From 0810290f2640806e6151fcf91b86c577d8490aa7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 10 Mar 2023 16:44:28 +0100
Subject: [PATCH] fix: process audit policies when admission reports are disabled (#6531)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
---
 .../resource/validation/validation.go | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go
index faa9b60dbe..a00b10c2fe 100644
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
@@ -182,19 +182,17 @@ func (v *validationHandler) handleAudit(
 namespaceLabels map[string]string,
 engineResponses ...*engineapi.EngineResponse,
 ) {
- if !v.admissionReports {
- return
- }
+ createReport := v.admissionReports
 if request.DryRun != nil && *request.DryRun {
- return
+ createReport = false
 }
 // we don't need reports for deletions
 if request.Operation == admissionv1.Delete {
- return
+ createReport = false
 }
 // check if the resource supports reporting
 if !reportutils.IsGvkSupported(schema.GroupVersionKind(request.Kind)) {
- return
+ createReport = false
 }
 tracing.Span(
 context.Background(),
@@ -207,17 +205,19 @@ func (v *validationHandler) handleAudit(
 }
 events := webhookutils.GenerateEvents(responses, false)
 v.eventGen.Add(events...)
- responses = append(responses, engineResponses...)
- report := reportutils.BuildAdmissionReport(resource, request, request.Kind, responses...)
- // if it's not a creation, the resource already exists, we can set the owner
- if request.Operation != admissionv1.Create {
- gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
- controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
- }
- if len(report.GetResults()) > 0 {
- _, err = reportutils.CreateReport(ctx, report, v.kyvernoClient)
- if err != nil {
- v.log.Error(err, "failed to create report")
+ if createReport {
+ responses = append(responses, engineResponses...)
+ report := reportutils.BuildAdmissionReport(resource, request, request.Kind, responses...)
+ // if it's not a creation, the resource already exists, we can set the owner
+ if request.Operation != admissionv1.Create {
+ gv := metav1.GroupVersion{Group: request.Kind.Group, Version: request.Kind.Version}
+ controllerutils.SetOwner(report, gv.String(), request.Kind.Kind, resource.GetName(), resource.GetUID())
+ }
+ if len(report.GetResults()) > 0 {
+ _, err = reportutils.CreateReport(ctx, report, v.kyvernoClient)
+ if err != nil {
+ v.log.Error(err, "failed to create report")
+ }
 }
 }
 },
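Review bot: Because the previous hunk turns the dry-run early return into `createReport = false`, the `webhookutils.GenerateEvents` / `v.eventGen.Add(events...)` lines just above the new `if createReport` block now also execute for requests with `request.DryRun` set, so audit processing can emit Kubernetes events for an admission that will never be persisted; unless the unseen part of the span body re-checks DryRun, that conflicts with dry-run semantics if this webhook is registered as having no side effects on dry run. Keeping the early `return` for the dry-run case in the previous hunk (`if request.DryRun != nil && *request.DryRun { return }`) while still converting the admissionReports, Delete and IsGvkSupported cases to `createReport = false` would preserve the intent of the fix without adding a dry-run side effect. As a point of style, the nested block could instead be a guard `if !createReport { return }` placed right after `v.eventGen.Add(events...)`, which keeps the report-building code at its original indentation and avoids re-indenting eleven lines. The enclosing handleAudit function and the span callback begin outside this hunk.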