From ddf89b4803e13021bbf8353d0d2fc14906a8ab09 Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Fri, 15 May 2020 13:11:28 -0700 Subject: [PATCH 1/3] - fix 811; - suppress log --- Makefile | 2 +- definitions/install.yaml | 2 +- pkg/webhooks/mutation.go | 4 +++- pkg/webhooks/server.go | 26 ++++++++++++++++++++++++-- 4 files changed, 29 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 824f8b92e4..337e4fef43 100644 --- a/Makefile +++ b/Makefile @@ -10,7 +10,7 @@ TIMESTAMP := $(shell date '+%Y-%m-%d_%I:%M:%S%p') REGISTRY=index.docker.io REPO=$(REGISTRY)/nirmata/kyverno -IMAGE_TAG=$(GIT_VERSION) +IMAGE_TAG?=$(GIT_VERSION) GOOS ?= $(shell go env GOOS) PACKAGE ?=github.com/nirmata/kyverno LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)" diff --git a/definitions/install.yaml b/definitions/install.yaml index b8950c12e6..5fcc327d47 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -712,7 +712,7 @@ spec: - name: kyverno image: nirmata/kyverno:v1.1.5 args: - - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*]" + - "--filterK8Resources=[Event,*,*][*,kube-system,*][*,kube-public,*][*,kube-node-lease,*][Node,*,*][APIService,*,*][TokenReview,*,*][SubjectAccessReview,*,*][*,kyverno,*][Binding,*,*][ReplicaSet,*,*]" # customize webhook timout # - "--webhooktimeout=4" ports: diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index 0afdefa90a..a058bd852f 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go 
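Review bot: Adding `[ReplicaSet,*,*]` to `--filterK8Resources` removes ReplicaSets from webhook admission entirely, so a ReplicaSet created directly rather than through a Deployment is never mutated or validated; that is a policy-coverage change, not a logging one, and neither the commit message nor the manifest explains it. `[Binding,*,*]` looks harmless, but the ReplicaSet exclusion deserves a comment next to the arg if it is deliberate, e.g. `# ReplicaSet is filtered out: Pod policies are applied to the owning Deployment and to the Pods it creates`. If it is not deliberate, drop `[ReplicaSet,*,*]` from the filter so the validate path still sees those objects.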
@@ -72,7 +72,9 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou } // gather patches patches = append(patches, engineResponse.GetPatches()...) - logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name) + if len(engineResponse.GetPatches()) != 0 { + logger.Info("mutation rules from policy applied succesfully", "policy", policy.Name) + } policyContext.NewResource = engineResponse.PatchedResource } diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index f1517ef66f..9171dda8f5 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -193,7 +193,7 @@ func (ws *WebhookServer) handlerFunc(handler func(request *v1beta1.AdmissionRequ } func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { - logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) + logger := ws.log.WithName("handleMutateAdmissionRequest").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) policies, err := ws.pMetaStore.ListAll() if err != nil { // Unable to connect to policy Lister to access policies 
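Review bot: The rewritten log line in HandleMutation keeps the misspelling `succesfully`, and `engineResponse.GetPatches()` is now evaluated twice, once for the append and once for the length check. Since the line is being rewritten anyway, bind the result once with `newPatches := engineResponse.GetPatches()`, append with `patches = append(patches, newPatches...)`, and guard the log with `if len(newPatches) != 0 {` using the corrected message `"mutation rules from policy applied successfully"`. HandleMutation starts and ends outside the hunk.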
@@ -288,7 +288,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission } func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { - logger := ws.log.WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) + logger := ws.log.WithName("handleValidateAdmissionRequest").WithValues("uid", request.UID, "kind", request.Kind.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) policies, err := ws.pMetaStore.ListAll() if err != nil { // Unable to connect to policy Lister to access policies @@ -307,6 +307,28 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi } } + resource, err := convertResource(request.Object.Raw, request.Kind.Group, request.Kind.Version, request.Kind.Kind, request.Namespace) + if err != nil { + logger.Error(err, "failed to convert RAW resource to unstructured format") + + return &v1beta1.AdmissionResponse{ + Allowed: false, + Result: &metav1.Status{ + Status: "Failure", + Message: err.Error(), + }, + } + } + + if checkPodTemplateAnn(resource) { + return &v1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Status: "Success", + }, + } + } + // VALIDATION ok, msg := ws.HandleValidation(request, policies, nil, roles, clusterRoles) if !ok { From 0952ccec829e89c8c44f77cfc148ebbd1389e88d Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Fri, 15 May 2020 14:49:34 -0700 Subject: [PATCH 2/3] set log to higher level --- pkg/webhooks/mutation.go | 2 +- pkg/webhooks/validation.go | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index a058bd852f..b2c912b2ae 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go 
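Review bot: The new early return in handleValidateAdmissionRequest answers `Allowed: true` before `HandleValidation` runs whenever `checkPodTemplateAnn(resource)` is true, and that helper (shown in patch 3, annotations.go) only tests that a Pod carries the `pod-policies.kyverno.io/autogen-applied` annotation. Annotations are part of the client-supplied object, so any Pod submitted with that annotation skips every validate policy; key the shortcut to something the admitter controls instead, for example an `ownerReferences` entry for a controller whose template was already validated, or do not bypass validation on the annotation at all and let policy matching handle autogen'd Pods (the patch 3 context at `@@ -226` shows the same shortcut in the mutate path, which appears to share the exposure). Separately, `convertResource` is fed `request.Object.Raw`, which is empty for DELETE operations; if this webhook is registered for DELETE, those requests would now be denied with a conversion error rather than validated, so confirm the operations list or fall back to `request.OldObject.Raw` for that case. handleValidateAdmissionRequest starts before the hunk and continues past it.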
@@ -55,7 +55,7 @@ func (ws *WebhookServer) HandleMutation(request *v1beta1.AdmissionRequest, resou } for _, policy := range policies { - logger.V(2).Info("evaluating policy", "policy", policy.Name) + logger.V(3).Info("evaluating policy", "policy", policy.Name) policyContext.Policy = policy engineResponse := engine.Mutate(policyContext) diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go index d0b49347ad..a87b7e3133 100644 --- a/pkg/webhooks/validation.go +++ b/pkg/webhooks/validation.go @@ -58,7 +58,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol } var engineResponses []response.EngineResponse for _, policy := range policies { - logger.V(2).Info("evaluating policy", "policy", policy.Name) + logger.V(3).Info("evaluating policy", "policy", policy.Name) policyContext.Policy = policy engineResponse := engine.Validate(policyContext) if reflect.DeepEqual(engineResponse, response.EngineResponse{}) { @@ -74,6 +74,8 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest, pol logger.V(4).Info("failed to apply policy", "policy", policy.Name) continue } + + logger.Info("valiadtion rules from policy applied succesfully", "policy", policy.Name) } // If Validation fails then reject the request // no violations will be created on "enforce" From eec21ea5caf5fa9136dbcd0167724f8a94f646fa Mon Sep 17 00:00:00 2001 From: Shuting Zhao Date: Sat, 16 May 2020 21:24:37 -0700 Subject: [PATCH 3/3] Rename function --- pkg/webhooks/annotations.go | 2 +- pkg/webhooks/server.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/webhooks/annotations.go b/pkg/webhooks/annotations.go index eddded1cde..c44e03017d 100644 --- a/pkg/webhooks/annotations.go +++ b/pkg/webhooks/annotations.go 
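Review bot: The new `logger.Info("valiadtion rules from policy applied succesfully", ...)` line in HandleValidation (validation.go, `@@ -74`) logs at the default verbosity for every policy on every admission request, which works against this commit's own intent of raising the per-policy `evaluating policy` line to `V(3)` in the hunk just above it; it also misspells two words. Prefer `logger.V(3).Info("validation rules from policy applied successfully", "policy", policy.Name)`, or keep it at Info only when the policy actually produced a rule result, which the hunk does not check. HandleValidation continues outside the hunk.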
@@ -152,7 +152,7 @@ func annotationFromPolicyResponse(policyResponse response.PolicyResponse, log lo } // checkPodTemplateAnn checks if a Pod has annotation "pod-policies.kyverno.io/autogen-applied" -func checkPodTemplateAnn(resource unstructured.Unstructured) bool { +func checkPodTemplateAnnotation(resource unstructured.Unstructured) bool { if resource.GetKind() == "Pod" { ann := resource.GetAnnotations() if _, ok := ann[engine.PodTemplateAnnotation]; ok { diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go index 9171dda8f5..605198310d 100644 --- a/pkg/webhooks/server.go +++ b/pkg/webhooks/server.go @@ -226,7 +226,7 @@ func (ws *WebhookServer) handleMutateAdmissionRequest(request *v1beta1.Admission } } - if checkPodTemplateAnn(resource) { + if checkPodTemplateAnnotation(resource) { return &v1beta1.AdmissionResponse{ Allowed: true, Result: &metav1.Status{ @@ -320,7 +320,7 @@ func (ws *WebhookServer) handleValidateAdmissionRequest(request *v1beta1.Admissi } } - if checkPodTemplateAnn(resource) { + if checkPodTemplateAnnotation(resource) { return &v1beta1.AdmissionResponse{ Allowed: true, Result: &metav1.Status{