diff --git a/pkg/policyviolation/clusterpv.go b/pkg/policyviolation/clusterpv.go
index 6d1dbb3d0f..9b4d68415f 100644
--- a/pkg/policyviolation/clusterpv.go
+++ b/pkg/policyviolation/clusterpv.go
@@ -10,7 +10,6 @@ import (
 kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 client "github.com/nirmata/kyverno/pkg/dclient"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- labels "k8s.io/apimachinery/pkg/labels"
 )
 
 //ClusterPV ...
@@ -52,7 +51,15 @@ func (cpv *clusterPV) create(pv kyverno.PolicyViolation) error {
 }
 
 func (cpv *clusterPV) getExisting(newPv kyverno.ClusterPolicyViolation) (*kyverno.ClusterPolicyViolation, error) {
- pvs, err := cpv.cpvLister.List(labels.Everything())
+ var err error
+ // use labels
+ policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
+ ls, err := converLabelToSelector(policyLabelmap)
+ if err != nil {
+ return nil, err
+ }
+
+ pvs, err := cpv.cpvLister.List(ls)
 if err != nil {
 glog.Errorf("unable to list cluster policy violations : %v", err)
 return nil, err
@@ -99,6 +106,7 @@ func (cpv *clusterPV) updatePV(newPv, oldPv *kyverno.ClusterPolicyViolation) err
 }
 // set name
 newPv.SetName(oldPv.Name)
+ newPv.SetResourceVersion(oldPv.ResourceVersion)
 // update resource
 _, err = cpv.kyvernoInterface.ClusterPolicyViolations().Update(newPv)
 
diff --git a/pkg/policyviolation/common.go b/pkg/policyviolation/common.go
index 3680f8edc4..76f00c7a39 100644
--- a/pkg/policyviolation/common.go
+++ b/pkg/policyviolation/common.go
@@ -1,6 +1,7 @@
 package policyviolation
 
 import (
+ "fmt"
 "time"
 
 backoff "github.com/cenkalti/backoff"
@@ -9,6 +10,7 @@ import (
 client "github.com/nirmata/kyverno/pkg/dclient"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/apimachinery/pkg/labels"
 )
 
 func createOwnerReference(resource *unstructured.Unstructured) metav1.OwnerReference {
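Review bot: `var err error` followed by `ls, err := converLabelToSelector(policyLabelmap)` in getExisting is redundant, since `:=` already declares `err` when `ls` is new in that scope, so the `var` line can be dropped; the namespacedpv.go getExisting hunk repeats the same shape. More importantly, the lookup now only finds violations carrying exactly `policy=<Spec.Policy>` and `resource=<ResourceSpec.ToKey()>`: if `ToKey()` yields a value outside the Kubernetes label-value grammar (at most 63 characters, alphanumerics plus `-`, `_`, `.`, no `/`), `LabelSelectorAsSelector` rejects it and getExisting fails on every call, and any violation stored without these two labels (including objects created before this change) is invisible, so a duplicate is created instead of an update. It is worth confirming that the creation path sets the same two labels from the same values, and replacing `// use labels` with a comment stating that contract, e.g. `// match only on the labels set at creation; policy and resource must be valid label values`. getExisting's body continues past the hunk.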
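Review bot: `newPv.SetResourceVersion(oldPv.ResourceVersion)` in updatePV copies a resourceVersion read from the lister cache, so the following Update can fail with a Conflict whenever the live object changed after the cache was filled, and updatePV does not retry. Treating that case as retryable (checking `errors.IsConflict` from `k8s.io/apimachinery/pkg/api/errors` before wrapping, or re-reading the live object before Update) would make the update robust; the same applies to the namespacedpv.go updatePV hunk, where the visible `%v` wrap also discards the typed status error the caller would need for that check. A comment on the new line would at least record the behaviour: `// resourceVersion comes from the cache and may be stale; Update then returns a Conflict`. updatePV continues past the hunk.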
@@ -97,3 +99,18 @@ func GetOwner(dclient *client.Client, ownerMap map[kyverno.ResourceSpec]interfac
 GetOwner(dclient, ownerMap, *owner)
 }
 }
+
+func converLabelToSelector(labelMap map[string]string) (labels.Selector, error) {
+ ls := &metav1.LabelSelector{}
+ err := metav1.Convert_Map_string_To_string_To_v1_LabelSelector(&labelMap, ls, nil)
+ if err != nil {
+ return nil, err
+ }
+
+ policyViolationSelector, err := metav1.LabelSelectorAsSelector(ls)
+ if err != nil {
+ return nil, fmt.Errorf("invalid label selector: %v", err)
+ }
+
+ return policyViolationSelector, nil
+}
diff --git a/pkg/policyviolation/namespacedpv.go b/pkg/policyviolation/namespacedpv.go
index a099cd4728..fe0ef92a08 100644
--- a/pkg/policyviolation/namespacedpv.go
+++ b/pkg/policyviolation/namespacedpv.go
@@ -10,7 +10,6 @@ import (
 kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1"
 client "github.com/nirmata/kyverno/pkg/dclient"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- labels "k8s.io/apimachinery/pkg/labels"
 )
 
 //NamespacedPV ...
@@ -52,7 +51,14 @@ func (nspv *namespacedPV) create(pv kyverno.PolicyViolation) error {
 }
 
 func (nspv *namespacedPV) getExisting(newPv kyverno.NamespacedPolicyViolation) (*kyverno.NamespacedPolicyViolation, error) {
- pvs, err := nspv.nspvLister.NamespacedPolicyViolations(newPv.GetNamespace()).List(labels.NewSelector())
+ var err error
+ // use labels
+ policyLabelmap := map[string]string{"policy": newPv.Spec.Policy, "resource": newPv.Spec.ResourceSpec.ToKey()}
+ ls, err := converLabelToSelector(policyLabelmap)
+ if err != nil {
+ return nil, err
+ }
+ pvs, err := nspv.nspvLister.NamespacedPolicyViolations(newPv.GetNamespace()).List(ls)
 if err != nil {
 glog.Errorf("unable to list namespaced policy violations : %v", err)
 return nil, err
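Review bot: converLabelToSelector routes the map through `metav1.Convert_Map_string_To_string_To_v1_LabelSelector`, a generated conversion helper, when a `&metav1.LabelSelector{MatchLabels: labelMap}` literal expresses the same selector directly, and the new function carries no doc comment (its name also drops the `t` of "convert"; renaming it means touching both getExisting callers). The doc comment should state that `LabelSelectorAsSelector` returns a match-everything selector for an empty map, because getExisting in clusterpv.go and namespacedpv.go relies on this helper to narrow the lookup and an empty map would make it list every violation rather than none. The first error is returned bare and the second wrapped with `%v`; pick one style, `%w` if the module's Go version is 1.13 or later. A trimmed version that keeps the existing name so callers are unaffected:
```go
// converLabelToSelector builds an equality selector (key=value for every
// entry of labelMap). An empty map yields a selector that matches everything;
// a value outside the Kubernetes label-value grammar is rejected with an error.
func converLabelToSelector(labelMap map[string]string) (labels.Selector, error) {
	sel, err := metav1.LabelSelectorAsSelector(&metav1.LabelSelector{MatchLabels: labelMap})
	if err != nil {
		return nil, fmt.Errorf("invalid label selector: %v", err)
	}
	return sel, nil
}
```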
@@ -99,9 +105,9 @@ func (nspv *namespacedPV) updatePV(newPv, oldPv *kyverno.NamespacedPolicyViolati
 }
 // set name
 newPv.SetName(oldPv.Name)
-
+ newPv.SetResourceVersion(oldPv.ResourceVersion)
 // update resource
- _, err = nspv.kyvernoInterface.NamespacedPolicyViolations(newPv.GetNamespace()).Create(newPv)
+ _, err = nspv.kyvernoInterface.NamespacedPolicyViolations(newPv.GetNamespace()).Update(newPv)
 if err != nil {
 return fmt.Errorf("failed to update namespaced polciy violation: %v", err)
 }