diff --git a/pkg/background/common/resource.go b/pkg/background/common/resource.go index 25c1ed6670..2f5ffa7eeb 100644 --- a/pkg/background/common/resource.go +++ b/pkg/background/common/resource.go @@ -8,7 +8,7 @@ import ( logr "github.com/go-logr/logr" kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1" "github.com/kyverno/kyverno/pkg/clients/dclient" - "github.com/kyverno/kyverno/pkg/common" + retryutils "github.com/kyverno/kyverno/pkg/utils/retry" admissionv1 "k8s.io/api/admission/v1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -41,12 +41,12 @@ func GetResource(client dclient.Interface, urSpec kyvernov1beta1.UpdateRequestSp var resource *unstructured.Unstructured var err error - retry := func() error { + retry := func(_ context.Context) error { resource, err = get() return err } - f := common.RetryFunc(time.Second, 5*time.Second, retry, "failed to get resource", log.WithName("getResource")) + f := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, log.WithName("getResource"), "failed to get resource", retry) if err := f(); err != nil { return nil, err } diff --git a/pkg/background/generate/generate.go b/pkg/background/generate/generate.go index 9e5583c4a4..1933cdbc41 100644 --- a/pkg/background/generate/generate.go +++ b/pkg/background/generate/generate.go @@ -19,7 +19,6 @@ import ( kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1" "github.com/kyverno/kyverno/pkg/clients/dclient" - pkgcommon "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/engine" enginecontext "github.com/kyverno/kyverno/pkg/engine/context" 
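Review bot: In GetResource (pkg/background/common/resource.go) the new closure `func(_ context.Context) error` discards the context that RetryFunc hands it, so the five-second deadline never reaches `get()`. RetryFunc invokes `run` synchronously inside its select, so a stalled API call keeps the background worker blocked past the timeout. If the lookup behind `get()` can accept a context (its definition is outside the hunk), pass it through, e.g. `retry := func(ctx context.Context) error { resource, err = get(ctx); return err }`, and replace `context.TODO()` with a caller context once GetResource has one. GetResource starts and ends outside the hunk.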
@@ -30,6 +29,7 @@ import ( "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/registryclient" kyvernoutils "github.com/kyverno/kyverno/pkg/utils" + engineutils "github.com/kyverno/kyverno/pkg/utils/engine" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" "golang.org/x/exp/slices" apierrors "k8s.io/apimachinery/pkg/api/errors" @@ -157,7 +157,7 @@ func (c *GenerateController) ProcessUR(ur *kyvernov1beta1.UpdateRequest) error { } // 2 - Apply the generate policy on the resource - namespaceLabels := pkgcommon.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), c.nsLister, logger) + namespaceLabels := engineutils.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), c.nsLister, logger) genResources, precreatedResource, err = c.applyGenerate(*resource, *ur, namespaceLabels) if err != nil { diff --git a/pkg/background/update_request_controller.go b/pkg/background/update_request_controller.go index 0583feb8d6..32a088f37c 100644 --- a/pkg/background/update_request_controller.go +++ b/pkg/background/update_request_controller.go @@ -3,6 +3,7 @@ package background import ( "context" "fmt" + "strings" "time" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" @@ -16,12 +17,12 @@ import ( kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1" kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1" "github.com/kyverno/kyverno/pkg/clients/dclient" - pkgCommon "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/engine/context/resolvers" "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/registryclient" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" + "github.com/pkg/errors" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" 
@@ -349,7 +350,7 @@ func (c *controller) deletePolicy(obj interface{}) { logger.V(4).Info("updating policy", "key", key) // check if deleted policy is clone generate policy - generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(p, c.client, c.kyvernoClient, c.urLister, p.GetName(), logger) + generatePolicyWithClone := c.processDeletePolicyForCloneGenerateRule(p, p.GetName()) // get the generated resource name from update request selector := labels.SelectorFromSet(labels.Set(map[string]string{ 
@@ -480,3 +481,67 @@ func (c *controller) getPolicy(key string) (kyvernov1.PolicyInterface, error) { } return c.polLister.Policies(namespace).Get(name) } + +func (c *controller) processDeletePolicyForCloneGenerateRule(policy kyvernov1.PolicyInterface, pName string) bool { + generatePolicyWithClone := false + for _, rule := range policy.GetSpec().Rules { + clone, sync := rule.GetCloneSyncForGenerate() + if !(clone && sync) { + continue + } + logger.V(4).Info("generate policy with clone, remove policy name from label of source resource") + generatePolicyWithClone = true + var retryCount int + for retryCount < 5 { + err := c.updateSourceResource(policy.GetName(), rule) + if err != nil { + logger.Error(err, "failed to update generate source resource labels") + if apierrors.IsConflict(err) { + retryCount++ + } else { + break + } + } + break + } + } + + return generatePolicyWithClone +} + +func (c *controller) updateSourceResource(pName string, rule kyvernov1.Rule) error { + obj, err := c.client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name) + if err != nil { + return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name) + } + + var update bool + labels := obj.GetLabels() + update, labels = removePolicyFromLabels(pName, labels) + if !update { + return nil + } + + obj.SetLabels(labels) + _, err = c.client.UpdateResource(context.TODO(), obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false) + return err +} + +func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[string]string) { + if len(labels) == 0 { + return false, labels + } + if labels["generate.kyverno.io/clone-policy-name"] != "" { + policyNames := labels["generate.kyverno.io/clone-policy-name"] + if strings.Contains(policyNames, pName) { + desiredLabels := make(map[string]string, len(labels)-1) + for k, v := 
range labels { + if k != "generate.kyverno.io/clone-policy-name" { + desiredLabels[k] = v + } + } + return true, desiredLabels + } + } + return false, labels +} diff --git a/pkg/common/common.go b/pkg/common/common.go deleted file mode 100644 index e0b3c5aeae..0000000000 --- a/pkg/common/common.go +++ /dev/null 
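Review bot: In processDeletePolicyForCloneGenerateRule the unconditional `break` at the end of the `for retryCount < 5` body ends the loop after the first attempt, so a conflict from updateSourceResource is counted but never retried and the clone source keeps its `generate.kyverno.io/clone-policy-name` label. Adding `continue` right after `retryCount++` restores the intended retry. The `pName` parameter is unused, since the loop passes `policy.GetName()` instead. removePolicyFromLabels matches with `strings.Contains(policyNames, pName)`, which also fires when one policy name is a substring of another and then drops the whole label; if the value can hold several names (not visible here), compare whole entries rather than substrings.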
@@ -1,150 +0,0 @@ -package common - -import ( - "context" - "encoding/json" - "strings" - "time" - - "github.com/go-logr/logr" - kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - "github.com/kyverno/kyverno/pkg/client/clientset/versioned" - kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1" - "github.com/kyverno/kyverno/pkg/clients/dclient" - enginutils "github.com/kyverno/kyverno/pkg/engine/utils" - "github.com/kyverno/kyverno/pkg/logging" - "github.com/pkg/errors" - corev1 "k8s.io/api/core/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" - corev1listers "k8s.io/client-go/listers/core/v1" -) - -// Policy Reporting Types -const ( - PolicyViolation = "POLICYVIOLATION" - PolicyReport = "POLICYREPORT" -) - -// GetNamespaceSelectorsFromNamespaceLister - extract the namespacelabels when namespace lister is passed -func GetNamespaceSelectorsFromNamespaceLister(kind, namespaceOfResource string, nsLister corev1listers.NamespaceLister, logger logr.Logger) map[string]string { - namespaceLabels := make(map[string]string) - if kind != "Namespace" && namespaceOfResource != "" { - namespaceObj, err := nsLister.Get(namespaceOfResource) - if err != nil { - logging.Error(err, "failed to get the namespace", "name", namespaceOfResource) - return namespaceLabels - } - return GetNamespaceLabels(namespaceObj, logger) - } - return namespaceLabels -} - -// GetNamespaceLabels - from namespace obj -func GetNamespaceLabels(namespaceObj *corev1.Namespace, logger logr.Logger) map[string]string { - namespaceObj.Kind = "Namespace" - namespaceRaw, err := json.Marshal(namespaceObj) - if err != nil { - logger.Error(err, "failed to marshal namespace") - } - namespaceUnstructured, err := enginutils.ConvertToUnstructured(namespaceRaw) - if err != nil { - logger.Error(err, "failed to convert object resource to unstructured format") - } - return namespaceUnstructured.GetLabels() -} - -// RetryFunc allows retrying a function on error within a given timeout 
-func RetryFunc(retryInterval, timeout time.Duration, run func() error, msg string, logger logr.Logger) func() error { - return func() error { - registerTimeout := time.After(timeout) - registerTicker := time.NewTicker(retryInterval) - defer registerTicker.Stop() - var err error - - loop: - for { - select { - case <-registerTicker.C: - err = run() - if err != nil { - logger.V(3).Info(msg, "reason", err.Error()) - } else { - break loop - } - - case <-registerTimeout: - return errors.Wrap(err, "retry times out") - } - } - return nil - } -} - -func ProcessDeletePolicyForCloneGenerateRule(policy kyvernov1.PolicyInterface, client dclient.Interface, kyvernoClient versioned.Interface, urlister kyvernov1beta1listers.UpdateRequestNamespaceLister, pName string, logger logr.Logger) bool { - generatePolicyWithClone := false - for _, rule := range policy.GetSpec().Rules { - clone, sync := rule.GetCloneSyncForGenerate() - if !(clone && sync) { - continue - } - - logger.V(4).Info("generate policy with clone, remove policy name from label of source resource") - generatePolicyWithClone = true - - var retryCount int - for retryCount < 5 { - err := updateSourceResource(policy.GetName(), rule, client, logger) - if err != nil { - logger.Error(err, "failed to update generate source resource labels") - if apierrors.IsConflict(err) { - retryCount++ - } else { - break - } - } - break - } - } - - return generatePolicyWithClone -} - -func updateSourceResource(pName string, rule kyvernov1.Rule, client dclient.Interface, log logr.Logger) error { - obj, err := client.GetResource(context.TODO(), "", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name) - if err != nil { - return errors.Wrapf(err, "source resource %s/%s/%s not found", rule.Generation.Kind, rule.Generation.Clone.Namespace, rule.Generation.Clone.Name) - } - - var update bool - labels := obj.GetLabels() - update, labels = removePolicyFromLabels(pName, labels) - if !update { - return nil - } - - 
obj.SetLabels(labels) - _, err = client.UpdateResource(context.TODO(), obj.GetAPIVersion(), rule.Generation.Kind, rule.Generation.Clone.Namespace, obj, false) - return err -} - -func removePolicyFromLabels(pName string, labels map[string]string) (bool, map[string]string) { - if len(labels) == 0 { - return false, labels - } - - if labels["generate.kyverno.io/clone-policy-name"] != "" { - policyNames := labels["generate.kyverno.io/clone-policy-name"] - if strings.Contains(policyNames, pName) { - desiredLabels := make(map[string]string, len(labels)-1) - for k, v := range labels { - if k != "generate.kyverno.io/clone-policy-name" { - desiredLabels[k] = v - } - } - - return true, desiredLabels - } - } - - return false, labels -} diff --git a/pkg/controllers/certmanager/controller.go b/pkg/controllers/certmanager/controller.go index dd8de74ea5..bd36dc0316 100644 --- a/pkg/controllers/certmanager/controller.go +++ b/pkg/controllers/certmanager/controller.go @@ -5,11 +5,11 @@ import ( "time" "github.com/go-logr/logr" - "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/controllers" "github.com/kyverno/kyverno/pkg/tls" controllerutils "github.com/kyverno/kyverno/pkg/utils/controller" + retryutils "github.com/kyverno/kyverno/pkg/utils/retry" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" 
@@ -102,10 +102,10 @@ func (c *controller) ticker(ctx context.Context, logger logr.Logger) { } func (c *controller) renewCertificates() error { - if err := common.RetryFunc(time.Second, 5*time.Second, c.renewer.RenewCA, "failed to renew CA", logger)(); err != nil { + if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew CA", c.renewer.RenewCA)(); err != nil { return err } - if err := common.RetryFunc(time.Second, 5*time.Second, c.renewer.RenewTLS, "failed to renew TLS", logger)(); err != nil { + if err := retryutils.RetryFunc(context.TODO(), time.Second, 5*time.Second, logger, "failed to renew TLS", c.renewer.RenewTLS)(); err != nil { return err } return nil diff --git a/pkg/policy/existing.go b/pkg/policy/existing.go index 6a9c4697ac..89a9c7ab1f 100644 --- a/pkg/policy/existing.go +++ b/pkg/policy/existing.go @@ -10,12 +10,12 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" "github.com/kyverno/kyverno/pkg/autogen" - "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/metrics" policyExecutionDuration "github.com/kyverno/kyverno/pkg/metrics/policyexecutionduration" policyResults "github.com/kyverno/kyverno/pkg/metrics/policyresults" + engineutils "github.com/kyverno/kyverno/pkg/utils/engine" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) 
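Review bot: renewCertificates passes `context.TODO()` to both RetryFunc calls although the hunk header shows that ticker already receives a `ctx`, so controller shutdown cannot cancel an in-flight CA or TLS secret write; only the five-second timeout bounds it. Consider `func (c *controller) renewCertificates(ctx context.Context) error` and passing that ctx as `retryutils.RetryFunc(ctx, ...)`; whether ticker is the caller is not visible in this hunk. The closing brace of renewCertificates is outside the hunk.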
@@ -80,7 +80,7 @@ func (pc *PolicyController) applyPolicy(policy kyvernov1.PolicyInterface, resour logger.V(4).Info("policy and resource already processed", "policyResourceVersion", policy.GetResourceVersion(), "resourceResourceVersion", resource.GetResourceVersion(), "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName()) } - namespaceLabels := common.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger) + namespaceLabels := engineutils.GetNamespaceSelectorsFromNamespaceLister(resource.GetKind(), resource.GetNamespace(), pc.nsLister, logger) engineResponse := applyPolicy(policy, resource, logger, pc.configHandler.GetExcludeGroupRole(), pc.client, pc.rclient, pc.informerCacheResolvers, namespaceLabels) engineResponses = append(engineResponses, engineResponse...) diff --git a/pkg/tls/renewer.go b/pkg/tls/renewer.go index c49ff42ca8..272dc757b7 100644 --- a/pkg/tls/renewer.go +++ b/pkg/tls/renewer.go @@ -35,9 +35,9 @@ type CertValidator interface { type CertRenewer interface { // RenewCA renews the CA certificate if needed - RenewCA() error + RenewCA(context.Context) error // RenewTLS renews the TLS certificate if needed - RenewTLS() error + RenewTLS(context.Context) error } // certRenewer creates rootCA and pem pair to register @@ -74,7 +74,7 @@ func NewCertRenewer( } // RenewCA renews the CA certificate if needed -func (c *certRenewer) RenewCA() error { +func (c *certRenewer) RenewCA(ctx context.Context) error { secret, key, certs, err := c.decodeCASecret() if err != nil && !apierrors.IsNotFound(err) { logger.Error(err, "failed to read CA") @@ -97,7 +97,7 @@ func (c *certRenewer) RenewCA() error { return err } certs = append(certs, caCert) - if err := c.writeCASecret(caKey, certs...); err != nil { + if err := c.writeCASecret(ctx, caKey, certs...); err != nil { logger.Error(err, "failed to write CA") return err } 
@@ -106,7 +106,7 @@ func (c *certRenewer) RenewCA() error { } // RenewTLS renews the TLS certificate if needed -func (c *certRenewer) RenewTLS() error { +func (c *certRenewer) RenewTLS(ctx context.Context) error { _, caKey, caCerts, err := c.decodeCASecret() if err != nil { logger.Error(err, "failed to read CA") @@ -132,7 +132,7 @@ func (c *certRenewer) RenewTLS() error { logger.Error(err, "failed to generate TLS") return err } - if err := c.writeTLSSecret(tlsKey, tlsCert); err != nil { + if err := c.writeTLSSecret(ctx, tlsKey, tlsCert); err != nil { logger.Error(err, "failed to write TLS") return err } @@ -203,7 +203,7 @@ func (c *certRenewer) decodeTLSSecret() (*corev1.Secret, *rsa.PrivateKey, *x509. } } -func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error { +func (c *certRenewer) writeSecret(ctx context.Context, name string, key *rsa.PrivateKey, certs ...*x509.Certificate) error { logger := logger.WithValues("name", name, "namespace", config.KyvernoNamespace()) secret, err := c.getSecret(name) if err != nil && !apierrors.IsNotFound(err) { @@ -228,14 +228,14 @@ func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x5 corev1.TLSPrivateKeyKey: privateKeyToPem(key), } if secret.ResourceVersion == "" { - if _, err := c.client.Create(context.TODO(), secret, metav1.CreateOptions{}); err != nil { + if _, err := c.client.Create(ctx, secret, metav1.CreateOptions{}); err != nil { logger.Error(err, "failed to update secret") return err } else { logger.Info("secret created") } } else { - if _, err := c.client.Update(context.TODO(), secret, metav1.UpdateOptions{}); err != nil { + if _, err := c.client.Update(ctx, secret, metav1.UpdateOptions{}); err != nil { logger.Error(err, "failed to update secret") return err } else { 
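Review bot: In writeSecret (pkg/tls/renewer.go) the Create branch still logs `failed to update secret`, so a failed first-time creation of the CA or TLS secret reads as an update failure when someone reviews certificate-rotation logs; `logger.Error(err, "failed to create secret")` keeps the two cases apart. The new ctx is also threaded only into the writes: `c.getSecret(name)` here and `c.decodeCASecret()` in RenewCA and RenewTLS are still called without it, so depending on how they read (not visible) the retry deadline may not bound them. writeSecret starts and ends outside these hunks.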
@@ -246,11 +246,11 @@ func (c *certRenewer) writeSecret(name string, key *rsa.PrivateKey, certs ...*x5 } // writeCASecret stores the CA cert in secret -func (c *certRenewer) writeCASecret(key *rsa.PrivateKey, certs ...*x509.Certificate) error { - return c.writeSecret(GenerateRootCASecretName(), key, certs...) +func (c *certRenewer) writeCASecret(ctx context.Context, key *rsa.PrivateKey, certs ...*x509.Certificate) error { + return c.writeSecret(ctx, GenerateRootCASecretName(), key, certs...) } // writeTLSSecret Writes the pair of TLS certificate and key to the specified secret. -func (c *certRenewer) writeTLSSecret(key *rsa.PrivateKey, cert *x509.Certificate) error { - return c.writeSecret(GenerateTLSPairSecretName(), key, cert) +func (c *certRenewer) writeTLSSecret(ctx context.Context, key *rsa.PrivateKey, cert *x509.Certificate) error { + return c.writeSecret(ctx, GenerateTLSPairSecretName(), key, cert) } diff --git a/pkg/utils/engine/labels.go b/pkg/utils/engine/labels.go new file mode 100644 index 0000000000..df0d0864ec --- /dev/null +++ b/pkg/utils/engine/labels.go @@ -0,0 +1,21 @@ +package engine + +import ( + "github.com/go-logr/logr" + "github.com/kyverno/kyverno/pkg/logging" + corev1listers "k8s.io/client-go/listers/core/v1" +) + +// GetNamespaceSelectorsFromNamespaceLister - extract the namespacelabels when namespace lister is passed +func GetNamespaceSelectorsFromNamespaceLister(kind, namespaceOfResource string, nsLister corev1listers.NamespaceLister, logger logr.Logger) map[string]string { + namespaceLabels := make(map[string]string) + if kind != "Namespace" && namespaceOfResource != "" { + namespaceObj, err := nsLister.Get(namespaceOfResource) + if err != nil { + logging.Error(err, "failed to get the namespace", "name", namespaceOfResource) + return namespaceLabels + } + return namespaceObj.DeepCopy().GetLabels() + } + return namespaceLabels +} 
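Review bot: GetNamespaceSelectorsFromNamespaceLister in the new pkg/utils/engine/labels.go returns an empty map when `nsLister.Get` fails, so callers cannot tell "namespace has no labels" from "lookup failed". The admission handlers changed in this commit (Validate, applyMutation, generationHandler.Handle) pass the result on as namespace labels, so a lister miss presumably makes namespaceSelector-scoped rules evaluate against no labels. The doc comment should state this, e.g. `// On lister error the error is logged and an empty map is returned; callers cannot distinguish this from a namespace without labels.` The error is also logged through the global `logging.Error` while the `logger` parameter is never used; `logger.Error(err, "failed to get the namespace", "name", namespaceOfResource)` would keep the caller's logging context.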
diff --git a/pkg/utils/retry/retry.go b/pkg/utils/retry/retry.go new file mode 100644 index 0000000000..f77c4e9d0d --- /dev/null +++ b/pkg/utils/retry/retry.go @@ -0,0 +1,32 @@ +package retry + +import ( + "context" + "time" + + "github.com/go-logr/logr" + "github.com/pkg/errors" +) + +// RetryFunc allows retrying a function on error within a given timeout +func RetryFunc(ctx context.Context, retryInterval, timeout time.Duration, logger logr.Logger, msg string, run func(context.Context) error) func() error { + return func() error { + ctx, cancel := context.WithTimeout(ctx, timeout) + defer cancel() + registerTicker := time.NewTicker(retryInterval) + defer registerTicker.Stop() + var err error + for { + select { + case <-registerTicker.C: + if err = run(ctx); err != nil { + logger.V(3).Info(msg, "reason", err.Error()) + } else { + return nil + } + case <-ctx.Done(): + return errors.Wrap(err, "retry times out") + } + } + } +} diff --git a/pkg/webhooks/resource/generation/generation.go b/pkg/webhooks/resource/generation/generation.go index 4eeae428f9..58abdfcf5e 100644 --- a/pkg/webhooks/resource/generation/generation.go +++ b/pkg/webhooks/resource/generation/generation.go @@ -14,7 +14,6 @@ import ( "github.com/kyverno/kyverno/pkg/client/clientset/versioned" kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1" "github.com/kyverno/kyverno/pkg/clients/dclient" - "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/response" @@ -22,6 +21,7 @@ import ( "github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/metrics" "github.com/kyverno/kyverno/pkg/registryclient" + engineutils "github.com/kyverno/kyverno/pkg/utils/engine" webhookgenerate "github.com/kyverno/kyverno/pkg/webhooks/updaterequest" webhookutils "github.com/kyverno/kyverno/pkg/webhooks/utils" admissionv1 "k8s.io/api/admission/v1" 
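Review bot: In RetryFunc (pkg/utils/retry/retry.go) the `ctx.Done()` branch returns `errors.Wrap(err, "retry times out")`, and Wrap from github.com/pkg/errors returns nil when `err` is nil. If the context ends before the first tick (parent already cancelled, or `timeout` shorter than `retryInterval`), `run` never executed and the caller still gets nil, so a certificate renewal or resource fetch would be reported as successful. Set the cause before wrapping: `if err == nil { err = ctx.Err() }`. The first attempt also happens only after one full `retryInterval`, which the function comment should mention.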
@@ -91,7 +91,7 @@ func (h *generationHandler) Handle( var rules []response.RuleResponse policyContext := policyContext.WithPolicy(policy) if request.Kind.Kind != "Namespace" && request.Namespace != "" { - policyContext = policyContext.WithNamespaceLabels(common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log)) + policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log)) } engineResponse := engine.ApplyBackgroundChecks(h.rclient, policyContext) for _, rule := range engineResponse.PolicyResponse.Rules { diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go index 9d581c50c5..f00f28bbdc 100644 --- a/pkg/webhooks/resource/handlers.go +++ b/pkg/webhooks/resource/handlers.go @@ -12,7 +12,6 @@ import ( kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1" kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1" "github.com/kyverno/kyverno/pkg/clients/dclient" - "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/config" enginectx "github.com/kyverno/kyverno/pkg/engine/context" "github.com/kyverno/kyverno/pkg/engine/context/resolvers" @@ -23,6 +22,7 @@ import ( "github.com/kyverno/kyverno/pkg/policycache" "github.com/kyverno/kyverno/pkg/registryclient" admissionutils "github.com/kyverno/kyverno/pkg/utils/admission" + engineutils "github.com/kyverno/kyverno/pkg/utils/engine" jsonutils "github.com/kyverno/kyverno/pkg/utils/json" "github.com/kyverno/kyverno/pkg/webhooks" "github.com/kyverno/kyverno/pkg/webhooks/resource/generation" 
@@ -134,7 +134,7 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad namespaceLabels := make(map[string]string) if request.Kind.Kind != "Namespace" && request.Namespace != "" { - namespaceLabels = common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger) + namespaceLabels = engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, logger) } vh := validation.NewValidationHandler(logger, h.kyvernoClient, h.rclient, h.pCache, h.pcBuilder, h.eventGen, h.admissionReports, h.metricsConfig) diff --git a/pkg/webhooks/resource/mutation/mutation.go b/pkg/webhooks/resource/mutation/mutation.go index 3dd3eef8d0..488f9aa7e8 100644 --- a/pkg/webhooks/resource/mutation/mutation.go +++ b/pkg/webhooks/resource/mutation/mutation.go @@ -8,7 +8,6 @@ import ( "github.com/go-logr/logr" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - "github.com/kyverno/kyverno/pkg/common" "github.com/kyverno/kyverno/pkg/engine" "github.com/kyverno/kyverno/pkg/engine/response" "github.com/kyverno/kyverno/pkg/event" @@ -156,7 +155,7 @@ func (v *mutationHandler) applyMutations( func (h *mutationHandler) applyMutation(ctx context.Context, request *admissionv1.AdmissionRequest, policyContext *engine.PolicyContext) (*response.EngineResponse, [][]byte, error) { if request.Kind.Kind != "Namespace" && request.Namespace != "" { - policyContext = policyContext.WithNamespaceLabels(common.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log)) + policyContext = policyContext.WithNamespaceLabels(engineutils.GetNamespaceSelectorsFromNamespaceLister(request.Kind.Kind, request.Namespace, h.nsLister, h.log)) } engineResponse := engine.Mutate(ctx, h.rclient, policyContext)