[BUG] filterK8Resources is not correctly configured using ConfigMap (#1059)

* configmap issue fixed

* fixed e2e test

* helm template file added

* remove extra check

* string empty check removed

charts/kyverno/templates/configmap.yaml

@@ -7,5 +7,13 @@ metadata:
   namespace: {{ .Release.Namespace }}
 data:
   # resource types to be skipped by kyverno policy engine
+  {{- if .Values.config.resourceFilters }}
   resourceFilters: {{ join "" .Values.config.resourceFilters | quote }}
+  {{- end -}}
+  {{- if .Values.config.excludeGroupRole }}
+  excludeGroupRole: {{ join "" .Values.config.excludeGroupRole | quote }}
+  {{- end -}}
+  {{- if .Values.config.excludeUsername }}
+  excludeUsername: {{ join "" .Values.config.excludeUsername | quote }}
+  {{- end -}}
 {{- end -}}

charts/kyverno/values.yaml

@@ -99,7 +99,10 @@ config:
   - "[*,kyverno,*]"
   # Or give the name of an existing config map (ignores default/provided resourceFilters)
   existingConfig: ''
-  excludeGroupRole: ''
+  excludeGroupRole:
+#  - ""
+  excludeUsername:
+#  - ""
   # existingConfig: init-config
 
 service:

pkg/config/dynamicconfig.go

@@ -109,6 +109,8 @@ func NewConfigData(rclient kubernetes.Interface, cmInformer informers.ConfigMapI
 	if excludeGroupRole != "" {
 		cd.log.Info("init configuration from commandline arguments for excludeGroupRole")
 		cd.initRbac("excludeRoles", excludeGroupRole)
+	}else{
+		cd.initRbac("excludeRoles", "")
 	}
 
 	if excludeUsername != "" {
@@ -180,43 +182,14 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 		logger.V(4).Info("configuration: No data defined in ConfigMap")
 		return
 	}
+	// parse and load the configuration
+	cd.mux.Lock()
+	defer cd.mux.Unlock()
 	// get resource filters
 	filters, ok := cm.Data["resourceFilters"]
 	if !ok  {
 		logger.V(4).Info("configuration: No resourceFilters defined in ConfigMap")
-		return
-	}
-
-	// get resource filters
-	excludeGroupRole, ok := cm.Data["excludeGroupRole"]
-	if !ok {
-		logger.V(4).Info("configuration: No excludeGroupRole defined in ConfigMap")
-		return
-	}
-	// get resource filters
-	excludeUsername, ok := cm.Data["excludeUsername"]
-	if !ok {
-		logger.V(4).Info("configuration: No excludeUsername defined in ConfigMap")
-		return
-	}
-	// filters is a string
-	if filters == "" {
-		logger.V(4).Info("configuration: resourceFilters is empty in ConfigMap")
-		return
-	}
-	if excludeGroupRole == "" {
-		logger.V(4).Info("configuration: excludeGroupRole is empty in ConfigMap")
-		return
-	}
-
-	if excludeUsername == "" {
-		logger.V(4).Info("configuration: excludeUsername is empty in ConfigMap")
-		return
-	}
-	// parse and load the configuration
-	cd.mux.Lock()
-	defer cd.mux.Unlock()
-
+	}else{
 		newFilters := parseKinds(filters)
 		if reflect.DeepEqual(newFilters, cd.filters) {
 			logger.V(4).Info("resourceFilters did not change")
@@ -225,6 +198,13 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 			// update filters
 			cd.filters = newFilters
 		}
+	}
+
+	// get resource filters
+	excludeGroupRole, ok := cm.Data["excludeGroupRole"]
+	if !ok  {
+		logger.V(4).Info("configuration: No excludeGroupRole defined in ConfigMap")
+	}
 	newExcludeGroupRoles := parseRbac(excludeGroupRole)
 	newExcludeGroupRoles = append(newExcludeGroupRoles, defaultExcludeGroupRole...)
 	if reflect.DeepEqual(newExcludeGroupRoles, cd.excludeGroupRole) {
@@ -235,6 +215,11 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 		cd.excludeGroupRole = newExcludeGroupRoles
 	}
 
+	// get resource filters
+	excludeUsername, ok := cm.Data["excludeUsername"]
+	if !ok  {
+		logger.V(4).Info("configuration: No excludeUsername defined in ConfigMap")
+	}else{
 		excludeUsernames := parseRbac(excludeUsername)
 		if reflect.DeepEqual(excludeUsernames, cd.excludeUsername) {
 			logger.V(4).Info("excludeGroupRole did not change")
@@ -243,6 +228,7 @@ func (cd *ConfigData) load(cm v1.ConfigMap) {
 			// update filters
 			cd.excludeUsername = excludeUsernames
 		}
+	}
 
 }