mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Load mutate.targets via dclient (#3797)

Browse source 
* Load mutate.targets via dclient

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Do not fail on namespace cleanup for e2e generate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Fix wildcard name listing for a certain namespace

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Rename onPolicyUpdate to mutateExistingOnPolicyUpdate

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Enable "mutateExistingOnPolicyUpdate" on policy events

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
This commit is contained in:
shuting 2022-05-06 13:46:36 +08:00 committed by GitHub
parent db3502656d
commit b4f2b63f53
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 388 additions and 91 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
api/kyverno/v1/common_types.go
View file

@ -469,5 +469,6 @@ type ResourceSpec struct {
Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
// Name specifies the resource name.
// +kubebuilder:validation:MaxLength=63
// +optional
Name string `json:"name,omitempty" yaml:"name,omitempty"`
}

20
api/kyverno/v1/spec_types.go
View file

@ -64,10 +64,10 @@ type Spec struct {
// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
// OnPolicyUpdate controls if a policy is applied to existing resources for mutateExisting and generate policies.
// MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
// Default value is "false".
// +optional
OnPolicyUpdate bool `json:"onPolicyUpdate,omitempty" yaml:"onPolicyUpdate,omitempty"`
MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
}
func (s *Spec) SetRules(rules []Rule) {
@ -148,9 +148,19 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
return *s.Background
}
// GetOnPolicyUpdate return OnPolicyUpdate set value
func (s *Spec) GetOnPolicyUpdate() bool {
return s.OnPolicyUpdate
// IsMutateExisting checks if the mutate policy applies to existing resources
func (s *Spec) IsMutateExisting() bool {
for _, rule := range s.Rules {
if rule.IsMutateExisting() {
return true
}
}
return false
}
// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
return s.MutateExistingOnPolicyUpdate
}
// GetFailurePolicy returns the failure policy to be applied

8
charts/kyverno/templates/crds.yaml
View file

@ -64,8 +64,8 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing resources for mutateExisting and generate policies. Default value is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.
@ -2409,8 +2409,8 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing resources for mutateExisting and generate policies. Default value is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.

7
config/crds/kyverno.io_clusterpolicies.yaml
View file

@ -68,10 +68,9 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing
resources for mutateExisting and generate policies. Default value
is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains

7
config/crds/kyverno.io_policies.yaml
View file

@ -69,10 +69,9 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing
resources for mutateExisting and generate policies. Default value
is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains

14
config/install.yaml
View file

@ -85,10 +85,9 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing
resources for mutateExisting and generate policies. Default value
is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains
@ -3592,10 +3591,9 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing
resources for mutateExisting and generate policies. Default value
is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains

14
config/install_debug.yaml
View file

@ -83,10 +83,9 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing
resources for mutateExisting and generate policies. Default value
is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains
@ -3586,10 +3585,9 @@ spec:
- Ignore
- Fail
type: string
onPolicyUpdate:
description: OnPolicyUpdate controls if a policy is applied to existing
resources for mutateExisting and generate policies. Default value
is "false".
mutateExistingOnPolicyUpdate:
description: MutateExistingOnPolicyUpdate controls if a mutateExisting
policy is applied on policy events. Default value is "false".
type: boolean
rules:
description: Rules is a list of Rule instances. A Policy contains

13
docs/crd/v1/index.html
View file

@ -191,14 +191,14 @@ based on the failure policy. The default timeout is 10s, the value must be betwe
</tr>
<tr>
<td>
<code>onPolicyUpdate</code></br>
<code>mutateExistingOnPolicyUpdate</code></br>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>OnPolicyUpdate controls if a policy is applied to existing resources for mutateExisting and generate policies.
<p>MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
Default value is &ldquo;false&rdquo;.</p>
</td>
</tr>
@ -384,14 +384,14 @@ based on the failure policy. The default timeout is 10s, the value must be betwe
</tr>
<tr>
<td>
<code>onPolicyUpdate</code></br>
<code>mutateExistingOnPolicyUpdate</code></br>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>OnPolicyUpdate controls if a policy is applied to existing resources for mutateExisting and generate policies.
<p>MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
Default value is &ldquo;false&rdquo;.</p>
</td>
</tr>
@ -2647,6 +2647,7 @@ string
</em>
</td>
<td>
<em>(Optional)</em>
<p>Name specifies the resource name.</p>
</td>
</tr>
@ -2942,14 +2943,14 @@ based on the failure policy. The default timeout is 10s, the value must be betwe
</tr>
<tr>
<td>
<code>onPolicyUpdate</code></br>
<code>mutateExistingOnPolicyUpdate</code></br>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>OnPolicyUpdate controls if a policy is applied to existing resources for mutateExisting and generate policies.
<p>MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
Default value is &ldquo;false&rdquo;.</p>
</td>
</tr>

16
pkg/background/update_request_controller.go
View file

@ -1,6 +1,7 @@
package background
import (
"fmt"
"reflect"
"time"
@ -190,8 +191,7 @@ func (c *Controller) syncUpdateRequest(key string) error {
return nil
}
logger.Error(err, "failed to fetch update request", "key", key)
return err
return fmt.Errorf("failed to fetch update request %s: %v", key, err)
}
ur, ok, err := c.MarkUR(ur)
@ -200,17 +200,19 @@ func (c *Controller) syncUpdateRequest(key string) error {
return nil
}
if err != nil {
logger.Error(err, "failed to mark UR handler", "key", key)
return err
return fmt.Errorf("failed to mark handler for UR %s: %v", key, err)
}
logger.V(3).Info("UR is marked successfully", "ur", ur.GetName(), "resourceVersion", ur.GetResourceVersion())
if err := c.ProcessUR(ur); err != nil {
logger.Error(err, "failed to process UR", "key", key)
return err
return fmt.Errorf("failed to process UR %s: %v", key, err)
}
return c.UnmarkUR(ur)
if err = c.UnmarkUR(ur); err != nil {
return fmt.Errorf("failed to un-mark UR %s: %v", key, err)
}
return nil
}
func (c *Controller) enqueueUpdateRequest(obj interface{}) {

120
pkg/engine/loadtargets.go
View file

@ -4,58 +4,108 @@ import (
"fmt"
"github.com/go-logr/logr"
"github.com/kyverno/go-wildcard"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
engineUtils "github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/kyverno/kyverno/pkg/engine/variables"
stringutils "github.com/kyverno/kyverno/pkg/utils/string"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
func loadTargets(logger logr.Logger, targets []kyverno.ResourceSpec, ctx *PolicyContext) ([]unstructured.Unstructured, error) {
targetObjects := make([]unstructured.Unstructured, len(targets))
func loadTargets(targets []kyverno.ResourceSpec, ctx *PolicyContext, logger logr.Logger) ([]unstructured.Unstructured, error) {
targetObjects := []unstructured.Unstructured{}
var errors []error
for i, target := range targets {
apiversion, err := variables.SubstituteAll(logger, ctx.JSONContext, target.APIVersion)
for i := range targets {
spec, err := resolveSpec(i, targets[i], ctx, logger)
if err != nil {
errors = append(errors, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s: %v", i, target.APIVersion, err))
errors = append(errors, err)
continue
}
kind, err := variables.SubstituteAll(logger, ctx.JSONContext, target.Kind)
objs, err := getTargets(spec, ctx, logger)
if err != nil {
errors = append(errors, fmt.Errorf("failed to substitute variables in target[%d].Kind %s: %v", i, target.Kind, err))
errors = append(errors, err)
continue
}
name, err := variables.SubstituteAll(logger, ctx.JSONContext, target.Name)
if err != nil {
errors = append(errors, fmt.Errorf("failed to substitute variables in target[%d].Name %s: %v", i, target.Name, err))
continue
}
namespace, err := variables.SubstituteAll(logger, ctx.JSONContext, target.Namespace)
if err != nil {
errors = append(errors, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s: %v", i, target.Namespace, err))
continue
}
if namespace == "" {
namespace = "default"
}
obj, err := ctx.Client.GetResource(apiversion.(string), kind.(string), namespace.(string), name.(string))
if err != nil {
errors = append(errors, fmt.Errorf("failed to get target %s/%s %s/%s : %v", apiversion, kind, namespace, name, err))
continue
}
if obj.GetKind() == "" {
obj.SetKind(kind.(string))
}
obj.SetAPIVersion(apiversion.(string))
targetObjects = append(targetObjects, *obj)
targetObjects = append(targetObjects, objs...)
}
return targetObjects, engineUtils.CombineErrors(errors)
}
func resolveSpec(i int, target kyverno.ResourceSpec, ctx *PolicyContext, logger logr.Logger) (kyverno.ResourceSpec, error) {
kind, err := variables.SubstituteAll(logger, ctx.JSONContext, target.Kind)
if err != nil {
return kyverno.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Kind %s: %v", i, target.Kind, err)
}
apiversion, err := variables.SubstituteAll(logger, ctx.JSONContext, target.APIVersion)
if err != nil {
return kyverno.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].APIVersion %s: %v", i, target.APIVersion, err)
}
namespace, err := variables.SubstituteAll(logger, ctx.JSONContext, target.Namespace)
if err != nil {
return kyverno.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Namespace %s: %v", i, target.Namespace, err)
}
name, err := variables.SubstituteAll(logger, ctx.JSONContext, target.Name)
if err != nil {
return kyverno.ResourceSpec{}, fmt.Errorf("failed to substitute variables in target[%d].Name %s: %v", i, target.Name, err)
}
return kyverno.ResourceSpec{
APIVersion: apiversion.(string),
Kind: kind.(string),
Namespace: namespace.(string),
Name: name.(string),
}, nil
}
func getTargets(target kyverno.ResourceSpec, ctx *PolicyContext, logger logr.Logger) ([]unstructured.Unstructured, error) {
var targetObjects []unstructured.Unstructured
namespace := target.Namespace
name := target.Name
if namespace != "" && name != "" &&
!stringutils.ContainsWildcard(namespace) && !stringutils.ContainsWildcard(name) {
obj, err := ctx.Client.GetResource(target.APIVersion, target.Kind, namespace, name)
if err != nil {
return nil, fmt.Errorf("failed to get target %s/%s %s/%s : %v", target.APIVersion, target.Kind, namespace, name, err)
}
return []unstructured.Unstructured{*obj}, nil
}
// list all targets if wildcard is specified
objList, err := ctx.Client.ListResource(target.APIVersion, target.Kind, "", nil)
if err != nil {
return nil, err
}
for i := range objList.Items {
obj := objList.Items[i].DeepCopy()
if match(namespace, name, obj.GetNamespace(), obj.GetName()) {
targetObjects = append(targetObjects, *obj)
}
}
return targetObjects, nil
}
func match(namespacePattern, namePattern, namespace, name string) bool {
if namespacePattern == "" && namePattern == "" {
return true
} else if namespacePattern == "" {
if wildcard.Match(namePattern, name) {
return true
}
} else if wildcard.Match(namespacePattern, namespace) {
if namePattern == "" || wildcard.Match(namePattern, name) {
return true
}
}
return false
}

217
pkg/engine/loadtargets_test.go Normal file
View file

@ -0,0 +1,217 @@
package engine
import (
"fmt"
"testing"
"github.com/stretchr/testify/assert"
)
func Test_match(t *testing.T) {
tests := []struct {
testName string
namespacePattern string
namePattern string
namespace string
name string
expectedResult bool
}{
{
testName: "empty-namespacePattern-namePattern-1",
namespacePattern: "",
namePattern: "",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namespacePattern-namePattern-2",
namespacePattern: "",
namePattern: "",
namespace: "",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namespacePattern-1",
namespacePattern: "",
namePattern: "bar",
namespace: "",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namespacePattern-2",
namespacePattern: "",
namePattern: "ba*",
namespace: "",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namespacePattern-3",
namespacePattern: "",
namePattern: "ba*",
namespace: "",
name: "random",
expectedResult: false,
},
{
testName: "empty-namespacePattern-4",
namespacePattern: "",
namePattern: "bar",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namespacePattern-5",
namespacePattern: "",
namePattern: "ba*",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namespacePattern-6",
namespacePattern: "",
namePattern: "ba*",
namespace: "foo",
name: "random",
expectedResult: false,
},
{
testName: "empty-namePattern-1",
namespacePattern: "foo",
namePattern: "",
namespace: "",
name: "bar",
expectedResult: false,
},
{
testName: "empty-namePattern-2",
namespacePattern: "foo",
namePattern: "",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namePattern-3",
namespacePattern: "fo*",
namePattern: "",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "empty-namePattern-4",
namespacePattern: "fo*",
namePattern: "",
namespace: "random",
name: "bar",
expectedResult: false,
},
{
testName: "empty-namePattern-5",
namespacePattern: "fo*",
namePattern: "",
namespace: "",
name: "bar",
expectedResult: false,
},
{
testName: "no-empty-pattern-1",
namespacePattern: "foo",
namePattern: "bar",
namespace: "",
name: "",
expectedResult: false,
},
{
testName: "no-empty-pattern-2",
namespacePattern: "foo",
namePattern: "bar",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "no-empty-pattern-3",
namespacePattern: "foo",
namePattern: "bar",
namespace: "",
name: "bar",
expectedResult: false,
},
{
testName: "no-empty-pattern-4",
namespacePattern: "foo",
namePattern: "bar",
namespace: "random",
name: "bar",
expectedResult: false,
},
{
testName: "no-empty-pattern-5",
namespacePattern: "foo",
namePattern: "bar",
namespace: "foo",
name: "random",
expectedResult: false,
},
{
testName: "no-empty-pattern-6",
namespacePattern: "fo*",
namePattern: "bar",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "no-empty-pattern-7",
namespacePattern: "fo*",
namePattern: "bar",
namespace: "random",
name: "bar",
expectedResult: false,
},
{
testName: "no-empty-pattern-8",
namespacePattern: "fo*",
namePattern: "bar",
namespace: "",
name: "bar",
expectedResult: false,
},
{
testName: "no-empty-pattern-9",
namespacePattern: "foo",
namePattern: "ba*",
namespace: "foo",
name: "bar",
expectedResult: true,
},
{
testName: "no-empty-pattern-10",
namespacePattern: "foo",
namePattern: "ba*",
namespace: "foo",
name: "random",
expectedResult: false,
},
// {
// testName: "",
// namespacePattern: "",
// namePattern: "",
// namespace: "",
// name: "",
// expectedResult: false,
// },
}
for _, test := range tests {
res := match(test.namespacePattern, test.namePattern, test.namespace, test.name)
assert.Equal(t, test.expectedResult, res, fmt.Sprintf("test %s failed", test.testName))
}
}

2
pkg/engine/mutation.go
View file

@ -81,7 +81,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
ruleCopy := rule.DeepCopy()
var patchedResources []unstructured.Unstructured
if !policyContext.AdmissionOperation && rule.IsMutateExisting() {
targets, err := loadTargets(logger, ruleCopy.Mutation.Targets, policyContext)
targets, err := loadTargets(ruleCopy.Mutation.Targets, policyContext, logger)
if err != nil {
rr := ruleResponse(rule, response.Mutation, err.Error(), response.RuleStatusError, nil)
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, *rr)

2
pkg/engine/utils.go
View file

@ -88,7 +88,7 @@ func checkAnnotations(annotations map[string]string, resourceAnnotations map[str
}
}
if match == false {
if !match {
return false
}
}

2
pkg/policy/on_update_policy_test.go
View file

@ -105,5 +105,5 @@ func Test_invalid_onUpdatePolicyPolicy(t *testing.T) {
err := json.Unmarshal(rawPolicy, &policy)
assert.NilError(t, err)
err = ValidateOnPolicyUpdate(&policy, true)
assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.onPolicyUpdate=false to disable update policy mode for this policy rule: variable \"{{request.userInfo.username}} is not allowed ")
assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: variable \"{{request.userInfo.username}} is not allowed ")
}

5
pkg/policy/policy_controller.go
View file

@ -473,9 +473,10 @@ func (pc *PolicyController) syncPolicy(key string) error {
policy, err := pc.getPolicy(key)
if err != nil {
if errors.IsNotFound(err) {
// here only takes care of mutateExisting policies
// generate cleanup controller handles policy deletion
mutateURs := pc.listMutateURs(key, nil)
generateURs := pc.listGenerateURs(key, nil)
deleteUR(pc.kyvernoClient, key, append(mutateURs, generateURs...), logger)
deleteUR(pc.kyvernoClient, key, mutateURs, logger)
return nil
}
return err

7
pkg/policy/updaterequest.go
View file

@ -14,6 +14,13 @@ import (
func (pc *PolicyController) updateUR(policyKey string, policy kyverno.PolicyInterface) {
logger := pc.log.WithName("updateUR").WithName(policyKey)
// TODO: add check for genExisting
if !policy.GetSpec().MutateExistingOnPolicyUpdate {
logger.V(4).Info("skip policy application on policy event", "policyKey", policyKey, "mutateExiting", policy.GetSpec().MutateExistingOnPolicyUpdate)
return
}
logger.Info("update URs on policy event")
mutateURs := pc.listMutateURs(policyKey, nil)

4
pkg/policy/validate.go
View file

@ -82,7 +82,7 @@ func Validate(policy kyverno.PolicyInterface, client dclient.Interface, mock boo
namespaced := policy.IsNamespaced()
spec := policy.GetSpec()
background := spec.BackgroundProcessingEnabled()
onPolicyUpdate := spec.GetOnPolicyUpdate()
onPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate()
var errs field.ErrorList
specPath := field.NewPath("spec")
@ -412,7 +412,7 @@ func ValidateOnPolicyUpdate(p kyverno.PolicyInterface, onPolicyUpdate bool) erro
}
if err := containsUserVariables(p, vars); err != nil {
return fmt.Errorf("only select variables are allowed in on policy update. Set spec.onPolicyUpdate=false to disable update policy mode for this policy rule: %s ", err)
return fmt.Errorf("only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: %s ", err)
}
return nil

6
pkg/webhooks/updaterequest.go
View file

@ -21,8 +21,8 @@ func (ws *WebhookServer) createUpdateRequests(request *admissionv1.AdmissionRequ
generateEngineResponsesSenderForAdmissionRequestsCountMetric := make(chan []*response.EngineResponse, 1)
go ws.handleMutateExisting(request, mutatePolicies, policyContext, ts)
go ws.handleGenerate(request, generatePolicies, policyContext, ts, &admissionReviewCompletionLatencyChannel, &generateEngineResponsesSenderForAdmissionReviewDurationMetric, &generateEngineResponsesSenderForAdmissionRequestsCountMetric)
go ws.registerAdmissionReviewDurationMetricGenerate(logger, string(request.Operation), &admissionReviewCompletionLatencyChannel, &generateEngineResponsesSenderForAdmissionReviewDurationMetric)
go ws.registerAdmissionRequestsMetricGenerate(logger, string(request.Operation), &generateEngineResponsesSenderForAdmissionRequestsCountMetric)
}
@ -38,6 +38,10 @@ func (ws *WebhookServer) handleMutateExisting(request *admissionv1.AdmissionRequ
var engineResponses []*response.EngineResponse
for _, policy := range policies {
if !policy.GetSpec().IsMutateExisting() {
continue
}
var rules []response.RuleResponse
policyContext.Policy = policy
engineResponse := engine.ApplyBackgroundChecks(policyContext)

10
test/e2e/generate/generate_test.go
View file

@ -172,7 +172,10 @@ func Test_ClusterRole_ClusterRoleBinding_Sets(t *testing.T) {
}
return fmt.Errorf("failed to delete namespace: %v", err)
})
Expect(err).NotTo(HaveOccurred())
// Do not fail if waiting fails. Sometimes namespace needs time to be deleted.
if err != nil {
By(err.Error())
}
By(fmt.Sprintf("Test %s Completed \n\n\n", tests.TestName))
}
@ -309,7 +312,10 @@ func Test_Role_RoleBinding_Sets(t *testing.T) {
}
return fmt.Errorf("failed to delete namespace: %v", err)
})
Expect(err).NotTo(HaveOccurred())
// Do not fail if waiting fails. Sometimes namespace needs time to be deleted.
if err != nil {
By(err.Error())
}
By(fmt.Sprintf("Test %s Completed \n\n\n", tests.TestName))
}

4
test/e2e/mutate/resources.go
View file

@ -677,6 +677,7 @@ kind: ClusterPolicy
metadata:
name: "test-post-mutation-create-trigger"
spec:
mutateExistingOnPolicyUpdate: false
rules:
- name: "mutate-deploy-on-configmap-create"
match:
@ -745,6 +746,7 @@ kind: ClusterPolicy
metadata:
name: "test-post-mutation-delete-trigger"
spec:
mutateExistingOnPolicyUpdate: false
rules:
- name: "mutate-deploy-on-configmap-delete"
match:
@ -818,6 +820,7 @@ kind: ClusterPolicy
metadata:
name: "test-post-mutation-create-policy"
spec:
mutateExistingOnPolicyUpdate: true
rules:
- name: "mutate-deploy-on-policy-create"
match:
@ -886,6 +889,7 @@ kind: ClusterPolicy
metadata:
name: "test-post-mutation"
spec:
mutateExistingOnPolicyUpdate: false
rules:
- name: "mutate-deploy-on-configmap-update"
match: