list resources once per policy in the background reconcilliation (#3026)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
2025-04-08 18:15:48 +00:00 · 2022-01-20 00:42:01 +08:00 · 2022-01-20 00:42:01 +08:00 · ad56087b91
commit ad56087b91
parent e39489f838
3 changed files with 28 additions and 26 deletions
--- a/pkg/policy/common.go
+++ b/pkg/policy/common.go
@ -153,7 +153,10 @@ func (pc *PolicyController) getResourceList(kind, namespace string, labelSelecto
 	return resourceList
 }

-// GetResourcesPerNamespace ...
+// GetResourcesPerNamespace returns
+// - Namespaced resources across all namespaces if namespace is set to empty "", for Namespaced Kind
+// - Namespaced resources in the given namespace
+// - Cluster-wide resources for Cluster-wide Kind
 func (pc *PolicyController) getResourcesPerNamespace(kind string, namespace string, rule kyverno.Rule, log logr.Logger) map[string]unstructured.Unstructured {
 	resourceMap := map[string]unstructured.Unstructured{}

--- a/pkg/policy/existing.go
+++ b/pkg/policy/existing.go
@ -203,32 +203,25 @@ func (pc *PolicyController) processExistingKinds(kind []string, policy *kyverno.

 	for _, k := range kind {
 		logger = logger.WithValues("rule", rule.Name, "kind", k)
-		namespaced, err := pc.rm.GetScope(k)
+		_, err := pc.rm.GetScope(k)
 		if err != nil {
 			resourceSchema, _, err := pc.client.DiscoveryClient.FindResource("", k)
 			if err != nil {
 				logger.Error(err, "failed to find resource", "kind", k)
 				continue
 			}
-			namespaced = resourceSchema.Namespaced
-			pc.rm.RegisterScope(k, namespaced)
+			pc.rm.RegisterScope(k, resourceSchema.Namespaced)
 		}

 		// this tracker would help to ensure that even for multiple namespaces, duplicate metric are not generated
 		metricRegisteredTracker := false

-		if !namespaced {
-			pc.applyAndReportPerNamespace(policy, k, "", rule, logger.WithValues("kind", k), &metricRegisteredTracker)
+		if policy.Namespace != "" {
+			ns := policy.Namespace
+			pc.applyAndReportPerNamespace(policy, k, ns, rule, logger.WithValues("kind", k).WithValues("ns", ns), &metricRegisteredTracker)
 			continue
 		}

-		namespaces := pc.getNamespacesForRule(&rule, logger.WithValues("kind", k))
-		for _, ns := range namespaces {
-			// for kind: Policy, consider only the namespace which the policy belongs to.
-			// for kind: ClusterPolicy, consider all the namespaces.
-			if policy.Namespace == ns || policy.Namespace == "" {
-				pc.applyAndReportPerNamespace(policy, k, ns, rule, logger.WithValues("kind", k).WithValues("ns", ns), &metricRegisteredTracker)
-			}
-		}
+		pc.applyAndReportPerNamespace(policy, k, "", rule, logger.WithValues("kind", k), &metricRegisteredTracker)
 	}
 }
--- a/pkg/policy/report.go
+++ b/pkg/policy/report.go
@ -32,9 +32,11 @@ func (pc *PolicyController) report(engineResponses []*response.EngineResponse, l

 	// as engineResponses holds the results for all matched resources in one namespace
 	// we can merge pvInfos into a single object to reduce update frequency (throttling request) on RCR
-	info := mergePvInfos(pvInfos)
-	pc.prGenerator.Add(info)
-	logger.V(4).Info("added a request to RCR generator", "key", info.ToKey())
+	infos := mergePvInfos(pvInfos)
+	for _, info := range infos {
+		pc.prGenerator.Add(info)
+		logger.V(4).Info("added a request to RCR generator", "key", info.ToKey())
+	}
 }

 // forceReconciliation forces a background scan by adding all policies to the workqueue
@ -264,21 +266,25 @@ func generateFailEventsPerEr(log logr.Logger, er *response.EngineResponse) []eve
 	return eventInfos
 }

-func mergePvInfos(infos []policyreport.Info) policyreport.Info {
-	aggregatedInfo := policyreport.Info{}
+func mergePvInfos(infos []policyreport.Info) []policyreport.Info {
+	aggregatedInfo := []policyreport.Info{}
 	if len(infos) == 0 {
-		return aggregatedInfo
+		return nil
 	}

-	var results []policyreport.EngineResponseResult
+	aggregatedInfoPerNamespace := make(map[string]policyreport.Info)
 	for _, info := range infos {
-		for _, res := range info.Results {
-			results = append(results, res)
+		if tmpInfo, ok := aggregatedInfoPerNamespace[info.Namespace]; !ok {
+			aggregatedInfoPerNamespace[info.Namespace] = info
+		} else {
+			tmpInfo.Results = append(tmpInfo.Results, info.Results...)
+			aggregatedInfoPerNamespace[info.Namespace] = tmpInfo
 		}
+
 	}

-	aggregatedInfo.PolicyName = infos[0].PolicyName
-	aggregatedInfo.Namespace = infos[0].Namespace
-	aggregatedInfo.Results = results
+	for _, i := range aggregatedInfoPerNamespace {
+		aggregatedInfo = append(aggregatedInfo, i)
+	}
 	return aggregatedInfo
 }