From 025a4776888165cc2fd7f5087aa16f90f48beb61 Mon Sep 17 00:00:00 2001
From: shuting
Date: Thu, 4 Jan 2024 18:47:58 +0800
Subject: [PATCH] fix: non-trigger resources should be skipped for background policies regardless of `skipBackgroundRequests` settings (#9333)
* fix skip checks
Signed-off-by: ShutingZhao
* fix: skip request for non-triggers
Signed-off-by: ShutingZhao
* add missing files
Signed-off-by: ShutingZhao
* fix: empty policy
Signed-off-by: ShutingZhao
---------
Signed-off-by: ShutingZhao
---
 pkg/webhooks/resource/generation/handler.go | 50 ++++++++++++---------
 pkg/webhooks/resource/updaterequest.go | 9 +++-
 pkg/webhooks/resource/utils.go | 3 ++
 3 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/pkg/webhooks/resource/generation/handler.go b/pkg/webhooks/resource/generation/handler.go
index e51260ecb2..f1d1366f85 100644
--- a/pkg/webhooks/resource/generation/handler.go
+++ b/pkg/webhooks/resource/generation/handler.go
@@ -42,34 +42,37 @@ func NewGenerationHandler( urGenerator webhookgenerate.Generator, eventGen event.Interface, metrics metrics.MetricsConfigManager, + backgroundServiceAccountName string, ) GenerationHandler { return &generationHandler{ - log: log, - engine: engine, - client: client, - kyvernoClient: kyvernoClient, - nsLister: nsLister, - urLister: urLister, - cpolLister: cpolLister, - polLister: polLister, - urGenerator: urGenerator, - eventGen: eventGen, - metrics: metrics, + log: log, + engine: engine, + client: client, + kyvernoClient: kyvernoClient, + nsLister: nsLister, + urLister: urLister, + cpolLister: cpolLister, + polLister: polLister, + urGenerator: urGenerator, + eventGen: eventGen, + metrics: metrics, + backgroundServiceAccountName: backgroundServiceAccountName, } } type generationHandler struct { - log logr.Logger - engine engineapi.Engine - client dclient.Interface - kyvernoClient versioned.Interface - nsLister corev1listers.NamespaceLister - urLister kyvernov1beta1listers.UpdateRequestNamespaceLister - cpolLister kyvernov1listers.ClusterPolicyLister - polLister kyvernov1listers.PolicyLister - urGenerator webhookgenerate.Generator - eventGen event.Interface - metrics metrics.MetricsConfigManager + log logr.Logger + engine engineapi.Engine + client dclient.Interface + kyvernoClient versioned.Interface + nsLister corev1listers.NamespaceLister + urLister kyvernov1beta1listers.UpdateRequestNamespaceLister + cpolLister kyvernov1listers.ClusterPolicyLister + polLister kyvernov1listers.PolicyLister + urGenerator webhookgenerate.Generator + eventGen event.Interface + metrics metrics.MetricsConfigManager + backgroundServiceAccountName string } func (h *generationHandler) Handle( @@ -83,6 +86,9 @@ func (h *generationHandler) Handle( h.handleTrigger(ctx, request, policies, policyContext) } + if h.backgroundServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username { + return + } h.handleNonTrigger(ctx, policyContext, request) } 
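Review bot: The early return inserted before `h.handleNonTrigger` in the second hunk has no comment, and the diff never states why non-trigger handling is skipped when the admission user is the background controller's service account; a reader has to reconstruct it from `skipBackgroundRequests` in utils.go, which performs the same username comparison, so the two checks can silently diverge. Suggest `// NOTE(review): requests authenticated as the background controller's own service account skip non-trigger handling; presumably this keeps the controller's own writes from re-entering generation — confirm against skipBackgroundRequests.` The comparison is also silent: when `backgroundServiceAccountName` is unset it is `""` and matches only an empty username, so a misconfigured name disables the skip without any signal, and an `h.log.V(4).Info("skipping non-trigger handling for background controller request", "username", policyContext.AdmissionInfo().AdmissionUserInfo.Username)` before the `return` would make the branch observable. `Handle` starts outside the hunk; only its tail is visible.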
diff --git a/pkg/webhooks/resource/updaterequest.go b/pkg/webhooks/resource/updaterequest.go index c8cf096b48..37f706ce0c 100644 --- a/pkg/webhooks/resource/updaterequest.go +++ b/pkg/webhooks/resource/updaterequest.go @@ -36,6 +36,9 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr } policyNew := skipBackgroundRequests(policy, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username) + if policyNew == nil { + continue + } logger.V(4).Info("update request for mutateExisting policy") // skip rules that don't specify the DELETE operation in case the admission request is of type DELETE @@ -82,11 +85,13 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr } func (h *resourceHandlers) handleGenerate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, ts time.Time) { - gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig) + gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig, h.backgroundServiceAccountName) var policies []kyvernov1.PolicyInterface for _, p := range generatePolicies { new := skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username) - policies = append(policies, new) + if new != nil { + policies = append(policies, new) + } } go gh.Handle(ctx, request, policies, policyContext) } diff --git a/pkg/webhooks/resource/utils.go b/pkg/webhooks/resource/utils.go index c7008f2f0b..296340be0e 100644 --- a/pkg/webhooks/resource/utils.go +++ b/pkg/webhooks/resource/utils.go 
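Review bot: In `handleGenerate` the new guard `if new != nil {` keeps building on the local named `new`, which shadows Go's builtin `new` for the rest of the loop body; the first hunk names the equivalent variable `policyNew`, so `policyNew := skipBackgroundRequests(...)` / `if policyNew != nil { policies = append(policies, policyNew) }` would be consistent across the two functions and avoid the shadowing. Both nil checks rely on `skipBackgroundRequests` now returning nil when every rule is filtered out, a contract introduced in utils.go in this same commit; since that helper lives in another file of the package, a short comment at the first check, `// skipBackgroundRequests returns nil when filtering leaves no rules`, saves the reader a lookup. `go gh.Handle(...)` still runs when `policies` is empty after filtering, which looks intended because non-trigger handling does not take `policies` into account, but that is inferred from handler.go rather than visible here. `handleMutateExisting` and the loop around the first hunk start outside the hunk.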
@@ -111,5 +111,8 @@ func skipBackgroundRequests(policy kyvernov1.PolicyInterface, logger logr.Logger
 logger.V(4).Info("applying background rule", "rule", rule.Name, "skipBackgroundRequests", rule.SkipBackgroundRequests, "backgroundSaDesired", bgsaDesired, "backgroundSaActual", bgsaActual)
 policyNew.GetSpec().Rules = append(policyNew.GetSpec().Rules, *rule.DeepCopy())
 }
+ if len(policyNew.GetSpec().Rules) == 0 {
+ return nil
+ }
 return policyNew
 }
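Review bot: `skipBackgroundRequests` now returns nil when background-request filtering leaves the copied policy with no rules, but nothing in the function records that callers must handle a nil result; the two call sites adjusted in updaterequest.go are the only protection, and any future caller that invokes `GetSpec()` on the result will panic on a nil interface. Suggest extending the function's doc comment, which starts outside the hunk: `// It returns nil when background-request filtering leaves the policy with no rules; callers must check for nil before use.` Returning the untyped `nil` literal is the right choice if the result type is the `kyvernov1.PolicyInterface` interface, as the parameter type suggests, since a typed nil pointer would compare unequal to nil at the call sites. Only the tail of the function is visible in this hunk.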