Merge pull request #490 from nirmata/local_test

fix annotation patch in mutate rule

definitions/install.yaml

@@ -420,7 +420,7 @@ spec:
       serviceAccountName: kyverno-service-account
       containers:
         - name: kyverno
-          image: nirmata/kyverno:v0.11.0
+          image: nirmata/kyverno:latest
           args:
           - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]"
           # customize webhook timout

pkg/engine/mutation.go

@@ -4,7 +4,6 @@ import (
 	"time"
 
 	"github.com/golang/glog"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 // Mutate performs mutation. Overlay first and then mutation patches
@@ -34,7 +33,7 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 		response.PolicyResponse.RulesAppliedCount++
 	}
 
-	var patchedResource unstructured.Unstructured
+	patchedResource := policyContext.NewResource
 
 	for _, rule := range policy.Spec.Rules {
 		//TODO: to be checked before calling the resources as well
@@ -61,13 +60,15 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 		// Process Overlay
 		if rule.Mutation.Overlay != nil {
 			var ruleResponse RuleResponse
-			ruleResponse, patchedResource = processOverlay(rule, resource)
+			ruleResponse, patchedResource = processOverlay(rule, patchedResource)
 			if ruleResponse.Success == true && ruleResponse.Patches == nil {
 				// overlay pattern does not match the resource conditions
 				glog.V(4).Infof(ruleResponse.Message)
 				continue
+			} else if ruleResponse.Success == true {
+				glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			}
-			glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
+
 			response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount()
 		}
@@ -75,7 +76,7 @@ func Mutate(policyContext PolicyContext) (response EngineResponse) {
 		// Process Patches
 		if rule.Mutation.Patches != nil {
 			var ruleResponse RuleResponse
-			ruleResponse, patchedResource = processPatches(rule, resource)
+			ruleResponse, patchedResource = processPatches(rule, patchedResource)
 			glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
 			response.PolicyResponse.Rules = append(response.PolicyResponse.Rules, ruleResponse)
 			incrementAppliedRuleCount()

pkg/engine/overlay.go

@@ -53,6 +53,11 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 		}
 	}
 
+	if len(patches) == 0 {
+		response.Success = true
+		return response, resource
+	}
+
 	// convert to RAW
 	resourceRaw, err := resource.MarshalJSON()
 	if err != nil {
@@ -65,11 +70,13 @@ func processOverlay(rule kyverno.Rule, resource unstructured.Unstructured) (resp
 	var patchResource []byte
 	patchResource, err = ApplyPatches(resourceRaw, patches)
 	if err != nil {
-		glog.Info("failed to apply patch")
+		msg := fmt.Sprintf("failed to apply JSON patches: %v", err)
+		glog.V(2).Info(msg)
 		response.Success = false
-		response.Message = fmt.Sprintf("failed to apply JSON patches: %v", err)
+		response.Message = msg
 		return response, resource
 	}
+
 	err = patchedResource.UnmarshalJSON(patchResource)
 	if err != nil {
 		glog.Infof("failed to unmarshall resource to undstructured: %v", err)

pkg/policyviolation/controller.go

@@ -195,7 +195,7 @@ func (pvc *PolicyViolationController) syncPolicyViolation(key string) error {
 	startTime := time.Now()
 	glog.V(4).Infof("Started syncing policy violation %q (%v)", key, startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing policy violation %q (%v)", key, time.Since(startTime))
+		glog.V(4).Infof("Finished syncing cluster policy violation %q (%v)", key, time.Since(startTime))
 	}()
 	policyViolation, err := pvc.pvLister.Get(key)
 	if errors.IsNotFound(err) {

pkg/policyviolation/generator.go

@@ -149,7 +149,7 @@ func (gen *Generator) handleErr(err error, key interface{}) {
 
 	// retires requests if there is error
 	if gen.queue.NumRequeues(key) < workQueueRetryLimit {
-		glog.Warningf("Error syncing policy violation %v: %v", key, err)
+		glog.V(4).Infof("Error syncing policy violation %v: %v", key, err)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
 		gen.queue.AddRateLimited(key)

pkg/policyviolation/namespacedpv.go

@@ -77,7 +77,7 @@ func createNamespacedPV(dclient *dclient.Client, pvLister kyvernolister.Namespac
 				glog.V(4).Infof("creating new namespaced policy violation for policy %s & resource %s", newPv.Spec.Policy, newPv.Spec.ResourceSpec.ToKey())
 
 				if err := retryGetResource(dclient, newPv.Spec.ResourceSpec); err != nil {
-					return fmt.Errorf("failed to get resource for policy violation '%s': %v", curPv.Name, err)
+					return fmt.Errorf("failed to get resource for policy violation on resource '%s': %v", newPv.Spec.ResourceSpec.ToKey(), err)
 				}
 
 				if _, err := pvInterface.NamespacedPolicyViolations(newPv.Spec.ResourceSpec.Namespace).Create(&newPv); err != nil {

pkg/policyviolation/namespacepvcontroller.go

@@ -187,7 +187,7 @@ func (pvc *NamespacedPolicyViolationController) syncPolicyViolation(key string)
 	startTime := time.Now()
 	glog.V(4).Infof("Started syncing policy violation %q (%v)", key, startTime)
 	defer func() {
-		glog.V(4).Infof("Finished syncing policy violation %q (%v)", key, time.Since(startTime))
+		glog.V(4).Infof("Finished syncing namespaced policy violation %q (%v)", key, time.Since(startTime))
 	}()
 
 	// tags: NAMESPACE/NAME

pkg/webhooks/annotations.go

@@ -31,8 +31,12 @@ type response struct {
 
 func generateAnnotationPatches(engineResponses []engine.EngineResponse) []byte {
 	var annotations map[string]string
-	if len(engineResponses) > 0 {
-		annotations = engineResponses[0].PatchedResource.GetAnnotations()
+
+	for _, er := range engineResponses {
+		if ann := er.PatchedResource.GetAnnotations(); ann != nil {
+			annotations = ann
+			break
+		}
 	}
 
 	if annotations == nil {
@@ -104,7 +108,7 @@ func annotationFromEngineResponses(engineResponses []engine.EngineResponse) []by
 
 	// return nil if there's no patches
 	// otherwise result = null, len(result) = 4
-	if policyPatches == nil {
+	if len(policyPatches) == 0 {
 		return nil
 	}
 

pkg/webhooks/mutation.go

@@ -59,6 +59,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, polic
 
 	// if not then set it from the api request
 	resource.SetGroupVersionKind(schema.GroupVersionKind{Group: request.Kind.Group, Version: request.Kind.Version, Kind: request.Kind.Kind})
+	resource.SetNamespace(request.Namespace)
 	var engineResponses []engine.EngineResponse
 	policyContext := engine.PolicyContext{
 		NewResource: *resource,
@@ -103,6 +104,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, polic
 	}
 
 	sendStat(true)
-	glog.Errorf("Failed to mutate the resource\n")
+	glog.Errorf("Failed to mutate the resource, %s\n", getErrorMsg(engineResponses))
 	return false, nil, getErrorMsg(engineResponses)
 }

test/scenarios/samples/best_practices/add_safe_to_evict.yaml

@@ -14,10 +14,6 @@ expected:
         name: pod-with-emptydir
       rules:
         - name: annotate-empty-dir
-          type: Mutation
-          success: true
-          message: "successfully processed overlay"
-        - name: annotate-host-path
           type: Mutation
           success: true
           message: "successfully processed overlay"

test/scenarios/samples/best_practices/add_safe_to_evict2.yaml

@@ -14,10 +14,6 @@ expected:
         name: pod-with-hostpath
       rules:
         - name: annotate-empty-dir
-          type: Mutation
-          success: true
-          message: "successfully processed overlay"
-        - name: annotate-host-path
           type: Mutation
           success: true
           message: "successfully processed overlay"