bug fix auto-gen annotation reported as violation (#902)

* fix auto-gen annotation reported as violation * update log
2025-03-05 15:37:19 +00:00 · 2020-06-03 17:47:06 -07:00 · 2020-06-03 17:47:06 -07:00 · b3a1e51a84
commit b3a1e51a84
parent 32cd23963a
4 changed files with 7 additions and 32 deletions
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -21,6 +21,7 @@ const (
 	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
 	//PodTemplateAnnotation defines the annotation key for Pod-Template
 	PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied"
 	PodControllerRuleName = "podControllerAnnotation"
 )
 // Mutate performs mutation. Overlay first and then mutation patches
@ -102,7 +103,7 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
 	if autoGenPolicy(&policy) && strings.Contains(PodControllers, resource.GetKind()) {
 		if !patchedResourceHasPodControllerAnnotation(patchedResource) {
 			var ruleResponse response.RuleResponse
-			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, "podControllerAnnotation", podTemplateRule.Mutation.Overlay, patchedResource)
+			ruleResponse, patchedResource = mutate.ProcessOverlay(logger, PodControllerRuleName, podTemplateRule.Mutation.Overlay, patchedResource)
 			if !ruleResponse.Success {
 				logger.Info("failed to insert annotation for podTemplate", "error", ruleResponse.Message)
 			} else {
@ -168,7 +169,6 @@ func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse,
 // podTemplateRule mutate pod template with annotation
 // pod-policies.kyverno.io/autogen-applied=true
 var podTemplateRule = kyverno.Rule{
 	Name: "autogen-annotate-podtemplate",
 	Mutation: kyverno.Mutation{
 		Overlay: map[string]interface{}{
 			"spec": map[string]interface{}{
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@ -17,12 +17,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 const (
 	// JSON patch uses ~1 for / characters
 	// see: https://tools.ietf.org/html/rfc6901#section-3
 	PodTemplateAnnotationApplied = "pod-policies.kyverno.io~1autogen-applied"
 )
 // applyPolicy applies policy on a resource
 //TODO: generation rules
 func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructured, logger logr.Logger) (responses []response.EngineResponse) {
@ -87,11 +81,12 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 	for index, rule := range engineResponse.PolicyResponse.Rules {
 		log.V(4).Info("verifying if policy rule was applied before", "rule", rule.Name)
-		patches := dropKyvernoAnnotation(rule.Patches, log)
+		if rule.Name == engine.PodControllerRuleName {
 		if len(patches) == 0 {
 			continue
 		}
 		patches := rule.Patches
 		patch, err := jsonpatch.DecodePatch(utils.JoinPatches(patches))
 		if err != nil {
 			log.Error(err, "failed to decode JSON patch", "patches", patches)
@ -104,6 +99,7 @@ func getFailedOverallRuleInfo(resource unstructured.Unstructured, engineResponse
 			log.Error(err, "failed to apply JSON patch", "patches", patches)
 			return response.EngineResponse{}, err
 		}
 		if !jsonpatch.Equal(patchedResource, rawResource) {
 			log.V(4).Info("policy rule conditions not satisfied by resource", "rule", rule.Name)
 			engineResponse.PolicyResponse.Rules[index].Success = false
@ -135,25 +131,6 @@ func extractPatchPath(patches [][]byte, log logr.Logger) string {
 	return strings.Join(resultPath, ";")
 }
 func dropKyvernoAnnotation(patches [][]byte, log logr.Logger) (resultPathes [][]byte) {
 	for _, patch := range patches {
 		var data jsonPatch
 		if err := json.Unmarshal(patch, &data); err != nil {
 			log.Error(err, "failed to decode the generate patch", "patch", string(patch))
 			continue
 		}
 		value := fmt.Sprintf("%v", data.Value)
 		if strings.Contains(value, engine.PodTemplateAnnotation) ||
 			strings.Contains(value, PodTemplateAnnotationApplied) {
 			continue
 		}
 		resultPathes = append(resultPathes, patch)
 	}
 	return
 }
 func mergeRuleRespose(mutation, validation response.EngineResponse) response.EngineResponse {
 	mutation.PolicyResponse.Rules = append(mutation.PolicyResponse.Rules, validation.PolicyResponse.Rules...)
 	return mutation
--- a/pkg/policyviolation/generator.go
+++ b/pkg/policyviolation/generator.go
@ -247,8 +247,6 @@ func (gen *Generator) syncHandler(info Info) error {
 	if err := handler.create(pv); err != nil {
 		failure = true
 		logger.Error(err, "failed to create policy violation")
 	} else {
 		logger.Info("created policy violation", "key", info.toKey())
 	}
 	if failure {
--- a/pkg/webhooks/validation.go
+++ b/pkg/webhooks/validation.go
@ -80,7 +80,7 @@ func (ws *WebhookServer) HandleValidation(
 			continue
 		}
-		logger.Info("valiadtion rules from policy applied succesfully", "policy", policy.Name)
+		logger.Info("validation rules from policy applied succesfully", "policy", policy.Name)
 	}
 	// If Validation fails then reject the request
 	// no violations will be created on "enforce"