add event handler for NamespacedPolicyViolation

2025-03-31 03:45:17 +00:00 · 2019-11-12 23:43:29 -08:00 · 2019-11-12 23:43:29 -08:00 · 55b0bf0d3a
commit 55b0bf0d3a
parent bdcb2eac6a
3 changed files with 205 additions and 1 deletions
--- a/pkg/client/listers/kyverno/v1alpha1/expansion_generated.go
+++ b/pkg/client/listers/kyverno/v1alpha1/expansion_generated.go
@ -38,8 +38,8 @@ type PolicyViolationListerExpansion interface{}
 // PolicyListerExpansion allows custom methods to be added to
 // PolicyLister.
 type ClusterPolicyListerExpansion interface {
-	// TODO(shuting): change to getpolicyforclusterpolicyviolation?
 	GetPolicyForPolicyViolation(pv *kyverno.ClusterPolicyViolation) ([]*kyverno.ClusterPolicy, error)
+	GetPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) ([]*kyverno.ClusterPolicy, error)
 	ListResources(selector labels.Selector) (ret []*v1alpha1.ClusterPolicy, err error)
 }

@ -131,3 +131,41 @@ func (pl *clusterPolicyLister) GetPolicyForPolicyViolation(pv *kyverno.ClusterPo
 	return policies, nil

 }
+
+func (pl *clusterPolicyLister) GetPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) ([]*kyverno.ClusterPolicy, error) {
+	if len(pv.Labels) == 0 {
+		return nil, fmt.Errorf("no Policy found for PolicyViolation %v because it has no labels", pv.Name)
+	}
+
+	pList, err := pl.List(labels.Everything())
+	if err != nil {
+		return nil, err
+	}
+
+	var policies []*kyverno.ClusterPolicy
+	for _, p := range pList {
+		policyLabelmap := map[string]string{"policy": p.Name}
+
+		ls := &metav1.LabelSelector{}
+		err = metav1.Convert_Map_string_To_string_To_v1_LabelSelector(&policyLabelmap, ls, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to generate label sector of Policy name %s: %v", p.Name, err)
+		}
+		selector, err := metav1.LabelSelectorAsSelector(ls)
+		if err != nil {
+			return nil, fmt.Errorf("invalid label selector: %v", err)
+		}
+		// If a policy with a nil or empty selector creeps in, it should match nothing, not everything.
+		if selector.Empty() || !selector.Matches(labels.Set(pv.Labels)) {
+			continue
+		}
+		policies = append(policies, p)
+	}
+
+	if len(policies) == 0 {
+		return nil, fmt.Errorf("could not find Policy set for Namespaced policy Violation %s with labels: %v", pv.Name, pv.Labels)
+	}
+
+	return policies, nil
+
+}
--- a/pkg/policy/controller.go
+++ b/pkg/policy/controller.go
@ -131,6 +131,12 @@ func NewPolicyController(kyvernoClient *kyvernoclient.Clientset, client *client.
 		DeleteFunc: pc.deletePolicyViolation,
 	})

+	pvInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc:    pc.addNamespacedPolicyViolation,
+		UpdateFunc: pc.updateNamespacedPolicyViolation,
+		DeleteFunc: pc.deleteNamespacedPolicyViolation,
+	})
+
 	pc.enqueuePolicy = pc.enqueue
 	pc.syncHandler = pc.syncPolicy

--- a/pkg/policy/namespacedpv.go
+++ b/pkg/policy/namespacedpv.go
@ -0,0 +1,160 @@
+package policy
+
+import (
+	"reflect"
+
+	"github.com/golang/glog"
+	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+func (pc *PolicyController) addNamespacedPolicyViolation(obj interface{}) {
+	pv := obj.(*kyverno.NamespacedPolicyViolation)
+
+	if pv.DeletionTimestamp != nil {
+		// On a restart of the controller manager, it's possible for an object to
+		// show up in a state that is already pending deletion.
+		pc.deletePolicyViolation(pv)
+		return
+	}
+
+	// generate labels to match the policy from the spec, if not present
+	// if updatePolicyLabelIfNotDefined(pc.pvControl, nil) {
+	// 	return
+	// }
+
+	// If it has a ControllerRef, that's all that matters.
+	if controllerRef := metav1.GetControllerOf(pv); controllerRef != nil {
+		p := pc.resolveControllerRef(controllerRef)
+		if p == nil {
+			return
+		}
+		glog.V(4).Infof("Namespaced policy violation %s added.", pv.Name)
+		pc.enqueuePolicy(p)
+		return
+	}
+
+	// Otherwise, it's an orphan. Get a list of all matching Policies and sync
+	// them to see if anyone wants to adopt it.
+	ps := pc.getPolicyForNamespacedPolicyViolation(pv)
+	if len(ps) == 0 {
+		// there is no cluster policy for this violation, so we can delete this cluster policy violation
+		glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", pv.Name)
+		if err := pc.pvControl.DeletePolicyViolation(pv.Name); err != nil {
+			glog.Errorf("Failed to deleted policy violation %s: %v", pv.Name, err)
+			return
+		}
+		glog.V(4).Infof("PolicyViolation %s deleted", pv.Name)
+		return
+	}
+	glog.V(4).Infof("Orphan Policy Violation %s added.", pv.Name)
+	for _, p := range ps {
+		pc.enqueuePolicy(p)
+	}
+}
+
+func (pc *PolicyController) updateNamespacedPolicyViolation(old, cur interface{}) {
+	curPV := cur.(*kyverno.NamespacedPolicyViolation)
+	oldPV := old.(*kyverno.NamespacedPolicyViolation)
+	if curPV.ResourceVersion == oldPV.ResourceVersion {
+		// Periodic resync will send update events for all known Policy Violation.
+		// Two different versions of the same replica set will always have different RVs.
+		return
+	}
+
+	// generate labels to match the policy from the spec, if not present
+	// if updatePolicyLabelIfNotDefined(pc.pvControl, curPV) {
+	// 	return
+	// }
+
+	curControllerRef := metav1.GetControllerOf(curPV)
+	oldControllerRef := metav1.GetControllerOf(oldPV)
+	controllerRefChanged := !reflect.DeepEqual(curControllerRef, oldControllerRef)
+	if controllerRefChanged && oldControllerRef != nil {
+		// The ControllerRef was changed. Sync the old controller, if any.
+		if p := pc.resolveControllerRef(oldControllerRef); p != nil {
+			pc.enqueuePolicy(p)
+		}
+	}
+	// If it has a ControllerRef, that's all that matters.
+	if curControllerRef != nil {
+		p := pc.resolveControllerRef(curControllerRef)
+		if p == nil {
+			return
+		}
+		glog.V(4).Infof("PolicyViolation %s updated.", curPV.Name)
+		pc.enqueuePolicy(p)
+		return
+	}
+
+	// Otherwise, it's an orphan. If anything changed, sync matching controllers
+	// to see if anyone wants to adopt it now.
+	labelChanged := !reflect.DeepEqual(curPV.Labels, oldPV.Labels)
+	if labelChanged || controllerRefChanged {
+		ps := pc.getPolicyForNamespacedPolicyViolation(curPV)
+		if len(ps) == 0 {
+			// there is no cluster policy for this violation, so we can delete this cluster policy violation
+			glog.V(4).Infof("PolicyViolation %s does not belong to an active policy, will be cleanedup", curPV.Name)
+			if err := pc.pvControl.DeletePolicyViolation(curPV.Name); err != nil {
+				glog.Errorf("Failed to deleted policy violation %s: %v", curPV.Name, err)
+				return
+			}
+			glog.V(4).Infof("PolicyViolation %s deleted", curPV.Name)
+			return
+		}
+		glog.V(4).Infof("Orphan PolicyViolation %s updated", curPV.Name)
+		for _, p := range ps {
+			pc.enqueuePolicy(p)
+		}
+	}
+}
+
+func (pc *PolicyController) deleteNamespacedPolicyViolation(obj interface{}) {
+	pv, ok := obj.(*kyverno.NamespacedPolicyViolation)
+	// When a delete is dropped, the relist will notice a PolicyViolation in the store not
+	// in the list, leading to the insertion of a tombstone object which contains
+	// the deleted key/value. Note that this value might be stale. If the PolicyViolation
+	// changed labels the new Policy will not be woken up till the periodic resync.
+	if !ok {
+		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
+		if !ok {
+			glog.Infof("Couldn't get object from tombstone %#v", obj)
+			return
+		}
+		pv, ok = tombstone.Obj.(*kyverno.NamespacedPolicyViolation)
+		if !ok {
+			glog.Infof("Couldn't get object from tombstone %#v", obj)
+			return
+		}
+	}
+	controllerRef := metav1.GetControllerOf(pv)
+	if controllerRef == nil {
+		// No controller should care about orphans being deleted.
+		return
+	}
+	p := pc.resolveControllerRef(controllerRef)
+	if p == nil {
+		return
+	}
+	glog.V(4).Infof("PolicyViolation %s deleted", pv.Name)
+	pc.enqueuePolicy(p)
+}
+
+func (pc *PolicyController) getPolicyForNamespacedPolicyViolation(pv *kyverno.NamespacedPolicyViolation) []*kyverno.ClusterPolicy {
+	policies, err := pc.pLister.GetPolicyForNamespacedPolicyViolation(pv)
+	if err != nil || len(policies) == 0 {
+		return nil
+	}
+	// Because all PolicyViolations's belonging to a Policy should have a unique label key,
+	// there should never be more than one Policy returned by the above method.
+	// If that happens we should probably dynamically repair the situation by ultimately
+	// trying to clean up one of the controllers, for now we just return the older one
+	if len(policies) > 1 {
+		// ControllerRef will ensure we don't do anything crazy, but more than one
+		// item in this list nevertheless constitutes user error.
+		glog.V(4).Infof("user error! more than one policy is selecting policy violation %s with labels: %#v, returning %s",
+			pv.Name, pv.Labels, policies[0].Name)
+	}
+	return policies
+}