Fix: mutate policies kept applying to these terminating Pods (#1978)

* Fix Dev setup * Fix mutate policies kept applying to these terminating Pods * fix patch resource issue Co-authored-by: vyankatesh <vyankatesh@neualto.com>
2025-04-08 18:15:48 +00:00 · 2021-06-10 07:04:10 +05:30 · 2021-06-10 07:04:10 +05:30 · 9d00348a52
commit 9d00348a52
parent 6d2cb87370
2 changed files with 19 additions and 1 deletions
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@ -17,7 +17,9 @@ import (
 	"github.com/kyverno/kyverno/pkg/metrics"
 	policyRuleExecutionLatency "github.com/kyverno/kyverno/pkg/metrics/policyruleexecutionlatency"
 	policyRuleResults "github.com/kyverno/kyverno/pkg/metrics/policyruleresults"
+	"github.com/kyverno/kyverno/pkg/utils"
 	v1beta1 "k8s.io/api/admission/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

@ -28,6 +30,7 @@ func (ws *WebhookServer) HandleMutation(
 	resource unstructured.Unstructured,
 	policies []*kyverno.ClusterPolicy,
 	ctx *context.Context,
+	patchedResource []byte,
 	userRequestInfo kyverno.RequestInfo,
 	admissionRequestTimestamp int64) ([]byte, []kyverno.ClusterPolicy, []*response.EngineResponse) {

@ -41,7 +44,22 @@ func (ws *WebhookServer) HandleMutation(
 	}

 	logger := ws.log.WithValues("action", "mutate", "resource", resourceName, "operation", request.Operation, "gvk", request.Kind.String())
+	newR, oldR, err := utils.ExtractResources(patchedResource, request)
+	if err != nil {
+		// as resource cannot be parsed, we skip processing
+		logger.Error(err, "failed to extract resource")
+		return nil, nil, nil
+	}
+	var deletionTimeStamp *metav1.Time
+	if reflect.DeepEqual(newR, unstructured.Unstructured{}) {
+		deletionTimeStamp = newR.GetDeletionTimestamp()
+	} else {
+		deletionTimeStamp = oldR.GetDeletionTimestamp()
+	}

+	if deletionTimeStamp != nil && request.Operation == v1beta1.Update {
+		return nil, nil, nil
+	}
 	var patches [][]byte
 	var engineResponses []*response.EngineResponse
 	var triggeredPolicies []kyverno.ClusterPolicy
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -358,7 +358,7 @@ func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1
 	var triggeredMutatePolicies []v1.ClusterPolicy
 	var mutateEngineResponses []*response.EngineResponse

-	patches, triggeredMutatePolicies, mutateEngineResponses = ws.HandleMutation(request, resource, mutatePolicies, ctx, userRequestInfo, admissionRequestTimestamp)
+	patches, triggeredMutatePolicies, mutateEngineResponses = ws.HandleMutation(request, resource, mutatePolicies, ctx, patchedResource, userRequestInfo, admissionRequestTimestamp)
 	logger.V(6).Info("", "generated patches", string(patches))

 	// patch the resource with patches before handling validation rules