Validate PolicyManifest before creating an empty PolicyException (#181)

* Validate PolicyManifest before creating an empty PolicyException * Add GSPolicy label * Handle deletion of PolicyExceptions with MatchingLabels * Specify namespace when deleting * Ignore NotFound errors * Add log when deleting PolicyExceptions * Update .gitignore
giantswarm · Jan 31, 2025 · ce26150 · ce26150
1 parent 3818785
commit ce26150
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -24,3 +24,6 @@ Dockerfile.cross
 *.swp
 *.swo
 *~
+
+# DS_Store files
+*..DS_Store
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Add validation before creating empty PolicyExceptions.
+
 ## [0.1.3] - 2025-01-29
 
 ### Changed

diff --git a/internal/controller/policymanifest_controller.go b/internal/controller/policymanifest_controller.go
@@ -66,14 +66,37 @@ func (r *PolicyManifestReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		}
 	}
 
+	// Check if the PolicyManifest has any exceptions defined before creation
+	if len(polman.Spec.Exceptions) == 0 && len(polman.Spec.AutomatedExceptions) == 0 {
+		// Create label selector
+		labelSelector := client.MatchingLabels{
+			GSPolicy:  polman.ObjectMeta.Labels[GSPolicy],
+			ManagedBy: ComponentName,
+		}
+		// Delete Exception
+		if err := r.DeleteAllOf(ctx, &kyvernov2beta1.PolicyException{}, client.InNamespace(r.DestinationNamespace), labelSelector); err != nil {
+			if apierrors.IsNotFound(err) {
+				return ctrl.Result{}, nil
+			}
+
+			log.Log.Error(err, fmt.Sprintf("unable to delete PolicyException for %s", polman.ObjectMeta.Name))
+			return ctrl.Result{}, nil
+		}
+
+		log.Log.Info(fmt.Sprintf("PolicyException for %s deleted", polman.ObjectMeta.Name))
+
+		// Exit since there are no exceptions
+		return utils.JitterRequeue(DefaultRequeueDuration, r.MaxJitterPercent, r.Log), nil
+	}
+
 	kyvernoPolicyException := kyvernov2beta1.PolicyException{}
 	// Set kyvernoPolicyException destination namespace.
 	kyvernoPolicyException.Namespace = r.DestinationNamespace
 	// Set kyvernoPolicyException name.
 	kyvernoPolicyException.Name = fmt.Sprintf("gs-kpo-%s-exceptions", polman.ObjectMeta.Name)
 	// Set labels.
 	kyvernoPolicyException.Labels = generateLabels()
-	kyvernoPolicyException.Labels["policy.giantswarm.io/policy"] = polman.ObjectMeta.Labels["policy.giantswarm.io/policy"]
+	kyvernoPolicyException.Labels[GSPolicy] = polman.ObjectMeta.Labels[GSPolicy]
 
 	kyvernoPolicyException.Spec.Background = &r.Background
 

diff --git a/internal/controller/utils.go b/internal/controller/utils.go
@@ -13,13 +13,15 @@ var DefaultRequeueDuration = (time.Minute * 5)
 const (
 	ComponentName = "kyverno-policy-operator"
 	ManagedBy     = "app.kubernetes.io/managed-by"
+	GSPolicy      = "policy.giantswarm.io/policy"
 	MaxNameLength = 58
 )
 
 // generateLabels generates the labels for the Kyverno Policy Exception.
 func generateLabels() map[string]string {
 	labels := map[string]string{
 		ManagedBy: ComponentName,
+		GSPolicy:  "",
 	}
 	return labels
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,3 +24,6 @@ Dockerfile.cross @@
     *.swp
     *.swo
     *~
+    # DS_Store files
+    *..DS_Store