diff --git a/pkg/engine/utils.go b/pkg/engine/utils.go
index 0e792ace04..063f299999 100644
--- a/pkg/engine/utils.go
+++ b/pkg/engine/utils.go
@@ -256,15 +256,15 @@ func matchSubjects(ruleSubjects []rbacv1.Subject, userInfo authenticationv1.User
 }
 //MatchesResourceDescription checks if the resource matches resource description of the rule or not
-func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string) error {
+func MatchesResourceDescription(resourceRef unstructured.Unstructured, ruleRef *kyverno.Rule, admissionInfoRef kyverno.RequestInfo, dynamicConfig []string, namespaceLabels map[string]string) error {
- rule := *ruleRef.DeepCopy()
+ rule := ruleRef.DeepCopy()
 resource := *resourceRef.DeepCopy()
 admissionInfo := *admissionInfoRef.DeepCopy()
 var reasonsForFailure []error
 if len(rule.MatchResources.Any) > 0 {
- // inlcude object if ANY of the criterias match
+ // include object if ANY of the criteria match
 // so if one matches then break from loop
 oneMatched := false
 for _, rmr := range rule.MatchResources.Any {
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 844acb72a6..de16f651cb 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -92,7 +92,8 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
 ctx.JSONContext.Checkpoint()
 defer ctx.JSONContext.Restore()
- for _, rule := range ctx.Policy.Spec.Rules {
+ for i := range ctx.Policy.Spec.Rules {
+ rule := &ctx.Policy.Spec.Rules[i]
 if !rule.HasValidate() {
 continue
 }
@@ -106,7 +107,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
 ctx.JSONContext.Reset()
 startTime := time.Now()
- ruleResp := processValidationRule(log, ctx, &rule)
+ ruleResp := processValidationRule(log, ctx, rule)
 if ruleResp != nil {
 addRuleResponse(log, resp, ruleResp, startTime)
 }
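Review bot: Now that ruleRef is a pointer, MatchesResourceDescription has no guard against a nil rule; on the new `rule := ruleRef.DeepCopy()` line a nil ruleRef would, if DeepCopy follows the generated Kubernetes convention of returning nil for a nil receiver, leave rule nil and the `rule.MatchResources.Any` access a few lines below would panic inside the admission path. With the old value parameter that case was impossible at compile time; with an exported function on the webhook's request path it is now a per-request panic waiting on a caller bug. I would add, before the DeepCopy, `if ruleRef == nil { return errors.New("rule must not be nil") }` (or whichever error constructor this file already uses). The function body continues past the end of the hunk.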
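Review bot: The new `rule := &ctx.Policy.Spec.Rules[i]` aliases the rule stored in ctx.Policy rather than the per-iteration copy the old range loop produced, so anything processValidationRule (outside this hunk) writes through the pointer now lands in the policy itself; if ctx.Policy is populated from a shared informer cache, as is typical, that would be a cross-request mutation and a data race under concurrent admission requests. The deep copy that the utils.go hunk performs inside MatchesResourceDescription suggests callees do touch rules, so this is worth confirming rather than assuming. I would state the contract on the new line: `rule := &ctx.Policy.Spec.Rules[i] // points into ctx.Policy: read-only for callees, deep-copy before mutating`. validateResource starts before and ends after this hunk.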
@@ -417,7 +418,7 @@ func isEmptyUnstructured(u *unstructured.Unstructured) bool {
 }
 // matches checks if either the new or old resource satisfies the filter conditions defined in the rule
-func matches(logger logr.Logger, rule kyverno.Rule, ctx *PolicyContext) bool {
+func matches(logger logr.Logger, rule *kyverno.Rule, ctx *PolicyContext) bool {
 err := MatchesResourceDescription(ctx.NewResource, rule, ctx.AdmissionInfo, ctx.ExcludeGroupRole, ctx.NamespaceLabels)
 if err == nil {
 return true
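Review bot: The doc comment on matches still describes the value-parameter version and says nothing about the contract of the new pointer parameter; a nil rule is passed straight through to MatchesResourceDescription on the next line, and nothing visible in this hunk guards or copies it. I would extend the comment to `// matches checks if either the new or old resource satisfies the filter conditions defined in the rule; rule must be non-nil.` The old-resource check and the rest of matches lie below the end of the hunk.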