mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

fix: stop mutation policies when autogen internals is enabled (#4004)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Charles-Edouard Brétéché 2022-05-24 13:08:29 +02:00 committed by GitHub
parent e47176d695
commit c9f8a68d8a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -26,6 +26,7 @@ import (
"github.com/kyverno/kyverno/pkg/event" "github.com/kyverno/kyverno/pkg/event"
"github.com/kyverno/kyverno/pkg/metrics" "github.com/kyverno/kyverno/pkg/metrics"
"github.com/kyverno/kyverno/pkg/policyreport" "github.com/kyverno/kyverno/pkg/policyreport"
"github.com/kyverno/kyverno/pkg/toggle"
"github.com/kyverno/kyverno/pkg/utils" "github.com/kyverno/kyverno/pkg/utils"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/errors"
@ -176,11 +177,13 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
// register kyverno_policy_changes_total metric concurrently // register kyverno_policy_changes_total metric concurrently
go pc.registerPolicyChangesMetricAddPolicy(logger, p) go pc.registerPolicyChangesMetricAddPolicy(logger, p)
if p.Spec.Background == nil || p.Spec.ValidationFailureAction == "" || missingAutoGenRules(p, logger) { if !toggle.AutogenInternals() {
pol, _ := utilscommon.MutatePolicy(p, logger) if p.Spec.Background == nil || p.Spec.ValidationFailureAction == "" || missingAutoGenRules(p, logger) {
_, err := pc.kyvernoClient.KyvernoV1().ClusterPolicies().Update(context.TODO(), pol.(*kyvernov1.ClusterPolicy), metav1.UpdateOptions{}) pol, _ := utilscommon.MutatePolicy(p, logger)
if err != nil { _, err := pc.kyvernoClient.KyvernoV1().ClusterPolicies().Update(context.TODO(), pol.(*kyvernov1.ClusterPolicy), metav1.UpdateOptions{})
logger.Error(err, "failed to add policy ") if err != nil {
logger.Error(err, "failed to add policy ")
}
} }
} }
@ -202,11 +205,13 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
// register kyverno_policy_changes_total metric concurrently // register kyverno_policy_changes_total metric concurrently
go pc.registerPolicyChangesMetricUpdatePolicy(logger, oldP, curP) go pc.registerPolicyChangesMetricUpdatePolicy(logger, oldP, curP)
if curP.Spec.Background == nil || curP.Spec.ValidationFailureAction == "" || missingAutoGenRules(curP, logger) { if !toggle.AutogenInternals() {
pol, _ := utilscommon.MutatePolicy(curP, logger) if curP.Spec.Background == nil || curP.Spec.ValidationFailureAction == "" || missingAutoGenRules(curP, logger) {
_, err := pc.kyvernoClient.KyvernoV1().ClusterPolicies().Update(context.TODO(), pol.(*kyvernov1.ClusterPolicy), metav1.UpdateOptions{}) pol, _ := utilscommon.MutatePolicy(curP, logger)
if err != nil { _, err := pc.kyvernoClient.KyvernoV1().ClusterPolicies().Update(context.TODO(), pol.(*kyvernov1.ClusterPolicy), metav1.UpdateOptions{})
logger.Error(err, "failed to update policy ") if err != nil {
logger.Error(err, "failed to update policy ")
}
} }
} }
@ -271,14 +276,17 @@ func (pc *PolicyController) addNsPolicy(obj interface{}) {
logger.Info("policy created", "uid", p.UID, "kind", "Policy", "name", p.Name, "namespaces", p.Namespace) logger.Info("policy created", "uid", p.UID, "kind", "Policy", "name", p.Name, "namespaces", p.Namespace)
spec := p.GetSpec() if !toggle.AutogenInternals() {
if spec.Background == nil || spec.ValidationFailureAction == "" || missingAutoGenRules(p, logger) { spec := p.GetSpec()
nsPol, _ := utilscommon.MutatePolicy(p, logger) if spec.Background == nil || spec.ValidationFailureAction == "" || missingAutoGenRules(p, logger) {
_, err := pc.kyvernoClient.KyvernoV1().Policies(p.Namespace).Update(context.TODO(), nsPol.(*kyvernov1.Policy), metav1.UpdateOptions{}) nsPol, _ := utilscommon.MutatePolicy(p, logger)
if err != nil { _, err := pc.kyvernoClient.KyvernoV1().Policies(p.Namespace).Update(context.TODO(), nsPol.(*kyvernov1.Policy), metav1.UpdateOptions{})
logger.Error(err, "failed to add namespace policy") if err != nil {
logger.Error(err, "failed to add namespace policy")
}
} }
} }
if !pc.canBackgroundProcess(p) { if !pc.canBackgroundProcess(p) {
return return
} }
@ -296,11 +304,13 @@ func (pc *PolicyController) updateNsPolicy(old, cur interface{}) {
// register kyverno_policy_changes_total metric concurrently // register kyverno_policy_changes_total metric concurrently
go pc.registerPolicyChangesMetricUpdatePolicy(logger, oldP, curP) go pc.registerPolicyChangesMetricUpdatePolicy(logger, oldP, curP)
if curP.Spec.Background == nil || curP.Spec.ValidationFailureAction == "" || missingAutoGenRules(curP, logger) { if !toggle.AutogenInternals() {
nsPol, _ := utilscommon.MutatePolicy(curP, logger) if curP.Spec.Background == nil || curP.Spec.ValidationFailureAction == "" || missingAutoGenRules(curP, logger) {
_, err := pc.kyvernoClient.KyvernoV1().Policies(curP.GetNamespace()).Update(context.TODO(), nsPol.(*kyvernov1.Policy), metav1.UpdateOptions{}) nsPol, _ := utilscommon.MutatePolicy(curP, logger)
if err != nil { _, err := pc.kyvernoClient.KyvernoV1().Policies(curP.GetNamespace()).Update(context.TODO(), nsPol.(*kyvernov1.Policy), metav1.UpdateOptions{})
logger.Error(err, "failed to update namespace policy ") if err != nil {
logger.Error(err, "failed to update namespace policy ")
}
} }
} }
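Review bot: In all four handlers (addPolicy, updatePolicy, addNsPolicy, updateNsPolicy) the re-indented lines still discard the error from `utilscommon.MutatePolicy` with `pol, _ :=` and then type-assert the result unchecked inside the `Update` call. Depending on what MutatePolicy returns on failure (not visible here), that either panics the event handler or writes back a policy that was not fully mutated. Since the lines are being touched anyway, keep the error and skip the write on failure, e.g. `pol, err := utilscommon.MutatePolicy(p, logger)` then `if err != nil { logger.Error(err, "failed to mutate policy") } else if cpol, ok := pol.(*kyvernov1.ClusterPolicy); ok { /* Update */ }`. Separately, the new `if !toggle.AutogenInternals()` guard wraps the `Spec.Background == nil` and `Spec.ValidationFailureAction == ""` conditions as well as `missingAutoGenRules`, so with the toggle on those fields are presumably no longer defaulted on the stored object. A comment such as `// defaults for Background/ValidationFailureAction are applied at read time when autogen internals is enabled` (once confirmed) would help, because an empty failure action on an admission policy determines whether violations are blocked or only reported. The handler bodies start and end outside these hunks.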