fix: deferred loader panic when mutate and generate policies are applied #9935
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #9935 +/- ##
==========================================
+ Coverage 33.58% 33.65% +0.06%
==========================================
Files 346 347 +1
Lines 23682 23740 +58
==========================================
+ Hits 7954 7990 +36
- Misses 14853 14868 +15
- Partials 875 882 +7
e87b280 to 375278b
/cherry-pick release-1.12
I am thinking it may be best to pass in the context factory here for the mutate and generate rule invocations:
kyverno/pkg/webhooks/resource/handlers.go
Line 134 in 8369ab6
go h.handleBackgroundApplies(ctx, logger, request.AdmissionRequest, policyContext, generatePolicies, mutatePolicies, startTime)
5796877 to 82c4bb7
👍
aba258d to 3a11387
a0c3999 to 15773b1
…ied (#9935)
* fix: deferred loader panic when mutate and generate policies are applied
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: tests
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: update policies
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* remove clusterrolebinding
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: copy only json context
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
* fix: polctx
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---------
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
…ied (#9935) (#9968)
* fix: deferred loader panic when mutate and generate policies are applied
* fix: tests
* fix: update policies
* remove clusterrolebinding
* fix: copy only json context
* fix: polctx
---------
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Explanation
Previously, mutate and generate rules were sharing the same policy context and were operating concurrently. This causes a race condition problem where, if a checkpoint is created by either of the handlers too soon, a deferred loader creates a loader entry at the wrong level. This causes the deferred loader to be deleted too soon and causes a panic in some scenarios.
Related issue
Closes #9413
Proposed Changes
Deep copy the policy context before passing it to generate and mutate handlers
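The race described in the Explanation, replayed as one fixed interleaving in a simplified model. This is an added example, not code from this PR or from Kyverno: the `ctx` type, its methods and the `cm` loader name are hypothetical, and the steps run sequentially so the outcome is deterministic.

```go
package main

import "fmt"

// ctx is a simplified, hypothetical model of a policy context (not Kyverno's types).
type ctx struct {
	data    string         // JSON document the rules evaluate against
	depth   int            // number of open checkpoints
	loaders map[string]int // deferred loader name -> depth at registration
}

func newCtx() *ctx                     { return &ctx{data: "{}", loaders: map[string]int{}} }
func (c *ctx) checkpoint()             { c.depth++ }
func (c *ctx) addDeferred(name string) { c.loaders[name] = c.depth }

// deepCopy carries over only the JSON data; checkpoint state starts fresh.
func (c *ctx) deepCopy() *ctx { return &ctx{data: c.data, loaders: map[string]int{}} }

// restore unwinds one checkpoint and drops loaders registered at that depth.
func (c *ctx) restore() {
	for name, d := range c.loaders {
		if d >= c.depth {
			delete(c.loaders, name)
		}
	}
	c.depth--
}

// hasLoader reports whether a deferred variable can still be resolved.
func (c *ctx) hasLoader(name string) bool {
	_, ok := c.loaders[name]
	return ok
}

// interleave replays one fixed ordering of the mutate (m) and generate (g) handlers.
func interleave(m, g *ctx) bool {
	m.checkpoint()           // mutate handler enters a rule
	g.checkpoint()           // generate handler enters a rule
	g.addDeferred("cm")      // generate registers a deferred variable
	m.restore()              // mutate handler unwinds its rule
	return g.hasLoader("cm") // generate tries to resolve the variable
}

func main() {
	s, b := newCtx(), newCtx()
	fmt.Println("shared:", interleave(s, s), "copies:", interleave(b.deepCopy(), b.deepCopy()))
}
```

With one shared context, the second checkpoint registers the loader at depth 2 and the other handler's restore removes it. With separate copies, each handler only unwinds its own state.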