pResponse.Resource.Namespace == "" {
		pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name, logger)
		if err != nil {
			logger.Error(err, "failed to get cluster policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "name", pResponse.Resource.Name)
			return
		}

		if reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) {
			return
		}
		if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {
			logger.Error(err, "failed to delete cluster policy violation", "name", pv.Name)
		} else {
			logger.Info("deleted cluster policy violation", "name", pv.Name)
		}
		return
	}

	// namespace policy violation
	nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name, logger)
	if err != nil {
		logger.Error(err, "failed to get namespaced policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "namespace", pResponse.Resource.Namespace, "name", pResponse.Resource.Name)
		return
	}

	if reflect.DeepEqual(nspv, kyverno.PolicyViolation{}) {
		return
	}
	if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil {
		logger.Error(err, "failed to delete cluster policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
	} else {
		logger.Info("deleted namespaced policy violation", "name", nspv.Name, "namespace", nspv.Namespace)
	}
}

// Wont do the claiming of objects, just lookup based on selectors
func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string, log logr.Logger) (kyverno.ClusterPolicyViolation, error) {
	var err error
	// Check Violation on resource
	pvs, err := pvLister.List(labels.Everything())
	if err != nil {
		log.Error(err, "failed to list cluster policy violations")
		return kyverno.ClusterPolicyViolation{}, fmt.Errorf("failed to list cluster pv: %v", err)
	}

	for _, pv := range pvs {
		// find a policy on same resource and policy combination
		if pv.Spec.Policy == policyName &&
			pv.Spec.ResourceSpec.Kind == rkind &&
			pv.Spec.ResourceSpec.Name == rname {
			return *pv, nil
		}
	}
	return kyverno.ClusterPolicyViolation{}, nil
}

func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string, log logr.Logger) (kyverno.PolicyViolation, error) {
	nspvs, err := nspvLister.PolicyViolations(rnamespace).List(labels.Everything())
	if err != nil {
		log.Error(err, "failed to list namespaced policy violation")
		return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)
	}

	for _, nspv := range nspvs {
		// find a policy on same resource and policy combination
		if nspv.Spec.Policy == policyName &&
			nspv.Spec.ResourceSpec.Kind == rkind &&
			nspv.Spec.ResourceSpec.Name == rname {
			return *nspv, nil
		}
	}

	return kyverno.PolicyViolation{}, nil
}
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`package policy`

			`import (`
			`"fmt"`
			`"reflect"`

logs & access 2020-03-17 11:05:20 -07:00			`"github.com/go-logr/logr"`
update nirmata/kyverno to kyverno/kyverno 2020-10-07 11:12:31 -07:00			`kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"`
			`kyvernolister "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"`
			`"github.com/kyverno/kyverno/pkg/engine/response"`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`"k8s.io/apimachinery/pkg/labels"`
			`)`

logs & access 2020-03-17 11:05:20 -07:00			`func (pc *PolicyController) cleanUp(ers []response.EngineResponse) {`
			`for _, er := range ers {`
update logging, naming, and event retry (#959) * update logging and naming * check per policy patch count 2020-06-30 11:53:27 -07:00			`if !er.IsSuccessful() {`
logs & access 2020-03-17 11:05:20 -07:00			`continue`
			`}`
			`if len(er.PolicyResponse.Rules) == 0 {`
			`continue`
			`}`
			`// clean up after the policy has been corrected`
			`pc.cleanUpPolicyViolation(er.PolicyResponse)`
			`}`
			`}`

refactor engine packages for validate & generate 2019-12-12 15:02:59 -08:00			`func (pc *PolicyController) cleanUpPolicyViolation(pResponse response.PolicyResponse) {`
logs & access 2020-03-17 11:05:20 -07:00			`logger := pc.log`
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`// - check if there is violation on resource (label:Selector)`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`if pResponse.Resource.Namespace == "" {`
logs & access 2020-03-17 11:05:20 -07:00			`pv, err := getClusterPV(pc.cpvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Name, logger)`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`if err != nil {`
logs & access 2020-03-17 11:05:20 -07:00			`logger.Error(err, "failed to get cluster policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "name", pResponse.Resource.Name)`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`return`
			`}`
fix pv cleanup #496 2019-11-14 12:01:41 -08:00
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`if reflect.DeepEqual(pv, kyverno.ClusterPolicyViolation{}) {`
			`return`
			`}`
			`if err := pc.pvControl.DeleteClusterPolicyViolation(pv.Name); err != nil {`
logs & access 2020-03-17 11:05:20 -07:00			`logger.Error(err, "failed to delete cluster policy violation", "name", pv.Name)`
			`} else {`
			`logger.Info("deleted cluster policy violation", "name", pv.Name)`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`}`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`return`
			`}`

- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`// namespace policy violation`
logs & access 2020-03-17 11:05:20 -07:00			`nspv, err := getNamespacedPV(pc.nspvLister, pResponse.Policy, pResponse.Resource.Kind, pResponse.Resource.Namespace, pResponse.Resource.Name, logger)`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`if err != nil {`
logs & access 2020-03-17 11:05:20 -07:00			`logger.Error(err, "failed to get namespaced policy violation on policy and resource", "policy", pResponse.Policy, "kind", pResponse.Resource.Kind, "namespace", pResponse.Resource.Namespace, "name", pResponse.Resource.Name)`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`return`
			`}`

- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`if reflect.DeepEqual(nspv, kyverno.PolicyViolation{}) {`
			`return`
			`}`
			`if err := pc.pvControl.DeleteNamespacedPolicyViolation(nspv.Namespace, nspv.Name); err != nil {`
logs & access 2020-03-17 11:05:20 -07:00			`logger.Error(err, "failed to delete cluster policy violation", "name", nspv.Name, "namespace", nspv.Namespace)`
			`} else {`
			`logger.Info("deleted namespaced policy violation", "name", nspv.Name, "namespace", nspv.Namespace)`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`}`
			`}`

- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`// Wont do the claiming of objects, just lookup based on selectors`
logs & access 2020-03-17 11:05:20 -07:00			`func getClusterPV(pvLister kyvernolister.ClusterPolicyViolationLister, policyName, rkind, rname string, log logr.Logger) (kyverno.ClusterPolicyViolation, error) {`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`var err error`
			`// Check Violation on resource`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`pvs, err := pvLister.List(labels.Everything())`
			`if err != nil {`
logs & access 2020-03-17 11:05:20 -07:00			`log.Error(err, "failed to list cluster policy violations")`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`return kyverno.ClusterPolicyViolation{}, fmt.Errorf("failed to list cluster pv: %v", err)`
			`}`

			`for _, pv := range pvs {`
			`// find a policy on same resource and policy combination`
			`if pv.Spec.Policy == policyName &&`
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`pv.Spec.ResourceSpec.Kind == rkind &&`
			`pv.Spec.ResourceSpec.Name == rname {`
handle namespaced/cluster violation cleanup separately 2019-11-14 13:06:56 -08:00			`return *pv, nil`
			`}`
			`}`
			`return kyverno.ClusterPolicyViolation{}, nil`
			`}`

logs & access 2020-03-17 11:05:20 -07:00			`func getNamespacedPV(nspvLister kyvernolister.PolicyViolationLister, policyName, rkind, rnamespace, rname string, log logr.Logger) (kyverno.PolicyViolation, error) {`
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`nspvs, err := nspvLister.PolicyViolations(rnamespace).List(labels.Everything())`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`if err != nil {`
logs & access 2020-03-17 11:05:20 -07:00			`log.Error(err, "failed to list namespaced policy violation")`
rename namespacedpolicyviolation: update code 2019-12-11 16:09:05 -08:00			`return kyverno.PolicyViolation{}, fmt.Errorf("failed to list namespaced pv: %v", err)`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`}`
use store to hold values and queue for keys 2019-11-12 16:01:09 -08:00
fix pv cleanup #496 2019-11-14 12:01:41 -08:00			`for _, nspv := range nspvs {`
use store to hold values and queue for keys 2019-11-12 16:01:09 -08:00			`// find a policy on same resource and policy combination`
fix pv cleanup #496 2019-11-14 12:01:41 -08:00			`if nspv.Spec.Policy == policyName &&`
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`nspv.Spec.ResourceSpec.Kind == rkind &&`
			`nspv.Spec.ResourceSpec.Name == rname {`
fix pv cleanup #496 2019-11-14 12:01:41 -08:00			`return *nspv, nil`
use store to hold values and queue for keys 2019-11-12 16:01:09 -08:00			`}`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`}`
fix pv cleanup #496 2019-11-14 12:01:41 -08:00
- remove policy violation created on owner and related logic; - use generic call to create violation info 2020-01-06 17:07:11 -08:00			`return kyverno.PolicyViolation{}, nil`
458 cleanup (#464) * cleanup of policy violation on policy spec changes + refactoring * remove unused code * remove duplicate types * cleanup references * fix info log and clean code * code clean * remove dead code 2019-11-08 20:45:26 -08:00			`}`