annotatiosn and name key change

2025-03-31 03:45:17 +00:00 · 2019-07-23 00:10:18 -04:00 · 2019-07-23 00:10:18 -04:00 · a7aab6fdc6
commit a7aab6fdc6
parent d5979e8387
3 changed files with 70 additions and 25 deletions
--- a/pkg/annotations/utils.go
+++ b/pkg/annotations/utils.go
@ -12,5 +12,5 @@ func getStatus(status bool) string {
 }

 func BuildKey(policyName string) string {
-	return "policies.kyverno.io." + policyName
+	return "policies.kyverno.io/" + policyName
 }
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -104,6 +104,16 @@ func mutation(p *types.Policy, rawResource []byte, gvk *metav1.GroupVersionKind)
 		// no rules were processed
 		return nil, nil
 	}
+	// if there are any errors return
+	for _, r := range ruleInfos {
+		if !r.IsSuccessful() {
+			return ruleInfos, nil
+		}
+	}
+	// if there are no patches // for overlay
+	if len(patches) == 0 {
+		return ruleInfos, nil
+	}
 	// option 2: (original Resource + patch) compare with (original resource)
 	mergePatches := JoinPatches(patches)
 	// merge the patches
--- a/pkg/webhooks/utils.go
+++ b/pkg/webhooks/utils.go
@ -106,46 +106,81 @@ func toBlock(pis []*info.PolicyInfo) bool {
 }

 func checkIfOnlyAnnotationsUpdate(request *v1beta1.AdmissionRequest) bool {
+	var err error
 	// process only if its for existing resources
 	if request.Operation != v1beta1.Update {
 		return false
 	}
-	// updated resoruce
-	obj := request.Object
-	objUnstr := unstructured.Unstructured{}
-	objUnstr.SetKind(request.Kind.Kind)
-	//TODO: hack, set kind for unmarshalling and observed generation
-	obj.Raw = setKindForObject(obj.Raw, request.Kind.Kind)
-	obj.Raw = setObserverdGenerationAsZero(obj.Raw)
-	err := objUnstr.UnmarshalJSON(obj.Raw)
+
+	// approach : we only compare if the addition contains annotations the are added with prefix "policies.kyverno.io"
+	// get annotations for the old resource
+	oldObj := request.OldObject
+	oldObjUnstr := unstructured.Unstructured{}
+	// need to set kind as some request dont contain kind meta-data raw resource but in the api request
+	oldObj.Raw = setKindForObject(oldObj.Raw, request.Kind.Kind)
+	err = oldObjUnstr.UnmarshalJSON(oldObj.Raw)
 	if err != nil {
 		glog.Error(err)
 		return false
 	}
-	objUnstr.SetSelfLink("")
-	objUnstr.SetAnnotations(nil)
-	objUnstr.SetGeneration(0)
-	objUnstr.SetResourceVersion("")
+	oldAnn := oldObjUnstr.GetAnnotations()

-	oldobj := request.OldObject
-	oldobjUnstr := unstructured.Unstructured{}
-	oldobj.Raw = setKindForObject(oldobj.Raw, request.Kind.Kind)
-	oldobj.Raw = setObserverdGenerationAsZero(oldobj.Raw)
-	err = oldobjUnstr.UnmarshalJSON(oldobj.Raw)
+	// get annotations for the new resource
+	newObj := request.Object
+	newObjUnstr := unstructured.Unstructured{}
+	// need to set kind as some request dont contain kind meta-data raw resource but in the api request
+	newObj.Raw = setKindForObject(newObj.Raw, request.Kind.Kind)
+	err = newObjUnstr.UnmarshalJSON(newObj.Raw)
 	if err != nil {
 		glog.Error(err)
 		return false
 	}
-	oldobjUnstr.SetSelfLink("")
-	oldobjUnstr.SetAnnotations(nil)
-	oldobjUnstr.SetGeneration(0)
-	oldobjUnstr.SetResourceVersion("")
+	newAnn := newObjUnstr.GetAnnotations()
+	policiesAppliedNew := 0
+	newAnnPolicy := map[string]string{}
+	// check if annotations changed
+	// assuming that we only add an annotation with the given prefix
+	for k, v := range newAnn {
+		// check prefix
+		policyName := strings.Split(k, "/")
+		if len(policyName) == 1 {
+			continue
+		}
+		if policyName[0] == "policies.kyverno.io" {
+			newAnnPolicy[policyName[1]] = v
+			policiesAppliedNew++
+		}
+	}

-	if reflect.DeepEqual(objUnstr, oldobjUnstr) {
-		glog.Info("only annoations added")
+	oldAnnPolicy := map[string]string{}
+	policiesAppliedOld := 0
+	// check if annotations changed
+	// assuming that we only add an annotation with the given prefix
+	for k, v := range oldAnn {
+		// check prefix
+		policyName := strings.Split(k, "/")
+		if len(policyName) == 1 {
+			continue
+		}
+		if policyName[0] == "policies.kyverno.io" {
+			oldAnnPolicy[policyName[1]] = v
+			policiesAppliedOld++
+		}
+	}
+
+	diffCount := policiesAppliedNew - policiesAppliedOld
+	switch diffCount {
+	case 1: // policy applied
 		return true
+	case -1: // policy removed
+		return true
+	case 0: // no new policy added or remove
+		// need to check if the policy was updated
+		if !reflect.DeepEqual(newAnnPolicy, oldAnnPolicy) {
+			return true
+		}
 	}
-	glog.Info("more than annotations changed")
+	// then there is some other change and we should process it
 	return false
 }