Background mode only apply to running pods (#949)

* background mode process Running pod only

* update debug doc

documentation/installation.md

@@ -224,9 +224,9 @@ To build Kyverno in a development environment see: https://github.com/nirmata/ky
 
 To run controller in this mode you should prepare a TLS key/certificate pair for debug webhook, then start controller with kubeconfig and the server address.
 
-1. Run `scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. It also registers a CustomResource policy.
+1. Run `sudo scripts/deploy-controller-debug.sh --service=localhost --serverIP=<server_IP>`, where <server_IP> is the IP address of the host where controller runs. This scripts will generate a TLS certificate for debug webhook server and register this webhook in the cluster. It also registers a CustomResource policy.
 
-2. Start the controller using the following command: `sudo kyverno --kubeconfig=~/.kube/config --serverIP=<server_IP>`
+2. Start the controller using the following command: `sudo go run ./cmd/kyverno/main.go --kubeconfig=~/.kube/config --serverIP=<server_IP>`
 
 # Filter Kubernetes resources that admission webhook should not process
 The admission webhook checks if a policy is applicable on all admission requests. The Kubernetes kinds that are not be processed can be filtered by adding a `ConfigMap` in namespace `kyverno` and specifying the resources to be filtered under `data.resourceFilters`. The default name of this `ConfigMap` is `init-config` but can be changed by modifying the value of the environment variable `INIT_CONFIG` in the kyverno deployment dpec. `data.resourceFilters` must be a sequence of one or more `[<Kind>,<Namespace>,<Name>]` entries with `*` as wildcard. Thus, an item `[Node,*,*]` means that admissions of `Node` in any namespace and with any name will be ignored.

pkg/policy/existing.go

@@ -172,6 +172,12 @@ func getResourcesPerNamespace(kind string, client *client.Client, namespace stri
 			continue
 		}
 
+		if r.GetKind() == "Pod" {
+			if !isRunningPod(r) {
+				continue
+			}
+		}
+
 		// match name
 		if rule.MatchResources.Name != "" {
 			if !wildcard.Match(rule.MatchResources.Name, r.GetName()) {

pkg/policy/utils.go

@@ -1,5 +1,7 @@
 package policy
 
+import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
 //Contains Check if strint is contained in a list of string
 func containString(list []string, element string) bool {
 	for _, e := range list {
@@ -9,3 +11,13 @@ func containString(list []string, element string) bool {
 	}
 	return false
 }
+
+func isRunningPod(obj unstructured.Unstructured) bool {
+	objMap := obj.UnstructuredContent()
+	phase, ok, err := unstructured.NestedString(objMap, "status", "phase")
+	if !ok || err != nil {
+		return false
+	}
+
+	return phase == "Running"
+}

pkg/policyviolation/namespacedpv.go

@@ -10,7 +10,6 @@ import (
 	client "github.com/nirmata/kyverno/pkg/dclient"
 	"github.com/nirmata/kyverno/pkg/policystatus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	unstructedv1 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 //NamespacedPV ...
@@ -97,12 +96,6 @@ func (nspv *namespacedPV) createPV(newPv *kyverno.PolicyViolation) error {
 		return nil
 	}
 
-	if newPv.Spec.ResourceSpec.Kind == "Pod" {
-		if isEvictedPod(obj.Object) {
-			return nil
-		}
-	}
-
 	// set owner reference to resource
 	ownerRef, ok := createOwnerReference(obj)
 	if !ok {
@@ -149,12 +142,3 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.PolicyViolation) error
 	logger.Info("namespaced policy violation updated")
 	return nil
 }
-
-func isEvictedPod(pod map[string]interface{}) bool {
-	reason, ok, _ := unstructedv1.NestedString(pod, "status", "reason")
-	if !ok {
-		return false
-	}
-
-	return reason == "Evicted"
-}