fix: non-trigger resources should be skipped for background policies regardless of skipBackgroundRequests settings (#9333)

* fix skip checks Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: skip request for non-triggers Signed-off-by: ShutingZhao <shuting@nirmata.com> * add missing files Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix: empty policy Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: ShutingZhao <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-01-04 18:47:58 +08:00 · 2024-01-04 18:47:58 +08:00 · 025a477688
commit 025a477688
parent fb0eab660b
3 changed files with 38 additions and 24 deletions
--- a/pkg/webhooks/resource/generation/handler.go
+++ b/pkg/webhooks/resource/generation/handler.go
@ -42,6 +42,7 @@ func NewGenerationHandler(
 	urGenerator webhookgenerate.Generator,
 	eventGen event.Interface,
 	metrics metrics.MetricsConfigManager,
+	backgroundServiceAccountName string,
 ) GenerationHandler {
 	return &generationHandler{
 		log:                          log,
@ -55,6 +56,7 @@ func NewGenerationHandler(
 		urGenerator:                  urGenerator,
 		eventGen:                     eventGen,
 		metrics:                      metrics,
+		backgroundServiceAccountName: backgroundServiceAccountName,
 	}
 }

@ -70,6 +72,7 @@ type generationHandler struct {
 	urGenerator                  webhookgenerate.Generator
 	eventGen                     event.Interface
 	metrics                      metrics.MetricsConfigManager
+	backgroundServiceAccountName string
 }

 func (h *generationHandler) Handle(
@ -83,6 +86,9 @@ func (h *generationHandler) Handle(
 		h.handleTrigger(ctx, request, policies, policyContext)
 	}

+	if h.backgroundServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username {
+		return
+	}
 	h.handleNonTrigger(ctx, policyContext, request)
 }

--- a/pkg/webhooks/resource/updaterequest.go
+++ b/pkg/webhooks/resource/updaterequest.go
@ -36,6 +36,9 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr
 		}

 		policyNew := skipBackgroundRequests(policy, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
+		if policyNew == nil {
+			continue
+		}
 		logger.V(4).Info("update request for mutateExisting policy")

 		// skip rules that don't specify the DELETE operation in case the admission request is of type DELETE
@ -82,11 +85,13 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr
 }

 func (h *resourceHandlers) handleGenerate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, ts time.Time) {
-	gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig)
+	gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig, h.backgroundServiceAccountName)
 	var policies []kyvernov1.PolicyInterface
 	for _, p := range generatePolicies {
 		new := skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
+		if new != nil {
 			policies = append(policies, new)
 		}
+	}
 	go gh.Handle(ctx, request, policies, policyContext)
 }
--- a/pkg/webhooks/resource/utils.go
+++ b/pkg/webhooks/resource/utils.go
@ -111,5 +111,8 @@ func skipBackgroundRequests(policy kyvernov1.PolicyInterface, logger logr.Logger
 		logger.V(4).Info("applying background rule", "rule", rule.Name, "skipBackgroundRequests", rule.SkipBackgroundRequests, "backgroundSaDesired", bgsaDesired, "backgroundSaActual", bgsaActual)
 		policyNew.GetSpec().Rules = append(policyNew.GetSpec().Rules, *rule.DeepCopy())
 	}
+	if len(policyNew.GetSpec().Rules) == 0 {
+		return nil
+	}
 	return policyNew
 }