skip validation patterns for delete requests

2025-03-31 03:45:17 +00:00 · 2021-01-02 01:10:14 -08:00 · 2021-01-02 01:10:14 -08:00 · 68474a9dd2
commit 68474a9dd2
parent c4296d2282
5 changed files with 27 additions and 20 deletions
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -86,7 +86,7 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineResponse {
 	resp := &response.EngineResponse{}
 	if ManagedPodResource(ctx.Policy, ctx.NewResource) {
-		log.V(5).Info("skip applying policy as direct changes to pods managed by workload controllers are not allowed", "policy", ctx.Policy.GetName())
+		log.V(5).Info("skip policy as direct changes to pods managed by workload controllers are not allowed", "policy", ctx.Policy.GetName())
 		return resp
 	}

@ -117,9 +117,11 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo

 		if rule.Validation.Pattern != nil || rule.Validation.AnyPattern != nil {
 			ruleResponse := validateResourceWithRule(log, ctx, rule)
-			if !common.IsConditionalAnchorError(ruleResponse.Message) {
-				incrementAppliedCount(resp)
-				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+			if ruleResponse != nil {
+				if !common.IsConditionalAnchorError(ruleResponse.Message) {
+					incrementAppliedCount(resp)
+					resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *ruleResponse)
+				}
 			}

 		} else if rule.Validation.Deny != nil {
@ -147,18 +149,25 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
 	return resp
 }

-func validateResourceWithRule(log logr.Logger, ctx *PolicyContext, rule kyverno.Rule) (resp response.RuleResponse) {
+func validateResourceWithRule(log logr.Logger, ctx *PolicyContext, rule kyverno.Rule) (resp *response.RuleResponse) {
 	if reflect.DeepEqual(ctx.OldResource, unstructured.Unstructured{}) {
-		return validatePatterns(log, ctx.JSONContext, ctx.NewResource, rule)
+		resp := validatePatterns(log, ctx.JSONContext, ctx.NewResource, rule)
+		return &resp
+	}
+
+	if reflect.DeepEqual(ctx.NewResource, unstructured.Unstructured{}) {
+		log.V(3).Info("skipping validation on deleted resource")
+		return nil
 	}

 	oldResp := validatePatterns(log, ctx.JSONContext, ctx.OldResource, rule)
 	newResp := validatePatterns(log, ctx.JSONContext, ctx.NewResource, rule)
-	if !isSameRuleResponse(oldResp, newResp) {
-		return newResp
+	if isSameRuleResponse(oldResp, newResp) {
+		log.V(3).Info("skipping modified resource as validation results have not changed")
+		return nil
 	}

-	return response.RuleResponse{}
+	return &newResp
 }

 // matches checks if either the new or old resource satisfies the filter conditions defined in the rule
@ -175,7 +184,7 @@ func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool {
 		}
 	}

-	logger.V(4).Info("resource fails the match description", "reason", err.Error())
+	logger.V(4).Info("resource does not match rule", "reason", err.Error())
 	return false
 }

@ -285,7 +294,8 @@ func validatePatterns(log logr.Logger, ctx context.EvalInterface, resource unstr
 			return resp
 		}
 	}
-	return response.RuleResponse{}
+
+	return resp
 }

 func buildErrorMessage(rule kyverno.Rule, path string) string {
--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@ -32,7 +32,7 @@ func generatePolicyReportName(ns string) string {
 		return clusterpolicyreport
 	}

-	name := fmt.Sprintf("pr-ns-%s", ns)
+	name := fmt.Sprintf("polr-ns-%s", ns)
 	if len(name) > 63 {
 		return name[:63]
 	}
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@ -2,7 +2,6 @@ package webhooks

 import (
 	contextdefault "context"
-	"encoding/json"
 	"fmt"
 	"reflect"
 	"sort"
@ -127,9 +126,6 @@ func (ws *WebhookServer) handleDelete(request *v1beta1.AdmissionRequest) {
 		logger.Error(err, "failed to convert object resource to unstructured format")
 	}

-	r, _ := json.Marshal(resource)
-	fmt.Println(string(r))
-
 	resLabels := resource.GetLabels()
 	if resLabels["app.kubernetes.io/managed-by"] == "kyverno" && resLabels["policy.kyverno.io/synchronize"] == "enable" && request.Operation == v1beta1.Delete {
 		grName := resLabels["policy.kyverno.io/gr-name"]
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -410,7 +410,7 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 	nsPolicies := ws.pCache.Get(policycache.ValidateEnforce, &request.Namespace)
 	policies = append(policies, nsPolicies...)
 	if len(policies) == 0 {
-		logger.V(4).Info("No enforce Validation policy found, returning")
+		logger.V(4).Info("no enforce validation policies; returning AdmissionResponse.Allowed: true")
 		return &v1beta1.AdmissionResponse{Allowed: true}
 	}

--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@ -80,7 +80,6 @@ func HandleValidation(

 	var engineResponses []*response.EngineResponse
 	for _, policy := range policies {
-
 		logger.V(3).Info("evaluating policy", "policy", policy.Name)
 		policyContext.Policy = *policy
 		engineResponse := engine.Validate(policyContext)
@ -97,11 +96,13 @@ func HandleValidation(
 		})

 		if !engineResponse.IsSuccessful() {
-			logger.V(4).Info("failed to apply policy", "policy", policy.Name, "failed rules", engineResponse.GetFailedRules())
+			logger.V(2).Info("validation failed", "policy", policy.Name, "failed rules", engineResponse.GetFailedRules())
 			continue
 		}

-		logger.Info("validation rules from policy applied successfully", "policy", policy.Name)
+		if len(engineResponse.GetSuccessRules()) > 0 {
+			logger.V(2).Info("validation passed", "policy", policy.Name)
+		}
 	}

 	// If Validation fails then reject the request