added the pre-check

Signed-off-by: Ved Ratan <vedratan8@gmail.com>

pkg/adapter/nimbus-kyverno/manager/manager.go

@@ -423,6 +423,10 @@ func createTriggerForKp(ctx context.Context, nameNamespace common.Request) {
 		logger.Error(err, "failed to get existing KyvernoPolicy", "KyvernoPolicy.Name", existingKp.Name, "KyvernoPolicy.Namespace", nameNamespace.Namespace)
 		return
 	}
+	if !strings.Contains(existingKp.GetName(), "mutateexisting") || !utils.CheckIfReady(existingKp.Status.Conditions) {  // check if the policy is ready and the policy is the mutateexisting one
+		return
+	}
+
 	configMap := &corev1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      nameNamespace.Name + "-trigger-configmap",
@@ -439,25 +443,15 @@ func createTriggerForKp(ctx context.Context, nameNamespace common.Request) {
 		return
 	}
 
-	isPolReady := false
-
-	for i := 0; i < len(existingKp.Status.Conditions); i++ {
-		if existingKp.Status.Conditions[i].Type == "Ready" && existingKp.Status.Conditions[i].Reason == "Succeeded" {
-			isPolReady = true
-		}
-	}
-
 	err = k8sClient.Get(ctx, types.NamespacedName{Name: nameNamespace.Name + "-trigger-configmap", Namespace: nameNamespace.Namespace}, &existingConfigMap)
 	if err != nil && errors.IsNotFound(err) {
-		if isPolReady && strings.Contains(existingKp.GetName(), "mutateexisting") {
-			// Create the ConfigMap
-			err = k8sClient.Create(context.TODO(), configMap)
+		// Create the ConfigMap
+		err = k8sClient.Create(context.TODO(), configMap)
 
-			if err != nil {
-				logger.Error(err, "Failed to create trigger ConfigMap", "Namespace", configMap.Namespace)
-			} else {
-				logger.Info("Created trigger ConfigMap", "Namespace", configMap.Namespace)
-			}
+		if err != nil {
+			logger.Error(err, "Failed to create trigger ConfigMap", "Namespace", configMap.Namespace)
+		} else {
+			logger.Info("Created trigger ConfigMap", "Namespace", configMap.Namespace)
 		}
 	}
 }

pkg/adapter/nimbus-kyverno/processor/kpbuilder.go

@@ -110,10 +110,6 @@ func cocoRuntimeAddition(np *v1alpha1.NimbusPolicy) ([]kyvernov1.Policy, error)
 	}
 
 	deploymentsGVR := schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}
-	// labelSelector := metav1.LabelSelector{MatchLabels: labels}
-	// listOptions := metav1.ListOptions{
-	// 	LabelSelector: apiLabels.Set(labelSelector.MatchLabels).String(),
-	// }
 	deployments, err := client.Resource(deploymentsGVR).Namespace(np.Namespace).List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
 		errs = append(errs, err)

pkg/adapter/nimbus-kyverno/utils/utils.go

@@ -11,6 +11,7 @@ import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 func GetGVK(kind string) string {
@@ -47,7 +48,14 @@ func GetGVK(kind string) string {
 	return fmt.Sprintf("%s/%s", apiVersion, Title(kind))
 }
 
+// sort.Slice(planets, func(i, j int) bool {
+// 	return planets[i].Axis < planets[j].Axis
+//   })
+
 func PolEqual(a, b kyvernov1.Policy) (string, bool) {
+	if len(a.Spec.Rules[0].MatchResources.Any) != len(b.Spec.Rules[0].MatchResources.Any) {
+		return "diff: labels not equal", false
+	}
 	if a.ObjectMeta.Name != b.ObjectMeta.Name {
 		return "diff: name", false
 	}
@@ -63,12 +71,52 @@ func PolEqual(a, b kyvernov1.Policy) (string, bool) {
 		return "diff: OwnerReferences", false
 	}
 
-	if !reflect.DeepEqual(a.Spec, b.Spec) && !reflect.DeepEqual(a.Spec.Rules[0], b.Spec.Rules[0]){
+	if !checkLabels(a, b) {
+		return "diff: labels", false
+	}
+
+	if !reflect.DeepEqual(a.Spec, b.Spec) {
 		return "diff: Spec", false
 	}
 	return "", true
 }
 
+func CheckIfReady(conditions []metav1.Condition) bool {
+	for _, condition := range conditions {
+		if condition.Type == "Ready" && condition.Reason == "Succeeded" {
+			return true
+		}
+	}
+	return false
+}
+func checkLabels(a, b kyvernov1.Policy) bool {
+	resourceFiltersA := a.Spec.Rules[0].MatchResources.Any
+	resourceFiltersB := b.Spec.Rules[0].MatchResources.Any
+	if len(resourceFiltersA) != len(resourceFiltersB) {
+		return false
+	}
+	mp := make(map[string]bool)
+	for _, filter := range resourceFiltersA {
+		if filter.Selector != nil {
+			for k,v := range filter.Selector.MatchLabels {
+				key := k+v
+				mp[key] = true
+			}
+		}
+	}
+
+	for _, filter := range resourceFiltersB {
+		if filter.Selector != nil {
+			for k,v := range filter.Selector.MatchLabels {
+				key := k+v
+				if !mp[key] {
+					return false
+				}
+			}
+		}
+	}
+	return true
+}
 func Title(input string) string {
     toTitle := cases.Title(language.Und)
 

pkg/adapter/nimbus-kyverno/watcher/kpwatcher.go

@@ -10,9 +10,9 @@ import (
 
 	"github.com/5GSEC/nimbus/pkg/adapter/common"
 	"github.com/5GSEC/nimbus/pkg/adapter/k8s"
+	"github.com/5GSEC/nimbus/pkg/adapter/nimbus-kyverno/utils"
 	adapterutil "github.com/5GSEC/nimbus/pkg/adapter/util"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -84,7 +84,7 @@ func WatchKps(ctx context.Context, updatedKpCh, deletedKpCh chan common.Request)
 
 			// for mutate existing policy
 			if oldU.GetGeneration() == newU.GetGeneration() {
-				if checkIfReady(newConditions) && !checkIfReady(oldConditions) {
+				if utils.CheckIfReady(newConditions) && !utils.CheckIfReady(oldConditions) {
 					kpNamespacedName := common.Request{
 						Name:      newU.GetName(),
 						Namespace: newU.GetNamespace(),
@@ -123,12 +123,4 @@ func WatchKps(ctx context.Context, updatedKpCh, deletedKpCh chan common.Request)
 	informer.Run(ctx.Done())
 }
 
-func checkIfReady(conditions []metav1.Condition) bool {
-	for _, condition := range conditions {
-		if condition.Type == "Ready" && condition.Reason == "Succeeded" {
-			return true
-		}
-	}
-	return false
-}