feat: add feature flag to disable background scan (#4638)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
2025-03-05 07:26:55 +00:00 · 2022-09-19 14:00:36 +02:00 · 2022-09-19 14:00:36 +02:00 · 328fdc8b3d
commit 328fdc8b3d
parent 6eea7c45f7
4 changed files with 48 additions and 23 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,9 @@
+## v1.8.0-rc3
+
+### Note
+
+- A new flag `disableBackgroundScan` to disable kyverno background scans (default value is `false`). When this is enabled, kyverno will not perform background scans and won't trigger continuous evaluation of policies.
+
 ## v1.8.0-rc1

 ### Note
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -113,6 +113,7 @@ func main() {
 	flag.IntVar(&changeRequestLimit, "maxReportChangeRequests", 1000, "Maximum pending report change requests per namespace or for the cluster-wide policy report.")
 	flag.Func(toggle.SplitPolicyReportFlagName, toggle.SplitPolicyReportDescription, toggle.SplitPolicyReport.Parse)
 	flag.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
+	flag.Func(toggle.DisableBackgroundScanFlagName, toggle.DisableBackgroundScanDescription, toggle.DisableBackgroundScan.Parse)
 	if err := flag.Set("v", "2"); err != nil {
 		setupLog.Error(err, "failed to set log level")
 		os.Exit(1)
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@ -49,31 +49,39 @@ func (pc *PolicyController) forceReconciliation(reconcileCh <-chan bool, cleanup
 	for {
 		select {
 		case <-ticker.C:
-			logger.Info("performing the background scan", "scan interval", pc.reconcilePeriod.String())
-			if err := pc.policyReportEraser.CleanupReportChangeRequests(cleanupReportChangeRequests, nil); err != nil {
-				logger.Error(err, "failed to cleanup report change requests")
-			}
+			if !toggle.DisableBackgroundScan.Enabled() {
+				logger.Info("performing the background scan", "scan interval", pc.reconcilePeriod.String())
+				if err := pc.policyReportEraser.CleanupReportChangeRequests(cleanupReportChangeRequests, nil); err != nil {
+					logger.Error(err, "failed to cleanup report change requests")
+				}

-			if err := pc.policyReportEraser.EraseResultEntries(eraseResultEntries, nil); err != nil {
-				logger.Error(err, "continue reconciling policy reports")
-			}
-
-			pc.requeuePolicies()
-			pc.prGenerator.MapperInvalidate()
-
-		case erase := <-reconcileCh:
-			logger.Info("received the reconcile signal, reconciling policy report")
-			if err := pc.policyReportEraser.CleanupReportChangeRequests(cleanupReportChangeRequests, nil); err != nil {
-				logger.Error(err, "failed to cleanup report change requests")
-			}
-
-			if erase {
 				if err := pc.policyReportEraser.EraseResultEntries(eraseResultEntries, nil); err != nil {
 					logger.Error(err, "continue reconciling policy reports")
 				}
+
+				pc.requeuePolicies()
+				pc.prGenerator.MapperInvalidate()
+			} else {
+				logger.Info("background scan is disabled")
 			}

-			pc.requeuePolicies()
+		case erase := <-reconcileCh:
+			if !toggle.DisableBackgroundScan.Enabled() {
+				logger.Info("received the reconcile signal, reconciling policy report")
+				if err := pc.policyReportEraser.CleanupReportChangeRequests(cleanupReportChangeRequests, nil); err != nil {
+					logger.Error(err, "failed to cleanup report change requests")
+				}
+
+				if erase {
+					if err := pc.policyReportEraser.EraseResultEntries(eraseResultEntries, nil); err != nil {
+						logger.Error(err, "continue reconciling policy reports")
+					}
+				}
+
+				pc.requeuePolicies()
+			} else {
+				logger.Info("background scan is disabled")
+			}

 		case info := <-cleanupChangeRequest:
 			if info.Namespace == nil {
@ -101,12 +109,16 @@ func (pc *PolicyController) forceReconciliation(reconcileCh <-chan bool, cleanup
 				logger.V(3).Info("wiped out result entries for the report", "report", policyreport.GeneratePolicyReportName(ns, ""))
 			}

-			if info.MapperInactive {
-				pc.prGenerator.MapperInactive(ns)
+			if !toggle.DisableBackgroundScan.Enabled() {
+				if info.MapperInactive {
+					pc.prGenerator.MapperInactive(ns)
+				} else {
+					pc.prGenerator.MapperReset(ns)
+				}
+				pc.requeuePolicies()
 			} else {
-				pc.prGenerator.MapperReset(ns)
+				logger.Info("background scan is disabled")
 			}
-			pc.requeuePolicies()

 		case <-stopCh:
 			return
--- a/pkg/toggle/toggle.go
+++ b/pkg/toggle/toggle.go
@ -21,12 +21,18 @@ const (
 	ProtectManagedResourcesDescription = "Set the flag to 'true', to enable managed resources protection."
 	protectManagedResourcesEnvVar      = "FLAG_PROTECT_MANAGED_RESOURCES"
 	defaultProtectManagedResources     = false
+	// disable background scan
+	DisableBackgroundScanFlagName    = "disableBackgroundScan"
+	DisableBackgroundScanDescription = "Set the flag to 'true' to disable background scan."
+	disableBackgroundScanEnvVar      = "FLAG_DISABLE_BG_SCAN"
+	defaultDisableBackgroundScan     = false
 )

 var (
 	AutogenInternals        = newToggle(defaultAutogenInternals, autogenInternalsEnvVar)
 	SplitPolicyReport       = newToggle(defaultSplitPolicyReport, splitPolicyReportEnvVar)
 	ProtectManagedResources = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar)
+	DisableBackgroundScan   = newToggle(defaultDisableBackgroundScan, disableBackgroundScanEnvVar)
 )

 type Toggle interface {