cherry-pick #9230 (#9234)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-12-21 01:16:09 +08:00 · 2023-12-21 01:16:09 +08:00 · 0c000eb8ee
commit 0c000eb8ee
parent 71f7a67b6e
5 changed files with 50 additions and 29 deletions
--- a/pkg/policy/mutate.go
+++ b/pkg/policy/mutate.go
@ -12,10 +12,6 @@ import (

 func (pc *policyController) handleMutate(policyKey string, policy kyvernov1.PolicyInterface) error {
 	logger := pc.log.WithName("handleMutate").WithName(policyKey)
-	if !policy.GetSpec().MutateExistingOnPolicyUpdate {
-		logger.V(4).Info("skip policy application on policy event", "policyKey", policyKey, "mutateExiting", policy.GetSpec().MutateExistingOnPolicyUpdate)
-		return nil
-	}

 	logger.Info("update URs on policy event")
 	for _, rule := range policy.GetSpec().Rules {
--- a/pkg/policy/policy_controller.go
+++ b/pkg/policy/policy_controller.go
@ -3,6 +3,7 @@ package policy
 import (
 	"context"
 	"fmt"
+	"os"
 	"time"

 	"github.com/go-logr/logr"
@ -144,11 +145,9 @@ func NewPolicyController(

 func (pc *policyController) canBackgroundProcess(p kyvernov1.PolicyInterface) bool {
 	logger := pc.log.WithValues("policy", p.GetName())
-	if !p.BackgroundProcessingEnabled() {
-		if !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting() {
-			logger.V(4).Info("background processing is disabled")
-			return false
-		}
+	if !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting() {
+		logger.V(4).Info("policy does not have background rules for reconciliation")
+		return false
 	}

 	if err := policyvalidation.ValidateVariables(p, true); err != nil {
@ -156,6 +155,18 @@ func (pc *policyController) canBackgroundProcess(p kyvernov1.PolicyInterface) bo
 		return false
 	}

+	if p.GetSpec().IsMutateExisting() {
+		val := os.Getenv("BACKGROUND_SCAN_INTERVAL")
+		interval, err := time.ParseDuration(val)
+		if err != nil {
+			logger.V(4).Info("failed to parse BACKGROUND_SCAN_INTERVAL env variable, falling to default 1h", "msg", err.Error())
+			interval = time.Hour
+		}
+		if p.GetCreationTimestamp().Add(interval).After(time.Now()) {
+			return p.GetSpec().GetMutateExistingOnPolicyUpdate()
+		}
+	}
+
 	return true
 }

--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/01-manifests.yaml
@ -1,36 +1,44 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: background-false-ns
+---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: add-privileged-existing-namespaces
  annotations:
-    policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
+    kyverno.io/kubernetes-version: "1.24"
+    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/category: Pod Security Admission
+    policies.kyverno.io/description: 'When Pod Security Admission is configured with
+      a cluster-wide AdmissionConfiguration file which sets either baseline or restricted,
+      for example in many PaaS CIS profiles, it may be necessary to relax this to
+      privileged on a per-Namespace basis so that more granular control can be provided.
+      This policy labels new and existing Namespaces, except that of kube-system,
+      with the `pod-security.kubernetes.io/enforce: privileged` label.      '
+    policies.kyverno.io/minversion: 1.7.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
-    kyverno.io/kyverno-version: 1.8.0
-    policies.kyverno.io/minversion: 1.7.0
-    kyverno.io/kubernetes-version: "1.24"
-    policies.kyverno.io/description: >-
-      When Pod Security Admission is configured with a cluster-wide AdmissionConfiguration file
-      which sets either baseline or restricted, for example in many PaaS CIS profiles, it may
-      be necessary to relax this to privileged on a per-Namespace basis so that more
-      granular control can be provided. This policy labels new and existing Namespaces, except
-      that of kube-system, with the `pod-security.kubernetes.io/enforce: privileged` label.      
+    policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
+  name: add-privileged-existing-namespaces
 spec:
-  mutateExistingOnPolicyUpdate: true
  background: false
+  mutateExistingOnPolicyUpdate: true
  rules:
-  - name: label-privileged-namespaces
-    match:
+  - match:
      any:
      - resources:
          kinds:
          - Namespace
+          names:
+          - background-false-ns
    mutate:
-      targets:
-        - apiVersion: v1
-          kind: Namespace
      patchStrategicMerge:
        metadata:
          labels:
-            foo: bar
+            foo: bar
+      targets:
+      - apiVersion: v1
+        kind: Namespace
+        name: background-false-ns
+    name: label-privileged-namespaces
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/02-assert.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/02-assert.yaml
@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: background-false-ns
+  labels:
+    foo: bar
--- a/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/standard/existing/background-false/03-assert.yaml
@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: default
+  name: background-false-ns
  labels:
-    foo: bar
+    foo: bar