fix: simplify cli autogen and labels selector check (#8325)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-15 17:51:20 +00:00 · 2023-09-10 21:10:02 +02:00 · 2023-09-10 21:10:02 +02:00 · 74fed89a17
commit 74fed89a17
parent 5beaec677f
2 changed files with 35 additions and 37 deletions
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@ -57,42 +57,9 @@ func (p *PolicyProcessor) ApplyPolicyOnResource() ([]engineapi.EngineResponse, e
 	if p.Variables["request.operation"] == "DELETE" {
 		operation = kyvernov1.Delete
 	}
+	rules := autogen.ComputeRules(p.Policy)

-	policyWithNamespaceSelector := false
-OuterLoop:
-	for _, p := range autogen.ComputeRules(p.Policy) {
-		if p.MatchResources.ResourceDescription.NamespaceSelector != nil ||
-			p.ExcludeResources.ResourceDescription.NamespaceSelector != nil {
-			policyWithNamespaceSelector = true
-			break
-		}
-		for _, m := range p.MatchResources.Any {
-			if m.ResourceDescription.NamespaceSelector != nil {
-				policyWithNamespaceSelector = true
-				break OuterLoop
-			}
-		}
-		for _, m := range p.MatchResources.All {
-			if m.ResourceDescription.NamespaceSelector != nil {
-				policyWithNamespaceSelector = true
-				break OuterLoop
-			}
-		}
-		for _, e := range p.ExcludeResources.Any {
-			if e.ResourceDescription.NamespaceSelector != nil {
-				policyWithNamespaceSelector = true
-				break OuterLoop
-			}
-		}
-		for _, e := range p.ExcludeResources.All {
-			if e.ResourceDescription.NamespaceSelector != nil {
-				policyWithNamespaceSelector = true
-				break OuterLoop
-			}
-		}
-	}
-
-	if policyWithNamespaceSelector {
+	if needsNamespaceLabels(rules...) {
 		resourceNamespace := p.Resource.GetNamespace()
 		namespaceLabels = p.NamespaceSelectorMap[p.Resource.GetNamespace()]
 		if resourceNamespace != "default" && len(namespaceLabels) < 1 {
@ -195,7 +162,7 @@ OuterLoop:
 	}

 	var policyHasValidate bool
-	for _, rule := range autogen.ComputeRules(p.Policy) {
+	for _, rule := range rules {
 		if rule.HasValidate() || rule.HasVerifyImageChecks() {
 			policyHasValidate = true
 		}
@ -214,7 +181,7 @@ OuterLoop:
 	}

 	var policyHasGenerate bool
-	for _, rule := range autogen.ComputeRules(p.Policy) {
+	for _, rule := range rules {
 		if rule.HasGenerate() {
 			policyHasGenerate = true
 		}
--- a/cmd/cli/kubectl-kyverno/processor/utils.go
+++ b/cmd/cli/kubectl-kyverno/processor/utils.go
@ -3,6 +3,7 @@ package processor
 import (
 	"strings"

+	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 )

@ -77,3 +78,33 @@ func combineRuleResponses(imageResponse engineapi.EngineResponse) engineapi.Engi
 	imageResponse.PolicyResponse.Rules = combineRuleResponses
 	return imageResponse
 }
+
+func needsNamespaceLabels(rules ...kyvernov1.Rule) bool {
+	for _, p := range rules {
+		if p.MatchResources.ResourceDescription.NamespaceSelector != nil ||
+			p.ExcludeResources.ResourceDescription.NamespaceSelector != nil {
+			return true
+		}
+		for _, m := range p.MatchResources.Any {
+			if m.ResourceDescription.NamespaceSelector != nil {
+				return true
+			}
+		}
+		for _, m := range p.MatchResources.All {
+			if m.ResourceDescription.NamespaceSelector != nil {
+				return true
+			}
+		}
+		for _, e := range p.ExcludeResources.Any {
+			if e.ResourceDescription.NamespaceSelector != nil {
+				return true
+			}
+		}
+		for _, e := range p.ExcludeResources.All {
+			if e.ResourceDescription.NamespaceSelector != nil {
+				return true
+			}
+		}
+	}
+	return false
+}