Merge pull request #2112 from realshuting/bugfixes/inconsistent-polr

Fix inconsistent polr for audit policy

pkg/policymutation/policymutation.go

@@ -267,7 +267,7 @@ func CanAutoGen(policy *kyverno.ClusterPolicy, log logr.Logger) (applyAutoGen bo
 
 		if match.ResourceDescription.Name != "" || match.ResourceDescription.Selector != nil ||
 			exclude.ResourceDescription.Name != "" || exclude.ResourceDescription.Selector != nil {
-			log.Info("skip generating rule on pod controllers: Name / Selector in resource description may not be applicable.", "rule", rule.Name)
+			log.V(3).Info("skip generating rule on pod controllers: Name / Selector in resource description may not be applicable.", "rule", rule.Name)
 			return false, "none"
 		}
 

pkg/webhooks/server.go

@@ -443,13 +443,6 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 	// Get namespace policies from the cache for the requested resource namespace
 	nsPolicies := ws.pCache.GetPolicyObject(policycache.ValidateEnforce, request.Kind.Kind, request.Namespace)
 	policies = append(policies, nsPolicies...)
-	if len(policies) == 0 {
-		// push admission request to audit handler, this won't block the admission request
-		ws.auditHandler.Add(request.DeepCopy())
-
-		logger.V(4).Info("no enforce validation policies; returning AdmissionResponse.Allowed: true")
-		return &v1beta1.AdmissionResponse{Allowed: true}
-	}
 
 	var roles, clusterRoles []string
 	var err error
@@ -501,6 +494,9 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 		}
 	}
 
+	// push admission request to audit handler, this won't block the admission request
+	ws.auditHandler.Add(request.DeepCopy())
+
 	return &v1beta1.AdmissionResponse{
 		Allowed: true,
 		Result: &metav1.Status{