chore: add dryrun as label (#11962)

* chore: add dryrun as label Signed-off-by: Javier Solana <javier.solana@cabify.com> * check request.Dryrun to avoif SIGSEGV Signed-off-by: Javier Solana <javier.solana@cabify.com> * chore: add dryrun Signed-off-by: Javier Solana <javier.solana@cabify.com> * chore: add dryrun Signed-off-by: Javier Solana <javier.solana@cabify.com> * chore: update doc to add DryRun Signed-off-by: Javier Solana <javier.solana@cabify.com> * chore: update to add DryRun Signed-off-by: Javier Solana <javier.solana@cabify.com> * chore: update crds Signed-off-by: ShutingZhao <shuting@nirmata.com> --------- Signed-off-by: Javier Solana <javier.solana@cabify.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> Co-authored-by: Javier Solana <javier.solana@cabify.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-24 08:36:46 +00:00 · 2025-03-07 16:30:22 +01:00 · 2025-03-07 16:30:22 +01:00 · b00b2c96c8
commit b00b2c96c8
parent 29849e196f
11 changed files with 85 additions and 5 deletions
--- a/api/kyverno/v2/updaterequest_types.go
+++ b/api/kyverno/v2/updaterequest_types.go
@ -144,6 +144,11 @@ type RequestInfo struct {
 	// UserInfo is the userInfo carried in the admission request.
 	// +optional
 	AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo"`
 	// DryRun indicates that modifications will definitely not be persisted for this request.
 	// Defaults to false.
 	// +optional
 	DryRun bool `json:"synchronize,omitempty"`
 }
 // AdmissionRequestInfoObject stores the admission request and operation details
--- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml
@ -660,6 +660,11 @@ spec:
                          type: string
                        nullable: true
                        type: array
                      synchronize:
                        description: |-
                          DryRun indicates that modifications will definitely not be persisted for this request.
                          Defaults to false.
                        type: boolean
                      userInfo:
                        description: UserInfo is the userInfo carried in the admission
                          request.
--- a/cmd/cli/kubectl-kyverno/config/crds/cli.kyverno.io_userinfoes.yaml
+++ b/cmd/cli/kubectl-kyverno/config/crds/cli.kyverno.io_userinfoes.yaml
@ -49,6 +49,11 @@ spec:
              type: string
            nullable: true
            type: array
          synchronize:
            description: |-
              DryRun indicates that modifications will definitely not be persisted for this request.
              Defaults to false.
            type: boolean
          userInfo:
            description: UserInfo is the userInfo carried in the admission request.
            properties:
--- a/cmd/cli/kubectl-kyverno/data/crds/cli.kyverno.io_userinfoes.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/cli.kyverno.io_userinfoes.yaml
@ -49,6 +49,11 @@ spec:
              type: string
            nullable: true
            type: array
          synchronize:
            description: |-
              DryRun indicates that modifications will definitely not be persisted for this request.
              Defaults to false.
            type: boolean
          userInfo:
            description: UserInfo is the userInfo carried in the admission request.
            properties:
--- a/config/crds/kyverno/kyverno.io_updaterequests.yaml
+++ b/config/crds/kyverno/kyverno.io_updaterequests.yaml
@ -654,6 +654,11 @@ spec:
                          type: string
                        nullable: true
                        type: array
                      synchronize:
                        description: |-
                          DryRun indicates that modifications will definitely not be persisted for this request.
                          Defaults to false.
                        type: boolean
                      userInfo:
                        description: UserInfo is the userInfo carried in the admission
                          request.
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -48304,6 +48304,11 @@ spec:
                          type: string
                        nullable: true
                        type: array
                      synchronize:
                        description: |-
                          DryRun indicates that modifications will definitely not be persisted for this request.
                          Defaults to false.
                        type: boolean
                      userInfo:
                        description: UserInfo is the userInfo carried in the admission
                          request.
--- a/docs/user/crd/index.html
+++ b/docs/user/crd/index.html
@ -6946,6 +6946,19 @@ Kubernetes authentication/v1.UserInfo
 <p>UserInfo is the userInfo carried in the admission request.</p>
 </td>
 </tr>
 <tr>
 <td>
 <code>synchronize</code><br/>
 <em>
 bool
 </em>
 </td>
 <td>
 <em>(Optional)</em>
 <p>DryRun indicates that modifications will definitely not be persisted for this request.
 Defaults to false.</p>
 </td>
 </tr>
 </tbody>
 </table>
 <hr />
--- a/docs/user/crd/kyverno.v2.html
+++ b/docs/user/crd/kyverno.v2.html
@ -2419,6 +2419,34 @@ Applicable only to policies that have validate.podSecurity subrule.</p>
      </tr>
      <tr>
        <td><code>synchronize</code>
          </br>
              <span style="font-family: monospace">bool</span>
        </td>
        <td>
          <p>DryRun indicates that modifications will definitely not be persisted for this request.
 Defaults to false.</p>
        </td>
      </tr>
      </tbody>
--- a/pkg/engine/engine.go
+++ b/pkg/engine/engine.go
@ -100,7 +100,7 @@ func (e *engine) Validate(
 		response = response.WithPolicyResponse(policyResponse)
 	}
 	response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
-	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), response)
+	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), policyContext.AdmissionInfo(), response)
 	return response
 }
@ -118,7 +118,7 @@ func (e *engine) Mutate(
 			WithPolicyResponse(policyResponse)
 	}
 	response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
-	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), response)
+	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), policyContext.AdmissionInfo(), response)
 	return response
 }
@ -134,7 +134,7 @@ func (e *engine) Generate(
 		response = response.WithPolicyResponse(policyResponse)
 	}
 	response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
-	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), response)
+	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), policyContext.AdmissionInfo(), response)
 	return response
 }
@ -153,7 +153,7 @@ func (e *engine) VerifyAndPatchImages(
 			WithPatchedResource(patchedResource), innerIvm
 	}
 	response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
-	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), response)
+	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), policyContext.AdmissionInfo(), response)
 	return response, ivm
 }
@ -169,7 +169,7 @@ func (e *engine) ApplyBackgroundChecks(
 		response = response.WithPolicyResponse(policyResponse)
 	}
 	response = response.WithStats(engineapi.NewExecutionStats(startTime, time.Now()))
-	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), response)
+	e.reportMetrics(ctx, logger, policyContext.Operation(), policyContext.AdmissionOperation(), policyContext.AdmissionInfo(), response)
 	return response
 }
--- a/pkg/engine/metrics.go
+++ b/pkg/engine/metrics.go
@ -2,10 +2,12 @@ package engine
 import (
 	"context"
 	"strconv"
 	"strings"
 	"github.com/go-logr/logr"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
 	engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 	"github.com/kyverno/kyverno/pkg/metrics"
 	"go.opentelemetry.io/otel/attribute"
@ -17,6 +19,7 @@ func (e *engine) reportMetrics(
 	logger logr.Logger,
 	operation kyvernov1.AdmissionOperation,
 	admissionOperation bool,
 	admissionInfo kyvernov2.RequestInfo,
 	response engineapi.EngineResponse,
 ) {
 	if e.resultCounter == nil && e.durationHistogram == nil {
@ -71,6 +74,7 @@ func (e *engine) reportMetrics(
 					attribute.String("rule_result", string(ruleResult)),
 					attribute.String("rule_type", string(ruleType)),
 					attribute.String("rule_execution_cause", string(executionCause)),
 					attribute.String("dry_run", strconv.FormatBool(admissionInfo.DryRun)),
 				}
 				e.resultCounter.Add(ctx, 1, metric.WithAttributes(commonLabels...))
 			}
@ -88,6 +92,7 @@ func (e *engine) reportMetrics(
 					attribute.String("rule_result", string(ruleResult)),
 					attribute.String("rule_type", string(ruleType)),
 					attribute.String("rule_execution_cause", string(executionCause)),
 					attribute.String("dry_run", strconv.FormatBool(admissionInfo.DryRun)),
 				}
 				e.durationHistogram.Record(ctx, rule.Stats().ProcessingTime().Seconds(), metric.WithAttributes(commonLabels...))
 			}
--- a/pkg/webhooks/utils/policy_context_builder.go
+++ b/pkg/webhooks/utils/policy_context_builder.go
@ -34,5 +34,9 @@ func (b *policyContextBuilder) Build(request admissionv1.AdmissionRequest, roles
 		Roles:             roles,
 		ClusterRoles:      clusterRoles,
 	}
 	if request.DryRun != nil {
 		userRequestInfo.DryRun = *request.DryRun
 	}
 	return engine.NewPolicyContextFromAdmissionRequest(b.jp, request, userRequestInfo, gvk, b.configuration)
 }