fix mutate existing force reconciliation (#9230)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/policy/mutate.go

@@ -12,10 +12,6 @@ import (
 
 func (pc *policyController) handleMutate(policyKey string, policy kyvernov1.PolicyInterface) error {
 	logger := pc.log.WithName("handleMutate").WithName(policyKey)
-	if !policy.GetSpec().MutateExistingOnPolicyUpdate {
-		logger.V(4).Info("skip policy application on policy event", "policyKey", policyKey, "mutateExiting", policy.GetSpec().MutateExistingOnPolicyUpdate)
-		return nil
-	}
 
 	logger.Info("update URs on policy event")
 	for _, rule := range policy.GetSpec().Rules {

pkg/policy/policy_controller.go

@@ -3,6 +3,7 @@ package policy
 import (
 	"context"
 	"fmt"
+	"os"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -144,11 +145,9 @@ func NewPolicyController(
 
 func (pc *policyController) canBackgroundProcess(p kyvernov1.PolicyInterface) bool {
 	logger := pc.log.WithValues("policy", p.GetName())
-	if !p.BackgroundProcessingEnabled() {
-		if !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting() {
-			logger.V(4).Info("background processing is disabled")
-			return false
-		}
+	if !p.GetSpec().HasGenerate() && !p.GetSpec().IsMutateExisting() {
+		logger.V(4).Info("policy does not have background rules for reconciliation")
+		return false
 	}
 
 	if err := policyvalidation.ValidateVariables(p, true); err != nil {
@@ -156,6 +155,18 @@ func (pc *policyController) canBackgroundProcess(p kyvernov1.PolicyInterface) bo
 		return false
 	}
 
+	if p.GetSpec().IsMutateExisting() {
+		val := os.Getenv("BACKGROUND_SCAN_INTERVAL")
+		interval, err := time.ParseDuration(val)
+		if err != nil {
+			logger.V(4).Info("failed to parse BACKGROUND_SCAN_INTERVAL env variable, falling to default 1h", "msg", err.Error())
+			interval = time.Hour
+		}
+		if p.GetCreationTimestamp().Add(interval).After(time.Now()) {
+			return p.GetSpec().GetMutateExistingOnPolicyUpdate()
+		}
+	}
+
 	return true
 }
 

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/chainsaw-step-01-apply-1-1.yaml

@@ -1,36 +1,4 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+apiVersion: v1
+kind: Namespace
 metadata:
-  annotations:
-    kyverno.io/kubernetes-version: "1.24"
-    kyverno.io/kyverno-version: 1.8.0
-    policies.kyverno.io/category: Pod Security Admission
-    policies.kyverno.io/description: 'When Pod Security Admission is configured with
-      a cluster-wide AdmissionConfiguration file which sets either baseline or restricted,
-      for example in many PaaS CIS profiles, it may be necessary to relax this to
-      privileged on a per-Namespace basis so that more granular control can be provided.
-      This policy labels new and existing Namespaces, except that of kube-system,
-      with the `pod-security.kubernetes.io/enforce: privileged` label.      '
-    policies.kyverno.io/minversion: 1.7.0
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Namespace
-    policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
-  name: add-privileged-existing-namespaces
-spec:
-  background: false
-  mutateExistingOnPolicyUpdate: true
-  rules:
-  - match:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-    mutate:
-      patchStrategicMerge:
-        metadata:
-          labels:
-            foo: bar
-      targets:
-      - apiVersion: v1
-        kind: Namespace
-    name: label-privileged-namespaces
+  name: background-false-ns

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/chainsaw-step-01-apply-1-2.yaml

@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    kyverno.io/kubernetes-version: "1.24"
+    kyverno.io/kyverno-version: 1.8.0
+    policies.kyverno.io/category: Pod Security Admission
+    policies.kyverno.io/description: 'When Pod Security Admission is configured with
+      a cluster-wide AdmissionConfiguration file which sets either baseline or restricted,
+      for example in many PaaS CIS profiles, it may be necessary to relax this to
+      privileged on a per-Namespace basis so that more granular control can be provided.
+      This policy labels new and existing Namespaces, except that of kube-system,
+      with the `pod-security.kubernetes.io/enforce: privileged` label.      '
+    policies.kyverno.io/minversion: 1.7.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Namespace
+    policies.kyverno.io/title: Add Privileged Label to Existing Namespaces
+  name: add-privileged-existing-namespaces
+spec:
+  background: false
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - background-false-ns
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          labels:
+            foo: bar
+      targets:
+      - apiVersion: v1
+        kind: Namespace
+        name: background-false-ns
+    name: label-privileged-namespaces

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/chainsaw-step-03-assert-1-1.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
+  name: background-false-ns
   labels:
     foo: bar
-  name: default

test/conformance/chainsaw/mutate/clusterpolicy/standard/existing/background-false/chainsaw-test.yaml

@@ -9,9 +9,12 @@ spec:
     try:
     - apply:
         file: chainsaw-step-01-apply-1-1.yaml
+    - apply:
+        file: chainsaw-step-01-apply-1-2.yaml
     - assert:
         file: chainsaw-step-01-assert-1-1.yaml
   - name: step-03
     try:
     - assert:
         file: chainsaw-step-03-assert-1-1.yaml
+        timeout: 1m30s