Bug - annotation inserted to podTemplate by auto-gen should reflect the policy name #850
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
May 15, 2020 03:02
* 'master' of github.com:nirmata/kyverno: (102 commits) fix 843 (#844) chart readme fixes Fix Helm chart README.md for Helm 3 Add Helm chart for Kyverno - #835 Documentation update 664 tested prototype 823 tested prototype Fixes #817 - slack channel URL 797 typo fix Fixes #797 - update example for mutate patch policy remove cpu limit in BP require_pod_requests_limits.yaml (#807) 808 test fixes 808_prototype 753 reverting autogen rule changes 786 fixed tests 786 tested prototype 775 circle ci fixes 753 fixing tests 775 working prototype 753_avoiding_duplicate_vals ...
|
@evalsocket Please add a brief description of what this PR changes. |
yindia
changed the title
yindia
changed the title
|
Is this PR completed? The code change does not seem to achieve the proposed solution. |
…erno.io/autogen-applied
JimBugwadia
approved these changes
May 17, 2020
realshuting
reviewed
May 17, 2020
pkg/policy/existing.go
Outdated
| @@ -34,8 +34,13 @@ func (pc *PolicyController) processExistingResources(policy kyverno.ClusterPolic | |||
| } | |||
|
|
|||
| // skip reporting violation on pod which has annotation pod-policies.kyverno.io/autogen-applied | |||
| if skipPodApplication(resource, logger) { | |||
| continue | |||
| ann := resource.GetAnnotations() | |||
There was a problem hiding this comment.
We should check the annotation on Policy, not resource.
added 2 commits
May 16, 2020 23:51
* 'fix-829' of github.com:evalsocket/kyverno: Revert Changes
JimBugwadia
approved these changes
May 18, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
Describe the bug
Currently, with the auto-gen feature, it inserts an annotation
pod-policies.kyverno.io/autogen-applied: "true"to podTemplate, but this creates an issue that the policy with auto-gen disabled will never apply to the pod. Related issue #819.The annotation should contain the policy information(name) and only skip applying to the pod for that particular policy.
For example, there are 2 policies:
policy-awith auto-gen enabled,policy-bwith auto-gen disabled, the inserted annotation should be similar topolicy-a.pod-policies.kyverno.io/autogen-applied: "true", while thepolicy-bshould still apply to the pod.Solution
As per f1ko
However, my proposal would cover your concern.
Policy pol-a has pod-policies.kyverno.io/autogen-controllers: all set.
Therefore, controller rules will be added to the policy (same as now). Then these controller rules should add pod-policies.kyverno.io/autogen-applied: "true" to a Pod (same as now). By doing so all Pod rules in the policy will ignore Pods that have that annotation set (same as now).
So basically there is no change in behavior when it comes to pol-a.
Now lets take a look at pol-b. pol-b has pod-policies.kyverno.io/autogen-controllers: none, therefore no additional rules are added (same as now). However, because autogen-controllers has been set to none, kyverno shall allow Pod rules within that policy to ignore pod-policies.kyverno.io/autogen-applied: "true".
Other changes