report violation for mutation failure only, not block the creation

2025-03-29 10:55:05 +00:00 · 2020-01-16 14:29:44 -08:00 · 2020-01-16 14:29:44 -08:00 · 5d3d27cafd
commit 5d3d27cafd
parent ba8030bec0
3 changed files with 6 additions and 25 deletions
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -143,8 +143,7 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 	resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
 	resp.PolicyResponse.Resource.Kind = resource.GetKind()
 	resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
-	// TODO: replace with mutationFailureAction ?
-	resp.PolicyResponse.ValidationFailureAction = policy.Spec.ValidationFailureAction
+	// TODO(shuting): set response with mutationFailureAction
 }

 func endMutateResultResponse(resp *response.EngineResponse, startTime time.Time) {
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@ -17,8 +17,8 @@ import (
 )

 // HandleMutation handles mutating webhook admission request
-// return value: blocked, generated patches, error message
-func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) (bool, []byte, string) {
+// return value: generated patches
+func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
 	glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
 		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)

@ -105,14 +105,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// report time
 	reportTime := time.Now()

-	// ENFORCE - block resource creation
-	blocked := toBlockResource(engineResponses)
-	if blocked {
-		glog.V(4).Infof("resource %s/%s/%s is blocked\n", resource.GetKind(), resource.GetNamespace(), resource.GetName())
-		sendStat(blocked)
-		return true, nil, getEnforceFailureErrorMsg(engineResponses)
-	}
-
 	// AUDIT
 	// generate violation when response fails
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
@ -122,7 +114,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	events := generateEvents(engineResponses, (request.Operation == v1beta1.Update))
 	ws.eventGen.Add(events...)

-	sendStat(blocked)
+	sendStat(false)

 	// debug info
 	func() {
@ -141,5 +133,5 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), resource.GetKind(), resource.GetNamespace(), resource.GetName())

 	// patches holds all the successful patches, if no patch is created, it returns nil
-	return false, engineutils.JoinPatches(patches), ""
+	return engineutils.JoinPatches(patches)
 }
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -237,17 +237,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
 	// MUTATION
 	// mutation failure should not block the resource creation
 	// any mutation failure is reported as the violation
-	blocked, patches, errMsg := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
-	if blocked {
-		glog.V(4).Infof("Deny admission request:  %v/%s/%s", request.Kind, request.Namespace, request.Name)
-		return &v1beta1.AdmissionResponse{
-			Allowed: false,
-			Result: &metav1.Status{
-				Status:  "Failure",
-				Message: errMsg,
-			},
-		}
-	}
+	patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)

 	// patch the resource with patches before handling validation rules
 	patchedResource := processResourceWithPatches(patches, request.Object.Raw)