
Merge pull request #1275 from realshuting/bug_fixes

Bug fix - failed to generate reportChangeRequest due to exceeding the label size limit
This commit is contained in:
Jim Bugwadia 2020-11-18 15:30:28 -08:00 committed by GitHub
commit ed37395fbd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 210 additions and 99 deletions


@ -1263,13 +1263,34 @@ spec:
kind: GenerateRequest
listKind: GenerateRequestList
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
versions:
- name: v1
- additionalPrinterColumns:
- jsonPath: .spec.policy
name: Policy
type: string
- jsonPath: .spec.resource.kind
name: ResourceKind
type: string
- jsonPath: .spec.resource.name
name: ResourceName
type: string
- jsonPath: .spec.resource.namespace
name: ResourceNamespace
type: string
- jsonPath: .status.state
name: status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: GenerateRequest is a request to process generate rule
description: GenerateRequest is a request to process generate rule.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@ -1284,31 +1305,31 @@ spec:
metadata:
type: object
spec:
description: Spec is the information to identify the generate request
description: Spec is the information to identify the generate request.
properties:
context:
description: Context ...
properties:
userInfo:
description: RequestInfo contains permission info carried in an
admission request
admission request.
properties:
clusterRoles:
description: ClusterRoles is a list of possible clusterRoles
send the request
send the request.
items:
type: string
nullable: true
type: array
roles:
description: Roles is a list of possible role send the request
description: Roles is a list of possible role send the request.
items:
type: string
nullable: true
type: array
userInfo:
description: UserInfo is the userInfo carried in the admission
request
request.
properties:
extra:
additionalProperties:
@ -1339,11 +1360,11 @@ spec:
type: object
type: object
policy:
description: Specifies the name of the policy
description: Specifies the name of the policy.
type: string
resource:
description: ResourceSpec is the information to identify the generate
request
request.
properties:
apiVersion:
description: APIVersion specifies resource apiVersion.
@ -1364,11 +1385,11 @@ spec:
- resource
type: object
status:
description: Status contains statistics related to generate request
description: Status contains statistics related to generate request.
properties:
generatedResources:
description: This will track the resources that are generated by the
generate Policy Will be used during clean up resources
generate Policy. Will be used during clean up resources.
items:
description: ResourceSpec contains information to identify a resource.
properties:
@ -1387,20 +1408,21 @@ spec:
type: object
type: array
message:
description: Specifies request status message
description: Specifies request status message.
type: string
state:
description: State represents state of the generate request
description: State represents state of the generate request.
type: string
required:
- state
type: object
required:
- spec
- status
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
@ -2658,4 +2680,4 @@ status:
kind: ""
plural: ""
conditions: []
storedVersions: []
storedVersions: []


@ -13,13 +13,34 @@ spec:
kind: GenerateRequest
listKind: GenerateRequestList
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
versions:
- name: v1
- additionalPrinterColumns:
- jsonPath: .spec.policy
name: Policy
type: string
- jsonPath: .spec.resource.kind
name: ResourceKind
type: string
- jsonPath: .spec.resource.name
name: ResourceName
type: string
- jsonPath: .spec.resource.namespace
name: ResourceNamespace
type: string
- jsonPath: .status.state
name: status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: GenerateRequest is a request to process generate rule
description: GenerateRequest is a request to process generate rule.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@ -34,31 +55,31 @@ spec:
metadata:
type: object
spec:
description: Spec is the information to identify the generate request
description: Spec is the information to identify the generate request.
properties:
context:
description: Context ...
properties:
userInfo:
description: RequestInfo contains permission info carried in an
admission request
admission request.
properties:
clusterRoles:
description: ClusterRoles is a list of possible clusterRoles
send the request
send the request.
items:
type: string
nullable: true
type: array
roles:
description: Roles is a list of possible role send the request
description: Roles is a list of possible role send the request.
items:
type: string
nullable: true
type: array
userInfo:
description: UserInfo is the userInfo carried in the admission
request
request.
properties:
extra:
additionalProperties:
@ -89,11 +110,11 @@ spec:
type: object
type: object
policy:
description: Specifies the name of the policy
description: Specifies the name of the policy.
type: string
resource:
description: ResourceSpec is the information to identify the generate
request
request.
properties:
apiVersion:
description: APIVersion specifies resource apiVersion.
@ -114,11 +135,11 @@ spec:
- resource
type: object
status:
description: Status contains statistics related to generate request
description: Status contains statistics related to generate request.
properties:
generatedResources:
description: This will track the resources that are generated by the
generate Policy Will be used during clean up resources
generate Policy. Will be used during clean up resources.
items:
description: ResourceSpec contains information to identify a resource.
properties:
@ -137,20 +158,21 @@ spec:
type: object
type: array
message:
description: Specifies request status message
description: Specifies request status message.
type: string
state:
description: State represents state of the generate request
description: State represents state of the generate request.
type: string
required:
- state
type: object
required:
- spec
- status
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""


@ -1268,13 +1268,34 @@ spec:
kind: GenerateRequest
listKind: GenerateRequestList
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
versions:
- name: v1
- additionalPrinterColumns:
- jsonPath: .spec.policy
name: Policy
type: string
- jsonPath: .spec.resource.kind
name: ResourceKind
type: string
- jsonPath: .spec.resource.name
name: ResourceName
type: string
- jsonPath: .spec.resource.namespace
name: ResourceNamespace
type: string
- jsonPath: .status.state
name: status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: GenerateRequest is a request to process generate rule
description: GenerateRequest is a request to process generate rule.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@ -1289,31 +1310,31 @@ spec:
metadata:
type: object
spec:
description: Spec is the information to identify the generate request
description: Spec is the information to identify the generate request.
properties:
context:
description: Context ...
properties:
userInfo:
description: RequestInfo contains permission info carried in an
admission request
admission request.
properties:
clusterRoles:
description: ClusterRoles is a list of possible clusterRoles
send the request
send the request.
items:
type: string
nullable: true
type: array
roles:
description: Roles is a list of possible role send the request
description: Roles is a list of possible role send the request.
items:
type: string
nullable: true
type: array
userInfo:
description: UserInfo is the userInfo carried in the admission
request
request.
properties:
extra:
additionalProperties:
@ -1344,11 +1365,11 @@ spec:
type: object
type: object
policy:
description: Specifies the name of the policy
description: Specifies the name of the policy.
type: string
resource:
description: ResourceSpec is the information to identify the generate
request
request.
properties:
apiVersion:
description: APIVersion specifies resource apiVersion.
@ -1369,11 +1390,11 @@ spec:
- resource
type: object
status:
description: Status contains statistics related to generate request
description: Status contains statistics related to generate request.
properties:
generatedResources:
description: This will track the resources that are generated by the
generate Policy Will be used during clean up resources
generate Policy. Will be used during clean up resources.
items:
description: ResourceSpec contains information to identify a resource.
properties:
@ -1392,20 +1413,21 @@ spec:
type: object
type: array
message:
description: Specifies request status message
description: Specifies request status message.
type: string
state:
description: State represents state of the generate request
description: State represents state of the generate request.
type: string
required:
- state
type: object
required:
- spec
- status
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
@ -3125,4 +3147,4 @@ spec:
runAsUser: 1000
securityContext:
runAsNonRoot: true
serviceAccountName: kyverno-service-account
serviceAccountName: kyverno-service-account


@ -1268,13 +1268,34 @@ spec:
kind: GenerateRequest
listKind: GenerateRequestList
plural: generaterequests
shortNames:
- gr
singular: generaterequest
scope: Namespaced
versions:
- name: v1
- additionalPrinterColumns:
- jsonPath: .spec.policy
name: Policy
type: string
- jsonPath: .spec.resource.kind
name: ResourceKind
type: string
- jsonPath: .spec.resource.name
name: ResourceName
type: string
- jsonPath: .spec.resource.namespace
name: ResourceNamespace
type: string
- jsonPath: .status.state
name: status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: GenerateRequest is a request to process generate rule
description: GenerateRequest is a request to process generate rule.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
@ -1289,31 +1310,31 @@ spec:
metadata:
type: object
spec:
description: Spec is the information to identify the generate request
description: Spec is the information to identify the generate request.
properties:
context:
description: Context ...
properties:
userInfo:
description: RequestInfo contains permission info carried in an
admission request
admission request.
properties:
clusterRoles:
description: ClusterRoles is a list of possible clusterRoles
send the request
send the request.
items:
type: string
nullable: true
type: array
roles:
description: Roles is a list of possible role send the request
description: Roles is a list of possible role send the request.
items:
type: string
nullable: true
type: array
userInfo:
description: UserInfo is the userInfo carried in the admission
request
request.
properties:
extra:
additionalProperties:
@ -1344,11 +1365,11 @@ spec:
type: object
type: object
policy:
description: Specifies the name of the policy
description: Specifies the name of the policy.
type: string
resource:
description: ResourceSpec is the information to identify the generate
request
request.
properties:
apiVersion:
description: APIVersion specifies resource apiVersion.
@ -1369,11 +1390,11 @@ spec:
- resource
type: object
status:
description: Status contains statistics related to generate request
description: Status contains statistics related to generate request.
properties:
generatedResources:
description: This will track the resources that are generated by the
generate Policy Will be used during clean up resources
generate Policy. Will be used during clean up resources.
items:
description: ResourceSpec contains information to identify a resource.
properties:
@ -1392,20 +1413,21 @@ spec:
type: object
type: array
message:
description: Specifies request status message
description: Specifies request status message.
type: string
state:
description: State represents state of the generate request
description: State represents state of the generate request.
type: string
required:
- state
type: object
required:
- spec
- status
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
@ -3036,4 +3058,4 @@ spec:
- port: 443
targetPort: https
selector:
app: kyverno
app: kyverno

go.sum

@ -1005,6 +1005,7 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=


@ -5,79 +5,96 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// GenerateRequest is a request to process generate rule.
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
//GenerateRequest is a request to process generate rule
// +kubebuilder:object:root=true
// +kubebuilder:subresource:status
// +kubebuilder:printcolumn:name="Policy",type="string",JSONPath=".spec.policy"
// +kubebuilder:printcolumn:name="ResourceKind",type="string",JSONPath=".spec.resource.kind"
// +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name"
// +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace"
// +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
// +kubebuilder:resource:shortName=gr
type GenerateRequest struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
// Spec is the information to identify the generate request
// Spec is the information to identify the generate request.
Spec GenerateRequestSpec `json:"spec" yaml:"spec"`
// Status contains statistics related to generate request
// Status contains statistics related to generate request.
// +optional
Status GenerateRequestStatus `json:"status" yaml:"status"`
}
//GenerateRequestSpec stores the request specification
// GenerateRequestSpec stores the request specification.
type GenerateRequestSpec struct {
// Specifies the name of the policy
// Specifies the name of the policy.
Policy string `json:"policy" yaml:"policy"`
// ResourceSpec is the information to identify the generate request
// ResourceSpec is the information to identify the generate request.
Resource ResourceSpec `json:"resource" yaml:"resource"`
// Context ...
Context GenerateRequestContext `json:"context" yaml:"context"`
}
//GenerateRequestContext stores the context to be shared
// GenerateRequestContext stores the context to be shared.
type GenerateRequestContext struct {
// +optional
UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`
}
// RequestInfo contains permission info carried in an admission request
// RequestInfo contains permission info carried in an admission request.
type RequestInfo struct {
// Roles is a list of possible role send the request
// Roles is a list of possible role send the request.
// +nullable
// +optional
Roles []string `json:"roles" yaml:"roles"`
// ClusterRoles is a list of possible clusterRoles send the request
// ClusterRoles is a list of possible clusterRoles send the request.
// +nullable
// +optional
ClusterRoles []string `json:"clusterRoles" yaml:"clusterRoles"`
// UserInfo is the userInfo carried in the admission request
// UserInfo is the userInfo carried in the admission request.
// +optional
AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"`
}
//GenerateRequestStatus stores the status of generated request
// GenerateRequestStatus stores the status of generated request.
type GenerateRequestStatus struct {
// State represents state of the generate request
// State represents state of the generate request.
State GenerateRequestState `json:"state" yaml:"state"`
// Specifies request status message
// Specifies request status message.
// +optional
Message string `json:"message,omitempty" yaml:"message,omitempty"`
// This will track the resources that are generated by the generate Policy
// Will be used during clean up resources
// This will track the resources that are generated by the generate Policy.
// Will be used during clean up resources.
GeneratedResources []ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
}
//GenerateRequestState defines the state of
// GenerateRequestState defines the state of request.
type GenerateRequestState string
const (
//Pending - the Request is yet to be processed or resource has not been created
// Pending - the Request is yet to be processed or resource has not been created.
Pending GenerateRequestState = "Pending"
//Failed - the Generate Request Controller failed to process the rules
// Failed - the Generate Request Controller failed to process the rules.
Failed GenerateRequestState = "Failed"
//Completed - the Generate Request Controller created resources defined in the policy
// Completed - the Generate Request Controller created resources defined in the policy.
Completed GenerateRequestState = "Completed"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
//GenerateRequestList stores the list of generate requests
// GenerateRequestList stores the list of generate requests.
type GenerateRequestList struct {
metav1.TypeMeta `json:",inline" yaml:",inline"`
metav1.ListMeta `json:"metadata" yaml:"metadata"`
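Review bot: `Status` keeps the tag `json:"status" yaml:"status"` while carrying `// +optional`, and the regenerated CRDs in this same commit still list `status` under `required` next to `spec`, so the marker and the published schema disagree; a client that creates a GenerateRequest without a status object would presumably be rejected by the API server even though the type says the field is optional. Changing the tag to `json:"status,omitempty" yaml:"status,omitempty"` would make the generated schema agree with the marker; confirm against the controller-gen version in use, since some releases derive `required` from `omitempty` rather than from `+optional`. The GenerateRequestList struct continues past the end of the hunk.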


@ -2,6 +2,7 @@ package engine
import (
"time"
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/mutate"
@ -109,7 +110,6 @@ func startMutateResultResponse(resp *response.EngineResponse, policy kyverno.Clu
resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
resp.PolicyResponse.Resource.Kind = resource.GetKind()
resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
// TODO(shuting): set response with mutationFailureAction
}
func endMutateResultResponse(logger logr.Logger, resp *response.EngineResponse, startTime time.Time) {


@ -352,7 +352,7 @@ func generateRulePatches(policy kyverno.ClusterPolicy, controllers string, log l
// when serilizing data, we would expect to drop the omitempty key
// otherwise (without the pointer), it will be set to empty value
// - an empty struct in this case, some may fail the schema validation
// TODO(shuting) may related to:
// may related to:
// https://github.com/kyverno/kyverno/pull/549#discussion_r360088556
// https://github.com/kyverno/kyverno/issues/568


@ -21,6 +21,10 @@ import (
const (
clusterreportchangerequest string = "clusterreportchangerequest"
resourceLabelName string = "kyverno.io/resource.name"
resourceLabelKind string = "kyverno.io/resource.kind"
resourceLabelNamespace string = "kyverno.io/resource.namespace"
policyLabel string = "kyverno.io/policy"
deletedLabelResource string = "kyverno.io/delete.resource"
deletedLabelResourceKind string = "kyverno.io/delete.resource.kind"
deletedLabelPolicy string = "kyverno.io/delete.policy"
@ -111,7 +115,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
}
req = &unstructured.Unstructured{Object: obj}
set(req, fmt.Sprintf("reportchangerequest-%s-%s-%s", info.PolicyName, info.Resource.GetNamespace(), info.Resource.GetName()), info)
set(req, info)
} else {
rr := &request.ClusterReportChangeRequest{
Summary: calculateSummary(results),
@ -123,7 +127,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
return nil, err
}
req = &unstructured.Unstructured{Object: obj}
set(req, fmt.Sprintf("%s-%s", clusterreportchangerequest, info.Resource.GetName()), info)
set(req, info)
}
// deletion of a result entry
@ -135,7 +139,7 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
// - set label delete.policy=policyName
if len(info.Rules) == 0 && info.PolicyName == "" {
req.SetLabels(map[string]string{
"namespace": info.Resource.GetNamespace(),
resourceLabelNamespace: info.Resource.GetNamespace(),
deletedLabelResource: info.Resource.GetName(),
deletedLabelResourceKind: info.Resource.GetKind()})
} else if info.PolicyName != "" && reflect.DeepEqual(info.Resource, unstructured.Unstructured{}) {
@ -160,21 +164,23 @@ func (builder *requestBuilder) build(info Info) (req *unstructured.Unstructured,
return req, nil
}
func set(obj *unstructured.Unstructured, name string, info Info) {
func set(obj *unstructured.Unstructured, info Info) {
resource := info.Resource
obj.SetName(name)
obj.SetNamespace(config.KubePolicyNamespace)
obj.SetAPIVersion(request.SchemeGroupVersion.Group + "/" + request.SchemeGroupVersion.Version)
if resource.GetNamespace() == "" {
obj.SetGenerateName(clusterreportchangerequest + "-")
obj.SetKind("ClusterReportChangeRequest")
} else {
obj.SetGenerateName("reportchangerequest-")
obj.SetKind("ReportChangeRequest")
}
obj.SetLabels(map[string]string{
"namespace": resource.GetNamespace(),
"policy": info.PolicyName,
"resource": resource.GetKind() + "-" + resource.GetNamespace() + "-" + resource.GetName(),
resourceLabelNamespace: resource.GetNamespace(),
resourceLabelName: resource.GetName(),
resourceLabelKind: resource.GetKind(),
policyLabel: info.PolicyName,
})
if info.FromSync {
@ -243,7 +249,7 @@ func (builder *requestBuilder) fetchCategory(policy, ns string) string {
}
}
pol, err := builder.polLister.Policies("").Get(policy)
pol, err := builder.polLister.Policies(ns).Get(policy)
if err == nil {
if ann := pol.GetAnnotations(); ann != nil {
return ann[categoryLabel]
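Review bot: Splitting the old combined `resource` label into `resourceLabelName`, `resourceLabelKind` and `resourceLabelNamespace` in `set` shortens each value but does not bound it: Kubernetes label values are limited to 63 characters and a restricted character set, whereas a resource name (and a ClusterPolicy name, stored under `policyLabel`) may be a DNS subdomain of up to 253 characters, so a sufficiently long name can still fail with the error this PR sets out to fix. Consider keeping the full identity in annotations and storing a length-bounded form in the labels, for example through a small helper applied to each value in the `SetLabels` call; plain truncation can make two distinct resources collide, so the annotation (or a hash suffix) is what exact matching should use. Switching to `SetGenerateName` also means every `build` call produces a fresh object name, so the code that decides between updating an existing request and creating a new one now has to find it through the labels — that code is outside this hunk, so it is worth confirming it does not leave duplicate requests behind.
```go
// maxLabelValueLen is the Kubernetes limit on the length of a label value.
const maxLabelValueLen = 63

// labelValue bounds v to a valid label value length; characters that may
// not end a label value are dropped after truncation. Callers that need
// the exact identity should also record it in an annotation.
func labelValue(v string) string {
	if len(v) <= maxLabelValueLen {
		return v
	}
	v = v[:maxLabelValueLen]
	for len(v) > 0 {
		c := v[len(v)-1]
		if c != '-' && c != '_' && c != '.' {
			break
		}
		v = v[:len(v)-1]
	}
	return v
}

// … unchanged: set() up to the SetLabels call …
	obj.SetLabels(map[string]string{
		resourceLabelNamespace: labelValue(resource.GetNamespace()),
		resourceLabelName:      labelValue(resource.GetName()),
		resourceLabelKind:      labelValue(resource.GetKind()),
		policyLabel:            labelValue(info.PolicyName),
	})
```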


@ -22,7 +22,7 @@ func getDeletedResources(aggregatedRequests interface{}) (resources []deletedRes
dr := deletedResource{
kind: labels[deletedLabelResourceKind],
name: labels[deletedLabelResource],
ns: labels["namespace"],
ns: labels[resourceLabelNamespace],
}
resources = append(resources, dr)
@ -33,7 +33,7 @@ func getDeletedResources(aggregatedRequests interface{}) (resources []deletedRes
dr := deletedResource{
kind: labels[deletedLabelResourceKind],
name: labels[deletedLabelResource],
ns: labels["namespace"],
ns: labels[resourceLabelNamespace],
}
resources = append(resources, dr)
}
@ -124,7 +124,7 @@ func generateHashKey(result map[string]interface{}, dr deletedResource) (string,
"%s-%s-%s-%s-%s",
result["policy"],
result["rule"],
resource["name"],
resource["kind"],
resource["namespace"],
resource["name"]), true
}
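Review bot: The reordered key in `generateHashKey` joins five values with `-` without escaping any of them, so a policy, rule, kind or name that itself contains `-` can make two different entries produce the same key (policy `a-b` with rule `c` and policy `a` with rule `b-c` both become `a-b-c…`); the reorder in this hunk does not introduce that, but it is the moment to switch to a separator that cannot appear in Kubernetes object names, such as `/`, which `generateCacheKey` elsewhere in this commit already uses. `result["policy"]`, `result["rule"]` and the `resource[...]` lookups are untyped map reads, so a missing key is formatted as `%!s(<nil>)` rather than reported, while the function still returns `true`; a presence check before the `Sprintf` would keep a malformed result from being keyed as valid. generateHashKey starts before the hunk.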


@ -116,7 +116,7 @@ func generateCacheKey(changeRequest interface{}) string {
return strings.Join([]string{deletedPolicyKey, policy, rule}, "/")
}
ns := label["namespace"]
ns := label[resourceLabelNamespace]
if ns == "" {
ns = "default"
}
@ -398,7 +398,7 @@ func (g *ReportGenerator) aggregateReports(namespace string) (
}
}
selector := labels.SelectorFromSet(labels.Set(map[string]string{"namespace": namespace}))
selector := labels.SelectorFromSet(labels.Set(map[string]string{resourceLabelNamespace: namespace}))
requests, err := g.reportChangeRequestLister.ReportChangeRequests(config.KubePolicyNamespace).List(selector)
if err != nil {
return nil, nil, fmt.Errorf("unable to list reportChangeRequests within namespace %s: %v", ns, err)
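Review bot: The error on the last line of the hunk reports `ns`, while the `List` call two lines above selects on `namespace`; unless `ns` holds the same value (it is declared before the hunk, so I cannot tell), the message names the wrong namespace when the listing fails. Suggest `return nil, nil, fmt.Errorf("unable to list reportChangeRequests within namespace %s: %w", namespace, err)`, which also lets callers inspect the underlying error. Separately, `generateCacheKey` now reads the namespace from `resourceLabelNamespace` and falls back to `"default"` when it is empty, and `set` in this commit writes that label as `""` for cluster-scoped resources; confirm that cluster-scoped results do not reach this path, or they would be keyed under the `default` namespace. aggregateReports starts before the hunk.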


@ -332,7 +332,7 @@ func updateReportChangeRequest(dClient *client.Client, old interface{}, new *uns
log.V(4).Info("unchanged report request", "name", new.GetName())
return nil
}
// TODO(shuting): set annotation / label
if _, err = dClient.UpdateResource(new.GetAPIVersion(), new.GetKind(), config.KubePolicyNamespace, new, false); err != nil {
return fmt.Errorf("failed to update report request: %v", err)
}


@ -293,7 +293,6 @@ func (ws *WebhookServer) ResourceMutation(request *v1beta1.AdmissionRequest) *v1
if containRBACinfo(mutatePolicies, validatePolicies, generatePolicies) {
roles, clusterRoles, err = userinfo.GetRoleRef(ws.rbLister, ws.crbLister, request, ws.configHandler)
if err != nil {
// TODO(shuting): continue apply policy if error getting roleRef?
logger.Error(err, "failed to get RBAC information for request")
}
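Review bot: Dropping the TODO leaves the question it tracked unanswered: when `userinfo.GetRoleRef` fails, the error is only logged and evaluation continues with `roles` and `clusterRoles` still empty, so any policy in `mutatePolicies`, `validatePolicies` or `generatePolicies` that matches or excludes on RBAC subjects is evaluated against an incomplete context — a policy that excludes certain roles would apply to them, and one that targets them would silently not apply. Worth either failing closed for the RBAC-dependent policies (treating them as not evaluable for this request and reporting that in the response) or stating the decision in a comment such as `// RBAC lookup failures are tolerated: policies that select on roles are evaluated with empty role sets`, so the behaviour reads as deliberate rather than forgotten. ResourceMutation starts before and continues after the hunk.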
}