
feat: use pointer in rule (#11037)

* feat: use pointer in rule

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix unit tests

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix policy controller

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2024-09-09 15:10:02 +02:00 committed by GitHub
parent 16d59407d1
commit d5dcd4611d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 23 additions and 16 deletions


@ -97,7 +97,7 @@ type Rule struct {
// Generation is used to create new resources.
// +optional
Generation Generation `json:"generate,omitempty"`
Generation *Generation `json:"generate,omitempty"`
// VerifyImages is used to verify image signatures and mutate them to add a digest
// +optional
@ -200,7 +200,7 @@ func (r *Rule) HasValidateAllowExistingViolations() bool {
// HasGenerate checks for generate rule
func (r *Rule) HasGenerate() bool {
return !datautils.DeepEqual(r.Generation, Generation{})
return r.Generation != nil && !datautils.DeepEqual(*r.Generation, Generation{})
}
func (r *Rule) IsPodSecurity() bool {
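Review bot: The new `HasGenerate` is the only nil guard callers get for the now-pointer `Generation` field, and its doc comment does not say that it also returns false for a non-nil but empty block, which is what makes every later `*r.Generation` dereference safe only behind this check; suggest `// HasGenerate reports whether the rule carries a non-nil, non-empty generate block; callers must not dereference Generation unless this returns true.`. Note too that `omitempty` only takes effect on the pointer form (encoding/json never omits an empty struct value), so rules without a generate block will stop serializing an empty `generate` object after this change. That is likely the intent, but it is a wire-format change worth calling out in the commit description.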


@ -1407,7 +1407,11 @@ func (in *Rule) DeepCopyInto(out *Rule) {
}
in.Mutation.DeepCopyInto(&out.Mutation)
in.Validation.DeepCopyInto(&out.Validation)
in.Generation.DeepCopyInto(&out.Generation)
if in.Generation != nil {
in, out := &in.Generation, &out.Generation
*out = new(Generation)
(*in).DeepCopyInto(*out)
}
if in.VerifyImages != nil {
in, out := &in.VerifyImages, &out.VerifyImages
*out = make([]ImageVerification, len(*in))


@ -385,7 +385,7 @@ func TestAddOperationsForMutatingtingWebhookConfMultiplePolicies(t *testing.T) {
Spec: kyverno.Spec{
Rules: []kyverno.Rule{
{
Generation: kyverno.Generation{},
Generation: &kyverno.Generation{},
MatchResources: kyverno.MatchResources{
ResourceDescription: kyverno.ResourceDescription{
Kinds: []string{"Deployments", "StatefulSet", "DaemonSet", "Job"},


@ -29,7 +29,7 @@ func ParseRuleType(rule kyvernov1.Rule) RuleType {
if !datautils.DeepEqual(rule.Mutation, kyvernov1.Mutation{}) {
return Mutate
}
if !datautils.DeepEqual(rule.Generation, kyvernov1.Generation{}) {
if rule.Generation != nil && !datautils.DeepEqual(*rule.Generation, kyvernov1.Generation{}) {
return Generate
}
if len(rule.VerifyImages) > 0 {
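Review bot: The new condition in ParseRuleType re-implements `Rule.HasGenerate` inline (`rule.Generation != nil && !datautils.DeepEqual(*rule.Generation, kyvernov1.Generation{})`), so the two definitions of "this rule generates" can drift apart the next time the field changes shape. `rule` is a by-value parameter and therefore addressable, so `if rule.HasGenerate() {` compiles against the pointer receiver and keeps a single source of truth. The rest of ParseRuleType continues outside the hunk.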


@ -39,6 +39,9 @@ func (pc *policyController) syncDataPolicyChanges(policy kyvernov1.PolicyInterfa
var err error
ur := newGenerateUR(policy)
for _, rule := range policy.GetSpec().Rules {
if !rule.HasGenerate() {
continue
}
generate := rule.Generation
if !generate.Synchronize {
continue
@ -48,7 +51,6 @@ func (pc *policyController) syncDataPolicyChanges(policy kyvernov1.PolicyInterfa
errs = append(errs, err)
}
}
for _, foreach := range generate.ForEachGeneration {
if foreach.GetData() != nil {
if ur, err = pc.buildUrForDataRuleChanges(policy, ur, rule.Name, foreach.GeneratePattern, deleteDownstream, false); err != nil {
@ -57,7 +59,6 @@ func (pc *policyController) syncDataPolicyChanges(policy kyvernov1.PolicyInterfa
}
}
}
if len(ur.Spec.RuleContext) == 0 {
return multierr.Combine(errs...)
}
@ -88,7 +89,6 @@ func (pc *policyController) handleGenerateForExisting(policy kyvernov1.PolicyInt
if !rule.HasGenerate() {
continue
}
// check if the rule sets the generateExisting field.
// if not, use the policy level setting
generateExisting := rule.Generation.GenerateExisting
@ -99,7 +99,6 @@ func (pc *policyController) handleGenerateForExisting(policy kyvernov1.PolicyInt
} else if !policy.GetSpec().GenerateExisting {
continue
}
triggers = getTriggers(pc.client, rule, policy.IsNamespaced(), policy.GetNamespace(), pc.log)
policyNew.GetSpec().SetRules([]kyvernov1.Rule{rule})
for _, trigger := range triggers {
@ -109,7 +108,6 @@ func (pc *policyController) handleGenerateForExisting(policy kyvernov1.PolicyInt
errors = append(errors, fmt.Errorf("failed to build policy context for rule %s: %w", rule.Name, err))
continue
}
engineResponse := pc.engine.ApplyBackgroundChecks(context.TODO(), policyContext)
if len(engineResponse.PolicyResponse.Rules) == 0 {
continue
@ -148,6 +146,9 @@ func (pc *policyController) createURForDownstreamDeletion(policy kyvernov1.Polic
rules := autogen.ComputeRules(policy, "")
ur := newGenerateUR(policy)
for _, r := range rules {
if !r.HasGenerate() {
continue
}
generate := r.Generation
if !generate.Synchronize {
continue
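Review bot: With `Generation` now a pointer, `generate := rule.Generation` in syncDataPolicyChanges (and the same line in createURForDownstreamDeletion) aliases the Generation block owned by the policy object instead of holding the copy the range variable used to give it, and `policyNew.GetSpec().SetRules([]kyvernov1.Rule{rule})` in handleGenerateForExisting now shares that block between `policy` and `policyNew`. Nothing visible in these hunks writes through `generate` or mutates `policyNew`'s generate block, but all three functions continue outside the hunk, so this is worth confirming; if isolation is needed, take a copy with `g := *rule.Generation` before handing it on. The new `if !rule.HasGenerate() { continue }` guards correctly protect the dereferences that follow them.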


@ -246,7 +246,7 @@ func createRule(f *fuzz.ConsumeFuzzer) (*kyvernov1.Rule, error) {
if err != nil {
return rule, err
}
rule.Generation = *g
rule.Generation = g
}
setVerifyImages, err := f.GetBool()


@ -70,7 +70,7 @@ func validateActions(idx int, rule *kyvernov1.Rule, client dclient.Interface, mo
// generate uses selfSubjectReviews to verify actions
// this need to modified to use different implementation for online and offline mode
if mock {
checker = generate.NewFakeGenerate(rule.Generation)
checker = generate.NewFakeGenerate(*rule.Generation)
if w, path, err := checker.Validate(context.TODO(), nil); err != nil {
return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
} else if warnings != nil {
@ -79,14 +79,14 @@ func validateActions(idx int, rule *kyvernov1.Rule, client dclient.Interface, mo
} else {
if rule.Generation.Synchronize {
admissionSA := fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName())
checker = generate.NewGenerateFactory(client, rule.Generation, admissionSA, logging.GlobalLogger())
checker = generate.NewGenerateFactory(client, *rule.Generation, admissionSA, logging.GlobalLogger())
if w, path, err := checker.Validate(context.TODO(), []string{"list", "get"}); err != nil {
return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
} else if warnings != nil {
warnings = append(warnings, w...)
}
}
checker = generate.NewGenerateFactory(client, rule.Generation, backgroundSA, logging.GlobalLogger())
checker = generate.NewGenerateFactory(client, *rule.Generation, backgroundSA, logging.GlobalLogger())
if w, path, err := checker.Validate(context.TODO(), nil); err != nil {
return nil, fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", idx, path, err)
} else if warnings != nil {
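Review bot: `*rule.Generation` in the three NewFakeGenerate/NewGenerateFactory calls and `rule.Generation.Synchronize` in the else branch dereference the now-pointer field without a nil check, so a rule that reaches this code with no generate block panics rather than returning a validation error. validateActions starts outside the hunk; if the generate branch is only entered after a `rule.HasGenerate()` test this is fine, otherwise add a guard before the `if mock {` line, e.g. `if rule.Generation == nil { return warnings, nil }` (adjusting the first return value to whatever the function actually returns on the no-op path). A unit test with `Generation: nil` would pin either behaviour.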


@ -743,8 +743,10 @@ func buildContext(rule *kyvernov1.Rule, background bool, target bool) *enginecon
for _, fe := range rule.Mutation.Targets {
addContextVariables(fe.Context, ctx)
}
for _, fe := range rule.Generation.ForEachGeneration {
addContextVariables(fe.Context, ctx)
if rule.HasGenerate() {
for _, fe := range rule.Generation.ForEachGeneration {
addContextVariables(fe.Context, ctx)
}
}
return ctx
}
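Review bot: `if rule.HasGenerate() {` in buildContext pays a `datautils.DeepEqual` against an empty Generation on every call only to avoid a nil dereference, and an empty block has no ForEachGeneration entries anyway, so `if rule.Generation != nil {` is equivalent here and cheaper. This is purely a style point; the guard as written is correct. buildContext starts outside the hunk.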