cleanUp

2025-03-31 03:45:17 +00:00 · 2019-07-19 15:10:40 -07:00 · 2019-07-19 15:10:40 -07:00 · 9f157544c9
commit 9f157544c9
parent d68c4ea033
12 changed files with 78 additions and 429 deletions
--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
@ -23,17 +23,7 @@ type Policy struct {
 type Rule struct {
 	Status  string `json:"status"`
 	Changes string `json:"changes,omitempty"` // TODO for mutation changes
-}
-
-func getStatus(status bool) string {
-	if status {
-		return "Success"
-	}
-	return "Failure"
-}
-
-func buildKey(policyName string) string {
-	return "policies.kyverno.io." + policyName
+	Error   string `json:"error,omitempty"`
 }

 func getRules(rules []*pinfo.RuleInfo, ruleType pinfo.RuleType) map[string]Rule {
@ -47,9 +37,7 @@ func getRules(rules []*pinfo.RuleInfo, ruleType pinfo.RuleType) map[string]Rule
 			continue
 		}
 		annrules[r.Name] =
-			Rule{Status: getStatus(r.IsSuccessful())}
-		// //TODO: add mutation changes in policyInfo and in annotation
-		// annrules = append(annrules, annrule)
+			Rule{Status: getStatus(r.IsSuccessful()), Error: r.GetErrorString()}
 	}
 	return annrules
 }
@ -106,33 +94,6 @@ func (p *Policy) compareGenerationRules(rules map[string]Rule) bool {
 	return false
 }

-// // Update rules of a given type
-// func (p *Policy) updatePolicyRules(rules map[string]Rule, ruleType info.RuleType) bool {
-// 	updates := false
-// 	// Check if new rules are present in existing rules
-// 	// for k, v := range rules {
-// 	// 	_,
-// 	// }
-
-// 	var updatedRules []Rule
-// 	//TODO: check the selecting update add advantage
-// 	// filter rules for different type
-// 	for _, r := range rules {
-// 		if r.Type != ruleType.String() {
-// 			updatedRules = append(updatedRules, r)
-// 		}
-// 	}
-// 	// Add rules for current type
-// 	updatedRules = append(updatedRules, rules...)
-// 	// set the rule
-// 	p.Rules = updatedRules
-// }
-
-// func (p *Policy) containsPolicyRules(rules []Rule, ruleType info.RuleType) {
-// 	for _, r := range rules {
-// 	}
-// }
-
 func newAnnotationForPolicy(pi *pinfo.PolicyInfo) *Policy {
 	return &Policy{Status: getStatus(pi.IsSuccessful()),
 		MutationRules:   getRules(pi.Rules, pinfo.Mutation),
@ -150,7 +111,7 @@ func AddPolicy(obj *unstructured.Unstructured, pi *pinfo.PolicyInfo, ruleType pi
 	// get annotation
 	ann := obj.GetAnnotations()
 	// check if policy already has annotation
-	cPolicy, ok := ann[buildKey(pi.Name)]
+	cPolicy, ok := ann[BuildKey(pi.Name)]
 	if !ok {
 		PolicyByte, err := json.Marshal(PolicyObj)
 		if err != nil {
@ -158,7 +119,7 @@ func AddPolicy(obj *unstructured.Unstructured, pi *pinfo.PolicyInfo, ruleType pi
 			return false
 		}
 		// insert policy information
-		ann[buildKey(pi.Name)] = string(PolicyByte)
+		ann[BuildKey(pi.Name)] = string(PolicyByte)
 		// set annotation back to unstr
 		obj.SetAnnotations(ann)
 		return true
@ -177,7 +138,7 @@ func AddPolicy(obj *unstructured.Unstructured, pi *pinfo.PolicyInfo, ruleType pi
 			return false
 		}
 		// update policy information
-		ann[buildKey(pi.Name)] = string(cPolicyByte)
+		ann[BuildKey(pi.Name)] = string(cPolicyByte)
 		// set annotation back to unstr
 		obj.SetAnnotations(ann)
 		return true
@ -194,10 +155,10 @@ func RemovePolicy(obj *unstructured.Unstructured, policy string) bool {
 	if ann == nil {
 		return false
 	}
-	if _, ok := ann[buildKey(policy)]; !ok {
+	if _, ok := ann[BuildKey(policy)]; !ok {
 		return false
 	}
-	delete(ann, buildKey(policy))
+	delete(ann, BuildKey(policy))
 	// set annotation back to unstr
 	obj.SetAnnotations(ann)
 	return true
@ -225,22 +186,17 @@ func AddPolicyJSONPatch(ann map[string]string, pi *pinfo.PolicyInfo, ruleType pi
 		ann = make(map[string]string, 0)
 	}
 	PolicyObj := newAnnotationForPolicy(pi)
-	cPolicy, ok := ann[buildKey(pi.Name)]
+	cPolicy, ok := ann[BuildKey(pi.Name)]
 	if !ok {
 		PolicyByte, err := json.Marshal(PolicyObj)
 		if err != nil {
 			return nil, nil, err
 		}
 		// insert policy information
-		ann[buildKey(pi.Name)] = string(PolicyByte)
+		ann[BuildKey(pi.Name)] = string(PolicyByte)
 		// create add JSON patch
 		jsonPatch, err := createAddJSONPatch(ann)
-		// var jsonPatch []byte
-		// if len(ann) == 0 {
-		// 	jsonPatch, err = createAddJSONPatch(ann)
-		// } else {
-		// 	jsonPatch, err = createReplaceJSONPatch(ann)
-		// }
+
 		return ann, jsonPatch, err
 	}
 	cPolicyObj := Policy{}
@ -257,7 +213,7 @@ func AddPolicyJSONPatch(ann map[string]string, pi *pinfo.PolicyInfo, ruleType pi
 		return nil, nil, err
 	}
 	// update policy information
-	ann[buildKey(pi.Name)] = string(cPolicyByte)
+	ann[BuildKey(pi.Name)] = string(cPolicyByte)
 	// create update JSON patch
 	jsonPatch, err := createReplaceJSONPatch(ann)
 	return ann, jsonPatch, err
--- a/pkg/annotations/controller.go
+++ b/pkg/annotations/controller.go
@ -79,7 +79,7 @@ func (pc *controller) handleErr(err error, key interface{}) {
 		return
 	}
 	// This controller retries if something goes wrong. After that, it stops trying.
-	if pc.queue.NumRequeues(key) < WorkQueueRetryLimit {
+	if pc.queue.NumRequeues(key) < workQueueRetryLimit {
 		glog.Warningf("Error syncing events %v: %v", key, err)
 		// Re-enqueue the key rate limited. Based on the rate limiter on the
 		// queue and the re-enqueue history, the key will be processed later again.
--- a/pkg/annotations/info.go
+++ b/pkg/annotations/info.go
@ -0,0 +1,18 @@
+package annotations
+
+type info struct {
+	RKind string
+	RNs   string
+	RName string
+	//TODO:Hack as slice makes the struct unhasable
+	Patch *[]byte
+}
+
+func newInfo(rkind, rns, rname string, patch []byte) info {
+	return info{
+		RKind: rkind,
+		RNs:   rns,
+		RName: rname,
+		Patch: &patch,
+	}
+}
--- a/pkg/annotations/utils.go
+++ b/pkg/annotations/utils.go
@ -2,21 +2,15 @@ package annotations

 const annotationQueueName = "annotation-queue"
 const workerThreadCount = 1
-const WorkQueueRetryLimit = 3
+const workQueueRetryLimit = 3

-type info struct {
-	RKind string
-	RNs   string
-	RName string
-	//TODO:Hack as slice makes the struct unhasable
-	Patch *[]byte
-}
-
-func newInfo(rkind, rns, rname string, patch []byte) info {
-	return info{
-		RKind: rkind,
-		RNs:   rns,
-		RName: rname,
-		Patch: &patch,
+func getStatus(status bool) string {
+	if status {
+		return "Success"
 	}
+	return "Failure"
+}
+
+func BuildKey(policyName string) string {
+	return "policies.kyverno.io." + policyName
 }
--- a/pkg/apis/policy/v1alpha1/types.go
+++ b/pkg/apis/policy/v1alpha1/types.go
@ -93,8 +93,9 @@ type Violation struct {

 // FailedRule stored info and type of failed rules
 type FailedRule struct {
-	Name string `json:"name"`
-	Type string `json:"type"` //Mutation, Validation, Genertaion
+	Name  string `json:"name"`
+	Type  string `json:"type"` //Mutation, Validation, Genertaion
+	Error string `json:"error"`
 }

 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
--- a/pkg/controller/cleanup.go
+++ b/pkg/controller/cleanup.go
@ -28,7 +28,6 @@ func cleanAnnotations(client *client.Client, obj interface{}) {
 	for _, rule := range policy.Spec.Rules {
 		for _, k := range rule.Kinds {
 			if k == "Namespace" {
-				// REWORK: will be handeled by namespace controller
 				continue
 			}
 			// kind -> resource
@ -63,7 +62,7 @@ func cleanAnnotations(client *client.Client, obj interface{}) {
 		// get annotations
 		ann := obj.GetAnnotations()

-		_, patch, err := annotations.RemovePolicyJSONPatch(ann, policy.Name)
+		_, patch, err := annotations.RemovePolicyJSONPatch(ann, annotations.BuildKey(policy.Name))
 		if err != nil {
 			glog.Error(err)
 			continue
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@ -87,7 +87,6 @@ func (pc *PolicyController) deletePolicyHandler(resource interface{}) {
 		glog.Error("error decoding object, invalid type")
 		return
 	}
-	//TODO: need to clear annotations on the resources
 	cleanAnnotations(pc.client, resource)
 	glog.Infof("policy deleted: %s", object.GetName())
 }
@ -176,8 +175,7 @@ func (pc *PolicyController) syncHandler(obj interface{}) error {
 		glog.Errorf("invalid policy key: %s", key)
 		return nil
 	}
-
-	// Get Policy resource with namespace/name
+	// Get Policy
 	policy, err := pc.policyLister.Get(name)
 	if err != nil {
 		if errors.IsNotFound(err) {
@ -186,20 +184,20 @@ func (pc *PolicyController) syncHandler(obj interface{}) error {
 		}
 		return err
 	}
-	// process policy on existing resource
-	// get the violations and pass to violation Builder
-	// get the events and pass to event Builder
-	//TODO: processPolicy
+
 	glog.Infof("process policy %s on existing resources", policy.GetName())
+	// Process policy on existing resources
 	policyInfos := engine.ProcessExisting(pc.client, policy)
+
 	events, violations := pc.createEventsAndViolations(policyInfos)
+	// Events, Violations
 	pc.eventController.Add(events...)
 	err = pc.violationBuilder.Add(violations...)
 	if err != nil {
 		glog.Error(err)
 	}

-	// add annotations to resources
+	// Annotations
 	pc.createAnnotations(policyInfos)

 	return nil
@ -277,9 +275,11 @@ func (pc *PolicyController) createEventsAndViolations(policyInfos []*info.Policy
 					case info.Generation:
 						frule.Type = info.Generation.String()
 					}
+					frule.Error = rule.GetErrorString()
 				default:
 					glog.Info("Unsupported Rule type")
 				}
+				frule.Error = rule.GetErrorString()
 				frules = append(frules, frule)
 				events = append(events, e)
 			} else {
@ -291,24 +291,13 @@ func (pc *PolicyController) createEventsAndViolations(policyInfos []*info.Policy
 			e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyViolation, event.FResourcePolcy, policyInfo.RNamespace+"/"+policyInfo.RName, concatFailedRules(frules))
 			events = append(events, e)
 			// Violation
-			// TODO: Violation is currently create at policy, level not resource level
-			// As we create violation, we check if the
-			v := violation.BuldNewViolation(policyInfo.Name, policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyViolation.String(), frules)
+			v := violation.BuldNewViolation(policyInfo.Name, policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyViolation.String(), policyInfo.GetFailedRules())
 			violations = append(violations, v)
 		} else {
 			// clean up violations
 			pc.violationBuilder.RemoveInactiveViolation(policyInfo.Name, policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, info.Mutation)
 			pc.violationBuilder.RemoveInactiveViolation(policyInfo.Name, policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, info.Validation)
 		}
-
-		// else {
-		// 	// Policy was processed succesfully
-		// 	e := event.NewEvent("Policy", "", policyInfo.Name, event.PolicyApplied, event.SPolicyApply, policyInfo.Name)
-		// 	events = append(events, e)
-		// 	// Policy applied succesfully on resource
-		// 	e = event.NewEvent(policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyApplied, event.SRuleApply, strings.Join(sruleNames, ";"), policyInfo.RName)
-		// 	events = append(events, e)
-		// }
 	}
 	return events, violations
 }
--- a/pkg/gencontroller/generation.go
+++ b/pkg/gencontroller/generation.go
@ -78,9 +78,7 @@ func (c *Controller) processPolicy(ns *corev1.Namespace, p *v1alpha1.Policy) {

 		if onViolation {
 			glog.Infof("Adding violation for generation rule of policy %s\n", policyInfo.Name)
-
-			v := violation.NewViolation(event.PolicyViolation, policyInfo.Name, policyInfo.RKind, policyInfo.RName,
-				policyInfo.RNamespace, msg)
+			v := violation.BuldNewViolation(policyInfo.Name, policyInfo.RKind, policyInfo.RNamespace, policyInfo.RName, event.PolicyViolation.String(), policyInfo.GetFailedRules())
 			c.violationBuilder.Add(v)
 		} else {
 			eventInfo = event.NewEvent(policyKind, "", policyInfo.Name, event.RequestBlocked,
--- a/pkg/info/info.go
+++ b/pkg/info/info.go
@ -69,7 +69,7 @@ func (pi *PolicyInfo) GetFailedRules() []v1alpha1.FailedRule {
 	var rules []v1alpha1.FailedRule
 	for _, r := range pi.Rules {
 		if !r.IsSuccessful() {
-			rules = append(rules, v1alpha1.FailedRule{Name: r.Name, Type: r.RuleType.String()})
+			rules = append(rules, v1alpha1.FailedRule{Name: r.Name, Type: r.RuleType.String(), Error: r.GetErrorString()})
 		}
 	}
 	return rules
@ -111,12 +111,18 @@ type RuleInfo struct {
 }

 //ToString reule information
+//TODO: check if this is needed
 func (ri *RuleInfo) ToString() string {
 	str := "rulename: " + ri.Name
 	msgs := strings.Join(ri.Msgs, ";")
 	return strings.Join([]string{str, msgs}, ";")
 }

+//GetErrorString returns the error message for a rule
+func (ri *RuleInfo) GetErrorString() string {
+	return strings.Join(ri.Msgs, ";")
+}
+
 //NewRuleInfo creates a new RuleInfo
 func NewRuleInfo(ruleName string, ruleType RuleType) *RuleInfo {
 	return &RuleInfo{
--- a/pkg/violation/builder.go
+++ b/pkg/violation/builder.go
@ -2,10 +2,7 @@ package violation

 import (
 	"errors"
-	"fmt"
-	"reflect"

-	"github.com/golang/glog"
 	v1alpha1 "github.com/nirmata/kyverno/pkg/apis/policy/v1alpha1"
 	lister "github.com/nirmata/kyverno/pkg/client/listers/policy/v1alpha1"
 	client "github.com/nirmata/kyverno/pkg/dclient"
@ -32,7 +29,6 @@ type builder struct {
 type Builder interface {
 	Generator
 	processViolation(info *Info) error
-	isActive(kind string, rname string, rnamespace string) (bool, error)
 }

 //NewPolicyViolationBuilder returns new violation builder
@ -48,6 +44,20 @@ func NewPolicyViolationBuilder(client *client.Client,
 	return builder
 }

+//BuldNewViolation returns a new violation
+func BuldNewViolation(pName string, rKind string, rNs string, rName string, reason string, frules []v1alpha1.FailedRule) *Info {
+	return &Info{
+		Policy: pName,
+		Violation: v1alpha1.Violation{
+			Kind:      rKind,
+			Namespace: rNs,
+			Name:      rName,
+			Reason:    reason,
+			Rules:     frules,
+		},
+	}
+}
+
 func (b *builder) Add(infos ...*Info) error {
 	if infos == nil {
 		return nil
@ -131,6 +141,7 @@ func (b *builder) processViolation(info *Info) error {
 	return nil
 }

+//RemoveInactiveViolation
 func (b *builder) RemoveInactiveViolation(policy, rKind, rNs, rName string, ruleType info.RuleType) error {
 	statusMap := map[string]interface{}{}
 	violationsMap := map[string]interface{}{}
@ -204,6 +215,7 @@ func (b *builder) RemoveInactiveViolation(policy, rKind, rNs, rName string, rule
 	return nil
 }

+// ResourceRemoval on resources reoval we remove the policy violation in the policy
 func (b *builder) ResourceRemoval(policy, rKind, rNs, rName string) error {
 	statusMap := map[string]interface{}{}
 	violationsMap := map[string]interface{}{}
@ -257,325 +269,3 @@ func (b *builder) ResourceRemoval(policy, rKind, rNs, rName string) error {
 	}
 	return nil
 }
-
-// func (b *builder) processViolation(info *Info) error {
-// 	currVs := map[string]interface{}{}
-// 	statusMap := map[string]interface{}{}
-// 	var ok bool
-// 	//TODO: hack get from client
-// 	p1, err := b.client.GetResource("Policy", "", info.Policy, "status")
-// 	if err != nil {
-// 		return err
-// 	}
-// 	unstr := p1.UnstructuredContent()
-// 	// check if "status" field exists
-// 	status, ok := unstr["status"]
-// 	if ok {
-// 		// status is already present then we append violations
-// 		if statusMap, ok = status.(map[string]interface{}); !ok {
-// 			return errors.New("Unable to parse status subresource")
-// 		}
-// 		violations, ok := statusMap["violations"]
-// 		if !ok {
-// 			glog.Info("violation not present")
-// 		}
-// 		// Violations map[string][]Violations
-// 		glog.Info(reflect.TypeOf(violations))
-// 		if currVs, ok = violations.(map[string]interface{}); !ok {
-// 			return errors.New("Unable to parse violations")
-// 		}
-// 	}
-// 	// Info:
-// 	// Key - Kind, Namespace, Name
-// 	// policy - Name
-// 	//	violation, ok := currVs[info.getKey()]
-// 	// Key -> resource
-// 	// 1> Check if there were any previous violations for the given key
-// 	// 2> If No, create a new one
-// 	if !ok {
-// 		currVs[info.getKey()] = info.Violation
-// 	} else {
-// 		currV := currVs[info.getKey()]
-// 		glog.Info(reflect.TypeOf(currV))
-// 		v, ok := currV.(map[string]interface{})
-// 		if !ok {
-// 			glog.Info("type not matching")
-// 		}
-// 		// get rules
-// 		rules, ok := v["rules"]
-// 		if !ok {
-// 			glog.Info("rules not found")
-// 		}
-// 		glog.Info(reflect.TypeOf(rules))
-// 		rs, ok := rules.([]interface{})
-// 		if !ok {
-// 			glog.Info("type not matching")
-// 		}
-// 		// check if rules are samre
-// 		if isRuleNamesEqual(rs, info.Violation.Rules) {
-// 			return nil
-// 		}
-// 		// else update the errors
-// 		currVs[info.getKey()] = info.Violation
-// 	}
-// 	// newViolation := info.Violation
-// 	// for _, violation := range currentViolations {
-// 	// 	glog.Info(reflect.TypeOf(violation))
-// 	// 	if v, ok := violation.(map[string]interface{}); ok {
-// 	// 		if name, ok := v["name"].(string); ok {
-// 	// 			if namespace, ok := v["namespace"].(string); ok {
-// 	// 				ok, err := b.isActive(info.Kind, name, namespace)
-// 	// 				if err != nil {
-// 	// 					glog.Error(err)
-// 	// 					continue
-// 	// 				}
-// 	// 				if !ok {
-// 	// 					//TODO remove the violation as it corresponds to resource that does not exist
-// 	// 					glog.Info("removed violation")
-// 	// 				}
-// 	// 			}
-// 	// 		}
-// 	// 	}
-// 	// }
-// 	// currentViolations = append(currentViolations, newViolation)
-// 	// // update violations
-// 	// set the updated status
-// 	statusMap["violations"] = currVs
-// 	unstr["status"] = statusMap
-// 	p1.SetUnstructuredContent(unstr)
-// 	_, err = b.client.UpdateStatusResource("Policy", "", p1, false)
-// 	if err != nil {
-// 		return err
-// 	}
-// 	return nil
-// }
-
-func (b *builder) isActive(kind, rname, rnamespace string) (bool, error) {
-	// Generate Merge Patch
-	_, err := b.client.GetResource(b.client.DiscoveryClient.GetGVRFromKind(kind).Resource, rnamespace, rname)
-	if err != nil {
-		glog.Errorf("unable to get resource %s/%s ", rnamespace, rname)
-		return false, err
-	}
-	return true, nil
-}
-
-//NewViolation return new policy violation
-func NewViolation(reason event.Reason, policyName, kind, rname, rnamespace, msg string) *Info {
-	return &Info{Policy: policyName,
-		Violation: v1alpha1.Violation{
-			Kind:      kind,
-			Name:      rname,
-			Namespace: rnamespace,
-			Reason:    reason.String(),
-		},
-	}
-}
-
-// //NewViolationFromEvent returns violation info from event
-// func NewViolationFromEvent(e *event.Info, pName, rKind, rName, rnamespace string) *Info {
-// 	return &Info{
-// 		Policy: pName,
-// 		Violation: types.Violation{
-// 			Kind:      rKind,
-// 			Name:      rName,
-// 			Namespace: rnamespace,
-// 			Reason:    e.Reason,
-// 			Message:   e.Message,
-// 		},
-// 	}
-// }
-// Build a new Violation
-func BuldNewViolation(pName string, rKind string, rNs string, rName string, reason string, frules []v1alpha1.FailedRule) *Info {
-	return &Info{
-		Policy: pName,
-		Violation: v1alpha1.Violation{
-			Kind:      rKind,
-			Namespace: rNs,
-			Name:      rName,
-			Reason:    reason,
-			Rules:     frules,
-		},
-	}
-}
-
-func removeRuleTypes(currRules []interface{}, ruleType info.RuleType) ([]interface{}, error) {
-	//rules := []v1alpha1.FailedRule{}
-	var rules []interface{}
-	// removedRuleCount := 0
-	for _, r := range currRules {
-		glog.Info(reflect.TypeOf(r))
-		rfule, ok := r.(map[string]interface{})
-		if !ok {
-			return nil, fmt.Errorf("incorrect type")
-		}
-		glog.Info(reflect.TypeOf(rfule["type"]))
-		rtype, ok := rfule["type"].(string)
-		if !ok {
-			return nil, fmt.Errorf("incorrect type")
-		}
-		name, ok := rfule["name"].(string)
-		if !ok {
-			return nil, fmt.Errorf("incorrect type")
-		}
-		if rtype != ruleType.String() {
-			rules = append(rules, v1alpha1.FailedRule{Name: name, Type: rtype})
-		}
-	}
-	return rules, nil
-}
-
-func isRuleNamesEqual(currRules []interface{}, newRules []v1alpha1.FailedRule) bool {
-	if len(currRules) != len(newRules) {
-		return false
-	}
-	for i, r := range currRules {
-		glog.Info(reflect.TypeOf(r))
-		rfule, ok := r.(map[string]interface{})
-		if !ok {
-			return false
-		}
-		glog.Info(reflect.TypeOf(rfule["name"]))
-		// name
-		name, ok := rfule["name"].(string)
-		if !ok {
-			return false
-		}
-		if name != newRules[i].Name {
-			return false
-		}
-		// type
-
-		rtype, ok := rfule["type"].(string)
-		if !ok {
-			return false
-		}
-		if rtype != newRules[i].Type {
-			return false
-		}
-
-	}
-	return true
-}
-
-// //RemoveViolation will remove the violation for the resource if there was one
-// func (b *builder) RemoveInactiveViolation(policy, rKind, rNs, rName string, ruleType info.RuleType) error {
-// 	// Remove the <resource, Violation> pair from map
-// 	statusMap := map[string]interface{}{}
-// 	currVs := map[string]interface{}{}
-// 	// Get the policy
-// 	p, err := b.client.GetResource("Policy", "", policy, "status")
-// 	if err != nil {
-// 		glog.Infof("policy %s not found", policy)
-// 		return err
-// 	}
-// 	unstr := p.UnstructuredContent()
-
-// 	// check if "status" field exists
-// 	status, ok := unstr["status"]
-// 	if ok {
-// 		// status is already present then we append violations
-// 		if statusMap, ok = status.(map[string]interface{}); !ok {
-// 			return errors.New("Unable to parse status subresource")
-// 		}
-// 		violations, ok := statusMap["violations"]
-// 		if !ok {
-// 			glog.Info("violation not present")
-// 		}
-// 		glog.Info(reflect.TypeOf(violations))
-// 		if currVs, ok = violations.(map[string]interface{}); !ok {
-// 			return errors.New("Unable to parse violations")
-// 		}
-// 		currV, ok := currVs[BuildKey(rKind, rNs, rName)]
-// 		if !ok {
-// 			// No Violation present
-// 			return nil
-// 		}
-// 		glog.Info(reflect.TypeOf(currV))
-// 		v, ok := currV.(map[string]interface{})
-// 		if !ok {
-// 			glog.Info("type not matching")
-// 		}
-// 		// get rules
-// 		rules, ok := v["rules"]
-// 		if !ok {
-// 			glog.Info("rules not found")
-// 		}
-// 		glog.Info(reflect.TypeOf(rules))
-// 		rs, ok := rules.([]interface{})
-// 		if !ok {
-// 			glog.Info("type not matching")
-// 		}
-// 		// Remove rules of defined type
-// 		newrs, err := removeRuleTypes(rs, ruleType)
-// 		if err != nil {
-// 			glog.Info(err)
-// 		}
-// 		if newrs == nil {
-// 			// all records are removed and is empty
-// 			glog.Info("can remove the record")
-// 			delete(currVs, BuildKey(rKind, rNs, rName))
-// 		} else {
-// 			v["rules"] = newrs
-// 			// update the violation with new rule
-// 			currVs[BuildKey(rKind, rNs, rName)] = v
-// 		}
-// 		// update violations
-// 		statusMap["violations"] = currVs
-// 		// update status
-// 		unstr["status"] = statusMap
-// 		p.SetUnstructuredContent(unstr)
-// 		_, err = b.client.UpdateStatusResource("Policy", "", p, false)
-// 		if err != nil {
-// 			return err
-// 		}
-// 	}
-// 	return nil
-// }
-
-// func (b *builder) ResourceRemoval(policy, rKind, rNs, rName string) error {
-// 	// Remove the <resource, Violation> pair from map
-// 	statusMap := map[string]interface{}{}
-// 	currVs := map[string]interface{}{}
-// 	// Get the policy
-// 	p, err := b.client.GetResource("Policy", "", policy, "status")
-// 	if err != nil {
-// 		glog.Infof("policy %s not found", policy)
-// 		return err
-// 	}
-// 	unstr := p.UnstructuredContent()
-// 	// check if "status" field exists
-// 	status, ok := unstr["status"]
-// 	if ok {
-// 		// status is already present then we append violations
-// 		if statusMap, ok = status.(map[string]interface{}); !ok {
-// 			return errors.New("Unable to parse status subresource")
-// 		}
-// 		violations, ok := statusMap["violations"]
-// 		if !ok {
-// 			glog.Info("violation not present")
-// 		}
-// 		glog.Info(reflect.TypeOf(violations))
-// 		if currVs, ok = violations.(map[string]interface{}); !ok {
-// 			return errors.New("Unable to parse violations")
-// 		}
-// 		_, ok = currVs[BuildKey(rKind, rNs, rName)]
-// 		if !ok {
-// 			// No Violation for this resource
-// 			return nil
-// 		}
-// 		// remove the pair from the map
-// 		delete(currVs, BuildKey(rKind, rNs, rName))
-// 		glog.Info("Removed Violation")
-// 		// update violations
-// 		statusMap["violations"] = currVs
-// 		// update status
-// 		unstr["status"] = statusMap
-// 		p.SetUnstructuredContent(unstr)
-// 		_, err = b.client.UpdateStatusResource("Policy", "", p, false)
-// 		if err != nil {
-// 			return err
-// 		}
-// 	}
-// 	return nil
-// }
--- a/pkg/violation/util.go
+++ b/pkg/violation/util.go
@ -11,7 +11,7 @@ const workqueueViolationName = "Policy-Violations"
 // Event Reason
 const violationEventResrouce = "Violation"

-//ViolationInfo describes the policyviolation details
+//Info describes the policyviolation details
 type Info struct {
 	Policy string
 	policytype.Violation
@ -25,4 +25,3 @@ func (i Info) getKey() string {
 func BuildKey(rKind, rNs, rName string) string {
 	return rKind + "/" + rNs + "/" + rName
 }
-
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@ -14,8 +14,6 @@ import (
 // If there are no errors in validating rule we apply generation rules
 func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse {
 	policyInfos := []*info.PolicyInfo{}
-	// var violations []*violation.Info
-	// var eventsInfo []*event.Info
 	policies, err := ws.policyLister.List(labels.NewSelector())
 	if err != nil {
 		// Unable to connect to policy Lister to access policies
@ -81,6 +79,7 @@ func (ws *WebhookServer) HandleValidation(request *v1beta1.AdmissionRequest) *v1
 			}
 		}
 		policyInfos = append(policyInfos, policyInfo)
+		// annotations
 		annPatch := addAnnotationsToResource(request.Object.Raw, policyInfo, info.Validation)
 		if annPatch != nil {
 			if annPatches == nil {