From 717e42dd0b69530408c2e8394ece7b5cd1b02d3d Mon Sep 17 00:00:00 2001
From: shravan
Date: Thu, 7 May 2020 23:04:15 +0530
Subject: [PATCH] 744 ignoring resources with deletionTimestamp
---
 pkg/engine/validation.go | 5 -----
 pkg/webhooks/server.go | 9 +++++++++
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index e1611fb7c6..a578eabdf4 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -97,11 +97,6 @@ func incrementAppliedCount(resp *response.EngineResponse) {
 func isRequestDenied(log logr.Logger, ctx context.EvalInterface, policy kyverno.ClusterPolicy, resource unstructured.Unstructured, admissionInfo kyverno.RequestInfo) *response.EngineResponse {
 resp := &response.EngineResponse{}
- // deny logic will only be applied to requests from user - system related requests are ignored.
- if admissionInfo.AdmissionUserInfo.Username != "kubernetes-admin" {
- return resp
- }
-
 for _, rule := range policy.Spec.Rules {
 if !rule.HasValidate() {
 continue
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index a8e9f652e2..2a9c7551d8 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -355,6 +355,15 @@ func (ws *WebhookServer) resourceValidation(request *v1beta1.AdmissionRequest) *
 logger.Error(err, "failed to load service account in context")
 }
+ if val, err := ctx.Query("request.object.metadata.deletionTimestamp"); val != nil && err == nil {
+ return &v1beta1.AdmissionResponse{
+ Allowed: true,
+ Result: &metav1.Status{
+ Status: "Success",
+ },
+ }
+ }
+
 // VALIDATION
 ok, msg := ws.HandleValidation(request, policies, nil, ctx, userRequestInfo)
 if !ok {
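Review bot: The early return added ahead of `HandleValidation` in resourceValidation admits every request whose object carries `metadata.deletionTimestamp`, so no validate policy is evaluated for it and nothing is logged when that happens. An object held in terminating state by a finalizer can generally still be updated, and as written those updates would pass unchecked; if the intent is only to avoid blocking finalizer removal, the exemption should be limited to that case rather than keyed on the object's state alone, with the intent stated in a comment above the `if`. The skip should also leave a trace, e.g. `logger.V(4).Info("skipping validation, resource is being deleted")`. A non-nil `err` from `ctx.Query` falls through to validation, which is the safe direction, but it is dropped without a log line. The function body starts and ends outside this hunk.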