2020-01-07 10:33:28 -08:00
|
|
|
package cleanup
|
|
|
|
|
|
|
|
|
|
import (
|
2022-05-24 15:30:00 +02:00
|
|
|
"context"
|
|
|
|
|
"strconv"
|
2020-01-07 10:33:28 -08:00
|
|
|
"time"
|
|
|
|
|
|
2022-05-17 13:12:43 +02:00
|
|
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
|
|
|
|
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
2020-10-07 11:12:31 -07:00
|
|
|
kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
|
2022-05-18 06:02:31 +02:00
|
|
|
kyvernov1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1"
|
|
|
|
|
kyvernov1beta1informers "github.com/kyverno/kyverno/pkg/client/informers/externalversions/kyverno/v1beta1"
|
|
|
|
|
kyvernov1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1"
|
|
|
|
|
kyvernov1beta1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v1beta1"
|
2021-07-01 00:30:02 +05:30
|
|
|
pkgCommon "github.com/kyverno/kyverno/pkg/common"
|
2020-10-07 11:12:31 -07:00
|
|
|
"github.com/kyverno/kyverno/pkg/config"
|
2022-05-18 06:02:31 +02:00
|
|
|
"github.com/kyverno/kyverno/pkg/dclient"
|
2022-05-24 15:30:00 +02:00
|
|
|
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
|
2020-11-20 14:14:59 -08:00
|
|
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
2022-05-24 15:30:00 +02:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
2021-07-01 00:30:02 +05:30
|
|
|
"k8s.io/apimachinery/pkg/labels"
|
2020-01-07 10:33:28 -08:00
|
|
|
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
|
|
|
|
"k8s.io/apimachinery/pkg/util/wait"
|
2022-05-17 17:51:03 +02:00
|
|
|
corev1informers "k8s.io/client-go/informers/core/v1"
|
2022-04-25 20:20:40 +08:00
|
|
|
"k8s.io/client-go/kubernetes"
|
2022-05-17 17:51:03 +02:00
|
|
|
corev1listers "k8s.io/client-go/listers/core/v1"
|
2020-01-07 10:33:28 -08:00
|
|
|
"k8s.io/client-go/tools/cache"
|
|
|
|
|
"k8s.io/client-go/util/workqueue"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2020-12-01 12:30:08 -08:00
|
|
|
maxRetries = 10
|
2020-01-07 10:33:28 -08:00
|
|
|
)
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
type Controller interface {
|
|
|
|
|
// Run starts workers
|
|
|
|
|
Run(int, <-chan struct{})
|
|
|
|
|
}
|
2021-06-08 12:37:19 -07:00
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
// controller manages life-cycle of generate-requests
|
|
|
|
|
type controller struct {
|
|
|
|
|
// clients
|
|
|
|
|
client dclient.Interface
|
2022-05-02 22:30:07 +02:00
|
|
|
kyvernoClient kyvernoclient.Interface
|
2021-06-08 12:37:19 -07:00
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
// informers
|
2022-05-18 06:02:31 +02:00
|
|
|
pInformer kyvernov1informers.ClusterPolicyInformer
|
|
|
|
|
urInformer kyvernov1beta1informers.UpdateRequestInformer
|
2020-01-07 10:33:28 -08:00
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
// listers
|
|
|
|
|
pLister kyvernov1listers.ClusterPolicyLister
|
2022-05-18 06:02:31 +02:00
|
|
|
npLister kyvernov1listers.PolicyLister
|
|
|
|
|
urLister kyvernov1beta1listers.UpdateRequestNamespaceLister
|
2022-05-17 17:51:03 +02:00
|
|
|
nsLister corev1listers.NamespaceLister
|
2022-04-21 11:42:34 +05:30
|
|
|
|
2022-06-28 12:55:52 +08:00
|
|
|
informersSynced []cache.InformerSynced
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
// queue
|
|
|
|
|
queue workqueue.RateLimitingInterface
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
|
|
|
|
|
2022-05-17 08:19:03 +02:00
|
|
|
// NewController returns a new controller instance to manage generate-requests
|
2020-01-07 10:33:28 -08:00
|
|
|
func NewController(
|
2021-06-08 12:37:19 -07:00
|
|
|
kubeClient kubernetes.Interface,
|
2022-05-02 22:30:07 +02:00
|
|
|
kyvernoclient kyvernoclient.Interface,
|
2022-05-03 07:30:04 +02:00
|
|
|
client dclient.Interface,
|
2022-05-18 06:02:31 +02:00
|
|
|
pInformer kyvernov1informers.ClusterPolicyInformer,
|
|
|
|
|
npInformer kyvernov1informers.PolicyInformer,
|
|
|
|
|
urInformer kyvernov1beta1informers.UpdateRequestInformer,
|
2022-05-17 17:51:03 +02:00
|
|
|
namespaceInformer corev1informers.NamespaceInformer,
|
2022-05-24 15:30:00 +02:00
|
|
|
) Controller {
|
2022-06-28 12:55:52 +08:00
|
|
|
c := &controller{
|
2022-04-25 20:20:40 +08:00
|
|
|
client: client,
|
2022-05-24 15:30:00 +02:00
|
|
|
kyvernoClient: kyvernoclient,
|
2022-04-25 20:20:40 +08:00
|
|
|
pInformer: pInformer,
|
2022-04-29 19:05:49 +08:00
|
|
|
urInformer: urInformer,
|
2022-05-24 15:30:00 +02:00
|
|
|
pLister: pInformer.Lister(),
|
|
|
|
|
npLister: npInformer.Lister(),
|
|
|
|
|
urLister: urInformer.Lister().UpdateRequests(config.KyvernoNamespace()),
|
|
|
|
|
nsLister: namespaceInformer.Lister(),
|
2022-04-25 20:20:40 +08:00
|
|
|
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "generate-request-cleanup"),
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
2022-06-28 12:55:52 +08:00
|
|
|
|
|
|
|
|
c.informersSynced = []cache.InformerSynced{pInformer.Informer().HasSynced, npInformer.Informer().HasSynced, urInformer.Informer().HasSynced, namespaceInformer.Informer().HasSynced}
|
|
|
|
|
return c
|
2022-05-24 15:30:00 +02:00
|
|
|
}
|
2020-11-30 11:22:20 -08:00
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) Run(workers int, stopCh <-chan struct{}) {
|
|
|
|
|
defer utilruntime.HandleCrash()
|
|
|
|
|
defer c.queue.ShutDown()
|
|
|
|
|
logger.Info("starting")
|
|
|
|
|
defer logger.Info("shutting down")
|
2022-06-28 12:55:52 +08:00
|
|
|
|
|
|
|
|
if !cache.WaitForNamedCacheSync("generate-request-cleanup", stopCh, c.informersSynced...) {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
c.pInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
|
|
|
|
DeleteFunc: c.deletePolicy, // we only cleanup if the policy is delete
|
|
|
|
|
})
|
|
|
|
|
c.urInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
|
|
|
|
DeleteFunc: c.deleteUR,
|
|
|
|
|
})
|
|
|
|
|
for i := 0; i < workers; i++ {
|
|
|
|
|
go wait.Until(c.worker, time.Second, stopCh)
|
|
|
|
|
}
|
|
|
|
|
<-stopCh
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) deletePolicy(obj interface{}) {
|
|
|
|
|
p, ok := kubeutils.GetObjectWithTombstone(obj).(*kyvernov1.ClusterPolicy)
|
2020-01-07 10:33:28 -08:00
|
|
|
if !ok {
|
2022-05-24 15:30:00 +02:00
|
|
|
logger.Info("Failed to get deleted object", "obj", obj)
|
|
|
|
|
return
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
2020-11-30 11:22:20 -08:00
|
|
|
|
2020-03-17 11:05:20 -07:00
|
|
|
logger.V(4).Info("deleting policy", "name", p.Name)
|
2021-07-01 00:30:02 +05:30
|
|
|
|
2022-05-05 18:56:27 +08:00
|
|
|
generatePolicyWithClone := pkgCommon.ProcessDeletePolicyForCloneGenerateRule(p, c.client, c.kyvernoClient, c.urLister, p.GetName(), logger)
|
2021-07-01 00:30:02 +05:30
|
|
|
|
2022-04-29 19:05:49 +08:00
|
|
|
// get the generated resource name from update request for log
|
2021-07-01 00:30:02 +05:30
|
|
|
selector := labels.SelectorFromSet(labels.Set(map[string]string{
|
2022-05-17 13:12:43 +02:00
|
|
|
kyvernov1beta1.URGeneratePolicyLabel: p.Name,
|
2021-07-01 00:30:02 +05:30
|
|
|
}))
|
|
|
|
|
|
2022-04-29 19:05:49 +08:00
|
|
|
urList, err := c.urLister.List(selector)
|
2020-01-07 10:33:28 -08:00
|
|
|
if err != nil {
|
2022-05-17 13:12:43 +02:00
|
|
|
logger.Error(err, "failed to get update request for the resource", "label", kyvernov1beta1.URGeneratePolicyLabel)
|
2020-01-07 10:33:28 -08:00
|
|
|
return
|
|
|
|
|
}
|
2020-11-30 11:22:20 -08:00
|
|
|
|
2022-04-29 19:05:49 +08:00
|
|
|
for _, ur := range urList {
|
|
|
|
|
for _, generatedResource := range ur.Status.GeneratedResources {
|
2021-07-09 18:01:46 -07:00
|
|
|
logger.V(4).Info("retaining resource", "apiVersion", generatedResource.APIVersion, "kind", generatedResource.Kind, "name", generatedResource.Name, "namespace", generatedResource.Namespace)
|
2021-07-01 00:30:02 +05:30
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !generatePolicyWithClone {
|
2022-04-29 19:05:49 +08:00
|
|
|
urs, err := c.urLister.GetUpdateRequestsForClusterPolicy(p.Name)
|
2021-07-01 00:30:02 +05:30
|
|
|
if err != nil {
|
2022-04-29 19:05:49 +08:00
|
|
|
logger.Error(err, "failed to update request for the policy", "name", p.Name)
|
2021-07-01 00:30:02 +05:30
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-29 19:05:49 +08:00
|
|
|
for _, ur := range urs {
|
|
|
|
|
logger.V(4).Info("enqueue the ur for cleanup", "ur name", ur.Name)
|
2022-05-05 18:56:27 +08:00
|
|
|
c.enqueue(ur)
|
2021-07-01 00:30:02 +05:30
|
|
|
}
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) deleteUR(obj interface{}) {
|
|
|
|
|
ur, ok := kubeutils.GetObjectWithTombstone(obj).(*kyvernov1beta1.UpdateRequest)
|
2020-01-07 10:33:28 -08:00
|
|
|
if !ok {
|
2022-05-24 15:30:00 +02:00
|
|
|
logger.Info("Failed to get deleted object", "obj", obj)
|
|
|
|
|
return
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
2022-05-05 18:56:27 +08:00
|
|
|
if ur.Status.Handler != "" {
|
|
|
|
|
return
|
2020-08-31 23:55:13 +05:30
|
|
|
}
|
2022-04-29 19:05:49 +08:00
|
|
|
c.enqueue(ur)
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) enqueue(ur *kyvernov1beta1.UpdateRequest) {
|
2022-04-29 19:05:49 +08:00
|
|
|
key, err := cache.MetaNamespaceKeyFunc(ur)
|
2020-01-07 10:33:28 -08:00
|
|
|
if err != nil {
|
2020-03-17 16:25:34 -07:00
|
|
|
logger.Error(err, "failed to extract key")
|
2020-01-07 10:33:28 -08:00
|
|
|
return
|
|
|
|
|
}
|
2022-04-29 19:05:49 +08:00
|
|
|
logger.V(5).Info("enqueue update request", "name", ur.Name)
|
2020-01-07 10:33:28 -08:00
|
|
|
c.queue.Add(key)
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-22 11:07:31 -08:00
|
|
|
// worker runs a worker thread that just de-queues items, processes them, and marks them done.
|
2022-04-29 19:05:49 +08:00
|
|
|
// It enforces that the syncUpdateRequest is never invoked concurrently with the same key.
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) worker() {
|
2020-01-07 10:33:28 -08:00
|
|
|
for c.processNextWorkItem() {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) processNextWorkItem() bool {
|
2020-01-07 10:33:28 -08:00
|
|
|
key, quit := c.queue.Get()
|
|
|
|
|
if quit {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
defer c.queue.Done(key)
|
2022-04-29 19:05:49 +08:00
|
|
|
err := c.syncUpdateRequest(key.(string))
|
2020-01-07 10:33:28 -08:00
|
|
|
c.handleErr(err, key)
|
|
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) handleErr(err error, key interface{}) {
|
2020-01-07 10:33:28 -08:00
|
|
|
if err == nil {
|
|
|
|
|
c.queue.Forget(key)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-08 12:37:19 -07:00
|
|
|
if apierrors.IsNotFound(err) {
|
2022-04-29 19:05:49 +08:00
|
|
|
logger.V(4).Info("dropping update request", "key", key, "error", err.Error())
|
2020-11-13 17:44:34 -08:00
|
|
|
c.queue.Forget(key)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-07 10:33:28 -08:00
|
|
|
if c.queue.NumRequeues(key) < maxRetries {
|
2022-04-29 19:05:49 +08:00
|
|
|
logger.V(3).Info("retrying update request", "key", key, "error", err.Error())
|
2020-01-07 10:33:28 -08:00
|
|
|
c.queue.AddRateLimited(key)
|
|
|
|
|
return
|
|
|
|
|
}
|
2020-12-01 12:30:08 -08:00
|
|
|
|
2022-04-29 19:05:49 +08:00
|
|
|
logger.Error(err, "failed to cleanup update request", "key", key)
|
2020-01-07 10:33:28 -08:00
|
|
|
c.queue.Forget(key)
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-24 15:30:00 +02:00
|
|
|
func (c *controller) syncUpdateRequest(key string) error {
|
|
|
|
|
logger := logger.WithValues("key", key)
|
2020-01-07 10:33:28 -08:00
|
|
|
var err error
|
|
|
|
|
startTime := time.Now()
|
2022-04-29 19:05:49 +08:00
|
|
|
logger.V(4).Info("started syncing update request", "startTime", startTime)
|
2020-01-07 10:33:28 -08:00
|
|
|
defer func() {
|
2022-04-29 19:05:49 +08:00
|
|
|
logger.V(4).Info("finished syncing update request", "processingTIme", time.Since(startTime).String())
|
2020-01-07 10:33:28 -08:00
|
|
|
}()
|
2022-04-29 19:05:49 +08:00
|
|
|
_, urName, err := cache.SplitMetaNamespaceKey(key)
|
2020-01-07 10:33:28 -08:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-04-29 19:05:49 +08:00
|
|
|
ur, err := c.urLister.Get(urName)
|
2020-01-07 10:33:28 -08:00
|
|
|
if err != nil {
|
2022-05-24 15:30:00 +02:00
|
|
|
if apierrors.IsNotFound(err) {
|
|
|
|
|
logger.Info("update request has been deleted")
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-01-07 10:33:28 -08:00
|
|
|
return err
|
|
|
|
|
}
|
2022-05-24 15:30:00 +02:00
|
|
|
if ur.Status.State == kyvernov1beta1.Pending {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2022-04-29 19:05:49 +08:00
|
|
|
pNamespace, pName, err := cache.SplitMetaNamespaceKey(ur.Spec.Policy)
|
2020-08-10 22:42:11 +05:30
|
|
|
if err != nil {
|
2022-03-29 18:34:33 +05:30
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if pNamespace == "" {
|
|
|
|
|
_, err = c.pLister.Get(pName)
|
|
|
|
|
} else {
|
|
|
|
|
_, err = c.npLister.Policies(pNamespace).Get(pName)
|
2022-05-05 18:56:27 +08:00
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
if !apierrors.IsNotFound(err) {
|
|
|
|
|
return err
|
2021-10-11 23:57:43 +02:00
|
|
|
}
|
2022-05-05 18:56:27 +08:00
|
|
|
logger.Error(err, "failed to get policy, deleting the update request", "key", ur.Spec.Policy)
|
2022-05-24 15:30:00 +02:00
|
|
|
return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.Name, metav1.DeleteOptions{})
|
2020-08-10 22:42:11 +05:30
|
|
|
}
|
2022-04-29 19:05:49 +08:00
|
|
|
return c.processUR(*ur)
|
2020-01-07 10:33:28 -08:00
|
|
|
}
|
2022-05-24 15:30:00 +02:00
|
|
|
|
|
|
|
|
func (c *controller) processUR(ur kyvernov1beta1.UpdateRequest) error {
|
|
|
|
|
logger := logger.WithValues("kind", ur.Kind, "namespace", ur.Namespace, "name", ur.Name)
|
|
|
|
|
// 1- Corresponding policy has been deleted
|
|
|
|
|
// then we don't delete the generated resources
|
|
|
|
|
|
|
|
|
|
// 2- The trigger resource is deleted, then delete the generated resources
|
|
|
|
|
if !ownerResourceExists(logger, c.client, ur) {
|
|
|
|
|
deleteUR := false
|
|
|
|
|
// check retry count in annotaion
|
|
|
|
|
urAnnotations := ur.Annotations
|
|
|
|
|
if val, ok := urAnnotations["generate.kyverno.io/retry-count"]; ok {
|
|
|
|
|
retryCount, err := strconv.ParseUint(val, 10, 32)
|
|
|
|
|
if err != nil {
|
|
|
|
|
logger.Error(err, "unable to convert retry-count")
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if retryCount >= 5 {
|
|
|
|
|
deleteUR = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if deleteUR {
|
|
|
|
|
if err := deleteGeneratedResources(logger, c.client, ur); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
// - trigger-resource is deleted
|
|
|
|
|
// - generated-resources are deleted
|
|
|
|
|
// - > Now delete the UpdateRequest CR
|
|
|
|
|
return c.kyvernoClient.KyvernoV1beta1().UpdateRequests(config.KyvernoNamespace()).Delete(context.TODO(), ur.Name, metav1.DeleteOptions{})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
