mirror of
https://github.com/kyverno/kyverno.git
synced 2025-04-08 10:04:25 +00:00
only generate rule on policy creation
parent
bae2865550
commit
56c03f712a
2 changed files with 21 additions and 12 deletions
|
@ -1,6 +1,7 @@
|
|||
package engine
|
||||
|
||||
import (
|
||||
"reflect"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
|
@ -93,6 +94,11 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
|
|||
}
|
||||
|
||||
// insert annotation to podtemplate if resource is pod controller
|
||||
// skip inserting on existing resource
|
||||
if reflect.DeepEqual(policyContext.AdmissionInfo, RequestInfo{}) {
|
||||
continue
|
||||
}
|
||||
|
||||
if strings.Contains(PodControllers, resource.GetKind()) {
|
||||
var ruleResponse response.RuleResponse
|
||||
ruleResponse, patchedResource = processOverlay(ctx, podTemplateRule, patchedResource)
|
||||
|
@ -101,7 +107,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
|
|||
continue
|
||||
}
|
||||
|
||||
if ruleResponse.Patches != nil {
|
||||
if ruleResponse.Success && ruleResponse.Patches != nil {
|
||||
glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
|
||||
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
|
||||
}
|
||||
|
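Review bot: The new `reflect.DeepEqual(policyContext.AdmissionInfo, RequestInfo{})` guard in Mutate treats a zero-valued AdmissionInfo as meaning "existing resource", an implicit contract that nothing in the hunk documents or enforces. If a caller on the admission path ever passes a PolicyContext without AdmissionInfo populated, the pod-template annotation is skipped with no log line, and presumably so is anything else that follows the `continue` in that iteration. I would state the invariant in the comment, e.g. `// AdmissionInfo is empty only when Mutate runs outside an admission request (existing resources); webhook callers must populate it`, or carry an explicit flag on PolicyContext instead of comparing against the zero value. The condition does not appear to depend on the loop variable, so it could be evaluated once before the loop; the loop header is outside the hunk, so that needs confirming.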
|
|
@ -31,7 +31,7 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
|
|||
}
|
||||
}
|
||||
// Generate JSON Patches for defaults
|
||||
patches, updateMsgs := generateJSONPatchesForDefaults(policy)
|
||||
patches, updateMsgs := generateJSONPatchesForDefaults(policy, request.Operation)
|
||||
if patches != nil {
|
||||
patchType := v1beta1.PatchTypeJSONPatch
|
||||
glog.V(4).Infof("defaulted values %v policy %s", updateMsgs, policy.Name)
|
||||
|
@ -50,7 +50,7 @@ func (ws *WebhookServer) handlePolicyMutation(request *v1beta1.AdmissionRequest)
|
|||
}
|
||||
}
|
||||
|
||||
func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []string) {
|
||||
func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy, operation v1beta1.Operation) ([]byte, []string) {
|
||||
var patches [][]byte
|
||||
var updateMsgs []string
|
||||
|
||||
|
@ -60,17 +60,20 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []st
|
|||
updateMsgs = append(updateMsgs, updateMsg)
|
||||
}
|
||||
|
||||
patch, errs := generatePodControllerRule(*policy)
|
||||
if len(errs) > 0 {
|
||||
var errMsgs []string
|
||||
for _, err := range errs {
|
||||
errMsgs = append(errMsgs, err.Error())
|
||||
// TODO(shuting): enable this feature on policy UPDATE
|
||||
if operation == v1beta1.Create {
|
||||
patch, errs := generatePodControllerRule(*policy)
|
||||
if len(errs) > 0 {
|
||||
var errMsgs []string
|
||||
for _, err := range errs {
|
||||
errMsgs = append(errMsgs, err.Error())
|
||||
}
|
||||
glog.Errorf("failed auto generatig rule for pod controllers: %s", errMsgs)
|
||||
updateMsgs = append(updateMsgs, strings.Join(errMsgs, ";"))
|
||||
}
|
||||
glog.Errorf("failed auto generatig rule for pod controllers: %s", errMsgs)
|
||||
updateMsgs = append(updateMsgs, strings.Join(errMsgs, ";"))
|
||||
}
|
||||
|
||||
patches = append(patches, patch...)
|
||||
patches = append(patches, patch...)
|
||||
}
|
||||
return utils.JoinPatches(patches), updateMsgs
|
||||
}
|
||||
|
||||
|
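Review bot: The `if operation == v1beta1.Create` guard in generateJSONPatchesForDefaults skips pod-controller rule generation on every policy UPDATE, yet nothing is logged or added to `updateMsgs` to say so. For an admission-control policy this matters: if a Pod rule is changed by an update, the controller rule generated at creation may no longer match it, and the hunk gives an operator no signal that this happened (whether a stale rule actually persists depends on code not shown here). I would make the skip visible with an else branch such as `} else { glog.V(3).Infof("skipping pod controller rule generation for policy %s on %s", policy.Name, operation) }` and expand the TODO to say what an update currently leaves untouched. The log string on the error path also carries a typo that is worth fixing while the block is being moved: `"failed auto generating rule for pod controllers: %s"`. The lines between the function signature and this block fall between hunks and are not visible.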
|