skip inserting auto-gen annotation to podController on UPDATE admission request (#953)

2024-12-14 11:57:48 +00:00 · 2020-06-25 17:24:10 -07:00 · 2020-06-25 17:24:10 -07:00 · abb51348cf
commit abb51348cf
parent 1ccd5e6e0f
2 changed files with 12 additions and 0 deletions
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -2,6 +2,7 @@ package engine

 import (
 	"encoding/json"
+	"reflect"
 	"strings"
 	"time"

@ -105,6 +106,12 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	}

 	// insert annotation to podtemplate if resource is pod controller
+	// skip inserting on UPDATE request
+	if !reflect.DeepEqual(policyContext.OldResource, unstructured.Unstructured{}) {
+		resp.PatchedResource = patchedResource
+		return resp
+	}
+
 	// skip inserting on existing resource
 	if policy.HasAutoGenAnnotation() && strings.Contains(PodControllers, resource.GetKind()) {
 		if !patchedResourceHasPodControllerAnnotation(patchedResource) {
--- a/pkg/webhooks/mutation.go
+++ b/pkg/webhooks/mutation.go
@ -40,6 +40,11 @@ func (ws *WebhookServer) HandleMutation(
 		Context:       ctx,
 	}

+	if request.Operation == v1beta1.Update {
+		// set OldResource to inform engine of operation type
+		policyContext.OldResource = resource
+	}
+
 	for _, policy := range policies {
 		logger.V(3).Info("evaluating policy", "policy", policy.Name)