Fix #1446 :Failed to mutate policy (#1767)

* Fix failed to mutate policy Signed-off-by: vyankatesh <vyankatesh@neualto.com> * fix autogen rule issue Signed-off-by: vyankatesh <vyankatesh@neualto.com> * fix issue Signed-off-by: vyankatesh <vyankatesh@neualto.com> * fix issue Signed-off-by: vyankatesh <vyankatesh@neualto.com> * addPolicy and AddNsPolicy changes * fix code indentation * change kind -> policy Signed-off-by: vyankatesh <vyankatesh@neualto.com> * fix kind for policy * fix comments Co-authored-by: vyankatesh <vyankatesh@neualto.com>
kyverno · Apr 7, 2021 · e2cd04c · e2cd04c
1 parent 072d9f7
commit e2cd04c
Showing 1 changed file with 78 additions and 0 deletions.
diff --git a/pkg/policy/validate_controller.go b/pkg/policy/validate_controller.go
@@ -5,7 +5,10 @@ import (
 	"crypto/rand"
 	"fmt"
 	"math/big"
+	random "math/rand"
 	"reflect"
+	"strconv"
+	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -19,10 +22,12 @@ import (
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/policyreport"
 	"github.com/kyverno/kyverno/pkg/resourcecache"
+	utils "github.com/kyverno/kyverno/pkg/utils"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	informers "k8s.io/client-go/informers/core/v1"
@@ -192,6 +197,15 @@ func (pc *PolicyController) addPolicy(obj interface{}) {
 
 	logger.Info("policy created", "uid", p.UID, "kind", "ClusterPolicy", "name", p.Name)
 
+	if p.Spec.Background == nil || p.Spec.ValidationFailureAction == "" || checkAutoGenRules(p) {
+		p.ObjectMeta.SetAnnotations(map[string]string{"kyverno.io/mutate-policy": strconv.Itoa(random.Intn(100))})
+		p.SetGroupVersionKind(schema.GroupVersionKind{Group: "kyverno.io", Version: "v1", Kind: "ClusterPolicy"})
+		_, err := pc.client.UpdateResource("kyverno.io/v1", "ClusterPolicy", "", p, false)
+		if err != nil {
+			logger.Error(err, "failed to add policy ")
+		}
+	}
+
 	if !pc.canBackgroundProcess(p) {
 		return
 	}
@@ -205,6 +219,15 @@ func (pc *PolicyController) updatePolicy(old, cur interface{}) {
 	oldP := old.(*kyverno.ClusterPolicy)
 	curP := cur.(*kyverno.ClusterPolicy)
 
+	if curP.Spec.Background == nil || curP.Spec.ValidationFailureAction == "" || checkAutoGenRules(curP) {
+		curP.ObjectMeta.SetAnnotations(map[string]string{"kyverno.io/mutate-policy": strconv.Itoa(random.Intn(100))})
+		curP.SetGroupVersionKind(schema.GroupVersionKind{Group: "kyverno.io", Version: "v1", Kind: "ClusterPolicy"})
+		_, err := pc.client.UpdateResource("kyverno.io/v1", "ClusterPolicy", "", curP, false)
+		if err != nil {
+			logger.Error(err, "failed to update policy ")
+		}
+	}
+
 	if !pc.canBackgroundProcess(curP) {
 		return
 	}
@@ -251,6 +274,14 @@ func (pc *PolicyController) addNsPolicy(obj interface{}) {
 	logger.Info("policy created", "uid", p.UID, "kind", "Policy", "name", p.Name, "namespaces", p.Namespace)
 
 	pol := ConvertPolicyToClusterPolicy(p)
+	if pol.Spec.Background == nil || pol.Spec.ValidationFailureAction == "" || checkAutoGenRules(pol) {
+		pol.ObjectMeta.SetAnnotations(map[string]string{"kyverno.io/mutate-policy": strconv.Itoa(random.Intn(100))})
+		pol.SetGroupVersionKind(schema.GroupVersionKind{Group: "kyverno.io", Version: "v1", Kind: "Policy"})
+		_, err := pc.client.UpdateResource("kyverno.io/v1", "Policy", p.Namespace, pol, false)
+		if err != nil {
+			logger.Error(err, "failed to add namespace policy")
+		}
+	}
 	if !pc.canBackgroundProcess(pol) {
 		return
 	}
@@ -263,6 +294,16 @@ func (pc *PolicyController) updateNsPolicy(old, cur interface{}) {
 	oldP := old.(*kyverno.Policy)
 	curP := cur.(*kyverno.Policy)
 	ncurP := ConvertPolicyToClusterPolicy(curP)
+
+	if ncurP.Spec.Background == nil || ncurP.Spec.ValidationFailureAction == "" || checkAutoGenRules(ncurP) {
+		ncurP.ObjectMeta.SetAnnotations(map[string]string{"kyverno.io/mutate-policy": strconv.Itoa(random.Intn(100))})
+		ncurP.SetGroupVersionKind(schema.GroupVersionKind{Group: "kyverno.io", Version: "v1", Kind: "Policy"})
+		_, err := pc.client.UpdateResource("kyverno.io/v1", "Policy", ncurP.GetNamespace(), ncurP, false)
+		if err != nil {
+			logger.Error(err, "failed to update namespace policy ")
+		}
+	}
+
 	if !pc.canBackgroundProcess(ncurP) {
 		return
 	}
@@ -478,3 +519,40 @@ func updateGR(kyvernoClient *kyvernoclient.Clientset, policyKey string, grList [
 		}
 	}
 }
+
+func checkAutoGenRules(policy *kyverno.ClusterPolicy) bool {
+	var podRuleName []string
+	ruleCount := 1
+	for _, rule := range policy.Spec.Rules {
+		if utils.ContainsString(rule.MatchResources.ResourceDescription.Kinds, "Pod") {
+			podRuleName = append(podRuleName, rule.Name)
+		}
+	}
+	if len(podRuleName) > 0 {
+		annotations := policy.GetAnnotations()
+		val, ok := annotations["pod-policies.kyverno.io/autogen-controllers"]
+		if !ok {
+			return true
+		}
+		if val == "none" {
+			return false
+		}
+		res := strings.Split(val, ",")
+
+		if len(res) == 1 {
+			ruleCount = 2
+		}
+		if len(res) > 1 {
+			if utils.ContainsString(res, "CronJob") {
+				ruleCount = 3
+			} else {
+				ruleCount = 2
+			}
+		}
+
+		if len(policy.Spec.Rules) != (ruleCount * len(podRuleName)) {
+			return true
+		}
+	}
+	return false
+}