From b3e227dbaf1ac280865fd505dc02b333c9903004 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Tue, 17 May 2022 14:15:02 +0200
Subject: [PATCH] fix: use admissionrequest subresource to filter webhooks (#3944)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
Co-authored-by: shuting
---
 pkg/webhooks/policy/handlers.go | 35 ++++++++++-------------------------
 1 file changed, 10 insertions(+), 25 deletions(-)
diff --git a/pkg/webhooks/policy/handlers.go b/pkg/webhooks/policy/handlers.go
index c30fd59349..e1ba9bbfac 100644
--- a/pkg/webhooks/policy/handlers.go
+++ b/pkg/webhooks/policy/handlers.go
@@ -2,12 +2,10 @@ package policy
 import (
 "fmt"
- "reflect"
 "strings"
 "time"
 "github.com/go-logr/logr"
- kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 client "github.com/kyverno/kyverno/pkg/dclient"
 "github.com/kyverno/kyverno/pkg/openapi"
 policyvalidate "github.com/kyverno/kyverno/pkg/policy"
@@ -30,15 +28,15 @@ func NewHandlers(client client.Interface, openAPIController *openapi.Controller)
 }
 func (h *handlers) Validate(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
- policy, oldPolicy, err := admissionutils.GetPolicies(request)
+ if request.SubResource != "" {
+ logger.V(4).Info("skip policy validation on status update")
+ return admissionutils.Response(true)
+ }
+ policy, _, err := admissionutils.GetPolicies(request)
 if err != nil {
 logger.Error(err, "failed to unmarshal policies from admission request")
 return admissionutils.ResponseWithMessage(true, fmt.Sprintf("failed to validate policy, check kyverno controller logs for details: %v", err))
 }
- if oldPolicy != nil && isStatusUpdate(oldPolicy, policy) {
- logger.V(4).Info("skip policy validation on status update")
- return admissionutils.Response(true)
- }
 startTime := time.Now()
 logger.V(3).Info("start policy change validation")
 defer logger.V(3).Info("finished policy change validation", "time", time.Since(startTime).String())
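Review bot: The guard added at the top of Validate allows every request whose `SubResource` is non-empty, although the log text speaks only of a status update; the same guard is added to Mutate in the next hunk. The removed `isStatusUpdate` check compared annotations, labels and spec before skipping, whereas the new path relies on the API server discarding non-status changes on subresource writes, which is presumably the case when the CRD enables the status subresource but is not visible here. Narrowing the condition to `if request.SubResource == "status" {` would keep the allow-without-validation path as small as the message claims. A comment such as `// writes to the status subresource cannot change spec, so validation is skipped` would record that assumption. Validate's body continues past the end of this hunk.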
@@ -54,15 +52,15 @@ func (h *handlers) Validate(logger logr.Logger, request *admissionv1.AdmissionRe
 }
 func (h *handlers) Mutate(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
- policy, oldPolicy, err := admissionutils.GetPolicies(request)
+ if request.SubResource != "" {
+ logger.V(4).Info("skip policy validation on status update")
+ return admissionutils.Response(true)
+ }
+ policy, _, err := admissionutils.GetPolicies(request)
 if err != nil {
 logger.Error(err, "failed to unmarshal policies from admission request")
 return admissionutils.ResponseWithMessage(true, fmt.Sprintf("failed to default value, check kyverno controller logs for details: %v", err))
 }
- if oldPolicy != nil && isStatusUpdate(oldPolicy, policy) {
- logger.V(4).Info("skip policy mutation on status update")
- return admissionutils.Response(true)
- }
 startTime := time.Now()
 logger.V(3).Info("start policy change mutation")
 defer logger.V(3).Info("finished policy change mutation", "time", time.Since(startTime).String())
@@ -71,16 +69,3 @@ func (h *handlers) Mutate(logger logr.Logger, request *admissionv1.AdmissionRequ
 }
 return admissionutils.Response(true)
 }
-
-func isStatusUpdate(old, new kyvernov1.PolicyInterface) bool {
- if !reflect.DeepEqual(old.GetAnnotations(), new.GetAnnotations()) {
- return false
- }
- if !reflect.DeepEqual(old.GetLabels(), new.GetLabels()) {
- return false
- }
- if !reflect.DeepEqual(old.GetSpec(), new.GetSpec()) {
- return false
- }
- return true
-}
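Review bot: In Mutate the added log line reads `skip policy validation on status update`, apparently copied from Validate, while the line it replaces said `skip policy mutation on status update`. Both handlers now log the same text at V(4), so controller logs no longer show which webhook skipped a request. Suggest `logger.V(4).Info("skip policy mutation on status update")`. Mutate's body continues past the end of this hunk; the following hunk only deletes `isStatusUpdate`.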