feat: add dumpPatch flag (kyverno#11237)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

charts/kyverno/README.md

@@ -337,6 +337,7 @@ The chart values are organised per component.
 | features.dumpPayload.enabled | bool | `false` | Enables the feature |
 | features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature |
 | features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature |
+| features.dumpPatches.enabled | bool | `false` | Enables the feature |
 | features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended) |
 | features.logging.format | string | `"text"` | Logging format |
 | features.logging.verbosity | int | `2` | Logging verbosity |

charts/kyverno/templates/_helpers.tpl

@@ -49,6 +49,9 @@
 {{- with .generateValidatingAdmissionPolicy -}}
   {{- $flags = append $flags (print "--generateValidatingAdmissionPolicy=" .enabled) -}}
 {{- end -}}
+{{- with .dumpPatches -}}
+  {{- $flags = append $flags (print "--dumpPatches=" .enabled) -}}
+{{- end -}}
 {{- with .globalContext -}}
   {{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}}
 {{- end -}}

charts/kyverno/templates/admission-controller/deployment.yaml

@@ -181,6 +181,7 @@ spec:
               "dumpPayload"
               "forceFailurePolicyIgnore"
               "generateValidatingAdmissionPolicy"
+              "dumpPatches"
               "globalContext"
               "logging"
               "omitEvents"

charts/kyverno/values.yaml

@@ -661,6 +661,9 @@ features:
   generateValidatingAdmissionPolicy:
     # -- Enables the feature
     enabled: false
+  dumpPatches:
+    # -- Enables the feature
+    enabled: false
   globalContext:
     # -- Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended)
     maxApiCallResponseLength: 2000000

cmd/kyverno/main.go

@@ -287,6 +287,7 @@ func main() {
 	flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
 	flagset.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
 	flagset.Func(toggle.GenerateValidatingAdmissionPolicyFlagName, toggle.GenerateValidatingAdmissionPolicyDescription, toggle.GenerateValidatingAdmissionPolicy.Parse)
+	flagset.Func(toggle.DumpMutatePatchesFlagName, toggle.DumpMutatePatchesDescription, toggle.DumpMutatePatches.Parse)
 	flagset.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
 	flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.")
 	flagset.IntVar(&webhookServerPort, "webhookServerPort", 9443, "Port used by the webhook server.")

config/install-latest-testing.yaml

@@ -50712,6 +50712,7 @@ spec:
             - --dumpPayload=false
             - --forceFailurePolicyIgnore=false
             - --generateValidatingAdmissionPolicy=false
+            - --dumpPatches=false
             - --maxAPICallResponseLength=2000000
             - --loggingFormat=text
             - --v=2

pkg/toggle/context.go

@@ -11,6 +11,7 @@ type Toggles interface {
 	ForceFailurePolicyIgnore() bool
 	EnableDeferredLoading() bool
 	GenerateValidatingAdmissionPolicy() bool
+	DumpMutatePatches() bool
 }
 
 type defaultToggles struct{}
@@ -31,6 +32,10 @@ func (defaultToggles) GenerateValidatingAdmissionPolicy() bool {
 	return GenerateValidatingAdmissionPolicy.enabled()
 }
 
+func (defaultToggles) DumpMutatePatches() bool {
+	return DumpMutatePatches.enabled()
+}
+
 type contextKey struct{}
 
 func NewContext(ctx context.Context, toggles Toggles) context.Context {

pkg/toggle/toggle.go

@@ -26,13 +26,19 @@ const (
 	GenerateValidatingAdmissionPolicyDescription = "Set the flag to 'true', to generate validating admission policies."
 	generateValidatingAdmissionPolicyEnvVar      = "FLAG_GENERATE_VALIDATING_ADMISSION_POLICY"
 	defaultGenerateValidatingAdmissionPolicy     = false
+	// dump mutate patches
+	DumpMutatePatchesFlagName    = "dumpPatches"
+	DumpMutatePatchesDescription = "Set the flag to 'true', to dump mutate patches."
+	dumpMutatePatchesEnvVar      = "FLAG_DUMP_PATCHES"
+	defaultDumpMutatePatches     = false
 )
 
 var (
 	ProtectManagedResources           = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar)
 	ForceFailurePolicyIgnore          = newToggle(defaultForceFailurePolicyIgnore, forceFailurePolicyIgnoreEnvVar)
 	EnableDeferredLoading             = newToggle(defaultEnableDeferredLoading, enableDeferredLoadingEnvVar)
 	GenerateValidatingAdmissionPolicy = newToggle(defaultGenerateValidatingAdmissionPolicy, generateValidatingAdmissionPolicyEnvVar)
+	DumpMutatePatches                 = newToggle(defaultDumpMutatePatches, dumpMutatePatchesEnvVar)
 )
 
 type ToggleFlag interface {

pkg/webhooks/resource/mutation/mutation.go

@@ -13,6 +13,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/engine/mutate/patch"
 	"github.com/kyverno/kyverno/pkg/event"
 	"github.com/kyverno/kyverno/pkg/metrics"
+	"github.com/kyverno/kyverno/pkg/toggle"
 	"github.com/kyverno/kyverno/pkg/tracing"
 	engineutils "github.com/kyverno/kyverno/pkg/utils/engine"
 	jsonutils "github.com/kyverno/kyverno/pkg/utils/json"
@@ -66,7 +67,9 @@ func (h *mutationHandler) HandleMutation(
 	if err != nil {
 		return nil, nil, err
 	}
-	h.log.V(6).Info("", "generated patches", string(mutatePatches))
+	if toggle.FromContext(ctx).DumpMutatePatches() {
+		h.log.V(2).Info("", "generated patches", string(mutatePatches))
+	}
 	return mutatePatches, webhookutils.GetWarningMessages(mutateEngineResponses), nil
 }