mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

re-apply policies to managed pods ()

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Jim Bugwadia 2021-11-01 11:08:24 -07:00 committed by ShutingZhao
parent f08bf6110f
commit ed4dea41f4
4 changed files with 0 additions and 32 deletions


@ -30,12 +30,6 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
logger := log.Log.WithName("EngineVerifyImages").WithValues("policy", policy.Name,
"kind", patchedResource.GetKind(), "namespace", patchedResource.GetNamespace(), "name", patchedResource.GetName())
if ManagedPodResource(policy, patchedResource) {
logger.V(4).Info("images for resources managed by workload controllers are already verified", "policy", policy.GetName())
resp.PatchedResource = patchedResource
return
}
startTime := time.Now()
defer func() {
buildResponse(policyContext, resp, startTime)


@ -43,12 +43,6 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
startMutateResultResponse(resp, policy, patchedResource)
defer endMutateResultResponse(logger, resp, startTime)
if ManagedPodResource(policy, patchedResource) {
logger.V(5).Info("changes to pods managed by workload controllers are not permitted", "policy", policy.GetName())
resp.PatchedResource = patchedResource
return
}
policyContext.JSONContext.Checkpoint()
defer policyContext.JSONContext.Restore()


@ -77,10 +77,6 @@ func buildResponse(ctx *PolicyContext, resp *response.EngineResponse, startTime
func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineResponse {
resp := &response.EngineResponse{}
if ManagedPodResource(ctx.Policy, ctx.NewResource) {
log.V(5).Info("skip validation of pods managed by workload controllers", "policy", ctx.Policy.GetName())
return resp
}
ctx.JSONContext.Checkpoint()
defer ctx.JSONContext.Restore()


@ -75,22 +75,6 @@ func MergeResources(a, b map[string]unstructured.Unstructured) {
}
}
// ExcludePod filters out the pods with ownerReference
func ExcludePod(resourceMap map[string]unstructured.Unstructured, log logr.Logger) map[string]unstructured.Unstructured {
for uid, r := range resourceMap {
if r.GetKind() != "Pod" {
continue
}
if len(r.GetOwnerReferences()) > 0 {
log.V(4).Info("exclude Pod", "namespace", r.GetNamespace(), "name", r.GetName())
delete(resourceMap, uid)
}
}
return resourceMap
}
// getNamespacesForRule gets the matched namespaces list for the given rule
func (pc *PolicyController) getNamespacesForRule(rule *kyverno.Rule, log logr.Logger) []string {
var matchedNS []string