cleanup resource & policy

2025-03-31 03:45:17 +00:00 · 2019-12-02 17:15:47 -08:00 · 2019-12-02 17:15:47 -08:00 · 0ea1d9986a
commit 0ea1d9986a
parent 97a435e8cc
9 changed files with 33 additions and 22 deletions
--- a/pkg/policy/clusterpv.go
+++ b/pkg/policy/clusterpv.go
@ -118,8 +118,7 @@ func (pc *PolicyController) getPolicyForClusterPolicyViolation(pv *kyverno.Clust
 	}
 	return policies
 }
-func (pc *PolicyController) getClusterPolicyViolationForPolicy(policy *kyverno.ClusterPolicy) ([]*kyverno.ClusterPolicyViolation, error) {
-	policySelector, err := buildPolicyLabel(policy.Name)
+func (pc *PolicyController) getClusterPolicyViolationForPolicy(policy string) ([]*kyverno.ClusterPolicyViolation, error) {
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@ -278,11 +278,11 @@ func (pc *PolicyController) syncPolicy(key string) error {
 	if errors.IsNotFound(err) {
 		glog.V(2).Infof("Policy %v has been deleted", key)
 		// delete cluster policy violation
-		if err := pc.deleteClusterPolicyViolations(policy); err != nil {
+		if err := pc.deleteClusterPolicyViolations(key); err != nil {
 			return err
 		}
 		// delete namespaced policy violation
-		if err := pc.deleteNamespacedPolicyViolations(policy); err != nil {
+		if err := pc.deleteNamespacedPolicyViolations(key); err != nil {
 			return err
 		}
 		// remove the recorded stats for the policy
@ -306,12 +306,12 @@ func (pc *PolicyController) syncPolicy(key string) error {
 	}

 	// cluster policy violations
-	cpvList, err := pc.getClusterPolicyViolationForPolicy(policy)
+	cpvList, err := pc.getClusterPolicyViolationForPolicy(policy.Name)
 	if err != nil {
 		return err
 	}
 	// namespaced policy violation
-	nspvList, err := pc.getNamespacedPolicyViolationForPolicy(policy)
+	nspvList, err := pc.getNamespacedPolicyViolationForPolicy(policy.Name)
 	if err != nil {
 		return err
 	}
@ -324,7 +324,7 @@ func (pc *PolicyController) syncPolicy(key string) error {
 	return pc.syncStatusOnly(policy, cpvList, nspvList)
 }

-func (pc *PolicyController) deleteClusterPolicyViolations(policy *kyverno.ClusterPolicy) error {
+func (pc *PolicyController) deleteClusterPolicyViolations(policy string) error {
 	cpvList, err := pc.getClusterPolicyViolationForPolicy(policy)
 	if err != nil {
 		return err
@ -337,7 +337,7 @@ func (pc *PolicyController) deleteClusterPolicyViolations(policy *kyverno.Cluste
 	return nil
 }

-func (pc *PolicyController) deleteNamespacedPolicyViolations(policy *kyverno.ClusterPolicy) error {
+func (pc *PolicyController) deleteNamespacedPolicyViolations(policy string) error {
 	nspvList, err := pc.getNamespacedPolicyViolationForPolicy(policy)
 	if err != nil {
 		return err
@ -383,8 +383,8 @@ func (pc *PolicyController) calculateStatus(policyName string, pvList []*kyverno
 	return status
 }

-func (pc *PolicyController) getNamespacedPolicyViolationForPolicy(policy *kyverno.ClusterPolicy) ([]*kyverno.NamespacedPolicyViolation, error) {
-	policySelector, err := buildPolicyLabel(policy.Name)
+func (pc *PolicyController) getNamespacedPolicyViolationForPolicy(policy string) ([]*kyverno.NamespacedPolicyViolation, error) {
+	policySelector, err := buildPolicyLabel(policy)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/policyviolation/builder.go
+++ b/pkg/policyviolation/builder.go
@ -41,7 +41,7 @@ func (pvb *pvBuilder) buildPolicyViolations(owners []kyverno.ResourceSpec, info
 		// there are resource owners
 		// generate PV on them
 		for _, resource := range owners {
-			pv := pvb.build(info.PolicyName, resource.Kind, resource.Namespace, resource.Kind, info.Rules)
+			pv := pvb.build(info.PolicyName, resource.Kind, resource.Namespace, resource.Name, info.Rules)
 			pvs = append(pvs, *pv)
 		}
 	} else {
@ -69,6 +69,9 @@ func (pvb *pvBuilder) build(policy, kind, namespace, name string, rules []kyvern
 		"resource": pv.Spec.ToKey(),
 	}
 	pv.SetLabels(labelMap)
+	if namespace != "" {
+		pv.SetNamespace(namespace)
+	}
 	pv.SetGenerateName(fmt.Sprintf("%s-", policy))
 	return pv
 }
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@ -72,7 +72,7 @@ func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyvern
 func (cpv *clusterPV) createPV(newPv *kyverno.ClusterPolicyViolation) error {
 	var err error
 	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Name)
-	obj, err := retryGetResource(newPv.Namespace, cpv.dclient, newPv.Spec.ResourceSpec)
+	obj, err := retryGetResource(cpv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
 	}
--- a/pkg/policyviolation/common.go
+++ b/pkg/policyviolation/common.go
@ -25,13 +25,13 @@ func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerRefer
 	return ownerRef
 }

-func retryGetResource(namespace string, client *client.Client, rspec kyverno.ResourceSpec) (*unstructured.Unstructured, error) {
+func retryGetResource(client *client.Client, rspec kyverno.ResourceSpec) (*unstructured.Unstructured, error) {
 	var i int
 	var obj *unstructured.Unstructured
 	var err error
 	getResource := func() error {
-		obj, err = client.GetResource(rspec.Kind, namespace, rspec.Name)
-		glog.V(5).Infof("retry %v getting %s/%s/%s", i, rspec.Kind, namespace, rspec.Name)
+		obj, err = client.GetResource(rspec.Kind, rspec.Namespace, rspec.Name)
+		glog.V(4).Infof("retry %v getting %s/%s/%s", i, rspec.Kind, rspec.Namespace, rspec.Name)
 		i++
 		return err
 	}
@ -69,8 +69,9 @@ func GetOwners(dclient *client.Client, resource unstructured.Unstructured) []kyv
 func GetOwner(dclient *client.Client, ownerMap map[kyverno.ResourceSpec]interface{}, resource unstructured.Unstructured) {
 	var emptyInterface interface{}
 	resourceSpec := kyverno.ResourceSpec{
-		Kind: resource.GetKind(),
-		Name: resource.GetName(),
+		Kind:      resource.GetKind(),
+		Namespace: resource.GetNamespace(),
+		Name:      resource.GetName(),
 	}
 	if _, ok := ownerMap[resourceSpec]; ok {
 		// owner seen before
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@ -71,8 +71,8 @@ func (nspv *namespacedPV) getExisting(newPv kyverno.NamespacedPolicyViolation) (

 func (nspv *namespacedPV) createPV(newPv *kyverno.NamespacedPolicyViolation) error {
 	var err error
-	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Name)
-	obj, err := retryGetResource(newPv.Namespace, nspv.dclient, newPv.Spec.ResourceSpec)
+	glog.V(4).Infof("creating new policy violation for policy %s & resource %s/%s/%s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.Kind, newPv.Spec.ResourceSpec.Namespace, newPv.Spec.ResourceSpec.Name)
+	obj, err := retryGetResource(nspv.dclient, newPv.Spec.ResourceSpec)
 	if err != nil {
 		return fmt.Errorf("failed to retry getting resource for policy violation %s/%s: %v", newPv.Name, newPv.Spec.Policy, err)
 	}
--- a/pkg/webhookconfig/checker.go
+++ b/pkg/webhookconfig/checker.go
@ -2,6 +2,7 @@ package webhookconfig

 import (
 	"fmt"
+	"sync"

 	"github.com/golang/glog"
 	"github.com/nirmata/kyverno/pkg/config"
@ -57,8 +58,9 @@ func (wrc *WebhookRegistrationClient) constructDebugVerifyMutatingWebhookConfig(
 	}
 }

-func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig() {
-	// Muating webhook configuration
+func (wrc *WebhookRegistrationClient) removeVerifyWebhookMutatingWebhookConfig(wg *sync.WaitGroup) {
+	defer wg.Done()
+	// Mutating webhook configuration
 	var err error
 	var mutatingConfig string
 	if wrc.serverIP != "" {
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@ -62,15 +62,18 @@ func (wrc *WebhookRegistrationClient) constructOwner() v1.OwnerReference {
 }

 func generateDebugWebhook(name, url string, caData []byte, validate bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+	sideEffect := admregapi.SideEffectClassSome
 	return admregapi.Webhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
 			URL:      &url,
 			CABundle: caData,
 		},
+		SideEffects: &sideEffect,
 		Rules: []admregapi.RuleWithOperations{
 			admregapi.RuleWithOperations{
 				Operations: operationTypes,
+
 				Rule: admregapi.Rule{
 					APIGroups: []string{
 						apiGroups,
@ -89,6 +92,7 @@ func generateDebugWebhook(name, url string, caData []byte, validate bool, timeou
 }

 func generateWebhook(name, servicePath string, caData []byte, validation bool, timeoutSeconds int32, resource, apiGroups, apiVersions string, operationTypes []admregapi.OperationType) admregapi.Webhook {
+	sideEffect := admregapi.SideEffectClassSome
 	return admregapi.Webhook{
 		Name: name,
 		ClientConfig: admregapi.WebhookClientConfig{
@ -99,6 +103,7 @@ func generateWebhook(name, servicePath string, caData []byte, validation bool, t
 			},
 			CABundle: caData,
 		},
+		SideEffects: &sideEffect,
 		Rules: []admregapi.RuleWithOperations{
 			admregapi.RuleWithOperations{
 				Operations: operationTypes,
--- a/pkg/webhookconfig/registration.go
+++ b/pkg/webhookconfig/registration.go
@ -219,13 +219,14 @@ func (wrc *WebhookRegistrationClient) removeWebhookConfigurations() {

 	var wg sync.WaitGroup

-	wg.Add(3)
+	wg.Add(4)
 	// mutating and validating webhook configuration for Kubernetes resources
 	go wrc.removeResourceMutatingWebhookConfiguration(&wg)
 	// mutating and validating webhook configurtion for Policy CRD resource
 	go wrc.removePolicyMutatingWebhookConfiguration(&wg)
 	go wrc.removePolicyValidatingWebhookConfiguration(&wg)

+	go wrc.removeVerifyWebhookMutatingWebhookConfig(&wg)
 	// wait for the removal go routines to return
 	wg.Wait()
 }