report violation for mutation failure only, not block the creation

2025-03-31 03:45:17 +00:00 · 2020-01-16 14:29:44 -08:00 · 2020-01-16 14:29:44 -08:00 · 5d3d27cafd
commit 5d3d27cafd
parent ba8030bec0
3 changed files with 6 additions and 25 deletions
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -143,8 +143,7 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
 	resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
 	resp.PolicyResponse.Resource.Kind = resource.GetKind()
 	resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
-	// TODO: replace with mutationFailureAction ?
+	// TODO(shuting): set response with mutationFailureAction
 	resp.PolicyResponse.ValidationFailureAction = policy.Spec.ValidationFailureAction
 }
 func endMutateResultResponse(resp *response.EngineResponse, startTime time.Time) {
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@ -17,8 +17,8 @@ import (
 )
 // HandleMutation handles mutating webhook admission request
-// return value: blocked, generated patches, error message
+// return value: generated patches
-func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) (bool, []byte, string) {
+func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resource unstructured.Unstructured, policies []kyverno.ClusterPolicy, roles, clusterRoles []string) []byte {
 	glog.V(4).Infof("Receive request in mutating webhook: Kind=%s, Namespace=%s Name=%s UID=%s patchOperation=%s",
 		request.Kind.Kind, request.Namespace, request.Name, request.UID, request.Operation)
@ -105,14 +105,6 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	// report time
 	reportTime := time.Now()
 	// ENFORCE - block resource creation
 	blocked := toBlockResource(engineResponses)
 	if blocked {
 		glog.V(4).Infof("resource %s/%s/%s is blocked\n", resource.GetKind(), resource.GetNamespace(), resource.GetName())
 		sendStat(blocked)
 		return true, nil, getEnforceFailureErrorMsg(engineResponses)
 	}
 	// AUDIT
 	// generate violation when response fails
 	pvInfos := policyviolation.GeneratePVsFromEngineResponse(engineResponses)
@ -122,7 +114,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	events := generateEvents(engineResponses, (request.Operation == v1beta1.Update))
 	ws.eventGen.Add(events...)
-	sendStat(blocked)
+	sendStat(false)
 	// debug info
 	func() {
@ -141,5 +133,5 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou
 	glog.V(4).Infof("report: %v %s/%s/%s", time.Since(reportTime), resource.GetKind(), resource.GetNamespace(), resource.GetName())
 	// patches holds all the successful patches, if no patch is created, it returns nil
-	return false, engineutils.JoinPatches(patches), ""
+	return engineutils.JoinPatches(patches)
 }
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -237,17 +237,7 @@ func (ws *WebhookServer) handleAdmissionRequest(request *v1beta1.AdmissionReques
 	// MUTATION
 	// mutation failure should not block the resource creation
 	// any mutation failure is reported as the violation
-	blocked, patches, errMsg := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
+	patches := ws.HandleMutation(request, resource, policies, roles, clusterRoles)
 	if blocked {
 		glog.V(4).Infof("Deny admission request:  %v/%s/%s", request.Kind, request.Namespace, request.Name)
 		return &v1beta1.AdmissionResponse{
 			Allowed: false,
 			Result: &metav1.Status{
 				Status:  "Failure",
 				Message: errMsg,
 			},
 		}
 	}
 	// patch the resource with patches before handling validation rules
 	patchedResource := processResourceWithPatches(patches, request.Object.Raw)