fix: handle resource cleanup when policy is deleted (#5021)

* fix: handle delete UR when policy is deleted Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * fix cleanup Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * use selector to list the update request Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2025-04-08 10:04:25 +00:00 · 2022-10-20 23:18:27 +05:30 · 2022-10-20 23:18:27 +05:30 · 7735ac3f83
commit 7735ac3f83
parent 35491d248e
1 changed files with 67 additions and 24 deletions
--- a/pkg/background/update_request_controller.go
+++ b/pkg/background/update_request_controller.go
@ -180,6 +180,7 @@ func (c *controller) syncUpdateRequest(key string) error {
 	if err != nil {
 		return err
 	}
+
 	// if not in any state, try to set it to pending
 	if ur.Status.State == "" {
 		ur = ur.DeepCopy()
@ -213,7 +214,10 @@ func (c *controller) syncUpdateRequest(key string) error {
 				metav1.ListOptions{LabelSelector: metav1.FormatLabelSelector(selector)},
 			)
 		}
-		return err
+		// check if cleanup is required in case policy is no longer exists
+		if err := c.checkIfCleanupRequired(ur); err != nil {
+			return err
+		}
 	}
 	// if in pending state, try to acquire ur and eventually process it
 	if ur.Status.State == kyvernov1beta1.Pending {
@ -241,6 +245,59 @@ func (c *controller) syncUpdateRequest(key string) error {
 	return err
 }

+func (c *controller) checkIfCleanupRequired(ur *kyvernov1beta1.UpdateRequest) error {
+	var err error
+	pNamespace, pName, err := cache.SplitMetaNamespaceKey(ur.Spec.Policy)
+	if err != nil {
+		return err
+	}
+
+	if pNamespace == "" {
+		_, err = c.cpolLister.Get(pName)
+	} else {
+		_, err = c.polLister.Policies(pNamespace).Get(pName)
+	}
+	if err != nil {
+		if !apierrors.IsNotFound(err) {
+			return err
+		}
+
+		logger.V(4).Info("policy no longer exists, deleting the update request and respective resource based on synchronize", "ur", ur.Name, "policy", ur.Spec.Policy)
+		for _, e := range ur.Status.GeneratedResources {
+			if err := c.cleanupDataResource(e); err != nil {
+				logger.Error(err, "failed to clean up data resource on policy deletion")
+			}
+		}
+		return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.Name, metav1.DeleteOptions{})
+	}
+	return nil
+}
+
+// cleanupDataResource deletes resource if sync is enabled for data policy
+func (c *controller) cleanupDataResource(targetSpec kyvernov1.ResourceSpec) error {
+	target, err := c.client.GetResource(targetSpec.APIVersion, targetSpec.Kind, targetSpec.Namespace, targetSpec.Name)
+	if err != nil {
+		if !apierrors.IsNotFound(err) {
+			return fmt.Errorf("failed to find generated resource %s/%s: %v", targetSpec.Namespace, targetSpec.Name, err)
+		}
+	}
+
+	if target == nil {
+		return nil
+	}
+
+	labels := target.GetLabels()
+	syncEnabled := labels["policy.kyverno.io/synchronize"] == "enable"
+	clone := labels["generate.kyverno.io/clone-policy-name"] != ""
+
+	if syncEnabled && !clone {
+		if err := c.client.DeleteResource(target.GetAPIVersion(), target.GetKind(), target.GetNamespace(), target.GetName(), false); err != nil {
+			return fmt.Errorf("failed to delete data resource %s/%s: %v", targetSpec.Namespace, targetSpec.Name, err)
+		}
+	}
+	return nil
+}
+
 func (c *controller) enqueueUpdateRequest(obj interface{}) {
 	key, err := cache.MetaNamespaceKeyFunc(obj)
 	if err != nil {
@ -282,15 +339,11 @@ func (c *controller) deletePolicy(obj interface{}) {
 		logger.Error(err, "failed to compute policy key")
 	} else {
 		logger.V(4).Info("updating policy", "key", key)
-		urs, err := c.urLister.GetUpdateRequestsForClusterPolicy(key)
-		if err != nil {
-			logger.Error(err, "failed to list update requests for policy", "key", key)
-			return
-		}

+		// check if deleted policy is clone generate policy
 		generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(p, c.client, c.kyvernoClient, c.urLister, p.GetName(), logger)

-		// get the generated resource name from update request for log
+		// get the generated resource name from update request
 		selector := labels.SelectorFromSet(labels.Set(map[string]string{
 			kyvernov1beta1.URGeneratePolicyLabel: p.Name,
 		}))
@ -301,28 +354,18 @@ func (c *controller) deletePolicy(obj interface{}) {
 			return
 		}

-		for _, ur := range urList {
-			for _, generatedResource := range ur.Status.GeneratedResources {
-				logger.V(4).Info("retaining resource", "apiVersion", generatedResource.APIVersion, "kind", generatedResource.Kind, "name", generatedResource.Name, "namespace", generatedResource.Namespace)
-			}
-		}
-
 		if !generatePolicyWithClone {
-			urs, err := c.urLister.GetUpdateRequestsForClusterPolicy(p.Name)
-			if err != nil {
-				logger.Error(err, "failed to update request for the policy", "name", p.Name)
-				return
-			}
 			// re-evaluate the UR as the policy was updated
-			for _, ur := range urs {
+			for _, ur := range urList {
 				logger.V(4).Info("enqueue the ur for cleanup", "ur name", ur.Name)
 				c.enqueueUpdateRequest(ur)
 			}
-		}
-		// re-evaluate the UR as the policy was updated
-		for _, ur := range urs {
-			logger.V(4).Info("enqueue the ur for cleanup", "ur name", ur.Name)
-			c.enqueueUpdateRequest(ur)
+		} else {
+			for _, ur := range urList {
+				for _, generatedResource := range ur.Status.GeneratedResources {
+					logger.V(4).Info("retaining resource for cloned policy", "apiVersion", generatedResource.APIVersion, "kind", generatedResource.Kind, "name", generatedResource.Name, "namespace", generatedResource.Namespace)
+				}
+			}
 		}
 	}
 }