bug fixes

pkg/generate/generate.go

@@ -54,7 +54,6 @@ func (c *Controller) applyGenerate(resource unstructured.Unstructured, gr kyvern
 			return nil, nil
 		}
 		logger.Error(err, "error in getting policy")
-		return nil, nil
 	}
 
 	resourceRaw, err := resource.MarshalJSON()
@@ -267,7 +266,7 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 	// - kyverno.io/generated-by: kind/namespace/name (trigger resource)
 	manageLabels(newResource, resource)
 	logger := log.WithValues("genKind", genKind, "genNamespace", genNamespace, "genName", genName)
-		if mode == Create {
+
 	// Add Synchronize label
 	label := newResource.GetLabels()
 	if rule.Generation.Synchronize {
@@ -277,6 +276,7 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 	}
 	newResource.SetLabels(label)
 
+	if mode == Create {
 		// Reset resource version
 		newResource.SetResourceVersion("")
 		// Create the resource
@@ -289,13 +289,15 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 		logger.V(4).Info("created new resource")
 
 	} else if mode == Update {
-		label := newResource.GetLabels();
+		label := newResource.GetLabels()
+
 		if label != nil {
 			if label["app.kubernetes.io/synchronize"] == "enable" {
 				logger.V(4).Info("updating existing resource")
 				// Update the resource
 				_, err := client.UpdateResource(genKind, genNamespace, newResource, false)
 				if err != nil {
+					logger.Error(err, "updating existing resource")
 					// Failed to update resource
 					return noGenResource, err
 				}
@@ -304,6 +306,8 @@ func applyRule(log logr.Logger, client *dclient.Client, rule kyverno.Rule, resou
 			} else {
 				logger.V(4).Info("Synchronize resource is disabled")
 			}
+		} else {
+			logger.V(4).Info("Synchronize resource is disabled")
 		}
 
 	}

pkg/userinfo/roleRef.go

@@ -2,6 +2,8 @@ package userinfo
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/nirmata/kyverno/pkg/engine"
 	"github.com/nirmata/kyverno/pkg/utils"
 	v1beta1 "k8s.io/api/admission/v1beta1"
@@ -10,7 +12,6 @@ import (
 	labels "k8s.io/apimachinery/pkg/labels"
 	rbaclister "k8s.io/client-go/listers/rbac/v1"
 	"sigs.k8s.io/controller-runtime/pkg/log"
-	"strings"
 )
 
 const (
@@ -129,10 +130,8 @@ func matchUserOrGroup(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 	return false
 }
 
-
 //IsRoleAuthorize is role authorize or not
 func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister.ClusterRoleBindingLister, rLister rbaclister.RoleLister, crLister rbaclister.ClusterRoleLister, request *v1beta1.AdmissionRequest) (bool, error) {
-
 	if strings.Contains(request.UserInfo.Username, SaPrefix) {
 		roles, clusterRoles, err := GetRoleRef(rbLister, crbLister, request)
 		if err != nil {
@@ -140,26 +139,33 @@ func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister
 		}
 
 		for _, e := range clusterRoles {
-				role,err := crLister.Get(e);
+			if strings.Contains(e, "kyverno:") {
+				return true, nil
+			} else {
+				role, err := crLister.Get(e)
 				if err != nil {
 					return false, err
 				}
 				labels := role.GetLabels()
+
 				if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
 					return true, nil
 				}
 			}
+		}
 		for _, e := range roles {
 			roleData := strings.Split(e, ":")
-			    role, err := rLister.Roles(roleData[0]).Get(roleData[1]);
+			role, err := rLister.Roles(roleData[0]).Get(roleData[1])
 			if err != nil {
 				return false, err
 			}
 			labels := role.GetLabels()
+			if !strings.Contains(e, "kyverno:") {
 				if labels["kubernetes.io/bootstrapping"] == "rbac-defaults" {
 					return true, nil
 				}
 			}
+		}
 	} else {
 		// User or Group
 		excludeDevelopmentRole := []string{"minikube-user", "kubernetes-admin"}
@@ -173,7 +179,7 @@ func IsRoleAuthorize(rbLister rbaclister.RoleBindingLister, crbLister rbaclister
 			for _, defaultSuffix := range defaultSuffixs {
 				if strings.Contains(e, defaultSuffix) {
 					matchedRoles = append(matchedRoles, true)
-					break;
+					break
 				}
 			}
 		}