CLI handling - applying policy with annotations on pod

pkg/engine/mutation.go

@@ -2,7 +2,6 @@ package engine
 
 import (
 	"time"
-
 	"github.com/go-logr/logr"
 	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/engine/mutate"

pkg/engine/utils.go

@@ -6,19 +6,16 @@ import (
 	"fmt"
 	"reflect"
 	"time"
-
 	"github.com/go-logr/logr"
 	"github.com/kyverno/kyverno/pkg/utils"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"sigs.k8s.io/controller-runtime/pkg/log"
-
 	kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
 	"github.com/minio/minio/pkg/wildcard"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
-
 	"github.com/kyverno/kyverno/pkg/engine/context"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -272,12 +269,6 @@ func excludeResource(resource unstructured.Unstructured) bool {
 // - if the policy has auto-gen annotation && resource == Pod
 // - if the auto-gen contains cronJob && resource == Job
 func SkipPolicyApplication(policy kyverno.ClusterPolicy, resource unstructured.Unstructured) bool {
-	if resource.GetKind() == "Pod" && policy.HasAutoGenAnnotation() {
-		if _, ok := policy.GetAnnotations()[PodControllersAnnotation]; ok {
-			delete(policy.Annotations, PodControllersAnnotation)
-		}
-	}
-
 	if policy.HasAutoGenAnnotation() && excludeResource(resource) {
 		return true
 	}

pkg/kyverno/apply/command.go

@@ -379,6 +379,14 @@ func applyPolicyOnResource(policy *v1.ClusterPolicy, resource *unstructured.Unst
 		}
 	}
 
+	if resource.GetKind() == "Pod" && len(resource.GetOwnerReferences()) > 0 {
+		if policy.HasAutoGenAnnotation() {
+			if _, ok := policy.GetAnnotations()[engine.PodControllersAnnotation]; ok {
+				delete(policy.Annotations, engine.PodControllersAnnotation)
+			}
+		}
+	}
+
 	validateResponse := engine.Validate(engine.PolicyContext{Policy: *policy, NewResource: mutateResponse.PatchedResource, Context: ctx})
 	engineResponses = append(engineResponses, validateResponse)
 	if !policyReport {

pkg/kyverno/common/common.go

@@ -9,11 +9,9 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
-
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/util/yaml"
 	yaml_v2 "sigs.k8s.io/yaml"
-
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/go-logr/logr"
 	v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"

pkg/kyverno/common/fetch.go

@@ -6,16 +6,14 @@ import (
 	"fmt"
 	"io/ioutil"
 
-	"github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
-
 	v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
-	"k8s.io/client-go/kubernetes/scheme"
 	client "github.com/kyverno/kyverno/pkg/dclient"
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
+	"github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
 	"github.com/kyverno/kyverno/pkg/utils"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-//	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/scheme"
 )
 

pkg/kyverno/validate/command.go

@@ -8,17 +8,12 @@ import (
 	"os"
 
 	v1 "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/openapi"
-	"github.com/kyverno/kyverno/pkg/utils"
-
 	"github.com/kyverno/kyverno/pkg/kyverno/common"
 	"github.com/kyverno/kyverno/pkg/kyverno/sanitizedError"
-
+	"github.com/kyverno/kyverno/pkg/openapi"
 	policy2 "github.com/kyverno/kyverno/pkg/policy"
+	"github.com/kyverno/kyverno/pkg/utils"
 	"github.com/spf13/cobra"
-
-	//_ "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation"
-
 	log "sigs.k8s.io/controller-runtime/pkg/log"
 	yaml "sigs.k8s.io/yaml"
 )