Cleanup the UR for mutate policies once it's completed (#3923)

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/background/common/status.go

@@ -13,7 +13,7 @@ import (
 type StatusControlInterface interface {
 	Failed(ur urkyverno.UpdateRequest, message string, genResources []kyverno.ResourceSpec) error
 	Success(ur urkyverno.UpdateRequest, genResources []kyverno.ResourceSpec) error
-	Skip(gr urkyverno.UpdateRequest, genResources []kyverno.ResourceSpec) error
+	Skip(ur urkyverno.UpdateRequest, genResources []kyverno.ResourceSpec) error
 }
 
 // StatusControl is default implementaation of GRStatusControlInterface

pkg/background/request_process.go

@@ -47,6 +47,10 @@ func (c *Controller) UnmarkUR(ur *urkyverno.UpdateRequest) error {
 		return err
 	}
 
+	if ur.Spec.Type == urkyverno.Mutate && ur.Status.State == urkyverno.Completed {
+		return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).Delete(context.TODO(), ur.GetName(), metav1.DeleteOptions{})
+	}
+
 	newUR.Status.Handler = ""
 	_, err = c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace).UpdateStatus(context.TODO(), newUR, metav1.UpdateOptions{})
 	return err

pkg/background/update_request_controller.go

@@ -209,7 +209,7 @@ func (c *Controller) syncUpdateRequest(key string) error {
 	}
 
 	if err = c.UnmarkUR(ur); err != nil {
-		return fmt.Errorf("failed to un-mark UR %s: %v", key, err)
+		return fmt.Errorf("failed to unmark UR %s: %v", key, err)
 	}
 
 	return nil

pkg/webhooks/updaterequest.go

@@ -36,6 +36,11 @@ func (ws *WebhookServer) handleMutateExisting(request *admissionv1.AdmissionRequ
 		policyContext.NewResource = policyContext.OldResource
 	}
 
+	if request.Operation == admissionv1.Update && policyContext.NewResource.GetDeletionTimestamp() != nil {
+		logger.V(4).Info("skip creating UR for the trigger resource that is in termination")
+		return
+	}
+
 	var engineResponses []*response.EngineResponse
 	for _, policy := range policies {
 		if !policy.GetSpec().IsMutateExisting() {