mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

Merge pull request #1001 from evalsocket/patch-4

policy name added in labels
Jim Bugwadia 2020-07-17 00:47:51 -07:00 committed by GitHub
commit 00d22e89e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 9 deletions


@ -50,13 +50,13 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
for _,e := range gr.Status.GeneratedResources {
resp, err := c.client.GetResource(e.Kind,e.Namespace,e.Name);
if err != nil {
logger.Error(err,"Generated resource failed to get","Resource",resp.GetName())
logger.Error(err,"Generated resource failed to get","Resource",e.Name)
}
labels := resp.GetLabels()
if labels["app.kubernetes.io/synchronize"] == "enable" {
if labels["policy.kyverno.io/synchronize"] == "enable" {
if err := c.client.DeleteResource(resp.GetKind(), resp.GetNamespace(), resp.GetName(), false); err != nil {
logger.Error(err,"Generated resource is not deleted","Resource",resp.GetName())
logger.Error(err,"Generated resource is not deleted","Resource",e.Name)
}
}
}
@ -135,7 +135,7 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.P
continue
}
startTime := time.Now()
genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting)
genResource, err := applyRule(log, c.client, rule, resource, ctx, processExisting,policy.Name)
if err != nil {
return nil, err
}
@ -192,7 +192,7 @@ func updateGenerateExecutionTime(newTime time.Duration, oldAverageTimeString str
return time.Duration(newAverageTimeInNanoSeconds) * time.Nanosecond
}
func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool) (kyverno.ResourceSpec, error) {
func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resource unstructured.Unstructured, ctx context.EvalInterface, processExisting bool,policy string) (kyverno.ResourceSpec, error) {
var rdata map[string]interface{}
var err error
var mode ResourceMode
@ -280,10 +280,11 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
// Add Synchronize label
label := newResource.GetLabels()
if rule.Generation.Synchronize {
label["app.kubernetes.io/synchronize"] = "enable"
label["policy.kyverno.io/synchronize"] = "enable"
} else {
label["app.kubernetes.io/synchronize"] = "disable"
label["policy.kyverno.io/synchronize"] = "disable"
}
label["policy.kyverno.io/policy-name"] = policy
newResource.SetLabels(label)
if mode == Create {
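Review bot: In the first hunk (`applyGenerate`), a failed `c.client.GetResource` is only logged, and the loop then calls `resp.GetLabels()` and `resp.GetKind()` on a `resp` that is presumably nil or unusable on error. The commit's switch to `e.Name` in the log call avoids the dereference there but not on the following line, so the error branch should end with `continue`. In the last hunk, `label["policy.kyverno.io/policy-name"] = policy` writes into the map returned by `newResource.GetLabels()`, which would panic if that map is nil; if nothing earlier in `applyRule` guarantees labels are set, guard with `if label == nil { label = map[string]string{} }`. Both function bodies extend beyond the visible hunks, so earlier initialisation cannot be ruled out from here.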


@ -576,14 +576,14 @@ func (ws *WebhookServer) excludeKyvernoResources(request *v1beta1.AdmissionReque
if isManagedResourceCheck {
labels := resource.GetLabels()
if labels != nil {
if labels["app.kubernetes.io/managed-by"] == "kyverno" && labels["app.kubernetes.io/synchronize"] == "enable" {
if labels["app.kubernetes.io/managed-by"] == "kyverno" && labels["policy.kyverno.io/synchronize"] == "enable" {
isAuthorized, err := userinfo.IsRoleAuthorize(ws.rbLister, ws.crbLister, ws.rLister, ws.crLister, request)
if err != nil {
return fmt.Errorf("failed to get RBAC infromation for request %v", err)
}
if !isAuthorized {
// convert RAW to unstructured
return fmt.Errorf("Resource is managed by a Kyverno policy and cannot be update manually. You can edit the generate policy to update this resource.")
return fmt.Errorf("Resource is managed by a Kyverno policy and cannot be update manually. You can edit the policy %s to update this resource.",labels["policy.kyverno.io/policy-name"])
}
}
}
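Review bot: The manual-edit guard in `excludeKyvernoResources` now matches only `labels["policy.kyverno.io/synchronize"] == "enable"`, so resources generated before this change, which still carry `app.kubernetes.io/synchronize: enable`, would skip the `IsRoleAuthorize` check and become editable by any user. Unless existing resources are relabelled elsewhere, the condition should accept both keys during a transition, e.g. `labels["policy.kyverno.io/synchronize"] == "enable" || labels["app.kubernetes.io/synchronize"] == "enable"`. The same applies to the cleanup check in `applyGenerate`. The new message also interpolates `labels["policy.kyverno.io/policy-name"]` from the resource itself, which is empty for older resources and is whatever the object's labels say, so a fallback wording for the empty case and `%q` instead of `%s` would make the output unambiguous. The function continues outside the hunk.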