From 62a4a3a7da84ea9040da9f38557e039982501e47 Mon Sep 17 00:00:00 2001
From: shuting
Date: Thu, 21 Jan 2021 18:58:53 -0800
Subject: [PATCH] Reduce throttling - skip sending API request for filtered resources (#1489)
* skip sending API request for filtered resource
* fix PR comment
Signed-off-by: Shuting Zhao
* fixes https://github.com/kyverno/kyverno/issues/1490
Signed-off-by: Shuting Zhao
---
 cmd/initContainer/main.go | 6 +++---
 pkg/config/dynamicconfig.go | 13 +++++++++++++
 pkg/policy/common.go | 21 ++++++++++++++-------
 pkg/policy/existing.go | 2 +-
 pkg/policyreport/builder.go | 4 ++++
 5 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/cmd/initContainer/main.go b/cmd/initContainer/main.go
index 6da6cc9f62..9b9ba26a02 100644
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@@ -259,7 +259,7 @@ func removeClusterPolicyReport(client *client.Client, kind string) error {
 logger := log.Log.WithName("removeClusterPolicyReport")
 cpolrs, err := client.ListResource("", kind, "", nil)
- if err != nil && !errors.IsNotFound(err) {
+ if err != nil {
 logger.Error(err, "failed to list clusterPolicyReport")
 return nil
 }
@@ -304,7 +304,7 @@ func removeReportChangeRequest(client *client.Client, kind string) error {
 ns := getKyvernoNameSpace()
 rcrList, err := client.ListResource("", kind, ns, nil)
- if err != nil && !errors.IsNotFound(err) {
+ if err != nil {
 logger.Error(err, "failed to list reportChangeRequest")
 return nil
 }
@@ -318,7 +318,7 @@ func removeReportChangeRequest(client *client.Client, kind string) error {
 func removeClusterReportChangeRequest(client *client.Client, kind string) error {
 crcrList, err := client.ListResource("", kind, "", nil)
- if err != nil && !errors.IsNotFound(err) {
+ if err != nil {
 log.Log.Error(err, "failed to list clusterReportChangeRequest")
 return nil
 }
diff --git a/pkg/config/dynamicconfig.go b/pkg/config/dynamicconfig.go
index c3d9e3cd80..e6f056744b 100644
--- a/pkg/config/dynamicconfig.go
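Review bot: The three list-failure branches touched here (in removeClusterPolicyReport, removeReportChangeRequest and removeClusterReportChangeRequest) log the error and then `return nil`, so a caller cannot distinguish a failed cleanup from a finished one although each function is declared to return `error`. With the `IsNotFound` exemption gone, a not-found result now takes the same path and is logged at error level. If ignoring the failure is deliberate, a comment such as `// best effort: a failed list must not block start-up` would say so; otherwise `return err` lets the caller decide. The function bodies continue outside the hunks.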
+++ b/pkg/config/dynamicconfig.go
@@ -74,12 +74,25 @@ func (cd *ConfigData) GetExcludeUsername() []string {
 return cd.excludeUsername
 }
+// FilterNamespaces filters exclude namespace
+func (cd *ConfigData) FilterNamespaces(namespaces []string) []string {
+ var results []string
+
+ for _, ns := range namespaces {
+ if !cd.ToFilter("", ns, "") {
+ results = append(results, ns)
+ }
+ }
+ return results
+}
+
 // Interface to be used by consumer to check filters
 type Interface interface {
 ToFilter(kind, namespace, name string) bool
 GetExcludeGroupRole() []string
 GetExcludeUsername() []string
 RestrictDevelopmentUsername() []string
+ FilterNamespaces(namespaces []string) []string
 }
 // NewConfigData ...
diff --git a/pkg/policy/common.go b/pkg/policy/common.go
index ba9d2fae1c..c72c7b61b8 100644
--- a/pkg/policy/common.go
+++ b/pkg/policy/common.go
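Review bot: `FilterNamespaces` decides which namespaces are kept by calling `cd.ToFilter("", ns, "")`, and its comment does not say what an empty kind and name mean for the match. ToFilter is not visible in this hunk; if it compares kind or name literally rather than by wildcard, a kind-specific filter entry could exclude a namespace it was never meant to cover, and a wrongly excluded namespace is silently skipped by the callers. I would spell the contract out, e.g. `// FilterNamespaces returns the namespaces that are not excluded by the configured resource filters; a namespace is dropped only when ToFilter("", ns, "") matches.`, and add a unit test with one kind-specific and one namespace-wide filter. Adding the method to the exported `Interface` also means every other implementation, test fakes included, has to gain it.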
@@ -91,25 +91,32 @@ func ExcludePod(resourceMap map[string]unstructured.Unstructured, log logr.Logge
 return resourceMap
 }
-// GetNamespacesForRule gets the matched namespaces list for the given rule
-func GetNamespacesForRule(rule *kyverno.Rule, nslister listerv1.NamespaceLister, log logr.Logger) []string {
+// getNamespacesForRule gets the matched namespaces list for the given rule
+func (pc *PolicyController) getNamespacesForRule(rule *kyverno.Rule, log logr.Logger) []string {
+ var results []string
+ var matchedNS []string
+
+ defer func() {
+ results = pc.configHandler.FilterNamespaces(matchedNS)
+ }()
+
 if len(rule.MatchResources.Namespaces) == 0 {
- return GetAllNamespaces(nslister, log)
+ matchedNS = GetAllNamespaces(pc.nsLister, log)
+ return results
 }
 var wildcards []string
- var results []string
 for _, nsName := range rule.MatchResources.Namespaces {
 if HasWildcard(nsName) {
 wildcards = append(wildcards, nsName)
 }
- results = append(results, nsName)
+ matchedNS = append(matchedNS, nsName)
 }
 if len(wildcards) > 0 {
- wildcardMatches := GetMatchingNamespaces(wildcards, nslister, log)
- results = append(results, wildcardMatches...)
+ wildcardMatches := GetMatchingNamespaces(wildcards, pc.nsLister, log)
+ matchedNS = append(matchedNS, wildcardMatches...)
 }
 return results
diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go
index ccf657ebb9..7551e62d23 100644
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@@ -43,7 +43,7 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 continue
 }
- namespaces := GetNamespacesForRule(&rule, pc.nsLister, logger)
+ namespaces := pc.getNamespacesForRule(&rule, logger)
 for _, ns := range namespaces {
 pc.applyAndReportPerNamespace(policy, k, ns, rule, logger)
 }
diff --git a/pkg/policyreport/builder.go b/pkg/policyreport/builder.go
index f8e28b2bda..6f59ef3809 100755
--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
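Review bot: `getNamespacesForRule` in pkg/policy/common.go returns nil on every path: `results` is an ordinary local, not a named result, so `return results` copies the still-nil slice into the return slot before the deferred closure assigns the filtered list to it. The caller changed in pkg/policy/existing.go then ranges over an empty list, so `applyAndReportPerNamespace` never runs and existing resources are presumably no longer evaluated by this path. Drop the `defer` and the `results` variable and filter at the two returns instead: `return pc.configHandler.FilterNamespaces(GetAllNamespaces(pc.nsLister, log))` and `return pc.configHandler.FilterNamespaces(matchedNS)`. A unit test asserting a non-empty result for a rule without namespace selectors would have caught this. The function's closing brace lies outside the hunk.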
@@ -49,6 +49,10 @@ func GeneratePRsFromEngineResponse(ers []*response.EngineResponse, log logr.Logg
 continue
 }
+ if len(er.PolicyResponse.Rules) == 0 {
+ continue
+ }
+
 // build policy violation info
 pvInfos = append(pvInfos, buildPVInfo(er))
 }
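Review bot: The new `len(er.PolicyResponse.Rules) == 0` skip carries no comment, and the loop does not make it obvious why an engine response without rule results must not produce a report entry. A line above the check such as `// no rule results in this response, so there is nothing to report` (adjusted to the actual reason) would record the intent for whoever audits missing report entries later. The loop and GeneratePRsFromEngineResponse start and end outside the hunk.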