mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

feat(cache): use shallow copy instead of deep copy (#11378)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Khaled Emara 2024-10-10 13:32:38 +03:00 committed by GitHub
parent 521e43a224
commit 8bf704edc5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -3,7 +3,6 @@ package policycache
import ( import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/ext/wildcard" "github.com/kyverno/kyverno/ext/wildcard"
"github.com/kyverno/kyverno/pkg/autogen"
"github.com/kyverno/kyverno/pkg/clients/dclient" "github.com/kyverno/kyverno/pkg/clients/dclient"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
@ -80,8 +79,12 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace
} }
func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) (bool, kyvernov1.PolicyInterface) { func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) (bool, kyvernov1.PolicyInterface) {
var filteredRules []kyvernov1.Rule filteredRules := make([]kyvernov1.Rule, 0, len(policy.GetSpec().Rules))
for _, rule := range autogen.ComputeRules(policy, "") {
// Use pointer to avoid copying the rule in each iteration
for i := range policy.GetSpec().Rules {
rule := &policy.GetSpec().Rules[i]
if !rule.HasValidate() { if !rule.HasValidate() {
continue continue
} }
@ -89,7 +92,8 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver
// if the field isn't set, use the higher level policy setting // if the field isn't set, use the higher level policy setting
validationFailureAction := rule.Validation.FailureAction validationFailureAction := rule.Validation.FailureAction
if validationFailureAction == nil { if validationFailureAction == nil {
validationFailureAction = &policy.GetSpec().ValidationFailureAction policyAction := policy.GetSpec().ValidationFailureAction
validationFailureAction = &policyAction
} }
validationFailureActionOverrides := rule.Validation.FailureActionOverrides validationFailureActionOverrides := rule.Validation.FailureActionOverrides
@ -98,21 +102,29 @@ func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyver
} }
if (ns == "" || len(validationFailureActionOverrides) == 0) && validationFailureAction.Enforce() == enforce { if (ns == "" || len(validationFailureActionOverrides) == 0) && validationFailureAction.Enforce() == enforce {
filteredRules = append(filteredRules, rule) filteredRules = append(filteredRules, *rule)
continue continue
} }
for _, action := range validationFailureActionOverrides { for _, action := range validationFailureActionOverrides {
if action.Action.Enforce() == enforce && wildcard.CheckPatterns(action.Namespaces, ns) { if action.Action.Enforce() == enforce && wildcard.CheckPatterns(action.Namespaces, ns) {
filteredRules = append(filteredRules, rule) filteredRules = append(filteredRules, *rule)
continue break // Changed continue to break since we found a match
} }
} }
} }
if len(filteredRules) > 0 { if len(filteredRules) > 0 {
filteredPolicy := policy.CreateDeepCopy() var filteredPolicy kyvernov1.PolicyInterface
filteredPolicy.GetSpec().Rules = filteredRules if _, ok := policy.(*kyvernov1.Policy); ok {
shallowCopy := *policy.(*kyvernov1.Policy)
filteredPolicy = &shallowCopy
} else {
shallowCopy := *policy.(*kyvernov1.ClusterPolicy)
filteredPolicy = &shallowCopy
}
filteredPolicy.GetSpec().SetRules(filteredRules)
return true, filteredPolicy return true, filteredPolicy
} }
return false, nil return false, nil
} }
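Review bot: The `else` branch at the end of checkValidationFailureActionOverrides asserts `policy.(*kyvernov1.ClusterPolicy)` without an `ok` check, so any other kyvernov1.PolicyInterface implementation panics on this lookup path, where the old `policy.CreateDeepCopy()` worked for every implementation; a type switch with a deep-copy default keeps the fast path and removes the panic. The shallow copies also share metadata and every pointer or slice inside the appended `*rule` values with the input policy (presumably the cached object), so callers must now treat the returned policy as read-only, which deserves a comment on the function. Separately, the loop now ranges over `policy.GetSpec().Rules` instead of `autogen.ComputeRules(policy, "")`; if auto-generated rules are not already present in the spec at this point (not visible here), they would drop out of the enforce/audit filtering, which is a behaviour change beyond the copy optimisation and worth a test.

```go
	if len(filteredRules) > 0 {
		var filteredPolicy kyvernov1.PolicyInterface
		switch p := policy.(type) {
		case *kyvernov1.Policy:
			shallowCopy := *p
			filteredPolicy = &shallowCopy
		case *kyvernov1.ClusterPolicy:
			shallowCopy := *p
			filteredPolicy = &shallowCopy
		default:
			// Unknown implementation: fall back to the previous deep copy rather than panic.
			filteredPolicy = policy.CreateDeepCopy()
		}
		// … unchanged: SetRules(filteredRules) and return …
```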