fix: image cache panic and cleanup (#8512)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-15 17:51:20 +00:00 · 2023-09-22 12:40:16 +02:00 · 2023-09-22 12:40:16 +02:00 · 61aa713d27
commit 61aa713d27
parent 21e044eb1a
6 changed files with 18 additions and 20 deletions
--- a/cmd/cleanup-controller/handlers/cleanup/handlers.go
+++ b/cmd/cleanup-controller/handlers/cleanup/handlers.go
@ -16,7 +16,6 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
 	"github.com/kyverno/kyverno/pkg/event"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
 	"github.com/kyverno/kyverno/pkg/utils/match"
@ -131,7 +130,6 @@ func (h *handlers) executePolicy(
 		h.jp,
 		h.client,
 		nil,
-		imageverifycache.DisabledImageVerifyCache(),
 		spec.Context,
 		enginectx,
 	); err != nil {
--- a/cmd/cli/kubectl-kyverno/store/contextloader.go
+++ b/cmd/cli/kubectl-kyverno/store/contextloader.go
@ -8,7 +8,6 @@ import (
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/factories"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 )

 func ContextLoaderFactory(cmResolver engineapi.ConfigmapResolver) engineapi.ContextLoaderFactory {
@ -49,7 +48,6 @@ func (w wrapper) Load(
 	jp jmespath.Interface,
 	client engineapi.RawClient,
 	rclientFactory engineapi.RegistryClientFactory,
-	ivCache imageverifycache.Client,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
@ -59,5 +57,5 @@ func (w wrapper) Load(
 	if !GetRegistryAccess() {
 		rclientFactory = nil
 	}
-	return w.inner.Load(ctx, jp, client, rclientFactory, ivCache, contextEntries, jsonContext)
+	return w.inner.Load(ctx, jp, client, rclientFactory, contextEntries, jsonContext)
 }
--- a/pkg/engine/api/contextloader.go
+++ b/pkg/engine/api/contextloader.go
@ -6,7 +6,6 @@ import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 )

 type RegistryClientFactory interface {
@ -25,7 +24,6 @@ type ContextLoader interface {
 		jp jmespath.Interface,
 		client RawClient,
 		rclientFactory RegistryClientFactory,
-		ivCache imageverifycache.Client,
 		contextEntries []kyvernov1.ContextEntry,
 		jsonContext enginecontext.Interface,
 	) error
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -180,7 +180,6 @@ func (e *engine) ContextLoader(
 			e.jp,
 			e.client,
 			e.rclientFactory,
-			e.ivCache,
 			contextEntries,
 			jsonContext,
 		)
--- a/pkg/engine/factories/contextloaderfactory.go
+++ b/pkg/engine/factories/contextloaderfactory.go
@ -10,7 +10,6 @@ import (
 	enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/engine/context/loaders"
 	"github.com/kyverno/kyverno/pkg/engine/jmespath"
-	"github.com/kyverno/kyverno/pkg/imageverifycache"
 	"github.com/kyverno/kyverno/pkg/logging"
 	"github.com/kyverno/kyverno/pkg/toggle"
 )
@ -47,7 +46,6 @@ func (l *contextLoader) Load(
 	jp jmespath.Interface,
 	client engineapi.RawClient,
 	rclientFactory engineapi.RegistryClientFactory,
-	ivCache imageverifycache.Client,
 	contextEntries []kyvernov1.ContextEntry,
 	jsonContext enginecontext.Interface,
 ) error {
--- a/pkg/engine/internal/imageverifier.go
+++ b/pkg/engine/internal/imageverifier.go
@ -245,14 +245,19 @@ func (iv *ImageVerifier) Verify(
 			continue
 		}
 		start := time.Now()
+		isInCache := false
+		if iv.ivCache != nil {
 			found, err := iv.ivCache.Get(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
 			if err != nil {
 				iv.logger.Error(err, "error occurred during cache get")
+			} else {
+				isInCache = found
+			}
 		}

 		var ruleResp *engineapi.RuleResponse
 		var digest string
-		if found {
+		if isInCache {
 			iv.logger.V(2).Info("cache entry found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
 			ruleResp = engineapi.RulePass(iv.rule.Name, engineapi.ImageVerify, "verified from cache")
 			digest = imageInfo.Digest
@ -260,6 +265,7 @@ func (iv *ImageVerifier) Verify(
 			iv.logger.V(2).Info("cache entry not found", "namespace", iv.policyContext.Policy().GetNamespace(), "policy", iv.policyContext.Policy().GetName(), "ruleName", iv.rule.Name, "imageRef", image)
 			ruleResp, digest = iv.verifyImage(ctx, imageVerify, imageInfo, cfg)
 			if ruleResp != nil && ruleResp.Status() == engineapi.RuleStatusPass {
+				if iv.ivCache != nil {
 					setted, err := iv.ivCache.Set(ctx, iv.policyContext.Policy(), iv.rule.Name, image)
 					if err != nil {
 						iv.logger.Error(err, "error occurred during cache set")
@ -270,6 +276,7 @@ func (iv *ImageVerifier) Verify(
 					}
 				}
 			}
+		}
 		iv.logger.V(4).Info("time taken by the image verify operation", "duration", time.Since(start))

 		if imageVerify.MutateDigest {