fix: non-trigger resources should be skipped for background policies regardless of skipBackgroundRequests settings (#9333)

* fix skip checks Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: skip request for non-triggers Signed-off-by: ShutingZhao <shuting@nirmata.com> * add missing files Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: empty policy Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-01-04 18:47:58 +08:00 · 2024-01-04 18:47:58 +08:00 · 025a477688
commit 025a477688
parent fb0eab660b
3 changed files with 38 additions and 24 deletions
--- a/pkg/webhooks/resource/generation/handler.go
+++ b/pkg/webhooks/resource/generation/handler.go
@ -42,34 +42,37 @@ func NewGenerationHandler(
 	urGenerator webhookgenerate.Generator,
 	eventGen event.Interface,
 	metrics metrics.MetricsConfigManager,
+	backgroundServiceAccountName string,
 ) GenerationHandler {
 	return &generationHandler{
-		log:           log,
-		engine:        engine,
-		client:        client,
-		kyvernoClient: kyvernoClient,
-		nsLister:      nsLister,
-		urLister:      urLister,
-		cpolLister:    cpolLister,
-		polLister:     polLister,
-		urGenerator:   urGenerator,
-		eventGen:      eventGen,
-		metrics:       metrics,
+		log:                          log,
+		engine:                       engine,
+		client:                       client,
+		kyvernoClient:                kyvernoClient,
+		nsLister:                     nsLister,
+		urLister:                     urLister,
+		cpolLister:                   cpolLister,
+		polLister:                    polLister,
+		urGenerator:                  urGenerator,
+		eventGen:                     eventGen,
+		metrics:                      metrics,
+		backgroundServiceAccountName: backgroundServiceAccountName,
 	}
 }

 type generationHandler struct {
-	log           logr.Logger
-	engine        engineapi.Engine
-	client        dclient.Interface
-	kyvernoClient versioned.Interface
-	nsLister      corev1listers.NamespaceLister
-	urLister      kyvernov1beta1listers.UpdateRequestNamespaceLister
-	cpolLister    kyvernov1listers.ClusterPolicyLister
-	polLister     kyvernov1listers.PolicyLister
-	urGenerator   webhookgenerate.Generator
-	eventGen      event.Interface
-	metrics       metrics.MetricsConfigManager
+	log                          logr.Logger
+	engine                       engineapi.Engine
+	client                       dclient.Interface
+	kyvernoClient                versioned.Interface
+	nsLister                     corev1listers.NamespaceLister
+	urLister                     kyvernov1beta1listers.UpdateRequestNamespaceLister
+	cpolLister                   kyvernov1listers.ClusterPolicyLister
+	polLister                    kyvernov1listers.PolicyLister
+	urGenerator                  webhookgenerate.Generator
+	eventGen                     event.Interface
+	metrics                      metrics.MetricsConfigManager
+	backgroundServiceAccountName string
 }

 func (h *generationHandler) Handle(
@ -83,6 +86,9 @@ func (h *generationHandler) Handle(
 		h.handleTrigger(ctx, request, policies, policyContext)
 	}

+	if h.backgroundServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username {
+		return
+	}
 	h.handleNonTrigger(ctx, policyContext, request)
 }

--- a/pkg/webhooks/resource/updaterequest.go
+++ b/pkg/webhooks/resource/updaterequest.go
@ -36,6 +36,9 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr
 		}

 		policyNew := skipBackgroundRequests(policy, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
+		if policyNew == nil {
+			continue
+		}
 		logger.V(4).Info("update request for mutateExisting policy")

 		// skip rules that don't specify the DELETE operation in case the admission request is of type DELETE
@ -82,11 +85,13 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr
 }

 func (h *resourceHandlers) handleGenerate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, ts time.Time) {
-	gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig)
+	gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig, h.backgroundServiceAccountName)
 	var policies []kyvernov1.PolicyInterface
 	for _, p := range generatePolicies {
 		new := skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
-		policies = append(policies, new)
+		if new != nil {
+			policies = append(policies, new)
+		}
 	}
 	go gh.Handle(ctx, request, policies, policyContext)
 }
--- a/pkg/webhooks/resource/utils.go
+++ b/pkg/webhooks/resource/utils.go
@ -111,5 +111,8 @@ func skipBackgroundRequests(policy kyvernov1.PolicyInterface, logger logr.Logger
 		logger.V(4).Info("applying background rule", "rule", rule.Name, "skipBackgroundRequests", rule.SkipBackgroundRequests, "backgroundSaDesired", bgsaDesired, "backgroundSaActual", bgsaActual)
 		policyNew.GetSpec().Rules = append(policyNew.GetSpec().Rules, *rule.DeepCopy())
 	}
+	if len(policyNew.GetSpec().Rules) == 0 {
+		return nil
+	}
 	return policyNew
 }