mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

add comment

Browse source
This commit is contained in:
Shuting Zhao 2019-10-23 09:58:42 -07:00
parent e4791e5828
commit 1db901cca6
2 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/policy/controller.go
View file

@ -423,7 +423,7 @@ func (pc *PolicyController) syncPolicy(key string) error {
// remove the recorded stats for the policy
pc.statusAggregator.RemovePolicyStats(key)
// remove webhook configurations if there are not policies
// remove webhook configurations if there are no policies
if err := pc.removeResourceWebhookConfiguration(); err != nil {
// do not fail, if unable to delete resource webhook config
glog.V(4).Infof("failed to remove resource webhook configuration: %v", err)

8
pkg/policyviolation/helpers.go
View file

@ -41,6 +41,9 @@ func CreatePV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyver
dclient *dclient.Client, engineResponses []engine.EngineResponse, requestBlocked bool) {
var pvs []kyverno.ClusterPolicyViolation
for _, er := range engineResponses {
// create pv on resource owner only when admission request is denied
// check before validate "er.PolicyResponse.Resource.Name" since
// child resource is not created in this case thus it won't have a name
if requestBlocked {
glog.V(4).Infof("Building policy violation for denied admission request, engineResponse: %v", er)
if pvList := buildPVWithOwner(dclient, er); len(pvList) != 0 {
@ -51,7 +54,7 @@ func CreatePV(pvLister kyvernolister.ClusterPolicyViolationLister, client *kyver
// ignore creation of PV for resoruces that are yet to be assigned a name
if er.PolicyResponse.Resource.Name == "" {
glog.V(4).Infof("resource %v, has not been assigned a name. not creating a policy violation for it", er.PolicyResponse.Resource)
glog.V(4).Infof("resource %v, has not been assigned a name, not creating a policy violation for it", er.PolicyResponse.Resource)
continue
}
@ -187,6 +190,8 @@ func getExistingPolicyViolationIfAny(pvListerSynced cache.InformerSynced, pvList
return pvs[0], nil
}
// pass in unstr rather than using the client to get the unstr
// as if name is empty then GetResource panic as it returns a list
func getOwners(dclient *dclient.Client, unstr unstructured.Unstructured) []pvResourceOwner {
resourceOwners := unstr.GetOwnerReferences()
if len(resourceOwners) == 0 {
@ -199,7 +204,6 @@ func getOwners(dclient *dclient.Client, unstr unstructured.Unstructured) []pvRes
var owners []pvResourceOwner
for _, resourceOwner := range resourceOwners {
// if name is empty then GetResource panic as it returns a list
unstrParent, err := dclient.GetResource(resourceOwner.Kind, unstr.GetNamespace(), resourceOwner.Name)
if err != nil {
glog.Errorf("Failed to get resource owner for %s/%s/%s, err: %v", resourceOwner.Kind, unstr.GetNamespace(), resourceOwner.Name, err)