mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-15 17:51:20 +00:00
Code Activity
kyverno/pkg/webhookconfig/common.go

365 lines
14 KiB
Go
Raw Normal View History

create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
package webhookconfig
import (
refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-02 10:58:04 +00:00
"context"
change cluster role labels (#2776) * change cluster role labels * change cluster role label value * fix cluster role label issue * fix comment
2021-12-02 10:22:34 +00:00
"errors"
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
"fmt"
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 07:15:09 +00:00
"reflect"
change cluster role labels (#2776) * change cluster role labels * change cluster role label value * fix cluster role label issue * fix comment
2021-12-02 10:22:34 +00:00
"strings"
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
update nirmata/kyverno to kyverno/kyverno
2020-10-07 18:12:31 +00:00
"github.com/kyverno/kyverno/pkg/config"
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 18:31:04 +00:00
"github.com/kyverno/kyverno/pkg/tls"
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 07:15:09 +00:00
admregapi "k8s.io/api/admissionregistration/v1"
refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-02 10:58:04 +00:00
appsv1 "k8s.io/api/apps/v1"
refactor: webhookconfig package (part 3) (#3834) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhook config package (part 2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhookconfig package (part 3) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-09 14:31:35 +00:00
corev1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-02 10:58:04 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
)
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
var (
noneOnDryRun = admregapi.SideEffectClassNoneOnDryRun
never = admregapi.NeverReinvocationPolicy
ifNeeded = admregapi.IfNeededReinvocationPolicy
policyRule = admregapi.Rule{
Resources: []string{"clusterpolicies/*", "policies/*"},
APIGroups: []string{"kyverno.io"},
APIVersions: []string{"v1"},
}
verifyRule = admregapi.Rule{
Resources: []string{"leases"},
APIGroups: []string{"coordination.k8s.io"},
APIVersions: []string{"v1"},
}
vertifyObjectSelector = &metav1.LabelSelector{
MatchLabels: map[string]string{
"app.kubernetes.io/name": "kyverno",
},
}
update = []admregapi.OperationType{admregapi.Update}
createUpdate = []admregapi.OperationType{admregapi.Create, admregapi.Update}
all = []admregapi.OperationType{admregapi.Create, admregapi.Update, admregapi.Delete, admregapi.Connect}
)
update webhook registration and monitor (#1318) * update webhook registration and monitor * update log * fix test * improve logs * improve logs * format changes * decrease interval for webhook config checks
2020-11-27 00:07:06 +00:00
func (wrc *Register) readCaData() []byte {
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 18:31:04 +00:00
logger := wrc.log.WithName("readCaData")
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
var caData []byte
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 18:31:04 +00:00
var err error
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
// Check if ca is defined in the secret tls-ca
// assume the key and signed cert have been defined in secret tls.kyverno
refactor: use typed k8s client in tls package (#3678) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-04-26 20:18:14 +00:00
if caData, err = tls.ReadRootCASecret(wrc.clientConfig, wrc.kubeClient); err == nil {
refactor logging
2020-03-17 23:25:34 +00:00
logger.V(4).Info("read CA from secret")
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
return caData
}
Add certificate renewer in webhook registration controller (#1692) * load TLS pair from existing secret, if applicable Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove Kyverno managed secrets during shutdown Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add certificate renewer; - re-structure certificate package Signed-off-by: Shuting Zhao <shutting06@gmail.com> * commit un-saved file Signed-off-by: Shuting Zhao <shutting06@gmail.com> * eliminate throttling requests while registering webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com> * disable webhook monitor (in old pod) during rolling update Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove webhook cleanup logic from init container Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update PR template Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update link to the website repo Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update repo name Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-03-16 18:31:04 +00:00
refactor logging
2020-03-17 23:25:34 +00:00
logger.V(4).Info("failed to read CA from kubeconfig")
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
return nil
}
refactor: webhookconfig package (part 4) (#3835)
2022-05-09 15:54:20 +00:00
func getHealthyPodsIP(pods []corev1.Pod) []string {
var ips []string
refactor: webhookconfig package (part 3) (#3834) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhook config package (part 2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhookconfig package (part 3) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-09 14:31:35 +00:00
for _, pod := range pods {
if pod.Status.Phase == "Running" {
ips = append(ips, pod.Status.PodIP)
}
adding ownerRef with namespace (#2263) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-08-14 00:07:40 +00:00
}
refactor: webhookconfig package (part 4) (#3835)
2022-05-09 15:54:20 +00:00
return ips
adding ownerRef with namespace (#2263) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-08-14 00:07:40 +00:00
}
refactor: webhookconfig package (part 3) (#3834) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhook config package (part 2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhookconfig package (part 3) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-09 14:31:35 +00:00
func (wrc *Register) GetKubePolicyClusterRoleName() (*rbacv1.ClusterRole, error) {
refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-02 10:58:04 +00:00
selector := &metav1.LabelSelector{
MatchLabels: map[string]string{
"app.kubernetes.io/name": "kyverno",
},
}
clusterRoles, err := wrc.kubeClient.RbacV1().ClusterRoles().List(context.TODO(), metav1.ListOptions{LabelSelector: metav1.FormatLabelSelector(selector)})
adding ownerRef with namespace (#2263) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-08-14 00:07:40 +00:00
if err != nil {
return nil, err
}
change cluster role labels (#2776) * change cluster role labels * change cluster role label value * fix cluster role label issue * fix comment
2021-12-02 10:22:34 +00:00
for _, cr := range clusterRoles.Items {
if strings.HasSuffix(cr.GetName(), "webhook") {
return &cr, nil
}
}
return nil, errors.New("failed to get cluster role with suffix webhook")
adding ownerRef with namespace (#2263) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
2021-08-14 00:07:40 +00:00
}
feat: HA (#1931) * Fix Dev setup * webhook monitor - start webhook monitor in main process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leaderelection Signed-off-by: Jim Bugwadia <jim@nirmata.com> * - add isLeader; - update to use configmap lock Signed-off-by: Shuting Zhao <shutting06@gmail.com> * - add initialization method - add methods to get attributes Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * remove newContext in runLeaderElection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to GenerateController Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * skip processing for non-leaders Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add leader election to generate cleanup controller Signed-off-by: Jim Bugwadia <jim@nirmata.com> * Gracefully drain request * HA - Webhook Register / Webhook Monitor / Certificate Renewer (#1920) * enable leader election for webhook register Signed-off-by: Shuting Zhao <shutting06@gmail.com> * extract certManager to its own process Signed-off-by: Shuting Zhao <shutting06@gmail.com> * leader election for cert manager Signed-off-by: Shuting Zhao <shutting06@gmail.com> * certManager - init certs by the leader Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * update log message Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add leader election to policy report controller Signed-off-by: Shuting Zhao <shutting06@gmail.com> * rebuild leader election config Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start informers in leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * start policy informers in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * enable leader election in main Signed-off-by: Shuting Zhao <shutting06@gmail.com> * move eventHandler to the leader election start method Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add clusterrole leaderelection Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fixed generate flow (#1936) Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com> * - init separate kubeclient for leaderelection - fix webhook monitor Signed-off-by: Shuting Zhao <shutting06@gmail.com> * address reviewdog comments Signed-off-by: Shuting Zhao <shutting06@gmail.com> * cleanup Kyverno managed resources on stopLeading Signed-off-by: Shuting Zhao <shutting06@gmail.com> * tag v1.4.0-beta1 Signed-off-by: Shuting Zhao <shutting06@gmail.com> * fix cleanup process on Kyverno stops Signed-off-by: Shuting Zhao <shutting06@gmail.com> * bump kind to 0.11.0, k8s v1.21 (#1980) Co-authored-by: vyankatesh <vyankatesh@neualto.com> Co-authored-by: vyankatesh <vyankateshkd@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Pooja Singh <36136335+NoSkillGirl@users.noreply.github.com>
2021-06-08 19:37:19 +00:00
// GetKubePolicyDeployment gets Kyverno deployment using the resource cache
// it does not initialize any client call
refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-02 10:58:04 +00:00
func (wrc *Register) GetKubePolicyDeployment() (*appsv1.Deployment, error) {
Added Kyverno specific SharedInformerFactory (#2987) * Added Kyverno specific SharedInformerFactory Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Replace ToUnstructured() Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> * Add GVK to returned resource Signed-off-by: Kumar Mallikarjuna <kumar@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com>
2022-01-18 15:52:48 +00:00
deploy, err := wrc.kDeplLister.Deployments(config.KyvernoNamespace).Get(config.KyvernoDeploymentName)
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 17:58:10 +00:00
if err != nil {
refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-02 10:58:04 +00:00
return nil, err
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 17:58:10 +00:00
}
refactor: remove unstructured usage from webhookconfig (#3737) * refactor: use typed informers and add tombstone support to webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: remove unstructured usage from webhookconfig Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-02 10:58:04 +00:00
return deploy, nil
Reduce throttling requests (GET) (#1522) * add resource lister to even handler Signed-off-by: Shuting Zhao <shutting06@gmail.com> * use lister to get Kyverno deployment Signed-off-by: Shuting Zhao <shutting06@gmail.com> * add lister for webhook configs Signed-off-by: Shuting Zhao <shutting06@gmail.com>
2021-02-05 17:58:10 +00:00
}
refactor: webhookconfig package (part 3) (#3834) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhook config package (part 2) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * refactor: webhookconfig package (part 3) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-09 14:31:35 +00:00
func (wrc *Register) constructOwner() metav1.OwnerReference {
logger := wrc.log
kubeClusterRoleName, err := wrc.GetKubePolicyClusterRoleName()
if err != nil {
logger.Error(err, "failed to get cluster role")
return metav1.OwnerReference{}
}
return metav1.OwnerReference{
APIVersion: config.ClusterRoleAPIVersion,
Kind: config.ClusterRoleKind,
Name: kubeClusterRoleName.GetName(),
UID: kubeClusterRoleName.GetUID(),
}
}
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
// webhook utils
func generateRules(rule admregapi.Rule, operationTypes []admregapi.OperationType) []admregapi.RuleWithOperations {
if !reflect.DeepEqual(rule, admregapi.Rule{}) {
return []admregapi.RuleWithOperations{{Operations: operationTypes, Rule: rule}}
}
return nil
}
983 kustomize support (#1026) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments
2020-08-05 16:11:23 +00:00
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
func generateDebugMutatingWebhook(name, url string, caData []byte, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.MutatingWebhook {
return admregapi.MutatingWebhook{
ReinvocationPolicy: &never,
983 kustomize support (#1026) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments
2020-08-05 16:11:23 +00:00
Name: name,
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
ClientConfig: admregapi.WebhookClientConfig{
URL: &url,
CABundle: caData,
},
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
SideEffects: &noneOnDryRun,
528_add_webhook_defaults
2019-12-05 01:28:39 +00:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
- set failurepolicy of webhookconfiguraitons to ignore; - disable auto-gen on policy disabllow_default_namespace
2020-01-16 02:01:50 +00:00
FailurePolicy: &failurePolicy,
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
Rules: generateRules(rule, operationTypes),
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
}
}
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
func generateDebugValidatingWebhook(name, url string, caData []byte, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.ValidatingWebhook {
return admregapi.ValidatingWebhook{
logs & access
2020-03-17 18:05:20 +00:00
Name: name,
ClientConfig: admregapi.WebhookClientConfig{
URL: &url,
CABundle: caData,
},
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
SideEffects: &noneOnDryRun,
logs & access
2020-03-17 18:05:20 +00:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
FailurePolicy: &failurePolicy,
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
Rules: generateRules(rule, operationTypes),
logs & access
2020-03-17 18:05:20 +00:00
}
}
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
func generateMutatingWebhook(name, servicePath string, caData []byte, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.MutatingWebhook {
return admregapi.MutatingWebhook{
ReinvocationPolicy: &ifNeeded,
983 kustomize support (#1026) * prototype - strategic merge patch * add end to end test * add engine strategic merge patch support * set webhook reinvocationPolicy to IfNeeded * refactor engine mutate code * support JMESPath in strategic merge patch * implement patchesJson6902 * update doc * resolve pr comments
2020-08-05 16:11:23 +00:00
Name: name,
logs & access
2020-03-17 18:05:20 +00:00
ClientConfig: admregapi.WebhookClientConfig{
Service: &admregapi.ServiceReference{
update webhook registration and monitor (#1318) * update webhook registration and monitor * update log * fix test * improve logs * improve logs * format changes * decrease interval for webhook config checks
2020-11-27 00:07:06 +00:00
Namespace: config.KyvernoNamespace,
Name: config.KyvernoServiceName,
logs & access
2020-03-17 18:05:20 +00:00
Path: &servicePath,
},
CABundle: caData,
},
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
SideEffects: &noneOnDryRun,
logs & access
2020-03-17 18:05:20 +00:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
FailurePolicy: &failurePolicy,
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
Rules: generateRules(rule, operationTypes),
logs & access
2020-03-17 18:05:20 +00:00
}
}
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
func generateValidatingWebhook(name, servicePath string, caData []byte, timeoutSeconds int32, rule admregapi.Rule, operationTypes []admregapi.OperationType, failurePolicy admregapi.FailurePolicyType) admregapi.ValidatingWebhook {
return admregapi.ValidatingWebhook{
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
Name: name,
ClientConfig: admregapi.WebhookClientConfig{
Service: &admregapi.ServiceReference{
update webhook registration and monitor (#1318) * update webhook registration and monitor * update log * fix test * improve logs * improve logs * format changes * decrease interval for webhook config checks
2020-11-27 00:07:06 +00:00
Namespace: config.KyvernoNamespace,
Name: config.KyvernoServiceName,
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
Path: &servicePath,
},
CABundle: caData,
},
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
SideEffects: &noneOnDryRun,
528_add_webhook_defaults
2019-12-05 01:28:39 +00:00
AdmissionReviewVersions: []string{"v1beta1"},
TimeoutSeconds: &timeoutSeconds,
- set failurepolicy of webhookconfiguraitons to ignore; - disable auto-gen on policy disabllow_default_namespace
2020-01-16 02:01:50 +00:00
FailurePolicy: &failurePolicy,
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
Rules: generateRules(rule, operationTypes),
}
}
func generateObjectMeta(name string, owner ...metav1.OwnerReference) metav1.ObjectMeta {
return metav1.ObjectMeta{
Name: name,
OwnerReferences: owner,
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
}
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
}
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 07:15:09 +00:00
refactor: webhookconfig package (part 1) (#3831) * refactor: webhookconfig package (part 1) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> * fix: sonatype issue Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2022-05-08 11:47:49 +00:00
// policy webhook configuration utils
func getPolicyMutatingWebhookConfigName(serverIP string) string {
if serverIP != "" {
return config.PolicyMutatingWebhookConfigurationDebugName
}
return config.PolicyMutatingWebhookConfigurationName
}
func getPolicyValidatingWebhookConfigName(serverIP string) string {
if serverIP != "" {
return config.PolicyValidatingWebhookConfigurationDebugName
}
return config.PolicyValidatingWebhookConfigurationName
}
func constructPolicyValidatingWebhookConfig(caData []byte, timeoutSeconds int32, owner metav1.OwnerReference) *admregapi.ValidatingWebhookConfiguration {
name, path := config.PolicyValidatingWebhookName, config.PolicyValidatingWebhookServicePath
return &admregapi.ValidatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.PolicyValidatingWebhookConfigurationName, owner),
Webhooks: []admregapi.ValidatingWebhook{
generateValidatingWebhook(name, path, caData, timeoutSeconds, policyRule, createUpdate, admregapi.Ignore),
},
}
}
func constructDebugPolicyValidatingWebhookConfig(serverIP string, caData []byte, timeoutSeconds int32, owner metav1.OwnerReference) *admregapi.ValidatingWebhookConfiguration {
name, url := config.PolicyValidatingWebhookName, fmt.Sprintf("https://%s%s", serverIP, config.PolicyValidatingWebhookServicePath)
return &admregapi.ValidatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.PolicyValidatingWebhookConfigurationDebugName, owner),
Webhooks: []admregapi.ValidatingWebhook{
generateDebugValidatingWebhook(name, url, caData, timeoutSeconds, policyRule, createUpdate, admregapi.Ignore),
},
}
}
func constructPolicyMutatingWebhookConfig(caData []byte, timeoutSeconds int32, owner metav1.OwnerReference) *admregapi.MutatingWebhookConfiguration {
name, path := config.PolicyMutatingWebhookName, config.PolicyMutatingWebhookServicePath
return &admregapi.MutatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.PolicyMutatingWebhookConfigurationName, owner),
Webhooks: []admregapi.MutatingWebhook{
generateMutatingWebhook(name, path, caData, timeoutSeconds, policyRule, createUpdate, admregapi.Ignore),
},
}
}
func constructDebugPolicyMutatingWebhookConfig(serverIP string, caData []byte, timeoutSeconds int32, owner metav1.OwnerReference) *admregapi.MutatingWebhookConfiguration {
name, url := config.PolicyMutatingWebhookName, fmt.Sprintf("https://%s%s", serverIP, config.PolicyMutatingWebhookServicePath)
return &admregapi.MutatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.PolicyMutatingWebhookConfigurationDebugName, owner),
Webhooks: []admregapi.MutatingWebhook{
generateDebugMutatingWebhook(name, url, caData, timeoutSeconds, policyRule, createUpdate, admregapi.Ignore),
},
}
}
// resource webhook configuration utils
func getResourceMutatingWebhookConfigName(serverIP string) string {
if serverIP != "" {
return config.MutatingWebhookConfigurationDebugName
}
return config.MutatingWebhookConfigurationName
}
func getResourceValidatingWebhookConfigName(serverIP string) string {
if serverIP != "" {
return config.ValidatingWebhookConfigurationDebugName
}
return config.ValidatingWebhookConfigurationName
}
func defaultResourceWebhookRule(autoUpdate bool) admregapi.Rule {
if autoUpdate {
return admregapi.Rule{}
}
return admregapi.Rule{
APIGroups: []string{"*"},
APIVersions: []string{"*"},
Resources: []string{"*/*"},
}
}
func constructDefaultDebugMutatingWebhookConfig(serverIP string, caData []byte, timeoutSeconds int32, autoUpdate bool, owner metav1.OwnerReference) *admregapi.MutatingWebhookConfiguration {
name, url := config.MutatingWebhookName, fmt.Sprintf("https://%s%s", serverIP, config.MutatingWebhookServicePath)
webhook := &admregapi.MutatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.MutatingWebhookConfigurationDebugName, owner),
Webhooks: []admregapi.MutatingWebhook{
generateDebugMutatingWebhook(name+"-ignore", url, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), createUpdate, admregapi.Ignore),
},
}
if autoUpdate {
webhook.Webhooks = append(webhook.Webhooks, generateDebugMutatingWebhook(name+"-fail", url, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), createUpdate, admregapi.Fail))
}
return webhook
}
func constructDefaultMutatingWebhookConfig(caData []byte, timeoutSeconds int32, autoUpdate bool, owner metav1.OwnerReference) *admregapi.MutatingWebhookConfiguration {
name, path := config.MutatingWebhookName, config.MutatingWebhookServicePath
webhook := &admregapi.MutatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.MutatingWebhookConfigurationName, owner),
Webhooks: []admregapi.MutatingWebhook{
generateMutatingWebhook(name+"-ignore", path, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), createUpdate, admregapi.Ignore),
},
}
if autoUpdate {
webhook.Webhooks = append(webhook.Webhooks, generateMutatingWebhook(name+"-fail", path, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), createUpdate, admregapi.Fail))
}
return webhook
}
func constructDefaultDebugValidatingWebhookConfig(serverIP string, caData []byte, timeoutSeconds int32, autoUpdate bool, owner metav1.OwnerReference) *admregapi.ValidatingWebhookConfiguration {
name, url := config.ValidatingWebhookName, fmt.Sprintf("https://%s%s", serverIP, config.ValidatingWebhookServicePath)
webhook := &admregapi.ValidatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.ValidatingWebhookConfigurationDebugName, owner),
Webhooks: []admregapi.ValidatingWebhook{
generateDebugValidatingWebhook(name+"-ignore", url, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), all, admregapi.Ignore),
},
}
if autoUpdate {
webhook.Webhooks = append(webhook.Webhooks, generateDebugValidatingWebhook(name+"-fail", url, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), all, admregapi.Fail))
}
return webhook
}
func constructDefaultValidatingWebhookConfig(caData []byte, timeoutSeconds int32, autoUpdate bool, owner metav1.OwnerReference) *admregapi.ValidatingWebhookConfiguration {
name, path := config.ValidatingWebhookName, config.ValidatingWebhookServicePath
webhook := &admregapi.ValidatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.ValidatingWebhookConfigurationName, owner),
Webhooks: []admregapi.ValidatingWebhook{
generateValidatingWebhook(name+"-ignore", path, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), all, admregapi.Ignore),
},
}
if autoUpdate {
webhook.Webhooks = append(webhook.Webhooks, generateValidatingWebhook(name+"-fail", path, caData, timeoutSeconds, defaultResourceWebhookRule(autoUpdate), all, admregapi.Fail))
}
return webhook
}
// verify webhook configuration utils
func getVerifyMutatingWebhookConfigName(serverIP string) string {
if serverIP != "" {
return config.VerifyMutatingWebhookConfigurationDebugName
}
return config.VerifyMutatingWebhookConfigurationName
}
func constructVerifyMutatingWebhookConfig(caData []byte, timeoutSeconds int32, owner metav1.OwnerReference) *admregapi.MutatingWebhookConfiguration {
name, path := config.VerifyMutatingWebhookName, config.VerifyMutatingWebhookServicePath
webhook := generateMutatingWebhook(name, path, caData, timeoutSeconds, verifyRule, update, admregapi.Ignore)
webhook.ObjectSelector = vertifyObjectSelector
return &admregapi.MutatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.VerifyMutatingWebhookConfigurationName, owner),
Webhooks: []admregapi.MutatingWebhook{webhook},
}
}
func constructDebugVerifyMutatingWebhookConfig(serverIP string, caData []byte, timeoutSeconds int32, owner metav1.OwnerReference) *admregapi.MutatingWebhookConfiguration {
name, url := config.VerifyMutatingWebhookName, fmt.Sprintf("https://%s%s", serverIP, config.VerifyMutatingWebhookServicePath)
webhook := generateDebugMutatingWebhook(name, url, caData, timeoutSeconds, verifyRule, update, admregapi.Ignore)
webhook.ObjectSelector = vertifyObjectSelector
return &admregapi.MutatingWebhookConfiguration{
ObjectMeta: generateObjectMeta(config.VerifyMutatingWebhookConfigurationDebugName, owner),
Webhooks: []admregapi.MutatingWebhook{webhook},
Dynamic webhooks (#2425) * support k8s 1.22, update admissionregistration.k8s.io/v1beta1 to admissionregistration.k8s.io/v1 Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add failurePolicy to policy spec; - fix typo Signed-off-by: ShutingZhao <shutting06@gmail.com> * - add schema validation for failurePolicy; - add a printer column Signed-off-by: ShutingZhao <shutting06@gmail.com> * set default failure policy to fail if not defined Signed-off-by: ShutingZhao <shutting06@gmail.com> * resolve conflicts Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix missing type for printerColumn Signed-off-by: ShutingZhao <shutting06@gmail.com> * refactor policy controller Signed-off-by: ShutingZhao <shutting06@gmail.com> * add webhook config manager Signed-off-by: ShutingZhao <shutting06@gmail.com> * - build webhook objects per policy update; - add fail webhook to default webhook configurations Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix panic on policy update Signed-off-by: ShutingZhao <shutting06@gmail.com> * build default webhook: match empty if autoUpdateWebhooks is enabled, otherwise match all Signed-off-by: ShutingZhao <shutting06@gmail.com> * - set default webhook configs rule to empty; - handle policy deletion Signed-off-by: ShutingZhao <shutting06@gmail.com> * reset webhook config if policies with a specific failurePolicy are cleaned up Signed-off-by: ShutingZhao <shutting06@gmail.com> * handle wildcard pocliy Signed-off-by: ShutingZhao <shutting06@gmail.com> * update default webhook timeout to 10s Signed-off-by: ShutingZhao <shutting06@gmail.com> * cleanups Signed-off-by: ShutingZhao <shutting06@gmail.com> * added webhook informer to re-create it immediately if missing Signed-off-by: ShutingZhao <shutting06@gmail.com> * update tag webhookTimeoutSeconds description Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix e2e tests Signed-off-by: ShutingZhao <shutting06@gmail.com> * fix linter issue Signed-off-by: ShutingZhao <shutting06@gmail.com> * correct metric endpoint Signed-off-by: ShutingZhao <shutting06@gmail.com> * add pol.generate.kind to webhooks Signed-off-by: ShutingZhao <shutting06@gmail.com>
2021-10-05 07:15:09 +00:00
}
create policy mutating webhook config resouce + refactoring
2019-08-27 21:52:56 +00:00
}
Copy permalink