kyverno/main.go

package main

import (
	"flag"
	"time"

	"github.com/golang/glog"
	kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"
	kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions"
	"github.com/nirmata/kyverno/pkg/config"
	client "github.com/nirmata/kyverno/pkg/dclient"
	event "github.com/nirmata/kyverno/pkg/event"
	"github.com/nirmata/kyverno/pkg/namespace"
	"github.com/nirmata/kyverno/pkg/policy"
	"github.com/nirmata/kyverno/pkg/policyviolation"
	"github.com/nirmata/kyverno/pkg/webhooks"
	"k8s.io/client-go/informers"
	"k8s.io/sample-controller/pkg/signals"
)

var (
	kubeconfig        string
	serverIP          string
	filterK8Resources string
	cpu               bool
	memory            bool
	webhookTimeout    int
)

const defaultReSyncTime = 10 * time.Second

func main() {
	defer glog.Flush()
	printVersionInfo()
	prof = enableProfiling(cpu, memory)

	// CLIENT CONFIG
	clientConfig, err := createClientConfig(kubeconfig)
	if err != nil {
		glog.Fatalf("Error building kubeconfig: %v\n", err)
	}

	// KYVENO CRD CLIENT
	// access CRD resources
	//		- Policy
	//		- PolicyViolation
	pclient, err := kyvernoclient.NewForConfig(clientConfig)
	if err != nil {
		glog.Fatalf("Error creating client: %v\n", err)
	}
	// DYNAMIC CLIENT
	// - client for all registered resources
	client, err := client.NewClient(clientConfig)
	if err != nil {
		glog.Fatalf("Error creating client: %v\n", err)
	}

	// KYVERNO CRD INFORMER
	// watches CRD resources:
	//		- Policy
	//		- PolicyVolation
	// - cache resync time: 10 seconds
	pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, defaultReSyncTime)
	// EVENT GENERATOR
	// - generate event with retry
	egen := event.NewEventGenerator(client, pInformer.Kyverno().V1alpha1().Policies())

	// mutatingWebhookConfiguration Informer
	kubeInformer := informers.NewSharedInformerFactory(client.Kclient, defaultReSyncTime)
	mutatingWebhookConfigurationLister := kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations().Lister()

	tlsPair, err := initTLSPemPair(clientConfig, client)
	if err != nil {
		glog.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)
	}

	// WEBHOOK REGISTRATION
	// -- validationwebhookconfiguration (Policy)
	// -- mutatingwebhookconfiguration (All resources)
	webhookRegistrationClient, err := webhooks.NewWebhookRegistrationClient(clientConfig, client, serverIP, int32(webhookTimeout))
	if err != nil {
		glog.Fatalf("Unable to register admission webhooks on cluster: %v\n", err)
	}

	if err = webhookRegistrationClient.Register(); err != nil {
		glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)
	}

	// POLICY CONTROLLER
	// - reconciliation policy and policy violation
	// - process policy on existing resources
	// - status: violation count

	pc, err := policy.NewPolicyController(pclient, client, pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations(), egen, mutatingWebhookConfigurationLister, webhookRegistrationClient)
	if err != nil {
		glog.Fatalf("error creating policy controller: %v\n", err)
	}

	// POLICY VIOLATION CONTROLLER
	// status: lastUpdatTime
	pvc, err := policyviolation.NewPolicyViolationController(client, pclient, pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations())
	if err != nil {
		glog.Fatalf("error creating policy violation controller: %v\n", err)
	}

	// GENERATE CONTROLLER
	// - watches for Namespace resource and generates resource based on the policy generate rule
	nsc := namespace.NewNamespaceController(pclient, client, kubeInformer.Core().V1().Namespaces(), pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations(), egen)

	server, err := webhooks.NewWebhookServer(pclient, client, tlsPair, pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations(), egen, webhookRegistrationClient, filterK8Resources)
	if err != nil {
		glog.Fatalf("Unable to create webhook server: %v\n", err)
	}

	stopCh := signals.SetupSignalHandler()

	if err = webhookRegistrationClient.Register(); err != nil {
		glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)
	}

	pInformer.Start(stopCh)
	kubeInformer.Start(stopCh)
	go pc.Run(1, stopCh)
	go pvc.Run(1, stopCh)
	go egen.Run(1, stopCh)
	go nsc.Run(1, stopCh)

	//TODO add WG for the go routines?
	server.RunAsync()

	<-stopCh
	disableProfiling(prof)
	server.Stop()
}

func init() {
	// profiling feature gate
	// cpu and memory profiling cannot be enabled at same time
	// if both cpu and memory are enabled
	// by default is to profile cpu
	flag.BoolVar(&cpu, "cpu", false, "cpu profilling feature gate, default to false || cpu and memory profiling cannot be enabled at the same time")
	flag.BoolVar(&memory, "memory", false, "memory profilling feature gate, default to false || cpu and memory profiling cannot be enabled at the same time")

	flag.IntVar(&webhookTimeout, "webhooktimeout", 2, "timeout for webhook configurations")
	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
	flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")
	flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, *, *]\"")
	config.LogDefaultFlags()
	flag.Parse()
}
NK2: Added script for code-generator, YAMLs with CRDs and stub for main.go 2019-02-06 14:52:09 +02:00			`package main`

			`import (`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`"flag"`
generation test 2019-08-14 18:40:33 -07:00			`"time"`
NK-10: Controller renamed to PolicyController. Created MutationWebhook class in new webhook package. Implemented filtering of incoming objects by Kind. Implemented simple usage of PolicyController in MutationWebhook. 2019-02-21 20:31:18 +02:00
support generation of any resource 2019-05-31 17:59:36 -07:00			`"github.com/golang/glog"`
rebase 2019-08-19 10:00:39 -07:00			`kyvernoclient "github.com/nirmata/kyverno/pkg/client/clientset/versioned"`
			`kyvernoinformer "github.com/nirmata/kyverno/pkg/client/informers/externalversions"`
support generation of any resource 2019-05-31 17:59:36 -07:00			`"github.com/nirmata/kyverno/pkg/config"`
move client to pkg, helper script for self-signed certs & update documentation 2019-05-29 14:12:09 -07:00			`client "github.com/nirmata/kyverno/pkg/dclient"`
rename pkg to kyverno 2019-05-21 11:00:09 -07:00			`event "github.com/nirmata/kyverno/pkg/event"`
namespace controller redesign 2019-08-14 14:56:53 -07:00			`"github.com/nirmata/kyverno/pkg/namespace"`
policyviolation, policy controller reconciliation 2019-08-07 16:14:33 -07:00			`"github.com/nirmata/kyverno/pkg/policy"`
init policy violation container 2019-08-08 15:36:19 -07:00			`"github.com/nirmata/kyverno/pkg/policyviolation"`
rename pkg to kyverno 2019-05-21 11:00:09 -07:00			`"github.com/nirmata/kyverno/pkg/webhooks"`
add check for registerinig webhookconfiguration in policy controller 2019-08-19 19:26:51 -07:00			`"k8s.io/client-go/informers"`
initial feature proposal 2019-05-10 00:05:21 -07:00			`"k8s.io/sample-controller/pkg/signals"`
NK9: Added controller module. Added main loop for controller. Added informer for Policies. Fixed apis definitions to fit the Policy 2019-02-11 19:49:27 +02:00			`)`

			`var (`
rebase with master 2019-07-31 17:43:46 -07:00			`kubeconfig string`
			`serverIP string`
			`filterK8Resources string`
add profiling flags 2019-08-02 11:18:02 -07:00			`cpu bool`
			`memory bool`
expose webhook timeout configuration 2019-08-07 12:32:44 -07:00			`webhookTimeout int`
NK2: Added script for code-generator, YAMLs with CRDs and stub for main.go 2019-02-06 14:52:09 +02:00			`)`

add check for registerinig webhookconfiguration in policy controller 2019-08-19 19:26:51 -07:00			`const defaultReSyncTime = 10 * time.Second`

NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`func main() {`
support generation of any resource 2019-05-31 17:59:36 -07:00			`defer glog.Flush()`
			`printVersionInfo()`
add profiling flags 2019-08-02 11:18:02 -07:00			`prof = enableProfiling(cpu, memory)`

test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`// CLIENT CONFIG`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`clientConfig, err := createClientConfig(kubeconfig)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if err != nil {`
support generation of any resource 2019-05-31 17:59:36 -07:00			`glog.Fatalf("Error building kubeconfig: %v\n", err)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`

test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`// KYVENO CRD CLIENT`
			`// access CRD resources`
			`// - Policy`
			`// - PolicyViolation`
rebase 2019-08-19 10:00:39 -07:00			`pclient, err := kyvernoclient.NewForConfig(clientConfig)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if err != nil {`
support generation of any resource 2019-05-31 17:59:36 -07:00			`glog.Fatalf("Error creating client: %v\n", err)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`
start creation policy violation 2019-08-09 19:12:50 -07:00			`// DYNAMIC CLIENT`
			`// - client for all registered resources`
			`client, err := client.NewClient(clientConfig)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`if err != nil {`
start creation policy violation 2019-08-09 19:12:50 -07:00			`glog.Fatalf("Error creating client: %v\n", err)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`// KYVERNO CRD INFORMER`
			`// watches CRD resources:`
			`// - Policy`
			`// - PolicyVolation`
generation test 2019-08-14 18:40:33 -07:00			`// - cache resync time: 10 seconds`
add check for registerinig webhookconfiguration in policy controller 2019-08-19 19:26:51 -07:00			`pInformer := kyvernoinformer.NewSharedInformerFactoryWithOptions(pclient, defaultReSyncTime)`
existing resource reporting 2019-08-13 13:15:04 -07:00			`// EVENT GENERATOR`
			`// - generate event with retry`
			`egen := event.NewEventGenerator(client, pInformer.Kyverno().V1alpha1().Policies())`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00
add check for registerinig webhookconfiguration in policy controller 2019-08-19 19:26:51 -07:00			`// mutatingWebhookConfiguration Informer`
			`kubeInformer := informers.NewSharedInformerFactory(client.Kclient, defaultReSyncTime)`
			`mutatingWebhookConfigurationLister := kubeInformer.Admissionregistration().V1beta1().MutatingWebhookConfigurations().Lister()`

			`tlsPair, err := initTLSPemPair(clientConfig, client)`
			`if err != nil {`
			`glog.Fatalf("Failed to initialize TLS key/certificate pair: %v\n", err)`
			`}`

			`// WEBHOOK REGISTRATION`
			`// -- validationwebhookconfiguration (Policy)`
			`// -- mutatingwebhookconfiguration (All resources)`
			`webhookRegistrationClient, err := webhooks.NewWebhookRegistrationClient(clientConfig, client, serverIP, int32(webhookTimeout))`
			`if err != nil {`
			`glog.Fatalf("Unable to register admission webhooks on cluster: %v\n", err)`
			`}`

			`if err = webhookRegistrationClient.Register(); err != nil {`
			`glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)`
			`}`

test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`// POLICY CONTROLLER`
			`// - reconciliation policy and policy violation`
clean up 2019-08-14 10:01:47 -07:00			`// - process policy on existing resources`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`// - status: violation count`
clean up 2019-08-14 10:01:47 -07:00
add check for registerinig webhookconfiguration in policy controller 2019-08-19 19:26:51 -07:00			`pc, err := policy.NewPolicyController(pclient, client, pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations(), egen, mutatingWebhookConfigurationLister, webhookRegistrationClient)`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`if err != nil {`
policyviolation, policy controller reconciliation 2019-08-07 16:14:33 -07:00			`glog.Fatalf("error creating policy controller: %v\n", err)`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`}`

test policy engine on admission requests 2019-08-09 16:55:43 -07:00			`// POLICY VIOLATION CONTROLLER`
			`// status: lastUpdatTime`
init policy violation container 2019-08-08 15:36:19 -07:00			`pvc, err := policyviolation.NewPolicyViolationController(client, pclient, pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations())`
			`if err != nil {`
			`glog.Fatalf("error creating policy violation controller: %v\n", err)`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`}`

namespace controller redesign 2019-08-14 14:56:53 -07:00			`// GENERATE CONTROLLER`
			`// - watches for Namespace resource and generates resource based on the policy generate rule`
			`nsc := namespace.NewNamespaceController(pclient, client, kubeInformer.Core().V1().Namespaces(), pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations(), egen)`

Merge branch 'policyViolation' into 254_dynamic_webhook_configurations # Conflicts: # main.go # pkg/annotations/annotations.go # pkg/annotations/controller.go # pkg/controller/controller.go # pkg/controller/controller_test.go # pkg/engine/engine.go # pkg/engine/generation.go # pkg/engine/mutation.go # pkg/engine/validation.go # pkg/event/controller.go # pkg/webhooks/mutation.go # pkg/webhooks/policyvalidation.go # pkg/webhooks/report.go # pkg/webhooks/server.go # pkg/webhooks/validation.go 2019-08-14 19:00:37 -07:00			`server, err := webhooks.NewWebhookServer(pclient, client, tlsPair, pInformer.Kyverno().V1alpha1().Policies(), pInformer.Kyverno().V1alpha1().PolicyViolations(), egen, webhookRegistrationClient, filterK8Resources)`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`if err != nil {`
register webhookconfigurations when policy first applied 2019-08-07 18:01:28 -07:00			`glog.Fatalf("Unable to create webhook server: %v\n", err)`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`}`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00
			`stopCh := signals.SetupSignalHandler()`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00
handle retrys events 2019-07-19 16:17:10 -07:00			`if err = webhookRegistrationClient.Register(); err != nil {`
			`glog.Fatalf("Failed registering Admission Webhooks: %v\n", err)`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`}`
NK-47: Implemented webhook deregistration. TLS pair initialization functionality moved to init.go. Separated server and mutation webhook objects, implemented registration of webhook with the creation of corresponding object. Added comments for webhook configuration definitions, changed name of configuration for debug. 2019-03-22 22:11:55 +02:00
policyviolation, policy controller reconciliation 2019-08-07 16:14:33 -07:00			`pInformer.Start(stopCh)`
namespace controller redesign 2019-08-14 14:56:53 -07:00			`kubeInformer.Start(stopCh)`
policyviolation, policy controller reconciliation 2019-08-07 16:14:33 -07:00			`go pc.Run(1, stopCh)`
init policy violation container 2019-08-08 15:36:19 -07:00			`go pvc.Run(1, stopCh)`
event generator cleanup 2019-08-09 13:41:56 -07:00			`go egen.Run(1, stopCh)`
namespace controller redesign 2019-08-14 14:56:53 -07:00			`go nsc.Run(1, stopCh)`
test policy engine on admission requests 2019-08-09 16:55:43 -07:00
			`//TODO add WG for the go routines?`
Implemented Validation Pattern base. Updated Webhooks registration logic. Updated project for using TLS package 2019-05-14 18:10:25 +03:00			`server.RunAsync()`
add profiling flags 2019-08-02 11:18:02 -07:00
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`<-stopCh`
add profiling flags 2019-08-02 11:18:02 -07:00			`disableProfiling(prof)`
			`server.Stop()`
NK9: Added controller module. Added main loop for controller. Added informer for Policies. Fixed apis definitions to fit the Policy 2019-02-11 19:49:27 +02:00			`}`

			`func init() {`
add profiling flags 2019-08-02 11:18:02 -07:00			`// profiling feature gate`
			`// cpu and memory profiling cannot be enabled at same time`
			`// if both cpu and memory are enabled`
			`// by default is to profile cpu`
			`flag.BoolVar(&cpu, "cpu", false, "cpu profilling feature gate, default to false \|\| cpu and memory profiling cannot be enabled at the same time")`
			`flag.BoolVar(&memory, "memory", false, "memory profilling feature gate, default to false \|\| cpu and memory profiling cannot be enabled at the same time")`

expose webhook timeout configuration 2019-08-07 12:32:44 -07:00			`flag.IntVar(&webhookTimeout, "webhooktimeout", 2, "timeout for webhook configurations")`
NK-23: Thre creation of default loggers moved to inside classes. Removed fatal termination from object constructors. Implemented new KubeClient class with test method which creates a Secret. Improved comments for the types structures. Added WebhookServerConfig structure instead of the most parameters to NewWebhookServer. 2019-03-04 20:40:02 +02:00			`flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")`
Allow user to run Kyverno in debug mode 2019-06-10 18:10:51 -07:00			`flag.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. Only required if out-of-cluster.")`
rebase with master 2019-07-31 17:43:46 -07:00			`flag.StringVar(&filterK8Resources, "filterK8Resources", "", "k8 resource in format [kind,namespace,name] where policy is not evaluated by the admission webhook. example --filterKind \"[Deployment, kyverno, kyverno]\" --filterKind \"[Deployment, kyverno, kyverno],[Events, , ]\"")`
support generation of any resource 2019-05-31 17:59:36 -07:00			`config.LogDefaultFlags()`
NK-31: Implemented creation TLS certificate Implemented storing the certificates in secret within the cluster. Implemented the cheking certificate's expiration date. Implemented initialization of server with certs data instead of files. 2019-03-15 19:03:55 +02:00			`flag.Parse()`
refactor code 2019-06-05 17:43:59 -07:00			`}`