From ed45dc12c09207713f483d31bc6da714f063171a Mon Sep 17 00:00:00 2001
From: shravan
Date: Sat, 4 Apr 2020 22:39:21 +0530
Subject: [PATCH 1/2] 775 working prototype

---
 pkg/engine/mutation.go | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index b147f5b490..0449698768 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -1,6 +1,7 @@
 package engine
 
 import (
+ "encoding/json"
 "reflect"
 "strings"
 "time"
@@ -101,18 +102,19 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 if reflect.DeepEqual(policyContext.AdmissionInfo, kyverno.RequestInfo{}) {
 continue
 }
+ }
 
- if strings.Contains(PodControllers, resource.GetKind()) {
+ if strings.Contains(PodControllers, resource.GetKind()) {
+ if !patchedResourceHasPodControllerAnnotation(patchedResource) {
 var ruleResponse response.RuleResponse
- ruleResponse, patchedResource = mutate.ProcessOverlay(logger, rule.Name, podTemplateRule, patchedResource)
+ ruleResponse, patchedResource = mutate.ProcessOverlay(logger, "podControllerAnnotation", podTemplateRule.Mutation.Overlay, patchedResource)
 if !ruleResponse.Success {
 logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
- continue
- }
-
- if ruleResponse.Success && ruleResponse.Patches != nil {
- logger.V(2).Info("inserted annotation for podTemplate")
- resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+ } else {
+ if ruleResponse.Success && ruleResponse.Patches != nil {
+ logger.V(2).Info("inserted annotation for podTemplate")
+ resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
+ }
 }
 }
 }
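Review bot: Inside the new `} else {` branch the condition `ruleResponse.Success && ruleResponse.Patches != nil` re-tests `Success`, which the enclosing `if !ruleResponse.Success` has already settled; `} else if ruleResponse.Patches != nil {` expresses the same thing one nesting level shallower. The `strings.Contains(PodControllers, resource.GetKind())` guard that now runs once per policy is a substring match, so if PodControllers is a delimited list of kind names, as its name suggests, a kind that is a substring of a listed kind would also pass; splitting the list and comparing whole names, or a set keyed by kind, would make the match exact. On the failure path the result is only logged at Info and nothing is appended to `resp.PolicyResponse.Rules`, so the response appears to carry no trace that the podTemplate annotation was not inserted. Mutate begins and ends outside this hunk, so which loop the added `}` closes relative to the rest of the function cannot be checked here.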
@@ -120,6 +122,24 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 resp.PatchedResource = patchedResource
 return resp
 }
+
+func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructured) bool {
+ var podController struct {
+ Spec struct {
+ Template struct {
+ Metadata struct {
+ Annotations map[string]interface{} `json:"annotations"`
+ } `json:"metadata"`
+ } `json:"template"`
+ } `json:"spec"`
+ }
+
+ resourceRaw, _ := json.Marshal(resource.Object)
+ json.Unmarshal(resourceRaw, &podController)
+
+ _, ok := podController.Spec.Template.Metadata.Annotations[PodTemplateAnnotation]
+ return ok
+}
 func incrementAppliedRuleCount(resp *response.EngineResponse) {
 resp.PolicyResponse.RulesAppliedCount++
 }
@@ -150,7 +170,7 @@ var podTemplateRule = kyverno.Rule{
 "template": map[string]interface{}{
 "metadata": map[string]interface{}{
 "annotations": map[string]interface{}{
- "+(pod-policies.kyverno.io/autogen-applied)": "true",
+ "+(" + PodTemplateAnnotation + ")": "true",
 },
 },
 },

From ad3fcb500feffe8c37e735235cfa51378eb8791a Mon Sep 17 00:00:00 2001
From: shravan
Date: Sat, 4 Apr 2020 22:52:53 +0530
Subject: [PATCH 2/2] 775 circle ci fixes

---
 pkg/engine/mutation.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 0449698768..8f76efca9f 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -135,7 +135,7 @@ func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructure
 }
 
 resourceRaw, _ := json.Marshal(resource.Object)
- json.Unmarshal(resourceRaw, &podController)
+ _ = json.Unmarshal(resourceRaw, &podController)
 
 _, ok := podController.Spec.Template.Metadata.Annotations[PodTemplateAnnotation]
 return ok
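Review bot: `patchedResourceHasPodControllerAnnotation` serialises the whole object with `json.Marshal` and parses it back only to read one nested map, and both errors are dropped with `_` (the follow-up hunk at `@@ -135,7 +135,7 @@` makes the second drop explicit with `_ =` but still leaves it unexplained). A failure in either call leaves `podController` at its zero value, so the function reports "annotation absent" and the overlay is applied again, which is the safe direction, but the reader has to work that out and nothing says so. `unstructured.NestedMap(resource.Object, "spec", "template", "metadata", "annotations")` reads the same field without the round trip, returns an error the function can act on, and would let the `encoding/json` import added in the first hunk go. The function also lacks a doc comment; something like `// patchedResourceHasPodControllerAnnotation reports whether the pod template of resource already carries PodTemplateAnnotation.` would do. Note that the lookup tests only that the key is present, not that its value is the "true" the overlay writes.
```go
func patchedResourceHasPodControllerAnnotation(resource unstructured.Unstructured) bool {
	annotations, found, err := unstructured.NestedMap(resource.Object, "spec", "template", "metadata", "annotations")
	if err != nil || !found {
		// A malformed or annotation-less template counts as "not yet applied".
		return false
	}
	_, ok := annotations[PodTemplateAnnotation]
	return ok
}
```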