Merge pull request #131 from bytedance/delete-zombie-armorprofile

Delete zombie armorprofile objects

internal/policy/clusterpolicy_controller.go

@@ -28,8 +28,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	appsv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	"k8s.io/client-go/util/retry"
-
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 
@@ -40,6 +38,7 @@ import (
 	varmorprofile "github.com/bytedance/vArmor/internal/profile"
 	statusmanager "github.com/bytedance/vArmor/internal/status/api/v1"
 	varmortypes "github.com/bytedance/vArmor/internal/types"
+	varmorutils "github.com/bytedance/vArmor/internal/utils"
 	varmorinterface "github.com/bytedance/vArmor/pkg/client/clientset/versioned/typed/varmor/v1beta1"
 	varmorinformer "github.com/bytedance/vArmor/pkg/client/informers/externalversions/varmor/v1beta1"
 	varmorlister "github.com/bytedance/vArmor/pkg/client/listers/varmor/v1beta1"
@@ -164,15 +163,7 @@ func (c *ClusterPolicyController) handleDeleteVarmorClusterPolicy(name string) e
 		}
 
 		logger.Info("remove the ArmorProfile's finalizers")
-		removeFinalizers := func() error {
-			ap, err := c.varmorInterface.ArmorProfiles(varmorconfig.Namespace).Get(context.Background(), apName, metav1.GetOptions{})
-			if err == nil {
-				ap.Finalizers = []string{}
-				_, err = c.varmorInterface.ArmorProfiles(varmorconfig.Namespace).Update(context.Background(), ap, metav1.UpdateOptions{})
-			}
-			return err
-		}
-		err := retry.RetryOnConflict(retry.DefaultRetry, removeFinalizers)
+		err := varmorutils.RemoveArmorProfileFinalizers(c.varmorInterface, apName, varmorconfig.Namespace)
 		if err != nil {
 			logger.Error(err, "failed to remove the ArmorProfile's finalizers")
 		}
@@ -580,22 +571,31 @@ func (c *ClusterPolicyController) syncClusterPolicy(key string) error {
 		}
 	}
 
-	apName := varmorprofile.GenerateArmorProfileName(varmorconfig.Namespace, vcp.Name, true)
-	ap, err := c.varmorInterface.ArmorProfiles(varmorconfig.Namespace).Get(context.Background(), apName, metav1.GetOptions{})
-	if err != nil {
-		if k8errors.IsNotFound(err) {
-			// VarmorClusterPolicy create event
-			logger.V(3).Info("processing VarmorClusterPolicy create event")
-			return c.handleAddVarmorClusterPolicy(vcp)
+	newPolicy := false
+	apName := varmorprofile.GenerateArmorProfileName(vcp.Namespace, vcp.Name, false)
+	ap, err := c.varmorInterface.ArmorProfiles(vcp.Namespace).Get(context.Background(), apName, metav1.GetOptions{})
+	if err == nil {
+		if policyOwnArmorProfile(vcp, ap, false) {
+			// VarmorClusterPolicy update event
+			logger.V(3).Info("processing VarmorClusterPolicy update event")
+			return c.handleUpdateVarmorClusterPolicy(vcp, ap)
 		} else {
-			logger.Error(err, "c.varmorInterface.ArmorProfiles().Get()")
-			return err
+			logger.Info("remove the finalizers of zombie ArmorProfile", "namespace", ap.Namespace, "name", ap.Name)
+			err := varmorutils.RemoveArmorProfileFinalizers(c.varmorInterface, ap.Namespace, ap.Name)
+			if err != nil {
+				return err
+			}
+			newPolicy = true
 		}
-	} else {
-		// VarmorClusterPolicy update event
-		logger.V(3).Info("processing VarmorClusterPolicy update event")
-		return c.handleUpdateVarmorClusterPolicy(vcp, ap)
 	}
+
+	if k8errors.IsNotFound(err) || newPolicy {
+		// VarmorClusterPolicy create event
+		logger.V(3).Info("processing VarmorClusterPolicy create event")
+		return c.handleAddVarmorClusterPolicy(vcp)
+	}
+
+	return err
 }
 
 func (c *ClusterPolicyController) handleErr(err error, key interface{}) {

internal/policy/policy_controller.go

@@ -28,7 +28,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	appsv1 "k8s.io/client-go/kubernetes/typed/apps/v1"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
-	"k8s.io/client-go/util/retry"
 
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
@@ -39,6 +38,7 @@ import (
 	varmorprofile "github.com/bytedance/vArmor/internal/profile"
 	statusmanager "github.com/bytedance/vArmor/internal/status/api/v1"
 	varmortypes "github.com/bytedance/vArmor/internal/types"
+	varmorutils "github.com/bytedance/vArmor/internal/utils"
 	varmorinterface "github.com/bytedance/vArmor/pkg/client/clientset/versioned/typed/varmor/v1beta1"
 	varmorinformer "github.com/bytedance/vArmor/pkg/client/informers/externalversions/varmor/v1beta1"
 	varmorlister "github.com/bytedance/vArmor/pkg/client/listers/varmor/v1beta1"
@@ -168,15 +168,7 @@ func (c *PolicyController) handleDeleteVarmorPolicy(namespace, name string) erro
 		}
 
 		logger.Info("remove the ArmorProfile's finalizers")
-		removeFinalizers := func() error {
-			ap, err := c.varmorInterface.ArmorProfiles(namespace).Get(context.Background(), apName, metav1.GetOptions{})
-			if err == nil {
-				ap.Finalizers = []string{}
-				_, err = c.varmorInterface.ArmorProfiles(namespace).Update(context.Background(), ap, metav1.UpdateOptions{})
-			}
-			return err
-		}
-		err := retry.RetryOnConflict(retry.DefaultRetry, removeFinalizers)
+		err := varmorutils.RemoveArmorProfileFinalizers(c.varmorInterface, apName, namespace)
 		if err != nil {
 			logger.Error(err, "failed to remove the ArmorProfile's finalizers")
 		}
@@ -585,22 +577,31 @@ func (c *PolicyController) syncPolicy(key string) error {
 		}
 	}
 
+	newPolicy := false
 	apName := varmorprofile.GenerateArmorProfileName(vp.Namespace, vp.Name, false)
 	ap, err := c.varmorInterface.ArmorProfiles(vp.Namespace).Get(context.Background(), apName, metav1.GetOptions{})
-	if err != nil {
-		if k8errors.IsNotFound(err) {
-			// VarmorPolicy create event
-			logger.V(3).Info("processing VarmorPolicy create event")
-			return c.handleAddVarmorPolicy(vp)
+	if err == nil {
+		if policyOwnArmorProfile(vp, ap, false) {
+			// VarmorPolicy update event
+			logger.V(3).Info("processing VarmorPolicy update event")
+			return c.handleUpdateVarmorPolicy(vp, ap)
 		} else {
-			logger.Error(err, "c.varmorInterface.ArmorProfiles().Get()")
-			return err
+			logger.Info("remove the finalizers of zombie ArmorProfile", "namespace", ap.Namespace, "name", ap.Name)
+			err := varmorutils.RemoveArmorProfileFinalizers(c.varmorInterface, ap.Namespace, ap.Name)
+			if err != nil {
+				return err
+			}
+			newPolicy = true
 		}
-	} else {
-		// VarmorPolicy update event
-		logger.V(3).Info("processing VarmorPolicy update event")
-		return c.handleUpdateVarmorPolicy(vp, ap)
 	}
+
+	if k8errors.IsNotFound(err) || newPolicy {
+		// VarmorPolicy create event
+		logger.V(3).Info("processing VarmorPolicy create event")
+		return c.handleAddVarmorPolicy(vp)
+	}
+
+	return err
 }
 
 func (c *PolicyController) handleErr(err error, key interface{}) {

internal/policy/update.go

@@ -670,3 +670,18 @@ func resetArmorProfileModelStatus(varmorInterface varmorinterface.CrdV1beta1Inte
 			return err
 		})
 }
+
+func policyOwnArmorProfile(obj interface{}, ap *varmor.ArmorProfile, clusterScope bool) bool {
+	if clusterScope {
+		vcp := obj.(*varmor.VarmorClusterPolicy)
+		if len(ap.OwnerReferences) == 1 {
+			return vcp.UID == ap.OwnerReferences[0].UID
+		}
+	} else {
+		vp := obj.(*varmor.VarmorPolicy)
+		if len(ap.OwnerReferences) == 1 {
+			return vp.UID == ap.OwnerReferences[0].UID
+		}
+	}
+	return false
+}

internal/status/api/v1/manager.go

@@ -182,6 +182,16 @@ func (m *StatusManager) rebuildPolicyStatuses() error {
 		}
 
 		for _, ap := range apList.Items {
+			// Try to delete the zombie ArmorProfile objects
+			if ap.DeletionTimestamp != nil {
+				m.log.Info("remove the finalizers of zombie ArmorProfile", "namespace", ap.Namespace, "name", ap.Name)
+				err := varmorutils.RemoveArmorProfileFinalizers(m.varmorInterface, ap.Namespace, ap.Name)
+				if err != nil {
+					m.log.Error(err, "varmorutils.RemoveArmorProfileFinalizers()")
+				}
+				continue
+			}
+
 			statusKey, err := generatePolicyStatusKeyWithArmorProfile(&ap)
 			if err != nil {
 				continue

internal/utils/utils.go

@@ -35,8 +35,10 @@ import (
 	types "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/version"
 	corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"k8s.io/client-go/util/retry"
 
 	varmorconfig "github.com/bytedance/vArmor/internal/config"
+	varmorinterface "github.com/bytedance/vArmor/pkg/client/clientset/versioned/typed/varmor/v1beta1"
 )
 
 const (
@@ -292,3 +294,15 @@ func IsAppArmorGA(versionInfo *version.Info) (bool, error) {
 	}
 	return true, nil
 }
+
+func RemoveArmorProfileFinalizers(i varmorinterface.CrdV1beta1Interface, namespace, name string) error {
+	removeFinalizers := func() error {
+		ap, err := i.ArmorProfiles(namespace).Get(context.Background(), name, metav1.GetOptions{})
+		if err == nil {
+			ap.Finalizers = []string{}
+			_, err = i.ArmorProfiles(namespace).Update(context.Background(), ap, metav1.UpdateOptions{})
+		}
+		return err
+	}
+	return retry.RetryOnConflict(retry.DefaultRetry, removeFinalizers)
+}