diff --git a/pkg/policystatus/main.go b/pkg/policystatus/main.go index ffc2003a10..c4edd70d31 100644 --- a/pkg/policystatus/main.go +++ b/pkg/policystatus/main.go @@ -3,16 +3,14 @@ package policystatus import ( "encoding/json" "fmt" - kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" "strings" "sync" "time" - "k8s.io/apimachinery/pkg/util/wait" - - "github.com/nirmata/kyverno/pkg/client/clientset/versioned" - v1 "github.com/nirmata/kyverno/pkg/api/kyverno/v1" + "github.com/nirmata/kyverno/pkg/client/clientset/versioned" + kyvernolister "github.com/nirmata/kyverno/pkg/client/listers/kyverno/v1" + "k8s.io/apimachinery/pkg/util/wait" log "sigs.k8s.io/controller-runtime/pkg/log" ) diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go index b6f738f396..8367e651e4 100644 --- a/pkg/webhooks/policymutation.go +++ b/pkg/webhooks/policymutation.go @@ -3,6 +3,7 @@ package webhooks import ( "encoding/json" "fmt" + "reflect" "strings" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" @@ -13,7 +14,7 @@ import ( func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1beta1.AdmissionResponse { logger := ws.log.WithValues("action", "policymutation", "uid", request.UID, "kind", request.Kind, "namespace", request.Namespace, "name", request.Name, "operation", request.Operation) - var policy *kyverno.ClusterPolicy + var policy, oldPolicy *kyverno.ClusterPolicy raw := request.Object.Raw //TODO: can this happen? wont this be picked by OpenAPI spec schema ? @@ -26,6 +27,24 @@ func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1be }, } } + + if request.Operation == v1beta1.Update { + if err := json.Unmarshal(request.OldObject.Raw, &oldPolicy); err != nil { + logger.Error(err, "failed to unmarshall old policy admission request") + return &v1beta1.AdmissionResponse{ + Allowed: true, + Result: &metav1.Status{ + Message: fmt.Sprintf("failed to default value, check kyverno controller logs for details: %v", err), + }, + } + } + + if isStatusUpdate(oldPolicy, policy) { + logger.V(3).Info("skip policy mutation on status update") + return &v1beta1.AdmissionResponse{Allowed: true} + } + } + // Generate JSON Patches for defaults patches, updateMsgs := policymutation.GenerateJSONPatchesForDefaults(policy, logger) if patches != nil { @@ -43,3 +62,19 @@ func (ws *WebhookServer) policyMutation(request *v1beta1.AdmissionRequest) *v1be Allowed: true, } } + +func isStatusUpdate(old, new *kyverno.ClusterPolicy) bool { + if !reflect.DeepEqual(old.GetAnnotations(), new.GetAnnotations()) { + return false + } + + if !reflect.DeepEqual(old.GetLabels(), new.GetLabels()) { + return false + } + + if !reflect.DeepEqual(old.Spec, new.Spec) { + return false + } + + return true +}