From d7a37924a99faef26360fc131e1167275edad20e Mon Sep 17 00:00:00 2001
From: shuting
Date: Fri, 7 Mar 2025 16:07:50 +0800
Subject: [PATCH] feat: skip applying a VP which is converted to VAP (#12312)
* feat: skip vpol application if it's converted to vap
Signed-off-by: ShutingZhao
* fix: add missing error checks
Signed-off-by: ShutingZhao
---------
Signed-off-by: ShutingZhao
---
 pkg/cel/engine/provider.go | 7 +++++++
 .../validatingadmissionpolicy-generate/controller.go | 11 +++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/pkg/cel/engine/provider.go b/pkg/cel/engine/provider.go
index 7f844b3a7e..e48079330d 100644
--- a/pkg/cel/engine/provider.go
+++ b/pkg/cel/engine/provider.go
@@ -161,6 +161,13 @@ func (r *policyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 if err != nil {
 return ctrl.Result{}, err
 }
+
+ if policy.GetStatus().Generated {
+ r.lock.Lock()
+ defer r.lock.Unlock()
+ delete(r.policies, req.NamespacedName.String())
+ return ctrl.Result{}, nil
+ }
 // get exceptions that match the policy
 exceptions, err := r.ListExceptions(policy.GetName())
 if err != nil {
diff --git a/pkg/controllers/validatingadmissionpolicy-generate/controller.go b/pkg/controllers/validatingadmissionpolicy-generate/controller.go
index 50ee1781ac..e14344c5f0 100644
--- a/pkg/controllers/validatingadmissionpolicy-generate/controller.go
+++ b/pkg/controllers/validatingadmissionpolicy-generate/controller.go
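Review bot: The new early return in Reconcile (pkg/cel/engine/provider.go) drops the policy from `r.policies` based only on `policy.GetStatus().Generated`, without confirming that the generated ValidatingAdmissionPolicy and its binding still exist. Status is a separately writable subresource, so a stale or wrongly set Generated flag would presumably leave the policy enforced by neither Kyverno nor the API server. Consider checking that the VAP and binding are present before deleting, or at least restricting and auditing write access to the status subresource. The block also carries no comment; I would add `// status.Generated: a ValidatingAdmissionPolicy was generated for this policy and the API server enforces it, so drop it from the engine's set` above the `if`. Reconcile's body starts and continues outside the hunk.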
@@ -519,14 +519,21 @@ func (c *controller) updatePolicyStatus(ctx context.Context, policy engineapi.Ge latest.Status.ValidatingAdmissionPolicy.Generated = generated latest.Status.ValidatingAdmissionPolicy.Message = msg - new, _ := c.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{}) + new, err := c.kyvernoClient.KyvernoV1().ClusterPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{}) + if err != nil { + logging.Error(err, "failed to update cluster policy status", cpol.GetName(), "status", new.Status) + } logging.V(3).Info("updated cluster policy status", "name", cpol.GetName(), "status", new.Status) } else if vpol := policy.AsValidatingPolicy(); vpol != nil { latest := vpol.DeepCopy() latest.Status.Generated = generated latest.Status.Message = msg - new, _ := c.kyvernoClient.PoliciesV1alpha1().ValidatingPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{}) + new, err := c.kyvernoClient.PoliciesV1alpha1().ValidatingPolicies().UpdateStatus(ctx, latest, metav1.UpdateOptions{}) + if err != nil { + logging.Error(err, "failed to update validating policy status", vpol.GetName(), "status", new.Status) + } + logging.V(3).Info("updated validating policy status", "name", vpol.GetName(), "status", new.Status) } }
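Review bot: Both added `if err != nil` blocks in updatePolicyStatus log the failure and then fall through to the `updated ... policy status` message. Both also read `new.Status`, which is meaningless after a failed update and may be a nil dereference if the client returns a nil object on error (the generated fake clientsets do). The key/value list passed to logging.Error is malformed as well, since `cpol.GetName()` and `vpol.GetName()` are passed without a `"name"` key. I would change the first branch to `logging.Error(err, "failed to update cluster policy status", "name", cpol.GetName())` followed by `return`, and do the same with `vpol` in the second. The other file in this commit skips engine evaluation based on this status field, so a swallowed failure here can leave that decision stale; surfacing the error for a requeue may be worth it, though the function's signature is only partly visible in the hunk.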