fix: release ur when handler pod is gone (#3973)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-03-28 10:28:36 +00:00 · 2022-05-20 11:43:00 +02:00 · 2022-05-20 11:43:00 +02:00 · c1df363a0e
commit c1df363a0e
parent 1936d86623
2 changed files with 18 additions and 2 deletions
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -291,8 +291,9 @@ func main() {
 		kyvernoV1.ClusterPolicies(),
 		kyvernoV1.Policies(),
 		kyvernoInformer.Kyverno().V1beta1().UpdateRequests(),
-		eventGenerator,
 		kubeInformer.Core().V1().Namespaces(),
+		kubeInformer.Core().V1().Pods(),
+		eventGenerator,
 		configuration,
 	)

--- a/pkg/background/update_request_controller.go
+++ b/pkg/background/update_request_controller.go
@ -50,6 +50,7 @@ type controller struct {
 	npolicyLister kyvernov1listers.PolicyLister
 	urLister      kyvernov1beta1listers.UpdateRequestNamespaceLister
 	nsLister      corev1listers.NamespaceLister
+	podLister     corev1listers.PodLister

 	// queue
 	queue workqueue.RateLimitingInterface
@ -66,8 +67,9 @@ func NewController(
 	policyInformer kyvernov1informers.ClusterPolicyInformer,
 	npolicyInformer kyvernov1informers.PolicyInformer,
 	urInformer kyvernov1beta1informers.UpdateRequestInformer,
-	eventGen event.Interface,
 	namespaceInformer corev1informers.NamespaceInformer,
+	podInformer corev1informers.PodInformer,
+	eventGen event.Interface,
 	dynamicConfig config.Configuration,
 ) Controller {
 	urLister := urInformer.Lister().UpdateRequests(config.KyvernoNamespace())
@ -78,6 +80,7 @@ func NewController(
 		npolicyLister: npolicyInformer.Lister(),
 		urLister:      urLister,
 		nsLister:      namespaceInformer.Lister(),
+		podLister:     podInformer.Lister(),
 		queue:         workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "generate-request"),
 		eventGen:      eventGen,
 		configuration: dynamicConfig,
@ -171,6 +174,18 @@ func (c *controller) syncUpdateRequest(key string) error {
 		_, err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
 		return err
 	}
+	// if it was acquired by a pod that is gone, release it
+	if ur.Status.Handler != "" {
+		_, err = c.podLister.Pods(config.KyvernoNamespace()).Get(ur.Status.Handler)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				ur = ur.DeepCopy()
+				ur.Status.Handler = ""
+				_, err = c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
+			}
+			return err
+		}
+	}
 	// if in pending state, try to acquire ur and eventually process it
 	if ur.Status.State == kyvernov1beta1.Pending {
 		ur, ok, err := c.acquireUR(ur)