fix DENY pending for DELETE request

2025-04-08 10:04:25 +00:00 · 2020-05-18 20:01:20 -07:00 · 2020-05-18 20:01:20 -07:00 · 0e803ae532
commit 0e803ae532
parent 962b8f9865
4 changed files with 36 additions and 4 deletions
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@ -114,6 +114,13 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User
 	const SaPrefix = "system:serviceaccount:"

 	userGroups := append(userInfo.Groups, userInfo.Username)
+
+	ruleSubjects = append(ruleSubjects,
+		rbacv1.Subject{Kind: "Group", Name: "system:serviceaccounts:kube-system"},
+		rbacv1.Subject{Kind: "Group", Name: "system:nodes"},
+		rbacv1.Subject{Kind: "Group", Name: "system:kube-scheduler"},
+	)
+
 	for _, subject := range ruleSubjects {
 		switch subject.Kind {
 		case "ServiceAccount":
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@ -167,3 +167,13 @@ func convertResource(raw []byte, group, version, kind, namespace string) (unstru
 	obj.SetNamespace(namespace)
 	return *obj, nil
 }
+
+func excludeKyvernoResources(kind string) bool {
+	switch kind {
+	case "ClusterPolicy", "ClusterPolicyViolation", "PolicyViolation", "GenerateRequest":
+		return true
+	default:
+		return false
+	}
+
+}
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -199,6 +199,15 @@ func writeResponse(rw http.ResponseWriter, admissionReview *v1beta1.AdmissionRev
 }

 func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	if excludeKyvernoResources(request.Kind.Kind) {
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Status: "Success",
+			},
+		}
+	}
+
 	logger := ws.log.WithName("resourceMutation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
@ -322,6 +331,15 @@ func (ws *WebhookServer) resourceMutation(request *v1beta1.AdmissionRequest) *v1
 }

 func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
+	if excludeKyvernoResources(request.Kind.Kind) {
+		return &v1beta1.AdmissionResponse{
+			Allowed: true,
+			Result: &metav1.Status{
+				Status: "Success",
+			},
+		}
+	}
+
 	logger := ws.log.WithName("resourceValidation").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation)
 	policies, err := ws.pMetaStore.ListAll()
 	if err != nil {
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@ -33,10 +33,6 @@ func (ws *WebhookServer) HandleValidation(

 	logger := ws.log.WithValues("action", "validate", "resource", resourceName, "operation", request.Operation)

-	if val, err := ctx.Query("request.object.metadata.deletionTimestamp"); val != nil && err == nil {
-		return true, ""
-	}
-
 	// Get new and old resource
 	newR, oldR, err := utils.ExtractResources(patchedResource, request)
 	if err != nil {
@ -51,6 +47,7 @@ func (ws *WebhookServer) HandleValidation(
 		Context:       ctx,
 		AdmissionInfo: userRequestInfo,
 	}
+
 	var engineResponses []response.EngineResponse
 	for _, policy := range policies {
 		logger.V(3).Info("evaluating policy", "policy", policy.Name)