Reduce throttling - skip sending API request for filtered resources (#1489)

* skip sending API request for filtered resource * fix PR comment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixes https://github.com/kyverno/kyverno/issues/1490 Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2025-03-31 03:45:17 +00:00 · 2021-01-21 18:58:53 -08:00 · 2021-01-21 18:58:53 -08:00 · 62a4a3a7da
commit 62a4a3a7da
parent 42879683d8
5 changed files with 35 additions and 11 deletions
--- a/cmd/initContainer/main.go
+++ b/cmd/initContainer/main.go
@ -259,7 +259,7 @@ func removeClusterPolicyReport(client *client.Client, kind string) error {
 	logger := log.Log.WithName("removeClusterPolicyReport")

 	cpolrs, err := client.ListResource("", kind, "", nil)
-	if err != nil && !errors.IsNotFound(err) {
+	if err != nil {
 		logger.Error(err, "failed to list clusterPolicyReport")
 		return nil
 	}
@ -304,7 +304,7 @@ func removeReportChangeRequest(client *client.Client, kind string) error {

 	ns := getKyvernoNameSpace()
 	rcrList, err := client.ListResource("", kind, ns, nil)
-	if err != nil && !errors.IsNotFound(err) {
+	if err != nil {
 		logger.Error(err, "failed to list reportChangeRequest")
 		return nil
 	}
@ -318,7 +318,7 @@ func removeReportChangeRequest(client *client.Client, kind string) error {

 func removeClusterReportChangeRequest(client *client.Client, kind string) error {
 	crcrList, err := client.ListResource("", kind, "", nil)
-	if err != nil && !errors.IsNotFound(err) {
+	if err != nil {
 		log.Log.Error(err, "failed to list clusterReportChangeRequest")
 		return nil
 	}
--- a/pkg/config/dynamicconfig.go
+++ b/pkg/config/dynamicconfig.go
@ -74,12 +74,25 @@ func (cd *ConfigData) GetExcludeUsername() []string {
 	return cd.excludeUsername
 }

+// FilterNamespaces filters exclude namespace
+func (cd *ConfigData) FilterNamespaces(namespaces []string) []string {
+	var results []string
+
+	for _, ns := range namespaces {
+		if !cd.ToFilter("", ns, "") {
+			results = append(results, ns)
+		}
+	}
+	return results
+}
+
 // Interface to be used by consumer to check filters
 type Interface interface {
 	ToFilter(kind, namespace, name string) bool
 	GetExcludeGroupRole() []string
 	GetExcludeUsername() []string
 	RestrictDevelopmentUsername() []string
+	FilterNamespaces(namespaces []string) []string
 }

 // NewConfigData ...
--- a/pkg/policy/common.go
+++ b/pkg/policy/common.go
@ -91,25 +91,32 @@ func ExcludePod(resourceMap map[string]unstructured.Unstructured, log logr.Logge
 	return resourceMap
 }

-// GetNamespacesForRule gets the matched namespaces list for the given rule
-func GetNamespacesForRule(rule *kyverno.Rule, nslister listerv1.NamespaceLister, log logr.Logger) []string {
+// getNamespacesForRule gets the matched namespaces list for the given rule
+func (pc *PolicyController) getNamespacesForRule(rule *kyverno.Rule, log logr.Logger) []string {
+	var results []string
+	var matchedNS []string
+
+	defer func() {
+		results = pc.configHandler.FilterNamespaces(matchedNS)
+	}()
+
 	if len(rule.MatchResources.Namespaces) == 0 {
-		return GetAllNamespaces(nslister, log)
+		matchedNS = GetAllNamespaces(pc.nsLister, log)
+		return results
 	}

 	var wildcards []string
-	var results []string
 	for _, nsName := range rule.MatchResources.Namespaces {
 		if HasWildcard(nsName) {
 			wildcards = append(wildcards, nsName)
 		}

-		results = append(results, nsName)
+		matchedNS = append(matchedNS, nsName)
 	}

 	if len(wildcards) > 0 {
-		wildcardMatches := GetMatchingNamespaces(wildcards, nslister, log)
-		results = append(results, wildcardMatches...)
+		wildcardMatches := GetMatchingNamespaces(wildcards, pc.nsLister, log)
+		matchedNS = append(matchedNS, wildcardMatches...)
 	}

 	return results
--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@ -43,7 +43,7 @@ func (pc *PolicyController) processExistingResources(policy *kyverno.ClusterPoli
 				continue
 			}

-			namespaces := GetNamespacesForRule(&rule, pc.nsLister, logger)
+			namespaces := pc.getNamespacesForRule(&rule, logger)
 			for _, ns := range namespaces {
 				pc.applyAndReportPerNamespace(policy, k, ns, rule, logger)
 			}
--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@ -49,6 +49,10 @@ func GeneratePRsFromEngineResponse(ers []*response.EngineResponse, log logr.Logg
 			continue
 		}

+		if len(er.PolicyResponse.Rules) == 0 {
+			continue
+		}
+
 		// build policy violation info
 		pvInfos = append(pvInfos, buildPVInfo(er))
 	}