Fix race condition in pCache (#3632)

* fix race condition in pCache
2024-12-14 11:57:48 +00:00 · 2022-04-20 15:30:20 +05:30 · 2022-04-20 15:30:20 +05:30 · c74f5b5680
commit c74f5b5680
parent d936c0a5b4
3 changed files with 25 additions and 5 deletions
--- a/pkg/policycache/informer.go
+++ b/pkg/policycache/informer.go
@ -63,8 +63,7 @@ func (c *Controller) updatePolicy(old, cur interface{}) {
 	if reflect.DeepEqual(pOld.Spec, pNew.Spec) {
 		return
 	}
-	c.Cache.remove(pOld)
-	c.Cache.add(pNew)
+	c.Cache.update(pOld, pNew)
 }

 func (c *Controller) deletePolicy(obj interface{}) {
@ -85,8 +84,7 @@ func (c *Controller) updateNsPolicy(old, cur interface{}) {
 	if reflect.DeepEqual(npOld.Spec, npNew.Spec) {
 		return
 	}
-	c.Cache.remove(npOld)
-	c.Cache.add(npNew)
+	c.Cache.update(npOld, npNew)
 }

 // deleteNsPolicy - Delete Policy from cache
--- a/pkg/policycache/policy_cache.go
+++ b/pkg/policycache/policy_cache.go
@ -21,6 +21,9 @@ type Interface interface {
 	// remove removes a policy from the cache
 	remove(kyverno.PolicyInterface)

+	// update update a policy from the cache
+	update(kyverno.PolicyInterface, kyverno.PolicyInterface)
+
 	get(PolicyType, string, string) []string
 }

@ -83,6 +86,11 @@ func (pc *policyCache) remove(p kyverno.PolicyInterface) {
 	pc.logger.V(4).Info("policy is removed from cache", "name", p.GetName())
 }

+func (pc *policyCache) update(oldP kyverno.PolicyInterface, newP kyverno.PolicyInterface) {
+	pc.pMap.update(oldP, newP)
+	pc.logger.V(4).Info("policy is updated from cache", "name", newP.GetName())
+}
+
 func (pc *policyCache) getPolicyObject(key PolicyType, gvk string, nspace string) (policyObject []kyverno.PolicyInterface) {
 	_, kind := kubeutils.GetKindFromGVK(gvk)
 	policyNames := pc.pMap.get(key, kind, nspace)
--- a/pkg/policycache/policy_map.go
+++ b/pkg/policycache/policy_map.go
@ -27,7 +27,9 @@ type pMap struct {
 func (m *pMap) add(policy kyverno.PolicyInterface) {
 	m.lock.Lock()
 	defer m.lock.Unlock()
-
+	m.addPolicyToCache(policy)
+}
+func (m *pMap) addPolicyToCache(policy kyverno.PolicyInterface) {
 	spec := policy.GetSpec()
 	enforcePolicy := spec.GetValidationFailureAction() == kyverno.Enforce
 	for _, k := range spec.ValidationFailureActionOverrides {
@ -69,6 +71,7 @@ func (m *pMap) add(policy kyverno.PolicyInterface) {
 	m.nameCacheMap[ValidateAudit] = validateAuditMap
 	m.nameCacheMap[Generate] = generateMap
 	m.nameCacheMap[VerifyImages] = imageVerifyMap
+
 }

 func (m *pMap) get(key PolicyType, gvk, namespace string) (names []string) {
@ -91,6 +94,10 @@ func (m *pMap) get(key PolicyType, gvk, namespace string) (names []string) {
 func (m *pMap) remove(policy kyverno.PolicyInterface) {
 	m.lock.Lock()
 	defer m.lock.Unlock()
+	m.removePolicyFromCache(policy)
+
+}
+func (m *pMap) removePolicyFromCache(policy kyverno.PolicyInterface) {
 	var pName = policy.GetName()
 	pSpace := policy.GetNamespace()
 	if pSpace != "" {
@ -113,6 +120,13 @@ func (m *pMap) remove(policy kyverno.PolicyInterface) {
 	}
 }

+func (m *pMap) update(old kyverno.PolicyInterface, new kyverno.PolicyInterface) {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	m.removePolicyFromCache(old)
+	m.addPolicyToCache(new)
+}
+
 func addCacheHelper(rmr kyverno.ResourceFilter, m *pMap, rule kyverno.Rule, mutateMap map[string]bool, pName string, enforcePolicy bool, validateEnforceMap map[string]bool, validateAuditMap map[string]bool, generateMap map[string]bool, imageVerifyMap map[string]bool) {
 	for _, gvk := range rmr.Kinds {
 		_, k := kubeutils.GetKindFromGVK(gvk)