From 5f70f5feece893be347e65062d4bdb4238bc6b7d Mon Sep 17 00:00:00 2001
From: shuting
Date: Tue, 15 Dec 2020 15:21:39 -0800
Subject: [PATCH] fixes #1399 (#1400)
---
 pkg/generate/generate.go | 20 +++++++++++++-------
 pkg/policy/utils.go | 10 ----------
 pkg/policy/validate.go | 5 +++--
 pkg/utils/util.go | 7 +++----
 pkg/webhooks/generation.go | 8 +++-----
 5 files changed, 22 insertions(+), 28 deletions(-)
diff --git a/pkg/generate/generate.go b/pkg/generate/generate.go
index e1a2840693..2401be0e9a 100644
--- a/pkg/generate/generate.go
+++ b/pkg/generate/generate.go
@@ -16,6 +16,7 @@ import (
 "github.com/kyverno/kyverno/pkg/engine/context"
 "github.com/kyverno/kyverno/pkg/engine/utils"
 "github.com/kyverno/kyverno/pkg/engine/variables"
+ kyvernoutils "github.com/kyverno/kyverno/pkg/utils"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -132,6 +133,7 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 return nil, fmt.Errorf("policy %s, does not apply to resource %v", gr.Spec.Policy, gr.Spec.Resource)
 }
+ var applicableRules []string
 // Removing GR if rule is failed. Used when the generate condition failed but gr exist
 for _, r := range engineResponse.PolicyResponse.Rules {
 if !r.Success {
@@ -149,18 +151,18 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 }
 for _, v := range grList {
- if engineResponse.PolicyResponse.Policy == v.Spec.Policy && engineResponse.PolicyResponse.Resource.Name == v.Spec.Resource.Name && engineResponse.PolicyResponse.Resource.Kind == v.Spec.Resource.Kind && engineResponse.PolicyResponse.Resource.Namespace == v.Spec.Resource.Namespace {
- err := c.kyvernoClient.KyvernoV1().GenerateRequests(config.KyvernoNamespace).Delete(contextdefault.TODO(), v.GetName(), metav1.DeleteOptions{})
- if err != nil {
- logger.Error(err, " failed to delete generate request")
- }
+ err := c.kyvernoClient.KyvernoV1().GenerateRequests(config.KyvernoNamespace).Delete(contextdefault.TODO(), v.GetName(), metav1.DeleteOptions{})
+ if err != nil {
+ logger.Error(err, "failed to delete generate request")
 }
 }
+ } else {
+ applicableRules = append(applicableRules, r.Name)
 }
 }
 // Apply the generate rule on resource
- return c.applyGeneratePolicy(logger, policyContext, gr)
+ return c.applyGeneratePolicy(logger, policyContext, gr, applicableRules)
 }
 func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateRequest, err error, genResources []kyverno.ResourceSpec) error {
@@ -172,7 +174,7 @@ func updateStatus(statusControl StatusControlInterface, gr kyverno.GenerateReque
 return statusControl.Success(gr, genResources)
 }
-func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.PolicyContext, gr kyverno.GenerateRequest) ([]kyverno.ResourceSpec, error) {
+func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.PolicyContext, gr kyverno.GenerateRequest, applicableRules []string) ([]kyverno.ResourceSpec, error) {
 // List of generatedResources
 var genResources []kyverno.ResourceSpec
 // Get the response as the actions to be performed on the resource
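Review bot: The comment `// Removing GR if rule is failed. Used when the generate condition failed but gr exist` directly below the new `var applicableRules []string` now describes only one of the loop's two branches, because the loop also fills `applicableRules` in the `else` branch added in the next hunk. A reader scanning this hunk would not guess that the slice is populated here. Suggest `// For each rule: delete stale GRs if the rule failed, otherwise record it in applicableRules so that only passing rules are generated below.` applyGenerate begins before this hunk.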
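Review bot: Every entry of `grList` is now deleted without the former policy/name/kind/namespace match, so the safety of this loop rests entirely on how `grList` was listed, and that call sits above the hunk where it cannot be seen. If it is an unscoped List of the Kyverno namespace, one failed rule on one resource now wipes every pending GenerateRequest, including those of other policies and resources; if it comes from a lister already keyed by this policy and resource, the match was merely redundant. Either way the invariant deserves a line at the Delete, e.g. `// grList is assumed to hold only GRs for this policy+resource; anything broader here would delete unrelated requests`. Note also that the deletion still fires for any failed rule even though the new `else` branch collects the passing rules and `applyGeneratePolicy` then applies them; if `grList` can contain the `gr` being processed, it is deleted and then still used, which looks at odds with the partial-apply semantics this commit introduces and is worth confirming. applyGenerate starts outside the hunk.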
@@ -191,6 +193,10 @@ func (c *Controller) applyGeneratePolicy(log logr.Logger, policyContext engine.P
 continue
 }
+ if !kyvernoutils.ContainsString(applicableRules, rule.Name) {
+ continue
+ }
+ startTime := time.Now()
 processExisting := false
diff --git a/pkg/policy/utils.go b/pkg/policy/utils.go
index b99c343848..58aac763bb 100644
--- a/pkg/policy/utils.go
+++ b/pkg/policy/utils.go
@@ -2,16 +2,6 @@ package policy
 import "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-//Contains Check if strint is contained in a list of string
-func containString(list []string, element string) bool {
- for _, e := range list {
- if e == element {
- return true
- }
- }
- return false
-}
-
 func isRunningPod(obj unstructured.Unstructured) bool {
 objMap := obj.UnstructuredContent()
 phase, ok, err := unstructured.NestedString(objMap, "status", "phase")
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index c707c94c45..8a659d6a74 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -11,6 +11,7 @@ import (
 dclient "github.com/kyverno/kyverno/pkg/dclient"
 "github.com/kyverno/kyverno/pkg/kyverno/common"
 "github.com/kyverno/kyverno/pkg/openapi"
+ "github.com/kyverno/kyverno/pkg/utils"
 "github.com/minio/minio/pkg/wildcard"
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -440,7 +441,7 @@ func validateUniqueRuleName(p kyverno.ClusterPolicy) (string, error) {
 var ruleNames []string
 for i, rule := range p.Spec.Rules {
- if containString(ruleNames, rule.Name) {
+ if utils.ContainsString(ruleNames, rule.Name) {
 return fmt.Sprintf("rule[%d]", i), fmt.Errorf(`duplicate rule name: '%s'`, rule.Name)
 }
 ruleNames = append(ruleNames, rule.Name)
@@ -626,7 +627,7 @@ func jsonPatchOnPod(rule kyverno.Rule) bool {
 return false
 }
- if containString(rule.MatchResources.Kinds, "Pod") && rule.Mutation.PatchesJSON6902 != "" {
+ if utils.ContainsString(rule.MatchResources.Kinds, "Pod") && rule.Mutation.PatchesJSON6902 != "" {
 return true
 }
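Review bot: The new `applicableRules` parameter on `applyGeneratePolicy` is undocumented, and the method has no doc comment at all. Because the filter added in the following hunk skips every rule whose name is absent from the slice, a nil or empty slice means nothing is generated (assuming `ContainsString` returns false on an empty list, as the deleted `containString` did), which is a contract a caller must know. Suggest `// applyGeneratePolicy applies the generate rules of policyContext's policy to gr, restricted to the rule names in applicableRules; a nil slice applies no rule.` The function body continues past the hunk.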
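Review bot: A rule rejected by the new `kyvernoutils.ContainsString(applicableRules, rule.Name)` check is skipped silently, so an operator asking why a resource was never generated gets no trace. When every rule failed upstream, `applicableRules` is empty, this loop applies nothing and the function presumably returns a nil `genResources` with a nil error, which the `statusControl.Success(gr, genResources)` path visible in updateStatus would then report as success; that deserves at least a log line. Add `log.V(4).Info("rule not in applicable rules, skipping", "rule", rule.Name)` before the `continue`. The loop and applyGeneratePolicy extend beyond the hunk.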
diff --git a/pkg/utils/util.go b/pkg/utils/util.go
index e92813fcb1..c44a4331b4 100644
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@@ -7,13 +7,12 @@ import (
 "strconv"
 "strings"
- engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
- "k8s.io/api/admission/v1beta1"
- "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "github.com/go-logr/logr"
 client "github.com/kyverno/kyverno/pkg/dclient"
+ engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 "github.com/minio/minio/pkg/wildcard"
+ "k8s.io/api/admission/v1beta1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/runtime/schema"
 "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 9f4d9c12de..fb7170dc93 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -69,11 +69,9 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 }
 for _, v := range grList {
- if engineResponse.PolicyResponse.Policy == v.Spec.Policy && engineResponse.PolicyResponse.Resource.Name == v.Spec.Resource.Name && engineResponse.PolicyResponse.Resource.Kind == v.Spec.Resource.Kind && engineResponse.PolicyResponse.Resource.Namespace == v.Spec.Resource.Namespace {
- err := ws.kyvernoClient.KyvernoV1().GenerateRequests(config.KyvernoNamespace).Delete(contextdefault.TODO(), v.GetName(), metav1.DeleteOptions{})
- if err != nil {
- logger.Error(err, "failed to update gr")
- }
+ err := ws.kyvernoClient.KyvernoV1().GenerateRequests(config.KyvernoNamespace).Delete(contextdefault.TODO(), v.GetName(), metav1.DeleteOptions{})
+ if err != nil {
+ logger.Error(err, "failed to update gr")
 }
 }
 } else {
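Review bot: `logger.Error(err, "failed to update gr")` is on a rewritten line but still names the wrong operation, since the call is a Delete, and the sibling loop in pkg/generate/generate.go in this same patch was corrected to `"failed to delete generate request"`; make this one match. As in generate.go, the policy/name/kind/namespace match that guarded the Delete is gone, so every entry of `grList` is deleted; the List that fills `grList` is above the hunk, and unless it is already scoped to this policy and resource, a single failed rule in the admission path would remove unrelated pending GenerateRequests. HandleGenerate starts before the hunk and its `else` branch continues after it.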