fix: skip rules without operation in resource webhook creation

[snorwin]

Explanation

The error MutatingWebhookConfiguration: webhooks[0].rules[0].operations: Required value occurs when using mutating and generating rules in the same policy.

Related issue

Fixes #10143 .

Milestone of this PR

/milestone 1.12.1

What type of PR is this

/kind bug

Proposed Changes

Add a check in order to skip rules without any mapped operation.

Checklist

• I have read the contributing guidelines.
• I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
• This is a bug fix and I have added unit tests that prove my fix is effective.
• This is a feature and I have added CLI tests that are applicable.
• My PR needs to be cherry picked to a specific release branch which is .
• My PR contains new or altered behavior to Kyverno and
• CLI support should be added and my PR doesn't contain that functionality.

[welcome]

Thanks for opening your first Pull Request here! Please check out our Contributing guidelines and confirm that you Signed off.

[realshuting]

Hi @snorwin - thanks for the fix.

Can you also attach the configured mutatingwebhookconfigurations and validatingwebhookconfigurations for the policy with generate and mutate rules?

[realshuting]

/cherry-pick release-1.12

[snorwin]

Hi @snorwin - thanks for the fix.

Can you also attach the configured mutatingwebhookconfigurations and validatingwebhookconfigurations for the policy with generate and mutate rules?

The policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example
spec:
  generateExisting: true
  rules:
    - name: k-kafka-address
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - default
                - kube-public
                - kyverno
      generate:
        synchronize: true
        apiVersion: v1
        kind: ConfigMap
        name: zk-kafka-address
        # generate the resource in the new namespace
        namespace: "{{request.object.metadata.name}}"
        data:
          kind: ConfigMap
          metadata:
            labels:
              somekey: somevalue
          data:
            ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
            KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
    - name: set-image-pull-policy
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # match images which end with :latest
              - (image): "*:latest"
                # set the imagePullPolicy to "IfNotPresent"
                imagePullPolicy: "IfNotPresent"

generated resource webhook configurations:

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    admissions.enforcer/disabled: "true"
  labels:
    webhook.kyverno.io/managed-by: kyverno
  name: kyverno-resource-mutating-webhook-cfg
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: kyverno-operator-deploy-svc
      namespace: kyverno
      path: /mutate/fail
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: mutate.kyverno.svc-fail
  namespaceSelector:
    matchExpressions:
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kube-system
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - kyverno
  objectSelector: {}
  reinvocationPolicy: IfNeeded
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - namespaces
    scope: '*'
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - configmaps
    - pods
    - pods/ephemeralcontainers
    scope: Namespaced
  sideEffects: NoneOnDryRun
  timeoutSeconds: 10
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    admissions.enforcer/disabled: "true"
  labels:
    webhook.kyverno.io/managed-by: kyverno
  name: kyverno-resource-validating-webhook-cfg
webhooks:
  - admissionReviewVersions:
      - v1
    clientConfig:
      service:
        name: kyverno-operator-deploy-svc
        namespace: kyverno
        path: /validate/fail
        port: 443
    failurePolicy: Fail
    matchPolicy: Equivalent
    name: validate.kyverno.svc-fail
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kube-system
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values:
            - kyverno
    objectSelector: {}
    rules:
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
          - DELETE
          - CONNECT
        resources:
          - configmaps
        scope: Namespaced
      - apiGroups:
          - ""
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
          - DELETE
          - CONNECT
        resources:
          - namespaces
        scope: '*'
    sideEffects: NoneOnDryRun
    timeoutSeconds: 10

[realshuting]

Why there's an extra rule for namespaces in mutating webhook?

  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - namespaces
    scope: '*'

[snorwin]

Why there's an extra rule for namespaces in mutating webhook?

  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - namespaces
    scope: '*'

defaultOpn in buildRulesWithOperations (https://github.com/kyverno/kyverno/blob/main/pkg/controllers/webhook/utils.go#L74) are CREATE and UPDATE. We could move the skip to this function if that makes sense?

[realshuting]

The linter check fails, @snorwin - can you fix it https://github.com/kyverno/kyverno/actions/runs/8897683625/job/24433129022?pr=10146?

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 10.15%. Comparing base (e66a550) to head (4321a09).

❗ Current head 4321a09 differs from pull request most recent head 1143762. Consider uploading reports for the commit 1143762 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #10146      +/-   ##
==========================================
+ Coverage   10.13%   10.15%   +0.02%     
==========================================
  Files        1030     1030              
  Lines       91776    91779       +3     
==========================================
+ Hits         9299     9321      +22     
+ Misses      81461    81439      -22     
- Partials     1016     1019       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[welcome]

Congratulations! 🎉

Great job merging your first Pull Request here! How awesome! If you are new to this project, feel free to join our Slack community