From 5d3d27cafd51a91c1a19532024212bcc3119744c Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Thu, 16 Jan 2020 14:29:44 -0800
Subject: [PATCH] report violation for mutation failure only, not block the creation

---
 pkg/engine/mutation.go | 3 +--
 pkg/webhooks/mutation.go | 16 ++++------------
 pkg/webhooks/server.go | 12 +-----------
 3 files changed, 6 insertions(+), 25 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index f332338a38..5427e91732 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -143,8 +143,7 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
 resp.PolicyResponse.Resource.Kind = resource.GetKind()
 resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
- // TODO: replace with mutationFailureAction ?
- resp.PolicyResponse.ValidationFailureAction = policy.Spec.ValidationFailureAction
+ // TODO(shuting): set response with mutationFailureAction
 }
 
 func endMutateResultResponse(resp *response.EngineResponse, startTime time.Time) {
diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go
index 6af4dc0d26..adff0c3be9 100644
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
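Review bot: Replacing the assignment with a TODO leaves `resp.PolicyResponse.ValidationFailureAction` at its zero value for every mutate response, and these responses are later handed to `policyviolation.GeneratePVsFromEngineResponse` in pkg/webhooks/mutation.go; whether that consumer still branches on the empty action cannot be seen from here and should be confirmed. Since the commit's intent is that mutation failures never block, a comment stating that decision is more useful than an open TODO, e.g. `// ValidationFailureAction is deliberately left unset for mutate responses: a failed mutation is reported as a violation and never blocks admission`. startMutateResultResponse begins outside the hunk, so whether `policy` is still read elsewhere in the function is not visible.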
@@ -17,8 +17,8 @@ import (
 )
 
 // HandleMutation handles mutating webhook admission request
-// return value: blocked, generated patches, error message
-func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) (bool, []byte, string) {
+// return value: generated patches
+func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
 glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
 request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
 
@@ -105,14 +105,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 // report time
 reportTime := time.Now()
 
- // ENFORCE - block resource creation
- blocked := toBlockResource(engineResponses)
- if blocked {
- glog.V(4).Infof("resource %s/%s/%s is blocked\n", resource.GetKind(), resource.GetNamespace(), resource.GetName())
- sendStat(blocked)
- return true, nil, getEnforceFailureErrorMsg(engineResponses)
- }
-
 // AUDIT
 // generate violation when response fails
 pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
@@ -122,7 +114,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 events := generateEvents(engineResponses, (request.Operation == v1beta1.Update))
 ws.eventGen.Add(events...)
 
- sendStat(blocked)
+ sendStat(false)
 
 // debug info
 func() {
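Review bot: The new doc comment `// return value: generated patches` describes the shape of the result but not the contract that this commit changes, namely that HandleMutation no longer rejects a request. A caller reading only the signature will not know that failed rules are turned into violations and events rather than an error, so the comment should say so, e.g. `// HandleMutation handles mutating webhook admission request. It never rejects the request: failed mutations are reported as policy violations and events, and the returned patches cover only the rules that succeeded (nil when none).` The claims about violations, events and the nil return are all visible in the later hunks of this file; the body of HandleMutation continues outside this hunk.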
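Review bot: Removing the ENFORCE branch means a policy's `ValidationFailureAction` no longer has any effect on the mutation path, and the hunk does not say where that setting is still honoured; a one-line comment at the removal site, `// mutation failures are never enforced here; ValidationFailureAction only applies in the validation path`, would keep the next reader from re-adding the block. It also leaves `toBlockResource` and `getEnforceFailureErrorMsg` without a caller in this function; if HandleMutation was their only caller in the package, staticcheck will report them as unused and they should be removed in the same change or explicitly kept for the validation webhook. The enclosing function starts and ends outside this hunk.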
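Review bot: `sendStat(false)` passes a bare literal where the old code passed the named `blocked`, so the reader has to know the parameter's meaning to understand that the stat now always records an allowed request. A short trailing comment keeps that intent visible, `sendStat(false) // mutation never blocks admission`, and if the stat's blocked dimension is now constant for this webhook it may be worth checking whether the metric still carries useful information. The enclosing function starts and ends outside this hunk.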
@@ -141,5 +133,5 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), resource.GetKind(), resource.GetNamespace(), resource.GetName())
 
 // patches holds all the successful patches, if no patch is created, it returns nil
- return false, engineutils.JoinPatches(patches), ""
+ return engineutils.JoinPatches(patches)
 }
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index 676bc3d20d..c9704ff160 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -237,17 +237,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
 // MUTATION
 // mutation failure should not block the resource creation
 // any mutation failure is reported as the violation
- blocked, patches, errMsg := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
- if blocked {
- glog.V(4).Infof("Deny admission request: %v/%s/%s", request.Kind, request.Namespace, request.Name)
- return &v1beta1.AdmissionResponse{
- Allowed: false,
- Result: &metav1.Status{
- Status: "Failure",
- Message: errMsg,
- },
- }
- }
+ patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
 
 // patch the resource with patches before handling validation rules
 patchedResource := processResourceWithPatches(patches, request.Object.Raw)
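Review bot: With the deny branch gone, a request whose mutation rules failed continues into validation with whatever `patches` HandleMutation returned, so the object reaching `processResourceWithPatches` can be the unmodified `request.Object.Raw` (nil patches when no rule succeeded, per the comment in pkg/webhooks/mutation.go); anything a mutate rule was meant to guarantee, such as defaults or injected fields, is therefore only enforced if a validate rule asserts it. The three context comments state the intent but not this consequence, and the hunk does not show how a nil patch list is treated by processResourceWithPatches, so that should be confirmed. Extend the comment block, e.g. `// the unpatched object proceeds to validation when mutation fails, so any invariant a mutate rule sets must also be checked by a validate rule`. handleAdmissionRequest starts and continues outside the hunk.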