fixes https://github.com/kyverno/kyverno/issues/1238

2025-03-29 02:45:06 +00:00 · 2020-11-18 14:31:43 -08:00 · 2020-11-18 14:31:43 -08:00 · 2d8092d97c
commit 2d8092d97c
parent 50c72e871f
12 changed files with 28 additions and 23 deletions
--- a/charts/kyverno/crds/crds.yaml
+++ b/charts/kyverno/crds/crds.yaml
@ -1286,7 +1286,7 @@ spec:
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
-      type: string
+      type: date
    name: v1
    schema:
      openAPIV3Schema:
--- a/definitions/crds/kyverno.io_generaterequests.yaml
+++ b/definitions/crds/kyverno.io_generaterequests.yaml
@ -36,7 +36,7 @@ spec:
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
-      type: string
+      type: date
    name: v1
    schema:
      openAPIV3Schema:
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -1291,7 +1291,7 @@ spec:
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
-      type: string
+      type: date
    name: v1
    schema:
      openAPIV3Schema:
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@ -1291,7 +1291,7 @@ spec:
      type: string
    - jsonPath: .metadata.creationTimestamp
      name: Age
-      type: string
+      type: date
    name: v1
    schema:
      openAPIV3Schema:
--- a/pkg/api/kyverno/v1/generaterequest_types.go
+++ b/pkg/api/kyverno/v1/generaterequest_types.go
@ -15,7 +15,7 @@ import (
 // +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name"
 // +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace"
 // +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state"
-// +kubebuilder:printcolumn:name="Age",type="string",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:shortName=gr
 type GenerateRequest struct {
 	metav1.TypeMeta   `json:",inline" yaml:",inline"`
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -2,6 +2,7 @@ package engine

 import (
 	"time"
+
 	"github.com/go-logr/logr"
 	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/engine/mutate"
@ -109,7 +110,6 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 	resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
 	resp.PolicyResponse.Resource.Kind = resource.GetKind()
 	resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
-	// TODO(shuting): set response with mutationFailureAction
 }

 func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@ -352,7 +352,7 @@ func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log l
 // when serilizing data, we would expect to drop the omitempty key
 // otherwise (without the pointer), it will be set to empty value
 // - an empty struct in this case, some may fail the schema validation
-// TODO(shuting) may related to:
+// may related to:
 // https://github.com/kyverno/kyverno/pull/549#discussion_r360088556
 // https://github.com/kyverno/kyverno/issues/568

--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@ -21,6 +21,10 @@ import (

 const (
 	clusterreportchangerequest string = "clusterreportchangerequest"
+	resourceLabelName          string = "kyverno.io/resource.name"
+	resourceLabelKind          string = "kyverno.io/resource.kind"
+	resourceLabelNamespace     string = "kyverno.io/resource.namespace"
+	policyLabel                string = "kyverno.io/policy"
 	deletedLabelResource       string = "kyverno.io/delete.resource"
 	deletedLabelResourceKind   string = "kyverno.io/delete.resource.kind"
 	deletedLabelPolicy         string = "kyverno.io/delete.policy"
@ -111,7 +115,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 		}

 		req = &unstructured.Unstructured{Object: obj}
-		set(req, fmt.Sprintf("reportchangerequest-%s-%s-%s", info.PolicyName, info.Resource.GetNamespace(), info.Resource.GetName()), info)
+		set(req, info)
 	} else {
 		rr := &request.ClusterReportChangeRequest{
 			Summary: calculateSummary(results),
@ -123,7 +127,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 			return nil, err
 		}
 		req = &unstructured.Unstructured{Object: obj}
-		set(req, fmt.Sprintf("%s-%s", clusterreportchangerequest, info.Resource.GetName()), info)
+		set(req, info)
 	}

 	// deletion of a result entry
@ -135,7 +139,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 	//   - set label delete.policy=policyName
 	if len(info.Rules) == 0 && info.PolicyName == "" {
 		req.SetLabels(map[string]string{
-			"namespace":              info.Resource.GetNamespace(),
+			resourceLabelNamespace:   info.Resource.GetNamespace(),
 			deletedLabelResource:     info.Resource.GetName(),
 			deletedLabelResourceKind: info.Resource.GetKind()})
 	} else if info.PolicyName != "" && reflect.DeepEqual(info.Resource, unstructured.Unstructured{}) {
@ -160,21 +164,23 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
 	return req, nil
 }

-func set(obj *unstructured.Unstructured, name string, info Info) {
+func set(obj *unstructured.Unstructured, info Info) {
 	resource := info.Resource
-	obj.SetName(name)
 	obj.SetNamespace(config.KubePolicyNamespace)
 	obj.SetAPIVersion(request.SchemeGroupVersion.Group + "/" + request.SchemeGroupVersion.Version)
 	if resource.GetNamespace() == "" {
+		obj.SetGenerateName(clusterreportchangerequest + "-")
 		obj.SetKind("ClusterReportChangeRequest")
 	} else {
+		obj.SetGenerateName("reportchangerequest-")
 		obj.SetKind("ReportChangeRequest")
 	}

 	obj.SetLabels(map[string]string{
-		"namespace": resource.GetNamespace(),
-		"policy":    info.PolicyName,
-		"resource":  resource.GetKind() + "-" + resource.GetNamespace() + "-" + resource.GetName(),
+		resourceLabelNamespace: resource.GetNamespace(),
+		resourceLabelName:      resource.GetName(),
+		resourceLabelKind:      resource.GetKind(),
+		policyLabel:            info.PolicyName,
 	})

 	if info.FromSync {
@ -243,7 +249,7 @@ func (builder *requestBuilder) fetchCategory(policy, ns string) string {
 		}
 	}

-	pol, err := builder.polLister.Policies("").Get(policy)
+	pol, err := builder.polLister.Policies(ns).Get(policy)
 	if err == nil {
 		if ann := pol.GetAnnotations(); ann != nil {
 			return ann[categoryLabel]
--- a/pkg/policyreport/policyreport.go
+++ b/pkg/policyreport/policyreport.go
@ -22,7 +22,7 @@ func getDeletedResources(aggregatedRequests interface{}) (resources []deletedRes
 			dr := deletedResource{
 				kind: labels[deletedLabelResourceKind],
 				name: labels[deletedLabelResource],
-				ns:   labels["namespace"],
+				ns:   labels[resourceLabelNamespace],
 			}

 			resources = append(resources, dr)
@ -33,7 +33,7 @@ func getDeletedResources(aggregatedRequests interface{}) (resources []deletedRes
 			dr := deletedResource{
 				kind: labels[deletedLabelResourceKind],
 				name: labels[deletedLabelResource],
-				ns:   labels["namespace"],
+				ns:   labels[resourceLabelNamespace],
 			}
 			resources = append(resources, dr)
 		}
@ -124,7 +124,7 @@ func generateHashKey(result map[string]interface{}, dr deletedResource) (string,
 		"%s-%s-%s-%s-%s",
 		result["policy"],
 		result["rule"],
-		resource["name"],
+		resource["kind"],
 		resource["namespace"],
 		resource["name"]), true
 }
--- a/pkg/policyreport/reportcontroller.go
+++ b/pkg/policyreport/reportcontroller.go
@ -116,7 +116,7 @@ func generateCacheKey(changeRequest interface{}) string {
 			return strings.Join([]string{deletedPolicyKey, policy, rule}, "/")
 		}

-		ns := label["namespace"]
+		ns := label[resourceLabelNamespace]
 		if ns == "" {
 			ns = "default"
 		}
@ -398,7 +398,7 @@ func (g *ReportGenerator) aggregateReports(namespace string) (
 			}
 		}

-		selector := labels.SelectorFromSet(labels.Set(map[string]string{"namespace": namespace}))
+		selector := labels.SelectorFromSet(labels.Set(map[string]string{resourceLabelNamespace: namespace}))
 		requests, err := g.reportChangeRequestLister.ReportChangeRequests(config.KubePolicyNamespace).List(selector)
 		if err != nil {
 			return nil, nil, fmt.Errorf("unable to list reportChangeRequests within namespace %s: %v", ns, err)
--- a/pkg/policyreport/reportrequest.go
+++ b/pkg/policyreport/reportrequest.go
@ -332,7 +332,7 @@ func updateReportChangeRequest(dClient *client.Client, old interface{}, new *uns
 		log.V(4).Info("unchanged report request", "name", new.GetName())
 		return nil
 	}
-	// TODO(shuting): set annotation / label
+
 	if _, err = dClient.UpdateResource(new.GetAPIVersion(), new.GetKind(), config.KubePolicyNamespace, new, false); err != nil {
 		return fmt.Errorf("failed to update report request: %v", err)
 	}
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -293,7 +293,6 @@ func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1
 	if containRBACinfo(mutatePolicies, validatePolicies, generatePolicies) {
 		roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
 		if err != nil {
-			// TODO(shuting): continue apply policy if error getting roleRef?
 			logger.Error(err, "failed to get RBAC information for request")
 		}
 	}