
fix: non-trigger resources should be skipped for background policies regardless of skipBackgroundRequests settings (#9333)

* fix skip checks

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: skip request for non-triggers

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* add missing files

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix: empty policy

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
shuting 2024-01-04 18:47:58 +08:00 committed by GitHub
parent fb0eab660b
commit 025a477688
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 38 additions and 24 deletions


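--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -42,34 +42,37 @@ func NewGenerationHandler(
 urGenerator webhookgenerate.Generator,
 eventGen event.Interface,
 metrics metrics.MetricsConfigManager,
+backgroundServiceAccountName string,
 ) GenerationHandler {
 return &generationHandler{
-log: log,
-engine: engine,
-client: client,
-kyvernoClient: kyvernoClient,
-nsLister: nsLister,
-urLister: urLister,
-cpolLister: cpolLister,
-polLister: polLister,
-urGenerator: urGenerator,
-eventGen: eventGen,
-metrics: metrics,
+log: log,
+engine: engine,
+client: client,
+kyvernoClient: kyvernoClient,
+nsLister: nsLister,
+urLister: urLister,
+cpolLister: cpolLister,
+polLister: polLister,
+urGenerator: urGenerator,
+eventGen: eventGen,
+metrics: metrics,
+backgroundServiceAccountName: backgroundServiceAccountName,
 }
 }
 type generationHandler struct {
-log logr.Logger
-engine engineapi.Engine
-client dclient.Interface
-kyvernoClient versioned.Interface
-nsLister corev1listers.NamespaceLister
-urLister kyvernov1beta1listers.UpdateRequestNamespaceLister
-cpolLister kyvernov1listers.ClusterPolicyLister
-polLister kyvernov1listers.PolicyLister
-urGenerator webhookgenerate.Generator
-eventGen event.Interface
-metrics metrics.MetricsConfigManager
+log logr.Logger
+engine engineapi.Engine
+client dclient.Interface
+kyvernoClient versioned.Interface
+nsLister corev1listers.NamespaceLister
+urLister kyvernov1beta1listers.UpdateRequestNamespaceLister
+cpolLister kyvernov1listers.ClusterPolicyLister
+polLister kyvernov1listers.PolicyLister
+urGenerator webhookgenerate.Generator
+eventGen event.Interface
+metrics metrics.MetricsConfigManager
+backgroundServiceAccountName string
 }
 func (h *generationHandler) Handle(
@@ -83,6 +86,9 @@ func (h *generationHandler) Handle(
 h.handleTrigger(ctx, request, policies, policyContext)
 }
+if h.backgroundServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username {
+return
+}
 h.handleNonTrigger(ctx, policyContext, request)
 }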
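Review bot: The early return added in Handle decides solely on `h.backgroundServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username`, yet the new struct field carries no comment saying what it holds, and an unset (empty) field would compare equal to an empty Username; Handle's body begins before the second hunk. A field comment such as `// backgroundServiceAccountName is the username that background requests are issued under; admission requests from that user bypass non-trigger handling.` states the contract for the next reader. If the value can be left unconfigured, guarding with `if h.backgroundServiceAccountName != "" && h.backgroundServiceAccountName == policyContext.AdmissionInfo().AdmissionUserInfo.Username {` keeps an empty setting from matching requests with an empty Username — how the field is populated is not visible on this page.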


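--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -36,6 +36,9 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr
 }
 policyNew := skipBackgroundRequests(policy, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
+if policyNew == nil {
+continue
+}
 logger.V(4).Info("update request for mutateExisting policy")
 // skip rules that don't specify the DELETE operation in case the admission request is of type DELETE
@@ -82,11 +85,13 @@ func (h *resourceHandlers) handleMutateExisting(ctx context.Context, logger logr
 }
 func (h *resourceHandlers) handleGenerate(ctx context.Context, logger logr.Logger, request admissionv1.AdmissionRequest, generatePolicies []kyvernov1.PolicyInterface, policyContext *engine.PolicyContext, ts time.Time) {
-gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig)
+gh := generation.NewGenerationHandler(logger, h.engine, h.client, h.kyvernoClient, h.nsLister, h.urLister, h.cpolLister, h.polLister, h.urGenerator, h.eventGen, h.metricsConfig, h.backgroundServiceAccountName)
 var policies []kyvernov1.PolicyInterface
 for _, p := range generatePolicies {
 new := skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)
-policies = append(policies, new)
+if new != nil {
+policies = append(policies, new)
+}
 }
 go gh.Handle(ctx, request, policies, policyContext)
 }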
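Review bot: The added `if new != nil {` in handleGenerate builds on a local named `new`, which shadows Go's builtin `new` for the rest of the loop body; since the hunk already touches these lines, renaming is cheap: `filtered := skipBackgroundRequests(p, logger, h.backgroundServiceAccountName, policyContext.AdmissionInfo().AdmissionUserInfo.Username)`, `if filtered != nil {`, `policies = append(policies, filtered)`. With every policy now possibly filtered out, `policies` can be empty when `go gh.Handle(...)` is launched; whether Handle should still run for its non-trigger work in that case is not visible here, so a one-line comment on the `go` line recording that intent would help. The `continue` added in handleMutateExisting in the first hunk is the matching nil check and is consistent with this one.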


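--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -111,5 +111,8 @@ func skipBackgroundRequests(policy kyvernov1.PolicyInterface, logger logr.Logger
 logger.V(4).Info("applying background rule", "rule", rule.Name, "skipBackgroundRequests", rule.SkipBackgroundRequests, "backgroundSaDesired", bgsaDesired, "backgroundSaActual", bgsaActual)
 policyNew.GetSpec().Rules = append(policyNew.GetSpec().Rules, *rule.DeepCopy())
 }
+if len(policyNew.GetSpec().Rules) == 0 {
+return nil
+}
 return policyNew
 }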
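Review bot: skipBackgroundRequests now returns nil once every rule has been dropped, which changes its contract for every caller, but the function's doc comment (the function starts before this hunk) is not updated to say so; add a line such as `// It returns nil when no rule survives the check, so callers must nil-check the result.` The added `return nil` is a literal nil on the `kyvernov1.PolicyInterface` return type, which is what makes the callers' `!= nil` checks work; returning a typed nil pointer here instead would make those checks pass a nil policy through, so this is worth a short comment. Since `policyNew.GetSpec().Rules` is read on consecutive lines, `rules := policyNew.GetSpec().Rules` before the length check would also avoid the repeated call.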