From c1df363a0e71b5007c61d7d2e9177247b649806c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
Date: Fri, 20 May 2022 11:43:00 +0200
Subject: [PATCH] fix: release ur when handler pod is gone (#3973)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Charles-Edouard Brétéché
---
 cmd/kyverno/main.go | 3 ++-
 pkg/background/update_request_controller.go | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index ebe2af8e75..eb7d5cd3bf 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -291,8 +291,9 @@ func main() {
 kyvernoV1.ClusterPolicies(),
 kyvernoV1.Policies(),
 kyvernoInformer.Kyverno().V1beta1().UpdateRequests(),
- eventGenerator,
 kubeInformer.Core().V1().Namespaces(),
+ kubeInformer.Core().V1().Pods(),
+ eventGenerator,
 configuration,
 )

diff --git a/pkg/background/update_request_controller.go b/pkg/background/update_request_controller.go
index 0eb4eba11d..bb3af94723 100644
--- a/pkg/background/update_request_controller.go
+++ b/pkg/background/update_request_controller.go
@@ -50,6 +50,7 @@ type controller struct {
 npolicyLister kyvernov1listers.PolicyLister
 urLister kyvernov1beta1listers.UpdateRequestNamespaceLister
 nsLister corev1listers.NamespaceLister
+ podLister corev1listers.PodLister

 // queue
 queue workqueue.RateLimitingInterface
@@ -66,8 +67,9 @@ func NewController(
 policyInformer kyvernov1informers.ClusterPolicyInformer,
 npolicyInformer kyvernov1informers.PolicyInformer,
 urInformer kyvernov1beta1informers.UpdateRequestInformer,
- eventGen event.Interface,
 namespaceInformer corev1informers.NamespaceInformer,
+ podInformer corev1informers.PodInformer,
+ eventGen event.Interface,
 dynamicConfig config.Configuration,
 ) Controller {
 urLister := urInformer.Lister().UpdateRequests(config.KyvernoNamespace())
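Review bot: If `kubeInformer` is a cluster-wide factory (its construction is outside this hunk), passing `kubeInformer.Core().V1().Pods()` makes the process list, watch and cache every pod in the cluster, although the controller only looks pods up in `config.KyvernoNamespace()`. That widens the RBAC the service account needs to cluster-wide read on pods and makes the cache grow with cluster size. A factory restricted with `WithNamespace(config.KyvernoNamespace())` would limit the watch to the one namespace that is actually read.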
@@ -78,6 +80,7 @@ func NewController(
 npolicyLister: npolicyInformer.Lister(),
 urLister: urLister,
 nsLister: namespaceInformer.Lister(),
+ podLister: podInformer.Lister(),
 queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "generate-request"),
 eventGen: eventGen,
 configuration: dynamicConfig,
@@ -171,6 +174,18 @@ func (c *controller) syncUpdateRequest(key string) error {
 _, err := c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
 return err
 }
+ // if it was acquired by a pod that is gone, release it
+ if ur.Status.Handler != "" {
+ _, err = c.podLister.Pods(config.KyvernoNamespace()).Get(ur.Status.Handler)
+ if err != nil {
+ if apierrors.IsNotFound(err) {
+ ur = ur.DeepCopy()
+ ur.Status.Handler = ""
+ _, err = c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).UpdateStatus(context.TODO(), ur, metav1.UpdateOptions{})
+ }
+ return err
+ }
+ }
 // if in pending state, try to acquire ur and eventually process it
 if ur.Status.State == kyvernov1beta1.Pending {
 ur, ok, err := c.acquireUR(ur)
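Review bot: The lister taken with `podLister: podInformer.Lister()` is only as fresh as the pod informer's cache, and nothing visible in this patch adds `podInformer.Informer().HasSynced` to what the controller waits on before its workers start. Until that cache is populated, `Get` answers NotFound for every pod, and the new branch in `syncUpdateRequest` reads that as "handler is gone" and releases requests still owned by live replicas. If the start-up wait (outside this diff) does not already cover this informer, add it next to the other cache-sync checks; the same staleness applies briefly to a handler pod that has only just started.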
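Review bot: The check added ahead of the pending branch releases the request only when the handler pod is absent (`apierrors.IsNotFound`), so a pod that still exists but will never do work again, such as an evicted pod left in phase Failed, keeps `ur.Status.Handler` pinned and the request is never picked up. Consider keeping the pod returned by `Get` and treating a terminal phase as gone as well, e.g. `if pod.Status.Phase == corev1.PodFailed || pod.Status.Phase == corev1.PodSucceeded { /* release */ }` (assuming `corev1` is imported in this file). After a successful release the function returns nil without processing the request, so it depends on the status update re-queueing the key; a comment such as `// released; the resulting update event re-queues the ur` would make that explicit. `syncUpdateRequest` starts and ends outside the hunk.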