From 41be8e1ab86fefa12cbb86a1a49a91d4fd7b2a3d Mon Sep 17 00:00:00 2001
From: Sandesh More
Date: Tue, 25 Oct 2022 12:57:53 +0530
Subject: [PATCH] added support of background-only mode for policies

Signed-off-by: Sandesh More
---
 api/kyverno/v1/spec_types.go | 6 +-
 api/kyverno/v2beta1/spec_types.go | 6 +-
 charts/kyverno/templates/crds.yaml | 16 ++---
 config/crds/kyverno.io_clusterpolicies.yaml | 10 ++--
 config/crds/kyverno.io_policies.yaml | 10 ++--
 config/install.yaml | 20 ++++---
 config/install_debug.yaml | 20 ++++---
 docs/user/crd/index.html | 18 ++++--
 .../clientset/versioned/fake/register.go | 14 ++---
 .../clientset/versioned/scheme/register.go | 14 ++---
 pkg/policy/validate.go | 21 ++++++-
 pkg/policy/validate_test.go | 59 +++++++++++++++++++
 pkg/webhooks/resource/handlers.go | 18 +++---
 pkg/webhooks/resource/handlers_test.go | 53 +++++++++++++++++
 14 files changed, 219 insertions(+), 66 deletions(-)

diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index f215a82eaae8..e89dec66425f 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@@ -48,10 +48,10 @@ type Spec struct {
 	// ValidationFailureAction defines if a validation policy rule violation should block
 	// the admission review request (enforce), or allow (audit) the admission review request
 	// and report an error in a policy report. Optional.
-	// Allowed values are audit or enforce. The default value is "audit".
+	// Allowed values are audit or enforce.
+	// The default value is "" which means policy will be executed in background-only mode.
 	// +optional
-	// +kubebuilder:validation:Enum=audit;enforce
-	// +kubebuilder:default=audit
+	// +kubebuilder:validation:Enum=audit;enforce;""
 	ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 
 	// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
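Review bot: Dropping `+kubebuilder:default=audit` silently changes what an omitted `validationFailureAction` means: the API server no longer materializes `audit`, so a policy that leaves the field out is stored with "" and, per the new filterPolicies in pkg/webhooks/resource/handlers.go, is skipped by the validating and image-verification admission paths, while the same policy with `background: false` is now rejected by validateBackgroundOnlyMode. Objects already persisted under the old CRD presumably keep their defaulted `audit`, but anything re-applied from manifests after the CRD upgrade does not, so this is a breaking change for policy authors and should be called out as such; the v2beta1 hunk has the same issue. The comment should state the admission-time consequence rather than only the default, e.g. `// The default value is "" (background-only mode): the policy runs only in background scans and is skipped by the admission webhooks.`. The enclosing Spec struct begins and ends outside the hunk.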
diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go
index 10e6538be358..c8f4e7c89e99 100644
--- a/api/kyverno/v2beta1/spec_types.go
+++ b/api/kyverno/v2beta1/spec_types.go
@@ -30,10 +30,10 @@ type Spec struct {
 	// ValidationFailureAction defines if a validation policy rule violation should block
 	// the admission review request (enforce), or allow (audit) the admission review request
 	// and report an error in a policy report. Optional.
-	// Allowed values are audit or enforce. The default value is "audit".
+	// Allowed values are audit or enforce.
+	// The default value is "" which means policy will be executed in background-only mode.
 	// +optional
-	// +kubebuilder:validation:Enum=audit;enforce
-	// +kubebuilder:default=audit
+	// +kubebuilder:validation:Enum=audit;enforce;""
 	ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
 
 	// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml
index f3b554c8e2b3..82d3471a16ea 100644
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@@ -2811,11 +2811,11 @@ spec: description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - default: audit - description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "" which means policy will be executed in background-only mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. 
@@ -6294,11 +6294,11 @@ spec: description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - default: audit - description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "" which means policy will be executed in background-only mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. 
@@ -10401,11 +10401,11 @@ spec: description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - default: audit - description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "" which means policy will be executed in background-only mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. 
@@ -13884,11 +13884,11 @@ spec: description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean validationFailureAction: - default: audit - description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit". + description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "" which means policy will be executed in background-only mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 49a3910bc4b7..52304ac23fc9 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml 
@@ -2867,15 +2867,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -8449,15 +8450,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 87c05ffd0c80..0ac8289f160d 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -2868,15 +2868,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -8452,15 +8453,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy diff --git a/config/install.yaml b/config/install.yaml index 1019c0d5d0d5..cc4d477dc895 100644 --- a/config/install.yaml +++ b/config/install.yaml 
@@ -4189,15 +4189,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -9771,15 +9772,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -16210,15 +16212,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy 
@@ -21794,15 +21797,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy diff --git a/config/install_debug.yaml b/config/install_debug.yaml index 2e5b788140ee..5db6699f6c4b 100644 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml @@ -4183,15 +4183,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy 
@@ -9765,15 +9766,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -16201,15 +16203,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -21785,15 +21788,16 @@ spec: disable the validation checks. type: boolean validationFailureAction: - default: audit description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. - The default value is "audit". + The default value is "" which means policy will be executed in background-only + mode. enum: - audit - enforce + - "" type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy 
diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 79e951e4c10d..48db048e8f04 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -164,7 +164,8 @@

ClusterPolicy

ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”.

+Allowed values are audit or enforce. +The default value is “” which means policy will be executed in background-only mode.

@@ -505,7 +506,8 @@

Policy

ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”.

+Allowed values are audit or enforce. +The default value is “” which means policy will be executed in background-only mode.

@@ -3356,7 +3358,8 @@

Spec

ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”.

+Allowed values are audit or enforce. +The default value is “” which means policy will be executed in background-only mode.

@@ -4973,7 +4976,8 @@

ClusterPolicy

ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”.

+Allowed values are audit or enforce. +The default value is “” which means policy will be executed in background-only mode.

@@ -5198,7 +5202,8 @@

Policy

ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”.

+Allowed values are audit or enforce. +The default value is “” which means policy will be executed in background-only mode.

@@ -6025,7 +6030,8 @@

Spec

ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. -Allowed values are audit or enforce. The default value is “audit”.

+Allowed values are audit or enforce. +The default value is “” which means policy will be executed in background-only mode.

diff --git a/pkg/client/clientset/versioned/fake/register.go b/pkg/client/clientset/versioned/fake/register.go index cf3c1a08f422..a93604b6d11a 100644 --- a/pkg/client/clientset/versioned/fake/register.go +++ b/pkg/client/clientset/versioned/fake/register.go @@ -43,14 +43,14 @@ var localSchemeBuilder = runtime.SchemeBuilder{ // AddToScheme adds all types of this clientset into the given scheme. This allows composition // of clientsets, like in: // -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) // -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) // // After this, RawExtensions in Kubernetes types will serialize kube-aggregator types // correctly. diff --git a/pkg/client/clientset/versioned/scheme/register.go b/pkg/client/clientset/versioned/scheme/register.go index 776190e3523e..9fbeaa98f0d3 100644 --- a/pkg/client/clientset/versioned/scheme/register.go +++ b/pkg/client/clientset/versioned/scheme/register.go 
@@ -43,14 +43,14 @@ var localSchemeBuilder = runtime.SchemeBuilder{ // AddToScheme adds all types of this clientset into the given scheme. This allows composition // of clientsets, like in: // -// import ( -// "k8s.io/client-go/kubernetes" -// clientsetscheme "k8s.io/client-go/kubernetes/scheme" -// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" -// ) +// import ( +// "k8s.io/client-go/kubernetes" +// clientsetscheme "k8s.io/client-go/kubernetes/scheme" +// aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" +// ) // -// kclientset, _ := kubernetes.NewForConfig(c) -// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) +// kclientset, _ := kubernetes.NewForConfig(c) +// _ = aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) // // After this, RawExtensions in Kubernetes types will serialize kube-aggregator types // correctly. diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index a14f771ddf4b..1ac8a4360565 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go 
@@ -109,12 +109,31 @@ func validateJSONPatch(patch string, ruleIdx int) error {
 	return nil
 }
 
+func validateBackgroundOnlyMode(policy kyvernov1.PolicyInterface) error {
+	validate := policy.GetSpec().ValidationFailureAction
+	background := policy.GetSpec().BackgroundProcessingEnabled()
+	if !background {
+		for _, rule := range policy.GetSpec().Rules {
+			if validate == "" && (rule.HasValidate() || rule.HasVerifyImages()) {
+				return fmt.Errorf("%s", "Invalid policy. When background is false ValidationFailureAction must be set to either audit or enforce")
+			}
+		}
+	}
+	return nil
+}
+
 // Validate checks the policy and rules declarations for required configurations
 func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock bool, openApiManager openapi.Manager) (*admissionv1.AdmissionResponse, error) {
 	namespaced := policy.IsNamespaced()
 	spec := policy.GetSpec()
 	background := spec.BackgroundProcessingEnabled()
 	onPolicyUpdate := spec.GetMutateExistingOnPolicyUpdate()
+
+	err := validateBackgroundOnlyMode(policy)
+	if err != nil {
+		return nil, err
+	}
+
 	if !mock {
 		openapicontroller.NewController(client, openApiManager).CheckSync(context.TODO())
 	}
@@ -122,7 +141,7 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
 	var errs field.ErrorList
 	specPath := field.NewPath("spec")
 
-	err := ValidateVariables(policy, background)
+	err = ValidateVariables(policy, background)
 	if err != nil {
 		return nil, err
 	}
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index e5587e2ebe88..015f1bddb4e9 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
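Review bot: In validateBackgroundOnlyMode the `validate == ""` test is loop-invariant yet re-evaluated for every rule, and `fmt.Errorf("%s", …)` with a constant message is just `errors.New` (standard library, if not already imported here); guard clauses for "action is set" and "background enabled" make the invariant being enforced readable at a glance. The helper also has no doc comment saying that it concerns only validate and verifyImages rules, so a mutate- or generate-only policy with `background: false` and an empty action is accepted on purpose. Validate's body continues past the end of the hunk.
```go
// validateBackgroundOnlyMode rejects a policy whose validate or verifyImages rules could
// never run: an empty ValidationFailureAction means background-only mode, which requires
// background processing to be enabled. Mutate- and generate-only policies are not affected.
func validateBackgroundOnlyMode(policy kyvernov1.PolicyInterface) error {
	spec := policy.GetSpec()
	if spec.ValidationFailureAction != "" || spec.BackgroundProcessingEnabled() {
		return nil
	}
	for _, rule := range spec.Rules {
		if rule.HasValidate() || rule.HasVerifyImages() {
			return errors.New("Invalid policy. When background is false ValidationFailureAction must be set to either audit or enforce")
		}
	}
	return nil
}
```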
@@ -2061,3 +2061,62 @@ func Test_ValidateNamespace(t *testing.T) {
 		})
 	}
 }
+
+func Test_Validate_BackgroundOnlyMode_Policy(t *testing.T) {
+	invalidBackgroundModePolicy := `{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+			"name": "check-label-app"
+		},
+		"spec": {
+			"background": false,
+			"validationFailureAction": "",
+			"rules": [
+				{
+					"name": "check-label-app",
+					"match": {
+						"resources": {
+							"kinds": [
+								"Pod"
+							]
+						}
+					},
+					"validate": {
+						"message": "The label 'app' is required.",
+						"pattern": {
+							"metadata": {
+								"labels": {
+									"app": "?*"
+								}
+							}
+						}
+					}
+				}
+			]
+		}
+	}
+	`
+	var inValidPolicy *kyverno.ClusterPolicy
+	err := json.Unmarshal([]byte(invalidBackgroundModePolicy), &inValidPolicy)
+	assert.NilError(t, err)
+	openApiManager, _ := openapi.NewManager()
+	// vlidate invalid policy
+	_, err = Validate(inValidPolicy, nil, true, openApiManager)
+	assert.Error(t, err, "Invalid policy. When background is false ValidationFailureAction must be set to either audit or enforce")
+	validPolicy := inValidPolicy.DeepCopy()
+	// validate background-only mode policy
+	background := true
+	validPolicy.Spec.Background = &background
+	_, err = Validate(validPolicy, nil, true, openApiManager)
+	assert.NilError(t, err)
+	// validate background mode policy
+	validPolicy.Spec.ValidationFailureAction = kyverno.Audit
+	_, err = Validate(validPolicy, nil, true, openApiManager)
+	assert.NilError(t, err)
+	// validate non background mode policy
+	background = false
+	validPolicy.Spec.Background = &background
+	_, err = Validate(validPolicy, nil, true, openApiManager)
+	assert.NilError(t, err)
+}
diff --git a/pkg/webhooks/resource/handlers.go b/pkg/webhooks/resource/handlers.go
index daf7970d9d6c..b0068ebc444b 100644
--- a/pkg/webhooks/resource/handlers.go
+++ b/pkg/webhooks/resource/handlers.go
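Review bot: The test exercises only a validate rule, but validateBackgroundOnlyMode also rejects verifyImages rules and deliberately accepts a mutate- or generate-only policy with `background: false` and an empty action; neither branch is pinned here, and the final step (`background = false` with `Audit`) repeats the ordinary case rather than probing a boundary. A table with one verifyImages rule and one mutate-only policy would cover both. Also `// vlidate invalid policy` → `// validate invalid policy`. The hunk's leading context is the tail of Test_ValidateNamespace; the new function is complete within the hunk.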
@@ -101,10 +101,10 @@ func (h *handlers) Validate(logger logr.Logger, request *admissionv1.AdmissionRe logger.V(4).Info("received an admission request in validating webhook") // timestamp at which this admission request got triggered - policies := filterPolicies(failurePolicy, h.pCache.GetPolicies(policycache.ValidateEnforce, kind, request.Namespace)...) - mutatePolicies := filterPolicies(failurePolicy, h.pCache.GetPolicies(policycache.Mutate, kind, request.Namespace)...) - generatePolicies := filterPolicies(failurePolicy, h.pCache.GetPolicies(policycache.Generate, kind, request.Namespace)...) - imageVerifyValidatePolicies := filterPolicies(failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesValidate, kind, request.Namespace)...) + policies := filterPolicies(failurePolicy, true, h.pCache.GetPolicies(policycache.ValidateEnforce, kind, request.Namespace)...) + mutatePolicies := filterPolicies(failurePolicy, false, h.pCache.GetPolicies(policycache.Mutate, kind, request.Namespace)...) + generatePolicies := filterPolicies(failurePolicy, false, h.pCache.GetPolicies(policycache.Generate, kind, request.Namespace)...) + imageVerifyValidatePolicies := filterPolicies(failurePolicy, true, h.pCache.GetPolicies(policycache.VerifyImagesValidate, kind, request.Namespace)...) policies = append(policies, imageVerifyValidatePolicies...) if len(policies) == 0 && len(mutatePolicies) == 0 && len(generatePolicies) == 0 { 
@@ -157,8 +157,8 @@ func (h *handlers) Mutate(logger logr.Logger, request *admissionv1.AdmissionRequ
 	kind := request.Kind.Kind
 	logger = logger.WithValues("kind", kind)
 	logger.V(4).Info("received an admission request in mutating webhook")
-	mutatePolicies := filterPolicies(failurePolicy, h.pCache.GetPolicies(policycache.Mutate, kind, request.Namespace)...)
-	verifyImagesPolicies := filterPolicies(failurePolicy, h.pCache.GetPolicies(policycache.VerifyImagesMutate, kind, request.Namespace)...)
+	mutatePolicies := filterPolicies(failurePolicy, false, h.pCache.GetPolicies(policycache.Mutate, kind, request.Namespace)...)
+	verifyImagesPolicies := filterPolicies(failurePolicy, true, h.pCache.GetPolicies(policycache.VerifyImagesMutate, kind, request.Namespace)...)
 	if len(mutatePolicies) == 0 && len(verifyImagesPolicies) == 0 {
 		logger.V(4).Info("no policies matched mutate admission request")
 		return admissionutils.ResponseSuccess()
@@ -227,9 +227,13 @@ func (h *handlers) handleDelete(logger logr.Logger, request *admissionv1.Admissi
 	}
 }
 
-func filterPolicies(failurePolicy string, policies ...kyvernov1.PolicyInterface) []kyvernov1.PolicyInterface {
+func filterPolicies(failurePolicy string, filterBackgroundOnlyPolicies bool, policies ...kyvernov1.PolicyInterface) []kyvernov1.PolicyInterface {
 	var results []kyvernov1.PolicyInterface
 	for _, policy := range policies {
+		// exlude background-only policies
+		if filterBackgroundOnlyPolicies && policy.BackgroundProcessingEnabled() && policy.GetSpec().ValidationFailureAction == "" {
+			continue
+		}
 		if failurePolicy == "fail" {
 			if policy.GetSpec().GetFailurePolicy() == kyvernov1.Fail {
 				results = append(results, policy)
diff --git a/pkg/webhooks/resource/handlers_test.go b/pkg/webhooks/resource/handlers_test.go
index dc6330dadcdc..65c8016652e3 100644
--- a/pkg/webhooks/resource/handlers_test.go
+++ b/pkg/webhooks/resource/handlers_test.go
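Review bot: The definition of "background-only" (`BackgroundProcessingEnabled() && ValidationFailureAction == ""`) now lives in this filterPolicies check and, inverted, in validateBackgroundOnlyMode in pkg/policy/validate.go; a single accessor on the spec (a constructed name such as `IsBackgroundOnly()`) used by both, `if filterBackgroundOnlyPolicies && policy.GetSpec().IsBackgroundOnly() { continue }`, would stop the two from drifting, and the comment above it has a typo (`exlude` → `exclude`). Only the ValidateEnforce, VerifyImagesValidate and VerifyImagesMutate lookups (here and in the Validate hunk above) pass `true`; if the audit-mode validate path outside this diff also pulls policies from the cache, a background-only policy would presumably still be evaluated there during admission, which is worth confirming before documenting the mode as admission-free. Passing bare `true`/`false` at four call sites also hides the intent; a named constant or small option type would make each call self-describing. The Mutate handler and handleDelete continue outside the hunks.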
@@ -419,3 +419,56 @@ func makeKey(policy kyverno.PolicyInterface) string {
 
 	return namespace + "/" + name
 }
+
+func Test_Filter_BackgroundOnly_Policies(t *testing.T) {
+	tests := []struct {
+		policy kyverno.ClusterPolicy
+		result int
+		filterBackgroundOnlyPolicies bool
+		background bool
+		ValidationFailureAction kyverno.ValidationFailureAction
+	}{
+		{ // background only mode + do filter
+			ValidationFailureAction: "",
+			filterBackgroundOnlyPolicies: true,
+			background: true,
+			result: 0,
+		},
+		{ // background only mode + no filter
+			ValidationFailureAction: "",
+			filterBackgroundOnlyPolicies: false,
+			background: true,
+			result: 1,
+		},
+		{ // background mode + Audit mode + do filter
+			ValidationFailureAction: kyverno.Audit,
+			filterBackgroundOnlyPolicies: true,
+			background: true,
+			result: 1,
+		},
+		{ // background mode + Audit mode + no filter
+			ValidationFailureAction: kyverno.Audit,
+			result: 1,
+			filterBackgroundOnlyPolicies: false,
+			background: true,
+		},
+		{ // no background mode + Audit mode + do filter
+			ValidationFailureAction: kyverno.Audit,
+			result: 1,
+			filterBackgroundOnlyPolicies: true,
+			background: false,
+		},
+		{ // no background mode + Audit mode + no filter
+			ValidationFailureAction: kyverno.Audit,
+			result: 1,
+			filterBackgroundOnlyPolicies: false,
+			background: false,
+		},
+	}
+	for _, test := range tests {
+		test.policy.Spec.ValidationFailureAction = test.ValidationFailureAction
+		test.policy.Spec.Background = &test.background
+		result := filterPolicies("", test.filterBackgroundOnlyPolicies, &test.policy)
+		assert.Equal(t, len(result), test.result)
+	}
+}
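Review bot: Every case calls `filterPolicies("", …)`, so the new early `continue` is never exercised together with the `failurePolicy == "fail"` branch that follows it in filterPolicies; one case with `"fail"` and a background-only policy would pin that the exclusion applies before the failure-policy selection, and a case with `background: false` plus an empty action would show the filter does not drop that (invalid but representable) combination. The table field `ValidationFailureAction` is the only exported-style name in the unexported test struct; `validationFailureAction` would match its neighbours. Keying the table by a short `name` string would also make a failing `assert.Equal` identify which row broke.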