From b3a1e51a84472aa66bf571cf74190da21f3605e6 Mon Sep 17 00:00:00 2001
From: shuting
Date: Wed, 3 Jun 2020 17:47:06 -0700
Subject: [PATCH] bug fix auto-gen annotation reported as violation (#902)

* fix auto-gen annotation reported as violation

* update log
---
 pkg/engine/mutation.go | 4 ++--
 pkg/policy/apply.go | 31 ++++---------------------------
 pkg/policyviolation/generator.go | 2 --
 pkg/webhooks/validation.go | 2 +-
 4 files changed, 7 insertions(+), 32 deletions(-)

diff --git a/pkg/engine/mutation.go b/pkg/engine/mutation.go
index 704594a45b..df83bc4197 100644
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@@ -21,6 +21,7 @@ const (
 	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
 	//PodTemplateAnnotation defines the annotation key for Pod-Template
 	PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied"
+	PodControllerRuleName = "podControllerAnnotation"
 )
 
 // Mutate performs mutation. Overlay first and then mutation patches
@@ -102,7 +103,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	if autoGenPolicy(&policy) && strings.Contains(PodControllers, resource.GetKind()) {
 		if !patchedResourceHasPodControllerAnnotation(patchedResource) {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, "podControllerAnnotation", podTemplateRule.Mutation.Overlay, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, PodControllerRuleName, podTemplateRule.Mutation.Overlay, patchedResource)
 			if !ruleResponse.Success {
 				logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
 			} else {
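Review bot: `PodControllerRuleName` is an exported constant added to the block without a doc comment, while its neighbour `PodTemplateAnnotation` documents what it is for; a reader of this package cannot tell that the value is a rule name the engine reports and that other packages key on. Suggest `// PodControllerRuleName is the rule name reported for the engine's own mutation that inserts the autogen-applied annotation; callers use it to recognise that rule response as Kyverno's rather than a policy author's.` The same constant replaces the string literal in the ProcessOverlay call in the following hunk, so the comment is the only place the two usages are tied together for readers.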
@@ -168,7 +169,6 @@ func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse,
 // podTemplateRule mutate pod template with annotation
 // pod-policies.kyverno.io/autogen-applied=true
 var podTemplateRule = kyverno.Rule{
-	Name: "autogen-annotate-podtemplate",
 	Mutation: kyverno.Mutation{
 		Overlay: map[string]interface{}{
 			"spec": map[string]interface{}{
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 2ec9c2719d..0bd7b72c16 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -17,12 +17,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
-const (
-	// JSON patch uses ~1 for / characters
-	// see: https://tools.ietf.org/html/rfc6901#section-3
-	PodTemplateAnnotationApplied = "pod-policies.kyverno.io~1autogen-applied"
-)
-
 // applyPolicy applies policy on a resource
 //TODO: generation rules
 func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
@@ -87,11 +81,12 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 	for index, rule := range engineResponse.PolicyResponse.Rules {
 		log.V(4).Info("verifying if policy rule was applied before", "rule", rule.Name)
 
-		patches := dropKyvernoAnnotation(rule.Patches, log)
-		if len(patches) == 0 {
+		if rule.Name == engine.PodControllerRuleName {
 			continue
 		}
 
+		patches := rule.Patches
+
 		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(patches))
 		if err != nil {
 			log.Error(err, "failed to decode JSON patch", "patches", patches)
@@ -104,6 +99,7 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 			log.Error(err, "failed to apply JSON patch", "patches", patches)
 			return response.EngineResponse{}, err
 		}
+
 		if !jsonpatch.Equal(patchedResource, rawResource) {
 			log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
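Review bot: Removing `Name` leaves `podTemplateRule` with an empty rule name while the name the engine actually reports for it is passed separately as `PodControllerRuleName` at the ProcessOverlay call, so the rule value and the name it runs under now live in two places and can drift apart. If anything else reads `podTemplateRule.Name` (logging, rule lookup), it will see an empty string. Suggest keeping the literal self-describing with `Name: PodControllerRuleName,` so the constant is the single source of truth. The podTemplateRule declaration continues past the end of the hunk.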
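Review bot: The rewritten guard in getFailedOverallRuleInfo drops the empty-patch case the old `len(patches) == 0` check covered: a rule response with no patches now reaches `jsonpatch.DecodePatch(utils.JoinPatches(patches))`, and unless those two calls tolerate empty input the whole function returns an error instead of skipping that rule as before. Suggest `if rule.Name == engine.PodControllerRuleName || len(rule.Patches) == 0 {` so both the engine's own rule and patch-less rules are skipped. Separately, the skip now keys on a rule name that a policy author can also choose in a ClusterPolicy; a user rule that happens to be named `podControllerAnnotation` would be excluded from this check as well, so it may be worth rejecting that name at policy validation time or marking the internal rule by something a policy cannot set. The surrounding for loop continues past the hunk.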
@@ -135,25 +131,6 @@ func extractPatchPath(patches [][]byte, log logr.Logger) string {
 	return strings.Join(resultPath, ";")
 }
 
-func dropKyvernoAnnotation(patches [][]byte, log logr.Logger) (resultPathes [][]byte) {
-	for _, patch := range patches {
-		var data jsonPatch
-		if err := json.Unmarshal(patch, &data); err != nil {
-			log.Error(err, "failed to decode the generate patch", "patch", string(patch))
-			continue
-		}
-
-		value := fmt.Sprintf("%v", data.Value)
-		if strings.Contains(value, engine.PodTemplateAnnotation) ||
-			strings.Contains(value, PodTemplateAnnotationApplied) {
-			continue
-		}
-
-		resultPathes = append(resultPathes, patch)
-	}
-	return
-}
-
 func mergeRuleRespose(mutation, validation response.EngineResponse) response.EngineResponse {
 	mutation.PolicyResponse.Rules = append(mutation.PolicyResponse.Rules, validation.PolicyResponse.Rules...)
 	return mutation
diff --git a/pkg/policyviolation/generator.go b/pkg/policyviolation/generator.go
index e25ae23c6f..f395ef1475 100644
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@@ -247,8 +247,6 @@ func (gen *Generator) syncHandler(info Info) error {
 		if err := handler.create(pv); err != nil {
 			failure = true
 			logger.Error(err, "failed to create policy violation")
-		} else {
-			logger.Info("created policy violation", "key", info.toKey())
 		}
 
 		if failure {
diff --git a/pkg/webhooks/validation.go b/pkg/webhooks/validation.go
index 6d38fba2dc..55b0f365ec 100644
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@@ -80,7 +80,7 @@ func (ws *WebhookServer) HandleValidation(
 			continue
 		}
 
-		logger.Info("valiadtion rules from policy applied succesfully", "policy", policy.Name)
+		logger.Info("validation rules from policy applied succesfully", "policy", policy.Name)
 	}
 	// If Validation fails then reject the request
 	// no violations will be created on "enforce"
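Review bot: The corrected log line in HandleValidation still misspells "successfully" as "succesfully", so the message will need to change again; operators who grep or alert on this string then have to track two different spellings across releases. Suggest fixing both words in one go: `logger.Info("validation rules from policy applied successfully", "policy", policy.Name)`. HandleValidation's body begins and ends outside the hunk.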