mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
re-apply policies to managed pods (#2648)
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
parent
f08bf6110f
commit
ed4dea41f4
4 changed files with 0 additions and 32 deletions
pkg
|
@ -30,12 +30,6 @@ func VerifyAndPatchImages(policyContext *PolicyContext) (resp *response.EngineRe
|
|||
logger := log.Log.WithName("EngineVerifyImages").WithValues("policy", policy.Name,
|
||||
"kind", patchedResource.GetKind(), "namespace", patchedResource.GetNamespace(), "name", patchedResource.GetName())
|
||||
|
||||
if ManagedPodResource(policy, patchedResource) {
|
||||
logger.V(4).Info("images for resources managed by workload controllers are already verified", "policy", policy.GetName())
|
||||
resp.PatchedResource = patchedResource
|
||||
return
|
||||
}
|
||||
|
||||
startTime := time.Now()
|
||||
defer func() {
|
||||
buildResponse(policyContext, resp, startTime)
|
||||
|
|
|
@ -43,12 +43,6 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
|
|||
startMutateResultResponse(resp, policy, patchedResource)
|
||||
defer endMutateResultResponse(logger, resp, startTime)
|
||||
|
||||
if ManagedPodResource(policy, patchedResource) {
|
||||
logger.V(5).Info("changes to pods managed by workload controllers are not permitted", "policy", policy.GetName())
|
||||
resp.PatchedResource = patchedResource
|
||||
return
|
||||
}
|
||||
|
||||
policyContext.JSONContext.Checkpoint()
|
||||
defer policyContext.JSONContext.Restore()
|
||||
|
||||
|
|
|
@ -77,10 +77,6 @@ func buildResponse(ctx *PolicyContext, resp *response.EngineResponse, startTime
|
|||
|
||||
func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineResponse {
|
||||
resp := &response.EngineResponse{}
|
||||
if ManagedPodResource(ctx.Policy, ctx.NewResource) {
|
||||
log.V(5).Info("skip validation of pods managed by workload controllers", "policy", ctx.Policy.GetName())
|
||||
return resp
|
||||
}
|
||||
|
||||
ctx.JSONContext.Checkpoint()
|
||||
defer ctx.JSONContext.Restore()
|
||||
|
|
|
@ -75,22 +75,6 @@ func MergeResources(a, b map[string]unstructured.Unstructured) {
|
|||
}
|
||||
}
|
||||
|
||||
// ExcludePod filters out the pods with ownerReference
|
||||
func ExcludePod(resourceMap map[string]unstructured.Unstructured, log logr.Logger) map[string]unstructured.Unstructured {
|
||||
for uid, r := range resourceMap {
|
||||
if r.GetKind() != "Pod" {
|
||||
continue
|
||||
}
|
||||
|
||||
if len(r.GetOwnerReferences()) > 0 {
|
||||
log.V(4).Info("exclude Pod", "namespace", r.GetNamespace(), "name", r.GetName())
|
||||
delete(resourceMap, uid)
|
||||
}
|
||||
}
|
||||
|
||||
return resourceMap
|
||||
}
|
||||
|
||||
// getNamespacesForRule gets the matched namespaces list for the given rule
|
||||
func (pc *PolicyController) getNamespacesForRule(rule *kyverno.Rule, log logr.Logger) []string {
|
||||
var matchedNS []string
|
||||
|
|